ltcai 4.1.0 → 4.3.0

package/lattice_brain/storage/postgres.py

@@ -0,0 +1,123 @@
+"""Opt-in Postgres/pgvector storage engine for Brain Core scale mode."""
+
+from __future__ import annotations
+
+from dataclasses import dataclass
+from pathlib import Path
+from typing import Any, Dict
+
+from .base import StorageCapabilities, StorageEngine, StorageUnavailable
+
+
+def _quote_ident(value: str) -> str:
+    return '"' + str(value).replace('"', '""') + '"'
+
+
+@dataclass(frozen=True)
+class PostgresConfig:
+    dsn: str
+    schema: str = "lattice_brain"
+
+
+class PostgresEngine(StorageEngine):
+    name = "postgres"
+
+    def __init__(self, dsn: str, *, schema: str = "lattice_brain") -> None:
+        self.config = PostgresConfig(dsn=dsn, schema=schema)
+
+    def _psycopg(self):
+        try:
+            import psycopg  # type: ignore
+        except Exception as exc:
+            raise StorageUnavailable(
+                "Postgres storage requires optional dependency 'psycopg'. "
+                "Install the postgres extra before selecting LATTICEAI_STORAGE_ENGINE=postgres."
+            ) from exc
+        return psycopg
+
+    def connect(self) -> Any:
+        if not self.config.dsn:
+            raise StorageUnavailable(
+                "Postgres storage requires LATTICEAI_POSTGRES_DSN; no SQLite fallback is attempted."
+            )
+        psycopg = self._psycopg()
+        return psycopg.connect(self.config.dsn)
+
+    def initialize(self) -> Dict[str, Any]:
+        schema = _quote_ident(self.config.schema)
+        with self.connect() as conn:
+            with conn.cursor() as cur:
+                cur.execute("CREATE EXTENSION IF NOT EXISTS vector")
+                cur.execute(f"CREATE SCHEMA IF NOT EXISTS {schema}")
+                cur.execute(
+                    f"""
+                    CREATE TABLE IF NOT EXISTS {schema}.storage_meta (
+                      key text PRIMARY KEY,
+                      value text NOT NULL,
+                      updated_at timestamptz NOT NULL DEFAULT now()
+                    )
+                    """
+                )
+                cur.execute(
+                    f"""
+                    CREATE TABLE IF NOT EXISTS {schema}.brain_vectors (
+                      item_id text PRIMARY KEY,
+                      item_type text NOT NULL,
+                      source_node text NOT NULL,
+                      text_hash text NOT NULL,
+                      embedding vector,
+                      embedding_dim integer NOT NULL,
+                      embedding_model text NOT NULL,
+                      metadata_json jsonb NOT NULL DEFAULT '{{}}'::jsonb,
+                      indexed_at timestamptz NOT NULL DEFAULT now()
+                    )
+                    """
+                )
+                cur.execute(
+                    f"""
+                    INSERT INTO {schema}.storage_meta(key, value)
+                    VALUES ('engine', 'postgres')
+                    ON CONFLICT (key) DO UPDATE
+                      SET value = EXCLUDED.value, updated_at = now()
+                    """
+                )
+        return {"engine": self.name, "schema": self.config.schema}
+
+    def capabilities(self) -> StorageCapabilities:
+        try:
+            with self.connect() as conn:
+                with conn.cursor() as cur:
+                    cur.execute("SELECT extname FROM pg_extension WHERE extname='vector'")
+                    pgvector = cur.fetchone() is not None
+        except Exception as exc:
+            return StorageCapabilities(
+                engine=self.name,
+                available=False,
+                reason=str(exc),
+                vector_backend="pgvector",
+                metadata={"schema": self.config.schema},
+            )
+        return StorageCapabilities(
+            engine=self.name,
+            available=True,
+            reason=None if pgvector else "pgvector extension is not installed",
+            vector_backend="pgvector",
+            vector_available=pgvector,
+            backup_restore=False,
+            migrations=True,
+            encrypted_archives=False,
+            metadata={"schema": self.config.schema},
+        )
+
+    def backup(self, destination: Path) -> Dict[str, Any]:
+        raise StorageUnavailable(
+            "Postgres logical backup is not implemented inside the app; use pg_dump for this engine."
+        )
+
+    def restore(self, source: Path) -> Dict[str, Any]:
+        raise StorageUnavailable(
+            "Postgres restore is not implemented inside the app; use pg_restore/psql for this engine."
+        )
+
+
+__all__ = ["PostgresConfig", "PostgresEngine", "_quote_ident"]

