delimit-cli 3.6.2 → 3.6.4

package/README.md

@@ -1,60 +1,155 @@
-# delimit
+# Delimit
 
-Your AI Remembers. Verifies. Ships.
+Catch breaking API changes before they reach production.
 
 [![npm](https://img.shields.io/npm/v/delimit-cli)](https://www.npmjs.com/package/delimit-cli)
+[![GitHub Action](https://img.shields.io/badge/GitHub%20Action-v1.4.0-blue)](https://github.com/marketplace/actions/delimit-api-governance)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 
-Governance layer for AI coding assistants. Your AI verifies its own work -- confirms tests ran, catches breaking API changes, audits security, and enforces policies. Works with Claude Code, Codex, and Cursor.
+Delimit diffs your OpenAPI spec on every pull request. Breaking changes get flagged, semver gets classified, and your team gets a migration guide — automatically.
 
-## Install
+---
+
+## GitHub Action
+
+Add to any repo with an OpenAPI spec:
+
+```yaml
+name: API Contract Check
+on: pull_request
+
+jobs:
+  delimit:
+    runs-on: ubuntu-latest
+    permissions:
+      pull-requests: write
+    steps:
+      - uses: actions/checkout@v4
+        with:
+          fetch-depth: 0
+      - uses: delimit-ai/delimit-action@v1
+        with:
+          spec: api/openapi.yaml
+```
+
+That's it. Delimit auto-fetches the base branch spec, diffs it, and posts a PR comment with:
+
+- Breaking changes with severity badges
+- Semver classification (major/minor/patch)
+- Step-by-step migration guide
+- Policy violations
+
+[View on GitHub Marketplace →](https://github.com/marketplace/actions/delimit-api-governance)
+
+### Example PR comment
+
+> **Breaking Changes Detected**
+>
+> | Change | Path | Severity |
+> |--------|------|----------|
+> | endpoint_removed | `DELETE /pets/{petId}` | error |
+> | type_changed | `/pets:GET:200[].id` (string → integer) | warning |
+> | enum_value_removed | `/pets:GET:200[].status` | warning |
+>
+> **Semver**: MAJOR (1.0.0 → 2.0.0)
+>
+> **Migration Guide**: 3 steps to update your integration
+
+---
+
+## CLI + MCP Toolkit
+
+Governance tools for AI coding assistants (Claude Code, Codex, Cursor, Gemini CLI):
 
 ```bash
 npx delimit-cli setup
 ```
 
-10 seconds. No API keys. No account. Installs into your existing AI coding assistant.
+No API keys. No account. Installs in 10 seconds.
 
-## What it does
+### CLI commands
 
-Your AI agent gains the ability to verify its own work:
+```bash
+npx delimit-cli lint api/openapi.yaml           # Check for breaking changes
+npx delimit-cli diff old.yaml new.yaml           # Compare two specs
+npx delimit-cli explain old.yaml new.yaml        # Generate migration guide
+npx delimit-cli init --preset strict             # Initialize policies
+npx delimit-cli doctor                           # Check setup health
+```
+
+### What the MCP toolkit adds
 
+When installed into your AI coding assistant, Delimit provides:
+
+- **API governance** -- lint, diff, policy enforcement, semver classification
 - **Test verification** -- confirms tests actually ran, measures coverage
-- **Security audit** -- scans dependencies, detects hardcoded secrets and anti-patterns
-- **API governance** -- catches breaking changes in OpenAPI specs before they ship
-- **Repo analysis** -- code quality, health checks, config validation
-- **Deploy tracking** -- plan, build, publish, verify, rollback
-- **Multi-model consensus** -- multiple AI models deliberate on strategic decisions
+- **Security audit** -- scans dependencies, detects secrets and anti-patterns
+- **Persistent ledger** -- tracks tasks across sessions, auto-creates items from governance
+- **Multi-model consensus** -- Grok, Gemini, and Codex debate until they agree
+- **Zero-spec extraction** -- generate OpenAPI specs from FastAPI, Express, or NestJS source
+
+---
+
+## What it catches
 
-## Real examples
+10 categories of breaking changes:
 
-These happened in a single session:
+| Change | Example |
+|--------|---------|
+| Endpoint removed | `DELETE /users/{id}` disappeared |
+| HTTP method removed | `PATCH /orders` no longer exists |
+| Required parameter added | New required header on `GET /items` |
+| Field removed from response | `email` dropped from user object |
+| Type changed | `id` went from string to integer |
+| Enum value removed | `status: "pending"` no longer valid |
+| Response code removed | `200 OK` response dropped |
+| Parameter removed | `sort` query param removed |
+| Required field added to request | Body now requires `tenant_id` |
+| Format changed | `date-time` changed to `date` |
 
-| Command | Result |
-|---------|--------|
-| "fix the 502 error" | Traced Vercel to Caddy to Docker, found wrong IP, fixed, verified |
-| "run test coverage" | 299 to 1,113 tests, zero written manually |
-| "run consensus on pricing" | 3 AI models debated, reached unanimous agreement |
+Detection is deterministic — rules, not AI inference. Same input always produces the same result.
 
