delimit-cli 3.13.3 → 3.14.1

package/bin/delimit-cli.js

@@ -5,6 +5,7 @@ const axios = require('axios');
 const fs = require('fs');
 const path = require('path');
 const { execSync, spawn } = require('child_process');
+const os = require('os');
 const chalk = require('chalk');
 const inquirer = require('inquirer');
 const DelimitAuthSetup = require('../lib/auth-setup');
@@ -1067,9 +1068,43 @@ program
             return;
         }
 
+        // Step 2b: Compliance template selection (LED-258)
+        let complianceTemplate = null;
+        if (!options.yes) {
+            try {
+                const templateAns = await inquirer.prompt([{
+                    type: 'list',
+                    name: 'template',
+                    message: 'Compliance template (optional):',
+                    choices: [
+                        { name: 'none     — Standard governance only', value: 'none' },
+                        { name: 'SOC2     — Service Organization Control evidence', value: 'soc2' },
+                        { name: 'PCI-DSS  — Payment card data protection', value: 'pci-dss' },
+                        { name: 'HIPAA    — Healthcare data safeguards', value: 'hipaa' },
+                        { name: 'startup  — Fast-moving team defaults', value: 'startup' },
+                    ],
+                    default: 'none',
+                }]);
+                if (templateAns.template !== 'none') complianceTemplate = templateAns.template;
+            } catch {}
+        }
+
         // Step 3: Create policy file
         fs.mkdirSync(configDir, { recursive: true });
         fs.writeFileSync(policyFile, POLICY_PRESETS[preset]);
+
+        // Write compliance template config if selected
+        if (complianceTemplate) {
+            const templateConfig = {
+                soc2: { evidence_required: true, audit_trail: true, change_approval: true, retention_days: 365 },
+                'pci-dss': { evidence_required: true, audit_trail: true, change_approval: true, secret_scanning: true, retention_days: 365 },
+                hipaa: { evidence_required: true, audit_trail: true, change_approval: true, phi_detection: true, retention_days: 2190 },
+                startup: { evidence_required: false, audit_trail: true, change_approval: false, retention_days: 90 },
+            };
+            const tmplFile = path.join(configDir, 'compliance.json');
+            fs.writeFileSync(tmplFile, JSON.stringify({ template: complianceTemplate, ...templateConfig[complianceTemplate] }, null, 2));
+            console.log(chalk.green(`  Created .delimit/compliance.json (${complianceTemplate})`));
+        }
         console.log(chalk.green(`  Created .delimit/policies.yml (${preset})`));
 
         // Step 4: Add GitHub Action workflow if spec found + GitHub CI
@@ -1130,6 +1165,69 @@ jobs:
             }
         }
 
+        // Step 4b: Add scheduled drift monitoring workflow (LED-260)
+        if (specPath && ciProvider === 'github') {
+            const driftWorkflowFile = path.join(projectDir, '.github', 'workflows', 'api-drift-monitor.yml');
+            if (!fs.existsSync(driftWorkflowFile)) {
+                let writeDrift = false;
+                if (!options.yes) {
+                    try {
+                        const driftAns = await inquirer.prompt([{
+                            type: 'confirm',
+                            name: 'addDrift',
+                            message: 'Add weekly drift monitoring workflow?',
+                            default: true,
+                        }]);
+                        writeDrift = driftAns.addDrift;
+                    } catch {}
+                }
+                if (writeDrift) {
+                    try {
+                        const driftContent = `name: API Drift Monitor
+on:
+  schedule:
+    - cron: '17 9 * * 1'  # Weekly on Monday at 9:17 AM UTC
+  workflow_dispatch: {}
+
+permissions:
+  contents: read
+  issues: write
+
+jobs:
+  drift-check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: actions/setup-python@v4
+        with:
+          python-version: '3.10'
+      - run: pip install pyyaml 2>/dev/null
+      - name: Check for API drift
+        run: |
+          npx delimit-cli lint ${specPath} ${specPath} --baseline
+          echo "Drift check complete"
+      - name: Create issue on drift
+        if: failure()
+        uses: actions/github-script@v6
+        with:
+          script: |
+            await github.rest.issues.create({
+              owner: context.repo.owner,
+              repo: context.repo.repo,
+              title: 'API Drift Detected — Governance Review Needed',
+              body: 'The weekly drift monitor detected changes to the API spec that have not been reviewed through governance. Run delimit lint to review.',
+              labels: ['api-governance', 'drift'],
+            });
+`;
+                        fs.writeFileSync(driftWorkflowFile, driftContent);
+                        console.log(chalk.green('  Created .github/workflows/api-drift-monitor.yml'));
+                    } catch (err) {
+                        console.log(chalk.yellow(`  Could not write drift workflow: ${err.message}`));
+                    }
+                }
+            }
+        }
+
         // Step 5: Run first lint to show immediate value
         console.log('');
         if (specPath) {
@@ -1182,9 +1280,50 @@ jobs:
             }
         }
 
