delimit-cli 4.1.43 → 4.1.47

package/gateway/ai/inbox_daemon_runner.py

@@ -0,0 +1,217 @@
+#!/usr/bin/env python3
+"""
+Standalone runner for the Delimit inbox polling daemon.
+
+Designed for use with systemd or manual invocation. Adds:
+- Structured logging with timestamps
+- Graceful SIGTERM handling for clean systemd stop
+- PID file to prevent duplicate instances
+- Startup validation of required configuration
+
+Usage:
+    # Via systemd (see deploy/inbox-daemon.service)
+    systemctl start delimit-inbox-daemon
+
+    # Manual foreground run
+    python3 ai/inbox_daemon_runner.py
+
+    # Single poll cycle (for testing)
+    python3 ai/inbox_daemon_runner.py --once
+
+Environment variables:
+    DELIMIT_SMTP_PASS              Required. IMAP/SMTP password.
+    DELIMIT_INBOX_POLL_INTERVAL    Poll interval in seconds (default: 300).
+    DELIMIT_HOME                   Delimit config directory (default: ~/.delimit).
+    PYTHONPATH                     Must include the gateway root for ai.* imports.
+"""
+
+import logging
+import os
+import signal
+import sys
+import time
+from datetime import datetime, timezone
+from pathlib import Path
+
+# Ensure the gateway root is on sys.path so ai.* imports work
+_gateway_root = Path(__file__).resolve().parent.parent
+if str(_gateway_root) not in sys.path:
+    sys.path.insert(0, str(_gateway_root))
+
+# PID file to prevent duplicate instances
+PID_DIR = Path(os.environ.get("DELIMIT_HOME", Path.home() / ".delimit"))
+PID_FILE = PID_DIR / "inbox-daemon.pid"
+
+
+def _setup_logging() -> logging.Logger:
+    """Configure structured logging for journald and console."""
+    log_format = "%(asctime)s [%(name)s] %(levelname)s: %(message)s"
+    logging.basicConfig(
+        level=logging.INFO,
+        format=log_format,
+        stream=sys.stdout,
+    )
+    # Suppress noisy libraries
+    logging.getLogger("urllib3").setLevel(logging.WARNING)
+    logging.getLogger("imaplib").setLevel(logging.WARNING)
+    return logging.getLogger("delimit.inbox_daemon_runner")
+
+
+def _write_pid() -> None:
+    """Write PID file. Check for stale processes first."""
+    PID_DIR.mkdir(parents=True, exist_ok=True)
+
+    if PID_FILE.exists():
+        try:
+            old_pid = int(PID_FILE.read_text().strip())
+            # Check if the old process is still running
+            os.kill(old_pid, 0)
+            # Process exists -- abort to prevent duplicates
+            print(
+                f"ERROR: Another inbox daemon is running (PID {old_pid}). "
+                f"Remove {PID_FILE} if stale.",
+                file=sys.stderr,
+            )
+            sys.exit(1)
+        except (ValueError, ProcessLookupError, PermissionError):
+            # Stale PID file -- safe to overwrite
+            pass
+        except OSError:
+            pass
+
+    PID_FILE.write_text(str(os.getpid()))
+
+
+def _remove_pid() -> None:
+    """Remove PID file on clean shutdown."""
+    try:
+        if PID_FILE.exists():
+            current_pid = PID_FILE.read_text().strip()
+            if current_pid == str(os.getpid()):
+                PID_FILE.unlink()
+    except OSError:
+        pass
+
+
+def _validate_config(logger: logging.Logger) -> bool:
+    """Validate required configuration before starting the daemon."""
+    ok = True
+
+    if not os.environ.get("DELIMIT_SMTP_PASS"):
+        # Check if the notify module can load credentials from config
+        try:
+            from ai.notify import _load_smtp_account, IMAP_USER
+            if IMAP_USER:
+                account = _load_smtp_account(IMAP_USER)
