npm - delimit-cli - Versions diffs - 3.14.44 → 3.14.45 - Mend

delimit-cli 3.14.44 → 3.14.45

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/gateway/ai/notify.py +5 -4
package/gateway/ai/server.py +2 -2
package/package.json +2 -1
package/scripts/security-check.sh +66 -0

package/gateway/ai/notify.py CHANGED Viewed

@@ -37,7 +37,7 @@ INBOX_ROUTING_FILE = Path.home() / ".delimit" / "inbox_routing.jsonl"
 IMAP_HOST = "mail.spacemail.com"
 IMAP_PORT = 993
 IMAP_USER = "pro@delimit.ai"
-FORWARD_TO = os.environ.get("DELIMIT_FORWARD_TO", "")
+FORWARD_TO = "configured-email@example.com"
 # Domains/senders whose emails require owner action
 OWNER_ACTION_DOMAINS = {
@@ -61,7 +61,7 @@ OWNER_ACTION_DOMAINS = {
 }
 OWNER_ACTION_SENDERS = {
-    os.environ.get("DELIMIT_FORWARD_TO", ""),
+    "configured-email@example.com",
 }
 # Subject patterns that indicate owner-action (compiled once)
@@ -222,7 +222,8 @@ def send_email(
     """Send an email notification via SMTP.
     Args:
-        to: Recipient email address. Falls back to DELIMIT_SMTP_TO env var.
+        to: Recipient email address. Falls back to DELIMIT_SMTP_TO or
+            configured-email@example.com.
         subject: Email subject line.
         body: Email body text (preferred). Falls back to 'message' for
             backward compatibility.
@@ -257,7 +258,7 @@ def send_email(
         smtp_pass = os.environ.get("DELIMIT_SMTP_PASS", "")
         smtp_from = os.environ.get("DELIMIT_SMTP_FROM", "")
-    smtp_to = to or os.environ.get("DELIMIT_SMTP_TO", "")
+    smtp_to = to or os.environ.get("DELIMIT_SMTP_TO", "configured-email@example.com")
     if not all([smtp_host, smtp_from, smtp_to]):
         record = {

package/gateway/ai/server.py CHANGED Viewed

@@ -5886,7 +5886,7 @@ def delimit_notify(channel: str = "webhook", message: str = "",
         subject: Subject line (email only). Use [ACTION], [INFO], [ALERT] prefix.
         event_type: Event category for filtering.
         to: Recipient email address (email only). Overrides default DELIMIT_SMTP_TO.
-            Send to any address — leave empty for default (uses DELIMIT_SMTP_TO env var).
+            Send to any address — leave empty for default (configured-email@example.com).
         from_account: Sender account key from ~/.delimit/secrets/smtp-all.json
             (e.g. 'pro@delimit.ai', '<configured-email>'). Email only.
     """
@@ -5994,7 +5994,7 @@ def delimit_notify_inbox(action: str = "status", limit: int = 10,
     """Check inbound email inbox, classify, and route (Pro).
     Polls pro@delimit.ai via IMAP. Classifies emails as owner-action
-    (forwards to configured email) or non-owner (stays in inbox).
+    (forwards to configured-email@example.com) or non-owner (stays in inbox).
     Args:
         action: 'status' (show inbox state), 'poll' (classify and optionally forward),

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "delimit-cli",
   "mcpName": "io.github.delimit-ai/delimit-mcp-server",
-  "version": "3.14.44",
+  "version": "3.14.45",
   "description": "Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, governance, and multi-model debate.",
   "main": "index.js",
   "files": [
@@ -25,6 +25,7 @@
   },
   "scripts": {
     "postinstall": "node scripts/postinstall.js",
+    "prepublishOnly": "bash scripts/security-check.sh",
     "test": "node --test tests/setup-onboarding.test.js tests/setup-matrix.test.js tests/config-export-import.test.js tests/cross-model-hooks.test.js tests/golden-path.test.js"
   },
   "keywords": [

package/scripts/security-check.sh ADDED Viewed

@@ -0,0 +1,66 @@
+#!/bin/bash
+# Pre-publish security check — blocks npm publish if secrets are found
+# Run: bash scripts/security-check.sh
+set -euo pipefail
+echo "🔍 Delimit pre-publish security scan..."
+FAIL=0
+# Pack to temp and scan the actual tarball contents
+TMPDIR=$(mktemp -d)
+npm pack --pack-destination "$TMPDIR" --quiet 2>/dev/null
+TARBALL=$(ls "$TMPDIR"/*.tgz)
+tar -xzf "$TARBALL" -C "$TMPDIR"
+# 1. Credential patterns
+echo -n "  Credentials... "
+if grep -rEi '(password|passwd|secret|api_key|apikey)\s*[:=]\s*["\x27][^"\x27]{4,}' "$TMPDIR/package/" --include="*.py" --include="*.js" --include="*.json" 2>/dev/null | grep -v 'environ\|getenv\|process\.env\|os\.environ\|<configured\|example\|placeholder\|REDACTED\|\${credentials\|credentials\.\|security-scan-ignore'; then
+    echo "❌ FOUND CREDENTIALS"
+    FAIL=1
+else
+    echo "✅ clean"
+fi
+# 2. Blocklist terms
+echo -n "  Blocklist... "
+BLOCKLIST="jamsonsholdings|Bladabah|Domainvested26|Delimit26|home/jamsons|infracore|crypttrx|\.wr_env"
+if grep -rEi "$BLOCKLIST" "$TMPDIR/package/" --include="*.py" --include="*.js" --include="*.json" 2>/dev/null; then
+    echo "❌ BLOCKED TERMS FOUND"
+    FAIL=1
+else
+    echo "✅ clean"
+fi
+# 3. PII (email addresses that aren't examples)
+echo -n "  PII... "
+if grep -rEi '[a-z0-9._%+-]+@(gmail|yahoo|hotmail|outlook|proton|jamsons|wire\.report|domainvested)' "$TMPDIR/package/" --include="*.py" --include="*.js" --include="*.json" 2>/dev/null | grep -v "example\|placeholder\|<configured\|noreply"; then
+    echo "❌ PII FOUND"
+    FAIL=1
+else
+    echo "✅ clean"
+fi
+# 4. Proprietary files that shouldn't ship
+echo -n "  Proprietary files... "
+PROPRIETARY="social_target\.py|social\.py|founding_users\.py|inbox_daemon\.py"
+if find "$TMPDIR/package/" -name "*.py" | grep -Ei "$PROPRIETARY" 2>/dev/null; then
+    echo "❌ PROPRIETARY FILES IN PACKAGE"
+    FAIL=1
+else
+    echo "✅ clean"
+fi
+# Cleanup
+rm -rf "$TMPDIR"
+if [ $FAIL -ne 0 ]; then
+    echo ""
+    echo "❌ SECURITY CHECK FAILED — do not publish"
+    exit 1
+fi
+echo ""
+echo "✅ All security checks passed"
+exit 0