delimit-cli 4.1.50 → 4.1.52

package/CHANGELOG.md

@@ -1,5 +1,36 @@
 # Changelog
 
+## [4.1.52] - 2026-04-10
+
+### Fixed (exit shim reporting zeros)
+- **Git commit count always zero** — `git log --after="$SESSION_START"` was passing a raw epoch integer. Git's `--after` needs `@` prefix for epoch time (`--after="@$SESSION_START"`).
+- **Ledger item count always zero** — the awk script matched any line with a `created_at` field but never compared the timestamp against the session start. Now converts `SESSION_START` to ISO format and uses string comparison to count only items created during the session.
+- **Deliberation count always zero** — looked for a `deliberations.jsonl` file that doesn't exist. Deliberations are stored as individual JSON files in `~/.delimit/deliberations/`. Now uses `find -newermt "@$SESSION_START"` to count files created during the session.
+
+### Tests
+- 134/134 npm CLI tests passing (no test changes — shell template fix only).
+
+## [4.1.51] - 2026-04-09
+
+### Fixed (gateway loop engine — LED-814)
+- **`ai/loop_engine.run_governed_iteration` mishandled swarm dispatch statuses.** Only `status=='completed'` was treated as success. The swarm dispatcher returns `'dispatched'` for async handoff, so every build-loop tick fell into the failure branch and logged "Dispatch failed" even though the underlying work shipped. Session `build-loop-2026-04-09` accumulated 6 spurious failures (LED-787 / 788 / 755 / 762 / 799 / 807) for tasks that all actually shipped. Now:
+  - `'completed'` → close ledger + notify deploy loop (unchanged)
+  - `'dispatched'` → mark ledger `in_progress` with the swarm `task_id`, NOT a failure
+  - `'blocked'` → record a founder-approval gate without tripping the circuit breaker
+  - anything else → genuine failure, error message includes the unexpected status string for debuggability
+- Verified live against the running MCP session before this release: `iterations 6→7`, `errors 0`, `LED-814` recorded as `dispatched` with `swarm_task_id task-449ecdf9`.
+- Picked up via the standard `npm run sync-gateway` step in `prepublishOnly` (gateway commit `ce802cd` is now on `delimit-ai/delimit-gateway` main).
+
+### Added
+- **`tests/test_loop_engine_dispatch_status.py`** in the gateway — covers all four dispatch status branches (`completed` / `dispatched` / `blocked` / unknown), 154 lines, ships with the bundled gateway.
+
+### Scope
+- Single-purpose patch: gateway loop engine only. This is the deferred half of the multi-model deliberation that produced 4.1.50 — the deliberation explicitly required splitting the gateway fix from the CLAUDE.md regex fix so each ship has a clean rollback story.
+
+### Tests
+- npm CLI: 134/134 still passing (no CLI changes — bundled gateway only).
+- Gateway: new `test_loop_engine_dispatch_status.py` suite passing.
+
 ## [4.1.50] - 2026-04-09
 
