ltcai 4.7.2 → 5.1.0

package/frontend/src/i18n.ts

@@ -0,0 +1,247 @@
+export type Language = "ko" | "en";
+
+export type TextMap = Record<string, string>;
+
+export const LANGUAGE_LABELS: Record<Language, string> = {
+  ko: "한국어",
+  en: "English",
+};
+
+export const COPY: Record<Language, TextMap> = {
+  ko: {
+    "language.label": "언어",
+    "language.ko": "한국어",
+    "language.en": "English",
+    "brain.level": "단계",
+    "brain.depth.1": "Living Brain",
+    "brain.depth.2": "Memory Layer",
+    "brain.depth.3": "Knowledge Layer",
+    "brain.depth.4": "Relationship Layer",
+    "brain.depth.5": "Knowledge Graph",
+    "brain.view.memories": "기억 보기",
+    "brain.view.topics": "주제 보기",
+    "brain.view.relationships": "관계 보기",
+    "brain.view.graph": "그래프로 보기",
+    "brain.surface": "돌아가기",
+    "brain.title": "Lattice Brain",
+    "brain.local": "로컬 우선",
+    "brain.portable": "이동 가능",
+    "brain.private": "개인 소유",
+    "brain.admin": "관리자 콘솔",
+    "brain.empty.kicker": "내 오래가는 기억",
+    "brain.empty.title": "잊으면 안 되는 일부터 말해 주세요.",
+    "brain.empty.body": "문서, 대화, 프로젝트, 결정이 Brain에 쌓이고 나중에 주제와 관계로 다시 보입니다.",
+    "brain.prompt.remember": "이 결정을 기억해줘: ",
+    "brain.prompt.know": "내가 이미 알고 있는 것은? ",
+    "brain.prompt.plan": "이 프로젝트 맥락을 계획으로 바꿔줘: ",
+    "brain.placeholder": "Brain에게 말하기...",
+    "brain.image": "이미지",
+    "brain.unavailable": "지금은 답할 수 없음",
+    "brain.imageAttached": "이미지 첨부됨",
+    "brain.send": "보내기",
+    "brain.saved": "기억에 저장됨 · 연결된 주제 {topics}개 · 관련 기억 {memories}개",
+    "brain.recalled": "기억을 다시 꺼냈습니다: {title}",
+    "brain.overview.kicker": "Brain 한눈에 보기",
+    "brain.overview.title": "기억과 주제를 바로 확인하세요.",
+    "brain.overview.graph": "전체 그래프",
+    "brain.overview.recent": "최근 기억",
+    "brain.overview.recentEmpty": "아직 최근 기억이 없습니다.",
+    "brain.overview.older": "이전 기억",
+    "brain.overview.olderEmpty": "대화가 쌓이면 과거 기억이 보입니다.",
+    "brain.overview.topics": "주요 주제",
+    "brain.overview.topicsEmpty": "주제가 형성되는 중입니다.",
+    "brain.graph.empty": "아직 맞는 지식이 없습니다.",
+    "brain.graph.summaryFallback": "이 개념은 가장 깊은 지식 계층의 일부입니다.",
+    "brain.graph.focused": "대화와 문서에서 함께 나온 내용이 선으로 이어집니다.",
+    "brain.graph.emptyFocus": "대화, 문서, 프로젝트를 쌓으면 Brain 그래프가 자랍니다.",
+    "care.title": "내 Brain 돌보기",
+    "care.subtitle": "내 컴퓨터에 두고, 필요하면 옮길 수 있습니다.",
+    "care.private": "개인 보관",
+    "care.export": "내보내기",
+    "care.export.detail": "다른 곳으로 가져가기",
+    "care.backup": "백업",
+    "care.backup.detail": "복사본 저장",
+    "care.archive": "보관 파일",
+    "care.archive.detail": "암호화된 Brain",
+    "care.path.placeholder": "확인하거나 미리 볼 보관 파일 경로",
+    "care.path.label": "Brain 보관 파일 경로",
+    "care.passphrase.placeholder": "보관 파일 비밀번호",
+    "care.passphrase.label": "Brain 보관 파일 비밀번호",
+    "care.inspect": "확인",
+    "care.restorePreview": "복원 미리보기",
+    "care.note": "복원 미리보기는 Brain을 바꾸지 않고 보관 파일만 확인합니다. 실제 복원은 설정에서 확정합니다.",
+    "care.working": "진행 중",
+    "admin.back": "Brain",
+    "admin.kicker": "분리된 관리자 작업공간",
+    "admin.title": "Admin Console",
+    "admin.body": "사용자, 로그, 보안, Brain 상태는 일반 사용자 화면과 분리됩니다.",
+    "flow.shell": "내 로컬 Brain 만들기",
+    "flow.login.title": "내 Brain을 시작합니다.",