package/lattice_brain/storage/sqlite.py

@@ -0,0 +1,128 @@
+"""SQLite storage engine for Brain Core.
+
+SQLite is the default and remains fully local-first. sqlite-vec is detected and
+loaded when present; otherwise the existing brute-force cosine path remains the
+honest, real fallback and is surfaced in capability reports.
+"""
+
+from __future__ import annotations
+
+import shutil
+import sqlite3
+from pathlib import Path
+from typing import Any, Dict, Optional
+
+from .base import StorageCapabilities, StorageEngine
+
+
+def _load_sqlite_vec(conn: sqlite3.Connection) -> tuple[bool, Optional[str]]:
+    try:
+        import sqlite_vec  # type: ignore
+    except Exception as exc:
+        return False, f"sqlite-vec Python package not installed: {exc}"
+    try:
+        conn.enable_load_extension(True)
+    except Exception:
+        pass
+    try:
+        sqlite_vec.load(conn)
+    except Exception as exc:
+        return False, f"sqlite-vec extension failed to load: {exc}"
+    return True, None
+
+
+class SQLiteEngine(StorageEngine):
+    name = "sqlite"
+
+    def __init__(self, db_path: Path, *, load_vec: bool = True) -> None:
+        self.db_path = Path(db_path)
+        self.load_vec = bool(load_vec)
+        self._sqlite_vec_loaded = False
+        self._sqlite_vec_reason: Optional[str] = None
+
+    def connect(self) -> sqlite3.Connection:
+        self.db_path.parent.mkdir(parents=True, exist_ok=True)
+        conn = sqlite3.connect(str(self.db_path))
+        conn.row_factory = sqlite3.Row
+        conn.execute("PRAGMA journal_mode=WAL")
+        conn.execute("PRAGMA foreign_keys=ON")
+        if self.load_vec:
+            loaded, reason = _load_sqlite_vec(conn)
+            self._sqlite_vec_loaded = loaded
+            self._sqlite_vec_reason = reason
+        return conn
+
+    def initialize(self) -> Dict[str, Any]:
+        with self.connect() as conn:
+            conn.execute(
+                """
+                CREATE TABLE IF NOT EXISTS storage_meta (
+                  key TEXT PRIMARY KEY,
+                  value TEXT NOT NULL
+                )
+                """
+            )
+            conn.execute(
+                "INSERT OR REPLACE INTO storage_meta(key, value) VALUES ('engine', 'sqlite')"
+            )
+        return {"engine": self.name, "db_path": str(self.db_path)}
+
+    def capabilities(self) -> StorageCapabilities:
+        if not self.db_path.parent.exists():
+            return StorageCapabilities(
+                engine=self.name,
+                available=True,
+                vector_backend="bruteforce-cosine",
+                vector_available=True,
+                backup_restore=True,
+                migrations=True,
+                encrypted_archives=True,
+                metadata={"db_path": str(self.db_path), "sqlite_vec_loaded": False},
+            )
+        # Probe on demand so status is accurate even before the graph opens.
+        try:
+            with self.connect():
+                pass
+        except Exception as exc:
+            return StorageCapabilities(
+                engine=self.name,
+                available=False,
+                reason=str(exc),
+                metadata={"db_path": str(self.db_path)},
+            )
+        vector_backend = "sqlite-vec" if self._sqlite_vec_loaded else "bruteforce-cosine"
+        return StorageCapabilities(
+            engine=self.name,
+            available=True,
+            reason=None if self._sqlite_vec_loaded else self._sqlite_vec_reason,
+            vector_backend=vector_backend,
+            vector_available=True,
+            backup_restore=True,
+            migrations=True,
+            encrypted_archives=True,
+            metadata={
+                "db_path": str(self.db_path),
+                "sqlite_vec_loaded": self._sqlite_vec_loaded,
+            },
+        )
+
+    def backup(self, destination: Path) -> Dict[str, Any]:
+        dest = Path(destination)
+        dest.parent.mkdir(parents=True, exist_ok=True)
+        with self.connect() as src, sqlite3.connect(str(dest)) as dst:
+            src.backup(dst)
+        return {"engine": self.name, "path": str(dest), "bytes": dest.stat().st_size}
+
+    def restore(self, source: Path) -> Dict[str, Any]:
+        src = Path(source)
+        if not src.exists():
+            raise FileNotFoundError(f"SQLite backup not found: {src}")
+        self.db_path.parent.mkdir(parents=True, exist_ok=True)
+        for sibling in (self.db_path, Path(str(self.db_path) + "-wal"), Path(str(self.db_path) + "-shm")):
+            if sibling.exists():
+                sibling.unlink()
+        shutil.copyfile(src, self.db_path)
+        return {"engine": self.name, "restored": True, "path": str(self.db_path)}
+
+
+__all__ = ["SQLiteEngine"]

