delimit-cli 4.1.43 → 4.1.47

package/gateway/ai/backends/deploy_bridge.py

@@ -154,20 +154,175 @@ def publish(app: str, git_ref: Optional[str] = None) -> Dict[str, Any]:
     return latest
 
 
+DEPLOY_TARGETS = [
+    {"name": "delimit.ai", "url": "https://delimit.ai", "kind": "vercel"},
+    {"name": "electricgrill.com", "url": "https://electricgrill.com", "kind": "vercel"},
+    {"name": "robotax.com", "url": "https://robotax.com", "kind": "vercel"},
+    {"name": "npm:delimit-cli", "url": "https://www.npmjs.com/package/delimit-cli", "kind": "npm"},
+    {"name": "github:delimit-mcp-server", "url": "https://github.com/delimit-ai/delimit-mcp-server", "kind": "github"},
+]
+
+
+def _check_http_health(url: str, timeout: int = 10) -> Dict[str, Any]:
+    """Check HTTP health for a single URL. Returns status, response time, headers."""
+    import ssl
+    import time
+    import urllib.request
+
+    result: Dict[str, Any] = {"url": url, "healthy": False}
+    try:
+        ctx = ssl.create_default_context()
+        req = urllib.request.Request(url, method="GET", headers={"User-Agent": "delimit-deploy-verify/1.0"})
+        start = time.monotonic()
+        with urllib.request.urlopen(req, timeout=timeout, context=ctx) as resp:
+            elapsed_ms = round((time.monotonic() - start) * 1000)
+            result["status_code"] = resp.status
+            result["response_time_ms"] = elapsed_ms
+            result["healthy"] = 200 <= resp.status < 400
+    except Exception as exc:
+        result["error"] = str(exc)
+        result["status_code"] = None
+        result["response_time_ms"] = None
+    return result
+
+
+def _check_ssl_cert(hostname: str, port: int = 443, warn_days: int = 30) -> Dict[str, Any]:
+    """Validate SSL certificate for a hostname. Checks expiry within warn_days."""
+    import socket
+    import ssl
+
+    result: Dict[str, Any] = {"hostname": hostname, "ssl_valid": False}
+    try:
+        ctx = ssl.create_default_context()
+        with socket.create_connection((hostname, port), timeout=10) as sock:
+            with ctx.wrap_socket(sock, server_hostname=hostname) as ssock:
+                cert = ssock.getpeercert()
+                if not cert:
+                    result["error"] = "No certificate returned"
+                    return result
+                not_after_str = cert.get("notAfter", "")
+                # Python ssl cert dates: 'Mon DD HH:MM:SS YYYY GMT'
+                not_after = datetime.strptime(not_after_str, "%b %d %H:%M:%S %Y %Z").replace(tzinfo=timezone.utc)
+                now = datetime.now(timezone.utc)
+                days_remaining = (not_after - now).days
+                result["ssl_valid"] = True
+                result["expires"] = not_after.isoformat()
+                result["days_remaining"] = days_remaining
+                result["expiry_warning"] = days_remaining < warn_days
+                if days_remaining < warn_days:
+                    result["warning"] = f"SSL certificate expires in {days_remaining} days (threshold: {warn_days})"
+                # Extract issuer for diagnostics
+                issuer = dict(x[0] for x in cert.get("issuer", ()))
+                result["issuer"] = issuer.get("organizationName", issuer.get("commonName", "unknown"))
+    except Exception as exc:
+        result["error"] = str(exc)
+    return result
+
+
+def _check_npm_version(expected_version: Optional[str] = None) -> Dict[str, Any]:
+    """Check the published npm version of delimit-cli."""
+    import subprocess
+
+    result: Dict[str, Any] = {"package": "delimit-cli", "healthy": False}
+    try:
+        proc = subprocess.run(
+            ["npm", "view", "delimit-cli", "version"],
+            capture_output=True, text=True, timeout=15,
+        )
+        if proc.returncode == 0:
+            published = proc.stdout.strip()
+            result["published_version"] = published