+    "flow.login.body": "모델은 바뀔 수 있지만, 내 문서와 대화, 결정, 기억은 사라지면 안 됩니다. Lattice는 이 지식을 내가 소유하는 개인 Brain으로 모읍니다.",
+    "flow.name": "이름",
+    "flow.email": "이메일",
+    "flow.password": "비밀번호",
+    "flow.password.placeholder": "로컬 Brain 비밀번호",
+    "flow.login.busy": "Brain 여는 중...",
+    "flow.login.submit": "내 Brain 시작하기",
+    "flow.login.note": "기존 Brain과 다른 이메일이면 새로 만들지 않고 먼저 확인합니다.",
+    "flow.login.missing": "이름과 이메일, 비밀번호를 입력하면 기존 Brain을 안전하게 확인합니다.",
+    "flow.login.otherEmail": "이 컴퓨터의 기존 Brain과 다른 이메일입니다. 오타인지 확인해 주세요.",
+    "flow.login.wrongPassword": "기존 Brain 이메일은 맞지만 비밀번호가 다릅니다. 비밀번호를 다시 확인해 주세요.",
+    "flow.login.unavailable": "로컬 프로필을 열 수 없습니다. 이메일과 비밀번호를 확인해 주세요.",
+    "flow.promise.memory.k": "오래 남는 지식",
+    "flow.promise.memory.v": "내 일이 장기 기억이 됩니다.",
+    "flow.promise.model.k": "교체 가능한 모델",
+    "flow.promise.model.v": "모델은 목소리이고, 자산은 Brain입니다.",
+    "flow.promise.ownership.k": "사용자 소유",
+    "flow.promise.ownership.v": "백업, 복원, 이동이 가능합니다.",
+    "flow.analysis.title": "이 컴퓨터를 확인합니다.",
+    "flow.analysis.body": "Brain이 클라우드에 의존하지 않고 이 컴퓨터에서 편하게 돌아갈 수 있는지 확인합니다.",
+    "flow.analysis.finding": "가장 편한 설정을 찾는 중...",
+    "flow.analysis.ready": "추천 모델을 바로 시작할 수 있게 준비했습니다.",
+    "flow.analysis.wait": "잠시만 기다리면 자동으로 정리됩니다.",
+    "flow.analysis.error": "Lattice가 이 컴퓨터를 끝까지 확인하지 못했습니다. 그래도 안전한 기본값으로 계속할 수 있습니다.",
+    "flow.analysis.continue": "추천 모델 보기",
+    "flow.recommend.title": "추천 모델로 시작하세요.",
+    "flow.recommend.body": "모델은 Brain의 현재 목소리입니다. 나중에 바꿔도 기억과 지식은 그대로 남습니다.",
+    "flow.recommend.primary": "추천대로 시작하기",
+    "flow.recommend.unsupported": "이 컴퓨터에서 추가 확인이 필요합니다",
+    "flow.recommend.back": "뒤로",
+    "flow.recommend.hint": "잘 모르겠다면 추천대로 시작하면 됩니다.",
+    "flow.install.title": "모델을 설치하고 시작합니다.",
+    "flow.install.body": "이 모델이 Brain의 로컬 목소리가 됩니다. 다운로드, 확인, 로드는 사용자가 누른 뒤에만 진행됩니다.",
+    "flow.install.wait": "Brain이 사용할 모델을 기다리고 있습니다.",
+    "flow.install.prepare": "Brain 준비 중입니다.",
+    "flow.install.done": "Brain이 준비되었습니다.",
+    "flow.install.note": "큰 모델은 다운로드에 몇 분 이상 걸릴 수 있습니다. 진행률은 모델 런타임이 알려주는 만큼 표시하고, 멈춘 것처럼 보여도 현재 단계가 유지됩니다.",
+    "flow.install.retry": "다른 모델을 고르거나 다시 시도할 수 있습니다.",
+    "flow.install.back": "다른 모델 고르기",
+    "flow.install.start": "다운로드하고 시작하기",
+    "flow.install.busy": "모델 준비 중...",
+    "flow.install.enter": "Brain으로 들어가기",
+    "flow.install.local": "모든 작업은 이 컴퓨터에서 진행됩니다.",
+  },
+  en: {
+    "language.label": "Language",
+    "language.ko": "한국어",
+    "language.en": "English",
+    "brain.level": "Level",
+    "brain.depth.1": "Living Brain",
+    "brain.depth.2": "Memory Layer",
+    "brain.depth.3": "Knowledge Layer",
+    "brain.depth.4": "Relationship Layer",
+    "brain.depth.5": "Knowledge Graph",
+    "brain.view.memories": "Memories",
+    "brain.view.topics": "Topics",
+    "brain.view.relationships": "Relationships",
+    "brain.view.graph": "Graph",
+    "brain.surface": "Back",
+    "brain.title": "Lattice Brain",
+    "brain.local": "Local-first",
+    "brain.portable": "Portable",
+    "brain.private": "Private",
+    "brain.admin": "Admin Console",
+    "brain.empty.kicker": "Durable memory",
