## [4.13.1] - 2026-06-21 ### Fixed - **Corrected the bundled Seal attestation verification key.** 4.13.0 shipped an incorrect `seal_pubkey.ed25519` (a development key accidentally committed in the v0.2 producer work), so genuine signed attestations would not verify against the bundled verifier. 4.13.1 restores the authoritative signing key and its constitution signature; real attestations verify correctly again. No other change from 4.13.0. ## [4.13.0] - 2026-06-20 ### Changed — Free/Pro tier realignment (LED-1454 / LED-1738 / LED-1740 / LED-1741) Tools are re-sorted by marginal cost. **A 90-day grace window (through 2026-09-16) plus automatic grandfathering means no existing free user is cut off mid-workflow** — newly-metered tools keep working for current free users during grace and are auto-grandfathered on first use. - **Now FREE** (zero-marginal-cost, read-only/local): `delimit_notify`, the agent lifecycle (`agent_dispatch`, `agent_status`, `agent_complete`, `agent_handoff`, `next_task`, `task_complete`), the loop control-plane (`loop_status`, `loop_config`), and `repo_analyze`, `repo_config_audit`, `repo_config_validate`, `repo_diagnose`, `test_coverage`. - **Now Pro** (real-marginal-cost — scrapers, daemons, posting, deep audits): `delimit_audit`, `build_loop_daemon`, `daemon_run`, `vendor_news_scan`, `vendor_news_draft`, `content_publish`, `social_post`, `social_generate`, `social_approve`, `social_history`, `social_target`, `social_daemon`, `github_scan`, `reddit_scan`, `inbox_daemon`, `notify_inbox`, `security_deliberate`, `security_ingest`, `gov_new_task`. - The free multi-model `delimit_deliberate` (3 free runs) is unchanged. ### Added — Seal v0.2 dual-signed attestation - Attestations are now issued with **dual Ed25519 signatures** (independent key custody) and a REQUIRED model_sequence, verified client-side by the bundled verifier. Existing receipt verification (Merkle, constitution seed) is byte-compatible; the verifier and seed are unchanged. ### Fixed - **`delimit_agent_dispatch`: the dead-letter circuit breaker no longer false-pauses on long-lived pool tasks** (LED-3514). Pool-lifecycle task types are excluded from the auto-pause depth count; a genuine worker backlog still trips the breaker. - **`delimit_substantive_content_check`: stricter gate on third-party-engagement bodies** (LED-3486) — promotion disguised as a technical contribution is now hard-blocked. - **`delimit_github_scan`: data-grounded precision filter** (LED-1724) cuts ~94% of low-signal scan noise. - `secrets_broker` scope checks can now fail closed (opt-in), and the `security_audit` chain no longer duplicates P0 ledger stubs (LED-1753). ### Internal - Tool docstring-quality (TDQS) upgrades for the multiplexer tools; outreach/content tool-backend updates; test-suite hermeticity hardening; internal-only `outreach_body_gen.py` and the Seal `producer.py` issuance module excluded from the public bundle. ## [4.12.1] - 2026-06-20 ### Fixed - **Gemini governance shim routes to Antigravity (`agy`).** The generated `gemini` shim now prefers the Antigravity CLI before the retired free-tier `gemini-cli` (which returns `IneligibleTierError` as of June 2026), falling through to the real `gemini` if `agy` is not installed. Restores the generation path for users on the deprecated free tier; users without `agy` are unaffected. ### Documentation - README now documents the zero-config `delimit check` command — the fastest path to value (PR #140). ## [4.11.1] - 2026-06-17 ### Changed — compiled engine bumped to proModuleVersion 3.10.0 (binary-customer parity for LED-1454) - Binary (compiled-engine) installs now fetch pro module **v3.10.0**, which carries the LED-1454 leaky-gate closure into the compiled `PRO_TOOLS` set: `delimit_security_deliberate`, `delimit_security_ingest`, `delimit_gov_new_task`, and `delimit_social_approve` now require Pro on the compiled path too (previously free only there due to a set mismatch), and `delimit_repo_diagnose` + `delimit_test_coverage` are free everywhere. The four gated tools carry a **90-day grace + automatic grandfather**, so no existing free user is hard-cut mid-migration. Non-binary (Python-fallback) behavior is unchanged from 4.11.0. ## [4.11.0] - 2026-06-17 ### Changed - **`delimit_repo_diagnose` and `delimit_test_coverage` moved to FREE** (LED-1454). Both are read-only, zero-marginal-cost tools (a quick repo health pass and an `os.walk` test-file-count estimate); they round out the free tier alongside the already-free `delimit_test_smoke` and repo-inspection family. The four Pro security/governance/social tools they were grouped with stay Pro. ### Added - **Golden Path** — a "first 10 minutes" merge-gate walkthrough in the README: lint → diff → semver → multi-model deliberation → signed, replayable attestation → persistent memory + ledger. ### Fixed - `delimit_security_audit` no longer accumulates duplicate P0 ledger items when the same target is scanned repeatedly (dedup on exact finding title; fail-open). - The Twitter auto-post path now enforces a 24h freshness window (parity with the GitHub path), so a stale-approved draft is surfaced for manual posting rather than auto-posting late. ## [4.10.0] - 2026-06-16 ### Changed — Pro tier rebalanced (90-day grace; no existing user is hard-cut) - **12 zero-marginal-cost tools moved to FREE**: the agent lifecycle (`delimit_agent_dispatch` / `_status` / `_complete` / `_handoff`), `delimit_notify`, repo inspection (`delimit_repo_analyze`, `delimit_repo_config_audit`, `delimit_repo_config_validate`), and loop/task control (`delimit_loop_config`, `delimit_loop_status`, `delimit_next_task`, `delimit_task_complete`). These are local-state / read tools that anchor the free tier. - **12 marginal-cost tools moved