npm - delimit-cli - Versions diffs - 3.11.9 → 3.11.11 - Mend

delimit-cli 3.11.9 → 3.11.11

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/CHANGELOG.md +48 -0
package/README.md +9 -3
package/adapters/codex-security.js +64 -0
package/adapters/codex-skill.js +78 -0
package/adapters/cursor-rules.js +97 -0
package/bin/delimit-setup.js +14 -4
package/package.json +2 -1
package/server.json +2 -2

package/CHANGELOG.md CHANGED Viewed

@@ -1,5 +1,53 @@
 # Changelog
+## [3.11.10] - 2026-03-24
+### Added
+- Cursor adapter with `.cursor/rules/delimit.md` support (Cursor 0.45+)
+- Codex adapters: `codex-skill.js` (governance) and `codex-security.js`
+- Setup `--dry-run` previews config changes before writing
+- Uninstall `--dry-run` with backups for all 4 AI assistants
+- Post-install config validation (checks all assistant configs)
+- npm publish workflow with provenance and approval gates
+- Setup matrix tests (13 new tests across all AI assistants)
+### Changed
+- Repo renamed to `delimit-ai/delimit-mcp-server`
+- Description: "Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, governance, and multi-model debate."
+- Clear Free vs Pro tier boundaries in README
+### Security
+- Hardened `.npmignore` (blocks .env, credentials, keys)
+- Supply chain security section in SECURITY.md
+## [3.11.9] - 2026-03-23
+### Added
+- Auto-detect API keys and CLIs on `delimit init` and `delimit version`
+- `delimit_quickstart` MCP tool (60-second guided first-run)
+- Deliberation cost tracking (estimate + actual per model)
+- Input sanitization: `_sanitize_path`, `_sanitize_subprocess_arg`
+- GitHub Action smoke test workflow
+### Fixed
+- Gemini deliberation HTTP 400 (ADC credentials + jamsons project)
+- Deliberation timeout: parallelized round 1 (46% faster)
+- Sensor dedup: titles include repo/issue to prevent duplicates
+- Test-mode guard prevents ledger pollution from tests
+### Changed
+- Governance default mode: advisory -> guarded (blocks critical actions)
+- Ledger tools now route through governance loop (113/116 tools)
+- Dialogue deliberation capped at 4 rounds (was 6)
+- Per-model API timeout: 120s -> 45s (fail fast)
+## [3.11.8] - 2026-03-23
+### Fixed
+- Codex compatibility: 11 type coercion fixes (string->list/dict)
+- CI green: FastMCP fallback, env var injection, mock patterns
+- Dashboard dark/light mode with CSS variables
 ## [2.4.0] - 2026-03-15
 ### Added

package/README.md CHANGED Viewed

@@ -5,15 +5,21 @@ Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, govern
 [![npm](https://img.shields.io/npm/v/delimit-cli)](https://www.npmjs.com/package/delimit-cli)
 [![GitHub Action](https://img.shields.io/badge/GitHub%20Action-v1.6.0-blue)](https://github.com/marketplace/actions/delimit-api-governance)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-[![delimit MCP server](https://glama.ai/mcp/servers/delimit-ai/delimit/badges/score.svg)](https://glama.ai/mcp/servers/delimit-ai/delimit)
+[![Glama](https://glama.ai/mcp/servers/delimit-ai/delimit-mcp-server/badges/score.svg)](https://glama.ai/mcp/servers/delimit-ai/delimit-mcp-server)
-Your tasks, memory, and governance carry between Claude Code, Codex, and Gemini CLI. Persistent ledger, API breaking change detection, security audit, multi-model deliberation — all shared across assistants.
+Persistent ledger, API governance, security orchestration, and multi-model deliberation — all shared across Claude Code, Codex, Cursor, and Gemini CLI.
 ---
 ## GitHub Action
-Add to any repo with an OpenAPI spec:
+Zero-config — auto-detects your OpenAPI spec:
+```yaml
+- uses: delimit-ai/delimit-action@v1
+```
+Or with full configuration:
 ```yaml
 name: API Contract Check

package/adapters/codex-security.js ADDED Viewed

@@ -0,0 +1,64 @@
+#!/usr/bin/env node
+/**
+ * Delimit Security Skill for Codex CLI
+ *
+ * Validates that Codex-generated code doesn't introduce security anti-patterns.
