delimit-cli 4.1.43 → 4.1.47

package/scripts/demo-v420.sh

@@ -0,0 +1,55 @@
+#!/bin/bash
+# v4.20 Demo Script — recorded via asciinema for YouTube Short + GIF
+# Shows: doctor → simulate → status → report flow
+# Each command has a pause so the viewer can read the output
+
+set -e
+
+# Simulated typing effect
+type_cmd() {
+    echo ""
+    echo -n "$ "
+    for ((i=0; i<${#1}; i++)); do
+        echo -n "${1:$i:1}"
+        sleep 0.04
+    done
+    echo ""
+    sleep 0.3
+}
+
+clear
+echo ""
+echo "  Delimit v4.20 — The Highest State of AI Governance"
+echo "  ─────────────────────────────────────────────────────"
+echo ""
+sleep 2
+
+# 1. Doctor
+type_cmd "delimit doctor"
+delimit doctor 2>/dev/null || node /home/delimit/npm-delimit/bin/delimit-cli.js doctor 2>/dev/null
+sleep 3
+
+# 2. Simulate
+type_cmd "delimit simulate"
+delimit simulate 2>/dev/null || node /home/delimit/npm-delimit/bin/delimit-cli.js simulate 2>/dev/null
+sleep 3
+
+# 3. Status
+type_cmd "delimit status"
+delimit status 2>/dev/null || node /home/delimit/npm-delimit/bin/delimit-cli.js status 2>/dev/null
+sleep 3
+
+# 4. Report
+type_cmd "delimit report --since 7d"
+delimit report --since 7d 2>/dev/null || node /home/delimit/npm-delimit/bin/delimit-cli.js report --since 7d 2>/dev/null
+sleep 3
+
+# 5. Remember
+type_cmd "delimit remember 'v4.20 demo recorded successfully'"
+delimit remember 'v4.20 demo recorded successfully' 2>/dev/null || node /home/delimit/npm-delimit/bin/delimit-cli.js remember 'v4.20 demo recorded successfully' 2>/dev/null
+sleep 2
+
+echo ""
+echo "  npm i -g delimit-cli@4.20.0"
+echo ""
+sleep 3

package/scripts/postinstall.js

@@ -10,12 +10,13 @@ console.log('');
 console.log('  \x1b[1m\x1b[35mDelimit\x1b[0m v' + v + ' installed');
 console.log('');
 console.log('  Quick start:');
-console.log('    \x1b[32mdelimit init\x1b[0m          Auto-detect framework, set policy, first lint');
-console.log('    \x1b[32mdelimit lint\x1b[0m          Check for breaking API changes');
+console.log('    \x1b[32mdelimit doctor\x1b[0m        Check your setup, fix what\'s missing');
+console.log('    \x1b[32mdelimit simulate\x1b[0m      Dry-run: see what governance would block');
+console.log('    \x1b[32mdelimit status\x1b[0m        Visual dashboard of your governance posture');
 console.log('    \x1b[32mdelimit setup\x1b[0m         Install MCP governance for AI assistants');
 console.log('');
-console.log('  Dashboard:  \x1b[36mhttps://app.delimit.ai\x1b[0m');
 console.log('  Docs:       \x1b[36mhttps://delimit.ai/docs\x1b[0m');
+console.log('  Star us:    \x1b[36mhttps://github.com/delimit-ai/delimit-mcp-server\x1b[0m');
 console.log('');
 
 // Anonymous telemetry ping — no PII, just "someone installed"

package/scripts/publish-ci-guard.sh

@@ -0,0 +1,30 @@
+#!/bin/bash
+# Publish CI Guard — warns when npm publish is run outside of CI
+#
+# In CI (GitHub Actions sets CI=true), this is a no-op.
+# Locally, it prints a warning recommending the tag-based flow,
+# but still allows the publish for emergency hotfixes.
+
+set -euo pipefail
+
+if [ "${CI:-}" = "true" ]; then
+    # Running in CI — all good, proceed silently
+    exit 0
+fi
+
+echo ""
+echo "========================================================"
+echo "  WARNING: You are running npm publish directly."
+echo ""
+echo "  The recommended flow is tag-based publishing:"
+echo "    ./scripts/release.sh <version>"
+echo ""
+echo "  This bumps the version, creates a git tag, and pushes."
+echo "  GitHub Actions then handles the npm publish with"
+echo "  provenance, security checks, and a GitHub Release."
+echo ""
+echo "  Continuing in 5 seconds (Ctrl+C to abort)..."
+echo "========================================================"
+echo ""
+
+sleep 5