package/lattice_brain/store.py

@@ -0,0 +1,3 @@
+from latticeai.brain.store import KnowledgeGraphStore
+
+__all__ = ["KnowledgeGraphStore"]

package/lattice_brain/write_master.py

@@ -0,0 +1 @@
+from latticeai.brain.write_master import *  # noqa: F401,F403

package/latticeai/__init__.py

@@ -1,3 +1,3 @@
 """Lattice AI - modular server package."""
 
-__version__ = "4.1.0"
+__version__ = "4.3.0"

package/latticeai/api/admin.py

@@ -56,6 +56,7 @@ def create_admin_router(
     invite_gate_enabled: bool,
     default_port: int,
     policy_matrix: Optional[Callable[[], List[Dict[str, object]]]] = None,
+    product_hardening_status: Optional[Callable[[], Dict[str, object]]] = None,
 ) -> APIRouter:
     router = APIRouter()
 
@@ -155,6 +156,16 @@ def create_admin_router(
             ]
         }
 
+    @router.get("/admin/product-hardening")
+    async def admin_product_hardening(request: Request):
+        require_admin(request)
+        if product_hardening_status is None:
+            return {
+                "available": False,
+                "reason": "Product hardening status provider is not configured.",
+            }
+        return product_hardening_status()
+
     @router.get("/vpc/status")
     async def vpc_status(request: Request):
         require_user(request)

package/latticeai/api/portability.py

@@ -26,6 +26,42 @@ class BackupRequest(BaseModel):
 class RestoreRequest(BaseModel):
     path: str
     verify: bool = True
+    dry_run: bool = False
+    confirm: bool = False
+
+
+class EncryptedArchiveRequest(BaseModel):
+    path: Optional[str] = None
+    passphrase: str
+
+
+class EncryptedRestoreRequest(BaseModel):
+    path: str
+    passphrase: str
+    dry_run: bool = False
+    confirm: bool = False
+
+
+class EncryptedInspectRequest(BaseModel):
+    path: str
+    passphrase: Optional[str] = None
+
+
+class EncryptedVerifyRequest(BaseModel):
+    path: str
+    passphrase: str
+
+
+class DockerPostgresRequest(BaseModel):
+    consent: bool = False
+    dry_run: bool = False
+    port: int = 5432
+
+
+class SQLiteToPostgresRequest(BaseModel):
+    dsn: str
+    schema_name: str = "lattice_brain"
+    dry_run: bool = True
 
 
 def create_portability_router(
@@ -46,6 +82,18 @@ def create_portability_router(
         _require_service()
         return service.snapshot_metadata()
 