+ * Runs as a security validation skill.
+ */
+const fs = require('fs');
+const path = require('path');
+const SECURITY_PATTERNS = [
+    { pattern: /eval\s*\(/g, severity: 'high', message: 'eval() usage detected — potential code injection' },
+    { pattern: /exec\s*\(/g, severity: 'medium', message: 'exec() usage — verify input sanitization' },
+    { pattern: /shell\s*=\s*True/g, severity: 'high', message: 'subprocess with shell=True — command injection risk' },
+    { pattern: /dangerouslySetInnerHTML/g, severity: 'medium', message: 'dangerouslySetInnerHTML — XSS risk' },
+    { pattern: /password\s*=\s*["'][^"']+["']/gi, severity: 'high', message: 'Hardcoded password detected' },
+    { pattern: /api[_-]?key\s*=\s*["'][A-Za-z0-9]{10,}["']/gi, severity: 'high', message: 'Hardcoded API key detected' },
+];
+function checkSecurity(context) {
+    const code = context.code || context.content || '';
+    if (!code) return { status: 'clean', findings: [] };
+    const findings = [];
+    for (const { pattern, severity, message } of SECURITY_PATTERNS) {
+        const matches = code.match(pattern);
+        if (matches) {
+            findings.push({ severity, message, count: matches.length });
+        }
+    }
+    // Audit
+    try {
+        const auditDir = path.join(process.env.HOME || '', '.delimit', 'audit');
+        fs.mkdirSync(auditDir, { recursive: true });
+        const record = {
+            timestamp: new Date().toISOString(),
+            source: 'codex-security',
+            findings_count: findings.length,
+            high_count: findings.filter(f => f.severity === 'high').length,
+        };
+        const auditFile = path.join(auditDir, `${new Date().toISOString().split('T')[0]}.jsonl`);
+        fs.appendFileSync(auditFile, JSON.stringify(record) + '\n');
+    } catch {}
+    const hasHigh = findings.some(f => f.severity === 'high');
+    return {
+        status: hasHigh ? 'flagged' : findings.length > 0 ? 'warnings' : 'clean',
+        findings,
+    };
+}
+const context = process.argv[2] ? JSON.parse(process.argv[2]) : {};
+const result = checkSecurity(context);
+if (result.status === 'flagged') {
+    for (const f of result.findings) {
+        console.error(`[Delimit Security] ${f.severity.toUpperCase()}: ${f.message}`);
+    }
+    process.exit(1);
+}
+process.exit(0);

package/adapters/codex-skill.js ADDED Viewed

@@ -0,0 +1,78 @@
+#!/usr/bin/env node
+/**
+ * Delimit Governance Skill for Codex CLI
+ *
+ * Runs as a validation skill triggered on pre-code-generation and pre-suggestion.
+ * Checks governance state and policy compliance before Codex executes actions.
