delimit-cli 3.14.28 → 3.14.30

package/gateway/ai/backends/tools_design.py

@@ -194,10 +194,13 @@ def design_extract_tokens(
 ) -> Dict[str, Any]:
     """Extract design tokens from project CSS/SCSS/Tailwind config.
 
-    If FIGMA_TOKEN env var is set and figma_file_key provided, fetches from Figma API.
+    If a Figma token is available and figma_file_key provided, fetches from Figma API.
     Otherwise scans local project files for CSS variables, Tailwind config, etc.
+
+    Token resolution order: FIGMA_TOKEN env var -> ~/.delimit/secrets/figma.json -> free fallback.
     """
-    figma_token = os.environ.get("FIGMA_TOKEN", "")
+    from ai.key_resolver import get_figma_token
+    figma_token, _token_source = get_figma_token()
     if figma_token and figma_file_key:
         return _figma_extract_tokens(figma_file_key, figma_token, token_types)
 
@@ -255,7 +258,7 @@ def design_extract_tokens(
         all_tokens["breakpoints"] = unique_bp
 
     total = sum(len(v) for v in all_tokens.values())
-    return {
+    result = {
         "tool": "design.extract_tokens",
         "status": "ok",
         "tokens": all_tokens,
@@ -263,6 +266,14 @@ def design_extract_tokens(
         "source_files": sorted(set(source_files)),
         "figma_used": False,
     }
+    # If user passed a figma_file_key but no token is available, add a hint
+    if figma_file_key and not figma_token:
+        result["hint"] = (
+            "Figma integration available -- set FIGMA_TOKEN env var "
+            "or store your token with `delimit_secret_store key=figma value=<token>`. "
+            "Local CSS/Tailwind tokens were extracted instead."
+        )
+    return result
 
 
 def _figma_extract_tokens(file_key: str, token: str, token_types: Optional[List[str]]) -> Dict[str, Any]:
@@ -647,6 +658,16 @@ def story_generate(
 ) -> Dict[str, Any]:
     """Generate a .stories.tsx file for a component (no Storybook required)."""
     comp = Path(component_path)
+    if not comp.exists() and "/" not in component_path and "\\" not in component_path:
+        # Bare name like "Button" — search current directory for matching files
+        search_root = Path.cwd()
+        name = comp.stem
+        for pattern in [f"**/{name}.tsx", f"**/{name}.jsx", f"**/{name}.ts", f"**/{name}.js"]:
+            matches = [p for p in search_root.glob(pattern)
+                       if "node_modules" not in str(p) and ".next" not in str(p)]
+            if matches:
+                comp = matches[0]
+                break
     if not comp.exists():
         return {"tool": "story.generate", "error": f"Component file not found: {comp}"}
 
