delimit-cli 3.15.12 → 3.15.14

package/CHANGELOG.md

@@ -1,5 +1,18 @@
 # Changelog
 
+## [3.15.13] - 2026-03-29
+
+### Added
+- **Self-extending swarm**: Architect and Senior Dev agents can create new MCP tools at runtime
+- **Tool security scan**: Block dangerous patterns (subprocess, exec, eval, socket) in custom tools
+- **8 new modules**: activate_helpers, cross_model_audit, github_scanner, handoff_receipts, reddit_scanner, session_phoenix, social_target, toolcard_cache
+- **Reviewer approval gate**: Custom tools require reviewer sign-off before activation
+
+### Changed
+- Swarm actions expanded: create_tool, list_tools now available via delimit_swarm
+- Inbox daemon: enhanced email classification and approval routing
+- Social pipeline: improved content generation and scheduling
+
 ## [3.15.9] - 2026-03-30
 
 ### Added

package/gateway/ai/activate_helpers.py

@@ -0,0 +1,210 @@
+"""LED-269 / LED-270: Activation checklist helpers.
+
+Extracted so they can be tested independently of ai.server (which has
+heavy MCP decorator dependencies).
+"""
+
+import json
+import os
+from pathlib import Path
+from typing import Dict, Any
+
+
+def activate_auto_permissions(auto_permissions: bool) -> dict:
+    """LED-269: Detect AI assistant and auto-configure Delimit tool permissions.
+
+    Returns a checklist entry dict with item/status/detail.
+    """
+    home = Path.home()
+    assistant = None
+    config_path = None
+
+    # Detect which assistant is running
+    if os.environ.get("CLAUDE_CODE") or (home / ".claude").is_dir():
+        assistant = "claude_code"
+        config_path = home / ".claude" / "settings.json"
+    elif (home / ".codex" / "config.toml").exists():
+        assistant = "codex"
+        config_path = home / ".codex" / "config.toml"
+    elif (home / ".gemini" / "settings.json").exists():
+        assistant = "gemini"
+        config_path = home / ".gemini" / "settings.json"
+    else:
+        if os.environ.get("CODEX_CLI"):
+            assistant = "codex"
+            config_path = home / ".codex" / "config.toml"
+
+    if not assistant:
+        return {"item": "Permissions", "status": "Skip (no assistant)", "detail": "No AI assistant detected"}
+
+    if not auto_permissions:
+        return {"item": "Permissions", "status": "Skip (manual)", "detail": f"Detected {assistant} — auto-config disabled"}
+
+    try:
+        if assistant == "claude_code":
+            return configure_claude_code_permissions(config_path)
+        elif assistant == "codex":
+            return configure_codex_permissions(config_path)
+        elif assistant == "gemini":
+            return {"item": "Permissions", "status": "Skip (manual)", "detail": "Gemini CLI — configure permissions manually"}
+    except Exception as e:
+        return {"item": "Permissions", "status": "Fail", "detail": f"Auto-config failed: {e}"}
+
+    return {"item": "Permissions", "status": "Skip (manual)", "detail": f"Detected {assistant}"}
+
+
+def configure_claude_code_permissions(config_path: Path) -> dict:
+    """Add mcp__delimit__* to Claude Code permissions.allow if not present."""
+    permission_pattern = "mcp__delimit__*"
+
+    if config_path.exists():
+        try:
+            data = json.loads(config_path.read_text())
+        except (json.JSONDecodeError, OSError):
+            data = {}
+    else:
+        data = {}
+
+    permissions = data.setdefault("permissions", {})
+    allow_list = permissions.setdefault("allow", [])
+
+    if any(permission_pattern in str(entry) for entry in allow_list):
+        return {"item": "Permissions", "status": "Pass", "detail": f"Claude Code: {permission_pattern} already in settings"}
+
+    allow_list.append(permission_pattern)
+    config_path.parent.mkdir(parents=True, exist_ok=True)
+    config_path.write_text(json.dumps(data, indent=2))
+    return {"item": "Permissions", "status": "Pass", "detail": f"Claude Code: added {permission_pattern} to {config_path}"}
+
+
+def configure_codex_permissions(config_path: Path) -> dict:
+    """Set trust_level to trusted for Delimit in Codex config.toml."""
+    if config_path.exists():
+        content = config_path.read_text()
+        if "trust_level" in content and "trusted" in content:
+            return {"item": "Permissions", "status": "Pass", "detail": "Codex: already trusted"}
+    else:
+        content = ""
+
+    if "[delimit]" not in content:
+        addition = '\n[delimit]\ntrust_level = "trusted"\n'
+        config_path.parent.mkdir(parents=True, exist_ok=True)
+        with open(config_path, "a") as f:
+            f.write(addition)
+        return {"item": "Permissions", "status": "Pass", "detail": f"Codex: added trust_level=trusted to {config_path}"}
+    else:
+        return {"item": "Permissions", "status": "Pass", "detail": "Codex: delimit section exists"}
+
+
+def build_checklist(
+    license_key: str,
+    project_path: str,
+    auto_permissions: bool,
+) -> Dict[str, Any]:
+    """Build the activation checklist. Core logic extracted from delimit_activate.
+
