ltcai 4.1.0 → 4.3.0

package/latticeai/core/marketplace.py

@@ -11,7 +11,7 @@ from copy import deepcopy
 from typing import Any, Dict, List, Optional
 
 
-MARKETPLACE_VERSION = "4.1.0"
+MARKETPLACE_VERSION = "4.3.0"
 TEMPLATE_KINDS = ("plugin", "workflow", "agent")
 
 

package/latticeai/core/multi_agent.py

@@ -14,7 +14,7 @@ from datetime import datetime
 from typing import Any, Callable, Dict, List, Optional
 
 
-MULTI_AGENT_VERSION = "4.1.0"
+MULTI_AGENT_VERSION = "4.3.0"
 
 AGENT_ROLES = ("researcher", "planner", "executor", "reviewer", "release")
 CORE_PIPELINE = ("planner", "executor", "reviewer")

package/latticeai/core/product_hardening.py

@@ -0,0 +1,217 @@
+"""Product hardening and privacy status helpers.
+
+These helpers are read-only and must not perform network probes. They describe
+the local-first startup posture and distinguish available credentials from
+enabled outbound communication.
+"""
+
+from __future__ import annotations
+
+import os
+import shutil
+from pathlib import Path
+from typing import Any, Dict, Mapping, Optional
+
+from latticeai.core.config import Config
+
+
+def _bool(env: Mapping[str, str], key: str, default: bool = False) -> bool:
+    raw = env.get(key)
+    if raw is None:
+        return default
+    return raw.strip().lower() in {"1", "true", "yes", "on"}
+
+
+def _present(env: Mapping[str, str], *keys: str) -> bool:
+    return any(bool(str(env.get(key) or "").strip()) for key in keys)
+
+
+def external_integration_status(
+    config: Config,
+    *,
+    env: Optional[Mapping[str, str]] = None,
+) -> Dict[str, Any]:
+    if env is None:
+        env = os.environ
+    telegram_credentials = _present(env, "LATTICEAI_TELEGRAM_BOT_TOKEN", "TELEGRAM_BOT_TOKEN")
+    brain_network_auto_push = _bool(env, "LATTICEAI_BRAIN_NETWORK_AUTO_PUSH", default=False)
+    updater_enabled = _bool(env, "LATTICEAI_ENABLE_UPDATES", default=False)
+    model_downloads_enabled = _bool(env, "LATTICEAI_ALLOW_MODEL_DOWNLOADS", default=False) or bool(config.autoload_models)
+    docker_auto_start = _bool(env, "LATTICEAI_DOCKER_AUTO_START", default=False)
+    external_connectors_enabled = _bool(env, "LATTICEAI_ENABLE_EXTERNAL_CONNECTORS", default=False)
+    postgres_enabled = config.storage_engine == "postgres" and bool(config.postgres_dsn)
+    return {
+        "local_only_default": default_startup_local_only(config, env=env),
+        "integrations": {
+            "telegram": {
+                "enabled": bool(config.enable_telegram),
+                "credential_present": telegram_credentials,
+                "opt_in_required": True,
+                "automatic_egress": bool(config.enable_telegram),
+                "detail": (
+                    "enabled by LATTICEAI_ENABLE_TELEGRAM"
+                    if config.enable_telegram
+                    else "disabled; token presence alone does not start Telegram"
+                ),
+            },
+            "brain_network": {
+                "enabled": brain_network_auto_push,
+                "credential_present": False,
+                "opt_in_required": True,
+                "automatic_egress": brain_network_auto_push,
+                "detail": "peer pushes are user/admin initiated; no automatic peer sync by default",
+            },
+            "updates": {
+                "enabled": updater_enabled,
+                "credential_present": False,
+                "opt_in_required": True,
+                "automatic_egress": updater_enabled,
+                "detail": "desktop updater checks are disabled unless LATTICEAI_ENABLE_UPDATES is true",
+            },
+            "model_downloads": {
+                "enabled": model_downloads_enabled,
+                "credential_present": _present(env, "HF_TOKEN", "HUGGINGFACEHUB_API_TOKEN"),
+                "opt_in_required": True,
+                "automatic_egress": bool(config.autoload_models),
+                "detail": "model downloads require an explicit load/autoload setting",
+            },
+            "docker": {
+                "enabled": docker_auto_start,
+                "credential_present": False,
+                "opt_in_required": True,
+                "automatic_egress": docker_auto_start,
+                "detail": "Docker setup requires explicit runtime consent; auto-start is disabled by default",
+            },
+            "postgres": {
+                "enabled": postgres_enabled,
+                "credential_present": bool(config.postgres_dsn),
+                "opt_in_required": True,
+                "automatic_egress": postgres_enabled,
+                "detail": "Postgres scale mode is used only when storage engine and DSN are explicitly configured",
+            },
+            "external_connectors": {
+                "enabled": external_connectors_enabled,