+        // Step 6: Save first evidence event (LED-258)
+        const evidenceDir = path.join(configDir, 'evidence');
+        fs.mkdirSync(evidenceDir, { recursive: true });
+        const evidenceEvent = {
+            id: `EVD-${Date.now().toString(36)}`,
+            ts: new Date().toISOString(),
+            type: 'governance_init',
+            tool: 'delimit_init',
+            model: 'cli',
+            status: 'pass',
+            summary: `Governance initialized with ${preset} preset`,
+            detail: [
+                `Project: ${projectName}`,
+                frameworkLabel ? `Framework: ${frameworkLabel}` : null,
+                specPath ? `Spec: ${specPath}` : 'Mode: Zero-Spec',
+                `Preset: ${preset}`,
+                ciProvider !== 'none' ? `CI: ${ciProvider}` : null,
+            ].filter(Boolean).join('\n'),
+            venture: projectName,
+        };
+        try {
+            const evidenceFile = path.join(evidenceDir, 'events.jsonl');
+            fs.appendFileSync(evidenceFile, JSON.stringify(evidenceEvent) + '\n');
+            console.log(chalk.green('  Evidence recorded — first governance event saved'));
+        } catch {}
+
+        // Step 7: Show gate status (LED-258)
+        console.log(chalk.bold('\n  Governance Gates:'));
+        const gates = [
+            { name: 'API Lint', status: specPath || ['fastapi', 'nestjs', 'express'].includes(framework) ? 'active' : 'inactive', chain: 'semver → gov_evaluate' },
+            { name: 'Security Audit', status: 'ready', chain: 'evidence_collect → notify' },
+            { name: 'Deploy Plan', status: 'ready', chain: 'security_audit' },
+            { name: 'Release Validate', status: 'ready', chain: 'evidence_collect → notify → ledger' },
+        ];
+        for (const gate of gates) {
+            const icon = gate.status === 'active' ? chalk.green('●') : gate.status === 'ready' ? chalk.yellow('○') : chalk.gray('○');
+            const statusLabel = gate.status === 'active' ? chalk.green('active') : gate.status === 'ready' ? chalk.yellow('ready') : chalk.gray('inactive');
+            console.log(`    ${icon} ${chalk.bold(gate.name)} ${chalk.gray('→')} ${chalk.gray(gate.chain)} ${chalk.gray('(')}${statusLabel}${chalk.gray(')')}`);
+        }
+
         // Summary
         const elapsed = ((Date.now() - startTime) / 1000).toFixed(1);
-        console.log(chalk.bold(`\n  Setup complete in ${elapsed}s\n`));
+        console.log(chalk.bold(`\n  Setup complete in ${elapsed}s`));
+        console.log(chalk.gray(`  Evidence saved to .delimit/evidence/events.jsonl\n`));
         console.log('  Next steps:');
         if (specPath) {
             console.log(`    ${chalk.bold('delimit lint')} ${specPath} ${specPath}  — lint on every PR`);
@@ -1196,6 +1335,170 @@ jobs:
         console.log('');
     });
 
