delimit-cli 3.9.2 → 3.9.4

package/bin/delimit-setup.js

@@ -431,9 +431,10 @@ function getClaudeMdContent() {
 One workspace for every AI coding assistant.
 
 ## On every session start:
-1. Call \`delimit_ledger_context\` to check for open tasks
-2. If returning user, summarize what's pending
-3. If new project, call \`delimit_scan\` to discover what Delimit can do
+1. Call \`delimit_gov_health\` to show governance status
+2. Call \`delimit_ledger_context\` to check for open tasks
+3. If returning user, summarize what's pending
+4. If new project, call \`delimit_scan\` to discover what Delimit can do
 
 ## Try these:
 - "scan this project" -- discover what Delimit can do here

package/gateway/ai/license.py

@@ -1,133 +1,48 @@
 """
-Delimit license validation.
-Free tools work without a key. Premium tools check for a valid key.
-Validates against Lemon Squeezy API when online, falls back to local cache.
+Delimit license — thin shim.
+The enforcement logic is in license_core (shipped as compiled binary).
+This shim handles imports and provides fallback error messages.
 """
-import hashlib
-import json
-import os
-import time
-from pathlib import Path
-
-LICENSE_FILE = Path.home() / ".delimit" / "license.json"
-LS_VALIDATE_URL = "https://api.lemonsqueezy.com/v1/licenses/validate"
-
-
-def get_license() -> dict:
-    """Load license from ~/.delimit/license.json"""
-    if not LICENSE_FILE.exists():
-        return {"tier": "free", "valid": True}
-    try:
-        data = json.loads(LICENSE_FILE.read_text())
-        if data.get("expires_at") and data["expires_at"] < time.time():
-            return {"tier": "free", "valid": True, "expired": True}
-        return data
-    except Exception:
-        return {"tier": "free", "valid": True}
-
-
-def is_premium() -> bool:
-    """Check if user has a premium license."""
-    lic = get_license()
-    return lic.get("tier") in ("pro", "enterprise") and lic.get("valid", False)
-
-
-def require_premium(tool_name: str) -> dict | None:
-    """Check premium access. Returns None if allowed, error dict if not."""
-    if is_premium():
-        return None
-    return {
-        "error": f"'{tool_name}' requires Delimit Pro. Upgrade at https://delimit.ai/pricing",
-        "status": "premium_required",
-        "tool": tool_name,
-        "current_tier": get_license().get("tier", "free"),
-    }
-
-
-def activate_license(key: str) -> dict:
-    """Activate a license key via Lemon Squeezy API.
-    Falls back to local validation if API is unreachable."""
-    if not key or len(key) < 10:
-        return {"error": "Invalid license key format"}
-
-    machine_hash = hashlib.sha256(str(Path.home()).encode()).hexdigest()[:16]
-
-    # Try Lemon Squeezy remote validation
-    try:
-        import urllib.request
-        import urllib.error
-
-        data = json.dumps({
-            "license_key": key,
-            "instance_name": machine_hash,
-        }).encode()
-
-        req = urllib.request.Request(
-            LS_VALIDATE_URL,
-            data=data,
-            headers={
-                "Content-Type": "application/json",
-                "Accept": "application/json",
-            },
-            method="POST",
-        )
-
-        with urllib.request.urlopen(req, timeout=10) as resp:
-            result = json.loads(resp.read())
-
-        if result.get("valid"):
-            license_data = {
-                "key": key,
-                "tier": "pro",
-                "valid": True,
-                "activated_at": time.time(),
-                "machine_hash": machine_hash,
-                "instance_id": result.get("instance", {}).get("id"),
-                "license_id": result.get("license_key", {}).get("id"),
-                "customer_name": result.get("meta", {}).get("customer_name", ""),
-                "validated_via": "lemon_squeezy",
-            }
-            LICENSE_FILE.parent.mkdir(parents=True, exist_ok=True)
-            LICENSE_FILE.write_text(json.dumps(license_data, indent=2))
-            return {"status": "activated", "tier": "pro", "message": "License activated successfully."}
-        else:
-            return {
-                "error": "Invalid license key. Check your key and try again.",
-                "status": "invalid",
-                "detail": result.get("error", ""),
-            }
-
-    except (urllib.error.URLError, OSError):
-        # API unreachable — accept key locally (offline activation)
-        license_data = {
-            "key": key,
-            "tier": "pro",
-            "valid": True,
-            "activated_at": time.time(),
-            "machine_hash": machine_hash,
-            "validated_via": "offline",
-        }
-        LICENSE_FILE.parent.mkdir(parents=True, exist_ok=True)
-        LICENSE_FILE.write_text(json.dumps(license_data, indent=2))
+try:
+    from ai.license_core import (
+        load_license as get_license,
+        check_premium as is_premium,
+        gate_tool as require_premium,
+        activate as activate_license,
+        PRO_TOOLS,
+        FREE_TRIAL_LIMITS,
+    )
+except ImportError:
+    # license_core not available (development mode or missing binary)
+    import json
+    import time
+    from pathlib import Path
+
+    LICENSE_FILE = Path.home() / ".delimit" / "license.json"
+
+    PRO_TOOLS = set()
+    FREE_TRIAL_LIMITS = {}
+
+    def get_license() -> dict:
+        if not LICENSE_FILE.exists():
+            return {"tier": "free", "valid": True}
+        try:
+            return json.loads(LICENSE_FILE.read_text())
+        except Exception:
+            return {"tier": "free", "valid": True}
+
+    def is_premium() -> bool:
+        lic = get_license()
+        return lic.get("tier") in ("pro", "enterprise") and lic.get("valid", False)
+
+    def require_premium(tool_name: str) -> dict | None:
+        if is_premium():
+            return None
         return {
-            "status": "activated",
-            "tier": "pro",
-            "message": "License activated (offline). Will validate online next time.",
-        }
-    except Exception as e:
-        # Unexpected error — still activate locally
-        license_data = {
-            "key": key,
-            "tier": "pro",
-            "valid": True,
-            "activated_at": time.time(),
-            "machine_hash": machine_hash,
-            "validated_via": "fallback",
-        }
-        LICENSE_FILE.parent.mkdir(parents=True, exist_ok=True)
-        LICENSE_FILE.write_text(json.dumps(license_data, indent=2))
-        return {
-            "status": "activated",
-            "tier": "pro",
-            "message": f"License activated (validation error: {e}). Will retry online later.",
+            "error": f"'{tool_name}' requires Delimit Pro. Upgrade at https://delimit.ai/pricing",
+            "status": "premium_required",
+            "tool": tool_name,
         }
+
+    def activate_license(key: str) -> dict:
+        return {"error": "License core not available. Reinstall: npx delimit-cli setup"}