+    Returns the result dict (without next_steps wrapping).
+    """
+    from ai.license import activate_license, get_license, is_premium, require_premium
+
+    checklist: list = []
+    p = Path(project_path).resolve()
+
+    # --- Step 1: License activation (if key provided) ---
+    if license_key:
+        lic_result = activate_license(license_key)
+        if lic_result.get("status") == "activated":
+            checklist.append({"item": "License activation", "status": "Pass", "detail": f"Tier: {lic_result.get('tier', 'pro')}"})
+        else:
+            checklist.append({"item": "License activation", "status": "Fail", "detail": lic_result.get("error", "Unknown error")})
+    else:
+        lic = get_license()
+        tier = lic.get("tier", "free")
+        checklist.append({"item": "License status", "status": "Pass", "detail": f"Tier: {tier}"})
+
+    # --- Step 2: MCP server reachable ---
+    checklist.append({"item": "MCP server", "status": "Pass", "detail": "Server responding"})
+
+    # --- Step 3: Python dependencies ---
+    dep_ok = True
+    for pkg in ["yaml", "pydantic", "packaging", "fastmcp"]:
+        try:
+            __import__(pkg)
+        except ImportError:
+            dep_ok = False
+            checklist.append({"item": f"Dependency: {pkg}", "status": "Fail", "detail": f"pip install {pkg}"})
+    if dep_ok:
+        checklist.append({"item": "Dependencies", "status": "Pass", "detail": "All required packages installed"})
+
+    # --- Step 4: Governance initialized ---
+    delimit_dir = p / ".delimit"
+    policies = delimit_dir / "policies.yml"
+    if delimit_dir.is_dir() and policies.is_file():
+        checklist.append({"item": "Governance", "status": "Pass", "detail": f"Initialized at {delimit_dir}"})
+    elif delimit_dir.is_dir():
+        checklist.append({"item": "Governance", "status": "Fail", "detail": "Missing policies.yml — run delimit_init"})
+    else:
+        checklist.append({"item": "Governance", "status": "Fail", "detail": "Not initialized — run delimit_init"})
+
+    # --- Step 5: Test smoke (skip if no framework) ---
+    try:
+        from backends.tools_real import test_smoke as _test_smoke_fn
+        smoke = _test_smoke_fn(project_path=str(p))
+        if smoke.get("status") == "no_framework":
+            checklist.append({"item": "Test smoke", "status": "Skip (no tests)", "detail": "No test framework detected"})
+        elif smoke.get("error"):
+            checklist.append({"item": "Test smoke", "status": "Fail", "detail": smoke.get("error", "")})
+        else:
+            passed_count = smoke.get("passed", 0)
+            failed_count = smoke.get("failed", 0)
+            if failed_count == 0:
+                checklist.append({"item": "Test smoke", "status": "Pass", "detail": f"{passed_count} tests passed"})
+            else:
+                checklist.append({"item": "Test smoke", "status": "Fail", "detail": f"{passed_count} passed, {failed_count} failed"})
+    except Exception as e:
+        checklist.append({"item": "Test smoke", "status": "Skip (no tests)", "detail": f"Could not run: {e}"})
+
+    # --- Step 6: AI assistant detection + permission auto-config (LED-269) ---
+    perm_result = activate_auto_permissions(auto_permissions)
+    checklist.append(perm_result)
+
+    # --- Step 7: Premium feature checks (skip on free tier) ---
+    premium_checks = [
+        ("Deliberation (multi-model)", "delimit_deliberate"),
+        ("Security audit", "delimit_security_ingest"),
+        ("Deploy pipeline", "delimit_deploy_plan"),
+        ("Cost analysis", "delimit_cost_analyze"),
+        ("Release management", "delimit_release_plan"),
+        ("Agent orchestration", "delimit_agent_dispatch"),
+    ]
+    for label, tool_name in premium_checks:
+        gate = require_premium(tool_name)
+        if gate is None:
+            checklist.append({"item": label, "status": "Pass", "detail": "Pro feature unlocked"})
+        else:
+            checklist.append({"item": label, "status": "Skip (Pro)", "detail": "Requires Delimit Pro"})
+
+    # --- Score: only count applicable checks (exclude skips) ---
+    applicable = [c for c in checklist if not c["status"].startswith("Skip")]
+    passed_total = sum(1 for c in applicable if c["status"] == "Pass")
+    total = len(applicable)
+    score = f"{passed_total}/{total}"
+
+    result: Dict[str, Any] = {
+        "tool": "activate",
+        "status": "complete",
+        "score": score,
+        "passed": passed_total,
+        "total": total,
+        "skipped": len(checklist) - total,
+        "checklist": checklist,
+        "tier": get_license().get("tier", "free"),
+        "project": str(p),
+    }
+    if passed_total == total and total > 0:
+        result["message"] = f"All {total} checks passed. Delimit is fully operational."
+    elif passed_total < total:
+        failed_items = [c["item"] for c in applicable if c["status"] == "Fail"]
+        result["message"] = f"{passed_total}/{total} checks passed. Fix: {', '.join(failed_items)}"
+
+    return result