+// Demo command — prove governance value in 5 minutes (LED-262)
+program
+    .command('demo')
+    .description('Run a self-contained governance demo — proves value in under 5 minutes')
+    .action(async () => {
+        const tmpDir = path.join(os.tmpdir(), `delimit-demo-${Date.now()}`);
+        fs.mkdirSync(tmpDir, { recursive: true });
+
+        console.log(chalk.bold('\n  Delimit Governance Demo\n'));
+        console.log(chalk.gray(`  Working in ${tmpDir}\n`));
+
+        // Step 1: Create a sample API spec
+        console.log(chalk.bold('  Step 1: Creating sample API spec...'));
+        const baseSpec = {
+            openapi: '3.0.3',
+            info: { title: 'Pet Store API', version: '1.0.0' },
+            paths: {
+                '/pets': {
+                    get: {
+                        summary: 'List all pets',
+                        operationId: 'listPets',
+                        parameters: [
+                            { name: 'limit', in: 'query', required: false, schema: { type: 'integer' } },
+                        ],
+                        responses: { '200': { description: 'A list of pets', content: { 'application/json': { schema: { type: 'array', items: { '$ref': '#/components/schemas/Pet' } } } } } },
+                    },
+                    post: {
+                        summary: 'Create a pet',
+                        operationId: 'createPet',
+                        requestBody: { content: { 'application/json': { schema: { '$ref': '#/components/schemas/Pet' } } } },
+                        responses: { '201': { description: 'Pet created' } },
+                    },
+                },
+                '/pets/{petId}': {
+                    get: {
+                        summary: 'Get a pet by ID',
+                        operationId: 'showPetById',
+                        parameters: [{ name: 'petId', in: 'path', required: true, schema: { type: 'string' } }],
+                        responses: { '200': { description: 'A pet', content: { 'application/json': { schema: { '$ref': '#/components/schemas/Pet' } } } } },
+                    },
+                },
+            },
+            components: {
+                schemas: {
+                    Pet: {
+                        type: 'object',
+                        required: ['id', 'name'],
+                        properties: {
+                            id: { type: 'integer', format: 'int64' },
+                            name: { type: 'string' },
+                            tag: { type: 'string' },
+                        },
+                    },
+                },
+            },
+        };
+
+        const baseSpecPath = path.join(tmpDir, 'openapi-v1.yaml');
+        fs.writeFileSync(baseSpecPath, yaml.dump(baseSpec));
+        console.log(chalk.green('  Created openapi-v1.yaml (3 endpoints, 1 schema)\n'));
+
+        // Step 2: Introduce breaking changes
+        console.log(chalk.bold('  Step 2: Introducing breaking changes...'));
+        const changedSpec = JSON.parse(JSON.stringify(baseSpec));
+        changedSpec.info.version = '2.0.0';
+
+        // Breaking: remove endpoint
+        delete changedSpec.paths['/pets/{petId}'];
+        // Breaking: add required parameter
+        changedSpec.paths['/pets'].get.parameters.push(
+            { name: 'owner_id', in: 'query', required: true, schema: { type: 'string' } }
+        );
+        // Breaking: remove response field
+        delete changedSpec.components.schemas.Pet.properties.tag;
+        // Non-breaking: add endpoint
+        changedSpec.paths['/pets/search'] = {
+            get: {
+                summary: 'Search pets',
+                operationId: 'searchPets',
+                parameters: [{ name: 'q', in: 'query', required: true, schema: { type: 'string' } }],
+                responses: { '200': { description: 'Search results' } },
+            },
+        };
+
+        const changedSpecPath = path.join(tmpDir, 'openapi-v2.yaml');
+        fs.writeFileSync(changedSpecPath, yaml.dump(changedSpec));
+        console.log(chalk.red('  Removed: GET /pets/{petId}'));
+        console.log(chalk.red('  Added required param: owner_id on GET /pets'));
+        console.log(chalk.red('  Removed field: Pet.tag'));
+        console.log(chalk.green('  Added: GET /pets/search'));
+        console.log('');
+
+        // Step 3: Run Delimit lint
+        console.log(chalk.bold('  Step 3: Running governance check...\n'));
+        try {
+            const result = apiEngine.lint(baseSpecPath, changedSpecPath, { policy: 'strict' });
+
+            if (result && result.summary) {
+                const s = result.summary;
+                const breaking = s.breaking || s.breaking_changes || 0;
+                const total = s.total || s.total_changes || 0;
+                const safe = total - breaking;
+
+                if (breaking > 0) {
+                    console.log(chalk.red.bold(`  BLOCKED — ${breaking} breaking change(s) detected\n`));
+                } else {
+                    console.log(chalk.green.bold(`  PASSED — No breaking changes\n`));
+                }
+
+                // Show violations
+                const violations = result.violations || [];
+                if (violations.length > 0) {
+                    console.log(chalk.bold('  Violations:'));
+                    violations.forEach((v, i) => {
+                        const icon = v.severity === 'error' ? chalk.red('  BLOCK') : chalk.yellow('  WARN ');
+                        console.log(`  ${icon} ${v.message}`);
+                        if (v.path) console.log(chalk.gray(`         ${v.path}`));
+                    });
+                    console.log('');
+                }
+
+                // Semver
+                if (result.semver) {
+                    console.log(`  Semver: ${chalk.bold(result.semver.bump?.toUpperCase() || 'MAJOR')}`);
+                    if (result.semver.next_version) {
+                        console.log(`  Next version: ${chalk.bold(result.semver.next_version)}`);
+                    }
+                }
+
+                // Show safe changes
+                if (safe > 0) {
+                    console.log(chalk.green(`\n  ${safe} additive change(s) also detected`));
+                }
+            }
+        } catch (err) {
+            console.log(chalk.yellow(`  Lint error: ${err.message}`));
+        }
+
+        // Step 4: Show governance gates
+        console.log(chalk.bold('\n  Governance Gates:'));
+        console.log(`    ${chalk.red('X')} API Lint          ${chalk.gray('→ semver → gov_evaluate')}`);
+        console.log(`    ${chalk.red('X')} Policy Compliance  ${chalk.gray('→ evidence_collect')}`);
+        console.log(`    ${chalk.green('+')} Security Audit     ${chalk.gray('→ evidence_collect → notify')}`);
+        console.log(`    ${chalk.red('X')} Deploy Readiness   ${chalk.gray('→ deploy_plan → security_audit')}`);
+        console.log(chalk.red.bold('\n  Deploy BLOCKED until all gates pass.\n'));
+
+        // Step 5: Show what would happen with the fix
+        console.log(chalk.bold('  What Delimit does:'));
+        console.log(chalk.gray('    1. Detects the 3 breaking changes automatically'));
+        console.log(chalk.gray('    2. Evaluates against your policy (strict/default/relaxed)'));
+        console.log(chalk.gray('    3. Blocks the deploy via governance gates'));
+        console.log(chalk.gray('    4. Records evidence for audit trail'));
+        console.log(chalk.gray('    5. Posts remediation guide on the PR'));
+        console.log(chalk.gray('    6. Tracks in the ledger for cross-model continuity'));
+
+        console.log(chalk.bold('\n  Try it on your project:'));
+        console.log(`    ${chalk.green('npx delimit-cli init')}     — set up governance`);
+        console.log(`    ${chalk.green('npx delimit-cli lint')}     — lint your API spec`);
+        console.log(`    ${chalk.green('npx delimit-cli setup')}    — configure AI assistants\n`);
+
+        // Cleanup
+        try { fs.rmSync(tmpDir, { recursive: true }); } catch {}
+    });
+
 // Doctor command — verify setup is correct
 program
     .command('doctor')

package/bin/delimit-setup.js

@@ -290,7 +290,7 @@ async function main() {
             }
             // Add governance instructions
             if (!geminiConfig.customInstructions || !geminiConfig.customInstructions.includes('delimit_ledger_context')) {
-                geminiConfig.customInstructions = 'Delimit MCP is installed. On every session start, call delimit_ledger_context to check for open tasks. If new project, call delimit_scan. Track all work via the ledger.';
+                geminiConfig.customInstructions = 'Delimit MCP is installed. On every session start: (1) call delimit_ledger_context for open tasks, (2) call delimit_gov_health, (3) call delimit_inbox_daemon(action="start") to start email polling. If new project, call delimit_scan. Track all work via the ledger.';
                 fs.writeFileSync(GEMINI_CONFIG, JSON.stringify(geminiConfig, null, 2));
             }
         } catch (e) {
@@ -537,7 +537,12 @@ if [ "$DELIMIT_WRAPPED" = "true" ] || [ ! -t 1 ]; then
 fi
 DELIMIT_HOME="\${DELIMIT_HOME:-$HOME/.delimit}"
 TOOL_COUNT="0"
-[ -f "$DELIMIT_HOME/server/ai/server.py" ] && TOOL_COUNT=$(grep -c '@mcp.tool' "$DELIMIT_HOME/server/ai/server.py" 2>/dev/null || echo "0")
+if [ -f "$DELIMIT_HOME/server/ai/server.py" ]; then
+  TOTAL=$(grep -c '@mcp.tool' "$DELIMIT_HOME/server/ai/server.py" 2>/dev/null || echo "0")
+  OPS=$(grep -c '@_ops_pack_tool' "$DELIMIT_HOME/server/ai/server.py" 2>/dev/null || echo "0")
+  INTERNAL=$(grep -c '@_internal_tool' "$DELIMIT_HOME/server/ai/server.py" 2>/dev/null || echo "0")
+  TOOL_COUNT=$((TOTAL - OPS - INTERNAL))
+fi
 echo ""
 printf "  \${PURPLE}\${BOLD}    ____  ________    ______  _____________\${RESET}\\n"
 printf "  \${PURPLE}\${BOLD}   / __ \\\\/ ____/ /   /  _/  |/  /  _/_  __/\${RESET}\\n"
@@ -810,8 +815,9 @@ Unify all AI coding assistants with persistent context, governance, and multi-mo
 ## On every session start:
 1. Call \`delimit_ledger_context\` to check for open tasks
 2. Call \`delimit_gov_health\` to check governance status
-3. If returning user, summarize what's pending
-4. If new project, call \`delimit_scan\` to discover what Delimit can do
+3. Call \`delimit_inbox_daemon(action="start")\` to start email polling — ALL venture inboxes route through this. Owner approves/adjusts/denies via email reply, same as being logged in.
+4. If returning user, summarize what's pending
+5. If new project, call \`delimit_scan\` to discover what Delimit can do
 
 ## After editing code:
 - After editing UI/CSS: call \`delimit_design_validate_responsive\`