 ### Fixed (CRITICAL — CLAUDE.md in-prose marker clobber)

package/bin/delimit-setup.js

@@ -780,24 +780,24 @@ delimit_exit_screen() {
     else
         DURATION="\${ELAPSED}s"
     fi
-    # Count git commits made during session
+    # Count git commits made during session (@ prefix tells git the value is epoch)
     COMMITS=0
     if [ -d "\$SESSION_CWD/.git" ] || git -C "\$SESSION_CWD" rev-parse --git-dir >/dev/null 2>&1; then
-        COMMITS=\$(git -C "\$SESSION_CWD" log --oneline --after="\$SESSION_START" --format="%H" 2>/dev/null | wc -l | tr -d ' ')
+        COMMITS=\$(git -C "\$SESSION_CWD" log --oneline --after="@\$SESSION_START" --format="%H" 2>/dev/null | wc -l | tr -d ' ')
     fi
     # Count ledger items created during session (by timestamp)
     LEDGER_DIR="\$DELIMIT_HOME/ledger"
     LEDGER_ITEMS=0
-    if [ -d "\$LEDGER_DIR" ]; then
+    # Convert epoch SESSION_START to ISO prefix for string comparison
+    SESSION_ISO=\$(date -u -d "@\$SESSION_START" +%Y-%m-%dT%H:%M:%S 2>/dev/null || date -u -r "\$SESSION_START" +%Y-%m-%dT%H:%M:%S 2>/dev/null || echo "")
+    if [ -d "\$LEDGER_DIR" ] && [ -n "\$SESSION_ISO" ]; then
         for lf in "\$LEDGER_DIR"/*.jsonl; do
             [ -f "\$lf" ] || continue
-            COUNT=\$(awk -v start="\$SESSION_START" '
+            COUNT=\$(awk -v start="\$SESSION_ISO" '
                 BEGIN { n=0 }
                 {
-                    if (match(\$0, /"(created_at|ts)":"[0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2}/)) {
-                        n++
-                    } else if (match(\$0, /"(created_at|ts)":([0-9]+)/, arr)) {
-                        if (arr[2]+0 >= start+0) n++
+                    if (match(\$0, /"created_at":"([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2})"/, arr)) {
+                        if (arr[1] >= start) n++
                     }
                 }
                 END { print n }
@@ -805,14 +805,11 @@ delimit_exit_screen() {
             LEDGER_ITEMS=\$((LEDGER_ITEMS + COUNT))
         done
     fi
-    # Count deliberations (governance decisions)
+    # Count deliberations created during this session (stored as individual JSON files)
     DELIBERATIONS=0
-    if [ -f "\$DELIMIT_HOME/deliberations.jsonl" ]; then
-        DELIBERATIONS=\$(awk -v start="\$SESSION_START" '
-            BEGIN { n=0 }
-            { if (match(\$0, /"ts":([0-9]+)/, arr)) { if (arr[1]+0 >= start+0) n++ } }
-            END { print n }
-        ' "\$DELIMIT_HOME/deliberations.jsonl" 2>/dev/null || echo "0")
+    DELIB_DIR="\$DELIMIT_HOME/deliberations"
+    if [ -d "\$DELIB_DIR" ]; then
+        DELIBERATIONS=\$(find "\$DELIB_DIR" -maxdepth 1 -name '*.json' -newermt "@\$SESSION_START" 2>/dev/null | wc -l | tr -d ' ')
     fi
     # Determine exit status label
     if [ "\$_EXIT_CODE" -eq 0 ]; then

package/gateway/ai/backends/gateway_core.py

@@ -23,10 +23,11 @@ if str(GATEWAY_ROOT) not in sys.path:
 
 
 def _load_specs(spec_path: str) -> Dict[str, Any]:
-    """Load an OpenAPI spec from a file path.
+    """Load an API spec (OpenAPI or JSON Schema) from a file path.
 
     Performs a non-fatal version compatibility check (LED-290) so that
     unknown OpenAPI versions log a warning instead of silently parsing.
+    JSON Schema documents skip the OpenAPI version assert.
     """
     import yaml
 
@@ -41,15 +42,146 @@ def _load_specs(spec_path: str) -> Dict[str, Any]:
         spec = json.loads(content)
 
     # LED-290: warn (non-fatal) if version is outside the validated set.
+    # Only applies to OpenAPI/Swagger documents — bare JSON Schema files
+    # have no "openapi"/"swagger" key and would otherwise trip the assert.
     try:
-        from core.openapi_version import assert_supported
-        assert_supported(spec, strict=False)
+        if isinstance(spec, dict) and ("openapi" in spec or "swagger" in spec):
+            from core.openapi_version import assert_supported
+            assert_supported(spec, strict=False)
     except Exception as exc:  # pragma: no cover -- defensive only
         logger.debug("openapi version check skipped: %s", exc)
 