+    "brain.empty.title": "Start with what should not be forgotten.",
+    "brain.empty.body": "Documents, conversations, projects, and decisions accumulate in your Brain, then reappear as topics and relationships.",
+    "brain.prompt.remember": "Remember this decision: ",
+    "brain.prompt.know": "What do I already know about ",
+    "brain.prompt.plan": "Turn this project context into a plan: ",
+    "brain.placeholder": "Talk to your Brain...",
+    "brain.image": "Image",
+    "brain.unavailable": "Unavailable",
+    "brain.imageAttached": "Image attached",
+    "brain.send": "Send",
+    "brain.saved": "Saved to memory · {topics} linked topics · {memories} related memories",
+    "brain.recalled": "Recalled this memory: {title}",
+    "brain.overview.kicker": "Brain at a glance",
+    "brain.overview.title": "See memories and topics immediately.",
+    "brain.overview.graph": "Full graph",
+    "brain.overview.recent": "Recent memories",
+    "brain.overview.recentEmpty": "No recent memories yet.",
+    "brain.overview.older": "Earlier memories",
+    "brain.overview.olderEmpty": "Earlier memories appear as conversations accumulate.",
+    "brain.overview.topics": "Main topics",
+    "brain.overview.topicsEmpty": "Topics are still forming.",
+    "brain.graph.empty": "No matching knowledge yet",
+    "brain.graph.summaryFallback": "This concept is part of the deepest knowledge layer.",
+    "brain.graph.focused": "Ideas that appeared together in conversations and documents are connected by lines.",
+    "brain.graph.emptyFocus": "Your Brain graph grows as you add conversations, documents, and projects.",
+    "care.title": "Care for my Brain",
+    "care.subtitle": "Own it locally. Keep it portable.",
+    "care.private": "Private",
+    "care.export": "Export",
+    "care.export.detail": "Take it with you",
+    "care.backup": "Backup",
+    "care.backup.detail": "Save a copy",
+    "care.archive": "Archive",
+    "care.archive.detail": "Encrypted Brain",
+    "care.path.placeholder": "Paste an archive path to inspect or preview",
+    "care.path.label": "Brain archive path",
+    "care.passphrase.placeholder": "Archive passphrase",
+    "care.passphrase.label": "Brain archive passphrase",
+    "care.inspect": "Inspect",
+    "care.restorePreview": "Restore preview",
+    "care.note": "Restore preview checks an archive without changing your Brain. Confirmed restore stays in Settings.",
+    "care.working": "Working",
+    "admin.back": "Brain",
+    "admin.kicker": "Separate admin workspace",
+    "admin.title": "Admin Console",
+    "admin.body": "Users, logs, security, and Brain health stay out of the normal user experience.",
+    "flow.shell": "Create your local Brain",
+    "flow.login.title": "Start your Brain.",
+    "flow.login.body": "Models can change, but your documents, conversations, decisions, and memories should stay yours. Lattice gathers them into a personal Brain you control.",
+    "flow.name": "Name",
+    "flow.email": "Email",
+    "flow.password": "Password",
+    "flow.password.placeholder": "Local Brain password",
+    "flow.login.busy": "Opening Brain...",
+    "flow.login.submit": "Start my Brain",
