fix(security): Critical security and reliability fixes for enterprise deployment

Security fixes:
- config.py: Add path traversal validation to prevent loading malicious configs
- sqlite_index.py: Add LIKE pattern escaping to prevent SQL injection
- redis_client.py: Replace blocking KEYS with non-blocking SCAN iterator
- graphiti_manager.py: Replace threading.Lock with asyncio.Lock to prevent deadlocks

Reliability improvements:
- redis_client.py: Add connection retry with exponential backoff (3 attempts)
- redis_client.py: Add thread-safe initialization with double-checked locking
- redis_client.py: Fix cache_embedding to store full EmbeddingCacheModel structure
- livegrep_client.py: Add context manager protocol for proper resource cleanup
- livegrep_client.py: Add thread-safe client creation and retry logic

New components:
- graphiti_manager.py: Neo4j/Graphiti knowledge graph manager (warm tier)
- livegrep_client.py: Code search client for livegrep integration (cold tier)
- test_graphiti_manager.py: Comprehensive tests for knowledge graph
- test_livegrep_client.py: Comprehensive tests for code search client

Repository cleanup:
- .gitignore: Exclude working .md files, keep only essential docs
- .gitignore: Exclude .claude/ personal config and Archive/
- Remove accidental python/=0.21 file

All 752 tests passing.

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: H4LFdotDEV

.env.example

@@ -1,102 +1,67 @@
 # Claude Code++ Environment Variables
-# Copy this file to .env and populate with your values
-
-# ============================================================================
-# REQUIRED: API Keys
-# ============================================================================
-
-# Anthropic API key for Claude models
-# Get from: https://console.anthropic.com/
-ANTHROPIC_API_KEY=sk-ant-your-key-here
-
-# OpenAI API key (optional, for gpt-4o fallback)
-# Get from: https://platform.openai.com/api-keys
-OPENAI_API_KEY=sk-your-key-here
-
-# LiteLLM master key for model routing proxy authentication
-# Generate: `openssl rand -hex 32`
-LITELLM_MASTER_KEY=your-secure-key-here
-
-# ============================================================================
-# OPTIONAL: Alternative Embeddings Providers
-# ============================================================================
-
-# Voyage AI embeddings (higher quality than OpenAI)
-# Get from: https://www.voyageai.com/
-VOYAGE_API_KEY=
+# Copy this file to .env and fill in the values
+#
+# Required variables are marked with (REQUIRED)
+# Optional variables have defaults or are only needed for specific features
 
-# ============================================================================
-# REQUIRED: Redis Authentication
-# ============================================================================
+# =============================================================================
+# REQUIRED - API Keys
+# =============================================================================
 
-# Redis password for cache layer
-# Generate: `openssl rand -base64 24`
-REDIS_PASSWORD=your-secure-redis-password-here
+# Anthropic API Key for Claude models (REQUIRED)
+ANTHROPIC_API_KEY=sk-ant-your-anthropic-api-key-here
 
-# ============================================================================
-# OPTIONAL: Storage & Persistence
-# ============================================================================
+# LiteLLM master key for model routing (REQUIRED)
+# Generate a secure random key, e.g.: openssl rand -base64 32
+LITELLM_MASTER_KEY=your-secure-litellm-master-key
 
-# Path to Obsidian vault for human-readable memory storage
-OBSIDIAN_VAULT_PATH=~/Library/Mobile\ Documents/iCloud~md~obsidian/Documents/ObsidianVault
+# Redis password for session cache (REQUIRED)
+# Generate a secure password, e.g.: openssl rand -base64 32
+REDIS_PASSWORD=your-secure-redis-password
 
-# SQLite database path (auto-created if doesn't exist)
-SQLITE_PATH=~/.claude-code-pp/memory/sqlite/memories.db
+# Neo4j password for knowledge graph (REQUIRED)
+# Generate a secure password, e.g.: openssl rand -base64 32
+NEO4J_PASSWORD=your-secure-neo4j-password
 
-# FAISS index path
-FAISS_INDEX_PATH=~/.claude-code-pp/memory/faiss/vectors.index
+# =============================================================================
+# OPTIONAL - Additional API Keys
+# =============================================================================
 