to Pro** (LLM calls, outbound network, or background daemons), each behind a **90-day grace window + automatic grandfather** so existing free users are never hard-cut mid-migration: `delimit_audit`, `delimit_build_loop_daemon`, `delimit_vendor_news_scan`, `delimit_vendor_news_draft`, `delimit_content_publish`, `delimit_social_target`, `delimit_github_scan`, `delimit_reddit_scan`, `delimit_inbox_daemon`, `delimit_social_daemon`, `delimit_daemon_run`, `delimit_notify_inbox`. ### Added - **scan_bridge precision filter** — a data-grounded gate that cuts ~94% of low-signal strategic auto-promotions; env-tunable and reversible (`DELIMIT_SCAN_PROMO_*`). - Tool documentation upgrades (registry tool-score lift), a docstring-quality (TDQS) check, and secrets-broker hardening (honest at-rest field naming + kill-switched scope enforcement). ### Fixed - The central Pro entitlement gate is now grace-aware, so newly-Pro tools honor the migration window end-to-end (no hard-block during grace). ## [4.9.0] - 2026-06-15 ### Added - **Hardened v0.2 attestation verification (Delimit Seal).** The bundled open-core verifier now validates `schema_version: 0.2` receipts: required `model_sequence` (non-suppressible model trace), hash-only Merkle payload (`merkle.py`, no raw content), and dual Ed25519 signatures (`signatures[]`, deduped by distinct public key). New `gateway/ai/seal/`: `merkle.py`, `seal_pubkeys.json` (published co-signing key), `HARDENED_SCHEMA.md`, canonicalization conformance vectors. Fully backward compatible — existing v0.1 single-signature receipts still verify unchanged. # Changelog ## [4.7.10] - 2026-06-09 Reliability + a new fail-closed handoff guard. ### Added - **`delimit_handoff_preflight`** — a read-only MCP validator that checks the cross-agent invariant set before a handoff/Auto-Phoenix switch (committer identity not junk, repo not bare, no leaked `GIT_*`, no stale index lock, recent context stamp), fail-closed. The permitted-identity allowlist is configurable via `DELIMIT_GIT_IDENTITIES` (no identity baked into source). ### Fixed - **Test hygiene** — git-touching tests are now hermetic and a sentinel guards against any test mutating the package's `.git/config` (`core.bare`/identity). - **`parse_transcript_tail`** reads only the trailing ~64KB of a transcript (seek-from-end) instead of loading the whole file — cheaper Stop-hook / crash-recovery floor on large transcripts. ## [4.7.9] - 2026-06-09 Control plane (LED-1709) — one interactive surface over the work that matters. ### Added - **`delimit control`** — an interactive CLI that browses a single unified queue across **attestations, approvals, sensing, and ops**, drills into any item, and **approves/rejects** founder-approval items inline. Approving here writes the *same* ack as replying "ship it" by email (no parallel store). - **`delimit_control` MCP tool** (`list`/`get`/`approve`/`reject`) — the shared API behind both the CLI and the web dashboard (no split-brain): CLI calls it directly, the dashboard via the existing MCP-over-HTTP route. Read-only aggregation; the attestation lane is kept distinct from the sensing firehose. ## [4.7.8] - 2026-06-09 ### Fixed - **Portable gateway paths.** ~8 functional defaults hardcoded the developer's `/home/delimit/delimit-gateway` checkout, which doesn't exist on customer installs (agent reaping, dispatch, loop engine, continuity, content grounding). They now resolve the gateway repo root portably via a new `_paths` resolver (`DELIMIT_GATEWAY_REPO`/`DELIMIT_GATEWAY_ROOT` env override → `__file__`-relative root), with no behavior change where the dev path was already correct. ## [4.7.7] - 2026-06-09 `delimit chat` resilience. ### Fixed - **No more false "out of quota" on Claude.** The model health-probe killed `claude -p` after 6s, but a cold start (Claude Code + MCP load + API round-trip) routinely takes longer; the shim exits 143 on that timeout and the classifier mislabeled it as a quota failure. Now: 12s probe; timeout/SIGTERM/143 are treated as "slow — proceeding", and "out of quota" is only reported when the probe output actually says so. - **Auto-Phoenix now actually preserves context on model switch.** The migration soul-capture hardcoded a dev-only `sys.path`, so the import failed silently and "Soul captured" was printed even though nothing was saved. Context is now captured via the bundled server (with an installed-server fallback) and success is only claimed when the capture truly succeeds. ### Changed - Boot banner is now **DELIMIT CHAT** (ANSI-shadow art) with the version read live from `package.json`, so it never shows a stale release number again. ## [4.7.6] - 2026-06-09 Session-lifecycle release: never lose context on quota exhaustion or crash. ### Added - **Deterministic session-end capture.** The Stop hook now writes a `source="deterministic", quality="floor"` handoff (git state + ledger tail + transcript tail, no LLM, time-boxed) when a session ends without a richer model-authored capture — so a hard `/quit` no longer drops context. Skips when a fresh (<5 min) model capture already exists. - **Crash recovery.** On SessionStart, if the previous session was SIGKILLed (no clean Stop), its orphaned transcript is salvaged into a floor handoff — excluding the current session's transcript, guarded against double-salvage. - **Scoped revive** (`delimit_revive(scope=…)`): dispatched subagents revive only their own handoff context, never the orchestrator's global soul. ### Fixed - `delimit_revive` output no longer trips delimit's own prompt-injection detector (Markdown headers replace rule-delimiter runs). - Transcript-tail parser now falls back to `thinking` blocks, so floor handoffs carry the session's narrative instead of "(no final assistant text)". - Pre-push test gate clears inherited `GIT_DIR`/`GIT_WORK_TREE`, so test fixtures no longer operate on the real repo. ## [4.7.5] - 2026-06-08 Interactive `delimit chat` TUI + setup wizard + CLI config flags, and Antigravity CLI integration (stdio config, chat-permission alignment). _(This release was published to npm but its source reconciliation to the public repo landed retroactively; recorded here for an honest history.)