ltcai 4.2.0 → 4.3.0

package/latticeai/api/portability.py

@@ -26,6 +26,8 @@ class BackupRequest(BaseModel):
 class RestoreRequest(BaseModel):
     path: str
     verify: bool = True
+    dry_run: bool = False
+    confirm: bool = False
 
 
 class EncryptedArchiveRequest(BaseModel):
@@ -36,6 +38,18 @@ class EncryptedArchiveRequest(BaseModel):
 class EncryptedRestoreRequest(BaseModel):
     path: str
     passphrase: str
+    dry_run: bool = False
+    confirm: bool = False
+
+
+class EncryptedInspectRequest(BaseModel):
+    path: str
+    passphrase: Optional[str] = None
+
+
+class EncryptedVerifyRequest(BaseModel):
+    path: str
+    passphrase: str
 
 
 class DockerPostgresRequest(BaseModel):
@@ -74,6 +88,12 @@ def create_portability_router(
         _require_service()
         return service.storage_status()
 
+    @router.get("/api/knowledge-graph/backup-health")
+    async def backup_health(request: Request):
+        require_user(request)
+        _require_service()
+        return service.backup_health()
+
     @router.get("/api/knowledge-graph/provenance")
     async def recent_provenance(request: Request, limit: int = 50, source_type: Optional[str] = None):
         """Recent ingestions (provenance trail) for the ingestion-sources UI."""
@@ -114,7 +134,7 @@ def create_portability_router(
         require_admin(request)
         _require_service()
         try:
-            return service.restore(req.path, verify=req.verify)
+            return service.restore(req.path, verify=req.verify, dry_run=req.dry_run, confirm=req.confirm)
         except (ValueError, FileNotFoundError) as exc:
             raise HTTPException(status_code=400, detail=str(exc))
 
@@ -127,12 +147,49 @@ def create_portability_router(
         except (ValueError, FileNotFoundError) as exc:
             raise HTTPException(status_code=400, detail=str(exc))
 
+    @router.post("/api/knowledge-graph/archive/inspect")
+    async def inspect_encrypted_archive(req: EncryptedInspectRequest, request: Request):
+        require_admin(request)
+        _require_service()
+        try:
+            return service.inspect_encrypted_archive(req.path, passphrase=req.passphrase)
+        except (ValueError, FileNotFoundError) as exc:
+            raise HTTPException(status_code=400, detail=str(exc))
+
+    @router.post("/api/knowledge-graph/archive/verify")
+    async def verify_encrypted_archive(req: EncryptedVerifyRequest, request: Request):
+        require_admin(request)
+        _require_service()
+        result = service.verify_encrypted_archive(req.path, passphrase=req.passphrase)
+        if not result.get("ok"):
+            raise HTTPException(status_code=400, detail="; ".join(result.get("errors") or ["Archive verification failed."]))
+        return result
+
+    @router.post("/api/knowledge-graph/archive/import")
+    async def import_encrypted_archive(req: EncryptedRestoreRequest, request: Request):
+        require_admin(request)
+        _require_service()
+        try:
+            return service.import_encrypted_archive(
+                req.path,
+                passphrase=req.passphrase,
+                dry_run=req.dry_run,
+                confirm=req.confirm,
+            )
+        except (ValueError, FileNotFoundError) as exc:
+            raise HTTPException(status_code=400, detail=str(exc))
+
     @router.post("/api/knowledge-graph/archive/restore")
     async def restore_encrypted_archive(req: EncryptedRestoreRequest, request: Request):
         require_admin(request)
         _require_service()
         try:
-            return service.restore_encrypted_archive(req.path, passphrase=req.passphrase)
+            return service.restore_encrypted_archive(
+                req.path,
+                passphrase=req.passphrase,
+                dry_run=req.dry_run,
+                confirm=req.confirm,
+            )
         except (ValueError, FileNotFoundError) as exc:
             raise HTTPException(status_code=400, detail=str(exc))
 

package/latticeai/app_factory.py

@@ -154,6 +154,7 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
     from latticeai.api.hooks import create_hooks_router
     from latticeai.core.hooks import HooksRegistry
     from latticeai.core.builtin_hooks import register_builtin_hook_runners
+    from latticeai.core.product_hardening import build_product_hardening_status
     from latticeai.api.agent_registry import create_agent_registry_router
     from latticeai.core.agent_registry import AgentRegistry
     from latticeai.api.memory import create_memory_router
@@ -1256,6 +1257,13 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
         except Exception as e:
             return {"error": str(e)}
 
