delimit-cli 3.7.0 → 3.8.0

package/README.md

@@ -39,7 +39,7 @@ That's it. Delimit auto-fetches the base branch spec, diffs it, and posts a PR c
 - Step-by-step migration guide
 - Policy violations
 
-[View on GitHub Marketplace →](https://github.com/marketplace/actions/delimit-api-governance) · [See a live PR comment →](https://github.com/delimit-ai/delimit-quickstart/pull/1)
+[View on GitHub Marketplace →](https://github.com/marketplace/actions/delimit-api-governance) · [See a live demo (6 breaking changes) →](https://github.com/delimit-ai/delimit-demo/pull/1)
 
 ### Example PR comment
 

package/bin/delimit-setup.js

@@ -339,7 +339,7 @@ Run full governance compliance checks. Verify security, policy compliance, evide
             models.gemini = { name: 'Gemini', api_url: `https://us-central1-aiplatform.googleapis.com/v1/projects/{project}/locations/us-central1/publishers/google/models/gemini-2.5-flash:generateContent`, model: 'gemini-2.5-flash', format: 'vertex_ai', enabled: true };
         }
         if (process.env.OPENAI_API_KEY) {
-            models.openai = { name: 'GPT', api_url: 'https://api.openai.com/v1/chat/completions', model: 'gpt-4o', env_key: 'OPENAI_API_KEY', enabled: true };
+            models.openai = { name: 'OpenAI', api_url: 'https://api.openai.com/v1/chat/completions', model: 'gpt-4o', env_key: 'OPENAI_API_KEY', prefer_cli: true, enabled: true };
         }
         if (process.env.ANTHROPIC_API_KEY) {
             models.anthropic = { name: 'Claude', api_url: 'https://api.anthropic.com/v1/messages', model: 'claude-sonnet-4-5-20250514', env_key: 'ANTHROPIC_API_KEY', format: 'anthropic', enabled: true };
@@ -365,12 +365,12 @@ Run full governance compliance checks. Verify security, policy compliance, evide
     log('  Try it now:');
     log(`  ${bold('$ claude')}`);
     log('');
-    log(`  Then say: ${blue('"check this project\'s health"')}`);
+    log(`  Then say: ${blue('"scan this project"')}`);
     log('');
     log('  Or try:');
-    log(`  ${dim('-')} "add to ledger: set up CI pipeline"  ${dim('— start tracking tasks')}`);
-    log(`  ${dim('-')} "what\'s on the ledger?"               ${dim('— see what\'s pending')}`);
-    log(`  ${dim('-')} "delimit help"                        ${dim('— see all capabilities')}`);
+    log(`  ${dim('-')} "lint my API spec"                    ${dim('— catch breaking changes')}`);
+    log(`  ${dim('-')} "add to ledger: set up CI pipeline"  ${dim('— track tasks across sessions')}`);
+    log(`  ${dim('-')} "deliberate [question]"               ${dim('— multi-model AI consensus')}`);
     log('');
     log(`  ${dim('Config:')} ${MCP_CONFIG}`);
     log(`  ${dim('Server:')} ${actualServer}`);
@@ -387,10 +387,11 @@ function getClaudeMdContent() {
 One workspace for every AI coding assistant.
 
 ## Try these:
+- "scan this project" -- discover what Delimit can do here
 - "lint my API spec" -- catch breaking changes in your OpenAPI spec
 - "add to ledger: [anything]" -- track tasks across sessions
 - "what's on the ledger?" -- pick up where you left off
-- "check this project's health" -- run governance diagnostics
+- "deliberate [question]" -- get multi-model AI consensus
 
 ## What Delimit does:
 - **API governance** -- lint, diff, semver classification, migration guides

package/gateway/ai/backends/tools_infra.py

@@ -924,7 +924,11 @@ def deploy_site(project_path: str = ".", message: str = "", env_vars: dict = Non
     # 4. Vercel build
     env = {**os.environ}
     if env_vars:
-        env.update(env_vars)
+        # Whitelist safe env var prefixes — block LD_PRELOAD, PATH overrides, etc.
+        blocked = {"LD_PRELOAD", "LD_LIBRARY_PATH", "DYLD_", "PATH", "HOME", "USER", "SHELL"}
+        for k, v in env_vars.items():
+            if not any(k.startswith(b) for b in blocked):
+                env[str(k)] = str(v)
 
     try:
         result = subprocess.run(

package/gateway/ai/backends/tools_real.py

@@ -350,29 +350,35 @@ def test_smoke(project_path: str, test_suite: Optional[str] = None) -> Dict[str,
     framework = detected["framework"]
     cmd = detected["cmd"]
 