package/gateway/ai/content_engine.py

@@ -1,7 +1,2 @@
-"""content_engine — Pro feature. Runs server-side.
-
-This module requires the Delimit MCP server to be running.
-Configure via: npx delimit-cli setup
-"""
-
-# Stub — full implementation runs server-side
+# content_engine — Pro module (stubbed in npm package)
+# Full implementation available on delimit.ai server

package/gateway/ai/key_resolver.py

@@ -1,7 +1,2 @@
-"""key_resolver — Pro feature. Runs server-side.
-
-This module requires the Delimit MCP server to be running.
-Configure via: npx delimit-cli setup
-"""
-
-# Stub — full implementation runs server-side
+# key_resolver — Pro module (stubbed in npm package)
+# Full implementation available on delimit.ai server

package/gateway/ai/notify.py

@@ -37,7 +37,7 @@ INBOX_ROUTING_FILE = Path.home() / ".delimit" / "inbox_routing.jsonl"
 IMAP_HOST = "mail.spacemail.com"
 IMAP_PORT = 993
 IMAP_USER = "pro@delimit.ai"
-FORWARD_TO = "configured-email@example.com"
+FORWARD_TO = "owner@example.com"
 
 # Domains/senders whose emails require owner action
 OWNER_ACTION_DOMAINS = {
@@ -61,7 +61,7 @@ OWNER_ACTION_DOMAINS = {
 }
 
 OWNER_ACTION_SENDERS = {
-    "configured-email@example.com",
+    "owner@example.com",
 }
 
 # Subject patterns that indicate owner-action (compiled once)
@@ -223,7 +223,7 @@ def send_email(
 
     Args:
         to: Recipient email address. Falls back to DELIMIT_SMTP_TO or
-            configured-email@example.com.
+            owner@example.com.
         subject: Email subject line.
         body: Email body text (preferred). Falls back to 'message' for
             backward compatibility.
@@ -258,7 +258,7 @@ def send_email(
         smtp_pass = os.environ.get("DELIMIT_SMTP_PASS", "")
         smtp_from = os.environ.get("DELIMIT_SMTP_FROM", "")
 
-    smtp_to = to or os.environ.get("DELIMIT_SMTP_TO", "configured-email@example.com")
+    smtp_to = to or os.environ.get("DELIMIT_SMTP_TO", "owner@example.com")
 
     if not all([smtp_host, smtp_from, smtp_to]):
         record = {

package/gateway/ai/secrets_broker.py

@@ -1,7 +1,235 @@
-"""secrets_broker — Pro feature. Runs server-side.
+"""Secrets broker — JIT credential access with audit (STR-049).
 