-# ============================================================================
-# OPTIONAL: Infrastructure Connections
-# ============================================================================
+# OpenAI API Key (for embeddings, Graphiti entity extraction, fallback models)
+OPENAI_API_KEY=
 
-# Redis connection URL (used if Redis is external/non-docker)
-REDIS_URL=redis://localhost:6379
+# Voyage API Key (for code-optimized embeddings)
+VOYAGE_API_KEY=
 
-# ChromaDB connection URL (used if ChromaDB is external)
-CHROMADB_URL=http://localhost:8000
+# GitHub Personal Access Token (for repository indexing)
+GITHUB_TOKEN=
 
-# LiteLLM proxy URL
-LITELLM_URL=http://localhost:4000
+# =============================================================================
+# OPTIONAL - Service Configuration
+# =============================================================================
 
-# ============================================================================
-# OPTIONAL: Logging & Debugging
-# ============================================================================
+# Memory MCP Configuration
+MEMORY_MCP_LOG_LEVEL=INFO
+MEMORY_MCP_LOG_FILE=/tmp/memory-mcp.log
+CLAUDE_CODE_PP_CONFIG=~/.claude-code-pp/config/settings.yaml
 
-# Log level: DEBUG, INFO, WARNING, ERROR, CRITICAL
-LOG_LEVEL=INFO
+# Neo4j/Graphiti Configuration
+NEO4J_URI=bolt://localhost:7687
+NEO4J_USER=neo4j
 
-# Enable debug mode (verbose output)
-DEBUG=false
+# livegrep Configuration
+LIVEGREP_ENDPOINT=http://localhost:8910
+LIVEGREP_INDEX_PATH=~/.claude-code-pp/livegrep/index.idx
 
-# ============================================================================
-# OPTIONAL: Performance Tuning
-# ============================================================================
+# Local LLM Configuration (Ollama)
+OLLAMA_BASE_URL=http://localhost:11434
 
-# FAISS index batch size (higher = faster indexing, more memory)
-FAISS_BATCH_SIZE=128
+# =============================================================================
+# OPTIONAL - Development & Debug
+# =============================================================================
 
-# Redis connection pool size
-REDIS_POOL_SIZE=10
+# Enable debug logging for MCP servers
+MCP_DEBUG=false
 
-# ============================================================================
-# NOTES
-# ============================================================================
-#
-# 1. Required variables (marked REQUIRED above) MUST be set
-#    - Docker Compose will fail if these are missing
-#    - Values with `:?required` syntax are enforced
-#
-# 2. API Keys should be rotated regularly
-#    - Never commit .env to version control
-#    - .env.example contains only placeholders (safe to commit)
-#
-# 3. For Development:
-#    - Generate secure passwords: openssl rand -base64 24
-#    - Use different keys per environment (dev/staging/prod)
-#
-# 4. For Production:
-#    - Store secrets in a secret manager (AWS Secrets Manager, HashiCorp Vault, etc.)
-#    - Never use default passwords
-#    - Use strong, unique LITELLM_MASTER_KEY
-#    - Enable Redis requirepass (already configured in docker-compose.yaml)
+# Enable verbose logging for all components
+VERBOSE=false

.gitignore

@@ -1,2 +1,46 @@
 .DS_Store
 
+# Swift
+swift-system-controller/.build
+swift-system-controller/.swiftpm
+
+# Python
+__pycache__/
+*.pyc
+.venv/
+*.egg-info/
+python/=0.21
+
+# Docker
+docker/.env
+
+# Local config overrides
+config/*.local.yaml
+
+# Logs
+*.log
+
+# Documentation - exclude all except essential
+*.md
+!README.md
+!LICENSE.md
+!CHANGELOG.md
+!SECURITY.md
+!CONTRIBUTING.md
+!CODE_OF_CONDUCT.md
+# Keep plugin/subproject READMEs
+!plugins/**/README.md
+!python/README.md
+
+# Archive and working files
+Archive/
+Archive.zip
+*.checkpoint
+*.bak
+
+# Claude Code local config (personal workflow)
+.claude/agents/
+.claude/commands/
+.claude/rules/
+.claude/skills/
+.claude/hooks.json