+    @router.get("/api/brain/storage")
+    async def brain_storage_status(request: Request):
+        require_user(request)
+        _require_service()
+        return service.storage_status()
+
+    @router.get("/api/knowledge-graph/backup-health")
+    async def backup_health(request: Request):
+        require_user(request)
+        _require_service()
+        return service.backup_health()
+
     @router.get("/api/knowledge-graph/provenance")
     async def recent_provenance(request: Request, limit: int = 50, source_type: Optional[str] = None):
         """Recent ingestions (provenance trail) for the ingestion-sources UI."""
@@ -86,8 +134,86 @@ def create_portability_router(
         require_admin(request)
         _require_service()
         try:
-            return service.restore(req.path, verify=req.verify)
+            return service.restore(req.path, verify=req.verify, dry_run=req.dry_run, confirm=req.confirm)
         except (ValueError, FileNotFoundError) as exc:
             raise HTTPException(status_code=400, detail=str(exc))
 
+    @router.post("/api/knowledge-graph/archive")
+    async def encrypted_archive(req: EncryptedArchiveRequest, request: Request):
+        require_admin(request)
+        _require_service()
+        try:
+            return service.encrypted_archive(req.path, passphrase=req.passphrase)
+        except (ValueError, FileNotFoundError) as exc:
+            raise HTTPException(status_code=400, detail=str(exc))
+
+    @router.post("/api/knowledge-graph/archive/inspect")
+    async def inspect_encrypted_archive(req: EncryptedInspectRequest, request: Request):
+        require_admin(request)
+        _require_service()
+        try:
+            return service.inspect_encrypted_archive(req.path, passphrase=req.passphrase)
+        except (ValueError, FileNotFoundError) as exc:
+            raise HTTPException(status_code=400, detail=str(exc))
+
+    @router.post("/api/knowledge-graph/archive/verify")
+    async def verify_encrypted_archive(req: EncryptedVerifyRequest, request: Request):
+        require_admin(request)
+        _require_service()
+        result = service.verify_encrypted_archive(req.path, passphrase=req.passphrase)
+        if not result.get("ok"):
+            raise HTTPException(status_code=400, detail="; ".join(result.get("errors") or ["Archive verification failed."]))
+        return result
+
+    @router.post("/api/knowledge-graph/archive/import")
+    async def import_encrypted_archive(req: EncryptedRestoreRequest, request: Request):
+        require_admin(request)
+        _require_service()
+        try:
+            return service.import_encrypted_archive(
+                req.path,
+                passphrase=req.passphrase,
+                dry_run=req.dry_run,
+                confirm=req.confirm,
+            )
+        except (ValueError, FileNotFoundError) as exc:
+            raise HTTPException(status_code=400, detail=str(exc))
+
+    @router.post("/api/knowledge-graph/archive/restore")
+    async def restore_encrypted_archive(req: EncryptedRestoreRequest, request: Request):
+        require_admin(request)
+        _require_service()
+        try:
+            return service.restore_encrypted_archive(
+                req.path,
+                passphrase=req.passphrase,
+                dry_run=req.dry_run,
+                confirm=req.confirm,
+            )
+        except (ValueError, FileNotFoundError) as exc:
+            raise HTTPException(status_code=400, detail=str(exc))
+
+    @router.post("/api/brain/storage/postgres/docker")
+    async def setup_postgres_docker(req: DockerPostgresRequest, request: Request):
+        require_admin(request)
+        _require_service()
+        return service.postgres_docker_setup(
+            consent=req.consent,
+            dry_run=req.dry_run,
+            port=req.port,
+        )
+
+    @router.post("/api/brain/storage/migrate-postgres")
+    async def migrate_sqlite_to_postgres(req: SQLiteToPostgresRequest, request: Request):
+        require_admin(request)
+        _require_service()
+        try:
+            return service.migrate_sqlite_to_postgres(
+                dsn=req.dsn,
+                schema=req.schema_name,
+                dry_run=req.dry_run,
+            )
+        except (ValueError, FileNotFoundError, RuntimeError) as exc:
+            raise HTTPException(status_code=400, detail=str(exc))
+
     return router

