delimit-cli 3.15.14 → 4.0.0

package/gateway/ai/license_core.py

@@ -5,6 +5,7 @@ This module is distributed as a native binary (.so/.pyd), not readable Python.
 """
 import hashlib
 import json
+import os
 import time
 from pathlib import Path
 
@@ -166,7 +167,7 @@ def activate(key: str) -> dict:
 def _revalidate(data: dict) -> dict:
     """Re-validate against Lemon Squeezy."""
     key = data.get("key", "")
-    if not key or key.startswith("JAMSONS"):
+    if not key or key.startswith(os.environ.get("DELIMIT_INTERNAL_KEY_PREFIX", "")):
         return {"valid": True}
     try:
         import urllib.request

package/gateway/ai/notify.py

@@ -34,10 +34,10 @@ HISTORY_FILE = Path.home() / ".delimit" / "notifications.jsonl"
 INBOX_ROUTING_FILE = Path.home() / ".delimit" / "inbox_routing.jsonl"
 
 # ── Inbound email configuration ──────────────────────────────────────
-IMAP_HOST = "mail.spacemail.com"
-IMAP_PORT = 993
-IMAP_USER = "pro@delimit.ai"
-FORWARD_TO = "owner@example.com"
+IMAP_HOST = os.environ.get("DELIMIT_IMAP_HOST", "")
+IMAP_PORT = int(os.environ.get("DELIMIT_IMAP_PORT", "993"))
+IMAP_USER = os.environ.get("DELIMIT_IMAP_USER", "")
+FORWARD_TO = os.environ.get("DELIMIT_FORWARD_TO", "")
 
 # Domains/senders whose emails require owner action
 OWNER_ACTION_DOMAINS = {
@@ -60,9 +60,9 @@ OWNER_ACTION_DOMAINS = {
     "digitalocean.com",
 }
 
-OWNER_ACTION_SENDERS = {
-    "owner@example.com",
-}
+OWNER_ACTION_SENDERS = set(
+    filter(None, [os.environ.get("DELIMIT_OWNER_EMAIL", "")])
+)
 
 # Subject patterns that indicate owner-action (compiled once)
 import re as _re
@@ -258,7 +258,7 @@ def send_email(
         smtp_pass = os.environ.get("DELIMIT_SMTP_PASS", "")
         smtp_from = os.environ.get("DELIMIT_SMTP_FROM", "")
 
-    smtp_to = to or os.environ.get("DELIMIT_SMTP_TO", "owner@example.com")
+    smtp_to = to or os.environ.get("DELIMIT_SMTP_TO", "")
 
     if not all([smtp_host, smtp_from, smtp_to]):
         record = {

package/gateway/ai/server.py

@@ -19,9 +19,8 @@ All tools follow the Adapter Boundary Contract v1.0:
 - Stateless between calls
 """
 
-# ── Founder Voice Doctrine ──────────────────────────────────────────────
+# ── Output Quality Rules ──────────────────────────────────────────────
 # Applies to ALL outward-facing text generated by any tool in this server.
-# Full doctrine: /home/delimit/delimit-private/style/FOUNDER_VOICE_DOCTRINE.md
 #
 # Core: serious builder/operator, not a marketer. Credibility over persuasion.
 # Truth over excitement. Concrete mechanisms, not vague benefits.
@@ -3438,7 +3437,7 @@ async def delimit_sensor_github_issue(
     with new comments, issue state, and severity classification.
 
     Args:
-        repo: GitHub repository in owner/repo format (e.g. "activepieces/activepieces").
+        repo: GitHub repository in owner/repo format (e.g. "owner/repo").
         issue_number: The issue number to monitor.
         since_comment_id: Last seen comment ID. Pass 0 to get all comments.
     """
@@ -6080,12 +6079,12 @@ def delimit_github_scan(
 
     Three cadences:
       pulse: Own repo health (stars, forks, issues, traffic). Fast, run often.
-      hunter: Competitor users, adoption leads, pain threads. Medium, run hourly.
+      hunter: Repository signals, engagement threads. Medium, run hourly.
       deep: Full ecosystem intel. Slow, run daily.
 