_ ## [4.7.3] - 2026-06-04 Docs + metadata release. No functional changes to the package. ### Changed - npm README now carries the **"Adopt with minimum privilege"** section (phase-1 read-only tool allowlist, Action SHA-pinning, BYOK vault guidance) that previously only rendered on GitHub. - Detection-engine claims corrected to **28 change types (17 breaking, 11 non-breaking)** — adds `field_requirement_relaxed` (context-aware severity) to the documented table. - `server.json` (MCP registry metadata) version brought current. ## [4.7.2] - 2026-06-04 ### Fixed - **Tool-usage telemetry now persists.** `record_call` previously only kept an in-memory per-session counter that vanished on restart, so tool utilization was unobservable. It now appends every call to `~/.delimit/tool_usage.jsonl` (crash-safe, append-only), making utilization and dormancy measurable. ### Added - **`delimit_toolcard_cache action="usage"`** — durable tool-utilization + dormancy report (per-tool call counts, `last_seen`, and registered tools never called). - Additive next-step suggestions wiring under-surfaced tools into the governance loop: `lint → impact`, `agent_dispatch → agent_link`, `deploy_verify → seal_verify`, `evidence_collect → seal_verify`, `os_plan → os_gates`. Purely additive — no tool signature or behavior changed. Published via OIDC trusted publishing with provenance. ## [4.7.1] - 2026-06-03 Release-infrastructure update. No functional changes to the package versus 4.7.0. ### Changed - Published via **npm Trusted Publishing (OIDC)** from GitHub Actions — this release carries a **sigstore provenance attestation** (the 4.7.0 build was published manually and did not). Future releases publish tokenlessly with provenance. The free `delimit seal-verify` command and `delimit_seal_verify` MCP tool from 4.7.0 are unchanged. ## [4.7.0] - 2026-06-03 Feature release: fold the open-core Delimit Seal verifier into delimit-cli. ### Added - **`delimit seal-verify `** + MCP tool **`delimit_seal_verify`** (Free tier): verify a Delimit Seal receipt's Ed25519 signature and content-pin against the bundled, content-hashed Layer-0 constitution — with no access to the engine or the signing key. Bundles `gateway/ai/seal/` (verifier, constitution, public key, sample receipt). Honest about what it does NOT attest. - The verifier **lazy-imports `cryptography` and fails closed** if it is absent (returns verification_unavailable) — it never blocks install or any other tool. To enable seal verification: `pip install cryptography`. ### Notes - Purely additive — no existing tool, command, or behavior changed. ## [4.6.1] - 2026-05-22 Patch release: bundle hygiene + gateway sync carrying 7 upstream improvements. ### Fixed - **`delimit setup hooks`** (LED-1207, #100): bypass broken `npx` fallback in the pre-commit / pre-push hook generator. Fresh installs now produce hooks that work even when the npm-resolved `delimit` shim is absent from `PATH` (the fallback used to fail silently and produce no-op hooks). ### Improved (carried from the gateway) These ship inside the gateway/ tree that bundles with delimit-cli. They are in effect for anyone running the MCP server from a 4.6.1 install: - **Cross-post dedup for Reddit drafts** — same-author + same-normalized-title within a 7-day window dedupes manual re-submits across subreddits. Reddit's native `crosspost_parent` field is *also* now captured: when set, an O(1) fingerprint lookup catches the native cross-post case before the heuristic. Two-layer coverage: native UI cross-posts (rare, O(1)) + manual re-submits (common, O(N)). - **Inline follow-up draft in reply-alert emails** — both Reddit reply-alerts and GitHub outreach-reply-alerts now ship with a pre-composed, voice-matched follow-up reply inside the email body. The original "Draft a follow-up reply and post from mobile" sentinel remains as graceful degradation if the drafter falls through. Designed for mobile copy-paste-and-post flow. - **STR-195 binding founder decisions auto-injected into `delimit_deliberate`** — when a panel question touches a venture name or decision keyword, matching `feedback_*.md` memories surface as a `BINDING FOUNDER DECISIONS — CANNOT BE RE-LITIGATED` block prepended to the panel context. Closed decisions stop getting re-argued every deliberation. Memory walk is mtime-cached; portfolio anchors can be extended via `~/.delimit/social_target_ventures.json` for Pro users whose ventures aren't in the default delimit-portfolio set. - **`delimit_security_audit` false-positive elimination** (LED-1278 (c)): token-handling code (`const token = readCurrentToken()`, `const token = (options.token || process.env.X)`) no longer trips the `generic_secret` detector. Provider-specific detectors (aws_access_key, github_token, jwt_token, sk-proj API key) remain fully armed. Verified against a regression-guard test set including real AKIA, ghp_, JWT, and bearer-token literal shapes. ### Chores - **Excluded dev-only build scripts from the customer tarball** (#101): `build-license-core.sh`, `security-check.sh`, and `test-license-core-so.sh` are publish-time hooks invoked from `prepublishOnly`; they never ran on customer installs. Removed from the published bundle (166 → 163 files, ~10KB unpacked) and closed the meta-leak where the scripts' own leak-detection grep patterns contained the patterns