+            result["healthy"] = True
+            if expected_version:
+                result["expected_version"] = expected_version
+                result["version_match"] = published == expected_version
+                if published != expected_version:
+                    result["warning"] = f"Version mismatch: published={published}, expected={expected_version}"
+        else:
+            result["error"] = proc.stderr.strip() or "npm view returned non-zero"
+    except FileNotFoundError:
+        result["error"] = "npm not found on PATH"
+    except subprocess.TimeoutExpired:
+        result["error"] = "npm view timed out after 15s"
+    except Exception as exc:
+        result["error"] = str(exc)
+    return result
+
+
+def _extract_hostname(url: str) -> str:
+    """Extract hostname from a URL."""
+    from urllib.parse import urlparse
+    return urlparse(url).hostname or ""
+
+
 def verify(app: str, env: str, git_ref: Optional[str] = None) -> Dict[str, Any]:
-    """Verify deployment health (stub — returns plan status)."""
-    plans = _list_plans(app=app, env=env)
-    if not plans:
-        return {"app": app, "env": env, "status": "no_deploys", "healthy": False}
-    latest = plans[0]
-    return {
-        "app": app,
-        "env": env,
-        "plan_id": latest["plan_id"],
-        "status": latest["status"],
-        "healthy": latest["status"] in ("published", "planned"),
-        "message": "Health check is a stub — no real endpoint verification yet.",
+    """Verify deployment health with real HTTP checks, SSL validation, and npm version.
+
+    Checks every deployment target for:
+    - HTTP 2xx reachability and response time
+    - SSL certificate validity (warns if expiring within 30 days)
+    - npm published version (for npm targets)
+
+    Also cross-references local deploy plan status when available.
+    """
+    now = datetime.now(timezone.utc).isoformat()
+    checks: List[Dict[str, Any]] = []
+    all_healthy = True
+    warnings: List[str] = []
+
+    for target in DEPLOY_TARGETS:
+        entry: Dict[str, Any] = {"name": target["name"], "kind": target["kind"]}
+
+        # HTTP health
+        http = _check_http_health(target["url"])
+        entry["http"] = http
+        if not http.get("healthy"):
+            all_healthy = False
+
+        # SSL cert check
+        hostname = _extract_hostname(target["url"])
+        if hostname:
+            ssl_result = _check_ssl_cert(hostname)
+            entry["ssl"] = ssl_result
+            if ssl_result.get("expiry_warning"):
+                warnings.append(ssl_result.get("warning", f"SSL expiry warning for {hostname}"))
+            if not ssl_result.get("ssl_valid"):
+                all_healthy = False
+
+        # npm version check (only for npm targets)
+        if target["kind"] == "npm":
+            npm_result = _check_npm_version()
+            entry["npm"] = npm_result
+            if not npm_result.get("healthy"):
+                all_healthy = False
+
+        checks.append(entry)
+
+    # Cross-reference deploy plan if one exists
+    plan_info: Optional[Dict[str, Any]] = None
+    plans = _list_plans(app=app or None, env=env or None)
+    if plans:
+        latest = plans[0]
+        plan_info = {
+            "plan_id": latest["plan_id"],
+            "plan_status": latest["status"],
+            "updated_at": latest.get("updated_at"),
+        }
+
+    result: Dict[str, Any] = {
+        "app": app or "all",
+        "env": env or "production",
+        "verified_at": now,
+        "healthy": all_healthy,
+        "targets_checked": len(checks),
+        "targets_healthy": sum(1 for c in checks if c.get("http", {}).get("healthy")),
+        "checks": checks,
     }
+    if warnings:
+        result["warnings"] = warnings
+    if plan_info:
+        result["deploy_plan"] = plan_info
+    return result
 