+    def _product_hardening_status():
+        return build_product_hardening_status(
+            config=CONFIG,
+            portability=KG_PORTABILITY,
+            device_identity=DEVICE_IDENTITY,
+        )
+
     app.include_router(create_admin_router(
         require_admin=require_admin, require_user=require_user,
         load_users=load_users, save_users=save_users,
@@ -1270,6 +1278,7 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
         invite_code=INVITE_CODE, invite_gate_enabled=INVITE_GATE_ENABLED,
         default_port=DEFAULT_PORT,
         policy_matrix=policy_matrix,
+        product_hardening_status=_product_hardening_status,
     ))
 
     app.include_router(create_invitations_router(

package/latticeai/core/config.py

@@ -163,7 +163,7 @@ class Config:
             host=host,
             port=port,
             network_exposed=network_exposed,
-            enable_telegram=_bool(env, "LATTICEAI_ENABLE_TELEGRAM", default=not is_public),
+            enable_telegram=_bool(env, "LATTICEAI_ENABLE_TELEGRAM", default=False),
             enable_graph=_bool(env, "LATTICEAI_ENABLE_GRAPH", default=True),
             autoload_models=_bool(env, "LATTICEAI_AUTOLOAD_MODELS", default=is_public),
             model_idle_unload_seconds=_int(env, "LATTICEAI_MODEL_IDLE_UNLOAD_SECONDS", 0),

package/latticeai/core/marketplace.py

@@ -11,7 +11,7 @@ from copy import deepcopy
 from typing import Any, Dict, List, Optional
 
 
-MARKETPLACE_VERSION = "4.2.0"
+MARKETPLACE_VERSION = "4.3.0"
 TEMPLATE_KINDS = ("plugin", "workflow", "agent")
 
 

package/latticeai/core/multi_agent.py

@@ -14,7 +14,7 @@ from datetime import datetime
 from typing import Any, Callable, Dict, List, Optional
 
 
-MULTI_AGENT_VERSION = "4.2.0"
+MULTI_AGENT_VERSION = "4.3.0"
 
 AGENT_ROLES = ("researcher", "planner", "executor", "reviewer", "release")
 CORE_PIPELINE = ("planner", "executor", "reviewer")