they protected against. ### Documentation - **Retract incorrect 4.6.0 'known issue' line** (LED-1403): the prior CHANGELOG entry referenced a regression that did not actually ship. ## [4.6.0] - 2026-05-15 ### Added — Codex CLI + Gemini CLI auto-trigger directives (LED-1399) `delimit setup` now installs governance directives at the **verified-effective** locations for Codex CLI and Gemini CLI, closing the gap where users of those CLIs got the delimit MCP server wired but **not** the auto-trigger behaviors (`delimit_test_smoke` after edits, `delimit_repo_diagnose` before commit, etc.) that Claude Code users already get. **What changed:** - **Codex CLI**: writes `~/AGENTS.md` (verified against the Codex binary spec — Codex auto-loads `AGENTS.md` "from CWD up to the root"). The previous `~/.codex/instructions.md` write was dead code; Codex never read that path. - **Gemini CLI**: writes `~/.gemini/GEMINI.md` (verified against the gemini-cli bundle: `return ["GEMINI.md"]` is the discovery list; the global tier is `~/.gemini/GEMINI.md`). - Both gated on the respective CLI being installed (directory exists OR `which` finds the binary). Both use the existing managed-section markers (`` / ``) so user content is preserved on upgrade per the LED-1257 customer-protection rule. **Backwards-compat:** existing `~/.codex/instructions.md` files from prior installs are NOT removed (harmless dead config; deleting could clobber user customizations around our managed section). ### Other changes - **server.json merge-gate framing** (LED-2178): formal merge-gate framing in the public server.json descriptor. - **Memory Rules in `delimit init` template** (STR-143): the init-generated CLAUDE.md now includes the canonical Memory Rules section. - Documentation refreshes: cross-agent-handoff worked example surfaced on README, test-count badge bumped, misleading version stamps removed. ### Known issue (pre-existing, fix tracked) — **RETRACTED 2026-05-15** > ~~**`delimit attest mcp` exit codes** (LED-1403): on tool error (e.g. no > lockfile → npm audit unavailable) and unknown attestation kind, the CLI > currently returns exit 1 instead of the expected exit 2.~~ > > **Retraction:** the original report was a phantom test failure caused by a > corrupted local git worktree (LED-1401), not a real CLI bug. On a clean > clone, all 6 `attest-mcp` test suites pass and the CLI returns the correct > exit codes (0 pass+skip / 1 fail / 2 error per STR-656). LED-1403 closed > `not_reproducible`. No customer action required. ## [4.5.2] - 2026-05-02 ### Hardened — `postinstall.js` never-block-install guard (LED-1188) `scripts/postinstall.js` is now wrapped in a top-level guard that ensures no postinstall failure mode can ever block `npm install delimit-cli`. Per the customer-protection rule, npm publish is a production deploy and a postinstall crash on a paying Pro user's machine is a customer-facing incident regardless of root cause. Failure modes now hardened: - **EROFS / EACCES / EPERM / EPIPE on stdout** — every banner write is wrapped in a try/catch (some sandbox installers redirect stdout to a read-only pipe). - **Network unreachable / DNS fail / TLS error / proxy reject** — the telemetry HTTPS request silent-fails at every layer (`req.on('error')`, `req.on('timeout')`, outer try/catch). - **Missing or unreadable `package.json`** — graceful no-op; lets the install complete so `delimit doctor` can diagnose the partial-install state. - **`uncaughtException` propagation** — outermost guard swallows any synchronous throw from the IIFE so the npm process always sees exit 0. - **Idempotency** — re-running install is a no-op; the postinstall does not write to `~/.delimit/` (that's `bin/delimit-setup.js`). - **`DELIMIT_NO_TELEMETRY=1|true|yes`** kill switch honored (case-insensitive). Regression coverage: `tests/postinstall-hardening.test.js` (6 tests) locks the contract. ### Added — `lib/delimit-home.js` env-var unification (LED-1188) Single source of truth for resolving the Delimit private-state directory. Replaces ~37 hardcoded `path.join(os.homedir(), '.delimit')` sites across the CLI surface. Resolution order: 1. `$DELIMIT_HOME` (preferred — explicit, easy to reason about) 2. `$DELIMIT_NAMESPACE_ROOT` (gateway-compat fallback) 3. `/.delimit` (default) Both helpers re-resolve on every call so tests can mutate `process.env` between calls without module-cache invalidation. Public API: ```js const { delimitHome, homeSubpath } = require('delimit-cli/lib/delimit-home'); const ledger = homeSubpath('ledger'); // shorthand for path.join(delimitHome(), 'ledger') ``` Regression coverage: `tests/delimit-home.test.js` (9 tests). ### Carry — STR-656 `delimit attest mcp` v1 (PRs #73, #74, #76, #77) The four mcp-server PRs already merged into main are carried to npm in this release. No customer-facing change beyond what those PRs documented: - **#73** — `delimit attest mcp` panel-verdict behavior locks (Q1–Q6): live MCP-protocol-conformance probe, 3-tier exit codes, `--output` / `--no-write` flags, EROFS soft-fail on the preview JSON write, telemetry counter with `DELIMIT_NO_TELEMETRY` kill switch, top-level runtime guard. `--write` is now deprecated alias for `--output` (will be removed in v4.7). - **#74** — `delimit setup` template + `package.json` files-array gate `gateway/ai/self_repair/` and `self_repair_daemon.py` as gateway-only. - **#76** — Template reframe of the operating-model rule per swarm-executor panel verdict. - **#77** — `package.json` files-array gate `gateway/ai/corp_dashboard.py` as gateway-only. Regression coverage: `tests/attest-mcp.test.js` (10 tests, now in the npm test script — was previously orphaned). ### Bundle — proprietary gating extended `package.json` files-array now excludes three additional