-## Free vs Pro
+---
 
-**Free**: lint, diff, policy, semver, test coverage, security audit, repo analysis, zero-spec extraction, and more.
+## Policy presets
 
-**Pro ($10/mo)**: governance, deploy tracking, memory/vault, multi-model deliberation, evidence collection. Activate with `delimit activate YOUR_KEY`.
+```bash
+npx delimit-cli init --preset strict    # All violations are errors
+npx delimit-cli init --preset default   # Balanced (default)
+npx delimit-cli init --preset relaxed   # All violations are warnings
+```
 
-## Also works in CI
+Or write custom rules in `.delimit/policies.yml`:
 
 ```yaml
-- uses: delimit-ai/delimit-action@v1
-  with:
-    spec: api/openapi.yaml
+rules:
+  - id: freeze_v1
+    name: Freeze V1 API
+    change_types: [endpoint_removed, method_removed, field_removed]
+    severity: error
+    action: forbid
+    conditions:
+      path_pattern: "^/v1/.*"
+    message: "V1 API is frozen. Changes must be made in V2."
 ```
 
+---
+
+## Supported formats
+
+- OpenAPI 3.0 and 3.1
+- Swagger 2.0
+- YAML and JSON
+
+---
+
 ## Links
 
-- [delimit.ai](https://delimit.ai)
-- [GitHub](https://github.com/delimit-ai/delimit)
-- [Pricing](https://delimit.ai/pricing)
-- [Docs](https://delimit.ai/docs)
+- [delimit.ai](https://delimit.ai) -- homepage
+- [Docs](https://delimit.ai/docs) -- full documentation
+- [GitHub Action](https://github.com/marketplace/actions/delimit-api-governance) -- Marketplace listing
+- [Quickstart](https://github.com/delimit-ai/delimit-quickstart) -- try it in 2 minutes
+- [npm](https://www.npmjs.com/package/delimit-cli) -- CLI package
+- [Pricing](https://delimit.ai/pricing) -- free tier + Pro
 
 MIT License

package/gateway/ai/governance.py

@@ -231,6 +231,10 @@ def govern(tool_name: str, result: Dict[str, Any], project_path: str = ".") -> D
                 "reason": "Check ledger for what's next",
                 "premium": False,
             })
+    else:
+        # Excluded tools still get the next_steps field (empty) for schema consistency
+        if "next_steps" not in governed_result:
+            governed_result["next_steps"] = []
 
     return governed_result
 

package/package.json

@@ -1,8 +1,17 @@
 {
   "name": "delimit-cli",
-  "version": "3.6.2",
-  "description": "Stop Describing. Start Building. 77 MCP governance tools for AI coding assistants.",
+  "version": "3.6.4",
+  "description": "Catch breaking API changes before they ship. GitHub Action + CLI for OpenAPI specs.",
   "main": "index.js",
+  "files": [
+    "bin/",
+    "lib/",
+    "gateway/",
+    "server.json",
+    "README.md",
+    "LICENSE",
+    "CHANGELOG.md"
+  ],
   "bin": {
     "delimit": "./bin/delimit-cli.js",
     "delimit-cli": "./bin/delimit-cli.js"

package/.dockerignore

@@ -1,7 +0,0 @@
-node_modules
-.git
-tests
-junit.xml
-playwright-report
-test-results
-test-results.json

package/.github/workflows/api-governance.yml

@@ -1,43 +0,0 @@
-name: API Governance
-
-on:
-  pull_request:
-    paths:
-      - '**/*.yaml'
-      - '**/*.yml'
-      - '**/*.json'
-      - 'lib/**'
-
-jobs:
-  api-check:
-    name: Delimit API Check
-    runs-on: ubuntu-latest
-    permissions:
-      pull-requests: write
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/checkout@v4
-        with:
-          ref: ${{ github.event.pull_request.base.sha }}
-          path: base
-
-      - name: Check for spec changes
-        id: spec-check
-        run: |
-          # Find any OpenAPI/Swagger specs in the repo
-          SPECS=$(find . -path ./base -prune -o \( -name "openapi*.yaml" -o -name "openapi*.yml" -o -name "openapi*.json" -o -name "swagger*.yaml" -o -name "swagger*.json" \) -print | head -1)
-          if [ -n "$SPECS" ]; then
-            echo "spec_found=true" >> $GITHUB_OUTPUT
-            echo "spec_path=$SPECS" >> $GITHUB_OUTPUT
-          else
-            echo "spec_found=false" >> $GITHUB_OUTPUT
-          fi
-
-      - name: Run Delimit
-        if: steps.spec-check.outputs.spec_found == 'true'
-        uses: delimit-ai/delimit-action@v1
-        with:
-          old_spec: base/${{ steps.spec-check.outputs.spec_path }}
-          new_spec: ${{ steps.spec-check.outputs.spec_path }}
-          mode: advisory