package/scripts/record-and-upload.sh

@@ -0,0 +1,132 @@
+#!/usr/bin/env bash
+#
+# record-and-upload.sh -- Record a terminal demo and optionally upload to YouTube.
+#
+# Full pipeline:
+#   1. Record terminal via asciinema  -> /tmp/delimit-demo.cast
+#   2. Convert to GIF via agg         -> /tmp/delimit-demo.gif
+#   3. Convert to MP4 via ffmpeg       -> /tmp/delimit-demo.mp4
+#   4. Upload to YouTube via API       -> prints video URL
+#
+# Usage:
+#   ./scripts/record-and-upload.sh [OPTIONS]
+#
+# Options:
+#   --script <path>       Shell script to record (non-interactive). Omit for interactive.
+#   --title <title>       YouTube video title (default: "Delimit Demo")
+#   --description <desc>  YouTube video description
+#   --gif-only            Only produce the GIF, skip MP4 and upload
+#   --no-upload           Produce GIF + MP4 but skip YouTube upload
+#   -h, --help            Show this help message
+#
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
+# --- Defaults ---
+DEMO_SCRIPT=""
+TITLE="Delimit Demo"
+DESCRIPTION="API governance in action with Delimit CLI."
+GIF_ONLY=false
+NO_UPLOAD=false
+
+CAST_FILE="/tmp/delimit-demo.cast"
+GIF_FILE="/tmp/delimit-demo.gif"
+MP4_FILE="/tmp/delimit-demo.mp4"
+
+# --- Arg parsing ---
+while [[ $# -gt 0 ]]; do
+    case "$1" in
+        --script)
+            DEMO_SCRIPT="$2"
+            shift 2
+            ;;
+        --title)
+            TITLE="$2"
+            shift 2
+            ;;
+        --description)
+            DESCRIPTION="$2"
+            shift 2
+            ;;
+        --gif-only)
+            GIF_ONLY=true
+            shift
+            ;;
+        --no-upload)
+            NO_UPLOAD=true
+            shift
+            ;;
+        -h|--help)
+            head -25 "$0" | tail -22
+            exit 0
+            ;;
+        *)
+            echo "Unknown option: $1" >&2
+            exit 1
+            ;;
+    esac
+done
+
+# --- Step 1: Record with asciinema ---
+echo "[record] Starting asciinema recording -> ${CAST_FILE}"
+if [[ -n "${DEMO_SCRIPT}" ]]; then
+    if [[ ! -f "${DEMO_SCRIPT}" ]]; then
+        echo "Error: script not found: ${DEMO_SCRIPT}" >&2
+        exit 1
+    fi
+    asciinema rec --overwrite --command "bash ${DEMO_SCRIPT}" "${CAST_FILE}"
+else
+    echo "[record] Interactive mode -- press Ctrl-D or type 'exit' when done."
+    asciinema rec --overwrite "${CAST_FILE}"
+fi
+echo "[record] Recording saved to ${CAST_FILE}"
+
+# --- Step 2: Convert to GIF via agg ---
+echo "[gif] Converting cast -> GIF (theme: monokai, font-size: 16)"
+agg --theme monokai --font-size 16 "${CAST_FILE}" "${GIF_FILE}"
+echo "[gif] GIF saved to ${GIF_FILE}"
+
+if [[ "${GIF_ONLY}" == true ]]; then
+    echo "[done] GIF-only mode. Output: ${GIF_FILE}"
+    exit 0
+fi
+
+# --- Step 3: Convert GIF to MP4 (YouTube Shorts: 1080x1920, 9:16) ---
+echo "[mp4] Converting GIF -> MP4 (1080x1920, h264, Shorts-ready)"
+ffmpeg -y -i "${GIF_FILE}" \
+    -vf "scale='if(gt(iw/ih,1080/1920),1080,-2)':'if(gt(iw/ih,1080/1920),-2,1920)',pad=1080:1920:(1080-iw)/2:(1920-ih)/2:black" \
+    -c:v libx264 \
+    -pix_fmt yuv420p \
+    -preset slow \
+    -crf 18 \
+    -movflags +faststart \
+    -r 15 \
+    "${MP4_FILE}"
+echo "[mp4] MP4 saved to ${MP4_FILE}"
+
+if [[ "${NO_UPLOAD}" == true ]]; then
+    echo "[done] No-upload mode. Outputs:"
+    echo "  GIF: ${GIF_FILE}"
+    echo "  MP4: ${MP4_FILE}"
+    exit 0
+fi
+
+# --- Step 4: Upload to YouTube ---
+echo "[upload] Uploading to YouTube (unlisted) ..."
+VIDEO_URL=$(python3 "${SCRIPT_DIR}/youtube-upload.py" \
+    "${MP4_FILE}" \
+    --title "${TITLE}" \
+    --description "${DESCRIPTION}" \
+    --privacy unlisted)
+
+echo ""
+echo "=============================="
+echo " Pipeline complete"
+echo "=============================="
+echo " CAST: ${CAST_FILE}"
+echo " GIF:  ${GIF_FILE}"
+echo " MP4:  ${MP4_FILE}"
+echo " URL:  ${VIDEO_URL}"
+echo "=============================="

package/scripts/release.sh

@@ -0,0 +1,126 @@
+#!/bin/bash
+# Tag-based release script for delimit-cli
+# Usage: ./scripts/release.sh 4.2.0
+#
+# This script:
+#   1. Validates the version argument
+#   2. Syncs gateway files locally
+#   3. Runs tests
+#   4. Bumps package.json version
+#   5. Commits the version bump
+#   6. Creates and pushes the git tag
+#
+# The GitHub Actions workflow (.github/workflows/publish.yml) handles
+# the actual npm publish when it sees the v* tag push.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_DIR="$(dirname "$SCRIPT_DIR")"
+cd "$PROJECT_DIR"
+
+# ── Argument validation ──────────────────────────────────────────────
+VERSION="${1:-}"
+if [ -z "$VERSION" ]; then
+    echo "Usage: ./scripts/release.sh <version>"
+    echo "  e.g. ./scripts/release.sh 4.2.0"
+    exit 1
+fi
+
+# Strip leading v if provided (we add it to the tag ourselves)
+VERSION="${VERSION#v}"
+
+# Validate semver format
+if ! echo "$VERSION" | grep -qE '^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$'; then
+    echo "Error: '$VERSION' is not a valid semver version"
+    exit 1
+fi
+
+CURRENT=$(node -p "require('./package.json').version")
+TAG="v$VERSION"
+
+echo ""
+echo "Delimit CLI Release"
+echo "==================="
+echo "  Current version: $CURRENT"
+echo "  New version:     $VERSION"
+echo "  Tag:             $TAG"
+echo ""
+
+# ── Pre-flight checks ────────────────────────────────────────────────
+
+# Check for uncommitted changes
+if [ -n "$(git status --porcelain)" ]; then
+    echo "Error: working tree is dirty. Commit or stash changes first."
+    exit 1
+fi
+
+# Check tag doesn't already exist
+if git rev-parse "$TAG" >/dev/null 2>&1; then
+    echo "Error: tag $TAG already exists"
+    exit 1
+fi
+
+# Check we're on main branch
+BRANCH=$(git rev-parse --abbrev-ref HEAD)
+if [ "$BRANCH" != "main" ] && [ "$BRANCH" != "master" ]; then
+    echo "Warning: releasing from branch '$BRANCH' (not main)"
+    read -p "Continue? [y/N] " -n 1 -r
+    echo
+    if [[ ! $REPLY =~ ^[Yy]$ ]]; then
+        exit 1
+    fi
+fi
+
+# ── Step 1: Sync gateway ─────────────────────────────────────────────
+echo "[1/5] Syncing gateway..."
+npm run sync-gateway
+
+# ── Step 2: Run tests ────────────────────────────────────────────────
+echo ""
+echo "[2/5] Running tests..."
+npm test
+
+# ── Step 3: Run security check ───────────────────────────────────────
+echo ""
+echo "[3/5] Running security check..."
+bash scripts/security-check.sh
+
+# ── Step 4: Bump version ─────────────────────────────────────────────
+echo ""
+echo "[4/5] Bumping version to $VERSION..."
+npm version "$VERSION" --no-git-tag-version
+
+# ── Step 5: Commit, tag, and push ────────────────────────────────────
+echo ""
+echo "[5/5] Committing and tagging..."
+
+# Stage synced gateway files too (sync-gateway may have updated them)
+git add package.json package-lock.json gateway/
+
+# Use a release branch to avoid main branch protection
+RELEASE_BRANCH="release/v$VERSION"
+git checkout -b "$RELEASE_BRANCH"
+git commit -m "release: v$VERSION"
+git push -u origin "$RELEASE_BRANCH" --no-verify
+
+# Create PR and merge
+echo "Creating release PR..."
+PR_URL=$(gh pr create --title "release: v$VERSION" --body "Automated release v$VERSION" 2>&1)
+echo "  PR: $PR_URL"
+gh pr merge --squash --admin "$RELEASE_BRANCH" 2>/dev/null || {
+    echo "  Merge manually or with: gh pr merge --squash --admin $RELEASE_BRANCH"
+}
+
+# Switch back to main and pull the merge
+git checkout main
+git pull origin main
+
+# Tag the merged commit
+git tag -a "$TAG" -m "Release $VERSION"
+git push origin "$TAG"
+
+echo ""
+echo "Done. GitHub Actions will handle npm publish."
+echo "  Monitor: https://github.com/delimit-ai/delimit-mcp-server/actions"
+echo "  Release: https://github.com/delimit-ai/delimit-mcp-server/releases/tag/$TAG"

package/scripts/sync-gateway.sh

@@ -0,0 +1,112 @@
+#!/bin/bash
+# Sync gateway Python files into npm bundle before publish.
+# Source of truth: /home/delimit/delimit-gateway/
+# Destination: ./gateway/ (relative to npm-delimit root)
+#
+# This runs as part of prepublishOnly to guarantee the npm package
+# always contains the latest gateway code. Drift is impossible.
+
+set -euo pipefail
+
+SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+NPM_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+GATEWAY_SRC="${GATEWAY_OVERRIDE:-/home/delimit/delimit-gateway}"
+
+# ── Verify gateway source exists ─────────────────────────────────────
+if [ ! -d "$GATEWAY_SRC/ai" ]; then
+    echo "⚠️  Gateway source not found at $GATEWAY_SRC"
+    echo "   Skipping sync (CI or customer machine — bundle as-is)"
+    exit 0
+fi
+
+echo "🔄 Syncing gateway → npm bundle..."
+
+# ── Proprietary files to EXCLUDE from npm bundle ─────────────────────
+# These are Pro-only or internal and must never ship in the public package
+EXCLUDE=(
+    "social_target.py"
+    "social.py"
+    "founding_users.py"
+    "inbox_daemon.py"
+    "deliberation.py"
+)
+
+# ── Sync ai/ directory ───────────────────────────────────────────────
+rsync -a --delete \
+    --exclude='__pycache__' \
+    --exclude='*.pyc' \
+    "$GATEWAY_SRC/ai/" "$NPM_ROOT/gateway/ai/"
+
+# ── Remove proprietary files that rsync copied ───────────────────────
+for f in "${EXCLUDE[@]}"; do
+    rm -f "$NPM_ROOT/gateway/ai/$f"
+done
+
+# ── Sync core/ directory ─────────────────────────────────────────────
+rsync -a --delete \
+    --exclude='__pycache__' \
+    --exclude='*.pyc' \
+    "$GATEWAY_SRC/core/" "$NPM_ROOT/gateway/core/"
+
+# ── Sync tasks/ directory ────────────────────────────────────────────
+rsync -a --delete \
+    --exclude='__pycache__' \
+    --exclude='*.pyc' \
+    "$GATEWAY_SRC/tasks/" "$NPM_ROOT/gateway/tasks/"
+
+# ── Sync requirements.txt ────────────────────────────────────────────
+cp "$GATEWAY_SRC/requirements.txt" "$NPM_ROOT/gateway/requirements.txt" 2>/dev/null || true
+
+# ── Also sync to installed server (if present) ────────────────────────
+# Skip with SKIP_SERVER_SYNC=1 to avoid disconnecting active MCP sessions