+    "flow.login.note": "If the email differs from this computer's Brain, Lattice checks before creating anything new.",
+    "flow.login.missing": "Enter your name, email, and password so Lattice can safely check your Brain.",
+    "flow.login.otherEmail": "This email differs from the Brain on this computer. Please check for a typo.",
+    "flow.login.wrongPassword": "The email matches this Brain, but the password is different. Please check it again.",
+    "flow.login.unavailable": "Could not open the local profile. Check your email and password.",
+    "flow.promise.memory.k": "Durable knowledge",
+    "flow.promise.memory.v": "Your work becomes long-term memory.",
+    "flow.promise.model.k": "Replaceable models",
+    "flow.promise.model.v": "The model is the voice; the Brain is the asset.",
+    "flow.promise.ownership.k": "User owned",
+    "flow.promise.ownership.v": "Back up, restore, and move it.",
+    "flow.analysis.title": "Checking this computer.",
+    "flow.analysis.body": "Lattice checks whether your Brain can run comfortably on this computer without depending on the cloud.",
+    "flow.analysis.finding": "Finding the easiest setup...",
+    "flow.analysis.ready": "Your recommended model is ready to start.",
+    "flow.analysis.wait": "This will be summarized automatically in a moment.",
+    "flow.analysis.error": "Lattice could not finish checking this computer. You can still continue with a safe default.",
+    "flow.analysis.continue": "View recommended models",
+    "flow.recommend.title": "Start with the recommended model.",
+    "flow.recommend.body": "The model is your Brain's current voice. You can change it later without losing memory or knowledge.",
+    "flow.recommend.primary": "Start with recommendation",
+    "flow.recommend.unsupported": "This computer needs one more check",
+    "flow.recommend.back": "Back",
+    "flow.recommend.hint": "If unsure, start with the recommendation.",
+    "flow.install.title": "Install the model and start.",
+    "flow.install.body": "This model becomes your Brain's local voice. Download, validation, and loading begin only after you choose to start.",
+    "flow.install.wait": "Waiting for the model your Brain will use.",
+    "flow.install.prepare": "Preparing your Brain.",
+    "flow.install.done": "Your Brain is ready.",
+    "flow.install.note": "Large models can take several minutes to download. Progress is shown when the model runtime reports it; a steady stage still means work is continuing.",
+    "flow.install.retry": "Choose another model or try again.",
+    "flow.install.back": "Choose another model",
+    "flow.install.start": "Download and start",
+    "flow.install.busy": "Preparing model...",
+    "flow.install.enter": "Enter Brain",
+    "flow.install.local": "Everything runs on this computer.",
+  },
+};
+
+export function t(language: Language, key: string, values?: Record<string, string | number>) {
+  let text = COPY[language]?.[key] || COPY.ko[key] || key;
+  if (values) {
+    for (const [name, value] of Object.entries(values)) {
+      text = text.replaceAll(`{${name}}`, String(value));
+    }
+  }
+  return text;
+}