@@ -714,6 +735,55 @@ type Story = StoryObj<typeof {comp_name}>;
     }
 
 
+# ---------------------------------------------------------------------------
+# 25a. Puppeteer fallback for screenshots
+# ---------------------------------------------------------------------------
+
+def _puppeteer_screenshot_fallback(url: str, baselines_dir: Path) -> Dict[str, Any]:
+    """Take a screenshot via puppeteer (npx) when Playwright is not available."""
+    try:
+        baselines_dir.mkdir(parents=True, exist_ok=True)
+        safe_name = re.sub(r"[^a-zA-Z0-9]", "_", url)[:100]
+        screenshot_path = baselines_dir / f"{safe_name}.png"
+
+        # Inline JS script for puppeteer
+        script = (
+            "const puppeteer = require('puppeteer');"
+            "(async () => {"
+            "  const browser = await puppeteer.launch({headless: 'new', args: ['--no-sandbox']});"
+            "  const page = await browser.newPage();"
+            "  await page.setViewport({width: 1280, height: 720});"
+            f"  await page.goto('{url}', {{waitUntil: 'networkidle2', timeout: 15000}});"
+            f"  await page.screenshot({{path: '{screenshot_path}'}});"
+            "  await browser.close();"
+            "})();"
+        )
+        result = subprocess.run(
+            ["node", "-e", script],
+            capture_output=True,
+            timeout=30,
+        )
+        if result.returncode != 0:
+            return {
+                "tool": "story.visual_test",
+                "status": "puppeteer_error",
+                "error": result.stderr.decode(errors="replace")[:500],
+                "hint": "Puppeteer fallback failed. Install Playwright for better support: pip install playwright && python -m playwright install chromium",
+            }
+
+        return {
+            "tool": "story.visual_test",
+            "status": "ok",
+            "screenshot_path": str(screenshot_path),
+            "baseline_exists": False,
+            "diff_percent": None,
+            "engine": "puppeteer_fallback",
+            "hint": "Screenshot taken with puppeteer (fallback). Install Playwright for full visual regression with baseline comparison.",
+        }
+    except Exception as e:
+        return {"tool": "story.visual_test", "status": "error", "error": str(e)}
+
+
 # ---------------------------------------------------------------------------
 # 25. story_visual_test
 # ---------------------------------------------------------------------------
@@ -723,19 +793,39 @@ def story_visual_test(
     project_path: Optional[str] = None,
     threshold: float = 0.05,
 ) -> Dict[str, Any]:
-    """Take a screenshot with Playwright and compare against baseline."""
+    """Take a screenshot with Playwright and compare against baseline.
+
+    Falls back to puppeteer (npx) if Playwright is not installed,
+    and returns install guidance if neither is available.
+    """
+    from ai.key_resolver import get_playwright, get_puppeteer
+
     root = Path(project_path) if project_path else Path.cwd()
     baselines_dir = root / ".delimit" / "visual-baselines"
 
-    if not _has_playwright():
+    pw_available, _ = get_playwright()
+
+    if not pw_available:
+        # Try puppeteer fallback via npx
+        pup_available, _ = get_puppeteer()
+        if pup_available:
+            return _puppeteer_screenshot_fallback(url, baselines_dir)
+
         return {
             "tool": "story.visual_test",
-            "status": "no_playwright",
-            "message": "Playwright is not installed. Install with: pip install playwright && python -m playwright install chromium",
+            "status": "no_screenshot_tool",
+            "message": (
+                "No screenshot tool available. Install one of the following:\n"
+                "  - Playwright (recommended): pip install playwright && python -m playwright install chromium\n"
+                "  - Puppeteer (fallback): npm install -g puppeteer"
+            ),
             "screenshot_path": None,
             "baseline_exists": False,
             "diff_percent": None,
-            "next_steps_hint": "Install Playwright for visual regression testing, or use static accessibility checks instead.",
+            "next_steps_hint": (
+                "Install Playwright for full visual regression testing, "
+                "or use `delimit_story_accessibility` for static checks that require no browser."
+            ),
         }
 
     try:
@@ -795,7 +885,24 @@ def story_visual_test(
         }
 
     except Exception as e:
-        return {"tool": "story.visual_test", "error": str(e)}
+        pup_available, _ = get_puppeteer()
+        if pup_available:
+            return _puppeteer_screenshot_fallback(url, baselines_dir)
+
+        return {
+            "tool": "story.visual_test",
+            "status": "playwright_error",
+            "error": str(e),
+            "screenshot_path": None,
+            "baseline_exists": False,
+            "diff_percent": None,
+            "engine": "playwright",
+            "hint": (
+                "Playwright is installed but could not launch a browser in this environment. "
+                "Install/configure a browser runtime that works in the current sandbox, or "
+                "use Puppeteer as a fallback."
+            ),
+        }
 