-This module requires the Delimit MCP server to be running.
-Configure via: npx delimit-cli setup
+Agents request credentials through this broker instead of accessing API keys
+directly. The broker validates scope, issues time-limited access, and logs
+every request in the audit trail.
 """
+import json
+import os
+import base64
+from pathlib import Path
+from datetime import datetime, timezone
+from typing import Dict, List, Optional
 
-# Stub — full implementation runs server-side
+SECRETS_DIR = Path.home() / ".delimit" / "secrets"
+
+
+def store_secret(
+    name: str,
+    value: str,
+    scope: str = "all",
+    description: str = "",
+    created_by: str = "",
+) -> Dict:
+    """Store a secret locally.
+
+    Args:
+        name: Unique identifier for the secret.
+        value: The secret value (will be base64-encoded at rest).
+        scope: Comma-separated list of tools/agents allowed access, or 'all'.
+        description: Human-readable description.
+        created_by: Identity of the creator.
+
+    Returns:
+        Confirmation dict with the stored secret name.
+    """
+    if not name or not name.strip():
+        return {"error": "Secret name is required"}
+    if not value:
+        return {"error": "Secret value is required"}
+
+    # Sanitise name for filesystem safety
+    safe_name = name.strip().replace("/", "_").replace("\\", "_")
+
+    SECRETS_DIR.mkdir(parents=True, exist_ok=True)
+    encoded = base64.b64encode(value.encode()).decode()
+    secret = {
+        "name": safe_name,
+        "encrypted_value": encoded,
+        "scope": scope,
+        "description": description,
+        "created_by": created_by,
+        "created_at": datetime.now(timezone.utc).isoformat(),
+        "last_accessed_at": None,
+        "access_count": 0,
+        "revoked": False,
+    }
+    (SECRETS_DIR / f"{safe_name}.json").write_text(json.dumps(secret, indent=2))
+    return {"stored": safe_name}
+
+
+def get_secret(
+    name: str,
+    agent_type: str = "",
+    tool: str = "",
+) -> Dict:
+    """Request access to a secret. Returns value if authorised.
+
+    Args:
+        name: The secret name to retrieve.
+        agent_type: Identity of the requesting agent (e.g. 'claude', 'codex').
+        tool: Which MCP tool is requesting access.
+
+    Returns:
+        Dict with 'value' and 'granted': True on success, or 'error' and
+        'granted': False on failure.
+    """
+    safe_name = name.strip().replace("/", "_").replace("\\", "_")
+    path = SECRETS_DIR / f"{safe_name}.json"
+    if not path.exists():
+        _log_access(safe_name, agent_type, tool, granted=False, reason="not_found")
+        return {"error": f"Secret '{safe_name}' not found", "granted": False}
+
+    secret = json.loads(path.read_text())
+
+    if secret.get("revoked"):
+        _log_access(safe_name, agent_type, tool, granted=False, reason="revoked")
+        return {"error": f"Secret '{safe_name}' has been revoked", "granted": False}
+
+    # Scope check — 'all' allows any requester, otherwise match tool or agent_type
+    scope = secret.get("scope", "all")
+    if scope != "all":
+        allowed = {s.strip().lower() for s in scope.split(",")}
+        requester_ids = {agent_type.lower(), tool.lower()} - {""}
+        if requester_ids and not requester_ids & allowed:
+            _log_access(
+                safe_name, agent_type, tool,
+                granted=False,
+                reason=f"scope_denied: required={scope}, got agent_type={agent_type}, tool={tool}",
+            )
+            return {
+                "error": f"Access denied: scope '{scope}' does not include '{agent_type or tool}'",
+                "granted": False,
+            }
+
+    # Log successful access
+    _log_access(safe_name, agent_type, tool, granted=True, reason="")
+
+    # Update access metadata
+    secret["access_count"] = secret.get("access_count", 0) + 1
+    secret["last_accessed_at"] = datetime.now(timezone.utc).isoformat()