 
 def rollback(app: str, env: str, to_sha: Optional[str] = None) -> Dict[str, Any]:

package/gateway/ai/backends/gateway_core.py

@@ -23,7 +23,12 @@ if str(GATEWAY_ROOT) not in sys.path:
 
 
 def _load_specs(spec_path: str) -> Dict[str, Any]:
-    """Load an OpenAPI spec from a file path."""
+    """Load an API spec (OpenAPI or JSON Schema) from a file path.
+
+    Performs a non-fatal version compatibility check (LED-290) so that
+    unknown OpenAPI versions log a warning instead of silently parsing.
+    JSON Schema documents skip the OpenAPI version assert.
+    """
     import yaml
 
     p = Path(spec_path)
@@ -32,8 +37,149 @@ def _load_specs(spec_path: str) -> Dict[str, Any]:
 
     content = p.read_text(encoding="utf-8")
     if p.suffix in (".yaml", ".yml"):
-        return yaml.safe_load(content)
-    return json.loads(content)
+        spec = yaml.safe_load(content)
+    else:
+        spec = json.loads(content)
+
+    # LED-290: warn (non-fatal) if version is outside the validated set.
+    # Only applies to OpenAPI/Swagger documents — bare JSON Schema files
+    # have no "openapi"/"swagger" key and would otherwise trip the assert.
+    try:
+        if isinstance(spec, dict) and ("openapi" in spec or "swagger" in spec):
+            from core.openapi_version import assert_supported
+            assert_supported(spec, strict=False)
+    except Exception as exc:  # pragma: no cover -- defensive only
+        logger.debug("openapi version check skipped: %s", exc)
+
+    return spec
+
+
+# ---------------------------------------------------------------------------
+# LED-713: JSON Schema spec-type dispatch helpers
+# ---------------------------------------------------------------------------
+
+
+def _spec_type(doc: Any) -> str:
+    """Classify a loaded spec doc. 'openapi' or 'json_schema'."""
+    from core.spec_detector import detect_spec_type
+    t = detect_spec_type(doc)
+    # Fallback to openapi for unknown so we never break existing flows.
+    return "json_schema" if t == "json_schema" else "openapi"
+
+
+def _json_schema_changes_to_dicts(changes: List[Any]) -> List[Dict[str, Any]]:
+    return [
+        {
+            "type": c.type.value,
+            "path": c.path,
+            "message": c.message,
+            "is_breaking": c.is_breaking,
+            "details": c.details,
+        }
+        for c in changes
+    ]
+
+
+def _json_schema_semver(changes: List[Any]) -> Dict[str, Any]:
+    """Build an OpenAPI-compatible semver result from JSON Schema changes.
+
+    Mirrors core.semver_classifier.classify_detailed shape so downstream
+    consumers (PR comment, CI formatter, ledger) don't need to branch.
+    """
+    breaking = [c for c in changes if c.is_breaking]
+    non_breaking = [c for c in changes if not c.is_breaking]
+    if breaking:
+        bump = "major"
+    elif non_breaking:
+        bump = "minor"
+    else:
+        bump = "none"
+    return {
+        "bump": bump,
+        "is_breaking": bool(breaking),
+        "counts": {
+            "breaking": len(breaking),
+            "non_breaking": len(non_breaking),
+            "total": len(changes),
+        },
+    }
+
+
+def _bump_semver_version(current: str, bump: str) -> Optional[str]:
+    """Minimal semver bump for JSON Schema path (core.semver_classifier
+    only understands OpenAPI ChangeType enums)."""
+    if not current:
+        return None
+    try:
+        parts = current.lstrip("v").split(".")
+        major, minor, patch = (int(parts[0]), int(parts[1]), int(parts[2]))
+    except Exception:
+        return None
+    if bump == "major":
+        return f"{major + 1}.0.0"
+    if bump == "minor":
+        return f"{major}.{minor + 1}.0"
+    if bump == "patch":
+        return f"{major}.{minor}.{patch + 1}"
+    return current
+
+
+def _run_json_schema_lint(
+    old_doc: Dict[str, Any],
+    new_doc: Dict[str, Any],
+    current_version: Optional[str] = None,
+    api_name: Optional[str] = None,
+) -> Dict[str, Any]:
+    """Build an evaluate_with_policy-compatible result for JSON Schema.
+
+    Policy rules in Delimit are defined against OpenAPI ChangeType values,
+    so they do not apply here. We return zero violations and rely on the
+    breaking-change count + semver bump to drive the governance gate.
+    """
+    from core.json_schema_diff import JSONSchemaDiffEngine
+
+    engine = JSONSchemaDiffEngine()
+    changes = engine.compare(old_doc, new_doc)
+    semver = _json_schema_semver(changes)
+
+    if current_version:
+        semver["current_version"] = current_version
+        semver["next_version"] = _bump_semver_version(current_version, semver["bump"])
+
+    breaking_count = semver["counts"]["breaking"]
+    total = semver["counts"]["total"]
+
+    decision = "pass"
+    exit_code = 0
+    # No policy rules apply to JSON Schema, but breaking changes still
+    # flag MAJOR semver and the downstream gate uses that to block.
+    # Mirror the shape of evaluate_with_policy so the action/CLI renderers
+    # need no JSON Schema-specific branch.
+    result: Dict[str, Any] = {
+        "spec_type": "json_schema",
+        "api_name": api_name or new_doc.get("title") or old_doc.get("title") or "JSON Schema",
+        "decision": decision,
+        "exit_code": exit_code,
+        "violations": [],
+        "summary": {
+            "total_changes": total,
+            "breaking_changes": breaking_count,
+            "violations": 0,
+            "errors": 0,
+            "warnings": 0,
+        },
+        "all_changes": [
+            {
+                "type": c.type.value,
+                "path": c.path,
+                "message": c.message,
+                "is_breaking": c.is_breaking,
+            }
+            for c in changes
+        ],
+        "semver": semver,
+    }
+    return result
 