 
 # ---------------------------------------------------------------------------

package/gateway/ai/backends/tools_infra.py

@@ -34,8 +34,8 @@ DEPLOYS_DIR = Path(os.environ.get("DELIMIT_DEPLOYS_DIR", os.path.expanduser("~/.
 SECRET_PATTERNS = {
     "aws_access_key": r"(?:AKIA[0-9A-Z]{16})",
     "aws_secret_key": r"(?:aws_secret_access_key|AWS_SECRET_ACCESS_KEY)\s*[=:]\s*['\"]?[A-Za-z0-9/+=]{40}",
-    "generic_api_key": r"(?:api[_-]?key|apikey)\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{20,}",
-    "generic_secret": r"(?:secret|password|passwd|token)\s*[=:]\s*['\"]?[^\s'\"]{8,}",
+    "generic_api_key": r"\b(?:api[_-]?key|apikey)\b\s*[=:]\s*['\"]?[A-Za-z0-9_\-]{20,}",
+    "generic_secret": r"\b(?:secret|password|passwd|token)\b\s*[=:]\s*['\"]?[^\s'\"]{8,}",
     "private_key_header": r"-----BEGIN (?:RSA |EC |DSA )?PRIVATE KEY-----",
     "github_token": r"gh[pousr]_[A-Za-z0-9_]{36,}",
     "slack_token": r"xox[baprs]-[0-9A-Za-z\-]{10,}",
@@ -62,7 +62,17 @@ SKIP_DIRS = {"node_modules", ".git", "__pycache__", ".venv", "venv", ".tox", "di
 
 
 def _run_cmd(cmd: List[str], timeout: int = 30, cwd: Optional[str] = None) -> Dict[str, Any]:
-    """Run a command and return stdout, stderr, returncode."""
+    """Run a command and return stdout, stderr, returncode.
+
+    Security: always uses list-form args (never shell=True).
+    Validates cwd if provided and rejects null bytes in arguments.
+    """
+    # Defense-in-depth: reject null bytes in any argument
+    for i, arg in enumerate(cmd):
+        if "\x00" in str(arg):
+            return {"stdout": "", "stderr": f"Argument {i} contains null bytes", "returncode": -4}
+    if cwd and "\x00" in cwd:
+        return {"stdout": "", "stderr": "cwd contains null bytes", "returncode": -4}
     try:
         result = subprocess.run(cmd, capture_output=True, text=True, timeout=timeout, cwd=cwd)
         return {"stdout": result.stdout, "stderr": result.stderr, "returncode": result.returncode}
@@ -74,6 +84,28 @@ def _run_cmd(cmd: List[str], timeout: int = 30, cwd: Optional[str] = None) -> Di
         return {"stdout": "", "stderr": str(e), "returncode": -3}
 
 
+def _bump_semver(version: str, bump: str) -> str:
+    """Compute the next semver version without mutating files."""
+    try:
+        major_s, minor_s, patch_s = version.split(".", 2)
+        major = int(major_s)
+        minor = int(minor_s)
+        patch = int(patch_s)
+    except Exception as exc:
+        raise ValueError(f"Invalid semver version '{version}'") from exc
+
+    if bump == "patch":
+        patch += 1
+    elif bump == "minor":
+        minor += 1
+        patch = 0
+    elif bump == "major":
+        major += 1
+        minor = 0
+        patch = 0
+    return f"{major}.{minor}.{patch}"
+
+
 def _scan_files(target: str) -> List[Path]:
     """Collect scannable source files under target."""
     root = Path(target).resolve()
@@ -82,14 +114,15 @@ def _scan_files(target: str) -> List[Path]:
         return [root]
     if not root.is_dir():
         return []
-    for p in root.rglob("*"):
-        if any(skip in p.parts for skip in SKIP_DIRS):
-            continue
-        if p.is_file() and p.suffix in SCAN_EXTENSIONS:
-            files.append(p)
-        # Cap to avoid scanning massive repos
-        if len(files) >= 5000:
-            break
+    for dirpath, dirnames, filenames in os.walk(root, onerror=lambda _err: None):
+        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
+        for filename in filenames:
+            p = Path(dirpath) / filename
+            if p.suffix in SCAN_EXTENSIONS:
+                files.append(p)
+            # Cap to avoid scanning massive repos
+            if len(files) >= 5000:
+                return files
     return files
 
 
@@ -892,36 +925,27 @@ def deploy_site(project_path: str = ".", message: str = "", env_vars: dict = Non
     except Exception as e:
         return {"error": f"Git status failed: {e}"}
 