+                if account and (account.get("pass") or account.get("password")):
+                    logger.info("SMTP credentials loaded from config for %s", IMAP_USER)
+                else:
+                    logger.error(
+                        "DELIMIT_SMTP_PASS not set and no credentials found in config for %s",
+                        IMAP_USER,
+                    )
+                    ok = False
+            else:
+                logger.error("DELIMIT_SMTP_PASS not set and IMAP_USER not configured")
+                ok = False
+        except ImportError:
+            logger.error("DELIMIT_SMTP_PASS not set and ai.notify module not importable")
+            ok = False
+    else:
+        logger.info("SMTP credentials provided via environment")
+
+    return ok
+
+
+def main() -> None:
+    import argparse
+
+    parser = argparse.ArgumentParser(
+        description="Delimit inbox daemon runner -- persistent email governance polling",
+    )
+    parser.add_argument(
+        "--once",
+        action="store_true",
+        help="Run a single poll cycle and exit",
+    )
+    parser.add_argument(
+        "--interval",
+        type=int,
+        default=None,
+        help="Override poll interval in seconds",
+    )
+    args = parser.parse_args()
+
+    logger = _setup_logging()
+    logger.info(
+        "Delimit inbox daemon runner starting (PID %d, Python %s)",
+        os.getpid(),
+        sys.version.split()[0],
+    )
+
+    # Validate config before doing anything else
+    if not _validate_config(logger):
+        logger.error("Configuration validation failed. Exiting.")
+        sys.exit(1)
+
+    # Import the daemon module (after PYTHONPATH is set up)
+    from ai.inbox_daemon import (
+        _daemon_state,
+        _daemon_loop,
+        poll_once,
+        POLL_INTERVAL,
+    )
+
+    # Override poll interval if requested
+    if args.interval is not None:
+        import ai.inbox_daemon
+        ai.inbox_daemon.POLL_INTERVAL = args.interval
+        logger.info("Poll interval overridden to %d seconds", args.interval)
+
+    # Single-shot mode
+    if args.once:
+        logger.info("Running single poll cycle (--once mode)")
+        result = poll_once()
+        if "error" in result:
+            logger.error("Poll failed: %s", result["error"])
+            sys.exit(1)
+        logger.info(
+            "Poll complete: %d processed, %d forwarded",
+            result.get("processed", 0),
+            result.get("forwarded", 0),
+        )
+        return
+
+    # Write PID file (only for long-running mode)
+    _write_pid()
+
+    # Graceful shutdown handler
+    def _handle_signal(signum, frame):
+        sig_name = signal.Signals(signum).name
+        logger.info("Received %s -- initiating graceful shutdown", sig_name)
+        _daemon_state._stop_event.set()
+
+    signal.signal(signal.SIGTERM, _handle_signal)
+    signal.signal(signal.SIGINT, _handle_signal)
+
+    # Start the daemon loop (blocks until stop event)
+    logger.info(
+        "Inbox daemon entering main loop (poll interval: %ds)",
+        ai.inbox_daemon.POLL_INTERVAL,
+    )
+    _daemon_state.running = True
+    _daemon_state._stop_event.clear()
+
+    try:
+        _daemon_loop()
+    except Exception as e:
+        logger.critical("Daemon loop crashed: %s", e, exc_info=True)
+        sys.exit(1)
+    finally:
+        _daemon_state.running = False
+        _remove_pid()
+        logger.info("Inbox daemon runner exiting cleanly")
+
+
+if __name__ == "__main__":
+    main()