-    # If a specific suite is requested, append it
+    # Build command as list (never shell=True with user input)
+    import shlex
+    cmd_list = shlex.split(cmd)
+
+    # If a specific suite is requested, validate and append
     if test_suite:
-        cmd = f"{cmd} {test_suite}"
+        # Sanitize: only allow alphanumeric, slashes, dots, underscores, hyphens, colons
+        import re
+        if not re.match(r'^[\w/.\-:*\[\]]+$', test_suite):
+            return {"tool": "test.smoke", "status": "error", "error": f"Invalid test_suite: {test_suite}"}
+        cmd_list.append(test_suite)
 
     # Detect the right Python executable
     if framework == "pytest":
         python_found = False
-        # Check for venv
         for venv_dir in ["venv", ".venv", "env"]:
             venv_python = project / venv_dir / "bin" / "python"
             if venv_python.exists():
-                cmd = cmd.replace("python", str(venv_python), 1)
+                cmd_list[0] = str(venv_python)
                 python_found = True
                 break
-        # Fallback to the current interpreter (handles systems where `python` is missing)
         if not python_found:
             import sys as _sys
-            cmd = cmd.replace("python", _sys.executable, 1)
+            cmd_list[0] = _sys.executable
 
     try:
         result = subprocess.run(
-            cmd,
-            shell=True,
+            cmd_list,
+            shell=False,
             cwd=str(project),
             capture_output=True,
             text=True,

package/gateway/ai/deliberation.py

@@ -38,13 +38,16 @@ DEFAULT_MODELS = {
         "env_key": "GOOGLE_APPLICATION_CREDENTIALS",
         "enabled": False,
         "format": "vertex_ai",
+        "prefer_cli": True,  # Use gemini CLI if available (Ultra plan), fall back to Vertex AI
+        "cli_command": "gemini",
     },
     "openai": {
-        "name": "GPT",
+        "name": "OpenAI",
         "api_url": "https://api.openai.com/v1/chat/completions",
         "model": "gpt-4o",
         "env_key": "OPENAI_API_KEY",
         "enabled": False,
+        "prefer_cli": True,  # Use Codex CLI if available, fall back to API
     },
     "anthropic": {
         "name": "Claude",
@@ -53,13 +56,8 @@ DEFAULT_MODELS = {
         "env_key": "ANTHROPIC_API_KEY",
         "enabled": False,
         "format": "anthropic",
-    },
-    "codex": {
-        "name": "Codex CLI",
-        "format": "codex_cli",
-        "model": "gpt-5.4",
-        "env_key": "CODEX_CLI",
-        "enabled": False,
+        "prefer_cli": True,  # Use claude CLI if available (Pro/Max), fall back to API
+        "cli_command": "claude",
     },
 }
 
@@ -75,17 +73,31 @@ def get_models_config() -> Dict[str, Any]:
     # Auto-detect from environment
     config = {}
     for model_id, defaults in DEFAULT_MODELS.items():
-        if defaults.get("format") == "codex_cli":
-            # Codex: check if CLI is available
+        key = os.environ.get(defaults.get("env_key", ""), "")
+
+        if defaults.get("prefer_cli"):
+            # Prefer CLI (uses existing subscription) over API (extra cost)
             import shutil
-            codex_path = shutil.which("codex")
-            config[model_id] = {
-                **defaults,
-                "enabled": codex_path is not None,
-                "codex_path": codex_path or "",
-            }
+            cli_cmd = defaults.get("cli_command", "codex")
+            cli_path = shutil.which(cli_cmd)
+            if cli_path:
+                config[model_id] = {
+                    **defaults,
+                    "format": "codex_cli",
+                    "enabled": True,
+                    "codex_path": cli_path,
+                    "backend": "cli",
+                }
+            elif key:
+                config[model_id] = {
+                    **defaults,
+                    "api_key": key,
+                    "enabled": True,
+                    "backend": "api",
+                }
+            else:
+                config[model_id] = {**defaults, "enabled": False}
         else:
-            key = os.environ.get(defaults["env_key"], "")
             config[model_id] = {
                 **defaults,
                 "api_key": key,
@@ -101,47 +113,62 @@ def configure_models() -> Dict[str, Any]:
     available = {k: v for k, v in config.items() if v.get("enabled")}
     missing = {k: v for k, v in config.items() if not v.get("enabled")}
 