 
 def _read_jsonl(path: Path) -> List[Dict[str, Any]]:
@@ -101,29 +247,51 @@ def run_lint(old_spec: str, new_spec: str, policy_file: Optional[str] = None) ->
     """Run the full lint pipeline: diff + policy evaluation.
 
     This is the Tier 1 primary tool — combines diff detection with
-    policy enforcement into a single pass/fail decision.
+    policy enforcement into a single pass/fail decision. Auto-detects
+    spec type (OpenAPI vs JSON Schema, LED-713) and dispatches to the
+    matching engine.
     """
     from core.policy_engine import evaluate_with_policy
 
     old = _load_specs(old_spec)
     new = _load_specs(new_spec)
 
+    # LED-713: JSON Schema dispatch. Policy rules are OpenAPI-specific,
+    # so JSON Schema takes the no-policy (breaking-count + semver) path.
+    if _spec_type(new) == "json_schema" or _spec_type(old) == "json_schema":
+        return _run_json_schema_lint(old, new)
+
     return evaluate_with_policy(old, new, policy_file)
 
 
 def run_diff(old_spec: str, new_spec: str) -> Dict[str, Any]:
-    """Run diff engine only — no policy evaluation."""
-    from core.diff_engine_v2 import OpenAPIDiffEngine
+    """Run diff engine only — no policy evaluation.
 
+    Auto-detects OpenAPI vs JSON Schema and dispatches (LED-713).
+    """
     old = _load_specs(old_spec)
     new = _load_specs(new_spec)
 
+    if _spec_type(new) == "json_schema" or _spec_type(old) == "json_schema":
+        from core.json_schema_diff import JSONSchemaDiffEngine
+        engine = JSONSchemaDiffEngine()
+        changes = engine.compare(old, new)
+        breaking = [c for c in changes if c.is_breaking]
+        return {
+            "spec_type": "json_schema",
+            "total_changes": len(changes),
+            "breaking_changes": len(breaking),
+            "changes": _json_schema_changes_to_dicts(changes),
+        }
+
+    from core.diff_engine_v2 import OpenAPIDiffEngine
     engine = OpenAPIDiffEngine()
     changes = engine.compare(old, new)
 
     breaking = [c for c in changes if c.is_breaking]
 
     return {
+        "spec_type": "openapi",
         "total_changes": len(changes),
         "breaking_changes": len(breaking),
         "changes": [
@@ -150,13 +318,20 @@ def run_changelog(
     Uses the diff engine to detect changes, then formats them into
     a human-readable changelog grouped by category.
     """
-    from core.diff_engine_v2 import OpenAPIDiffEngine
     from datetime import datetime, timezone
 
     old = _load_specs(old_spec)
     new = _load_specs(new_spec)
 
-    engine = OpenAPIDiffEngine()
+    # LED-713: dispatch on spec type. JSONSchemaChange / Change share the
+    # (.type.value, .path, .message, .is_breaking) duck type.
+    if _spec_type(new) == "json_schema" or _spec_type(old) == "json_schema":
+        from core.json_schema_diff import JSONSchemaDiffEngine
+        engine = JSONSchemaDiffEngine()
+    else:
+        from core.diff_engine_v2 import OpenAPIDiffEngine
+        engine = OpenAPIDiffEngine()
+
     changes = engine.compare(old, new)
 