-    # 2. Git add + commit
-    commit_msg = message or "deploy: site update"
+    # 2. Preflight the git remote before creating a commit.
     try:
-        subprocess.run(["git", "add", "-A"], cwd=str(p), timeout=10, capture_output=True)
         result = subprocess.run(
-            ["git", "commit", "-m", commit_msg],
-            cwd=str(p), timeout=10, capture_output=True, text=True
-        )
-        if result.returncode == 0:
-            results["steps"].append({"step": "commit", "status": "ok", "message": commit_msg})
-        else:
-            results["steps"].append({"step": "commit", "status": "skipped", "detail": "nothing to commit"})
-    except Exception as e:
-        results["steps"].append({"step": "commit", "status": "error", "detail": str(e)})
-
-    # 3. Git push
-    try:
-        result = subprocess.run(
-            ["git", "push", "origin", "HEAD"],
+            ["git", "push", "--dry-run", "origin", "HEAD"],
             cwd=str(p), timeout=30, capture_output=True, text=True
         )
-        results["steps"].append({
-            "step": "push",
-            "status": "ok" if result.returncode == 0 else "error",
-            "detail": result.stderr.strip()[:200] if result.returncode != 0 else "pushed"
-        })
+        if result.returncode != 0:
+            results["steps"].append({
+                "step": "push_precheck",
+                "status": "error",
+                "detail": (result.stderr.strip() or result.stdout.strip())[:200],
+            })
+            results["status"] = "push_precheck_failed"
+            return results
+        results["steps"].append({"step": "push_precheck", "status": "ok"})
     except Exception as e:
-        results["steps"].append({"step": "push", "status": "error", "detail": str(e)})
+        results["steps"].append({"step": "push_precheck", "status": "error", "detail": str(e)})
+        results["status"] = "push_precheck_error"
+        return results
 
-    # 4. Vercel build
+    # 3. Vercel build
     env = {**os.environ}
     if env_vars:
         # Whitelist safe env var prefixes — block LD_PRELOAD, PATH overrides, etc.
@@ -952,7 +976,68 @@ def deploy_site(project_path: str = ".", message: str = "", env_vars: dict = Non
         results["status"] = "build_error"
         return results
 
-    # 5. Vercel deploy
+    # 4. Git add + commit
+    commit_msg = message or "deploy: site update"
+    try:
+        result = subprocess.run(["git", "add", "-A"], cwd=str(p), timeout=10, capture_output=True, text=True)
+        if result.returncode != 0:
+            results["steps"].append({
+                "step": "git_add",
+                "status": "error",
+                "detail": (result.stderr.strip() or result.stdout.strip())[:200],
+            })
+            results["status"] = "git_add_failed"
+            return results
+        results["steps"].append({"step": "git_add", "status": "ok"})
+    except Exception as e:
+        results["steps"].append({"step": "git_add", "status": "error", "detail": str(e)})
+        results["status"] = "git_add_error"
+        return results
+
+    try:
+        result = subprocess.run(
+            ["git", "commit", "-m", commit_msg],
+            cwd=str(p), timeout=10, capture_output=True, text=True
+        )
+        commit_output = f"{result.stdout}\n{result.stderr}".lower()
+        if result.returncode == 0:
+            results["steps"].append({"step": "commit", "status": "ok", "message": commit_msg})
+        elif "nothing to commit" in commit_output or "working tree clean" in commit_output:
+            results["steps"].append({"step": "commit", "status": "skipped", "detail": "nothing to commit"})
+        else:
+            results["steps"].append({
+                "step": "commit",
+                "status": "error",
+                "detail": (result.stderr.strip() or result.stdout.strip())[:200],
+            })
+            results["status"] = "commit_failed"
+            return results
+    except Exception as e:
+        results["steps"].append({"step": "commit", "status": "error", "detail": str(e)})
+        results["status"] = "commit_error"
+        return results
+
+    # 5. Git push
+    try:
+        result = subprocess.run(
+            ["git", "push", "origin", "HEAD"],
+            cwd=str(p), timeout=30, capture_output=True, text=True
+        )
+        if result.returncode != 0:
+            results["steps"].append({
+                "step": "push",
+                "status": "error",
+                "detail": (result.stderr.strip() or result.stdout.strip())[:200],
+            })
+            results["status"] = "push_failed"
+            return results
+        results["steps"].append({"step": "push", "status": "ok", "detail": "pushed"})
+    except Exception as e:
+        results["steps"].append({"step": "push", "status": "error", "detail": str(e)})
+        results["status"] = "push_error"
+        return results
+
+    # 6. Vercel deploy
     try:
         result = subprocess.run(
             ["npx", "vercel", "deploy", "--prebuilt", "--prod"],
@@ -970,9 +1055,14 @@ def deploy_site(project_path: str = ".", message: str = "", env_vars: dict = Non
             "status": "ok" if result.returncode == 0 else "error",
             "url": deploy_url
         })
+        if result.returncode != 0:
+            results["status"] = "deploy_failed"
+            return results
         results["deploy_url"] = deploy_url
     except Exception as e:
         results["steps"].append({"step": "deploy", "status": "error", "detail": str(e)})
+        results["status"] = "deploy_error"
+        return results
 