package/latticeai/core/product_hardening.py

@@ -0,0 +1,217 @@
+"""Product hardening and privacy status helpers.
+
+These helpers are read-only and must not perform network probes. They describe
+the local-first startup posture and distinguish available credentials from
+enabled outbound communication.
+"""
+
+from __future__ import annotations
+
+import os
+import shutil
+from pathlib import Path
+from typing import Any, Dict, Mapping, Optional
+
+from latticeai.core.config import Config
+
+
+def _bool(env: Mapping[str, str], key: str, default: bool = False) -> bool:
+    raw = env.get(key)
+    if raw is None:
+        return default
+    return raw.strip().lower() in {"1", "true", "yes", "on"}
+
+
+def _present(env: Mapping[str, str], *keys: str) -> bool:
+    return any(bool(str(env.get(key) or "").strip()) for key in keys)
+
+
+def external_integration_status(
+    config: Config,
+    *,
+    env: Optional[Mapping[str, str]] = None,
+) -> Dict[str, Any]:
+    if env is None:
+        env = os.environ
+    telegram_credentials = _present(env, "LATTICEAI_TELEGRAM_BOT_TOKEN", "TELEGRAM_BOT_TOKEN")
+    brain_network_auto_push = _bool(env, "LATTICEAI_BRAIN_NETWORK_AUTO_PUSH", default=False)
+    updater_enabled = _bool(env, "LATTICEAI_ENABLE_UPDATES", default=False)
+    model_downloads_enabled = _bool(env, "LATTICEAI_ALLOW_MODEL_DOWNLOADS", default=False) or bool(config.autoload_models)
+    docker_auto_start = _bool(env, "LATTICEAI_DOCKER_AUTO_START", default=False)
+    external_connectors_enabled = _bool(env, "LATTICEAI_ENABLE_EXTERNAL_CONNECTORS", default=False)
+    postgres_enabled = config.storage_engine == "postgres" and bool(config.postgres_dsn)
+    return {
+        "local_only_default": default_startup_local_only(config, env=env),
+        "integrations": {
+            "telegram": {
+                "enabled": bool(config.enable_telegram),
+                "credential_present": telegram_credentials,
+                "opt_in_required": True,
+                "automatic_egress": bool(config.enable_telegram),
+                "detail": (
+                    "enabled by LATTICEAI_ENABLE_TELEGRAM"
+                    if config.enable_telegram
+                    else "disabled; token presence alone does not start Telegram"
+                ),
+            },
+            "brain_network": {
+                "enabled": brain_network_auto_push,
+                "credential_present": False,
+                "opt_in_required": True,
+                "automatic_egress": brain_network_auto_push,
+                "detail": "peer pushes are user/admin initiated; no automatic peer sync by default",
+            },
+            "updates": {
+                "enabled": updater_enabled,
+                "credential_present": False,
+                "opt_in_required": True,
+                "automatic_egress": updater_enabled,
+                "detail": "desktop updater checks are disabled unless LATTICEAI_ENABLE_UPDATES is true",
+            },
+            "model_downloads": {
+                "enabled": model_downloads_enabled,
+                "credential_present": _present(env, "HF_TOKEN", "HUGGINGFACEHUB_API_TOKEN"),
+                "opt_in_required": True,
+                "automatic_egress": bool(config.autoload_models),
+                "detail": "model downloads require an explicit load/autoload setting",
+            },
+            "docker": {
+                "enabled": docker_auto_start,
+                "credential_present": False,
+                "opt_in_required": True,
+                "automatic_egress": docker_auto_start,
+                "detail": "Docker setup requires explicit runtime consent; auto-start is disabled by default",
+            },
+            "postgres": {
+                "enabled": postgres_enabled,
+                "credential_present": bool(config.postgres_dsn),
+                "opt_in_required": True,
+                "automatic_egress": postgres_enabled,
+                "detail": "Postgres scale mode is used only when storage engine and DSN are explicitly configured",
+            },
+            "external_connectors": {
+                "enabled": external_connectors_enabled,
+                "credential_present": _present(
+                    env,
+                    "OPENAI_API_KEY",
+                    "ANTHROPIC_API_KEY",
+                    "GITHUB_TOKEN",
+                    "SLACK_BOT_TOKEN",
+                    "DISCORD_BOT_TOKEN",