     IMPORTANT -- TOOL CHAINING RULE:
     After scanning, the AI MUST process high-score findings:
-    1. Auto-ledger items (score >= 75 competitor users) via delimit_ledger_add
+    1. Auto-ledger high-score findings via delimit_ledger_add
     2. Pain threads with existing_feature relevance via delimit_notify
     Never just return findings and stop. Always chain to the next action.
 
@@ -6514,7 +6513,7 @@ def delimit_notify(channel: str = "webhook", message: str = "",
         to: Recipient email address (email only). Overrides default DELIMIT_SMTP_TO.
             Send to any address — leave empty for default (owner@example.com).
         from_account: Sender account key from ~/.delimit/secrets/smtp-all.json
-            (e.g. 'pro@delimit.ai', 'admin@wire.report'). Email only.
+            (e.g. 'notifications@example.com'). Email only.
     """
     from ai.notify import send_notification
     return _with_next_steps("notify", _safe_call(

package/gateway/ai/swarm.py

@@ -39,7 +39,7 @@ DEFAULT_ROSTER = {
         "fallback_model": "codex-gpt-5.4",
     },
     "ops": {
-        "role": "Strategy, Deliberation, Outreach, Competitive Intel",
+        "role": "Strategy, Deliberation, Community, Analysis",
         "default_model": "grok-4",
         "fallback_model": "gemini-3.1-pro-preview",
     },
@@ -274,7 +274,7 @@ APPROVAL_TIERS = {
     "deploy_staging": "auto_approved",
     "social_post": "founder_email",
     "social_low_risk": "auto_after_consensus",
-    "outreach_issue": "founder_email",
+    "community_issue": "founder_email",
     "ledger_update": "auto_approved",
     "code_commit": "auto_approved",
     "security_audit": "auto_approved",

package/gateway/core/contract_ledger.py

@@ -3,7 +3,7 @@ Delimit Contract Ledger
 Reads, validates, and queries the append-only JSONL event ledger.
 Optional SQLite index for fast lookups (never required for CI).
 
-Per Jamsons Doctrine:
+Per Delimit Stability Contract:
 - Deterministic outputs
 - Append-only artifacts
 - SQLite index is optional, not required for CI

package/gateway/core/dependency_graph.py

@@ -5,7 +5,7 @@ Constructs a deterministic service dependency graph from manifests.
 The graph maps each API/service to its downstream consumers,
 enabling impact analysis when an API contract changes.
 
-Per Jamsons Doctrine:
+Per Delimit Stability Contract:
 - Deterministic outputs (sorted, reproducible)
 - No telemetry
 - Graceful degradation when manifests are missing

package/gateway/core/dependency_manifest.py

@@ -2,7 +2,7 @@
 Delimit Dependency Manifest
 Parses and validates .delimit/dependencies.yaml service dependency declarations.
 
-Per Jamsons Doctrine:
+Per Delimit Stability Contract:
 - Deterministic outputs
 - No credential discovery
 - No telemetry

package/gateway/core/event_backbone.py

@@ -3,7 +3,7 @@ Delimit Event Backbone
 Constructs ledger events, generates SHA-256 hashes, links hash chains,
 and appends to the append-only JSONL ledger.
 
-Per Jamsons Doctrine:
+Per Delimit Stability Contract:
 - Deterministic outputs
 - Append-only artifacts
 - Fail-closed CI behavior (ledger failures never affect CI)
@@ -199,7 +199,7 @@ class EventBackbone:
         This is the primary API for event generation. It is best-effort:
         if the ledger write fails, the event is still returned but not persisted.
 
-        CRITICAL: This method NEVER raises exceptions. Per Jamsons Doctrine,
+        CRITICAL: This method NEVER raises exceptions. Per Delimit Stability Contract,
         ledger failures must not affect CI pass/fail outcome.
 
         Returns:

package/gateway/core/event_schema.py

@@ -1,7 +1,7 @@
 """
 Delimit Event Schema
 Canonical event schema for API contract evolution tracking.
-Deterministic validation and serialization per Jamsons Doctrine.
+Deterministic validation and serialization per Delimit Stability Contract.
 """
 
 import hashlib

package/gateway/core/impact_analyzer.py

@@ -3,7 +3,7 @@ Delimit Impact Analyzer
 Determines downstream consumers affected by an API change
 and produces informational impact summaries for CI output.
 