     # Categorize changes
@@ -794,14 +969,26 @@ def run_semver(
     """Classify the semver bump for a spec change.
 
     Returns detailed breakdown: bump level, per-category counts,
-    and optionally the bumped version string.
+    and optionally the bumped version string. Auto-detects OpenAPI vs
+    JSON Schema (LED-713).
     """
-    from core.diff_engine_v2 import OpenAPIDiffEngine
-    from core.semver_classifier import classify_detailed, bump_version, classify
-
     old = _load_specs(old_spec)
     new = _load_specs(new_spec)
 
+    # LED-713: JSON Schema path
+    if _spec_type(new) == "json_schema" or _spec_type(old) == "json_schema":
+        from core.json_schema_diff import JSONSchemaDiffEngine
+        engine = JSONSchemaDiffEngine()
+        changes = engine.compare(old, new)
+        result = _json_schema_semver(changes)
+        if current_version:
+            result["current_version"] = current_version
+            result["next_version"] = _bump_semver_version(current_version, result["bump"])
+        return result
+
+    from core.diff_engine_v2 import OpenAPIDiffEngine
+    from core.semver_classifier import classify_detailed, bump_version, classify
+
     engine = OpenAPIDiffEngine()
     changes = engine.compare(old, new)
     result = classify_detailed(changes)
@@ -932,7 +1119,6 @@ def run_diff_report(
     """
     from datetime import datetime, timezone
 
-    from core.diff_engine_v2 import OpenAPIDiffEngine
     from core.policy_engine import PolicyEngine
     from core.semver_classifier import classify_detailed, classify
     from core.spec_health import score_spec
@@ -941,6 +1127,43 @@ def run_diff_report(
     old = _load_specs(old_spec)
     new = _load_specs(new_spec)
 
+    # LED-713: JSON Schema dispatch — short-circuit to a minimal report
+    # shape compatible with the JSON renderer (HTML renderer remains
+    # OpenAPI-only; JSON Schema callers should use fmt="json").
+    if _spec_type(new) == "json_schema" or _spec_type(old) == "json_schema":
+        from core.json_schema_diff import JSONSchemaDiffEngine
+        js_engine = JSONSchemaDiffEngine()
+        js_changes = js_engine.compare(old, new)
+        js_breaking = [c for c in js_changes if c.is_breaking]
+        js_semver = _json_schema_semver(js_changes)
+        now_js = datetime.now(timezone.utc)
+        return {
+            "format": fmt,
+            "spec_type": "json_schema",
+            "generated_at": now_js.isoformat(),
+            "old_spec": old_spec,
+            "new_spec": new_spec,
+            "old_title": old.get("title", "") if isinstance(old, dict) else "",
+            "new_title": new.get("title", "") if isinstance(new, dict) else "",
+            "semver": js_semver,
+            "changes": _json_schema_changes_to_dicts(js_changes),
+            "breaking_count": len(js_breaking),
+            "non_breaking_count": len(js_changes) - len(js_breaking),
+            "total_changes": len(js_changes),
+            "policy": {
+                "decision": "pass",
+                "violations": [],
+                "errors": 0,
+                "warnings": 0,
+            },
+            "health": None,
+            "migration": "",
+            "output_file": output_file,
+            "note": "JSON Schema report (policy rules and HTML report are OpenAPI-only in v1)",
+        }
+
+    from core.diff_engine_v2 import OpenAPIDiffEngine
+
     # -- Diff --
     engine = OpenAPIDiffEngine()
     changes = engine.compare(old, new)

package/gateway/ai/backends/repo_bridge.py

@@ -158,21 +158,80 @@ def config_audit(target: str = ".", options: Optional[Dict] = None) -> Dict[str,
 # ─── EvidencePack ───────────────────────────────────────────────────────
 