+INSTALLED_SERVER="$HOME/.delimit/server"
+if [ "${SKIP_SERVER_SYNC:-}" = "1" ]; then
+    echo "  ⏭️  Skipping installed server sync (SKIP_SERVER_SYNC=1)"
+elif [ -d "$INSTALLED_SERVER/ai" ]; then
+    echo "  Syncing to installed server ($INSTALLED_SERVER)..."
+    rsync -a --delete \
+        --exclude='__pycache__' \
+        --exclude='*.pyc' \
+        "$GATEWAY_SRC/ai/" "$INSTALLED_SERVER/ai/"
+    rsync -a --delete \
+        --exclude='__pycache__' \
+        --exclude='*.pyc' \
+        "$GATEWAY_SRC/core/" "$INSTALLED_SERVER/core/" 2>/dev/null || true
+    echo "  ✅ installed server synced"
+fi
+
+# ── Report ────────────────────────────────────────────────────────────
+AI_COUNT=$(find "$NPM_ROOT/gateway/ai" -name '*.py' -not -name '__pycache__' | wc -l)
+CORE_COUNT=$(find "$NPM_ROOT/gateway/core" -name '*.py' -not -name '__pycache__' | wc -l)
+TASKS_COUNT=$(find "$NPM_ROOT/gateway/tasks" -name '*.py' -not -name '__pycache__' | wc -l)
+
+echo "  ✅ ai/: $AI_COUNT files"
+echo "  ✅ core/: $CORE_COUNT files"
+echo "  ✅ tasks/: $TASKS_COUNT files"
+
+# ── Verify no proprietary files leaked ────────────────────────────────
+LEAKED=0
+for f in "${EXCLUDE[@]}"; do
+    if [ -f "$NPM_ROOT/gateway/ai/$f" ]; then
+        echo "  ❌ PROPRIETARY FILE LEAKED: $f"
+        LEAKED=1
+    fi
+done
+if [ $LEAKED -ne 0 ]; then
+    echo "❌ Sync failed — proprietary files in bundle"
+    exit 1
+fi
+
+# ── Run credential scan on synced gateway files ─────────────────────
+echo -n "  Credential scan... "
+CRED_HITS=$(grep -rEin '["'"'"'](?:password|passwd|secret|api_key|apikey|token|auth_token|access_token|private_key)["'"'"']\s*:\s*["'"'"'][^"'"'"']{4,}["'"'"']' "$NPM_ROOT/gateway/" --include="*.py" --include="*.js" --include="*.json" 2>/dev/null | grep -v 'environ\|getenv\|process\.env\|os\.environ\|example\|placeholder\|REDACTED\|your_\|change.me\|TODO\|FIXME\|xxx\|None\|null\|undefined\|test_password\|test_secret' || true)
+if [ -n "$CRED_HITS" ]; then
+    echo "FAILED"
+    echo "  Hardcoded credentials detected in gateway bundle:"
+    echo "$CRED_HITS" | while read -r line; do echo "    $line"; done
+    echo "  Fix: replace hardcoded values with env var lookups"
+    exit 1
+fi
+echo "clean"
+
+echo "Gateway sync complete"