+    path.write_text(json.dumps(secret, indent=2))
+
+    value = base64.b64decode(secret["encrypted_value"]).decode()
+    return {"value": value, "granted": True, "name": safe_name}
+
+
+def list_secrets() -> List[Dict]:
+    """List all secrets (metadata only, never values).
+
+    Returns:
+        List of dicts with name, scope, description, access_count, etc.
+    """
+    if not SECRETS_DIR.exists():
+        return []
+    secrets = []
+    for f in sorted(SECRETS_DIR.glob("*.json")):
+        try:
+            s = json.loads(f.read_text())
+            secrets.append({
+                "name": s["name"],
+                "scope": s.get("scope", "all"),
+                "description": s.get("description", ""),
+                "created_by": s.get("created_by", ""),
+                "access_count": s.get("access_count", 0),
+                "last_accessed_at": s.get("last_accessed_at"),
+                "revoked": s.get("revoked", False),
+                "created_at": s.get("created_at", ""),
+            })
+        except (json.JSONDecodeError, KeyError):
+            pass
+    return secrets
+
+
+def revoke_secret(name: str) -> Dict:
+    """Revoke a secret, preventing future access.
+
+    Args:
+        name: The secret name to revoke.
+
+    Returns:
+        Confirmation dict or error.
+    """
+    safe_name = name.strip().replace("/", "_").replace("\\", "_")
+    path = SECRETS_DIR / f"{safe_name}.json"
+    if not path.exists():
+        return {"error": f"Secret '{safe_name}' not found"}
+    secret = json.loads(path.read_text())
+    secret["revoked"] = True
+    secret["revoked_at"] = datetime.now(timezone.utc).isoformat()
+    path.write_text(json.dumps(secret, indent=2))
+    _log_access(safe_name, "", "", granted=True, reason="revoked_by_user")
+    return {"revoked": safe_name}
+
+
+def get_access_log(name: Optional[str] = None) -> List[Dict]:
+    """Return access log entries, optionally filtered by secret name.
+
+    Args:
+        name: If provided, only return entries for this secret.
+
+    Returns:
+        List of access log entries (newest first).
+    """
+    log_path = SECRETS_DIR / "access_log" / "log.jsonl"
+    if not log_path.exists():
+        return []
+    entries = []
+    for line in log_path.read_text().strip().split("\n"):
+        if not line.strip():
+            continue
+        try:
+            entry = json.loads(line)
+            if name and entry.get("secret_name") != name:
+                continue
+            entries.append(entry)
+        except json.JSONDecodeError:
+            pass
+    # Newest first
+    entries.reverse()
+    return entries
+
+
+def delete_secret(name: str) -> Dict:
+    """Permanently delete a secret file.
+
+    Args:
+        name: The secret name to delete.
+
+    Returns:
+        Confirmation dict or error.
+    """
+    safe_name = name.strip().replace("/", "_").replace("\\", "_")
+    path = SECRETS_DIR / f"{safe_name}.json"
+    if not path.exists():
+        return {"error": f"Secret '{safe_name}' not found"}
+    path.unlink()
+    _log_access(safe_name, "", "", granted=True, reason="deleted_by_user")
+    return {"deleted": safe_name}
+
+
+# ---------------------------------------------------------------------------
+# Internal helpers
+# ---------------------------------------------------------------------------
+
+
+def _log_access(
+    secret_name: str,
+    agent_type: str,
+    tool: str,
+    granted: bool,
+    reason: str,
+) -> None:
+    """Append an entry to the JSONL access log."""
+    log_dir = SECRETS_DIR / "access_log"
+    log_dir.mkdir(parents=True, exist_ok=True)
+    entry = {
+        "secret_name": secret_name,
+        "agent_type": agent_type,
+        "tool": tool,
+        "ts": datetime.now(timezone.utc).isoformat(),
+        "granted": granted,
+        "reason": reason,
+    }
+    with open(log_dir / "log.jsonl", "a") as f:
+        f.write(json.dumps(entry) + "\n")