package/gateway/ai/key_resolver.py

@@ -1,2 +1,95 @@
-# key_resolver — Pro module (stubbed in npm package)
-# Full implementation available on delimit.ai server
+"""Auto-resolve API keys from multiple sources.
+
+Priority: env var -> secrets broker -> return None (free fallback).
+
+Every MCP tool that depends on an external service should use this module
+so it works out of the box without API keys, with enhanced functionality
+unlocked when keys are available.
+"""
+
+import json
+import logging
+import os
+import shutil
+import subprocess
+from pathlib import Path
+from typing import Optional, Tuple
+
+logger = logging.getLogger("delimit.ai.key_resolver")
+
+SECRETS_DIR = Path.home() / ".delimit" / "secrets"
+
+
+def get_key(name: str, env_var: str = "", _secrets_dir: Optional[Path] = None) -> Tuple[Optional[str], str]:
+    """Get an API key.  Returns (key, source) or (None, "not_found").
+
+    Sources checked in order:
+    1. Environment variable (explicit *env_var*, then common conventions)
+    2. ~/.delimit/secrets/{name}.json
+    3. None (free fallback)
+    """
+    # 1. Env var — explicit, then common patterns
+    candidates = [env_var] if env_var else []
+    candidates += [
+        f"{name.upper()}_TOKEN",
+        f"{name.upper()}_API_KEY",
+        f"{name.upper()}_KEY",
+    ]
+    for var in candidates:
+        if not var:
+            continue
+        val = os.environ.get(var)
+        if val:
+            return val, "env"
+
+    # 2. Secrets broker
+    secrets_dir = _secrets_dir if _secrets_dir is not None else SECRETS_DIR
+    secrets_file = secrets_dir / f"{name.lower()}.json"
+    if secrets_file.exists():
+        try:
+            data = json.loads(secrets_file.read_text())
+            for field in ("value", "api_key", "token", "key"):
+                if data.get(field):
+                    return data[field], "secrets_broker"
+        except Exception:
+            logger.debug("Failed to read secrets file %s", secrets_file)
+
+    # 3. Not found
+    return None, "not_found"
+
+
+# ---------------------------------------------------------------------------
+# Convenience wrappers
+# ---------------------------------------------------------------------------
+
+def get_figma_token() -> Tuple[Optional[str], str]:
+    """Resolve Figma API token."""
+    return get_key("figma", "FIGMA_TOKEN")
+
+
+def get_trivy_path() -> Tuple[Optional[str], str]:
+    """Check if Trivy binary is available on PATH."""
+    path = shutil.which("trivy")
+    return (path, "installed") if path else (None, "not_found")
+
+
+def get_playwright() -> Tuple[bool, str]:
+    """Check whether Playwright is usable (Python package installed)."""
+    try:
+        import playwright  # noqa: F401
+        return True, "installed"
+    except ImportError:
+        return False, "not_found"
+
+
+def get_puppeteer() -> Tuple[bool, str]:
+    """Check whether puppeteer (npx) is available for screenshot fallback."""
+    try:
+        result = subprocess.run(
+            ["npx", "puppeteer", "--version"],
+            capture_output=True,
+            timeout=15,
+        )
+        return (True, "installed") if result.returncode == 0 else (False, "not_found")
+    except Exception:
+        return False, "not_found"

package/gateway/ai/ledger_manager.py

@@ -91,10 +91,54 @@ def _register_venture(info: Dict[str, str]):
         VENTURES_FILE.write_text(json.dumps(ventures, indent=2))
 
 
+CENTRAL_LEDGER_DIR = Path.home() / ".delimit" / "ledger"
+
+
+def _detect_model() -> str:
+    """Auto-detect which AI model is running this session.
+
+    Checks environment variables set by various AI coding assistants:
+    - CLAUDE_MODEL / CLAUDE_CODE_MODEL: Claude Code
+    - CODEX_MODEL: OpenAI Codex CLI
+    - GEMINI_MODEL: Gemini CLI
+    - MCP_CLIENT_NAME: Generic MCP client identifier
+    Falls back to "unknown" if none are set.
+    """
+    # Claude Code
+    for var in ("CLAUDE_MODEL", "CLAUDE_CODE_MODEL"):
+        val = os.environ.get(var)
+        if val:
+            return val
+
+    # OpenAI Codex
+    val = os.environ.get("CODEX_MODEL")
+    if val:
+        return val
+
+    # Gemini
+    val = os.environ.get("GEMINI_MODEL")
+    if val:
+        return val
+
+    # Generic MCP client
+    val = os.environ.get("MCP_CLIENT_NAME")
+    if val:
+        return val
+
+    return "unknown"
+
+
 def _project_ledger_dir(project_path: str = ".") -> Path:
-    """Get the ledger directory for the current project."""
-    p = Path(project_path).resolve()
-    return p / ".delimit" / "ledger"
+    """Get the ledger directory — ALWAYS uses central ~/.delimit/ledger/.
+
+    Cross-model handoff fix: Codex and Gemini were writing to $PWD/.delimit/ledger/
+    which caused ledger fragmentation. All models must use the same central location
+    so Claude, Codex, and Gemini see the same items.
+
+    The central ledger at ~/.delimit/ledger/ is the source of truth.
+    Per-project .delimit/ dirs are for policies and config only, not ledger state.
+    """
+    return CENTRAL_LEDGER_DIR
 