+                ),
+                "opt_in_required": True,
+                "automatic_egress": external_connectors_enabled,
+                "detail": "connector credentials are inert until the connector is explicitly enabled and invoked",
+            },
+        },
+    }
+
+
+def default_startup_local_only(
+    config: Config,
+    *,
+    env: Optional[Mapping[str, str]] = None,
+) -> bool:
+    if env is None:
+        env = os.environ
+    local_embedding = config.embedding_provider in {"", "hash", "local", "fallback", "sqlite"}
+    external = external_integration_status_no_recurse(config, env=env)
+    return (
+        not config.network_exposed
+        and not config.cors_allow_network
+        and not config.enable_telegram
+        and not config.autoload_models
+        and config.storage_engine == "sqlite"
+        and local_embedding
+        and not any(item["automatic_egress"] for item in external.values())
+    )
+
+
+def external_integration_status_no_recurse(
+    config: Config,
+    *,
+    env: Mapping[str, str],
+) -> Dict[str, Dict[str, Any]]:
+    return {
+        "brain_network": {"automatic_egress": _bool(env, "LATTICEAI_BRAIN_NETWORK_AUTO_PUSH", default=False)},
+        "updates": {"automatic_egress": _bool(env, "LATTICEAI_ENABLE_UPDATES", default=False)},
+        "docker": {"automatic_egress": _bool(env, "LATTICEAI_DOCKER_AUTO_START", default=False)},
+        "postgres": {"automatic_egress": config.storage_engine == "postgres" and bool(config.postgres_dsn)},
+        "external_connectors": {"automatic_egress": _bool(env, "LATTICEAI_ENABLE_EXTERNAL_CONNECTORS", default=False)},
+    }
+
+
+def build_product_hardening_status(
+    *,
+    config: Config,
+    portability: Any = None,
+    device_identity: Any = None,
+    env: Optional[Mapping[str, str]] = None,
+) -> Dict[str, Any]:
+    if env is None:
+        env = os.environ
+    storage = {"available": False}
+    backup = {"available": False}
+    if portability is not None and getattr(portability, "available", lambda: False)():
+        storage = portability.storage_status()
+        backup = portability.backup_health()
+    identity = {}
+    if device_identity is not None:
+        identity = device_identity.describe()
+    data_dir = Path(config.data_dir)
+    return {
+        "version": "4.3.0",
+        "startup": {
+            "local_only_default": default_startup_local_only(config, env=env),
+            "host": config.host,
+            "port": config.port,
+            "network_exposed": config.network_exposed,
+            "auth_required": config.require_auth,
+            "cors_network_allowed": config.cors_allow_network,
+        },
+        "desktop": {
+            "sidecar_lifecycle": "managed",
+            "restart_supported": True,
+            "shutdown_supported": True,
+            "updater": {
+                "enabled": _bool(env, "LATTICEAI_ENABLE_UPDATES", default=False),
+                "limitation": "No external update checks run unless explicitly enabled by policy.",
+            },
+        },
+        "first_run": {
+            "data_dir": str(data_dir),
+            "data_dir_exists": data_dir.exists(),
+            "python_available": shutil.which("python3") is not None or shutil.which("python") is not None,
+            "docker_available": shutil.which("docker") is not None,
+            "docker_required": False,
+            "postgres_required": False,
+        },
+        "privacy": external_integration_status(config, env=env),
+        "storage": storage,
+        "backup": backup,
+        "device_identity": identity,
+        "permissions": {
+            "export_requires_admin": True,
+            "import_requires_admin": True,
+            "restore_requires_admin": True,
+            "destructive_restore_requires_confirmation": True,
+            "workspace_isolation_enforced": True,
+            "audit_log_visible_to_admin": True,
+        },
+        "failure_policy": {
+            "archive_corruption": "fail_closed",
+            "partial_archive": "fail_closed",
+            "signature_mismatch": "fail_closed",
+            "unsupported_version": "fail_closed",
+            "missing_docker": "honest_unavailable",
+            "missing_postgres": "honest_unavailable",
+            "permission_denied": "honest_error",
+        },
+    }
+
+
+__all__ = [
+    "build_product_hardening_status",
+    "default_startup_local_only",
+    "external_integration_status",
+]