     results["status"] = "deployed"
     return results
@@ -1036,32 +1126,71 @@ def deploy_npm(project_path: str = ".", bump: str = "patch", tag: str = "latest"
     except Exception:
         pass
 
+    # ── Dry-run: simulate without touching the filesystem ──
+    if dry_run:
+        # Compute what the next version would be without actually bumping
+        parts = current_version.split(".")
+        if len(parts) == 3 and bump in ("patch", "minor", "major"):
+            major, minor, patch_v = int(parts[0]), int(parts[1]), int(parts[2])
+            if bump == "patch":
+                patch_v += 1
+            elif bump == "minor":
+                minor += 1
+                patch_v = 0
+            elif bump == "major":
+                major += 1
+                minor = 0
+                patch_v = 0
+            simulated_version = f"{major}.{minor}.{patch_v}"
+        else:
+            simulated_version = current_version
+        results["new_version"] = simulated_version
+        results["steps"].append({"step": "version_bump", "status": "dry_run", "from": current_version, "to": simulated_version, "bump": bump})
+        results["steps"].append({"step": "publish", "status": "dry_run", "tag": tag, "output": f"Would publish {pkg_name}@{simulated_version} with tag {tag}"})
+        results["steps"].append({"step": "verify", "status": "dry_run"})
+        results["status"] = "dry_run_complete"
+        return results
+
     # 4. Version bump
     if bump in ("patch", "minor", "major"):
-        try:
-            bump_cmd = ["npm", "version", bump, "--no-git-tag-version"]
-            result = subprocess.run(
-                bump_cmd, capture_output=True, text=True, timeout=10, cwd=str(p)
-            )
-            if result.returncode == 0:
-                new_version = result.stdout.strip().lstrip("v")
+        if dry_run:
+            try:
+                new_version = _bump_semver(current_version, bump)
                 results["new_version"] = new_version
-                results["steps"].append({"step": "version_bump", "status": "ok", "from": current_version, "to": new_version, "bump": bump})
-            else:
-                results["steps"].append({"step": "version_bump", "status": "error", "detail": result.stderr.strip()[:200]})
+                results["steps"].append({
+                    "step": "version_bump",
+                    "status": "dry_run",
+                    "from": current_version,
+                    "to": new_version,
+                    "bump": bump,
+                })
+            except Exception as e:
+                results["steps"].append({"step": "version_bump", "status": "error", "detail": str(e)})
+                results["status"] = "bump_failed"
+                return results
+        else:
+            try:
+                bump_cmd = ["npm", "version", bump, "--no-git-tag-version"]
+                result = subprocess.run(
+                    bump_cmd, capture_output=True, text=True, timeout=10, cwd=str(p)
+                )
+                if result.returncode == 0:
+                    new_version = result.stdout.strip().lstrip("v")
+                    results["new_version"] = new_version
+                    results["steps"].append({"step": "version_bump", "status": "ok", "from": current_version, "to": new_version, "bump": bump})
+                else:
+                    results["steps"].append({"step": "version_bump", "status": "error", "detail": result.stderr.strip()[:200]})
+                    results["status"] = "bump_failed"
+                    return results
+            except Exception as e:
+                results["steps"].append({"step": "version_bump", "status": "error", "detail": str(e)})
                 results["status"] = "bump_failed"
                 return results
-        except Exception as e:
-            results["steps"].append({"step": "version_bump", "status": "error", "detail": str(e)})
-            results["status"] = "bump_failed"
-            return results
     else:
         results["new_version"] = current_version
 