 
 def _ensure(project_path: str = "."):
@@ -151,6 +195,7 @@ def add_item(
     context: str = "",
     tools_needed: Optional[List[str]] = None,
     estimated_complexity: str = "",
+    worked_by: str = "",
 ) -> Dict[str, Any]:
     """Add a new item to the project's strategy or operational ledger.
 
@@ -181,6 +226,7 @@ def add_item(
         "venture": venture["name"],
         "status": "open",
         "tags": tags or [],
+        "worked_by": worked_by or _detect_model(),
     }
     # LED-189: Optional acceptance criteria
     if acceptance_criteria:
@@ -234,6 +280,7 @@ def update_item(
     blocked_by: Optional[str] = None,
     blocks: Optional[str] = None,
     project_path: str = ".",
+    worked_by: str = "",
 ) -> Dict[str, Any]:
     """Update an existing ledger item's fields."""
     _ensure(project_path)
@@ -271,6 +318,7 @@ def update_item(
             "id": item_id,
             "type": "update",
             "updated_at": time.strftime("%Y-%m-%dT%H:%M:%SZ"),
+            "worked_by": worked_by or _detect_model(),
         }
         if status:
             update["status"] = status
@@ -338,6 +386,8 @@ def list_items(
                         state[item_id]["last_note"] = item["note"]
                     if "priority" in item:
                         state[item_id]["priority"] = item["priority"]
+                    if "worked_by" in item:
+                        state[item_id]["last_worked_by"] = item["worked_by"]
                     state[item_id]["updated_at"] = item.get("updated_at")
             else:
                 state[item_id] = {**item}

package/gateway/ai/license.py

@@ -14,6 +14,9 @@ try:
         check_premium as is_premium,
         gate_tool as require_premium,
         activate as activate_license,
+        needs_revalidation,
+        revalidate_license,
+        is_license_valid,
         PRO_TOOLS as _CORE_PRO_TOOLS,
         FREE_TRIAL_LIMITS,
     )
@@ -78,17 +81,114 @@ except ImportError:
     })
     FREE_TRIAL_LIMITS = {"delimit_deliberate": 3}
 
+    REVALIDATION_INTERVAL = 30 * 86400  # 30 days
+    GRACE_PERIOD = 7 * 86400
+    HARD_BLOCK = 14 * 86400
+
     def get_license() -> dict:
         if not LICENSE_FILE.exists():
             return {"tier": "free", "valid": True}
         try:
-            return json.loads(LICENSE_FILE.read_text())
+            data = json.loads(LICENSE_FILE.read_text())
+            if data.get("expires_at") and data["expires_at"] < time.time():
+                return {"tier": "free", "valid": True, "expired": True}
+            if data.get("tier") in ("pro", "enterprise") and data.get("valid"):
+                if needs_revalidation(data):
+                    result = revalidate_license(data)
+                    data = result["updated_data"]
+                    if result["status"] == "expired":
+                        return {"tier": "free", "valid": True, "revoked": True,
+                                "reason": result.get("reason", "License expired.")}
+            return data
         except Exception:
             return {"tier": "free", "valid": True}
 