package/latticeai/core/workspace_os.py

@@ -19,7 +19,7 @@ from pathlib import Path
 from typing import Any, Callable, Dict, Iterable, List, Optional
 
 
-WORKSPACE_OS_VERSION = "4.2.0"
+WORKSPACE_OS_VERSION = "4.3.0"
 
 # Workspace types separate single-user Personal workspaces from shared
 # Organization workspaces. Both keep the same local-first JSON store; the type

package/latticeai/services/kg_portability.py

@@ -19,7 +19,7 @@ import shutil
 import tempfile
 import zipfile
 from datetime import datetime, timezone
-from pathlib import Path
+from pathlib import Path, PurePosixPath
 from typing import Any, Dict, Optional
 
 from lattice_brain.archive import BrainArchivePaths, EncryptedBrainArchive
@@ -50,6 +50,13 @@ def _sha256_file(path: Path) -> str:
     return h.hexdigest()
 
 
+def _safe_zip_names(names) -> None:
+    for name in names:
+        path = PurePosixPath(name)
+        if path.is_absolute() or ".." in path.parts:
+            raise ValueError(f"Backup archive contains unsafe path: {name}")
+
+
 class KGPortabilityService:
     def __init__(self, *, knowledge_graph: Any, data_dir, enable_graph: bool = True, device_identity: Any = None) -> None:
         self._kg = knowledge_graph
@@ -156,13 +163,23 @@ class KGPortabilityService:
                             zf.write(f, f"blobs/{f.relative_to(blob_dir)}")
         return {"path": str(dest), "bytes": dest.stat().st_size, "manifest": manifest}
 
-    def restore(self, archive_path, *, verify: bool = True) -> Dict[str, Any]:
+    def restore(
+        self,
+        archive_path,
+        *,
+        verify: bool = True,
+        dry_run: bool = False,
+        confirm: bool = False,
+    ) -> Dict[str, Any]:
         self._require()
         archive = Path(archive_path)
         if not archive.exists():
             raise FileNotFoundError(f"Backup archive not found: {archive}")
+        if not dry_run and not confirm:
+            raise ValueError("Explicit confirmation is required before restoring a Knowledge Graph backup.")
         with zipfile.ZipFile(archive) as zf:
             names = zf.namelist()
+            _safe_zip_names(names)
             if "knowledge_graph.sqlite" not in names:
                 raise ValueError("Archive is missing knowledge_graph.sqlite.")
             manifest = json.loads(zf.read("manifest.json")) if "manifest.json" in names else {}
@@ -173,6 +190,18 @@ class KGPortabilityService:
                 if verify and manifest.get("db_sha256"):
                     if _sha256_file(db_src) != manifest["db_sha256"]:
                         raise ValueError("Backup integrity check failed (db sha256 mismatch).")
+                if dry_run:
+                    return {
+                        "restored": False,
+                        "dry_run": True,
+                        "verified": True,
+                        "manifest": manifest,
+                        "planned": {
+                            "database": str(self._kg.db_path),
+                            "blobs": str(self._kg.blob_dir),
+                            "archive": str(archive),
+                        },
+                    }
                 db_dest = Path(self._kg.db_path)
                 blob_dest = Path(self._kg.blob_dir)
                 db_dest.parent.mkdir(parents=True, exist_ok=True)
@@ -196,25 +225,82 @@ class KGPortabilityService:
             "nodes": sum(stats.get("nodes", {}).values()),
         }
 
+    def verify_backup(self, archive_path) -> Dict[str, Any]:
+        archive = Path(archive_path)
+        if not archive.exists():
+            return {"ok": False, "path": str(archive), "errors": [f"Backup archive not found: {archive}"]}
+        try:
+            with zipfile.ZipFile(archive) as zf:
+                names = zf.namelist()
+                _safe_zip_names(names)
+                if "knowledge_graph.sqlite" not in names:
+                    raise ValueError("Archive is missing knowledge_graph.sqlite.")
+                manifest = json.loads(zf.read("manifest.json")) if "manifest.json" in names else {}
+                with tempfile.TemporaryDirectory() as tmp_s:
+                    tmp = Path(tmp_s)
+                    zf.extract("knowledge_graph.sqlite", tmp)
+                    db_src = tmp / "knowledge_graph.sqlite"
+                    if manifest.get("db_sha256") and _sha256_file(db_src) != manifest["db_sha256"]:
+                        raise ValueError("Backup integrity check failed (db sha256 mismatch).")
+            return {"ok": True, "path": str(archive), "manifest": manifest, "errors": []}
+        except (ValueError, zipfile.BadZipFile, OSError, json.JSONDecodeError) as exc:
+            return {"ok": False, "path": str(archive), "errors": [str(exc)]}
+
     # ── encrypted .latticebrain archive ───────────────────────────────────
     def encrypted_archive(self, dest_path=None, *, passphrase: str) -> Dict[str, Any]:
         self._require()
         self._exports_dir.mkdir(parents=True, exist_ok=True)
         dest = Path(dest_path) if dest_path else self._exports_dir / f"brain-{_stamp()}.latticebrain"
+        metadata = {
+            "storage": self.storage_status().get("active", {}),
+            "snapshot": self.snapshot_metadata(),
+            "device_identity": self._identity.describe() if self._identity is not None else {},
+            "provenance": {"exported_at": _now_iso(), "source": "kg-portability"},
+        }
         archive = EncryptedBrainArchive(
             BrainArchivePaths(
                 db_path=Path(self._kg.db_path),
                 blob_dir=Path(self._kg.blob_dir),
+                data_dir=self._data_dir,
+                metadata=metadata,
             )
         )
         return archive.create(dest, passphrase=passphrase)
 