+    model_details = {}
+    for k, v in available.items():
+        backend = v.get("backend", "api")
+        if v.get("format") == "codex_cli":
+            backend = "cli"
+        model_details[k] = {"name": v.get("name", k), "backend": backend, "model": v.get("model", "")}
+
     return {
         "configured_models": list(available.keys()),
-        "missing_models": {k: f"Set {v['env_key']} environment variable" for k, v in missing.items()},
+        "model_details": model_details,
+        "missing_models": {k: f"Set {v.get('env_key', 'key')} or install {v.get('cli_command', '')} CLI" for k, v in missing.items()},
         "config_path": str(MODELS_CONFIG),
-        "note": "Add API keys to enable more models for deliberation. "
-                "Set env vars or create ~/.delimit/models.json",
+        "note": "CLI backends use your existing subscription (no extra API cost). "
+                "API backends require separate API keys.",
     }
 
 
-def _call_codex(prompt: str, system_prompt: str = "") -> str:
-    """Call Codex via CLI subprocess."""
+def _call_cli(prompt: str, system_prompt: str = "", cli_path: str = "", cli_command: str = "codex") -> str:
+    """Call an AI CLI tool (codex or claude) via subprocess. Uses existing subscription — no API cost."""
     import subprocess
-    codex_path = shutil.which("codex")
-    if not codex_path:
-        return "[Codex unavailable — codex CLI not found in PATH]"
+
+    if not cli_path:
+        cli_path = shutil.which(cli_command) or ""
+    if not cli_path:
+        return f"[{cli_command} unavailable — CLI not found in PATH]"
 
     full_prompt = f"{system_prompt}\n\n{prompt}" if system_prompt else prompt
+
+    # Build command based on which CLI
+    if "claude" in cli_command:
+        cmd = [cli_path, "--print", "--dangerously-skip-permissions", full_prompt]
+    else:
+        # codex
+        cmd = [cli_path, "exec", "--dangerously-bypass-approvals-and-sandbox", full_prompt]
+
     try:
-        result = subprocess.run(
-            [codex_path, "exec", "--dangerously-bypass-approvals-and-sandbox", full_prompt],
-            capture_output=True,
-            text=True,
-            timeout=120,
-        )
+        result = subprocess.run(cmd, capture_output=True, text=True, timeout=120)
         output = result.stdout.strip()
         if not output and result.stderr:
-            return f"[Codex error: {result.stderr[:300]}]"
-        return output or "[Codex returned empty response]"
+            return f"[{cli_command} error: {result.stderr[:300]}]"
+        return output or f"[{cli_command} returned empty response]"
     except subprocess.TimeoutExpired:
-        return "[Codex timed out after 120s]"
+        return f"[{cli_command} timed out after 120s]"
     except Exception as e:
-        return f"[Codex error: {e}]"
+        return f"[{cli_command} error: {e}]"
 
 
 def _call_model(model_id: str, config: Dict, prompt: str, system_prompt: str = "") -> str:
-    """Call any supported model — OpenAI-compatible API, Vertex AI, or Codex CLI."""
+    """Call any supported model — OpenAI-compatible API, Vertex AI, or CLI (codex/claude)."""
     fmt = config.get("format", "openai")
 
-    # Codex uses CLI, not HTTP API
+    # CLI-based models (codex, claude) — uses existing subscription, no API cost
     if fmt == "codex_cli":
-        return _call_codex(prompt, system_prompt)
+        cli_path = config.get("codex_path", "")
+        cli_command = config.get("cli_command", "codex")
+        return _call_cli(prompt, system_prompt, cli_path=cli_path, cli_command=cli_command)
 
     api_key = config.get("api_key") or os.environ.get(config.get("env_key", ""), "")
     # Vertex AI uses service account auth, not API key