+                "credential_present": _present(
+                    env,
+                    "OPENAI_API_KEY",
+                    "ANTHROPIC_API_KEY",
+                    "GITHUB_TOKEN",
+                    "SLACK_BOT_TOKEN",
+                    "DISCORD_BOT_TOKEN",
+                ),
+                "opt_in_required": True,
+                "automatic_egress": external_connectors_enabled,
+                "detail": "connector credentials are inert until the connector is explicitly enabled and invoked",
+            },
+        },
+    }
+
+
+def default_startup_local_only(
+    config: Config,
+    *,
+    env: Optional[Mapping[str, str]] = None,
+) -> bool:
+    if env is None:
+        env = os.environ
+    local_embedding = config.embedding_provider in {"", "hash", "local", "fallback", "sqlite"}
+    external = external_integration_status_no_recurse(config, env=env)
+    return (
+        not config.network_exposed
+        and not config.cors_allow_network
+        and not config.enable_telegram
+        and not config.autoload_models
+        and config.storage_engine == "sqlite"
+        and local_embedding
+        and not any(item["automatic_egress"] for item in external.values())
+    )
+
+
+def external_integration_status_no_recurse(
+    config: Config,
+    *,
+    env: Mapping[str, str],
+) -> Dict[str, Dict[str, Any]]:
+    return {
+        "brain_network": {"automatic_egress": _bool(env, "LATTICEAI_BRAIN_NETWORK_AUTO_PUSH", default=False)},
+        "updates": {"automatic_egress": _bool(env, "LATTICEAI_ENABLE_UPDATES", default=False)},
+        "docker": {"automatic_egress": _bool(env, "LATTICEAI_DOCKER_AUTO_START", default=False)},
+        "postgres": {"automatic_egress": config.storage_engine == "postgres" and bool(config.postgres_dsn)},
+        "external_connectors": {"automatic_egress": _bool(env, "LATTICEAI_ENABLE_EXTERNAL_CONNECTORS", default=False)},
+    }
+
+
+def build_product_hardening_status(
+    *,
+    config: Config,
+    portability: Any = None,
+    device_identity: Any = None,
+    env: Optional[Mapping[str, str]] = None,
+) -> Dict[str, Any]:
+    if env is None:
+        env = os.environ
+    storage = {"available": False}
+    backup = {"available": False}
+    if portability is not None and getattr(portability, "available", lambda: False)():
+        storage = portability.storage_status()
+        backup = portability.backup_health()
+    identity = {}
+    if device_identity is not None:
+        identity = device_identity.describe()
+    data_dir = Path(config.data_dir)
+    return {
+        "version": "4.3.0",
+        "startup": {
+            "local_only_default": default_startup_local_only(config, env=env),
+            "host": config.host,
+            "port": config.port,
+            "network_exposed": config.network_exposed,
+            "auth_required": config.require_auth,
+            "cors_network_allowed": config.cors_allow_network,
+        },
+        "desktop": {
+            "sidecar_lifecycle": "managed",
+            "restart_supported": True,
+            "shutdown_supported": True,
+            "updater": {
+                "enabled": _bool(env, "LATTICEAI_ENABLE_UPDATES", default=False),
+                "limitation": "No external update checks run unless explicitly enabled by policy.",
+            },
+        },
+        "first_run": {
+            "data_dir": str(data_dir),
+            "data_dir_exists": data_dir.exists(),
+            "python_available": shutil.which("python3") is not None or shutil.which("python") is not None,
+            "docker_available": shutil.which("docker") is not None,
+            "docker_required": False,
+            "postgres_required": False,
+        },
+        "privacy": external_integration_status(config, env=env),
+        "storage": storage,
+        "backup": backup,
+        "device_identity": identity,
+        "permissions": {
+            "export_requires_admin": True,
+            "import_requires_admin": True,
+            "restore_requires_admin": True,
+            "destructive_restore_requires_confirmation": True,
+            "workspace_isolation_enforced": True,
+            "audit_log_visible_to_admin": True,
+        },
+        "failure_policy": {
+            "archive_corruption": "fail_closed",
+            "partial_archive": "fail_closed",
+            "signature_mismatch": "fail_closed",
+            "unsupported_version": "fail_closed",
+            "missing_docker": "honest_unavailable",
+            "missing_postgres": "honest_unavailable",
+            "permission_denied": "honest_error",
+        },
+    }
+
+
+__all__ = [
+    "build_product_hardening_status",
+    "default_startup_local_only",
+    "external_integration_status",
+]