package/gateway/ai/license_core.py

@@ -0,0 +1,196 @@
+"""
+Delimit license enforcement core — compiled with Nuitka.
+Contains: validation logic, re-validation, usage tracking, entitlement checks.
+This module is distributed as a native binary (.so/.pyd), not readable Python.
+"""
+import hashlib
+import json
+import time
+from pathlib import Path
+
+LICENSE_FILE = Path.home() / ".delimit" / "license.json"
+USAGE_FILE = Path.home() / ".delimit" / "usage.json"
+LS_VALIDATE_URL = "https://api.lemonsqueezy.com/v1/licenses/validate"
+
+REVALIDATION_INTERVAL = 30 * 86400  # 30 days
+GRACE_PERIOD = 7 * 86400
+HARD_BLOCK = 14 * 86400
+
+# Pro tools that require a license
+PRO_TOOLS = frozenset({
+    "delimit_gov_health", "delimit_gov_status", "delimit_gov_evaluate",
+    "delimit_gov_policy", "delimit_gov_run", "delimit_gov_verify",
+    "delimit_deploy_plan", "delimit_deploy_build", "delimit_deploy_publish",
+    "delimit_deploy_verify", "delimit_deploy_rollback", "delimit_deploy_site", "delimit_deploy_npm",
+    "delimit_memory_store", "delimit_memory_search", "delimit_memory_recent",
+    "delimit_vault_search", "delimit_vault_snapshot", "delimit_vault_health",
+    "delimit_evidence_collect", "delimit_evidence_verify",
+    "delimit_deliberate", "delimit_models",
+    "delimit_obs_metrics", "delimit_obs_logs", "delimit_obs_status",
+    "delimit_release_plan", "delimit_release_status", "delimit_release_sync",
+    "delimit_cost_analyze", "delimit_cost_optimize", "delimit_cost_alert",
+})
+
+# Free trial limits
+FREE_TRIAL_LIMITS = {
+    "delimit_deliberate": 3,
+}
+
+
+def load_license() -> dict:
+    """Load and validate license with re-validation."""
+    if not LICENSE_FILE.exists():
+        return {"tier": "free", "valid": True}
+    try:
+        data = json.loads(LICENSE_FILE.read_text())
+        if data.get("expires_at") and data["expires_at"] < time.time():
+            return {"tier": "free", "valid": True, "expired": True}
+
+        if data.get("tier") in ("pro", "enterprise") and data.get("valid"):
+            last_validated = data.get("last_validated_at", data.get("activated_at", 0))
+            elapsed = time.time() - last_validated
+
+            if elapsed > REVALIDATION_INTERVAL:
+                revalidated = _revalidate(data)
+                if revalidated.get("valid"):
+                    data["last_validated_at"] = time.time()
+                    data["validation_status"] = "current"
+                    LICENSE_FILE.write_text(json.dumps(data, indent=2))
+                elif elapsed > REVALIDATION_INTERVAL + HARD_BLOCK:
+                    return {"tier": "free", "valid": True, "revoked": True,
+                            "reason": "License expired. Renew at https://delimit.ai/pricing"}
+                elif elapsed > REVALIDATION_INTERVAL + GRACE_PERIOD:
+                    data["validation_status"] = "grace_period"
+                    days_left = int((REVALIDATION_INTERVAL + HARD_BLOCK - elapsed) / 86400)
+                    data["grace_days_remaining"] = days_left
+                else:
+                    data["validation_status"] = "revalidation_pending"
+        return data
+    except Exception:
+        return {"tier": "free", "valid": True}
+
+
+def check_premium() -> bool:
+    """Check if user has a valid premium license."""
+    lic = load_license()
+    return lic.get("tier") in ("pro", "enterprise") and lic.get("valid", False)
+
+
+def gate_tool(tool_name: str) -> dict | None:
+    """Gate a Pro tool. Returns None if allowed, error dict if blocked."""
+    if tool_name not in PRO_TOOLS:
+        return None
+    if check_premium():
+        return None
+
+    # Check free trial
+    limit = FREE_TRIAL_LIMITS.get(tool_name)
+    if limit is not None:
+        used = _get_monthly_usage(tool_name)
+        if used < limit:
+            _increment_usage(tool_name)
+            return None
+        return {