     return spec
 
 
+# ---------------------------------------------------------------------------
+# LED-713: JSON Schema spec-type dispatch helpers
+# ---------------------------------------------------------------------------
+
+
+def _spec_type(doc: Any) -> str:
+    """Classify a loaded spec doc. 'openapi' or 'json_schema'."""
+    from core.spec_detector import detect_spec_type
+    t = detect_spec_type(doc)
+    # Fallback to openapi for unknown so we never break existing flows.
+    return "json_schema" if t == "json_schema" else "openapi"
+
+
+def _json_schema_changes_to_dicts(changes: List[Any]) -> List[Dict[str, Any]]:
+    return [
+        {
+            "type": c.type.value,
+            "path": c.path,
+            "message": c.message,
+            "is_breaking": c.is_breaking,
+            "details": c.details,
+        }
+        for c in changes
+    ]
+
+
+def _json_schema_semver(changes: List[Any]) -> Dict[str, Any]:
+    """Build an OpenAPI-compatible semver result from JSON Schema changes.
+
+    Mirrors core.semver_classifier.classify_detailed shape so downstream
+    consumers (PR comment, CI formatter, ledger) don't need to branch.
+    """
+    breaking = [c for c in changes if c.is_breaking]
+    non_breaking = [c for c in changes if not c.is_breaking]
+    if breaking:
+        bump = "major"
+    elif non_breaking:
+        bump = "minor"
+    else:
+        bump = "none"
+    return {
+        "bump": bump,
+        "is_breaking": bool(breaking),
+        "counts": {
+            "breaking": len(breaking),
+            "non_breaking": len(non_breaking),
+            "total": len(changes),
+        },
+    }
+
+
+def _bump_semver_version(current: str, bump: str) -> Optional[str]:
+    """Minimal semver bump for JSON Schema path (core.semver_classifier
+    only understands OpenAPI ChangeType enums)."""
+    if not current:
+        return None
+    try:
+        parts = current.lstrip("v").split(".")
+        major, minor, patch = (int(parts[0]), int(parts[1]), int(parts[2]))
+    except Exception:
+        return None
+    if bump == "major":
+        return f"{major + 1}.0.0"
+    if bump == "minor":
+        return f"{major}.{minor + 1}.0"
+    if bump == "patch":
+        return f"{major}.{minor}.{patch + 1}"
+    return current
+
+
+def _run_json_schema_lint(
+    old_doc: Dict[str, Any],
+    new_doc: Dict[str, Any],
+    current_version: Optional[str] = None,
+    api_name: Optional[str] = None,
+) -> Dict[str, Any]:
+    """Build an evaluate_with_policy-compatible result for JSON Schema.
+
+    Policy rules in Delimit are defined against OpenAPI ChangeType values,
+    so they do not apply here. We return zero violations and rely on the
+    breaking-change count + semver bump to drive the governance gate.
+    """
+    from core.json_schema_diff import JSONSchemaDiffEngine
+
+    engine = JSONSchemaDiffEngine()
+    changes = engine.compare(old_doc, new_doc)
+    semver = _json_schema_semver(changes)
+
+    if current_version:
+        semver["current_version"] = current_version
+        semver["next_version"] = _bump_semver_version(current_version, semver["bump"])
+
+    breaking_count = semver["counts"]["breaking"]
+    total = semver["counts"]["total"]
+
+    decision = "pass"
+    exit_code = 0
+    # No policy rules apply to JSON Schema, but breaking changes still
+    # flag MAJOR semver and the downstream gate uses that to block.
+    # Mirror the shape of evaluate_with_policy so the action/CLI renderers
+    # need no JSON Schema-specific branch.
+    result: Dict[str, Any] = {
+        "spec_type": "json_schema",
+        "api_name": api_name or new_doc.get("title") or old_doc.get("title") or "JSON Schema",
+        "decision": decision,
+        "exit_code": exit_code,
+        "violations": [],
+        "summary": {
+            "total_changes": total,
+            "breaking_changes": breaking_count,
+            "violations": 0,
+            "errors": 0,
+            "warnings": 0,
+        },
+        "all_changes": [
+            {
+                "type": c.type.value,
+                "path": c.path,
+                "message": c.message,
+                "is_breaking": c.is_breaking,
+            }
+            for c in changes
+        ],
+        "semver": semver,
+    }
+    return result
+
+
 def _read_jsonl(path: Path) -> List[Dict[str, Any]]:
     """Read JSONL entries from a file, skipping malformed lines."""
     items: List[Dict[str, Any]] = []
@@ -115,29 +247,51 @@ def run_lint(old_spec: str, new_spec: str, policy_file: Optional[str] = None) ->
     """Run the full lint pipeline: diff + policy evaluation.
 