package/frontend/src/pages/System.tsx

@@ -19,7 +19,7 @@ const tabs: Array<{ id: SystemTab; label: string }> = [
   { id: "activity", label: "History" },
   { id: "network", label: "Devices" },
   { id: "settings", label: "Preferences" },
-  { id: "admin", label: "Admin" },
+  { id: "admin", label: "Admin Console" },
 ];
 
 export function SystemPage({ initialTab }: { initialTab?: string }) {

package/frontend/src/store/appStore.ts

@@ -1,4 +1,5 @@
 import { create } from "zustand";
+import type { Language } from "@/i18n";
 
 export type Theme = "dark" | "light";
 export type WorkspaceMode = "basic" | "advanced" | "admin";
@@ -8,10 +9,12 @@ type AppState = {
   mode: WorkspaceMode;
   workspaceId: string | null;
   apiBase: string | null;
+  language: Language;
   setTheme: (theme: Theme) => void;
   setMode: (mode: WorkspaceMode) => void;
   setWorkspaceId: (workspaceId: string | null) => void;
   setApiBase: (apiBase: string | null) => void;
+  setLanguage: (language: Language) => void;
 };
 
 function readTheme(): Theme {
@@ -37,11 +40,21 @@ function readWorkspaceId(): string | null {
   return null;
 }
 
+function readLanguage(): Language {
+  try {
+    const saved = localStorage.getItem("lattice.language");
+    if (saved === "ko" || saved === "en") return saved;
+  } catch {}
+  const browser = typeof navigator !== "undefined" ? navigator.language.toLowerCase() : "";
+  return browser.startsWith("ko") ? "ko" : "en";
+}
+
 export const useAppStore = create<AppState>((set) => ({
   theme: readTheme(),
   mode: readMode(),
   workspaceId: readWorkspaceId(),
   apiBase: null,
+  language: readLanguage(),
   setTheme: (theme) => {
     document.documentElement.dataset.theme = theme;
     try { localStorage.setItem("lattice.theme", theme); } catch {}
@@ -58,4 +71,9 @@ export const useAppStore = create<AppState>((set) => ({
     set({ workspaceId });
   },
   setApiBase: (apiBase) => set({ apiBase }),
+  setLanguage: (language) => {
+    document.documentElement.lang = language === "ko" ? "ko" : "en";
+    try { localStorage.setItem("lattice.language", language); } catch {}
+    set({ language });
+  },
 }));

package/frontend/src/styles.css

@@ -1290,6 +1290,38 @@ body {
   outline: none;
 }
 
+.language-switcher {
+  display: inline-flex;
+  align-items: center;
+  gap: 0.25rem;
+  border: 1px solid hsl(var(--border) / 0.58);
+  border-radius: 999px;
+  background: hsl(var(--surface-glass));
+  padding: 0.18rem;
+}
+
+.language-switcher button {
+  min-height: 1.65rem;
+  border: 0;
+  border-radius: 999px;
+  background: transparent;
+  color: hsl(var(--fg-muted));
+  padding: 0 0.56rem;
+  font-size: 0.68rem;
+  font-weight: 820;
+  letter-spacing: 0;
+  cursor: pointer;
+}
+
+.language-switcher button.is-active {
+  background: hsl(var(--brain-core) / 0.14);
+  color: hsl(var(--fg));
+}
+
+.language-switcher.compact {
+  flex: 0 0 auto;
+}
+
 .brain-stream {
   flex: 1 1 auto;
   overflow-y: auto;
@@ -2854,6 +2886,10 @@ body {
   text-align: center;
 }
 
+.ritual-language {
+  margin: 0 auto 1rem;
+}
+
 .ritual-brain {
   margin: 0 auto 1.75rem;
 }

package/lattice_brain/__init__.py

@@ -26,7 +26,7 @@ from .storage import (
     storage_from_env,
 )
 
-__version__ = "4.7.2"
+__version__ = "5.1.0"
 