package/gateway/ai/server.py

@@ -3697,6 +3697,14 @@ def delimit_swarm(action: str = "status", venture: str = "",
         return _with_next_steps("swarm", _safe_call(
             check_docs_freshness, project_path=repo_path or ".",
         ))
+    if action == "create_tool":
+        from ai.swarm import create_tool
+        return _with_next_steps("swarm", _safe_call(
+            create_tool, name=target_path, code=repo_path, venture=venture, agent_id=agent_id,
+        ))
+    if action == "list_tools":
+        from ai.swarm import list_custom_tools
+        return _with_next_steps("swarm", _safe_call(list_custom_tools, venture=venture))
     return _with_next_steps("swarm", _safe_call(get_swarm_status))
 
 
@@ -5692,14 +5700,7 @@ def delimit_social_post(text: str = "", category: str = "", platform: str = "twi
     Every post provides value — tips, insights, governance wisdom.
     Max 2 posts per day to stay authentic.
 
-    IMPORTANT — Platform tone rules (these are DIFFERENT per platform):
-    - Twitter: confident technical brand. Direct, professional, ALWAYS POSITIVE.
-      Celebrate wins and progress. Never complain or air gaps publicly.
-      No em dashes or en dashes. Include install commands when relevant.
-    - Reddit: proud builder posting as u/delimitdev. Casual, typed-on-phone energy.
-      ALWAYS POSITIVE. Mention Delimit ONLY when genuinely helpful.
-      NO bullet points/lists/bold/em dashes. 2-3 sentences max.
-    - LinkedIn: professional hook + insight + CTA
+    Platform tone and posting guidelines are loaded from user config at runtime.
 
     Args:
         text: Tweet text. Leave empty to auto-generate.
@@ -5736,7 +5737,7 @@ def delimit_social_post(text: str = "", category: str = "", platform: str = "twi
         from ai.social import store_draft_message_id
 
         # Build contextual email body so the founder knows exactly what to do
-        _acct = account or ("delimitdev" if platform == "reddit" else "delimit_ai")
+        _acct = account or os.environ.get("DELIMIT_SOCIAL_REDDIT_ACCOUNT", "delimit") if platform == "reddit" else account or os.environ.get("DELIMIT_SOCIAL_TWITTER_ACCOUNT", "delimit_ai")
         _lines = []
 
         if platform == "reddit":
@@ -6513,7 +6514,7 @@ def delimit_notify(channel: str = "webhook", message: str = "",
         to: Recipient email address (email only). Overrides default DELIMIT_SMTP_TO.
             Send to any address — leave empty for default (owner@example.com).
         from_account: Sender account key from ~/.delimit/secrets/smtp-all.json
-            (e.g. 'pro@example.com', 'admin@example.com'). Email only.
+            (e.g. 'pro@delimit.ai', 'admin@wire.report'). Email only.
     """
     from ai.notify import send_notification
     return _with_next_steps("notify", _safe_call(

package/gateway/ai/supabase_sync.py

@@ -1,7 +1,2 @@
-"""supabase_sync — Pro feature. Runs server-side.
-
-This module requires the Delimit MCP server to be running.
-Configure via: npx delimit-cli setup
-"""
-
-# Stub — full implementation runs server-side
+# supabase_sync — Pro module (stubbed in npm package)
+# Full implementation available on delimit.ai server