package/gateway/ai/release_sync.py

@@ -0,0 +1,217 @@
+"""
+Delimit Release Sync — single source of truth for all public surfaces.
+
+Audit mode: scans all surfaces and reports inconsistencies.
+Apply mode: fixes what it can automatically.
+
+Central config: ~/.delimit/release.json
+"""
+
+import json
+import os
+import re
+import subprocess
+from pathlib import Path
+from typing import Any, Dict, List, Optional
+
+RELEASE_CONFIG = Path.home() / ".delimit" / "release.json"
+
+DEFAULT_CONFIG = {
+    "product_name": "Delimit",
+    "tagline": "Governance toolkit for AI coding assistants",
+    "description": "Governance toolkit for AI coding assistants — API checks, persistent memory, consensus, security.",
+    "version": {
+        "cli": "",  # filled dynamically
+        "action": "",
+        "gateway": "",
+    },
+    "urls": {
+        "homepage": "https://delimit.ai",
+        "docs": "https://delimit.ai/docs",
+        "github": "https://github.com/delimit-ai/delimit",
+        "action": "https://github.com/marketplace/actions/delimit-api-governance",
+        "npm": "https://www.npmjs.com/package/delimit-cli",
+        "quickstart": "https://github.com/delimit-ai/delimit-quickstart",
+    },
+}
+
+
+def get_release_config() -> Dict[str, Any]:
+    """Load or create the release config."""
+    if RELEASE_CONFIG.exists():
+        try:
+            return json.loads(RELEASE_CONFIG.read_text())
+        except Exception:
+            pass
+    return DEFAULT_CONFIG.copy()
+
+
+def save_release_config(config: Dict[str, Any]) -> None:
+    """Save the release config."""
+    RELEASE_CONFIG.parent.mkdir(parents=True, exist_ok=True)
+    RELEASE_CONFIG.write_text(json.dumps(config, indent=2))
+
+
+def _read_file(path: str) -> Optional[str]:
+    """Read a file, return None if missing."""
+    try:
+        return Path(path).read_text()
+    except Exception:
+        return None
+
+
+def _check_contains(content: str, expected: str, surface: str) -> Dict:
+    """Check if content contains expected string."""
+    if content is None:
+        return {"surface": surface, "status": "missing", "detail": "File not found"}
+    if expected.lower() in content.lower():
+        return {"surface": surface, "status": "ok"}
+    return {
+        "surface": surface,
+        "status": "stale",
+        "expected": expected,
+        "detail": f"Does not contain: {expected[:80]}",
+    }
+
+
+def _get_npm_version(pkg_path: str) -> str:
+    """Read version from package.json."""
+    try:
+        pkg = json.loads(Path(pkg_path).read_text())
+        return pkg.get("version", "")
+    except Exception:
+        return ""
+
+
+def _get_pyproject_version(path: str) -> str:
+    """Read version from pyproject.toml."""
+    try:
+        content = Path(path).read_text()
+        m = re.search(r'version\s*=\s*"([^"]+)"', content)
+        return m.group(1) if m else ""
+    except Exception:
+        return ""
+
+
+def audit(config: Optional[Dict] = None) -> Dict[str, Any]:
+    """Audit all public surfaces for consistency with the release config."""
+    cfg = config or get_release_config()
+    tagline = cfg.get("tagline", "")
+    description = cfg.get("description", "")
+    results = []
+
+    # 1. npm package.json
+    npm_pkg = _read_file(os.path.expanduser("~/.delimit/server/../../../npm-delimit/package.json"))
+    # Try common locations
+    for candidate in [
+        Path.home() / "npm-delimit" / "package.json",
+    ]:
+        if candidate.exists():
+            npm_pkg = candidate.read_text()
+            break
+
+    if npm_pkg:
+        try:
+            pkg = json.loads(npm_pkg)
+            pkg_desc = pkg.get("description", "")
+            if tagline.lower() not in pkg_desc.lower():
+                results.append({"surface": "npm package.json description", "status": "stale", "current": pkg_desc[:100], "expected": description})
+            else:
+                results.append({"surface": "npm package.json description", "status": "ok"})
+            cfg.setdefault("version", {})["cli"] = pkg.get("version", "")
+        except Exception:
+            results.append({"surface": "npm package.json", "status": "error", "detail": "Could not parse"})
+
+    # 2. CLAUDE.md
+    claude_md = _read_file(str(Path.home() / "CLAUDE.md"))
+    results.append(_check_contains(claude_md, tagline, "CLAUDE.md"))
+
+    # 3. GitHub repo descriptions (requires gh CLI)
+    for repo, surface in [
+        ("delimit-ai/delimit", "GitHub: delimit repo"),
+        ("delimit-ai/delimit-action", "GitHub: delimit-action repo"),
+        ("delimit-ai/delimit-quickstart", "GitHub: quickstart repo"),
+    ]:
+        try:
+            r = subprocess.run(
+                ["gh", "api", f"repos/{repo}", "--jq", ".description"],
+                capture_output=True, text=True, timeout=10,
+            )
+            if r.returncode == 0:
+                desc = r.stdout.strip()
+                if tagline.lower() in desc.lower() or "governance" in desc.lower():
+                    results.append({"surface": surface, "status": "ok", "current": desc[:100]})
+                else:
+                    results.append({"surface": surface, "status": "stale", "current": desc[:100], "expected": tagline})
+            else:
+                results.append({"surface": surface, "status": "error", "detail": "gh API failed"})
+        except Exception:
+            results.append({"surface": surface, "status": "skipped", "detail": "gh CLI not available"})
+
+    # 4. GitHub org description
+    try:
+        r = subprocess.run(
+            ["gh", "api", "orgs/delimit-ai", "--jq", ".description"],
+            capture_output=True, text=True, timeout=10,
+        )
+        if r.returncode == 0:
+            org_desc = r.stdout.strip()
+            results.append(_check_contains(org_desc, "governance" if "governance" in tagline.lower() else tagline[:30], "GitHub: org description"))
+    except Exception:
+        results.append({"surface": "GitHub: org description", "status": "skipped"})
+
+    # 5. delimit.ai meta tags
+    for layout_path in [
+        Path.home() / "delimit-ui" / "app" / "layout.tsx",
+    ]:
+        if layout_path.exists():
+            layout = layout_path.read_text()
+            results.append(_check_contains(layout, tagline, "delimit.ai meta title"))
+            break
+    else:
+        results.append({"surface": "delimit.ai meta title", "status": "skipped", "detail": "layout.tsx not found"})
+
+    # 6. Gateway version
+    for pyproject_path in [
+        Path.home() / "delimit-gateway" / "pyproject.toml",
+    ]:
+        if pyproject_path.exists():
+            gw_version = _get_pyproject_version(str(pyproject_path))
+            cfg.setdefault("version", {})["gateway"] = gw_version
+            results.append({"surface": "gateway pyproject.toml", "status": "ok", "version": gw_version})
+            break
+
+    # 7. GitHub releases
+    try:
+        r = subprocess.run(
+            ["gh", "release", "list", "--repo", "delimit-ai/delimit", "--limit", "1", "--json", "tagName"],
+            capture_output=True, text=True, timeout=10,
+        )
+        if r.returncode == 0:
+            releases = json.loads(r.stdout)
+            if releases:
+                release_ver = releases[0].get("tagName", "").lstrip("v")
+                cli_ver = cfg.get("version", {}).get("cli", "")
+                if release_ver == cli_ver:
+                    results.append({"surface": "GitHub release", "status": "ok", "version": release_ver})
+                else:
+                    results.append({"surface": "GitHub release", "status": "stale", "current": release_ver, "expected": cli_ver})
+    except Exception:
+        results.append({"surface": "GitHub release", "status": "skipped"})
+
+    # Summary
+    ok = sum(1 for r in results if r["status"] == "ok")
+    stale = sum(1 for r in results if r["status"] == "stale")
+    errors = sum(1 for r in results if r["status"] in ("error", "missing"))
+
+    return {
+        "config": cfg,
+        "surfaces": results,
+        "summary": {
+            "total": len(results),
+            "ok": ok,
+            "stale": stale,
+            "errors": errors,
+        },
+        "all_synced": stale == 0 and errors == 0,
+    }