package/latticeai/core/workspace_os.py

@@ -19,7 +19,7 @@ from pathlib import Path
 from typing import Any, Callable, Dict, Iterable, List, Optional
 
 
-WORKSPACE_OS_VERSION = "4.1.0"
+WORKSPACE_OS_VERSION = "4.3.0"
 
 # Workspace types separate single-user Personal workspaces from shared
 # Organization workspaces. Both keep the same local-first JSON store; the type

package/latticeai/services/kg_portability.py

@@ -19,9 +19,16 @@ import shutil
 import tempfile
 import zipfile
 from datetime import datetime, timezone
-from pathlib import Path
+from pathlib import Path, PurePosixPath
 from typing import Any, Dict, Optional
 
+from lattice_brain.archive import BrainArchivePaths, EncryptedBrainArchive
+from lattice_brain.storage import (
+    DockerPostgresWizard,
+    PostgresEngine,
+    SQLiteToPostgresMigrator,
+)
+
 FORMAT = "latticeai.kg.export"
 FORMAT_VERSION = 1
 BACKUP_FORMAT = "latticeai.kg.backup"
@@ -43,6 +50,13 @@ def _sha256_file(path: Path) -> str:
     return h.hexdigest()
 
 
+def _safe_zip_names(names) -> None:
+    for name in names:
+        path = PurePosixPath(name)
+        if path.is_absolute() or ".." in path.parts:
+            raise ValueError(f"Backup archive contains unsafe path: {name}")
+
+
 class KGPortabilityService:
     def __init__(self, *, knowledge_graph: Any, data_dir, enable_graph: bool = True, device_identity: Any = None) -> None:
         self._kg = knowledge_graph
@@ -95,7 +109,7 @@ class KGPortabilityService:
         origin = "unsigned-legacy"
         signature = artifact.get("signature")
         if signature:
-            from latticeai.brain.identity import verify_manifest
+            from lattice_brain.identity import verify_manifest
 
             if not verify_manifest(artifact.get("header") or {}, signature):
                 raise ValueError("Bundle signature verification failed — refusing to import.")
@@ -149,13 +163,23 @@ class KGPortabilityService:
                             zf.write(f, f"blobs/{f.relative_to(blob_dir)}")
         return {"path": str(dest), "bytes": dest.stat().st_size, "manifest": manifest}
 