package/latticeai/app_factory.py

@@ -60,7 +60,7 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
     from pydantic import BaseModel
 
     from latticeai.models.router import LLMRouter, normalize_branding
-    from knowledge_graph import KnowledgeGraphStore, set_llm_router
+    from knowledge_graph import set_llm_router
     from local_knowledge_api import LocalKnowledgeWatcher
     from latticeai.core.security import (
         hash_password,
@@ -154,6 +154,7 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
     from latticeai.api.hooks import create_hooks_router
     from latticeai.core.hooks import HooksRegistry
     from latticeai.core.builtin_hooks import register_builtin_hook_runners
+    from latticeai.core.product_hardening import build_product_hardening_status
     from latticeai.api.agent_registry import create_agent_registry_router
     from latticeai.core.agent_registry import AgentRegistry
     from latticeai.api.memory import create_memory_router
@@ -161,11 +162,12 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
     from latticeai.api.portability import create_portability_router
     from latticeai.services.memory_service import MemoryService
     from latticeai.services.ingestion import IngestionItem, IngestionPipeline
-    from latticeai.brain.conversations import ConversationStore
-    from latticeai.brain.context import ContextAssembler
-    from latticeai.brain.memory import BrainMemory
-    from latticeai.brain.identity import DeviceIdentity
-    from latticeai.brain.network import BrainNetwork
+    from lattice_brain import BrainCore, ConversationStore
+    from lattice_brain.storage import storage_from_env
+    from lattice_brain.context import ContextAssembler
+    from lattice_brain.memory import BrainMemory
+    from lattice_brain.identity import DeviceIdentity
+    from lattice_brain.network import BrainNetwork
     from latticeai.api.network import create_network_router
     from latticeai.services.kg_portability import KGPortabilityService
     # The aliased names below look unused but are part of the legacy
@@ -342,16 +344,22 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
     )
     if EMBEDDER.fell_back:
         logging.warning("Embedding provider %s unavailable: %s", EMBEDDER.requested, EMBEDDER.detail)
-    KNOWLEDGE_GRAPH = KnowledgeGraphStore(
-        DATA_DIR / "knowledge_graph.sqlite",
-        DATA_DIR / "knowledge_graph_blobs",
+    STORAGE_ENGINE = storage_from_env(os.environ, data_dir=DATA_DIR) if ENABLE_GRAPH else None
+    BRAIN_CORE = BrainCore.from_paths(
+        DATA_DIR,
         embedder=EMBEDDER.provider,
+        storage_engine=STORAGE_ENGINE,
     ) if ENABLE_GRAPH else None
+    KNOWLEDGE_GRAPH = BRAIN_CORE.knowledge if BRAIN_CORE is not None else None
     # ── v4 durable conversation store: unbounded episodic memory in the same
     # SQLite file as the graph (kg_portability backup/restore covers it for
     # free). Legacy chat_history.json is imported once, idempotently, and the
     # file is left untouched on disk as the import source.
-    CONVERSATIONS = ConversationStore(DATA_DIR / "knowledge_graph.sqlite")
+    CONVERSATIONS = (
+        BRAIN_CORE.conversations
+        if BRAIN_CORE is not None
+        else ConversationStore(DATA_DIR / "knowledge_graph.sqlite")
+    )
     CONVERSATIONS.import_legacy_json(HISTORY_FILE)
     # Hooks registry is constructed here (ahead of the watcher) so folder-watch
     # reindexes can fire the pre_index/post_index lifecycle hooks.
@@ -1249,6 +1257,13 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
         except Exception as e:
             return {"error": str(e)}
 