package/gateway/ai/server.py

@@ -1497,6 +1497,13 @@ async def delimit_sensor_github_issue(
         issue_number: The issue number to monitor.
         since_comment_id: Last seen comment ID. Pass 0 to get all comments.
     """
+    import re as _re
+    # Validate inputs to prevent injection
+    if not _re.match(r'^[\w.-]+/[\w.-]+$', repo):
+        return _with_next_steps("sensor_github_issue", {"error": f"Invalid repo format: {repo}. Use owner/repo."})
+    if not isinstance(issue_number, int) or issue_number <= 0:
+        return _with_next_steps("sensor_github_issue", {"error": f"Invalid issue number: {issue_number}"})
+
     try:
         # Fetch comments
         comments_jq = (
@@ -1982,17 +1989,110 @@ def delimit_ventures() -> Dict[str, Any]:
 
 
 @mcp.tool()
-def delimit_models(action: str = "list") -> Dict[str, Any]:
+def delimit_models(
+    action: str = "list",
+    provider: str = "",
+    api_key: str = "",
+    model_name: str = "",
+) -> Dict[str, Any]:
     """View and configure AI models for multi-model deliberation.
 
-    Shows which models are available for consensus runs. Models auto-detect
-    from environment variables (XAI_API_KEY, GEMINI_API_KEY, OPENAI_API_KEY).
+    Actions:
+      - "list": show configured models and what's available
+      - "detect": auto-detect API keys from environment and configure
+      - "add": add a model provider (set provider + api_key)
+      - "remove": remove a model provider (set provider)
+
+    Supported providers: grok, gemini, openai, anthropic, codex
 
     Args:
-        action: 'list' to show configured models.
+        action: list, detect, add, or remove.
+        provider: Model provider for add/remove (grok, gemini, openai, anthropic, codex).
+        api_key: API key for the provider (only used with action=add).
+        model_name: Optional model name override (e.g. "gpt-4o", "claude-sonnet-4-5-20250514").
     """
-    from ai.deliberation import configure_models
-    return configure_models()
+    from ai.deliberation import configure_models, get_models_config, MODELS_CONFIG, DEFAULT_MODELS
+    import json as _json
+
+    if action == "list":
+        return configure_models()
+
+    if action == "detect":
+        # Auto-detect from env vars and save
+        config = get_models_config()
+        detected = []
+        env_map = {
+            "grok": "XAI_API_KEY",
+            "gemini": "GOOGLE_APPLICATION_CREDENTIALS",
+            "openai": "OPENAI_API_KEY",
+            "anthropic": "ANTHROPIC_API_KEY",
+        }
+        for pid, env_key in env_map.items():
+            if os.environ.get(env_key) and pid not in config:
+                defaults = DEFAULT_MODELS.get(pid, {})
+                config[pid] = {**defaults, "enabled": True}
+                if "api_key" in defaults:
+                    config[pid]["api_key"] = os.environ[env_key]
+                detected.append(pid)
+        # Check codex CLI
+        import shutil
+        if shutil.which("codex") and "codex" not in config:
+            config["codex"] = {**DEFAULT_MODELS.get("codex", {}), "enabled": True}
+            detected.append("codex")
+
+        if detected:
+            MODELS_CONFIG.parent.mkdir(parents=True, exist_ok=True)
+            MODELS_CONFIG.write_text(_json.dumps(config, indent=2))
+            return {"action": "detect", "detected": detected, "total_models": len(config), "config_path": str(MODELS_CONFIG)}
+        return {"action": "detect", "detected": [], "note": "No new API keys found in environment."}
+
+    if action == "add":
+        if not provider:
+            return {"error": "Specify provider: grok, gemini, openai, anthropic, or codex"}
+
+        config = {}
+        if MODELS_CONFIG.exists():
+            try:
+                config = _json.loads(MODELS_CONFIG.read_text())
+            except Exception:
+                pass
+
+        # Provider templates
+        templates = {
+            "grok": {"name": "Grok", "api_url": "https://api.x.ai/v1/chat/completions", "model": model_name or "grok-4-0709", "env_key": "XAI_API_KEY"},
+            "openai": {"name": "OpenAI", "api_url": "https://api.openai.com/v1/chat/completions", "model": model_name or "gpt-4o", "env_key": "OPENAI_API_KEY", "prefer_cli": True},
+            "anthropic": {"name": "Claude", "api_url": "https://api.anthropic.com/v1/messages", "model": model_name or "claude-sonnet-4-5-20250514", "env_key": "ANTHROPIC_API_KEY", "format": "anthropic"},
+            "gemini": {"name": "Gemini", "api_url": "https://us-central1-aiplatform.googleapis.com/v1/projects/{project}/locations/us-central1/publishers/google/models/gemini-2.5-flash:generateContent", "model": model_name or "gemini-2.5-flash", "format": "vertex_ai"},
+        }
+
+        if provider not in templates:
+            return {"error": f"Unknown provider '{provider}'. Supported: {', '.join(templates.keys())}"}
+
+        entry = {**templates[provider], "enabled": True}
+        if api_key:
+            entry["api_key"] = api_key
+
+        config[provider] = entry
+        MODELS_CONFIG.parent.mkdir(parents=True, exist_ok=True)
+        MODELS_CONFIG.write_text(_json.dumps(config, indent=2))
+        return {"action": "add", "provider": provider, "model": entry.get("model"), "config_path": str(MODELS_CONFIG)}
+
+    if action == "remove":
+        if not provider:
+            return {"error": "Specify provider to remove"}
+        config = {}
+        if MODELS_CONFIG.exists():
+            try:
+                config = _json.loads(MODELS_CONFIG.read_text())
+            except Exception:
+                pass
+        if provider in config:
+            del config[provider]
+            MODELS_CONFIG.write_text(_json.dumps(config, indent=2))
+            return {"action": "remove", "provider": provider, "remaining": list(config.keys())}
+        return {"action": "remove", "provider": provider, "note": "Provider not found in config"}
+
+    return {"error": f"Unknown action '{action}'. Use: list, detect, add, remove"}
 
 
 @mcp.tool()
@@ -2128,6 +2228,151 @@ def _extract_deliberation_actions(result: Dict, question: str) -> List[Dict[str,
     return actions[:10]
 
 
+@mcp.tool()
+def delimit_release_sync(action: str = "audit") -> Dict[str, Any]:
+    """Audit or sync all public surfaces for consistency.
+
+    Checks GitHub repos, npm, site meta tags, CLAUDE.md, and releases
+    against a central config. Reports what's stale and what needs updating.
+
+    Args:
+        action: "audit" to check all surfaces, "config" to view/edit the release config.
+    """
+    from ai.release_sync import audit, get_release_config
+    if action == "config":
+        return get_release_config()
+    return _with_next_steps("release_sync", audit())
+
+
+@mcp.tool()
+def delimit_scan(project_path: str = ".") -> Dict[str, Any]:
+    """Scan a project and show what Delimit can do for it.
+
+    First-run discovery tool. Finds OpenAPI specs, checks for security issues,
+    detects frameworks, and suggests what to track. Use this when you first
+    install Delimit or open a new project.
+
+    Args:
+        project_path: Path to the project to scan.
+    """
+    import glob as _glob
+    p = Path(project_path).resolve()
+    findings = []
+    suggestions = []
+
+    # 1. Find OpenAPI specs
+    spec_patterns = ["**/openapi.yaml", "**/openapi.yml", "**/openapi.json",
+                     "**/swagger.yaml", "**/swagger.yml", "**/swagger.json",
+                     "**/*api*.yaml", "**/*api*.yml"]
+    specs_found = []
+    for pattern in spec_patterns:
+        for match in p.glob(pattern):
+            rel = str(match.relative_to(p))
+            if "node_modules" not in rel and ".next" not in rel and "venv" not in rel:
+                specs_found.append(rel)
+    specs_found = list(set(specs_found))[:10]
+
+    if specs_found:
+        findings.append({"type": "openapi_specs", "count": len(specs_found), "files": specs_found})
+        suggestions.append({"action": "lint", "detail": f"Run delimit_lint on {specs_found[0]} to check for issues"})
+        suggestions.append({"action": "github_action", "detail": "Add the Delimit GitHub Action to catch breaking changes on PRs"})
+    else:
+        # Check for framework that could generate a spec
+        framework = None
+        if (p / "requirements.txt").exists() or (p / "pyproject.toml").exists():
+            for py_file in p.rglob("*.py"):
+                if "node_modules" in str(py_file):
+                    continue
+                try:
+                    content = py_file.read_text(errors="ignore")[:2000]
+                    if "FastAPI" in content or "fastapi" in content:
+                        framework = "FastAPI"
+                        break
+                except Exception:
+                    pass
+        if (p / "package.json").exists():
+            try:
+                pkg = json.loads((p / "package.json").read_text())
+                deps = {**pkg.get("dependencies", {}), **pkg.get("devDependencies", {})}
+                if "@nestjs/core" in deps:
+                    framework = "NestJS"
+                elif "express" in deps:
+                    framework = "Express"
+            except Exception:
+                pass
+
+        if framework:
+            findings.append({"type": "framework_detected", "framework": framework, "has_spec": False})
+            suggestions.append({"action": "zero_spec", "detail": f"Run delimit_zero_spec to extract an OpenAPI spec from your {framework} code"})
+        else:
+            findings.append({"type": "no_api_detected", "note": "No OpenAPI spec or supported framework found"})
+
+    # 2. Check for security patterns (quick scan)
+    security_issues = []
+    for pattern_name, pattern_glob, check in [
+        ("env_file_in_git", ".env", lambda f: True),
+        ("hardcoded_key", "**/*.py", lambda f: "API_KEY" in f.read_text(errors="ignore")[:5000] and "os.environ" not in f.read_text(errors="ignore")[:5000]),
+        ("hardcoded_key_js", "**/*.js", lambda f: "apiKey" in f.read_text(errors="ignore")[:5000] and "process.env" not in f.read_text(errors="ignore")[:5000]),
+    ]:
+        try:
+            for match in p.glob(pattern_glob):
+                rel = str(match.relative_to(p))
+                if "node_modules" in rel or ".next" in rel or "venv" in rel or "__pycache__" in rel:
+                    continue
+                if check(match):
+                    security_issues.append({"issue": pattern_name, "file": rel})
+                    break  # One per pattern is enough
+        except Exception:
+            pass
+
+    if security_issues:
+        findings.append({"type": "security_concerns", "count": len(security_issues), "issues": security_issues})
+        suggestions.append({"action": "security_audit", "detail": "Run delimit_security_audit for a full scan"})
+
+    # 3. Check git status
+    try:
+        import subprocess
+        result = subprocess.run(["git", "log", "--oneline", "-1"], capture_output=True, text=True, timeout=5, cwd=str(p))
+        if result.returncode == 0:
+            findings.append({"type": "git_repo", "latest_commit": result.stdout.strip()})
+    except Exception:
+        pass
+
+    # 4. Check for existing tests
+    test_files = list(p.glob("**/test_*.py")) + list(p.glob("**/*.test.js")) + list(p.glob("**/*.test.ts")) + list(p.glob("**/*.spec.js"))
+    test_files = [f for f in test_files if "node_modules" not in str(f)]
+    if test_files:
+        findings.append({"type": "tests_found", "count": len(test_files)})
+        suggestions.append({"action": "test_coverage", "detail": "Run delimit_test_smoke to verify tests pass and measure coverage"})
+
+    # 5. Check ledger
+    from ai.ledger_manager import list_items
+    ledger = list_items(project_path=str(p))
+    open_items = [i for i in ledger.get("items", []) if isinstance(i, dict) and i.get("status") == "open"]
+    if open_items:
+        findings.append({"type": "ledger_active", "open_items": len(open_items), "top": [i.get("title", "") for i in open_items[:3]]})
+    else:
+        suggestions.append({"action": "ledger", "detail": "Say 'add to ledger: [task]' to start tracking work across sessions"})
+
+    # 6. Check deliberation models
+    from ai.deliberation import get_models_config
+    models = get_models_config()
+    enabled = [v.get("name", k) for k, v in models.items() if v.get("enabled")]
+    if len(enabled) >= 2:
+        findings.append({"type": "deliberation_ready", "models": enabled})
+    elif len(enabled) == 1:
+        suggestions.append({"action": "models", "detail": f"Add 1 more AI model for multi-model deliberation (have {enabled[0]})"})
+    else:
+        suggestions.append({"action": "models", "detail": "Configure AI models for deliberation: say 'configure delimit models'"})
+
+    return _with_next_steps("scan", {
+        "project": str(p),
+        "findings": findings,
+        "suggestions": suggestions,
+        "summary": f"Found {len(findings)} things, {len(suggestions)} suggestions",
+    })
+
+
 # ═══════════════════════════════════════════════════════════════════════
 #  ENTRY POINT
 # ═══════════════════════════════════════════════════════════════════════

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "delimit-cli",
-  "version": "3.7.0",
+  "version": "3.8.0",
   "description": "One workspace for every AI coding assistant. Tasks, memory, and governance carry between Claude Code, Codex, and Gemini CLI.",
   "main": "index.js",
   "files": [