-    def restore(self, archive_path, *, verify: bool = True) -> Dict[str, Any]:
+    def restore(
+        self,
+        archive_path,
+        *,
+        verify: bool = True,
+        dry_run: bool = False,
+        confirm: bool = False,
+    ) -> Dict[str, Any]:
         self._require()
         archive = Path(archive_path)
         if not archive.exists():
             raise FileNotFoundError(f"Backup archive not found: {archive}")
+        if not dry_run and not confirm:
+            raise ValueError("Explicit confirmation is required before restoring a Knowledge Graph backup.")
         with zipfile.ZipFile(archive) as zf:
             names = zf.namelist()
+            _safe_zip_names(names)
             if "knowledge_graph.sqlite" not in names:
                 raise ValueError("Archive is missing knowledge_graph.sqlite.")
             manifest = json.loads(zf.read("manifest.json")) if "manifest.json" in names else {}
@@ -166,6 +190,18 @@ class KGPortabilityService:
                 if verify and manifest.get("db_sha256"):
                     if _sha256_file(db_src) != manifest["db_sha256"]:
                         raise ValueError("Backup integrity check failed (db sha256 mismatch).")
+                if dry_run:
+                    return {
+                        "restored": False,
+                        "dry_run": True,
+                        "verified": True,
+                        "manifest": manifest,
+                        "planned": {
+                            "database": str(self._kg.db_path),
+                            "blobs": str(self._kg.blob_dir),
+                            "archive": str(archive),
+                        },
+                    }
                 db_dest = Path(self._kg.db_path)
                 blob_dest = Path(self._kg.blob_dir)
                 db_dest.parent.mkdir(parents=True, exist_ok=True)
@@ -189,6 +225,113 @@ class KGPortabilityService:
             "nodes": sum(stats.get("nodes", {}).values()),
         }
 
+    def verify_backup(self, archive_path) -> Dict[str, Any]:
+        archive = Path(archive_path)
+        if not archive.exists():
+            return {"ok": False, "path": str(archive), "errors": [f"Backup archive not found: {archive}"]}
+        try:
+            with zipfile.ZipFile(archive) as zf:
+                names = zf.namelist()
+                _safe_zip_names(names)
+                if "knowledge_graph.sqlite" not in names:
+                    raise ValueError("Archive is missing knowledge_graph.sqlite.")
+                manifest = json.loads(zf.read("manifest.json")) if "manifest.json" in names else {}
+                with tempfile.TemporaryDirectory() as tmp_s:
+                    tmp = Path(tmp_s)
+                    zf.extract("knowledge_graph.sqlite", tmp)
+                    db_src = tmp / "knowledge_graph.sqlite"
+                    if manifest.get("db_sha256") and _sha256_file(db_src) != manifest["db_sha256"]:
+                        raise ValueError("Backup integrity check failed (db sha256 mismatch).")
+            return {"ok": True, "path": str(archive), "manifest": manifest, "errors": []}
+        except (ValueError, zipfile.BadZipFile, OSError, json.JSONDecodeError) as exc:
+            return {"ok": False, "path": str(archive), "errors": [str(exc)]}
+
+    # ── encrypted .latticebrain archive ───────────────────────────────────
+    def encrypted_archive(self, dest_path=None, *, passphrase: str) -> Dict[str, Any]:
+        self._require()
+        self._exports_dir.mkdir(parents=True, exist_ok=True)
+        dest = Path(dest_path) if dest_path else self._exports_dir / f"brain-{_stamp()}.latticebrain"
+        metadata = {
+            "storage": self.storage_status().get("active", {}),
+            "snapshot": self.snapshot_metadata(),
+            "device_identity": self._identity.describe() if self._identity is not None else {},
+            "provenance": {"exported_at": _now_iso(), "source": "kg-portability"},
+        }
+        archive = EncryptedBrainArchive(
+            BrainArchivePaths(
+                db_path=Path(self._kg.db_path),
+                blob_dir=Path(self._kg.blob_dir),
+                data_dir=self._data_dir,
+                metadata=metadata,
+            )
+        )
+        return archive.create(dest, passphrase=passphrase)
+
+    def inspect_encrypted_archive(self, archive_path, *, passphrase: Optional[str] = None) -> Dict[str, Any]:
+        archive = EncryptedBrainArchive(
+            BrainArchivePaths(
+                db_path=Path(self._kg.db_path),
+                blob_dir=Path(self._kg.blob_dir),
+                data_dir=self._data_dir,
+            )
+        )
+        return archive.inspect(Path(archive_path), passphrase=passphrase)
+
+    def verify_encrypted_archive(self, archive_path, *, passphrase: str) -> Dict[str, Any]:
+        archive = EncryptedBrainArchive(
+            BrainArchivePaths(
+                db_path=Path(self._kg.db_path),
+                blob_dir=Path(self._kg.blob_dir),
+                data_dir=self._data_dir,
+            )
+        )
+        return archive.verify(Path(archive_path), passphrase=passphrase)
+
+    def restore_encrypted_archive(
+        self,
+        archive_path,
+        *,
+        passphrase: str,
+        dry_run: bool = False,
+        confirm: bool = False,
+    ) -> Dict[str, Any]:
+        self._require()
+        archive = EncryptedBrainArchive(
+            BrainArchivePaths(
+                db_path=Path(self._kg.db_path),
+                blob_dir=Path(self._kg.blob_dir),
+                data_dir=self._data_dir,
+            )
+        )
+        return archive.restore(
+            Path(archive_path),
+            passphrase=passphrase,
+            target=BrainArchivePaths(
+                db_path=Path(self._kg.db_path),
+                blob_dir=Path(self._kg.blob_dir),
+                data_dir=self._data_dir,
+            ),
+            dry_run=dry_run,
+            confirm=confirm,
+        )
+
+    def import_encrypted_archive(
+        self,
+        archive_path,
+        *,
+        passphrase: str,
+        dry_run: bool = False,
+        confirm: bool = False,
+    ) -> Dict[str, Any]:
+        result = self.restore_encrypted_archive(
+            archive_path,
+            passphrase=passphrase,
+            dry_run=dry_run,
+            confirm=confirm,
+        )
+        result["operation"] = "import"
+        return result
+
     # ── status surface ───────────────────────────────────────────────────────
     def snapshot_metadata(self) -> Dict[str, Any]:
         if not self.available():
@@ -198,8 +341,89 @@ class KGPortabilityService:
             **self._kg.schema_versions(),
             "stats": self._kg.stats(),
             "provenance": self._kg.provenance_stats(),
+            "storage": (
+                self._kg.storage_engine.capabilities().as_dict()
+                if getattr(self._kg, "storage_engine", None) is not None
+                else {"engine": "sqlite", "available": True}
+            ),
         }
 