gateway-internal modules from the npm bundle (per the npm-bundle proprietary-gating rule — these are not customer-shipping CLI surfaces): - `!gateway/ai/content_grounding/` — LED-1084 grounding layer - `!gateway/ai/inbox_drafts/` — LED-1129 SQLite draft registry - `!gateway/ai/inbox_executor.py` — LED-1134 inbox executor These remain gateway-only; they are imported only by gateway daemons and have no public CLI surface. ### Backward compatibility - No MCP tool signature changes - No CLI command renamed or removed - No storage format change - All previously-passing tests still pass; 25 new tests added (171 → 196) ## [4.5.1] - 2026-04-28 ### Security — attestation `canonicalize()` strengthened (LED-1180) The `canonicalize()` helper used to derive attestation IDs and HMAC signatures was passing `Object.keys(bundle).sort()` as the second argument to `JSON.stringify`. JSON.stringify treats that argument as a property **allowlist**, not a sort order, and the allowlist contained only top-level keys — so nested objects serialised as `{}` and the HMAC committed only to the bundle's top-level shape. Practical effect: a bundle with `{governance: {violations: ["safe"]}}` and one with `{governance: {violations: ["malicious"]}}` produced **identical signatures**. Tampering nested fields was undetectable through signature verification. **This release replaces canonicalize with a proper recursive sorted-key serializer.** Old (v4.3 – v4.5.0) attestations remain readable but verify with the new canonicalize and will report `signature_mismatch`. New attestations produced by v4.5.1+ commit to the full content of the bundle. - `lib/wrap-engine.js` — fixed `canonicalize()`, exported it for reuse - `lib/trust-page-engine.js` — verifier now imports the corrected canonicalize - `tests/v43-wrap-engine.test.js` — added LED-1180 regression: tampering a nested field MUST change the signature; if it doesn't, canonicalize is silently dropping nested keys - `tests/v43-trust-page-engine.test.js` — test fixtures sign with the corrected canonicalize If you have a corpus of v4.5.0 or earlier attestations and need them re-signed under the new primitive, the migration tool is on the LED-1180 follow-up. For most users, attestations are short-lived merge-decision artifacts and re-signing is unnecessary. ### Other - (Internal) LED-1175 + LED-1177 MVP shipped in `delimit-private`: signed deliberation attestations + Scanner Input v0 schema. Public docs: [delimit.ai/docs/scanner-input](https://delimit.ai/docs/scanner-input), [delimit.ai/docs/vs-bugcrawl](https://delimit.ai/docs/vs-bugcrawl). No customer-facing CLI changes in 4.5.1. ## [4.5.0] - 2026-04-27 ### Added — Ledger hygiene toolkit (LED-1145, 7 PRs) The full hygiene loop is now a single MCP surface — call `delimit_ledger_health` to see what's wrong, then run the suggested tool to fix it. - **`delimit_ledger_health`** — one-shot traffic-light status (P0 inflation / stale / duplicates / garbage venture) with ranked next-action list - **`delimit_ledger_groom`** — read-only proposal: stale-open + duplicate-titles + garbage-venture detection. Each proposal includes a copy-pasteable `delimit_ledger_bulk` invocation - **`delimit_ledger_bulk(item_ids, action, dry_run=True)`** — batch operations (`archive`, `set_status`, `set_priority`, `add_tag`, `mark_done`, `cancel`). `dry_run=True` is the safety default. **No hard delete** — archive is an append-only soft transition - **`delimit_ledger_auto_close_external`** — find LEDs linked to a GitHub issue/PR and auto-close when the upstream resolves (mark_done for merged PRs / closed-as-completed; archive for not_planned closures) - **`delimit_ledger_auto_cancel_stale`** — auto-archive items dormant past `DELIMIT_STALE_TTL_DAYS` (default 60). Composes `bulk_action(archive)`. dry_run default - **Extended `delimit_ledger_list`** — new filters: `status_in`, `priority_in`, `tags_contains_all`, `text`, `linked_external_id`, `created_before/after`, `updated_before/after`, `sort`, `order`, `fields` projection (`"slim"` / explicit list / unknown=error), cursor pagination - **P0 soft-quota** on `delimit_ledger_add` — soft warning when count > `DELIMIT_P0_SOFT_QUOTA` (default 50). Item still added; surfaces a nudge to groom ### Added — Memory-system convergence (LED-1165) `delimit_memory` is now the canonical durable memory; Claude Code auto-memory becomes a one-way client projection. - **`hot_load: bool` parameter** on `delimit_memory_store` — opt-in, default False. Marks an entry for projection - **`delimit_memory_index(target_path, dry_run, limit)`** — projects hot_load=True entries into a managed section of MEMORY.md (`` / `` markers). User content outside markers is preserved verbatim. **One-way only** — never reads MEMORY.md back into delimit_memory ### Fixed — Secret-scanner false positives in `tools_infra` The `_CREDENTIAL_FALSE_POSITIVES` regex now suppresses three additional benign patterns so legitimate credential-loading code (env-var lookup, dict-getter, control-flow guards) doesn't trip the audit: - `\w+\.get(` (any object-method getter, was tokens-only) - `if not :` (Python control-flow with credential variable) - `:\n` matched-text (block-opener colon, not key-value separator) ### Fixed — OpenAPI diff engine defensive coverage Real-world specs can ship malformed shapes. The diff engine now defends against the entire dict-iteration crash class without losing any actual finding: - **`required: bool` in object schemas** (legal in parameter objects but seen leaking into nested schemas) — was raising `TypeError: 'bool' object is not iterable`. Treats as no-required-fields and continues - **`properties: [...]