 __all__ = [
     "AgentRuntime",

package/lattice_brain/portability.py

@@ -75,8 +75,8 @@ def _sqlite_siblings(db_path: Path) -> tuple[Path, Path, Path]:
 def _restore_sibling(path: Path, backup: Path) -> None:
     if backup.exists():
         shutil.copy2(backup, path)
-    elif path.exists():
-        path.unlink()
+    else:
+        path.unlink(missing_ok=True)
 
 
 def _replace_sqlite_atomically(src: Path, dest: Path, backup_dir: Path) -> None:
@@ -85,14 +85,18 @@ def _replace_sqlite_atomically(src: Path, dest: Path, backup_dir: Path) -> None:
     shutil.copyfile(src, tmp)
     backups: dict[Path, Path] = {}
     try:
+        # -wal/-shm are transient: another live connection can checkpoint and
+        # remove them between exists() and the copy/unlink. Treat a vanished
+        # sibling as "nothing to preserve" instead of crashing the restore.
         for sibling in _sqlite_siblings(dest):
-            if sibling.exists():
-                backup = backup_dir / sibling.name
+            backup = backup_dir / sibling.name
+            try:
                 shutil.copy2(sibling, backup)
-                backups[sibling] = backup
+            except FileNotFoundError:
+                continue
+            backups[sibling] = backup
         for sibling in _sqlite_siblings(dest)[1:]:
-            if sibling.exists():
-                sibling.unlink()
+            sibling.unlink(missing_ok=True)
         os.replace(tmp, dest)
     except Exception:
         if tmp.exists():

package/lattice_brain/runtime/multi_agent.py

@@ -14,7 +14,7 @@ from datetime import datetime
 from typing import Any, Callable, Dict, List, Optional
 
 
-MULTI_AGENT_VERSION = "4.7.2"
+MULTI_AGENT_VERSION = "5.1.0"
 
 AGENT_ROLES = ("researcher", "planner", "executor", "reviewer", "release")
 CORE_PIPELINE = ("planner", "executor", "reviewer")

package/latticeai/__init__.py

@@ -1,3 +1,3 @@
 """Lattice AI - modular server package."""
 
-__version__ = "4.7.2"
+__version__ = "5.1.0"

package/latticeai/api/chat.py

@@ -27,7 +27,7 @@ from latticeai.core.document_generator import DocumentGenerationSession, detect_
 from lattice_brain.runtime.hooks import dispatch_tool
 from latticeai.services.app_context import AppContext
 from latticeai.services.tool_dispatch import build_agent_runtime, collect_created_files
-from tools import AGENT_ROOT, ToolError, ensure_agent_root, execute_tool, knowledge_save, local_read, network_status
+from tools import AGENT_ROOT, ToolError, ensure_agent_root, execute_tool, knowledge_save, network_status
 
 class ChatRequest(BaseModel):
     message: str
@@ -42,6 +42,7 @@ class ChatRequest(BaseModel):
     user_email: Optional[str] = None
     user_nickname: Optional[str] = None
     image_data: Optional[str] = None
+    allow_file_context: bool = False
 
 
 class AgentRequest(BaseModel):
@@ -450,16 +451,23 @@ def create_chat_router(context: AppContext) -> APIRouter:
     
         if CONFIG.auto_read_chat_paths:
             _file_path_re = re.compile(r'(?:^|[\s\'\"(])((~|/[\w.])[^\s\'")\]]*)', re.MULTILINE)
-            for _m in _file_path_re.finditer(req.message or ""):
-                _fpath = _m.group(1).strip()
-                try:
-                    _result = local_read(_fpath)
-                    _fcontent = _result.get("content", "")
-                    if _fcontent:
-                        context += f"\n\n[FILE: {_fpath}]\n```\n{_fcontent[:6000]}\n```"
-                        print(f"📂 Auto-injected file context: {_fpath}")
-                except Exception:
-                    pass
+            requested_paths = [_m.group(1).strip() for _m in _file_path_re.finditer(req.message or "")]
+            if requested_paths:
+                append_audit_event(
+                    "auto_file_context_blocked",
+                    user_email=effective_email,
+                    path_count=len(requested_paths),
+                    allow_file_context=req.allow_file_context,
+                    reason="local file context requires an explicit approved file/tool flow",
+                )
+                if req.allow_file_context:
+                    raise HTTPException(
+                        status_code=400,
+                        detail=(
+                            "Automatic local file reads are disabled in chat. "
+                            "Attach the file, upload it, or use an approved local-file tool flow."
+                        ),
+                    )
     