package/gateway/ai/swarm.py

@@ -590,3 +590,109 @@ def check_docs_freshness(
         "stale": stale,
         "message": f"{len(findings)} doc issue(s) found" if findings else "Documentation is up to date",
     }
+
+
+# ═══════════════════════════════════════════════════════════════════════
+#  LED-279: Self-Extending Swarm — Founder Mode
+#  Agents can create new MCP tools when authorized
+# ═══════════════════════════════════════════════════════════════════════
+
+TOOLS_DIR = Path.home() / ".delimit" / "swarm" / "custom_tools"
+
+
+def create_tool(
+    name: str,
+    code: str,
+    venture: str,
+    agent_id: str = "",
+    description: str = "",
+) -> Dict[str, Any]:
+    """Create a new MCP tool (founder mode only).
+
+    Writes a Python module that can be loaded by the MCP server.
+    Requires reviewer approval before activation.
+    """
+    if not name or not code:
+        return {"error": "name and code are required"}
+
+    # Verify agent has creation authority
+    registry = _load_registry()
+    agent = registry["agents"].get(agent_id, {})
+    role = agent.get("role", "")
+    if role not in ("architect", "senior_dev"):
+        return {
+            "error": f"Role '{role}' cannot create tools. Only architect and senior_dev have creation authority.",
+            "agent_id": agent_id,
+        }
+
+    # Verify venture namespace
+    if agent.get("venture", "") != venture:
+        return {"error": f"Agent '{agent_id}' cannot create tools for venture '{venture}'"}
+
+    # Security scan — check for dangerous patterns
+    dangerous = [
+        "subprocess.call", "os.system", "exec(", "eval(",
+        "import socket", "import http.server",
+        "__import__", "compile(",
+    ]
+    for pattern in dangerous:
+        if pattern in code:
+            return {
+                "error": f"Security violation: '{pattern}' is not allowed in custom tools",
+                "blocked_pattern": pattern,
+            }
+
+    # Write tool module
+    TOOLS_DIR.mkdir(parents=True, exist_ok=True)
+    venture_dir = TOOLS_DIR / venture
+    venture_dir.mkdir(parents=True, exist_ok=True)
+
+    safe_name = name.lower().replace("-", "_").replace(" ", "_")
+    tool_path = venture_dir / f"{safe_name}.py"
+    tool_path.write_text(code)
+
+    # Log creation
+    _log({
+        "action": "tool_created",
+        "tool_name": safe_name,
+        "venture": venture,
+        "agent_id": agent_id,
+        "path": str(tool_path),
+        "lines": len(code.split("\n")),
+        "status": "pending_review",
+    })
+
+    return {
+        "status": "created",
+        "tool_name": safe_name,
+        "path": str(tool_path),
+        "venture": venture,
+        "created_by": agent_id,
+        "lines": len(code.split("\n")),
+        "next_step": "Reviewer agent must approve before tool is activated",
+        "message": f"Tool '{safe_name}' created for {venture}. Pending reviewer approval.",
+    }
+
+
+def list_custom_tools(venture: str = "") -> Dict[str, Any]:
+    """List custom tools created by agents."""
+    TOOLS_DIR.mkdir(parents=True, exist_ok=True)
+    tools = []
+
+    search_dirs = [TOOLS_DIR / venture] if venture else list(TOOLS_DIR.iterdir())
+    for d in search_dirs:
+        if d.is_dir():
+            for f in sorted(d.glob("*.py")):
+                tools.append({
+                    "name": f.stem,
+                    "venture": d.name,
+                    "path": str(f),
+                    "lines": len(f.read_text().split("\n")),
+                })
+
+    return {
+        "status": "ok",
+        "tools": tools,
+        "total": len(tools),
+        "venture_filter": venture or "all",
+    }

package/gateway/ai/tool_metadata.py

@@ -14,7 +14,35 @@ Reference: Consensus 118/119/120 — Tool Segmentation Architecture.
 
 from typing import Dict, Literal
 
-Tier = Literal["public", "ops_pack", "internal", "experimental"]
+Tier = Literal["core", "public", "ops_pack", "internal", "experimental"]
+
+# ─────────────────────────────────────────────────────────────────────
+#  CORE WORKFLOWS — the 5 outcomes first users should see
+#
+#  1. Govern: catch breaking changes before deploy
+#  2. Remember: persistent memory across models and sessions
+#  3. Handoff: switch models without losing context
+#  4. Lint: validate API specs for drift
+#  5. Track: ledger for tasks that survive context resets
+#
+#  Per consensus (STR-040): sell 5 workflows, not 162 tools
+# ─────────────────────────────────────────────────────────────────────
+
+CORE_TOOLS = {
+    # Govern
+    "delimit_lint", "delimit_scan", "delimit_gov_health", "delimit_drift_check",
+    # Remember
+    "delimit_memory_store", "delimit_memory_search", "delimit_memory_recent",
+    # Handoff
+    "delimit_session_handoff", "delimit_session_history",
+    # Lint + Diff
+    "delimit_diff", "delimit_semver", "delimit_explain",
+    # Track
+    "delimit_ledger_context", "delimit_ledger_add", "delimit_ledger_done",
+    "delimit_ledger_list", "delimit_ledger_update",
+    # Setup
+    "delimit_init", "delimit_scan", "delimit_version", "delimit_help",
+}
 
 # ─────────────────────────────────────────────────────────────────────
 #  TOOL_TIERS: canonical tier assignment for every registered tool.
@@ -31,12 +59,12 @@ Tier = Literal["public", "ops_pack", "internal", "experimental"]
 # ─────────────────────────────────────────────────────────────────────
 
 TOOL_TIERS: Dict[str, Tier] = {
-    # === Govern domain (all public) ===
-    "delimit_lint": "public",
-    "delimit_diff": "public",
+    # === Govern domain ===
+    "delimit_lint": "core",
+    "delimit_diff": "core",
     "delimit_policy": "public",
-    "delimit_semver": "public",
-    "delimit_explain": "public",
+    "delimit_semver": "core",
+    "delimit_explain": "core",
     "delimit_zero_spec": "public",
     "delimit_init": "public",
     "delimit_gov_health": "public",

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "delimit-cli",
   "mcpName": "io.github.delimit-ai/delimit-mcp-server",
-  "version": "3.15.12",
+  "version": "3.15.14",
   "description": "Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, governance, and multi-model debate.",
   "main": "index.js",
   "files": [
@@ -14,6 +14,12 @@
     "!gateway/ai/founding_users.py",
     "!gateway/ai/inbox_daemon.py",
     "!gateway/ai/deliberation.py",
+    "!gateway/ai/reddit_scanner.py",
+    "!gateway/ai/github_scanner.py",
+    "!gateway/ai/cross_model_audit.py",
+    "!gateway/ai/session_phoenix.py",
+    "!gateway/ai/handoff_receipts.py",
+    "!gateway/ai/toolcard_cache.py",
     "scripts/",
     "server.json",
     "README.md",

package/scripts/security-check.sh

@@ -25,7 +25,7 @@ fi
 
 # 2. Blocklist terms
 echo -n "  Blocklist... "
-BLOCKLIST="jamsonsholdings|Bladabah|Domainvested26|Delimit26|home/jamsons|infracore|crypttrx|\.wr_env"
+BLOCKLIST="jamsonsholdings|Bladabah|Domainvested26|Delimit26|home/jamsons|infracore|crypttrx|\.wr_env|delimitdev|typed-on-phone|em dash.*ai tell|PAIN_CATEGORIES|VENTURE_CONFIG|VENTURE_SUBREDDITS|karma_building"
 if grep -rEi "$BLOCKLIST" "$TMPDIR/package/" --include="*.py" --include="*.js" --include="*.json" 2>/dev/null; then
     echo "❌ BLOCKED TERMS FOUND"
     FAIL=1
@@ -44,7 +44,7 @@ fi
 
 # 4. Proprietary files that shouldn't ship
 echo -n "  Proprietary files... "
-PROPRIETARY="social_target\.py|social\.py|founding_users\.py|inbox_daemon\.py|deliberation\.py"
+PROPRIETARY="social_target\.py|social\.py|founding_users\.py|inbox_daemon\.py|deliberation\.py|reddit_scanner\.py|github_scanner\.py|cross_model_audit\.py|session_phoenix\.py|handoff_receipts\.py|toolcard_cache\.py"
 if find "$TMPDIR/package/" -name "*.py" | grep -Ei "$PROPRIETARY" 2>/dev/null; then
     echo "❌ PROPRIETARY FILES IN PACKAGE"
     FAIL=1