     This is the Tier 1 primary tool — combines diff detection with
-    policy enforcement into a single pass/fail decision.
+    policy enforcement into a single pass/fail decision. Auto-detects
+    spec type (OpenAPI vs JSON Schema, LED-713) and dispatches to the
+    matching engine.
     """
     from core.policy_engine import evaluate_with_policy
 
     old = _load_specs(old_spec)
     new = _load_specs(new_spec)
 
+    # LED-713: JSON Schema dispatch. Policy rules are OpenAPI-specific,
+    # so JSON Schema takes the no-policy (breaking-count + semver) path.
+    if _spec_type(new) == "json_schema" or _spec_type(old) == "json_schema":
+        return _run_json_schema_lint(old, new)
+
     return evaluate_with_policy(old, new, policy_file)
 
 
 def run_diff(old_spec: str, new_spec: str) -> Dict[str, Any]:
-    """Run diff engine only — no policy evaluation."""
-    from core.diff_engine_v2 import OpenAPIDiffEngine
+    """Run diff engine only — no policy evaluation.
 
+    Auto-detects OpenAPI vs JSON Schema and dispatches (LED-713).
+    """
     old = _load_specs(old_spec)
     new = _load_specs(new_spec)
 
+    if _spec_type(new) == "json_schema" or _spec_type(old) == "json_schema":
+        from core.json_schema_diff import JSONSchemaDiffEngine
+        engine = JSONSchemaDiffEngine()
+        changes = engine.compare(old, new)
+        breaking = [c for c in changes if c.is_breaking]
+        return {
+            "spec_type": "json_schema",
+            "total_changes": len(changes),
+            "breaking_changes": len(breaking),
+            "changes": _json_schema_changes_to_dicts(changes),
+        }
+
+    from core.diff_engine_v2 import OpenAPIDiffEngine
     engine = OpenAPIDiffEngine()
     changes = engine.compare(old, new)
 
     breaking = [c for c in changes if c.is_breaking]
 
     return {
+        "spec_type": "openapi",
         "total_changes": len(changes),
         "breaking_changes": len(breaking),
         "changes": [
@@ -164,13 +318,20 @@ def run_changelog(
     Uses the diff engine to detect changes, then formats them into
     a human-readable changelog grouped by category.
     """
-    from core.diff_engine_v2 import OpenAPIDiffEngine
     from datetime import datetime, timezone
 
     old = _load_specs(old_spec)
     new = _load_specs(new_spec)
 
-    engine = OpenAPIDiffEngine()
+    # LED-713: dispatch on spec type. JSONSchemaChange / Change share the
+    # (.type.value, .path, .message, .is_breaking) duck type.
+    if _spec_type(new) == "json_schema" or _spec_type(old) == "json_schema":
+        from core.json_schema_diff import JSONSchemaDiffEngine
+        engine = JSONSchemaDiffEngine()
+    else:
+        from core.diff_engine_v2 import OpenAPIDiffEngine
+        engine = OpenAPIDiffEngine()
+
     changes = engine.compare(old, new)
 
     # Categorize changes
@@ -808,14 +969,26 @@ def run_semver(
     """Classify the semver bump for a spec change.
 
     Returns detailed breakdown: bump level, per-category counts,
-    and optionally the bumped version string.
+    and optionally the bumped version string. Auto-detects OpenAPI vs
+    JSON Schema (LED-713).
     """
-    from core.diff_engine_v2 import OpenAPIDiffEngine
-    from core.semver_classifier import classify_detailed, bump_version, classify
-
     old = _load_specs(old_spec)
     new = _load_specs(new_spec)
 
+    # LED-713: JSON Schema path
+    if _spec_type(new) == "json_schema" or _spec_type(old) == "json_schema":
+        from core.json_schema_diff import JSONSchemaDiffEngine
+        engine = JSONSchemaDiffEngine()
+        changes = engine.compare(old, new)
+        result = _json_schema_semver(changes)
+        if current_version:
+            result["current_version"] = current_version
+            result["next_version"] = _bump_semver_version(current_version, result["bump"])
+        return result
+
+    from core.diff_engine_v2 import OpenAPIDiffEngine
+    from core.semver_classifier import classify_detailed, bump_version, classify
+
     engine = OpenAPIDiffEngine()
     changes = engine.compare(old, new)
     result = classify_detailed(changes)
@@ -946,7 +1119,6 @@ def run_diff_report(
     """
     from datetime import datetime, timezone
 