` instead of dict** (Kong-class) — `.keys()` no longer crashes; treats as empty properties and continues - **`paths: []`, `responses: []`, `content: []` (request and response)** — all coerce to `{}` at function entry. Diffs against the well-formed side still produce correct findings ### Tests - 108 ledger-manager tests (15 originals + 93 new across 7 features + E2E hygiene-loop integration) - 24 memory-bridge tests (new test file) - 60 diff-engine tests (49 + 11 new defensive) - All backward-compatible — existing test suites pass without modification ### Backward compatibility - All MCP tool parameter additions are optional with safe defaults - Existing storage format is unchanged (`hot_load` and `archived` are additive on the entry/status side) - No CLI command renamed or removed - Default `delimit_ledger_list` response shape preserved (full record by default; `fields="slim"` opts into the 90% payload reduction) ## [4.4.0] - 2026-04-25 ### Added — Pre-external-PR duplicate guard - **New MCP tool `delimit_external_pr_check(repo, author)`** — pre-flight gate that runs `gh pr list` against a target repo and returns a fail-closed verdict if any matching open PR (or recently-merged PR within 30 days) already exists. Prevents autonomous workflows from drafting duplicate external-repo PRs off stale outreach signals. - **`delimit_gov_evaluate(action="external_pr", context={target_repo, author})`** composes the duplicate check + policy evaluation in one call. Verdict `blocked_duplicate` is a hard stop. - **CLAUDE.md auto-trigger rule added**: BEFORE drafting any external-repo PR, the duplicate gate must pass. - 12 new unit tests covering: open PR, recently-merged PR, old merged PR, closed PR, gh CLI not installed, gh auth failure, missing target_repo. End-to-end test against real `goharbor/harbor` PR #23089 confirms duplicate detection works. ### Documentation - readme: replace stale demo links + delete old GIF (#67) (e6059dd3) - LED-1089 SECURITY.md — install-time + runtime threat model (#65) (4e03319c) - readme: canon-aligned hero + real attestation demo (#63) (9172924a) ### CI/CD - retry verify-published-version with bounded backoff (fixes v4.3.4 race) (#62) (f5a768d5) ### Other - LED-1084 week 2 hygiene: build features.json during `delimit setup` (#66) (8145456f) - sync: gateway LED-1010 design tool fixes (Tailwind awareness, status taxonomy, link-href FP) (#64) (d756e1bb) ### Completed Ledger Items - **LED-1094**: [P1] Consensus reached: Review the full transcript. As orchestrator, provide your own analysis and final - **LED-1095**: [P1] Consensus reached: Review the full transcript. As orchestrator, provide your own analysis and final - **LED-1096**: [P1] Consensus reached: Review the full transcript. As orchestrator, provide your own analysis and final - **LED-1097**: [P1] Consensus reached: Review the full transcript. As orchestrator, provide your own analysis and final - **LED-1098**: [P1] Consensus reached: Review the full transcript. As orchestrator, provide your own analysis and final - **LED-1100**: [P1] Consensus reached: Review the full transcript. As orchestrator, provide your own analysis and final - **LED-1102**: [P1] Consensus reached: Review the full transcript. As orchestrator, provide your own analysis and final - **LED-1103**: [P1] Consensus reached: Review the full transcript. As orchestrator, provide your own analysis and final - **LED-1104**: [P1] Consensus reached: Review the full transcript. As orchestrator, provide your own analysis and final - **LED-1105**: [P1] Consensus reached: Review the full transcript. As orchestrator, provide your own analysis and final - **LED-1106**: [P1] Build responsive-overflow gate (narrow MVP) — dogfood on delimit.ai - **LED-1107**: [P1] Fix 3 responsive overflow bugs caught by LED-1106 gate on first dogfood run - **LED-1108**: [P1] Cross-venture task - **LED-1109**: [P1] Cross-venture task - **LED-1110**: [P1] Cross-venture task - **LED-1111**: [P1] Consensus reached: Review the full transcript. As orchestrator, provide your own analysis and final - **LED-1113**: [P1] Cross-venture task - **LED-1114**: [P1] Consensus reached: Review the full transcript. As orchestrator, provide your own analysis and final ### Stats - **Commits**: 6 - **Files changed**: 6 - **Insertions**: 708(+) / 130(-) - **Since**: v4.3.4 ## [4.2.0] - 2026-04-21 ### Added (gateway sync — LED-987 through LED-1008) - **Venture tagging (LED-1008)** — work orders, deliberations, and social drafts carry a canonical venture tag propagated through `save_draft` and the Supabase sync writers. `_normalize_venture` maps freeform strings (e.g., "DomainVested", "wire.report", "LT") to the canonical 4-member vocabulary (delimit / domainvested / wirereport / livetube). Unknown values pass through lowercased so they surface instead of dropping. - **Warm-window filter for social targets (LED-998)** — 72h window on X scans, 14d on reddit. Env-tunable via `DELIMIT_X_WARM_HOURS` and `DELIMIT_REDDIT_WARM_HOURS`. Fail-open on missing timestamps so parser bugs don't silently drop everything. - **X draft salvage (LED-997)** — `_try_trim_twitter_draft` trims LLM output at sentence boundary when it exceeds 3 sentences or 280 chars. Runs before the max-length check so a good-but-long draft becomes a good-and-short one instead of dying in the sanitizer. Proven live: salvaged a 626-char draft to 241 chars on the first post-deploy cycle. - **Reversible stale cleanup (LED-990)** — weekly systemd timer demotes blocked items to a cold lane after 30d instead of deleting. Ledger update restores cold → blocked/open with a single status flip. First-run safe with DRY_RUN=1. - **Warm-thread PR watcher (LED-989)** — 14-day warm window on outreach follow-ups; skip threads inactive longer than that. MAX_ACTIVE_THREADS=8 cap prevents dog-piling a single repository. - **Lemon Squeezy → Supabase reconciler (LED-996)** — trial watcher now polls LS every 6h and upserts subscription_status + role into the Supabase users table. Catches webhook drops without manual SQL intervention. - **ACTION_DENYLIST (LED-988)** — executor v2 gains an explicit denylist of prohibited action categories (money, legal/identity, credentials, deploy, contracts) that fires BEFORE the ACTION_SPEC whitelist check. Defense-in-depth against LLM-driven executor drift. - **Reddit residential-IP proxy (LED-987)** — scoped service bypasses 429s on reddit34.p.rapidapi.com by routing through a residential IP. Systemd-managed, auto-restart, rate-limited. - **propose_pr autonomous build primitive (LED-988)** — executor can propose PRs against an allowlisted repo set (`PROPOSE_PR_ALLOWED_REPOS`) with a fixed branch prefix (`delimit/`) and author (`delimit-bot`). Guarded by denylist + whitelist. ### Fixed - **Exit-shim counter undercounting** — previously missed commits outside `SESSION_CWD` and dropped Z-suffixed timestamps; both now captured. - **Proprietary path leaks** — sync-gateway.sh EXCLUDE list hardened to keep portfolio-specific files (social.py, social_target.py, inbox_daemon.py, founding_users.py, deliberation.py) out of the npm bundle. ### Tests - Gateway: 163/163 passing on changed-file tests (social.py, social_target.py, supabase_sync). - npm CLI: 134/134 passing (no CLI behavior changes — bundled gateway update). - Security audit: 0 real findings across gateway + UI (false positives only — test fixtures and TypeScript `token:` parameter types). ### Notes - Companion dashboard changes at app.delimit.ai (LED-995 Billing + API Keys wiring, LED-997 Blocked drafts tab, LED-1008 venture chips + filters) shipped via delimit-ui/main. - Supabase migration 025 (venture TEXT column on 4 tables) applied separately via Management API. ## [4.1.53] - 2026-04-10 ### Fixed (cycle engine — think→build→deploy) - **Strategy deliberation timeout waste** — strategy cycle ran every 4th iteration with a 120s timeout. Gemini CLI loads 187 MCP tools on startup, causing guaranteed timeouts. Now runs every 8th iteration and skips entirely if a successful deliberation exists within the last hour. - **Empty social drafts** — `generate_tailored_draft` returned `""` when no models were enabled instead of firing the fallback template. Added diagnostic logging (model, response length, preview) and empty-response detection. - **Stale deploy queue** — 15 items from 2026-04-08 were stuck as `pending`. Added `_expire_stale_deploys()` that archives items older than 48h to `expired.jsonl` before every deploy stage. Deploy stage also handles `ImportError` on server functions gracefully. ### Added (gateway sync) - Unified think→build→deploy cycle (`run_full_cycle`, shipped earlier this session) - Account-aware brand voice sanitizer + Twitter prompt v2 (LED-791/796) - Swagger 2.0 `$ref` parameter fix in diff engine - twttr241 fixes: wrong secrets file, 429 retry, flaky test (LED-763/781/783) - Security: `..` path traversal rejection in `sensor_github_issue` (#40) - Scanner FP allowlist for test fixture credentials (LED-817) - Loop engine dispatch status fix (LED-814) ### Tests - Gateway: 88/88 loop+social tests passing. - npm CLI: 134/134 passing (no CLI changes — bundled gateway only). ## [4.1.52] - 2026-04-10 ### Fixed (exit shim reporting zeros) - **Git commit count always zero** — `git log --after="$SESSION_START"` was passing a raw epoch integer. Git's `--after` needs `@` prefix for epoch time (`--after="@$SESSION_START"`). - **Ledger item count always zero** — the awk script matched any line with a `created_at` field but never compared the timestamp against the session start. Now converts `SESSION_START` to ISO format and uses string comparison to count only items created during the session. - **Deliberation count always zero** — looked for a `deliberations.jsonl` file that doesn't exist. Deliberations are stored as individual JSON files in `~/.delimit/deliberations/`. Now uses `find -newermt "@$SESSION_START"` to count files created during the session. ### Tests - 134/134 npm CLI tests passing (no test changes — shell template fix only). ## [4.1.51] - 2026-04-09 ### Fixed (gateway loop engine — LED-814) - **`ai/loop_engine.run_governed_iteration` mishandled swarm dispatch statuses.** Only `status=='completed'` was treated as success. The swarm dispatcher returns `'dispatched'` for async handoff, so every build-loop tick fell into the failure branch and logged "Dispatch failed" even though the underlying work shipped. Session `build-loop-2026-04-09` accumulated 6 spurious failures (LED-787 / 788 / 755 / 762 / 799 / 807) for tasks that all actually shipped. Now: - `'completed'` → close ledger + notify deploy loop (unchanged) - `'dispatched'` → mark ledger `in_progress` with the swarm `task_id`, NOT a failure - `'blocked'` → record a founder-approval gate without tripping the circuit breaker - anything else → genuine failure, error message includes the unexpected status string for debuggability - Verified live against the running MCP session before this release: `iterations 6→7`, `errors 0`, `LED-814` recorded as `dispatched` with `swarm_task_id task-449ecdf9`. - Picked up via the standard `npm run sync-gateway` step in `prepublishOnly` (gateway commit `ce802cd` is now on `delimit-ai/delimit-gateway` main). ### Added - **`tests/test_loop_engine_dispatch_status.py`** in the gateway — covers all four dispatch status branches (`completed` / `dispatched` / `blocked` / unknown), 154 lines, ships with the bundled gateway. ### Scope - Single-purpose patch: gateway loop engine only. This is the deferred half of the multi-model deliberation that produced 4.1.50 — the deliberation explicitly required splitting