-Per Jamsons Doctrine:
+Per Delimit Stability Contract:
 - Impact analysis is INFORMATIONAL ONLY
 - NEVER affects CI pass/fail outcome
 - Deterministic outputs

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "delimit-cli",
   "mcpName": "io.github.delimit-ai/delimit-mcp-server",
-  "version": "3.15.14",
+  "version": "4.0.0",
   "description": "Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, governance, and multi-model debate.",
   "main": "index.js",
   "files": [

package/scripts/security-check.sh

@@ -42,7 +42,15 @@ else
     echo "✅ clean"
 fi
 
-# 4. Proprietary files that shouldn't ship
+# 4. Internal ticket IDs
+echo -n "  Internal ticket IDs... "
+if grep -rE "LED-[0-9]{3}|STR-[0-9]{3}" "$TMPDIR/package/" --include="*.py" --include="*.js" 2>/dev/null | grep -v "node_modules" | head -1; then
+    echo "  WARNING: Internal ticket IDs found (cosmetic, not blocking)"
+else
+    echo "clean"
+fi
+
+# 5. Proprietary files that shouldn't ship
 echo -n "  Proprietary files... "
 PROPRIETARY="social_target\.py|social\.py|founding_users\.py|inbox_daemon\.py|deliberation\.py|reddit_scanner\.py|github_scanner\.py|cross_model_audit\.py|session_phoenix\.py|handoff_receipts\.py|toolcard_cache\.py"
 if find "$TMPDIR/package/" -name "*.py" | grep -Ei "$PROPRIETARY" 2>/dev/null; then
@@ -52,15 +60,51 @@ else
     echo "✅ clean"
 fi
 
-# Cleanup
+# Cleanup npm tarball
 rm -rf "$TMPDIR"
 
+# ── PyPI dist scan (if dist/ exists) ─────────────────────────────────
+PYPI_DIST="/home/delimit/delimit-gateway/dist"
+if [ -d "$PYPI_DIST" ] && ls "$PYPI_DIST"/*.tar.gz 1>/dev/null 2>&1; then
+    echo ""
+    echo "PyPI dist scan..."
+    PYPI_TMPDIR=$(mktemp -d)
+    PYPI_TARBALL=$(ls -t "$PYPI_DIST"/*.tar.gz | head -1)
+    tar -xzf "$PYPI_TARBALL" -C "$PYPI_TMPDIR" 2>/dev/null
+
+    echo -n "  Credentials... "
+    if grep -rEi '(password|passwd|secret|api_key|apikey)\s*[:=]\s*["\x27][^"\x27]{4,}' "$PYPI_TMPDIR/" --include="*.py" 2>/dev/null | grep -v 'environ\|getenv\|os\.environ\|<configured\|example\|placeholder\|REDACTED'; then
+        echo "FOUND CREDENTIALS IN PYPI DIST"
+        FAIL=1
+    else
+        echo "clean"
+    fi
+
+    echo -n "  Blocklist... "
+    if grep -rEi "$BLOCKLIST" "$PYPI_TMPDIR/" --include="*.py" 2>/dev/null; then
+        echo "BLOCKED TERMS IN PYPI DIST"
+        FAIL=1
+    else
+        echo "clean"
+    fi
+
+    echo -n "  PII... "
+    if grep -rEi '[a-z0-9._%+-]+@(gmail|yahoo|hotmail|outlook|proton|jamsons|wire\.report|domainvested)' "$PYPI_TMPDIR/" --include="*.py" 2>/dev/null | grep -v "example\|placeholder\|<configured\|noreply\|e\.g\.\|docstring"; then
+        echo "PII IN PYPI DIST"
+        FAIL=1
+    else
+        echo "clean"
+    fi
+
+    rm -rf "$PYPI_TMPDIR"
+fi
+
 if [ $FAIL -ne 0 ]; then
     echo ""
-    echo "❌ SECURITY CHECK FAILED — do not publish"
+    echo "SECURITY CHECK FAILED -- do not publish"
     exit 1
 fi
 
 echo ""
-echo "✅ All security checks passed"
+echo "All security checks passed"
 exit 0