delimit-cli 4.1.43 → 4.1.44

package/gateway/ai/github_scanner.py

@@ -30,7 +30,7 @@ OWN_REPOS = [
     "delimit-ai/delimit-quickstart",
 ]
 
-INTERNAL_USERS = set()  # configured at runtime
+INTERNAL_USERS = set(filter(None, os.environ.get("DELIMIT_INTERNAL_USERS", "").split(",")))
 
 COMPETITOR_ACTIONS = [
     "tufin/oasdiff-action",

package/gateway/ai/governance.py

@@ -35,6 +35,59 @@ def _is_test_mode() -> bool:
 logger = logging.getLogger("delimit.governance")
 
 
+# ── LED-263: Beta CTA for conversion ────────────────────────────────
+# Tools that should show a beta signup prompt on successful results.
+_BETA_CTA_TOOLS = frozenset({"lint", "scan", "activate", "diff", "quickstart"})
+
+_BETA_CTA = {
+    "text": "Like what you see? Join the beta for priority support and full governance.",
+    "url": "https://app.delimit.ai",
+    "action": "star_repo_or_signup",
+}
+
+
+def _is_beta_user() -> bool:
+    """Check if the current user is already tracked as a founding/beta user."""
+    try:
+        from ai.founding_users import _load_founding_users
+        data = _load_founding_users()
+        if data.get("users"):
+            return True
+    except Exception:
+        pass
+    # Also check if a Pro license is active (paying users don't need the CTA)
+    try:
+        from ai.license import get_license
+        lic = get_license()
+        if lic.get("tier", "free") != "free":
+            return True
+    except Exception:
+        pass
+    return False
+
+
+def _result_is_successful(result: Dict[str, Any]) -> bool:
+    """Return True if a tool result looks like a success (no errors)."""
+    if result.get("error"):
+        return False
+    if result.get("status") in ("error", "failed", "blocked"):
+        return False
+    if result.get("governance_blocked"):
+        return False
+    return True
+
+
+def _maybe_beta_cta(tool_name: str, result: Dict[str, Any]) -> Optional[Dict[str, str]]:
+    """Return a beta CTA dict if the tool qualifies and the user is not already signed up."""
+    if tool_name not in _BETA_CTA_TOOLS:
+        return None
+    if not _result_is_successful(result):
+        return None
+    if _is_beta_user():
+        return None
+    return dict(_BETA_CTA)
+
+
 def _ledger_list_items(project_path: str = ".") -> Dict[str, Any]:
     """Indirection layer so tests can patch governance-local ledger hooks."""
     import ai.ledger_manager as _lm
@@ -676,6 +729,11 @@ def govern(tool_name: str, result: Dict[str, Any], project_path: str = ".") -> D
         if "next_steps" not in governed_result:
             governed_result["next_steps"] = []
 
+    # LED-263: Beta CTA on successful lint/scan/activate/diff results
+    cta = _maybe_beta_cta(clean_name, governed_result)
+    if cta:
+        governed_result["beta_cta"] = cta
+
     return governed_result
 
 

package/gateway/ai/key_resolver.py

@@ -1,2 +1,95 @@
-# key_resolver — Pro module (stubbed in npm package)
-# Full implementation available on delimit.ai server
+"""Auto-resolve API keys from multiple sources.
+
+Priority: env var -> secrets broker -> return None (free fallback).
+
+Every MCP tool that depends on an external service should use this module
+so it works out of the box without API keys, with enhanced functionality
+unlocked when keys are available.
+"""
+
+import json
+import logging
+import os
+import shutil
+import subprocess
+from pathlib import Path
+from typing import Optional, Tuple
+
+logger = logging.getLogger("delimit.ai.key_resolver")
+
+SECRETS_DIR = Path.home() / ".delimit" / "secrets"
+
+
+def get_key(name: str, env_var: str = "", _secrets_dir: Optional[Path] = None) -> Tuple[Optional[str], str]:
+    """Get an API key.  Returns (key, source) or (None, "not_found").
+
+    Sources checked in order:
+    1. Environment variable (explicit *env_var*, then common conventions)
+    2. ~/.delimit/secrets/{name}.json
+    3. None (free fallback)
+    """
+    # 1. Env var — explicit, then common patterns
+    candidates = [env_var] if env_var else []
+    candidates += [
+        f"{name.upper()}_TOKEN",
+        f"{name.upper()}_API_KEY",
+        f"{name.upper()}_KEY",
+    ]
+    for var in candidates:
+        if not var:
+            continue
+        val = os.environ.get(var)
+        if val:
+            return val, "env"
+
+    # 2. Secrets broker
+    secrets_dir = _secrets_dir if _secrets_dir is not None else SECRETS_DIR
+    secrets_file = secrets_dir / f"{name.lower()}.json"
+    if secrets_file.exists():
+        try:
+            data = json.loads(secrets_file.read_text())
+            for field in ("value", "api_key", "token", "key"):
+                if data.get(field):
+                    return data[field], "secrets_broker"
+        except Exception:
+            logger.debug("Failed to read secrets file %s", secrets_file)
+
+    # 3. Not found
+    return None, "not_found"
+
+
+# ---------------------------------------------------------------------------
+# Convenience wrappers
+# ---------------------------------------------------------------------------
+
+def get_figma_token() -> Tuple[Optional[str], str]:
+    """Resolve Figma API token."""
+    return get_key("figma", "FIGMA_TOKEN")
+
+
+def get_trivy_path() -> Tuple[Optional[str], str]:
+    """Check if Trivy binary is available on PATH."""
+    path = shutil.which("trivy")
+    return (path, "installed") if path else (None, "not_found")
+
+
+def get_playwright() -> Tuple[bool, str]:
+    """Check whether Playwright is usable (Python package installed)."""
+    try:
+        import playwright  # noqa: F401
+        return True, "installed"
+    except ImportError:
+        return False, "not_found"
+
+
+def get_puppeteer() -> Tuple[bool, str]:
+    """Check whether puppeteer (npx) is available for screenshot fallback."""
+    try:
+        result = subprocess.run(
+            ["npx", "puppeteer", "--version"],
+            capture_output=True,
+            timeout=15,
+        )
+        return (True, "installed") if result.returncode == 0 else (False, "not_found")
+    except Exception:
+        return False, "not_found"

package/gateway/ai/ledger_manager.py

@@ -91,10 +91,20 @@ def _register_venture(info: Dict[str, str]):
         VENTURES_FILE.write_text(json.dumps(ventures, indent=2))
 
 
+CENTRAL_LEDGER_DIR = Path.home() / ".delimit" / "ledger"
+
+
 def _project_ledger_dir(project_path: str = ".") -> Path:
-    """Get the ledger directory for the current project."""
-    p = Path(project_path).resolve()
-    return p / ".delimit" / "ledger"
+    """Get the ledger directory — ALWAYS uses central ~/.delimit/ledger/.
+
+    Cross-model handoff fix: Codex and Gemini were writing to $PWD/.delimit/ledger/
+    which caused ledger fragmentation. All models must use the same central location
+    so Claude, Codex, and Gemini see the same items.
+
+    The central ledger at ~/.delimit/ledger/ is the source of truth.
+    Per-project .delimit/ dirs are for policies and config only, not ledger state.
+    """
+    return CENTRAL_LEDGER_DIR
 
 
 def _ensure(project_path: str = "."):