 def evidence_collect(target: str = ".", options: Optional[Dict] = None) -> Dict[str, Any]:
-    """Collect project evidence: git log, test files, configs, governance data."""
-    import subprocess, time as _time
-    root = Path(target).resolve()
-    evidence: Dict[str, Any] = {"collected_at": _time.time(), "target": str(root)}
-    # Git log
-    try:
-        r = subprocess.run(["git", "-C", str(root), "log", "--oneline", "-10"], capture_output=True, text=True, timeout=10)
-        evidence["git_log"] = r.stdout.strip().splitlines() if r.returncode == 0 else []
-    except Exception:
+    """Collect project evidence: git log, test files, configs, governance data.
+
+    Accepts either a local filesystem path (repo directory) or a remote
+    reference (GitHub URL, owner/repo#N, or any non-filesystem string).
+    Remote targets skip the filesystem walk and store reference metadata.
+    """
+    import re
+    import subprocess
+    import time as _time
+
+    opts = options or {}
+    evidence_type = opts.get("evidence_type", "")
+
+    # Detect non-filesystem targets: URLs, owner/repo#N, bare issue refs, etc.
+    is_remote = (
+        "://" in target
+        or target.startswith("http")
+        or re.match(r"^[\w.-]+/[\w.-]+#\d+$", target) is not None
+        or "#" in target
+    )
+
+    evidence: Dict[str, Any] = {"collected_at": _time.time(), "target": target}
+    if evidence_type:
+        evidence["evidence_type"] = evidence_type
+
+    if is_remote:
+        # Remote/reference target — no filesystem walk, just record metadata.
+        evidence["target_type"] = "remote"
         evidence["git_log"] = []
-    # Test files
-    test_dirs = [d for d in ["tests", "test", "__tests__", "spec"] if (root / d).exists()]
-    evidence["test_directories"] = test_dirs
-    # Configs
-    evidence["configs"] = [f.name for f in root.iterdir() if f.is_file() and (f.suffix in [".json", ".yaml", ".yml", ".toml"] or f.name.startswith("."))]
+        evidence["test_directories"] = []
+        evidence["configs"] = []
+        m = re.match(r"^([\w.-]+)/([\w.-]+)#(\d+)$", target)
+        if m:
+            evidence["repo"] = f"{m.group(1)}/{m.group(2)}"
+            evidence["issue_number"] = int(m.group(3))
+    else:
+        root = Path(target).resolve()
+        evidence["target"] = str(root)
+        evidence["target_type"] = "local"
+
+        if not root.exists():
+            return {
+                "tool": "evidence.collect",
+                "status": "error",
+                "error": "target_not_found",
+                "message": f"Path {root} does not exist. For remote targets, pass a URL or owner/repo#N.",
+                "target": target,
+            }
+
+        # Git log (safe for non-git dirs)
+        try:
+            r = subprocess.run(
+                ["git", "-C", str(root), "log", "--oneline", "-10"],
+                capture_output=True, text=True, timeout=10,
+            )
+            evidence["git_log"] = r.stdout.strip().splitlines() if r.returncode == 0 else []
+        except Exception:
+            evidence["git_log"] = []
+
+        # Test dirs + configs (only if target is a directory)
+        if root.is_dir():
+            test_dirs = [d for d in ["tests", "test", "__tests__", "spec"] if (root / d).exists()]
+            evidence["test_directories"] = test_dirs
+            try:
+                evidence["configs"] = [
+                    f.name for f in root.iterdir()
+                    if f.is_file() and (f.suffix in [".json", ".yaml", ".yml", ".toml"] or f.name.startswith("."))
+                ]
+            except (PermissionError, OSError):
+                evidence["configs"] = []
+        else:
+            evidence["test_directories"] = []
+            evidence["configs"] = []
+
     # Save bundle
     ev_dir = Path(os.environ.get("DELIMIT_HOME", str(Path.home() / ".delimit"))) / "evidence"
     ev_dir.mkdir(parents=True, exist_ok=True)
@@ -180,8 +239,13 @@ def evidence_collect(target: str = ".", options: Optional[Dict] = None) -> Dict[
     bundle_path = ev_dir / f"{bundle_id}.json"
     evidence["bundle_id"] = bundle_id
     bundle_path.write_text(json.dumps(evidence, indent=2))
-    return {"tool": "evidence.collect", "status": "ok", "bundle_id": bundle_id,
-            "bundle_path": str(bundle_path), "summary": {k: len(v) if isinstance(v, list) else v for k, v in evidence.items()}}
+    return {
+        "tool": "evidence.collect",
+        "status": "ok",
+        "bundle_id": bundle_id,
+        "bundle_path": str(bundle_path),
+        "summary": {k: len(v) if isinstance(v, list) else v for k, v in evidence.items()},
+    }
 
 
 def evidence_verify(bundle_id: Optional[str] = None, bundle_path: Optional[str] = None, options: Optional[Dict] = None) -> Dict[str, Any]: