ltcai 5.0.0 → 5.1.0

package/latticeai/api/security_dashboard.py

@@ -26,7 +26,6 @@ from __future__ import annotations
 import io
 import json
 import logging
-import re
 from collections import defaultdict
 from datetime import datetime
 from typing import Any, Callable, Dict, List, Optional
@@ -36,6 +35,7 @@ from fastapi.responses import Response
 from pydantic import BaseModel
 
 from ..core import timezones
+from ..core.security import SECRET_TEXT_PATTERNS, redact_secret_text
 
 logger = logging.getLogger(__name__)
 
@@ -43,23 +43,11 @@ logger = logging.getLogger(__name__)
 # ── Hard secret patterns ──────────────────────────────────────────────────────
 # 이 값들은 관리자도 절대 원문으로 보면 안 된다.
 
-HARD_SECRET_PATTERNS = [
-    re.compile(r"(?i)(api[_-]?key|secret|access[_-]?token|password|passwd|bearer)\s*[:=]\s*\S+"),
-    re.compile(r"sk-[A-Za-z0-9]{20,}"),
-    re.compile(r"ghp_[A-Za-z0-9]{30,}"),
-    re.compile(r"xox[baprs]-[A-Za-z0-9-]{10,}"),
-    re.compile(r"AKIA[0-9A-Z]{16}"),
-    re.compile(r"-----BEGIN [A-Z ]+PRIVATE KEY-----[\s\S]+?-----END [A-Z ]+PRIVATE KEY-----"),
-]
+HARD_SECRET_PATTERNS = SECRET_TEXT_PATTERNS
 
 
 def redact_hard_secrets(text: str) -> str:
-    if not text:
-        return text or ""
-    out = text
-    for pat in HARD_SECRET_PATTERNS:
-        out = pat.sub("[REDACTED_SECRET]", out)
-    return out
+    return redact_secret_text(text)
 
 
 def soft_mask(text: str, *, keep: int = 4) -> str:

package/latticeai/api/static_routes.py

@@ -12,11 +12,27 @@ from fastapi.responses import FileResponse, HTMLResponse
 
 from latticeai.api.ui_redirects import app_redirect
 
+PRODUCTION_CSP = (
+    "default-src 'self'; "
+    "script-src 'self'; "
+    "style-src 'self' 'unsafe-inline'; "
+    "img-src 'self' data: blob: http://127.0.0.1:*; "
+    "font-src 'self' data:; "
+    "connect-src 'self' http://127.0.0.1:* ws://127.0.0.1:*; "
+    "frame-src 'none'; "
+    "object-src 'none'; "
+    "base-uri 'none'; "
+    "form-action 'self'; "
+    "frame-ancestors 'none'"
+)
+
+
 def ui_file_response(path: Path) -> FileResponse:
     response = FileResponse(path)
     response.headers["Cache-Control"] = "no-cache, no-store, must-revalidate"
     response.headers["Pragma"] = "no-cache"
     response.headers["Expires"] = "0"
+    response.headers["Content-Security-Policy"] = PRODUCTION_CSP
     return response
 
 @dataclass(frozen=True)

package/latticeai/app_factory.py

@@ -23,6 +23,84 @@ if TYPE_CHECKING:  # imports for annotations only — keep module import light
     from latticeai.core.config import Config
 