         trace_seed = CHAT_SERVICE.build_graph_trace(
             req.message,

package/latticeai/api/models.py

@@ -77,6 +77,7 @@ class SetApiKeyRequest(BaseModel):
 
 class PullModelRequest(BaseModel):
     model: str
+    allow_download: bool = False
 
 
 class PrepareModelRequest(BaseModel):
@@ -291,6 +292,11 @@ def create_models_router(
     @router.post("/engines/pull-model")
     async def pull_ollama_model(req: PullModelRequest, request: Request):
         require_user(request)
+        if not req.allow_download:
+            raise HTTPException(
+                status_code=403,
+                detail="Model downloads require explicit user consent (allow_download=true).",
+            )
         model_ref = normalize_local_model_request(req.model, None)
         if not model_ref:
             raise HTTPException(status_code=400, detail="모델 식별자가 비어 있습니다.")

package/latticeai/api/security_dashboard.py

@@ -26,7 +26,6 @@ from __future__ import annotations
 import io
 import json
 import logging
-import re
 from collections import defaultdict
 from datetime import datetime
 from typing import Any, Callable, Dict, List, Optional
@@ -36,6 +35,7 @@ from fastapi.responses import Response
 from pydantic import BaseModel
 
 from ..core import timezones
+from ..core.security import SECRET_TEXT_PATTERNS, redact_secret_text
 
 logger = logging.getLogger(__name__)
 
@@ -43,23 +43,11 @@ logger = logging.getLogger(__name__)
 # ── Hard secret patterns ──────────────────────────────────────────────────────
 # 이 값들은 관리자도 절대 원문으로 보면 안 된다.
 
-HARD_SECRET_PATTERNS = [
-    re.compile(r"(?i)(api[_-]?key|secret|access[_-]?token|password|passwd|bearer)\s*[:=]\s*\S+"),
-    re.compile(r"sk-[A-Za-z0-9]{20,}"),
-    re.compile(r"ghp_[A-Za-z0-9]{30,}"),
-    re.compile(r"xox[baprs]-[A-Za-z0-9-]{10,}"),
-    re.compile(r"AKIA[0-9A-Z]{16}"),
-    re.compile(r"-----BEGIN [A-Z ]+PRIVATE KEY-----[\s\S]+?-----END [A-Z ]+PRIVATE KEY-----"),
-]
+HARD_SECRET_PATTERNS = SECRET_TEXT_PATTERNS
 
 
 def redact_hard_secrets(text: str) -> str:
-    if not text:
-        return text or ""
-    out = text
-    for pat in HARD_SECRET_PATTERNS:
-        out = pat.sub("[REDACTED_SECRET]", out)
-    return out
+    return redact_secret_text(text)
 
 
 def soft_mask(text: str, *, keep: int = 4) -> str:

package/latticeai/api/static_routes.py

@@ -12,11 +12,27 @@ from fastapi.responses import FileResponse, HTMLResponse
 
 from latticeai.api.ui_redirects import app_redirect
 
+PRODUCTION_CSP = (
+    "default-src 'self'; "
+    "script-src 'self'; "
+    "style-src 'self' 'unsafe-inline'; "
+    "img-src 'self' data: blob: http://127.0.0.1:*; "
+    "font-src 'self' data:; "
+    "connect-src 'self' http://127.0.0.1:* ws://127.0.0.1:*; "
+    "frame-src 'none'; "
+    "object-src 'none'; "
+    "base-uri 'none'; "
+    "form-action 'self'; "
+    "frame-ancestors 'none'"
+)
+
+
 def ui_file_response(path: Path) -> FileResponse:
     response = FileResponse(path)
     response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
     response.headers["Pragma"] = "no-cache"
     response.headers["Expires"] = "0"
+    response.headers["Content-Security-Policy"] = PRODUCTION_CSP
     return response
 
 @dataclass(frozen=True)