-    from core.diff_engine_v2 import OpenAPIDiffEngine
     from core.policy_engine import PolicyEngine
     from core.semver_classifier import classify_detailed, classify
     from core.spec_health import score_spec
@@ -955,6 +1127,43 @@ def run_diff_report(
     old = _load_specs(old_spec)
     new = _load_specs(new_spec)
 
+    # LED-713: JSON Schema dispatch — short-circuit to a minimal report
+    # shape compatible with the JSON renderer (HTML renderer remains
+    # OpenAPI-only; JSON Schema callers should use fmt="json").
+    if _spec_type(new) == "json_schema" or _spec_type(old) == "json_schema":
+        from core.json_schema_diff import JSONSchemaDiffEngine
+        js_engine = JSONSchemaDiffEngine()
+        js_changes = js_engine.compare(old, new)
+        js_breaking = [c for c in js_changes if c.is_breaking]
+        js_semver = _json_schema_semver(js_changes)
+        now_js = datetime.now(timezone.utc)
+        return {
+            "format": fmt,
+            "spec_type": "json_schema",
+            "generated_at": now_js.isoformat(),
+            "old_spec": old_spec,
+            "new_spec": new_spec,
+            "old_title": old.get("title", "") if isinstance(old, dict) else "",
+            "new_title": new.get("title", "") if isinstance(new, dict) else "",
+            "semver": js_semver,
+            "changes": _json_schema_changes_to_dicts(js_changes),
+            "breaking_count": len(js_breaking),
+            "non_breaking_count": len(js_changes) - len(js_breaking),
+            "total_changes": len(js_changes),
+            "policy": {
+                "decision": "pass",
+                "violations": [],
+                "errors": 0,
+                "warnings": 0,
+            },
+            "health": None,
+            "migration": "",
+            "output_file": output_file,
+            "note": "JSON Schema report (policy rules and HTML report are OpenAPI-only in v1)",
+        }
+
+    from core.diff_engine_v2 import OpenAPIDiffEngine
+
     # -- Diff --
     engine = OpenAPIDiffEngine()
     changes = engine.compare(old, new)

package/gateway/ai/backends/repo_bridge.py

@@ -158,21 +158,80 @@ def config_audit(target: str = ".", options: Optional[Dict] = None) -> Dict[str,
 # ─── EvidencePack ───────────────────────────────────────────────────────
 