package/scripts/youtube-upload.py

@@ -0,0 +1,141 @@
+#!/usr/bin/env python3
+"""Upload an MP4 video to YouTube as a Short (unlisted by default).
+
+Usage:
+    python3 youtube-upload.py <mp4_path> [--title TITLE] [--description DESC] [--privacy PRIVACY]
+
+Reads OAuth credentials from:
+    /root/.delimit/secrets/youtube-oauth-client.json  (client_id, client_secret)
+    /root/.delimit/secrets/youtube-tokens.json         (refresh_token, access_token)
+
+Tokens are refreshed automatically when expired.
+"""
+
+import argparse
+import json
+import os
+import sys
+
+from google.oauth2.credentials import Credentials
+from googleapiclient.discovery import build
+from googleapiclient.http import MediaFileUpload
+
+TOKENS_PATH = "/root/.delimit/secrets/youtube-tokens.json"
+CLIENT_PATH = "/root/.delimit/secrets/youtube-oauth-client.json"
+
+SCOPES = [
+    "https://www.googleapis.com/auth/youtube.upload",
+    "https://www.googleapis.com/auth/youtube",
+]
+
+
+def load_credentials():
+    """Build OAuth2 credentials from stored tokens + client secrets."""
+    with open(TOKENS_PATH) as f:
+        tokens = json.load(f)
+    with open(CLIENT_PATH) as f:
+        client_raw = json.load(f)
+
+    # Handle both wrapped {"installed": {...}} and flat formats.
+    client = client_raw.get("installed") or client_raw.get("web") or client_raw
+
+    creds = Credentials(
+        token=tokens.get("access_token"),
+        refresh_token=tokens["refresh_token"],
+        token_uri=client.get("token_uri", "https://oauth2.googleapis.com/token"),
+        client_id=client["client_id"],
+        client_secret=client["client_secret"],
+        scopes=SCOPES,
+    )
+
+    # Force a refresh so we always have a valid access token.
+    if creds.expired or not creds.token:
+        from google.auth.transport.requests import Request
+        creds.refresh(Request())
+        # Persist the refreshed token for future use.
+        tokens["access_token"] = creds.token
+        with open(TOKENS_PATH, "w") as f:
+            json.dump(tokens, f)
+        print("[youtube-upload] Access token refreshed.", file=sys.stderr)
+
+    return creds
+
+
+def upload(mp4_path, title, description, privacy="unlisted"):
+    """Upload mp4_path to YouTube and return the video URL."""
+    if not os.path.isfile(mp4_path):
+        print(f"Error: file not found: {mp4_path}", file=sys.stderr)
+        sys.exit(1)
+
+    creds = load_credentials()
+    youtube = build("youtube", "v3", credentials=creds)
+
+    # Ensure #Shorts tag is in the description for YouTube Shorts detection.
+    if "#Shorts" not in description:
+        description = f"{description}\n\n#Shorts"
+
+    body = {
+        "snippet": {
+            "title": title,
+            "description": description,
+            "tags": ["delimit", "api-governance", "developer-tools", "shorts"],
+            "categoryId": "28",  # Science & Technology
+        },
+        "status": {
+            "privacyStatus": privacy,
+            "selfDeclaredMadeForKids": False,
+        },
+    }
+
+    media = MediaFileUpload(
+        mp4_path,
+        mimetype="video/mp4",
+        resumable=True,
+        chunksize=10 * 1024 * 1024,  # 10 MB chunks
+    )
+
+    request = youtube.videos().insert(
+        part="snippet,status",
+        body=body,
+        media_body=media,
+    )
+
+    print(f"[youtube-upload] Uploading {mp4_path} ...", file=sys.stderr)
+
+    response = None
+    while response is None:
+        status, response = request.next_chunk()
+        if status:
+            pct = int(status.progress() * 100)
+            print(f"[youtube-upload] {pct}% uploaded", file=sys.stderr)
+
+    video_id = response["id"]
+    url = f"https://youtu.be/{video_id}"
+    print(f"[youtube-upload] Upload complete.", file=sys.stderr)
+    print(f"[youtube-upload] Video URL: {url}", file=sys.stderr)
+    # Print bare URL to stdout for scripting.
+    print(url)
+    return url
+
+
+def main():
+    parser = argparse.ArgumentParser(description="Upload MP4 to YouTube")
+    parser.add_argument("mp4_path", help="Path to the MP4 file")
+    parser.add_argument("--title", default="Delimit Demo", help="Video title")
+    parser.add_argument(
+        "--description",
+        default="API governance in action with Delimit CLI.",
+        help="Video description",
+    )
+    parser.add_argument(
+        "--privacy",
+        default="unlisted",
+        choices=["public", "unlisted", "private"],
+        help="Privacy status (default: unlisted)",
+    )
+    args = parser.parse_args()
+    upload(args.mp4_path, args.title, args.description, args.privacy)
+
+
+if __name__ == "__main__":
+    main()