+ */
+const fs = require('fs');
+const path = require('path');
+const DELIMIT_HOME = path.join(process.env.HOME || '', '.delimit');
+const MODE_FILE = path.join(DELIMIT_HOME, 'enforcement_mode');
+function getMode() {
+    try {
+        return fs.readFileSync(MODE_FILE, 'utf-8').trim();
+    } catch {
+        return 'guarded'; // Default
+    }
+}
+function checkGovernance(context) {
+    const mode = getMode();
+    const warnings = [];
+    // Check if governance is initialized
+    const policiesFile = path.join(process.cwd(), '.delimit', 'policies.yml');
+    if (!fs.existsSync(policiesFile)) {
+        warnings.push('No .delimit/policies.yml — run: delimit init');
+    }
+    // Check for sensitive file access
+    const sensitivePatterns = ['.env', 'credentials', '.ssh', 'secrets'];
+    const target = context.target || context.file || '';
+    for (const pattern of sensitivePatterns) {
+        if (target.includes(pattern)) {
+            if (mode === 'enforce') {
+                return { status: 'blocked', reason: `Access to sensitive path: ${target}` };
+            }
+            warnings.push(`Accessing sensitive path: ${target}`);
+        }
+    }
+    // Audit log
+    try {
+        const auditDir = path.join(DELIMIT_HOME, 'audit');
+        fs.mkdirSync(auditDir, { recursive: true });
+        const record = {
+            timestamp: new Date().toISOString(),
+            source: 'codex-skill',
+            mode,
+            context: typeof context === 'object' ? JSON.stringify(context).slice(0, 200) : String(context).slice(0, 200),
+            warnings,
+        };
+        const auditFile = path.join(auditDir, `${new Date().toISOString().split('T')[0]}.jsonl`);
+        fs.appendFileSync(auditFile, JSON.stringify(record) + '\n');
+    } catch {}
+    return { status: 'allowed', mode, warnings };
+}
+// Entry point — read context from stdin or args
+const context = process.argv[2] ? JSON.parse(process.argv[2]) : {};
+const result = checkGovernance(context);
+if (result.status === 'blocked') {
+    console.error(`[Delimit] BLOCKED: ${result.reason}`);
+    process.exit(1);
+}
+if (result.warnings.length > 0) {
+    for (const w of result.warnings) {
+        console.error(`[Delimit] Warning: ${w}`);
+    }
+}
+process.exit(0);

package/adapters/cursor-rules.js ADDED Viewed

@@ -0,0 +1,97 @@
+#!/usr/bin/env node
+/**
+ * Delimit Governance Rules for Cursor
+ *
+ * Cursor doesn't have a hook system like Claude Code or Codex,
+ * so governance enforcement happens server-side via MCP tool calls.
+ * This adapter manages the .cursorrules and .cursor/rules/ files
+ * that guide Cursor's behavior.
+ */
+const fs = require('fs');
+const path = require('path');
+const HOME = process.env.HOME || '';
+const CURSOR_DIR = path.join(HOME, '.cursor');
+const CURSOR_RULES_DIR = path.join(CURSOR_DIR, 'rules');
+const CURSORRULES_FILE = path.join(HOME, '.cursorrules');
+/**
+ * Install Delimit governance rules into Cursor.
+ * Creates both .cursorrules (legacy) and .cursor/rules/delimit.md (new).
+ */
+function installRules(version) {
+    const rules = getDelimitRules(version);
+    // Install to .cursor/rules/delimit.md (new location, Cursor 0.45+)
+    if (fs.existsSync(CURSOR_DIR)) {
+        fs.mkdirSync(CURSOR_RULES_DIR, { recursive: true });
+        const rulesFile = path.join(CURSOR_RULES_DIR, 'delimit.md');
+        fs.writeFileSync(rulesFile, rules);
+    }
+    return { installed: true, paths: [CURSORRULES_FILE, path.join(CURSOR_RULES_DIR, 'delimit.md')] };
+}
+/**
+ * Remove Delimit rules from Cursor.
+ */
+function uninstallRules() {
+    const removed = [];
+    // Remove from .cursor/rules/
+    const rulesFile = path.join(CURSOR_RULES_DIR, 'delimit.md');
+    if (fs.existsSync(rulesFile)) {
+        fs.unlinkSync(rulesFile);
+        removed.push(rulesFile);
+    }
+    return { removed };
+}
+function getDelimitRules(version) {
+    return `# Delimit Governance (v${version})
+## On every session start:
+1. Call \`delimit_ledger_context\` to check for open tasks
+2. Call \`delimit_gov_health\` to check governance status
+## After editing code:
+- After editing UI/CSS: call \`delimit_design_validate_responsive\`
+- After editing API specs: call \`delimit_lint\`
+- After editing tests: call \`delimit_test_smoke\`
+## Before deploying:
+1. Call \`delimit_security_audit\`
+2. Call \`delimit_test_smoke\`
+3. Call \`delimit_deploy_plan\`
+## Before committing:
+- Call \`delimit_repo_diagnose\` to check for common issues
+## Governance enforcement:
+- All tool calls route through governance automatically (server-side)
+- Critical actions are blocked until approved
+- High-risk actions require approval in enforce mode
+- Check mode: advisory (warn only), guarded (block critical), enforce (block critical + high-risk)
+## Links
+- Docs: https://delimit.ai/docs
+- GitHub: https://github.com/delimit-ai/delimit-mcp-server
+`;
+}
+module.exports = { installRules, uninstallRules, getDelimitRules };
+// CLI entry point
+if (require.main === module) {
+    const action = process.argv[2] || 'install';
+    const version = process.argv[3] || '3.11.9';
+    if (action === 'install') {
+        const result = installRules(version);
+        console.log(`Installed Delimit rules to Cursor: ${result.paths.join(', ')}`);
+    } else if (action === 'uninstall') {
+        const result = uninstallRules();
+        console.log(`Removed: ${result.removed.join(', ') || 'nothing to remove'}`);
+    }
+}

package/bin/delimit-setup.js CHANGED Viewed

@@ -54,7 +54,7 @@ async function main() {
     log(blue('  / / / / __/ / /    / // /|_/ // /  / /   '));
     log(blue(' / /_/ / /___/ /____/ // /  / // /  / /    '));
     log(blue('/_____/_____/_____/___/_/  /_/___/ /_/     '));
-    log(dim('  One workspace for every AI coding assistant'));
+    log(dim('  Unify all AI coding assistants'));
     log('');
     // Step 1: Check prerequisites
@@ -415,13 +415,23 @@ Run full governance compliance checks. Verify security, policy compliance, evide
         }
     }
-    // Cursor rules
+    // Cursor rules (legacy .cursorrules + new .cursor/rules/ directory)
     const cursorRules = path.join(os.homedir(), '.cursorrules');
     if (fs.existsSync(path.join(os.homedir(), '.cursor'))) {
         const cursorResult = upsertDelimitSection(cursorRules);
         if (cursorResult.action !== 'unchanged') {
             log(`  ${green('✓')} ${cursorResult.action === 'created' ? 'Created' : 'Updated'} ${cursorRules}`);
         }
+        // Also install to .cursor/rules/delimit.md (Cursor 0.45+)
+        try {
+            const cursorRulesDir = path.join(os.homedir(), '.cursor', 'rules');
+            fs.mkdirSync(cursorRulesDir, { recursive: true });
+            const cursorAdapter = require('../adapters/cursor-rules');
+            cursorAdapter.installRules(pkg.version);
+            log(`  ${green('✓')} Installed governance rules to .cursor/rules/delimit.md`);
+        } catch (e) {
+            log(`  ${dim('  Could not install .cursor/rules: ' + e.message)}`);
+        }
     }
     // Silent: auto-detect API keys and configure models.json (no output)
@@ -697,7 +707,7 @@ function getDelimitSection() {
     return `<!-- delimit:start v${version} -->
 # Delimit
-One workspace for every AI coding assistant.
+Unify all AI coding assistants with persistent context, governance, and multi-model debate.
 ## On every session start:
 1. Call \`delimit_ledger_context\` to check for open tasks
@@ -746,7 +756,7 @@ Add breaking change detection to any repo:
 ## Links
 - Docs: https://delimit.ai/docs
-- GitHub: https://github.com/delimit-ai/delimit
+- GitHub: https://github.com/delimit-ai/delimit-mcp-server
 - Action: https://github.com/marketplace/actions/delimit-api-governance
 <!-- delimit:end -->`;
 }

package/package.json CHANGED Viewed

@@ -1,12 +1,13 @@
 {
   "name": "delimit-cli",
   "mcpName": "io.github.delimit-ai/delimit-mcp-server",
-  "version": "3.11.9",
+  "version": "3.11.11",
   "description": "Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, governance, and multi-model debate.",
   "main": "index.js",
   "files": [
     "bin/",
     "lib/",
+    "adapters/",
     "gateway/",
     "server.json",
     "README.md",

package/server.json CHANGED Viewed

@@ -7,13 +7,13 @@
     "url": "https://github.com/delimit-ai/delimit-mcp-server",
     "source": "github"
   },
-  "version": "3.11.8",
+  "version": "3.11.10",
   "websiteUrl": "https://delimit.ai",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "delimit-cli",
-      "version": "3.11.8",
+      "version": "3.11.10",
       "transport": {
         "type": "stdio"
       }