package/.github/workflows/ci.yml

@@ -1,22 +0,0 @@
-name: Tests
-
-on: [push, pull_request]
-
-jobs:
-  test:
-    runs-on: ubuntu-latest
-    strategy:
-      matrix:
-        node-version: ['18', '20', '22']
-
-    name: Test Node ${{ matrix.node-version }}
-    steps:
-      - uses: actions/checkout@v4
-
-      - uses: actions/setup-node@v4
-        with:
-          node-version: ${{ matrix.node-version }}
-
-      - run: npm install
-
-      - run: npm test

package/CODE_OF_CONDUCT.md

@@ -1,48 +0,0 @@
-# Code of Conduct
-
-## Our Pledge
-
-We as members, contributors, and leaders pledge to make participation in our
-community a harassment-free experience for everyone, regardless of age, body
-size, visible or invisible disability, ethnicity, sex characteristics, gender
-identity and expression, level of experience, education, socio-economic status,
-nationality, personal appearance, race, caste, color, religion, or sexual
-identity and orientation.
-
-## Our Standards
-
-Examples of behavior that contributes to a positive environment:
-
-* Using welcoming and inclusive language
-* Being respectful of differing viewpoints and experiences
-* Gracefully accepting constructive criticism
-* Focusing on what is best for the community
-* Showing empathy towards other community members
-
-Examples of unacceptable behavior:
-
-* The use of sexualized language or imagery
-* Trolling, insulting or derogatory comments, and personal attacks
-* Public or private harassment
-* Publishing others' private information without permission
-* Other conduct which could reasonably be considered inappropriate
-
-## Enforcement Responsibilities
-
-Community leaders are responsible for clarifying and enforcing our standards of
-acceptable behavior and will take appropriate and fair corrective action in
-response to any behavior that they deem inappropriate, threatening, offensive,
-or harmful.
-
-## Enforcement
-
-Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at
-opensource@delimit.ai.
-
-All complaints will be reviewed and investigated promptly and fairly.
-
-## Attribution
-
-This Code of Conduct is adapted from the [Contributor Covenant](https://www.contributor-covenant.org/),
-version 2.1.

package/CONTRIBUTING.md

@@ -1,67 +0,0 @@
-# Contributing to Delimit
-
-Thank you for your interest in contributing to Delimit. We welcome contributions from the community.
-
-## How to Contribute
-
-### Reporting Issues
-
-1. Check if the issue already exists
-2. Create a new issue with:
-   - Clear title and description
-   - Steps to reproduce
-   - Expected vs actual behavior
-   - Environment details (OS, Node version, etc.)
-
-### Submitting Pull Requests
-
-1. Fork the repository
-2. Create a feature branch: `git checkout -b feature/your-feature`
-3. Make your changes
-4. Run the test suite
-5. Commit with clear messages
-6. Push to your fork
-7. Open a PR with:
-   - Description of changes
-   - Related issue numbers
-   - Test results
-
-## Development Setup
-
-### CLI (npm)
-
-```bash
-npm install -g delimit-cli
-delimit doctor
-```
-
-### GitHub Action
-
-See [delimit-action](https://github.com/delimit-ai/delimit-action) for CI integration.
-
-## Code Style
-
-- Follow existing conventions in the codebase
-- Use type hints where appropriate
-- Document functions and classes
-- Keep functions focused and small
-
-## Testing
-
-All PRs must:
-- Pass existing tests
-- Include tests for new features
-- Not introduce regressions
-
-## Areas for Contribution
-
-- Documentation improvements
-- Bug fixes
-- New governance rules and policy presets
-- Performance improvements
-- Framework integrations (Zero-Spec extractors)
-
-## Questions?
-
-- Open a [Discussion](https://github.com/delimit-ai/delimit/discussions) on GitHub
-- Email opensource@delimit.ai

package/Dockerfile

@@ -1,9 +0,0 @@
-FROM node:20-slim
-RUN apt-get update && apt-get install -y --no-install-recommends python3 python3-pip && rm -rf /var/lib/apt/lists/*
-RUN pip3 install --break-system-packages pyyaml pydantic packaging
-WORKDIR /app
-COPY package*.json ./
-RUN npm install --production --ignore-scripts
-COPY . .
-ENV DELIMIT_GATEWAY_ROOT=/app/gateway
-ENTRYPOINT ["node", "bin/delimit-cli.js"]