     # 5. Publish
     publish_cmd = ["npm", "publish", "--tag", tag]
-    if dry_run:
-        publish_cmd.append("--dry-run")
 
     try:
         result = subprocess.run(
@@ -1070,7 +1199,7 @@ def deploy_npm(project_path: str = ".", bump: str = "patch", tag: str = "latest"
         if result.returncode == 0:
             results["steps"].append({
                 "step": "publish",
-                "status": "ok" if not dry_run else "dry_run",
+                "status": "ok",
                 "tag": tag,
                 "output": result.stdout.strip()[-300:]
             })
@@ -1091,27 +1220,26 @@ def deploy_npm(project_path: str = ".", bump: str = "patch", tag: str = "latest"
         results["status"] = "publish_failed"
         return results
 
-    # 6. Verify on registry (skip for dry run)
-    if not dry_run:
-        try:
-            import time
-            time.sleep(2)  # brief wait for registry propagation
-            result = subprocess.run(
-                ["npm", "view", pkg_name, "version"],
-                capture_output=True, text=True, timeout=15
-            )
-            registry_version = result.stdout.strip()
-            verified = registry_version == results.get("new_version", current_version)
-            results["steps"].append({
-                "step": "verify",
-                "status": "ok" if verified else "mismatch",
-                "registry_version": registry_version
-            })
-        except Exception:
-            results["steps"].append({"step": "verify", "status": "skipped"})
+    # 6. Verify on registry
+    try:
+        import time
+        time.sleep(2)  # brief wait for registry propagation
+        result = subprocess.run(
+            ["npm", "view", pkg_name, "version"],
+            capture_output=True, text=True, timeout=15
+        )
+        registry_version = result.stdout.strip()
+        verified = registry_version == results.get("new_version", current_version)
+        results["steps"].append({
+            "step": "verify",
+            "status": "ok" if verified else "mismatch",
+            "registry_version": registry_version
+        })
+    except Exception:
+        results["steps"].append({"step": "verify", "status": "skipped"})
 
     # 7. Git commit the version bump
-    if bump in ("patch", "minor", "major") and not dry_run:
+    if bump in ("patch", "minor", "major"):
         try:
             new_ver = results.get("new_version", current_version)
             subprocess.run(["git", "add", "package.json"], cwd=str(p), timeout=10, capture_output=True)

package/gateway/ai/backends/tools_real.py

@@ -551,6 +551,8 @@ def docs_generate(target: str = ".", options: Optional[Dict] = None) -> Dict[str
 
     # Scan Python files
     for py_file in sorted(project.rglob("*.py")):
+        if not py_file.is_file():
+            continue
         if any(d in py_file.parts for d in skip_dirs):
             continue
         if py_file.name.startswith("test_") or py_file.name == "conftest.py":
@@ -569,6 +571,8 @@ def docs_generate(target: str = ".", options: Optional[Dict] = None) -> Dict[str
     # Scan JS/TS files
     for ext in ("*.js", "*.ts", "*.jsx", "*.tsx"):
         for js_file in sorted(project.rglob(ext)):
+            if not js_file.is_file():
+                continue
             if any(d in js_file.parts for d in skip_dirs):
                 continue
             if ".test." in js_file.name or ".spec." in js_file.name:
@@ -715,6 +719,8 @@ def docs_validate(target: str = ".", options: Optional[Dict] = None) -> Dict[str
     missing_docs = []
 
     for py_file in sorted(project.rglob("*.py")):
+        if not py_file.is_file():
+            continue
         if any(d in py_file.parts for d in skip_dirs):
             continue
         if py_file.name.startswith("test_") or py_file.name == "conftest.py":
@@ -731,6 +737,8 @@ def docs_validate(target: str = ".", options: Optional[Dict] = None) -> Dict[str
     # 3. Check broken internal links in all markdown files
     broken_links = []
     for md_file in sorted(project.rglob("*.md")):
+        if not md_file.is_file():
+            continue
         if any(d in md_file.parts for d in skip_dirs):
             continue
         broken_links.extend(_check_broken_links(md_file, project))