 
+def build_config_runtime(config: "Optional[Config]" = None) -> Dict[str, Any]:
+    """Build the app configuration runtime without importing heavy model code."""
+
+    from latticeai.core.config import Config
+
+    cfg = config if config is not None else Config.from_env()
+    return {
+        "CONFIG": cfg,
+        "APP_MODE": cfg.app_mode,
+        "IS_PUBLIC_MODE": cfg.is_public,
+        "DEFAULT_HOST": cfg.host,
+        "DEFAULT_PORT": cfg.port,
+        "NETWORK_EXPOSED": cfg.network_exposed,
+        "ENABLE_TELEGRAM": cfg.enable_telegram,
+        "ENABLE_GRAPH": cfg.enable_graph,
+        "AUTOLOAD_MODELS": cfg.autoload_models,
+        "MODEL_IDLE_UNLOAD_SECONDS": cfg.model_idle_unload_seconds,
+        "ALLOW_LOCAL_MODELS": cfg.allow_local_models,
+        "REQUIRE_AUTH": cfg.require_auth,
+        "ALLOW_PLAINTEXT_API_KEYS": cfg.allow_plaintext_api_keys,
+        "CORS_ALLOW_NETWORK": cfg.cors_allow_network,
+        "CORS_EXTRA_ORIGINS": cfg.cors_extra_origins,
+        "PUBLIC_MODEL": cfg.public_model,
+        "LOCAL_MODEL": cfg.local_model,
+        "LOCAL_DRAFT_MODEL": cfg.local_draft_model,
+    }
+
+
+def build_security_runtime(config: "Config") -> Dict[str, Any]:
+    """Build auth/security-derived runtime settings from the central config."""
+
+    from latticeai.core.security import configure_trusted_proxies
+
+    configure_trusted_proxies(config.trusted_proxies)
+    return {
+        "SSO_DISCOVERY_URL": config.sso_discovery_url,
+        "SSO_CLIENT_ID": config.sso_client_id,
+        "SSO_CLIENT_SECRET": config.sso_client_secret,
+        "SSO_REDIRECT_URI": config.sso_redirect_uri,
+        "SSO_PROVIDER_NAME": config.sso_provider_name,
+        "RATE_LIMIT_ENABLED": config.rate_limit_enabled,
+        "OPEN_REGISTRATION": config.open_registration,
+        "INVITE_CODE": config.invite_code,
+        "INVITE_GATE_ENABLED": config.invite_gate_enabled,
+    }
+
+
+def build_brain_runtime(
+    *,
+    data_dir: Any,
+    history_file: Any,
+    enable_graph: bool,
+    embedder: Any,
+    storage_engine: Any,
+) -> Dict[str, Any]:
+    """Construct Brain Core storage/conversation primitives behind one seam."""
+
+    from lattice_brain import BrainCore, ConversationStore
+
+    brain_core = BrainCore.from_paths(
+        data_dir,
+        embedder=embedder.provider,
+        storage_engine=storage_engine,
+    ) if enable_graph else None
+    knowledge_graph = brain_core.knowledge if brain_core is not None else None
+    conversations = (
+        brain_core.conversations
+        if brain_core is not None
+        else ConversationStore(data_dir / "knowledge_graph.sqlite")
+    )
+    conversations.import_legacy_json(history_file)
+    return {
+        "BRAIN_CORE": brain_core,
+        "KNOWLEDGE_GRAPH": knowledge_graph,
+        "CONVERSATIONS": conversations,
+    }
+
+
 def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
     """The legacy ``server_app`` assembly, moved verbatim into function scope.
 
@@ -58,14 +136,13 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
     from pydantic import BaseModel
 
     from latticeai.models.router import LLMRouter, normalize_branding
-    from knowledge_graph import set_llm_router
+    from lattice_brain._kg_common import set_llm_router
     from local_knowledge_api import LocalKnowledgeWatcher
     from latticeai.core.security import (
         hash_password,
         verify_password,
         host_is_loopback as _host_is_loopback_impl,
         client_ip as _client_ip_impl,
-        configure_trusted_proxies as _configure_trusted_proxies,
         bytes_match_extension as _bytes_match_extension_impl,
         redact_secret_text as _redact_secret_text,
         check_ip_rate_limit as _check_ip_rate_limit,
@@ -83,7 +160,6 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
     from latticeai.api.admin import create_admin_router
     from latticeai.api.security_dashboard import create_security_router as _create_security_router
     from latticeai.core.model_compat import list_cached_profiles as _list_compat_profiles
-    from latticeai.core.config import Config
     from latticeai.core.workspace_os import (
         WORKSPACE_OS_VERSION,
         WorkspaceOSStore,
@@ -160,7 +236,6 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
     from latticeai.api.portability import create_portability_router
     from latticeai.services.memory_service import MemoryService
     from lattice_brain.ingestion import IngestionItem, IngestionPipeline
-    from lattice_brain import BrainCore, ConversationStore
     from lattice_brain.storage import storage_from_env
     from lattice_brain.context import ContextAssembler
     from lattice_brain.memory import BrainMemory
@@ -202,42 +277,43 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
     # ── App-level config — parsed once, in one place (latticeai.core.config) ──────
     # The module-level names below are kept as a compatibility surface for the rest
     # of server.py; all of them are now derived from a single CONFIG instance.
-    CONFIG = config if config is not None else Config.from_env()
+    _config_runtime = build_config_runtime(config)
+    CONFIG = _config_runtime["CONFIG"]
     APP_VERSION = WORKSPACE_OS_VERSION
 
     # Forwarded headers (X-Forwarded-For / CF-Connecting-IP) are only honoured for
     # IP rate limiting when the direct peer is one of these trusted proxies. Empty by
     # default (local-first): the peer address is used and client-supplied headers are
     # ignored, so per-IP rate limits cannot be spoofed.
-    _configure_trusted_proxies(CONFIG.trusted_proxies)
-
-    APP_MODE = CONFIG.app_mode
-    IS_PUBLIC_MODE = CONFIG.is_public
-    DEFAULT_HOST = CONFIG.host
-    DEFAULT_PORT = CONFIG.port
+    APP_MODE = _config_runtime["APP_MODE"]
+    IS_PUBLIC_MODE = _config_runtime["IS_PUBLIC_MODE"]
+    DEFAULT_HOST = _config_runtime["DEFAULT_HOST"]
+    DEFAULT_PORT = _config_runtime["DEFAULT_PORT"]
     def _host_is_loopback(host: str) -> bool:
         return _host_is_loopback_impl(host)
 
-    NETWORK_EXPOSED = CONFIG.network_exposed
-    ENABLE_TELEGRAM = CONFIG.enable_telegram
-    ENABLE_GRAPH    = CONFIG.enable_graph
-    AUTOLOAD_MODELS = CONFIG.autoload_models
-    MODEL_IDLE_UNLOAD_SECONDS = CONFIG.model_idle_unload_seconds
-    ALLOW_LOCAL_MODELS = CONFIG.allow_local_models
-    REQUIRE_AUTH = CONFIG.require_auth
-    ALLOW_PLAINTEXT_API_KEYS = CONFIG.allow_plaintext_api_keys
-    CORS_ALLOW_NETWORK = CONFIG.cors_allow_network
-    CORS_EXTRA_ORIGINS = CONFIG.cors_extra_origins
-    PUBLIC_MODEL = CONFIG.public_model
-    LOCAL_MODEL = CONFIG.local_model
-    LOCAL_DRAFT_MODEL = CONFIG.local_draft_model
+    NETWORK_EXPOSED = _config_runtime["NETWORK_EXPOSED"]
+    ENABLE_TELEGRAM = _config_runtime["ENABLE_TELEGRAM"]
+    ENABLE_GRAPH    = _config_runtime["ENABLE_GRAPH"]
+    AUTOLOAD_MODELS = _config_runtime["AUTOLOAD_MODELS"]
+    MODEL_IDLE_UNLOAD_SECONDS = _config_runtime["MODEL_IDLE_UNLOAD_SECONDS"]
+    ALLOW_LOCAL_MODELS = _config_runtime["ALLOW_LOCAL_MODELS"]
+    REQUIRE_AUTH = _config_runtime["REQUIRE_AUTH"]
+    ALLOW_PLAINTEXT_API_KEYS = _config_runtime["ALLOW_PLAINTEXT_API_KEYS"]
+    CORS_ALLOW_NETWORK = _config_runtime["CORS_ALLOW_NETWORK"]
+    CORS_EXTRA_ORIGINS = _config_runtime["CORS_EXTRA_ORIGINS"]
+    PUBLIC_MODEL = _config_runtime["PUBLIC_MODEL"]
+    LOCAL_MODEL = _config_runtime["LOCAL_MODEL"]
+    LOCAL_DRAFT_MODEL = _config_runtime["LOCAL_DRAFT_MODEL"]
+
+    _security_runtime = build_security_runtime(CONFIG)
 
     # ── SSO / OIDC config ─────────────────────────────────────────────────────────
-    SSO_DISCOVERY_URL = CONFIG.sso_discovery_url
-    SSO_CLIENT_ID = CONFIG.sso_client_id
-    SSO_CLIENT_SECRET = CONFIG.sso_client_secret
-    SSO_REDIRECT_URI = CONFIG.sso_redirect_uri
-    SSO_PROVIDER_NAME = CONFIG.sso_provider_name
+    SSO_DISCOVERY_URL = _security_runtime["SSO_DISCOVERY_URL"]
+    SSO_CLIENT_ID = _security_runtime["SSO_CLIENT_ID"]
+    SSO_CLIENT_SECRET = _security_runtime["SSO_CLIENT_SECRET"]
+    SSO_REDIRECT_URI = _security_runtime["SSO_REDIRECT_URI"]
+    SSO_PROVIDER_NAME = _security_runtime["SSO_PROVIDER_NAME"]
     _sso_discovery_cache: Optional[Dict] = None
     _sso_discovery_cache_url: str = ""
     _sso_states: Dict[str, float] = {}  # state → timestamp (CSRF protection)
@@ -343,22 +419,20 @@ def _build(config: "Optional[Config]" = None) -> Dict[str, Any]:
     if EMBEDDER.fell_back:
         logging.warning("Embedding provider %s unavailable: %s", EMBEDDER.requested, EMBEDDER.detail)
     STORAGE_ENGINE = storage_from_env(os.environ, data_dir=DATA_DIR) if ENABLE_GRAPH else None
-    BRAIN_CORE = BrainCore.from_paths(
-        DATA_DIR,
-        embedder=EMBEDDER.provider,
+    _brain_runtime = build_brain_runtime(
+        data_dir=DATA_DIR,
+        history_file=HISTORY_FILE,
+        enable_graph=ENABLE_GRAPH,
+        embedder=EMBEDDER,
         storage_engine=STORAGE_ENGINE,
-    ) if ENABLE_GRAPH else None
-    KNOWLEDGE_GRAPH = BRAIN_CORE.knowledge if BRAIN_CORE is not None else None
+    )
+    BRAIN_CORE = _brain_runtime["BRAIN_CORE"]
+    KNOWLEDGE_GRAPH = _brain_runtime["KNOWLEDGE_GRAPH"]
     # ── v4 durable conversation store: unbounded episodic memory in the same
     # SQLite file as the graph (kg_portability backup/restore covers it for
     # free). Legacy chat_history.json is imported once, idempotently, and the
     # file is left untouched on disk as the import source.
-    CONVERSATIONS = (
-        BRAIN_CORE.conversations
-        if BRAIN_CORE is not None
-        else ConversationStore(DATA_DIR / "knowledge_graph.sqlite")
-    )
-    CONVERSATIONS.import_legacy_json(HISTORY_FILE)
+    CONVERSATIONS = _brain_runtime["CONVERSATIONS"]
     # Hooks registry is constructed here (ahead of the watcher) so folder-watch
     # reindexes can fire the pre_index/post_index lifecycle hooks.
     HOOKS_REGISTRY = HooksRegistry(DATA_DIR / "hooks.json")

package/latticeai/core/audit.py

@@ -9,6 +9,7 @@ from pathlib import Path
 from typing import Any, Callable, Dict, List, Optional
 
 from . import timezones
+from .security import redact_secrets
 
 _history_lock = threading.Lock()
 
@@ -40,11 +41,12 @@ def get_audit_log(audit_file: Path) -> List[Dict]:
 
 def append_audit_event(audit_file: Path, event_type: str, **payload) -> None:
     try:
+        safe_payload = redact_secrets(payload)
         event = {
             "event_type": event_type,
             # item 7: 대시보드 "오늘" 계산과 동일한 시간대 기준으로 기록한다.
             "timestamp": timezones.now_iso(),
-            **payload,
+            **safe_payload,
         }
         with _history_lock:
             events = get_audit_log(audit_file)

package/latticeai/core/builtin_hooks.py

@@ -14,10 +14,7 @@ from __future__ import annotations
 
 from typing import Any, Callable
 
-_SECRET_KEY_HINTS = (
-    "token", "password", "passwd", "secret", "api_key", "apikey",
-    "authorization", "auth", "cookie", "session", "private_key",
-)
+from latticeai.core.security import SECRET_KEY_HINTS, redact_secrets as redact_secret_values
 
 
 def register_builtin_hook_runners(
@@ -32,11 +29,12 @@ def register_builtin_hook_runners(
     def redact_secrets(context):
         """pre_run — strip secret-like keys from the agent context packet."""
         payload = context.payload if isinstance(context.payload, dict) else {}
-        redacted = []
-        for key in list(payload.keys()):
-            if any(s in str(key).lower() for s in _SECRET_KEY_HINTS):
-                payload[key] = "***redacted***"
-                redacted.append(key)
+        before = dict(payload)
+        payload.update(redact_secret_values(payload))
+        redacted = [
+            key for key in payload.keys()
+            if payload.get(key) != before.get(key) or any(s in str(key).lower() for s in SECRET_KEY_HINTS)
+        ]
         return {"status": "ok", "output": f"redacted {len(redacted)} field(s)" if redacted else "no secrets present"}
 
     def audit_agent_run(context):

package/latticeai/core/logging_safety.py

@@ -3,22 +3,17 @@
 from __future__ import annotations
 
 import logging
-import re
 from typing import Any
 
-_TELEGRAM_BOT_TOKEN_RE = re.compile(r"\bbot(\d{5,20}):([A-Za-z0-9_-]{8,})")
-_TELEGRAM_BARE_TOKEN_RE = re.compile(
-    r"(?<![A-Za-z0-9_:-])(\d{5,20}):([A-Za-z0-9_-]{8,})(?![A-Za-z0-9_-])"
-)
+from latticeai.core.security import redact_secret_text, redact_secrets
+
 _LOG_FILTER_INSTALLED = False
 
 
 def mask_telegram_bot_token(value: Any) -> str:
-    """Return ``value`` as text with Telegram bot token secrets redacted."""
+    """Return ``value`` as text with Telegram bot token and other secrets redacted."""
 
-    text = str(value)
-    text = _TELEGRAM_BOT_TOKEN_RE.sub(r"bot\1:REDACTED", text)
-    return _TELEGRAM_BARE_TOKEN_RE.sub(r"bot\1:REDACTED", text)
+    return redact_secret_text(str(value))
 
 
 def safe_log_text(value: Any) -> str:
@@ -28,18 +23,7 @@ def safe_log_text(value: Any) -> str:
 
 
 def _safe_log_arg(value: Any) -> Any:
-    if isinstance(value, str):
-        return mask_telegram_bot_token(value)
-    if isinstance(value, tuple):
-        return tuple(_safe_log_arg(item) for item in value)
-    if isinstance(value, list):
-        return [_safe_log_arg(item) for item in value]
-    if isinstance(value, dict):
-        return {_safe_log_arg(key): _safe_log_arg(item) for key, item in value.items()}
-
-    text = str(value)
-    masked = mask_telegram_bot_token(text)
-    return masked if masked != text else value
+    return redact_secrets(value)
 
 
 def install_sensitive_log_filter() -> None:

package/latticeai/core/marketplace.py

@@ -11,7 +11,7 @@ from copy import deepcopy
 from typing import Any, Dict, List, Optional
 
 
-MARKETPLACE_VERSION = "5.0.0"
+MARKETPLACE_VERSION = "5.1.0"
 TEMPLATE_KINDS = ("plugin", "workflow", "agent")
 
 

package/latticeai/core/security.py

@@ -6,7 +6,7 @@ import re
 import secrets
 import threading
 import time
-from typing import Dict, List
+from typing import Any, Dict, List
 
 from fastapi import HTTPException
 
@@ -119,21 +119,79 @@ def bytes_match_extension(data: bytes, ext: str) -> bool:
     return any(head.startswith(sig) for sig in signatures)
 
 
+SECRET_KEY_HINTS = (
+    "api_key",
+    "apikey",
+    "secret",
+    "token",
+    "password",
+    "passwd",
+    "authorization",
+    "cookie",
+    "session",
+    "private_key",
+    "client_secret",
+    "webhook",
+    "dsn",
+    "credential",
+)
+
+SECRET_TEXT_PATTERNS = [
+    re.compile(r"(?i)\b(api[_ -]?key|secret|token|password|passwd|authorization|bearer|client[_ -]?secret|webhook|dsn)\s*[:=]\s*['\"]?([^\s'\",;]{8,})['\"]?"),
+    re.compile(r"\b(sk-[A-Za-z0-9_\-]{16,})\b"),
+    re.compile(r"\b(xai-[A-Za-z0-9_\-]{16,})\b"),
+    re.compile(r"\b(gsk_[A-Za-z0-9_\-]{16,})\b"),
+    re.compile(r"\b(ghp_[A-Za-z0-9_]{30,})\b"),
+    re.compile(r"\b(xox[baprs]-[A-Za-z0-9-]{10,})\b"),
+    re.compile(r"\b(AKIA[0-9A-Z]{16})\b"),
+    re.compile(r"(?i)\b(postgres(?:ql)?://[^@\s]+:[^@\s]+@[^\s]+)"),
+    re.compile(r"-----BEGIN [A-Z ]+PRIVATE KEY-----[\s\S]+?-----END [A-Z ]+PRIVATE KEY-----"),
+]
+
+TELEGRAM_TOKEN_WITH_BOT_RE = re.compile(r"\bbot(\d{5,20}):[A-Za-z0-9_-]{8,}\b")
+TELEGRAM_TOKEN_BARE_RE = re.compile(r"(?<![A-Za-z0-9_:-])(\d{5,20}):[A-Za-z0-9_-]{8,}(?![A-Za-z0-9_-])")
+
+
+def _is_secret_key(key: Any) -> bool:
+    lowered = str(key or "").lower().replace("-", "_")
+    return any(hint in lowered for hint in SECRET_KEY_HINTS)
+
+
 def redact_secret_text(text: str) -> str:
+    """Redact known secret shapes from user-visible text, logs, and audit data."""
+
     if not text:
         return ""
-    patterns = [
-        r"(?i)(api[_ -]?key|secret|token|password|passwd)\s*[:=]\s*['\"]?([A-Za-z0-9_\-\.]{12,})['\"]?",
-        r"\b(sk-[A-Za-z0-9_\-]{16,})\b",
-        r"\b(xai-[A-Za-z0-9_\-]{16,})\b",
-        r"\b(gsk_[A-Za-z0-9_\-]{16,})\b",
-    ]
     redacted = str(text)
-    for pattern in patterns:
-        redacted = re.sub(pattern, lambda m: f"{m.group(1)}=[REDACTED]" if len(m.groups()) > 1 else "[REDACTED]", redacted)
+    redacted = TELEGRAM_TOKEN_WITH_BOT_RE.sub(r"bot\1:REDACTED", redacted)
+    redacted = TELEGRAM_TOKEN_BARE_RE.sub(r"bot\1:REDACTED", redacted)
+    for pattern in SECRET_TEXT_PATTERNS:
+        def repl(match: re.Match) -> str:
+            if len(match.groups()) >= 2:
+                return f"{match.group(1)}=[REDACTED_SECRET]"
+            return "[REDACTED_SECRET]"
+
+        redacted = pattern.sub(repl, redacted)
     return redacted
 
 
+def redact_secrets(value: Any) -> Any:
+    """Recursively redact secret-like values before logs, audit, or API previews."""
+
+    if isinstance(value, str):
+        return redact_secret_text(value)
+    if isinstance(value, dict):
+        out: Dict[Any, Any] = {}
+        for key, item in value.items():
+            out[key] = "[REDACTED_SECRET]" if _is_secret_key(key) else redact_secrets(item)
+        return out
+    if isinstance(value, list):
+        return [redact_secrets(item) for item in value]
+    if isinstance(value, tuple):
+        return tuple(redact_secrets(item) for item in value)
+    return value
+
+
 # ── IP-based rate limiting (registration / login) ────────────────────────────
 _ip_rate_windows: dict = {}
 _ip_rate_lock = threading.Lock()

package/latticeai/core/workspace_os.py

@@ -19,7 +19,7 @@ from pathlib import Path
 from typing import Any, Callable, Dict, Iterable, List, Optional
 
 
-WORKSPACE_OS_VERSION = "5.0.0"
+WORKSPACE_OS_VERSION = "5.1.0"
 
 # Workspace types separate single-user Personal workspaces from shared
 # Organization workspaces. Both keep the same local-first JSON store; the type

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "ltcai",
-  "version": "5.0.0",
+  "version": "5.1.0",
   "description": "Lattice AI — local-first Living Brain workspace (conversation, durable memory, hybrid search, agents, advanced graph exploration, portable encrypted brain archives)",
   "homepage": "https://github.com/TaeSooPark-PTS/LatticeAI#readme",
   "repository": {
@@ -30,7 +30,7 @@
     "typecheck:frontend": "npx tsc -p tsconfig.json --noEmit",
     "test": "node scripts/run_python.mjs -m pytest tests/ -v",
     "test:unit": "node scripts/run_python.mjs -m pytest tests/unit/ -v",
-    "test:integration": "node scripts/run_python.mjs -m pytest tests/integration/ -v",
+    "test:integration": "node scripts/run_integration_tests.mjs",
     "test:visual": "playwright test",
     "vercel:build": "node scripts/build_vercel_static.mjs",
     "desktop:tauri": "tauri dev",

package/scripts/clean_release_artifacts.mjs

@@ -1,5 +1,5 @@
 #!/usr/bin/env node
-import { existsSync, rmSync } from "node:fs";
+import { existsSync, readdirSync, rmSync } from "node:fs";
 import { join } from "node:path";
 
 const repo = join(import.meta.dirname, "..");
@@ -19,6 +19,21 @@ const targets = [
   join(repo, "src-tauri", "target", "release", "bundle", "macos", "Lattice AI.app"),
 ];
 
+const distDir = join(repo, "dist");
+if (existsSync(distDir)) {
+  for (const name of readdirSync(distDir)) {
+    if (/^ltcai-\d+\.\d+\.\d+.*\.(whl|tar\.gz|vsix|tgz)$/.test(name)) {
+      targets.push(join(distDir, name));
+    }
+  }
+}
+
+for (const name of readdirSync(repo)) {
+  if (/^ltcai-\d+\.\d+\.\d+.*\.tgz$/.test(name)) {
+    targets.push(join(repo, name));
+  }
+}
+
 for (const target of targets) {
   if (existsSync(target)) {
     rmSync(target, { recursive: true, force: true });

package/scripts/com.pts.claudecode.discord.plist

@@ -0,0 +1,31 @@
+<?xml version="1.0" encoding="UTF-8"?>
+<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN"
+  "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
+<plist version="1.0">
+<dict>
+  <key>Label</key>
+  <string>com.pts.claudecode.discord</string>
+  <key>ProgramArguments</key>
+  <array>
+    <string>/opt/homebrew/bin/node</string>
+    <string>/Users/parktaesoo/.claude/bin/pts-claudecode-discord-bridge.mjs</string>
+  </array>
+  <key>RunAtLoad</key>
+  <true/>
+  <key>KeepAlive</key>
+  <true/>
+  <key>EnvironmentVariables</key>
+  <dict>
+    <key>PATH</key>
+    <string>/Users/parktaesoo/.bun/bin:/opt/homebrew/bin:/usr/local/bin:/usr/bin:/bin:/usr/sbin:/sbin</string>
+    <key>DISCORD_STATE_DIR</key>
+    <string>/Users/parktaesoo/.claude/channels/discord</string>
+    <key>PTS_CLAUDECODE_PROJECT_DIR</key>
+    <string>/Users/parktaesoo/Downloads/Lattice AI</string>
+  </dict>
+  <key>StandardOutPath</key>
+  <string>/Users/parktaesoo/.claude/logs/pts_claudecode_bridge.out.log</string>
+  <key>StandardErrorPath</key>
+  <string>/Users/parktaesoo/.claude/logs/pts_claudecode_bridge.err.log</string>
+</dict>
+</plist>