package/SECURITY.md

@@ -1,42 +0,0 @@
-# Security Policy
-
-## Supported Versions
-
-| Version | Supported |
-| ------- | --------- |
-| 2.x     | Yes       |
-| 1.x     | No        |
-
-## Reporting a Vulnerability
-
-We take security seriously at Delimit. If you discover a security vulnerability, please follow these steps:
-
-1. **Do NOT** create a public GitHub issue
-2. Email security@delimit.ai with:
-   - Description of the vulnerability
-   - Steps to reproduce
-   - Potential impact
-   - Your suggested fix (if any)
-
-## Response Timeline
-
-- **Acknowledgment**: Within 24 hours
-- **Initial Assessment**: Within 72 hours
-- **Fix Timeline**: Based on severity
-  - Critical: Within 7 days
-  - High: Within 14 days
-  - Medium: Within 30 days
-  - Low: Next release
-
-## Security Best Practices
-
-When using Delimit:
-
-1. **Never commit API keys or tokens** to your repository
-2. **Use environment variables** for sensitive configuration
-3. **Keep Delimit updated** to the latest version
-4. **Review PR annotations** before merging
-
-## Data Privacy
-
-Delimit processes your API specifications locally. The CLI and GitHub Action do not send your specs to external servers.

package/adapters/codex-forge.js

@@ -1,107 +0,0 @@
-#!/usr/bin/env node
-/**
- * Delimit™ Codex Forge Adapter
- * Layer: Forge (execution governance)
- * Surfaces test failures, deploy state, and release gates before accepting code.
- */
-
-'use strict';
-
-const axios = require('axios');
-const AGENT_URL = `http://127.0.0.1:${process.env.DELIMIT_AGENT_PORT || 7823}`;
-
-class DelimitCodexForge {
-    constructor() {
-        this.name = 'delimit-forge';
-        this.version = '1.0.0';
-    }
-
-    /**
-     * Before accepting code: check test gate and deploy state.
-     */
-    async onBeforeSuggestion(context) {
-        const [testState, deployState] = await Promise.allSettled([
-            this._getTestGate(),
-            this._getDeployState(),
-        ]);
-
-        const warnings = [];
-
-        if (testState.status === 'fulfilled' && testState.value.failing > 0) {
-            warnings.push(`[FORGE] ${testState.value.failing} test(s) failing — fix before accepting`);
-        }
-
-        if (deployState.status === 'fulfilled' && deployState.value.locked) {
-            warnings.push(`[FORGE] Deploy locked: ${deployState.value.reason || 'release in progress'}`);
-        }
-
-        if (warnings.length > 0) {
-            return { allow: true, warning: warnings.join(' | ') };
-        }
-
-        return { allow: true };
-    }
-
-    async onAfterAccept(context) {
-        try {
-            await axios.post(`${AGENT_URL}/audit`, {
-                action: 'forge_accept',
-                context,
-                timestamp: new Date().toISOString(),
-            }, { timeout: 2000 });
-        } catch (_) { /* silent */ }
-    }
-
-    async _getTestGate() {
-        const r = await axios.get(`${AGENT_URL}/test/status`, { timeout: 3000 });
-        return r.data;
-    }
-
-    async _getDeployState() {
-        const r = await axios.get(`${AGENT_URL}/deploy/status`, { timeout: 3000 });
-        return r.data;
-    }
-
-    async handleCommand(command, _args) {
-        const { execSync } = require('child_process');
-        const cmds = {
-            'forge': 'delimit status --layer=forge',
-            'tests': 'delimit test --summary',
-            'deploy': 'delimit deploy --status',
-            'release': 'delimit release --status',
-        };
-        if (cmds[command]) {
-            try {
-                return execSync(cmds[command], { timeout: 10000 }).toString();
-            } catch (e) {
-                return `[FORGE] Command failed: ${e.message}`;
-            }
-        }
-    }
-
-    /**
-     * Returns structured Forge context for consensus use.
-     */
-    async getContext() {
-        const [tests, deploy, release] = await Promise.allSettled([
-            axios.get(`${AGENT_URL}/test/status`, { timeout: 3000 }),
-            axios.get(`${AGENT_URL}/deploy/status`, { timeout: 3000 }),
-            axios.get(`${AGENT_URL}/release/status`, { timeout: 3000 }),
-        ]);
-
-        return {
-            layer: 'forge',
-            tests: tests.status === 'fulfilled' ? tests.value.data : null,
-            deploy: deploy.status === 'fulfilled' ? deploy.value.data : null,
-            release: release.status === 'fulfilled' ? release.value.data : null,
-        };
-    }
-}
-
-if (typeof module !== 'undefined' && module.exports) {
-    module.exports = new DelimitCodexForge();
-}
-
-if (typeof registerSkill === 'function') {
-    registerSkill(new DelimitCodexForge());
-}