-    def restore_encrypted_archive(self, archive_path, *, passphrase: str) -> Dict[str, Any]:
+    def inspect_encrypted_archive(self, archive_path, *, passphrase: Optional[str] = None) -> Dict[str, Any]:
+        archive = EncryptedBrainArchive(
+            BrainArchivePaths(
+                db_path=Path(self._kg.db_path),
+                blob_dir=Path(self._kg.blob_dir),
+                data_dir=self._data_dir,
+            )
+        )
+        return archive.inspect(Path(archive_path), passphrase=passphrase)
+
+    def verify_encrypted_archive(self, archive_path, *, passphrase: str) -> Dict[str, Any]:
+        archive = EncryptedBrainArchive(
+            BrainArchivePaths(
+                db_path=Path(self._kg.db_path),
+                blob_dir=Path(self._kg.blob_dir),
+                data_dir=self._data_dir,
+            )
+        )
+        return archive.verify(Path(archive_path), passphrase=passphrase)
+
+    def restore_encrypted_archive(
+        self,
+        archive_path,
+        *,
+        passphrase: str,
+        dry_run: bool = False,
+        confirm: bool = False,
+    ) -> Dict[str, Any]:
         self._require()
         archive = EncryptedBrainArchive(
             BrainArchivePaths(
                 db_path=Path(self._kg.db_path),
                 blob_dir=Path(self._kg.blob_dir),
+                data_dir=self._data_dir,
             )
         )
         return archive.restore(
@@ -223,9 +309,29 @@ class KGPortabilityService:
             target=BrainArchivePaths(
                 db_path=Path(self._kg.db_path),
                 blob_dir=Path(self._kg.blob_dir),
+                data_dir=self._data_dir,
             ),
+            dry_run=dry_run,
+            confirm=confirm,
         )
 
+    def import_encrypted_archive(
+        self,
+        archive_path,
+        *,
+        passphrase: str,
+        dry_run: bool = False,
+        confirm: bool = False,
+    ) -> Dict[str, Any]:
+        result = self.restore_encrypted_archive(
+            archive_path,
+            passphrase=passphrase,
+            dry_run=dry_run,
+            confirm=confirm,
+        )
+        result["operation"] = "import"
+        return result
+
     # ── status surface ───────────────────────────────────────────────────────
     def snapshot_metadata(self) -> Dict[str, Any]:
         if not self.available():
@@ -253,6 +359,28 @@ class KGPortabilityService:
                 else {"engine": "sqlite", "available": True}
             ),
             "postgres": PostgresEngine("", schema="lattice_brain").capabilities().as_dict(),
+            "backup_health": self.backup_health(),
+        }
+
+    def backup_health(self) -> Dict[str, Any]:
+        self._exports_dir.mkdir(parents=True, exist_ok=True)
+        backups = sorted(
+            [
+                p for p in self._exports_dir.glob("*")
+                if p.is_file() and (p.suffix == ".zip" or p.suffix == ".latticebrain")
+            ],
+            key=lambda p: p.stat().st_mtime,
+            reverse=True,
+        )
+        latest = backups[0] if backups else None
+        return {
+            "available": True,
+            "directory": str(self._exports_dir),
+            "count": len(backups),
+            "latest": str(latest) if latest else None,
+            "latest_bytes": latest.stat().st_size if latest else 0,
+            "encrypted_archives": sum(1 for p in backups if p.suffix == ".latticebrain"),
+            "zip_backups": sum(1 for p in backups if p.suffix == ".zip"),
         }
 
     def postgres_docker_setup(
@@ -279,7 +407,22 @@ class KGPortabilityService:
             Path(self._kg.db_path),
             PostgresEngine(dsn, schema=schema),
         )
-        return migrator.migrate(dry_run=dry_run)
+        if dry_run:
+            return migrator.migrate(dry_run=True)
+        backup = self.backup()
+        verification = self.verify_backup(backup["path"])
+        if not verification.get("ok"):
+            raise RuntimeError(
+                "Pre-migration backup verification failed; Postgres migration was not started: "
+                + "; ".join(verification.get("errors") or [])
+            )
+        result = migrator.migrate(dry_run=False)
+        result["pre_migration_backup"] = {
+            "path": backup["path"],
+            "verified": True,
+            "manifest": backup.get("manifest"),
+        }
+        return result
 
     def recent_ingestions(self, *, limit: int = 50, source_type: Optional[str] = None) -> Dict[str, Any]:
         """Recent provenance records (newest first) for the ingestion-sources UI."""

package/ltcai_cli.py

@@ -269,9 +269,10 @@ def main() -> None:
 
     # Telegram startup notification (local start, tunnel handled separately inside _start_tunnel)
     if not args.tunnel:
+        _tg_enabled = os.getenv("LATTICEAI_ENABLE_TELEGRAM", "").strip().lower() in ("1", "true", "yes", "on")
         _tg_token = os.getenv("LATTICEAI_TELEGRAM_BOT_TOKEN", "")
         _tg_chat  = os.getenv("LATTICEAI_TELEGRAM_CHAT_ID", "")
-        if _tg_token and _tg_chat:
+        if _tg_enabled and _tg_token and _tg_chat:
             _local_msg = (
                 f"✅ Lattice AI 시작됨\n\n"
                 f"🏠 로컬: http://localhost:{args.port}"

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ltcai",
-  "version": "4.2.0",
+  "version": "4.3.0",
   "description": "Lattice AI — local-first Digital Brain Platform (knowledge graph, durable memory, hybrid search, agents, signed brain exchange)",
   "homepage": "https://github.com/TaeSooPark-PTS/LatticeAI#readme",
   "repository": {
@@ -41,8 +41,8 @@
     "desktop:tauri:check": "cd src-tauri && cargo check",
     "desktop:electron": "electron desktop/electron/main.cjs",
     "package:vsix": "node scripts/build_vsix.mjs",
-    "release:artifacts": "npm run build:assets && npm run build:python && npm pack && npm run package:vsix",
-    "release:validate": "node scripts/run_python.mjs scripts/validate_release_artifacts.py $npm_package_version --require-vsix --require-tgz",
+    "release:artifacts": "node scripts/clean_release_artifacts.mjs $npm_package_version && npm run build:assets && npm run build:python && npm pack && npm run package:vsix && npm run desktop:tauri:build",
+    "release:validate": "node scripts/run_python.mjs scripts/validate_release_artifacts.py $npm_package_version --require-vsix --require-tgz --require-dmg",
     "publish:npm": "npm pack && npm publish ltcai-$npm_package_version.tgz --access public",
     "publish:pypi": "npm run build:python && node scripts/run_python.mjs -m twine upload --skip-existing dist/ltcai-$npm_package_version.tar.gz dist/ltcai-$npm_package_version-py3-none-any.whl",
     "publish:vscode": "cd vscode-extension && npm run package:vsix && npm run publish:vscode",