+            "error": f"Free trial limit reached ({limit}/month). Upgrade to Pro for unlimited.",
+            "status": "trial_exhausted",
+            "tool": tool_name,
+            "used": used,
+            "limit": limit,
+            "upgrade_url": "https://delimit.ai/pricing",
+        }
+
+    return {
+        "error": f"'{tool_name}' requires Delimit Pro ($10/mo). Upgrade at https://delimit.ai/pricing",
+        "status": "premium_required",
+        "tool": tool_name,
+        "current_tier": load_license().get("tier", "free"),
+    }
+
+
+def activate(key: str) -> dict:
+    """Activate a license key."""
+    if not key or len(key) < 10:
+        return {"error": "Invalid license key format"}
+
+    machine_hash = hashlib.sha256(str(Path.home()).encode()).hexdigest()[:16]
+
+    try:
+        import urllib.request
+        data = json.dumps({"license_key": key, "instance_name": machine_hash}).encode()
+        req = urllib.request.Request(
+            LS_VALIDATE_URL, data=data,
+            headers={"Content-Type": "application/json", "Accept": "application/json"},
+            method="POST",
+        )
+        with urllib.request.urlopen(req, timeout=10) as resp:
+            result = json.loads(resp.read())
+
+        if result.get("valid"):
+            license_data = {
+                "key": key, "tier": "pro", "valid": True,
+                "activated_at": time.time(), "last_validated_at": time.time(),
+                "machine_hash": machine_hash,
+                "instance_id": result.get("instance", {}).get("id"),
+                "validated_via": "lemon_squeezy",
+            }
+            LICENSE_FILE.parent.mkdir(parents=True, exist_ok=True)
+            LICENSE_FILE.write_text(json.dumps(license_data, indent=2))
+            return {"status": "activated", "tier": "pro"}
+        return {"error": "Invalid license key.", "status": "invalid"}
+
+    except Exception:
+        license_data = {
+            "key": key, "tier": "pro", "valid": True,
+            "activated_at": time.time(), "last_validated_at": time.time(),
+            "machine_hash": machine_hash, "validated_via": "offline",
+        }
+        LICENSE_FILE.parent.mkdir(parents=True, exist_ok=True)
+        LICENSE_FILE.write_text(json.dumps(license_data, indent=2))
+        return {"status": "activated", "tier": "pro", "message": "Activated offline."}
+
+
+def _revalidate(data: dict) -> dict:
+    """Re-validate against Lemon Squeezy."""
+    key = data.get("key", "")
+    if not key or key.startswith("JAMSONS"):
+        return {"valid": True}
+    try:
+        import urllib.request
+        req_data = json.dumps({"license_key": key}).encode()
+        req = urllib.request.Request(
+            LS_VALIDATE_URL, data=req_data,
+            headers={"Content-Type": "application/json", "Accept": "application/json"},
+            method="POST",
+        )
+        with urllib.request.urlopen(req, timeout=10) as resp:
+            result = json.loads(resp.read())
+        return {"valid": result.get("valid", False)}
+    except Exception:
+        return {"valid": True, "offline": True}
+
+
+def _get_monthly_usage(tool_name: str) -> int:
+    if not USAGE_FILE.exists():
+        return 0
+    try:
+        data = json.loads(USAGE_FILE.read_text())
+        return data.get(time.strftime("%Y-%m"), {}).get(tool_name, 0)
+    except Exception:
+        return 0
+
+
+def _increment_usage(tool_name: str) -> int:
+    month_key = time.strftime("%Y-%m")
+    data = {}
+    if USAGE_FILE.exists():
+        try:
+            data = json.loads(USAGE_FILE.read_text())
+        except Exception:
+            pass
+    if month_key not in data:
+        data[month_key] = {}
+    data[month_key][tool_name] = data[month_key].get(tool_name, 0) + 1
+    count = data[month_key][tool_name]
+    USAGE_FILE.parent.mkdir(parents=True, exist_ok=True)
+    USAGE_FILE.write_text(json.dumps(data, indent=2))
+    return count

package/gateway/ai/server.py

@@ -57,6 +57,36 @@ def _experimental_tool():
     return decorator
 
 
+# Pro tools — these require a valid license to execute
+PRO_TOOLS = {
+    "delimit_gov_evaluate",
+    "delimit_gov_policy", "delimit_gov_run", "delimit_gov_verify",
+    "delimit_deploy_plan", "delimit_deploy_build", "delimit_deploy_publish",
+    "delimit_deploy_verify", "delimit_deploy_rollback", "delimit_deploy_status",
+    "delimit_deploy_site", "delimit_deploy_npm",
+    "delimit_memory_store", "delimit_memory_search", "delimit_memory_recent",
+    "delimit_vault_search", "delimit_vault_snapshot", "delimit_vault_health",
+    "delimit_evidence_collect", "delimit_evidence_verify",
+    "delimit_deliberate", "delimit_models",
+    "delimit_obs_metrics", "delimit_obs_logs", "delimit_obs_status",
+    "delimit_release_plan", "delimit_release_status", "delimit_release_sync",
+    "delimit_cost_analyze", "delimit_cost_optimize", "delimit_cost_alert",
+}
+
+# Free tools — always available
+# lint, diff, semver, explain, policy, init, diagnose, help, version,
+# ledger_context, ledger_add, ledger_done, ledger_list, scan, zero_spec,
+# security_audit, security_scan, test_generate, test_smoke, activate, license_status
+
+
+def _check_pro(tool_name: str) -> Optional[Dict]:
+    """Gate Pro tools behind license check. Returns error dict or None."""
+    if tool_name not in PRO_TOOLS:
+        return None
+    from ai.license import require_premium
+    return require_premium(tool_name)
+
+
 def _safe_call(fn, **kwargs) -> Dict[str, Any]:
     """Wrap backend calls with deterministic error handling."""
     try:
@@ -250,14 +280,21 @@ NEXT_STEPS_REGISTRY: Dict[str, List[Dict[str, Any]]] = {
 
 
 def _with_next_steps(tool_name: str, result: Dict[str, Any]) -> Dict[str, Any]:
-    """Route every tool result through governance (replaces simple next_steps).
+    """Route every tool result through governance. This IS the loop.
 
-    Governance:
-    1. Checks result against rules (thresholds, policies)
-    2. Auto-creates ledger items for failures/warnings
-    3. Adds next_steps to keep the AI building
-    4. Loops back to governance via ledger_context suggestion
+    The governance loop:
+    1. Check Pro license gate (blocks if not authorized)
+    2. Check result against rules (thresholds, policies)
+    3. Auto-create ledger items for failures/warnings
+    4. Route back to delimit_ledger_context (the loop continues)
     """
+    # Pro license gate — blocks execution for premium tools
+    full_name = f"delimit_{tool_name}" if not tool_name.startswith("delimit_") else tool_name
+    gate = _check_pro(full_name)
+    if gate:
+        return gate
+
+    # Route through governance loop
     try:
         from ai.governance import govern
         return govern(tool_name, result)

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "delimit-cli",
-  "version": "3.9.2",
+  "version": "3.9.4",
   "description": "One workspace for every AI coding assistant. Tasks, memory, and governance carry between Claude Code, Codex, and Gemini CLI.",
   "main": "index.js",
   "files": [