+    def needs_revalidation(data: dict) -> bool:
+        if data.get("tier") not in ("pro", "enterprise"):
+            return False
+        last_validated = data.get("last_validated_at", data.get("activated_at", 0))
+        if last_validated == 0:
+            return True
+        return (time.time() - last_validated) > REVALIDATION_INTERVAL
+
+    def revalidate_license(data: dict) -> dict:
+        import hashlib
+        import urllib.request
+        key = data.get("key", "")
+        if not key or key.startswith("JAMSONS"):
+            data["last_validated_at"] = time.time()
+            data["validation_status"] = "current"
+            _write_license(data)
+            return {"status": "valid", "updated_data": data}
+
+        last_validated = data.get("last_validated_at", data.get("activated_at", 0))
+        elapsed = time.time() - last_validated
+        machine_hash = data.get("machine_hash", hashlib.sha256(str(Path.home()).encode()).hexdigest()[:16])
+
+        api_valid = None
+        try:
+            req_data = json.dumps({"license_key": key, "instance_name": machine_hash}).encode()
+            req = urllib.request.Request(
+                "https://api.lemonsqueezy.com/v1/licenses/validate",
+                data=req_data,
+                headers={"Content-Type": "application/json", "Accept": "application/json"},
+                method="POST",
+            )
+            with urllib.request.urlopen(req, timeout=10) as resp:
+                result = json.loads(resp.read())
+            api_valid = result.get("valid", False)
+        except Exception:
+            api_valid = None
+
+        if api_valid is True:
+            data["last_validated_at"] = time.time()
+            data["validation_status"] = "current"
+            data.pop("grace_days_remaining", None)
+            _write_license(data)
+            return {"status": "valid", "updated_data": data}
+
+        if elapsed > REVALIDATION_INTERVAL + HARD_BLOCK:
+            data["validation_status"] = "expired"
+            data["valid"] = False
+            _write_license(data)
+            return {"status": "expired", "updated_data": data,
+                    "reason": "License expired — no successful re-validation in 44 days."}
+
+        if elapsed > REVALIDATION_INTERVAL + GRACE_PERIOD:
+            days_left = max(0, int((REVALIDATION_INTERVAL + HARD_BLOCK - elapsed) / 86400))
+            data["validation_status"] = "grace_period"
+            data["grace_days_remaining"] = days_left
+            _write_license(data)
+            return {"status": "grace", "updated_data": data, "grace_days_remaining": days_left}
+
+        data["validation_status"] = "revalidation_pending"
+        _write_license(data)
+        return {"status": "grace", "updated_data": data}
+
+    def is_license_valid(data: dict) -> bool:
+        if data.get("tier") not in ("pro", "enterprise"):
+            return False
+        if not data.get("valid", False):
+            return False
+        key = data.get("key", "")
+        if key.startswith("JAMSONS"):
+            return True
+        last_validated = data.get("last_validated_at", data.get("activated_at", 0))
+        if last_validated == 0:
+            return True
+        elapsed = time.time() - last_validated
+        return elapsed <= (REVALIDATION_INTERVAL + HARD_BLOCK)
+
+    def _write_license(data: dict) -> None:
+        try:
+            LICENSE_FILE.parent.mkdir(parents=True, exist_ok=True)
+            LICENSE_FILE.write_text(json.dumps(data, indent=2))
+        except Exception:
+            pass
+
     def is_premium() -> bool:
         lic = get_license()
-        return lic.get("tier") in ("pro", "enterprise") and lic.get("valid", False)
+        return is_license_valid(lic)
 
     def require_premium(tool_name: str) -> dict | None:
         full_name = tool_name if tool_name.startswith("delimit_") else f"delimit_{tool_name}"
@@ -121,7 +221,8 @@ except ImportError:
         # Store key for offline validation
         license_data = {
             "key": key, "tier": "pro", "valid": True,
-            "activated_at": time.time(), "validated_via": "offline_fallback",
+            "activated_at": time.time(), "last_validated_at": time.time(),
+            "validated_via": "offline_fallback",
         }
         LICENSE_FILE.parent.mkdir(parents=True, exist_ok=True)
         LICENSE_FILE.write_text(json.dumps(license_data, indent=2))