grab
diff --git a/‎.github/workflows/build.yml‎
Lines changed: 6 additions & 0 deletions b/‎.github/workflows/build.yml‎
Lines changed: 6 additions & 0 deletions
diff --git a/‎.gitignore‎
Lines changed: 4 additions & 0 deletions b/‎.gitignore‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎forge.config.ts‎
Lines changed: 108 additions & 68 deletions b/‎forge.config.ts‎
Lines changed: 108 additions & 68 deletions
diff --git a/‎package.json‎
Lines changed: 6 additions & 1 deletion b/‎package.json‎
Lines changed: 6 additions & 1 deletion
diff --git a/‎runtime/llama/bin/.gitkeep‎ b/‎runtime/llama/bin/.gitkeep‎
diff --git a/‎runtime/llama/runtime-manifest.json‎
Lines changed: 46 additions & 0 deletions b/‎runtime/llama/runtime-manifest.json‎
Lines changed: 46 additions & 0 deletions
@@ -66,6 +66,9 @@ jobs:
       - name: Install dependencies
         run: npm ci --prefer-offline
 
+      - name: Prepare bundled llama runtime (macOS)
+        run: node scripts/prepare-llama-runtime.mjs --refresh --strict --targets=darwin-arm64,darwin-x64
+
       - name: Verify required environment variables
         run: |
           if [ -z "${{ vars.APPLE_ID }}" ] || [ -z "${{ secrets.APPLE_PASSWORD }}" ] || [ -z "${{ secrets.APPLE_TEAM_ID }}" ] || [ -z "${{ secrets.SIGNING_IDENTITY }}" ]; then
@@ -213,6 +216,9 @@ jobs:
       - name: Install dependencies
         run: npm ci --prefer-offline
 
+      - name: Prepare bundled llama runtime (Windows)
+        run: node scripts/prepare-llama-runtime.mjs --refresh --strict --targets=windows-x64
+
       - name: Verify environment variables
         shell: bash
         run: |
 
@@ -34,6 +34,10 @@ Thumbs.db
 .npm
 .eslintcache
 
+# Bundled llama runtime binaries (generated)
+runtime/llama/bin/*
+!runtime/llama/bin/.gitkeep
+
 # Apple Developer certificates and profiles
 *.p12
 *.pem
 
@@ -29,6 +29,7 @@ const config: ForgeConfig = {
     icon: './public/icon', // Electron Forge will append .icns, .ico, .png automatically
     extraResource: [
       './public',
+      './runtime/llama',
     ],
     // Code signing configuration (uses .env locally, CI environment variables in automation)
     osxSign: (isMAS ? {
@@ -74,83 +75,116 @@ const config: ForgeConfig = {
   // Hooks for post-processing after packaging
   hooks: {
     postPackage: async (_config, options) => {
-      // Only run for MAS builds on macOS
-      if (!isMAS || options.platform !== 'mas') {
+      const isMacBuild = options.platform === 'darwin' || options.platform === 'mas';
+      if (!isMacBuild) {
         return;
       }
 
-      console.log('[postPackage] Re-signing helper apps with correct entitlements for MAS...');
-
       const outputDir = options.outputPaths[0];
-      const identity = process.env.SIGNING_IDENTITY_APPSTORE || 'Apple Distribution';
-      const childEntitlements = path.resolve('entitlements.child.plist');
-      const mainEntitlements = path.resolve('entitlements.mas.plist');
-      const teamId = process.env.APPLE_TEAM_ID || '';
-      const bundleId = (_config as any).packagerConfig.appBundleId || 'com.grabtaxi.klever';
-
-      // Find the .app bundle inside the output directory
       const items = fs.readdirSync(outputDir);
       const appBundle = items.find(item => item.endsWith('.app'));
-
       if (!appBundle) {
-        console.log('[postPackage] No .app bundle found in output directory, skipping');
-        return;
+        throw new Error('[postPackage] No .app bundle found in output directory');
       }
 
       const appPath = path.join(outputDir, appBundle);
       const frameworksPath = path.join(appPath, 'Contents', 'Frameworks');
+      const runtimeRoot = path.join(appPath, 'Contents', 'Resources', 'llama', 'bin');
 
-      console.log(`[postPackage] App bundle: ${appPath}`);
-      console.log(`[postPackage] Frameworks path: ${frameworksPath}`);
+      const runtimeArtifacts = fs.existsSync(runtimeRoot)
+        ? fs.readdirSync(runtimeRoot)
+          .flatMap((platformDir) => {
+            const platformDirPath = path.join(runtimeRoot, platformDir);
+            if (!fs.existsSync(platformDirPath) || !fs.statSync(platformDirPath).isDirectory()) {
+              return [];
+            }
 
-      if (!fs.existsSync(frameworksPath)) {
-        console.log('[postPackage] No Frameworks directory found, skipping helper re-signing');
-        return;
+            return fs.readdirSync(platformDirPath)
+              .map((entry) => path.join(platformDirPath, entry))
+              .filter((artifactPath) => {
+                if (!fs.existsSync(artifactPath)) {
+                  return false;
+                }
+                const stat = fs.lstatSync(artifactPath);
+                if (!stat.isFile()) {
+                  return false;
+                }
+
+                const lowerName = path.basename(artifactPath).toLowerCase();
+                return lowerName === 'llama-server'
+                  || lowerName === 'llama-server.exe'
+                  || lowerName.endsWith('.dylib')
+                  || lowerName.endsWith('.so');
+              });
+          })
+        : [];
+
+      if (runtimeArtifacts.length === 0) {
+        throw new Error('[postPackage] Bundled llama runtime artifacts were not found in app package');
       }
 
-      // Find all helper apps
-      const frameworkItems = fs.readdirSync(frameworksPath);
-      const helperApps = frameworkItems.filter(item => item.endsWith('.app'));
+      const runtimeDynamicLibraries = runtimeArtifacts.filter((artifactPath) => {
+        const lowerName = path.basename(artifactPath).toLowerCase();
+        return lowerName.endsWith('.dylib') || lowerName.endsWith('.so');
+      });
+      if (runtimeDynamicLibraries.length === 0) {
+        throw new Error('[postPackage] Bundled llama runtime dynamic libraries were not found in app package');
+      }
 
-      console.log(`[postPackage] Found ${helperApps.length} helper apps to re-sign`);
+      if (isMAS && options.platform === 'mas') {
+        console.log('[postPackage] Re-signing helper apps and bundled runtime for MAS...');
+        const identity = process.env.SIGNING_IDENTITY_APPSTORE || 'Apple Distribution';
+        const childEntitlements = path.resolve('entitlements.child.plist');
+        const mainEntitlements = path.resolve('entitlements.mas.plist');
+        const teamId = process.env.APPLE_TEAM_ID || '';
+        const bundleId = (_config as any).packagerConfig.appBundleId || 'com.grabtaxi.klever';
 
-      for (const helperApp of helperApps) {
-        const helperPath = path.join(frameworksPath, helperApp);
-        console.log(`[postPackage] Re-signing helper: ${helperApp}`);
+        console.log(`[postPackage] App bundle: ${appPath}`);
+        console.log(`[postPackage] Frameworks path: ${frameworksPath}`);
 
-        try {
-          // Re-sign the helper app with child entitlements (inherit only)
+        if (!fs.existsSync(frameworksPath)) {
+          console.log('[postPackage] No Frameworks directory found, skipping helper re-signing');
+        } else {
+          // Find all helper apps
+          const frameworkItems = fs.readdirSync(frameworksPath);
+          const helperApps = frameworkItems.filter(item => item.endsWith('.app'));
+
+          console.log(`[postPackage] Found ${helperApps.length} helper apps to re-sign`);
+
+          for (const helperApp of helperApps) {
+            const helperPath = path.join(frameworksPath, helperApp);
+            console.log(`[postPackage] Re-signing helper: ${helperApp}`);
+
+            try {
+              // Re-sign the helper app with child entitlements (inherit only)
+              execSync(
+                `codesign --force --sign "${identity}" --entitlements "${childEntitlements}" --timestamp=none "${helperPath}"`,
+                { stdio: 'inherit' }
+              );
+              console.log(`[postPackage] ✅ Successfully re-signed: ${helperApp}`);
+            } catch (error) {
+              console.error(`[postPackage] ❌ Failed to re-sign ${helperApp}:`, error);
+              throw error;
+            }
+          }
+        }
+
+        for (const runtimeBinaryPath of runtimeArtifacts) {
+          console.log(`[postPackage] Re-signing bundled runtime artifact: ${runtimeBinaryPath}`);
           execSync(
-            `codesign --force --sign "${identity}" --entitlements "${childEntitlements}" --timestamp=none "${helperPath}"`,
+            `codesign --force --sign "${identity}" --entitlements "${childEntitlements}" --timestamp=none "${runtimeBinaryPath}"`,
             { stdio: 'inherit' }
           );
-          console.log(`[postPackage] ✅ Successfully re-signed: ${helperApp}`);
-
-          // Verify the entitlements were applied
-          try {
-            const verifyOutput = execSync(
-              `codesign -d --entitlements - "${helperPath}" 2>&1`,
-              { encoding: 'utf8' }
-            );
-            console.log(`[postPackage] Verifying entitlements for ${helperApp}:`);
-            console.log(verifyOutput);
-          } catch (verifyError) {
-            console.error(`[postPackage] ⚠️  Failed to verify entitlements for ${helperApp}:`, verifyError);
-          }
-        } catch (error) {
-          console.error(`[postPackage] ❌ Failed to re-sign ${helperApp}:`, error);
-          throw error;
         }
-      }
 
-      // Re-sign the main app to update the seal after helper modifications
-      console.log('[postPackage] Re-signing main app to update seal...');
-      try {
-        // Create enhanced entitlements with application identifier for TestFlight
-        const mainEntitlementsContent = fs.readFileSync(mainEntitlements, 'utf8');
-        const enhancedEntitlements = mainEntitlementsContent.replace(
-          '</dict>',
-          `    <!-- Required for TestFlight distribution -->
+        // Re-sign the main app to update the seal after helper/runtime modifications
+        console.log('[postPackage] Re-signing main app to update seal...');
+        try {
+          // Create enhanced entitlements with application identifier for TestFlight
+          const mainEntitlementsContent = fs.readFileSync(mainEntitlements, 'utf8');
+          const enhancedEntitlements = mainEntitlementsContent.replace(
+            '</dict>',
+            `    <!-- Required for TestFlight distribution -->
     <key>com.apple.application-identifier</key>
     <string>${teamId}.${bundleId}</string>
     <key>com.apple.developer.team-identifier</key>
@@ -160,26 +194,32 @@ const config: ForgeConfig = {
         <string>${teamId}.${bundleId}</string>
     </array>
 </dict>`
-        );
+          );
 
-        const tempEntitlements = path.join(outputDir, 'temp-entitlements.plist');
-        fs.writeFileSync(tempEntitlements, enhancedEntitlements);
+          const tempEntitlements = path.join(outputDir, 'temp-entitlements.plist');
+          fs.writeFileSync(tempEntitlements, enhancedEntitlements);
 
-        execSync(
-          `codesign --force --sign "${identity}" --entitlements "${tempEntitlements}" --timestamp=none "${appPath}"`,
-          { stdio: 'inherit' }
-        );
+          execSync(
+            `codesign --force --sign "${identity}" --entitlements "${tempEntitlements}" --timestamp=none "${appPath}"`,
+            { stdio: 'inherit' }
+          );
 
-        // Clean up temp file
-        fs.unlinkSync(tempEntitlements);
+          // Clean up temp file
+          fs.unlinkSync(tempEntitlements);
+
+          console.log('[postPackage] ✅ Successfully re-signed main app');
+        } catch (error) {
+          console.error('[postPackage] ❌ Failed to re-sign main app:', error);
+          throw error;
+        }
+      }
 
-        console.log('[postPackage] ✅ Successfully re-signed main app');
-      } catch (error) {
-        console.error('[postPackage] ❌ Failed to re-sign main app:', error);
-        throw error;
+      for (const runtimeBinaryPath of runtimeArtifacts) {
+        console.log(`[postPackage] Verifying bundled runtime signature: ${runtimeBinaryPath}`);
+        execSync(`codesign --verify --verbose=2 "${runtimeBinaryPath}"`, { stdio: 'inherit' });
       }
 
-      console.log('[postPackage] Helper re-signing complete');
+      console.log('[postPackage] Bundled runtime verification complete');
     },
   },
   makers: [
 
@@ -12,6 +12,11 @@
   "type": "module",
   "main": ".vite/build/main.cjs",
   "scripts": {
+    "prepare:llama-runtime": "node scripts/prepare-llama-runtime.mjs",
+    "prepare:llama-runtime:refresh": "node scripts/prepare-llama-runtime.mjs --refresh --strict",
+    "prepackage": "npm run prepare:llama-runtime",
+    "premake": "npm run prepare:llama-runtime",
+    "prestart": "npm run prepare:llama-runtime",
     "start": "electron-forge start",
     "package": "electron-forge package",
     "make": "electron-forge make",
@@ -23,7 +28,7 @@
     "make:all": "electron-forge make --platform=darwin,win32",
     "publish": "electron-forge publish",
     "lint": "eslint --ext .ts,.tsx .",
-    "test:assistant": "tsx --test src/main/assistant/ToolSafetyPolicy.test.ts src/main/assistant/OllamaGuideService.test.ts",
+    "test:assistant": "tsx --test src/main/assistant/*.test.ts",
     "generate:tools": "tsx scripts/generate-tools.ts",
     "version": "echo '✅ Version updated to' $npm_package_version",
     "release": "npm version patch && git push origin main --follow-tags",
 
@@ -0,0 +1,46 @@
+{
+  "source": {
+    "owner": "ggml-org",
+    "repo": "llama.cpp"
+  },
+  "release": {
+    "tag": "b8855",
+    "name": "b8855",
+    "publishedAt": "2026-04-20T12:55:44Z",
+    "url": "https://github.com/ggml-org/llama.cpp/releases/tag/b8855"
+  },
+  "platforms": {
+    "darwin-arm64": {
+      "assetName": "llama-b8855-bin-macos-arm64.tar.gz",
+      "assetUrl": "https://github.com/ggml-org/llama.cpp/releases/download/b8855/llama-b8855-bin-macos-arm64.tar.gz",
+      "assetSha256": "b01357ce84a434bbc45e9f838b5620a635de63ceef305829e725f8c70a032c37",
+      "lastResolvedAt": "2026-04-20T15:20:36.251Z",
+      "binaryRelativePath": "bin/darwin-arm64/llama-server",
+      "binarySha256": "07cc25e06d71512b462057e25142cf41b43746882b4ef30297cf274f44161d26",
+      "preparedAt": "2026-04-20T15:36:51.799Z",
+      "runtimeDependencyCount": 27
+    },
+    "darwin-x64": {
+      "assetName": "llama-b8855-bin-macos-x64.tar.gz",
+      "assetUrl": "https://github.com/ggml-org/llama.cpp/releases/download/b8855/llama-b8855-bin-macos-x64.tar.gz",
+      "assetSha256": "5f229b3a815280737f2e8b93b49d8ca9c6d0d87bddb280c69266ea1a06daa3e2",
+      "lastResolvedAt": "2026-04-20T15:20:36.252Z"
+    },
+    "windows-x64": {
+      "assetName": "llama-b8855-bin-win-cpu-x64.zip",
+      "assetUrl": "https://github.com/ggml-org/llama.cpp/releases/download/b8855/llama-b8855-bin-win-cpu-x64.zip",
+      "assetSha256": "58b4f3f56250b8b2025c65964464b887d0f241e6f95577b2fdb84b14d4979b20",
+      "lastResolvedAt": "2026-04-20T15:20:36.252Z",
+      "binaryRelativePath": "bin/windows-x64/llama-server.exe",
+      "binarySha256": "ea2239a647e835b1c9640694520211d5807daae795aff6d2c398ac8ac99efe64",
+      "preparedAt": "2026-04-20T15:20:43.283Z"
+    },
+    "windows-arm64": {
+      "assetName": "llama-b8855-bin-win-cpu-arm64.zip",
+      "assetUrl": "https://github.com/ggml-org/llama.cpp/releases/download/b8855/llama-b8855-bin-win-cpu-arm64.zip",
+      "assetSha256": "64a7416cc56b317439f922a460c08091c38ac7c7cbd0a8b93974f9d1a45a9981",
+      "lastResolvedAt": "2026-04-20T15:20:36.252Z"
+    }
+  },
+  "updatedAt": "2026-04-20T15:36:51.802Z"
+}