+    def storage_status(self) -> Dict[str, Any]:
+        if not self.available():
+            return {"available": False}
+        return {
+            "available": True,
+            "active": (
+                self._kg.storage_engine.capabilities().as_dict()
+                if getattr(self._kg, "storage_engine", None) is not None
+                else {"engine": "sqlite", "available": True}
+            ),
+            "postgres": PostgresEngine("", schema="lattice_brain").capabilities().as_dict(),
+            "backup_health": self.backup_health(),
+        }
+
+    def backup_health(self) -> Dict[str, Any]:
+        self._exports_dir.mkdir(parents=True, exist_ok=True)
+        backups = sorted(
+            [
+                p for p in self._exports_dir.glob("*")
+                if p.is_file() and (p.suffix == ".zip" or p.suffix == ".latticebrain")
+            ],
+            key=lambda p: p.stat().st_mtime,
+            reverse=True,
+        )
+        latest = backups[0] if backups else None
+        return {
+            "available": True,
+            "directory": str(self._exports_dir),
+            "count": len(backups),
+            "latest": str(latest) if latest else None,
+            "latest_bytes": latest.stat().st_size if latest else 0,
+            "encrypted_archives": sum(1 for p in backups if p.suffix == ".latticebrain"),
+            "zip_backups": sum(1 for p in backups if p.suffix == ".zip"),
+        }
+
+    def postgres_docker_setup(
+        self,
+        *,
+        consent: bool,
+        dry_run: bool = False,
+        port: int = 5432,
+    ) -> Dict[str, Any]:
+        wizard = DockerPostgresWizard(self._data_dir / "postgres", port=port)
+        return wizard.start(consent=consent, dry_run=dry_run)
+
+    def migrate_sqlite_to_postgres(
+        self,
+        *,
+        dsn: str,
+        schema: str = "lattice_brain",
+        dry_run: bool = True,
+    ) -> Dict[str, Any]:
+        self._require()
+        if not dsn:
+            raise ValueError("Postgres DSN is required for SQLite to Postgres migration.")
+        migrator = SQLiteToPostgresMigrator(
+            Path(self._kg.db_path),
+            PostgresEngine(dsn, schema=schema),
+        )
+        if dry_run:
+            return migrator.migrate(dry_run=True)
+        backup = self.backup()
+        verification = self.verify_backup(backup["path"])
+        if not verification.get("ok"):
+            raise RuntimeError(
+                "Pre-migration backup verification failed; Postgres migration was not started: "
+                + "; ".join(verification.get("errors") or [])
+            )
+        result = migrator.migrate(dry_run=False)
+        result["pre_migration_backup"] = {
+            "path": backup["path"],
+            "verified": True,
+            "manifest": backup.get("manifest"),
+        }
+        return result
+
     def recent_ingestions(self, *, limit: int = 50, source_type: Optional[str] = None) -> Dict[str, Any]:
         """Recent provenance records (newest first) for the ingestion-sources UI."""
         if not self.available():

package/ltcai_cli.py

@@ -269,9 +269,10 @@ def main() -> None:
 
     # Telegram startup notification (local start, tunnel handled separately inside _start_tunnel)
     if not args.tunnel:
+        _tg_enabled = os.getenv("LATTICEAI_ENABLE_TELEGRAM", "").strip().lower() in ("1", "true", "yes", "on")
         _tg_token = os.getenv("LATTICEAI_TELEGRAM_BOT_TOKEN", "")
         _tg_chat  = os.getenv("LATTICEAI_TELEGRAM_CHAT_ID", "")
-        if _tg_token and _tg_chat:
+        if _tg_enabled and _tg_token and _tg_chat:
             _local_msg = (
                 f"✅ Lattice AI 시작됨\n\n"
                 f"🏠 로컬: http://localhost:{args.port}"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ltcai",
-  "version": "4.1.0",
+  "version": "4.3.0",
   "description": "Lattice AI — local-first Digital Brain Platform (knowledge graph, durable memory, hybrid search, agents, signed brain exchange)",
   "homepage": "https://github.com/TaeSooPark-PTS/LatticeAI#readme",
   "repository": {
@@ -41,8 +41,8 @@
     "desktop:tauri:check": "cd src-tauri && cargo check",
     "desktop:electron": "electron desktop/electron/main.cjs",
     "package:vsix": "node scripts/build_vsix.mjs",
-    "release:artifacts": "npm run build:assets && npm run build:python && npm pack && npm run package:vsix",
-    "release:validate": "node scripts/run_python.mjs scripts/validate_release_artifacts.py $npm_package_version --require-vsix --require-tgz",
+    "release:artifacts": "node scripts/clean_release_artifacts.mjs $npm_package_version && npm run build:assets && npm run build:python && npm pack && npm run package:vsix && npm run desktop:tauri:build",
+    "release:validate": "node scripts/run_python.mjs scripts/validate_release_artifacts.py $npm_package_version --require-vsix --require-tgz --require-dmg",
     "publish:npm": "npm pack && npm publish ltcai-$npm_package_version.tgz --access public",
     "publish:pypi": "npm run build:python && node scripts/run_python.mjs -m twine upload --skip-existing dist/ltcai-$npm_package_version.tar.gz dist/ltcai-$npm_package_version-py3-none-any.whl",
     "publish:vscode": "cd vscode-extension && npm run package:vsix && npm run publish:vscode",
@@ -80,6 +80,7 @@
     "tools/",
     "mcp_registry.py",
     "latticeai/**/*.py",
+    "lattice_brain/**/*.py",
     "skills/",
     "static/favicon.ico",
     "static/manifest.json",