+    def _product_hardening_status():
+        return build_product_hardening_status(
+            config=CONFIG,
+            portability=KG_PORTABILITY,
+            device_identity=DEVICE_IDENTITY,
+        )
+
     app.include_router(create_admin_router(
         require_admin=require_admin, require_user=require_user,
         load_users=load_users, save_users=save_users,
@@ -1263,6 +1278,7 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
         invite_code=INVITE_CODE, invite_gate_enabled=INVITE_GATE_ENABLED,
         default_port=DEFAULT_PORT,
         policy_matrix=policy_matrix,
+        product_hardening_status=_product_hardening_status,
     ))
 
     app.include_router(create_invitations_router(

package/latticeai/brain/__init__.py

@@ -1,18 +1,18 @@
-"""latticeai.brain — the durable substrate of the Digital Brain.
-
-v4 home for the brain's storage modules. The knowledge-graph store itself
-still lives in the root ``knowledge_graph`` module pending its decomposition
-(T3d); new brain components land here first.
-"""
+"""Compatibility namespace for the standalone :mod:`lattice_brain` package."""
 
+from lattice_brain.core import BrainCore, BrainCoreConfig
 from latticeai.brain.context import AssembledContext, ContextAssembler, ContextSection
 from latticeai.brain.conversations import ConversationStore
 from latticeai.brain.memory import BrainMemory
+from latticeai.brain.store import KnowledgeGraphStore
 
 __all__ = [
     "AssembledContext",
+    "BrainCore",
+    "BrainCoreConfig",
     "BrainMemory",
     "ContextAssembler",
     "ContextSection",
     "ConversationStore",
+    "KnowledgeGraphStore",
 ]

package/latticeai/brain/_kg_common.py

@@ -33,7 +33,7 @@ except Exception:  # pragma: no cover - v2 schema is optional at import time
     EdgeType = None  # type: ignore[assignment]
     _exec_script = None  # type: ignore[assignment]
 
-from latticeai.core.local_embeddings import LocalEmbeddingModel
+from lattice_brain.embeddings import LocalEmbeddingModel
 
 # Default read source for the graph queries: v2 reconstruction views.
 # Override with LATTICEAI_KG_READ_V2=0 to fall back to the legacy tables.

package/latticeai/brain/network.py

@@ -23,7 +23,7 @@ import uuid
 from pathlib import Path
 from typing import Any, Dict, List, Optional
 
-from latticeai.brain.identity import DeviceIdentity, fingerprint_of, verify_signature
+from lattice_brain.identity import DeviceIdentity, fingerprint_of, verify_signature
 
 PEER_AUTH_WINDOW_SECONDS = 300
 _NONCE_CACHE_MAX = 4096

package/latticeai/brain/retrieval.py

@@ -813,6 +813,15 @@ class KnowledgeGraphRetrievalMixin:
             raise
 
     def index_status(self) -> Dict[str, Any]:
+        storage_capabilities = None
+        try:
+            storage_capabilities = self.storage_engine.capabilities().as_dict()
+        except Exception as exc:
+            storage_capabilities = {
+                "engine": "sqlite",
+                "available": False,
+                "reason": str(exc),
+            }
         with self._connect() as conn:
             vector_counts = {
                 row["item_type"]: row["count"]
@@ -864,6 +873,12 @@ class KnowledgeGraphRetrievalMixin:
                 # Honest capability report: trigram FTS5 keyword index, or
                 # LIKE-scan fallback when this SQLite build lacks it.
                 "fts_enabled": bool(getattr(self, "_fts_enabled", False)),
+                "engine": storage_capabilities,
+                "vector_search_backend": (
+                    storage_capabilities.get("vector_backend")
+                    if isinstance(storage_capabilities, dict)
+                    else "bruteforce-cosine"
+                ),
             },
             "source_items": len(source_items),
             "indexed_items": sum(vector_counts.values()),

package/latticeai/brain/store.py

@@ -21,11 +21,31 @@ class KnowledgeGraphStore(
     KnowledgeGraphDocumentsMixin,
     KnowledgeGraphRetrievalMixin,
 ):
-    def __init__(self, db_path: Path, blob_dir: Path, embedder: Any = None):
+    def __init__(
+        self,
+        db_path: Path,
+        blob_dir: Path,
+        embedder: Any = None,
+        storage_engine: Any = None,
+    ):
         self.db_path = Path(db_path)
         self.blob_dir = Path(blob_dir)
         self.db_path.parent.mkdir(parents=True, exist_ok=True)
         self.blob_dir.mkdir(parents=True, exist_ok=True)
+        if storage_engine is None:
+            from lattice_brain.storage import SQLiteEngine
+
+            storage_engine = SQLiteEngine(self.db_path)
+        storage_caps = storage_engine.capabilities()
+        if not storage_caps.available:
+            raise RuntimeError(storage_caps.reason or "Brain storage is unavailable.")
+        if storage_caps.engine != "sqlite":
+            raise RuntimeError(
+                "KnowledgeGraphStore currently requires SQLiteEngine. "
+                "Explicit non-SQLite storage must use the migration/scale tooling; "
+                "no SQLite fallback is attempted."
+            )
+        self.storage_engine = storage_engine
         # The embedder is swappable behind a fixed interface
         # (model_id/dim/embed/encode/decode/similarity). Defaults to the
         # deterministic, offline hash model so the store works with no config;
@@ -49,11 +69,7 @@ class KnowledgeGraphStore(
         return ("nodes", "edges")
 
     def _connect(self) -> sqlite3.Connection:
-        conn = sqlite3.connect(str(self.db_path))
-        conn.row_factory = sqlite3.Row
-        conn.execute("PRAGMA journal_mode=WAL")
-        conn.execute("PRAGMA foreign_keys=ON")
-        return conn
+        return self.storage_engine.connect()
 
     def _init_db(self) -> None:
         with self._connect() as conn:

package/latticeai/core/config.py

@@ -104,6 +104,11 @@ class Config:
     embedding_timeout: int
     embedding_custom_target: str
 
+    # ── brain storage ───────────────────────────────────────────────
+    storage_engine: str
+    postgres_dsn: str
+    postgres_schema: str
+
     # ── SSO / OIDC ──────────────────────────────────────────────────
     sso_discovery_url: str
     sso_client_id: str
@@ -158,7 +163,7 @@ class Config:
             host=host,
             port=port,
             network_exposed=network_exposed,
-            enable_telegram=_bool(env, "LATTICEAI_ENABLE_TELEGRAM", default=not is_public),
+            enable_telegram=_bool(env, "LATTICEAI_ENABLE_TELEGRAM", default=False),
             enable_graph=_bool(env, "LATTICEAI_ENABLE_GRAPH", default=True),
             autoload_models=_bool(env, "LATTICEAI_AUTOLOAD_MODELS", default=is_public),
             model_idle_unload_seconds=_int(env, "LATTICEAI_MODEL_IDLE_UNLOAD_SECONDS", 0),
@@ -185,6 +190,9 @@ class Config:
             embedding_dim=_int(env, "LATTICEAI_VECTOR_DIM", 0),
             embedding_timeout=_int(env, "LATTICEAI_EMBEDDING_TIMEOUT", 30),
             embedding_custom_target=_value(env, "LATTICEAI_EMBEDDING_CUSTOM_TARGET", ""),
+            storage_engine=_value(env, "LATTICEAI_STORAGE_ENGINE", "sqlite").strip().lower() or "sqlite",
+            postgres_dsn=_value(env, "LATTICEAI_POSTGRES_DSN", ""),
+            postgres_schema=_value(env, "LATTICEAI_POSTGRES_SCHEMA", "lattice_brain"),
             sso_discovery_url=_value(env, "OIDC_DISCOVERY_URL", ""),
             sso_client_id=_value(env, "OIDC_CLIENT_ID", ""),
             sso_client_secret=_value(env, "OIDC_CLIENT_SECRET", ""),