the gateway fix from the CLAUDE.md regex fix so each ship has a clean rollback story. ### Tests - npm CLI: 134/134 still passing (no CLI changes — bundled gateway only). - Gateway: new `test_loop_engine_dispatch_status.py` suite passing. ## [4.1.50] - 2026-04-09 ### Fixed (CRITICAL — CLAUDE.md in-prose marker clobber) - **`upsertDelimitSection` regex was unanchored** — `bin/delimit-setup.js` used `//` (no line anchors) to detect the managed-section markers. If a user *quoted* the markers inside backticks in a documentation bullet (e.g. `Use managed-section markers (\`\` / \`\`)`), the regex matched the prose mention. On the next `delimit setup` run the upsert sliced everything between the prose start and prose end markers and replaced it with a fresh stock template — the exact "never clobber user-customized files" failure mode 4.1.48 / 4.1.49 were written to prevent. Reproduced on `/root/CLAUDE.md` 2026-04-09. - Both markers are now anchored to start-of-line with the multiline flag, allow optional leading horizontal whitespace (`/^[ \t]*[ \t]*$/m`), and the file is BOM-stripped before matching. Result: documentation prose that quotes the markers inside backticks, blockquotes (`> `), or bullets (`- `, `* `) is never matched, while genuine markers — flush-left, indented, or BOM-prefixed — still are. Same fix applied to the test mirror in `tests/setup-onboarding.test.js`. ### Added - **Regression tests** in `tests/setup-onboarding.test.js` covering five failure modes the v4.1.49 regex would have matched incorrectly: - Markers quoted in a bullet via inline backticks (the exact /root/CLAUDE.md 2026-04-09 incident) - Markers with a CRLF (`\r\n`) line ending - File starting with a UTF-8 BOM - Tab- and space-indented real markers (must still be recognized) - Bullet- and blockquote-prefixed markers (must NOT be recognized) Each test asserts both the first-run behavior (`appended` vs `updated`) and that user content survives a subsequent version-bump upgrade verbatim. ### Scope - Single-purpose patch: CLAUDE.md preservation only. Unrelated gateway fixes (e.g. `loop_engine` LED-814) deferred to 4.1.51 per multi-model deliberation, since 4.1.48 and 4.1.49 both shipped with the regression bug undetected and 4.1.50 must stay laser-focused. ### Tests - 134/134 npm CLI tests passing (was 129). New regression suite (`does not match markers quoted in prose`, CRLF, BOM, indented, bullet/blockquote-prefixed) covers every edge case the multi-model deliberation surfaced. ## [4.1.49] - 2026-04-09 ### Fixed (full preservation audit follow-up to 4.1.48) - **Project `.claude/settings.json` hooks clobber** — `installClaudeHooks` was replacing the project-level `.claude/settings.json` hooks object with the merged-with-global config, propagating global hooks into every project file and wiping any project-local hooks the user had set. Now merges only Delimit-owned hook groups (entries whose command contains `delimit`) into existing project hooks; project-specific user hooks survive. - **Gemini `general.defaultApprovalMode` clobber** — `delimit-cli setup` was force-setting Gemini's `defaultApprovalMode` to `auto_edit` on every run, overwriting whatever the user had chosen (e.g. `manual`). Now only sets it when missing. - **`~/.claude.json` MCP hooks replacement** — `lib/hooks-installer.js` (opt-in via `delimit-cli hooks install`) replaced `preCommand` / `postCommand` / `authentication` / `audit` keys on every install. Now only fills in missing keys, preserving any user-chosen MCP hook commands. ### Added - **`tests/setup-no-clobber.test.js`** — dedicated regression suite that runs setup helpers against synthetic fresh-user HOME directories with pre-populated user customizations (project hooks, Gemini approval mode, custom MCP hook commands) and asserts none get clobbered. 5 tests, all passing. ### Audit results - Audited every `fs.writeFileSync` in `bin/delimit-setup.js`, `lib/cross-model-hooks.js`, `lib/hooks-installer.js`, `adapters/cursor-rules.js`, and `scripts/postinstall.js`. - All remaining writes are either delimit-owned (shims, hook scripts, generated `delimit.md`), guarded by `!fs.existsSync` (models.json, social_target_config.json, codex empty file), or surgical merges that preserve user content (`.mcp.json` mcpServers, `.claude/settings.json` allowList, `.codex/config.toml` mcp_servers.delimit block, `.cursor/mcp.json` mcpServers, rc-file PATH append). - The full preservation contract is now: `delimit-cli setup` may safely run on any user machine, including via the shim auto-update flow, without destroying user state. New installs and upgrades are equivalent for everything except delimit-owned files. ### Tests - 129/129 passing (was 124). ## [4.1.48] - 2026-04-09 ### Fixed - **CRITICAL: CLAUDE.md clobber on upgrade** — `delimit-cli setup` used a loose heuristic (`# Delimit` + `delimit_ledger_context` or `# Delimit AI Guardrails`) to decide whether to replace a user's entire `CLAUDE.md` with the stock template. Any founder-customized CLAUDE.md that happened to mention `delimit_ledger_context` got clobbered on every upgrade — this included 4.1.47's auto-update flow, which destroyed custom auto-trigger rules, paying-customer protection blocks, and incident-derived escalation rules. The clobber path is removed entirely. `upsertDelimitSection` now either upserts between `` / `` markers (preserving user content above and below), or — if no markers exist — appends the managed section at the bottom, preserving all existing user content verbatim. - Same fix applied to `GEMINI.md` in `lib/cross-model-hooks.js` (previously did a whole-file overwrite if it did not contain the detection phrase). - Detection marker changed from the prose phrase `Consensus 123` to the stable structural marker `