package/scripts/bump_version.py

@@ -23,6 +23,7 @@ REPO = Path(__file__).resolve().parents[1]
 # (path, kind, pattern) — pattern groups: (prefix, version)
 TARGETS = [
     ("latticeai/__init__.py", "regex", r'(__version__ = ")([^"]+)(")'),
+    ("lattice_brain/__init__.py", "regex", r'(__version__ = ")([^"]+)(")'),
     ("latticeai/core/workspace_os.py", "regex", r'(WORKSPACE_OS_VERSION = ")([^"]+)(")'),
     ("latticeai/core/marketplace.py", "regex", r'(MARKETPLACE_VERSION = ")([^"]+)(")'),
     ("latticeai/core/multi_agent.py", "regex", r'(MULTI_AGENT_VERSION = ")([^"]+)(")'),
@@ -31,6 +32,8 @@ TARGETS = [
     ("package-lock.json", "package-lock", None),
     ("vscode-extension/package.json", "json", "version"),
     ("vscode-extension/package-lock.json", "package-lock", None),
+    ("src-tauri/Cargo.toml", "regex", r'(^version = ")([^"]+)(")'),
+    ("src-tauri/tauri.conf.json", "json", "version"),
     ("static/app/asset-manifest.json", "json", "version"),
 ]
 

package/scripts/clean_release_artifacts.mjs

@@ -0,0 +1,27 @@
+#!/usr/bin/env node
+import { existsSync, rmSync } from "node:fs";
+import { join } from "node:path";
+
+const repo = join(import.meta.dirname, "..");
+const version = process.argv[2] || process.env.npm_package_version;
+
+if (!version || !/^\d+\.\d+\.\d+([.-][0-9A-Za-z.]+)?$/.test(version)) {
+  console.error("usage: node scripts/clean_release_artifacts.mjs <version>");
+  process.exit(2);
+}
+
+const targets = [
+  join(repo, "dist", `ltcai-${version}-py3-none-any.whl`),
+  join(repo, "dist", `ltcai-${version}.tar.gz`),
+  join(repo, "dist", `ltcai-${version}.vsix`),
+  join(repo, `ltcai-${version}.tgz`),
+  join(repo, "src-tauri", "target", "release", "bundle", "dmg", `Lattice AI_${version}_aarch64.dmg`),
+  join(repo, "src-tauri", "target", "release", "bundle", "macos", "Lattice AI.app"),
+];
+
+for (const target of targets) {
+  if (existsSync(target)) {
+    rmSync(target, { recursive: true, force: true });
+    console.log(`removed ${target}`);
+  }
+}

package/scripts/lint_frontend.mjs

@@ -72,6 +72,16 @@ const requiredPaths = [
   "/workflows/api/definitions",
   "/workspace/os",
   "/models",
+  "/api/brain/storage",
+  "/api/brain/storage/postgres/docker",
+  "/api/brain/storage/migrate-postgres",
+  "/api/knowledge-graph/archive",
+  "/api/knowledge-graph/archive/inspect",
+  "/api/knowledge-graph/archive/verify",
+  "/api/knowledge-graph/archive/import",
+  "/api/knowledge-graph/archive/restore",
+  "/api/knowledge-graph/backup-health",
+  "/admin/product-hardening",
 ];
 if (openapiPaths.length < 300) fail(`OpenAPI path count too low: ${openapiPaths.length}`);
 for (const path of requiredPaths) {