 def evidence_collect(target: str = ".", options: Optional[Dict] = None) -> Dict[str, Any]:
-    """Collect project evidence: git log, test files, configs, governance data."""
-    import subprocess, time as _time
-    root = Path(target).resolve()
-    evidence: Dict[str, Any] = {"collected_at": _time.time(), "target": str(root)}
-    # Git log
-    try:
-        r = subprocess.run(["git", "-C", str(root), "log", "--oneline", "-10"], capture_output=True, text=True, timeout=10)
-        evidence["git_log"] = r.stdout.strip().splitlines() if r.returncode == 0 else []
-    except Exception:
+    """Collect project evidence: git log, test files, configs, governance data.
+
+    Accepts either a local filesystem path (repo directory) or a remote
+    reference (GitHub URL, owner/repo#N, or any non-filesystem string).
+    Remote targets skip the filesystem walk and store reference metadata.
+    """
+    import re
+    import subprocess
+    import time as _time
+
+    opts = options or {}
+    evidence_type = opts.get("evidence_type", "")
+
+    # Detect non-filesystem targets: URLs, owner/repo#N, bare issue refs, etc.
+    is_remote = (
+        "://" in target
+        or target.startswith("http")
+        or re.match(r"^[\w.-]+/[\w.-]+#\d+$", target) is not None
+        or "#" in target
+    )
+
+    evidence: Dict[str, Any] = {"collected_at": _time.time(), "target": target}
+    if evidence_type:
+        evidence["evidence_type"] = evidence_type
+
+    if is_remote:
+        # Remote/reference target — no filesystem walk, just record metadata.
+        evidence["target_type"] = "remote"
         evidence["git_log"] = []
-    # Test files
-    test_dirs = [d for d in ["tests", "test", "__tests__", "spec"] if (root / d).exists()]
-    evidence["test_directories"] = test_dirs
-    # Configs
-    evidence["configs"] = [f.name for f in root.iterdir() if f.is_file() and (f.suffix in [".json", ".yaml", ".yml", ".toml"] or f.name.startswith("."))]
+        evidence["test_directories"] = []
+        evidence["configs"] = []
+        m = re.match(r"^([\w.-]+)/([\w.-]+)#(\d+)$", target)
+        if m:
+            evidence["repo"] = f"{m.group(1)}/{m.group(2)}"
+            evidence["issue_number"] = int(m.group(3))
+    else:
+        root = Path(target).resolve()
+        evidence["target"] = str(root)
+        evidence["target_type"] = "local"
+
+        if not root.exists():
+            return {
+                "tool": "evidence.collect",
+                "status": "error",
+                "error": "target_not_found",
+                "message": f"Path {root} does not exist. For remote targets, pass a URL or owner/repo#N.",
+                "target": target,
+            }
+
+        # Git log (safe for non-git dirs)
+        try:
+            r = subprocess.run(
+                ["git", "-C", str(root), "log", "--oneline", "-10"],
+                capture_output=True, text=True, timeout=10,
+            )
+            evidence["git_log"] = r.stdout.strip().splitlines() if r.returncode == 0 else []
+        except Exception:
+            evidence["git_log"] = []
+
+        # Test dirs + configs (only if target is a directory)
+        if root.is_dir():
+            test_dirs = [d for d in ["tests", "test", "__tests__", "spec"] if (root / d).exists()]
+            evidence["test_directories"] = test_dirs
+            try:
+                evidence["configs"] = [
+                    f.name for f in root.iterdir()
+                    if f.is_file() and (f.suffix in [".json", ".yaml", ".yml", ".toml"] or f.name.startswith("."))
+                ]
+            except (PermissionError, OSError):
+                evidence["configs"] = []
+        else:
+            evidence["test_directories"] = []
+            evidence["configs"] = []
+
     # Save bundle
     ev_dir = Path(os.environ.get("DELIMIT_HOME", str(Path.home() / ".delimit"))) / "evidence"
     ev_dir.mkdir(parents=True, exist_ok=True)
@@ -180,8 +239,13 @@ def evidence_collect(target: str = ".", options: Optional[Dict] = None) -> Dict[
     bundle_path = ev_dir / f"{bundle_id}.json"
     evidence["bundle_id"] = bundle_id
     bundle_path.write_text(json.dumps(evidence, indent=2))
-    return {"tool": "evidence.collect", "status": "ok", "bundle_id": bundle_id,
-            "bundle_path": str(bundle_path), "summary": {k: len(v) if isinstance(v, list) else v for k, v in evidence.items()}}
+    return {
+        "tool": "evidence.collect",
+        "status": "ok",
+        "bundle_id": bundle_id,
+        "bundle_path": str(bundle_path),
+        "summary": {k: len(v) if isinstance(v, list) else v for k, v in evidence.items()},
+    }
 
 
 def evidence_verify(bundle_id: Optional[str] = None, bundle_path: Optional[str] = None, options: Optional[Dict] = None) -> Dict[str, Any]:

package/gateway/ai/backends/tools_infra.py

@@ -56,6 +56,10 @@ _CREDENTIAL_FALSE_POSITIVES = re.compile(
     r"change[_-]?me|TODO|FIXME|xxx+|\.{4,}|"
     r"\$\{|%\(|None|null|undefined|"
     r"test[_-]?(?:password|secret|token|key)|"
+    # Test fixture patterns — fake keys like hosted-key-1, user-key-2, sk-test, gem-test
+    r"hosted[_-]key[_-]?\d*|user[_-]key[_-]?\d*|"
+    r"(?:codex|gem|grok)[_-]test|sk[_-]test|"
+    r"bad[:\-]token|fake[_-]?(?:key|token|secret)|"
     # Demo/sample literal values used in docs, recordings, fixtures
     r"sk-ant-demo|sk-demo|AIza-demo|xai-demo|demo[_-]?(?:key|secret|token)|"
     r"-demo['\"]|"
@@ -63,7 +67,9 @@ _CREDENTIAL_FALSE_POSITIVES = re.compile(
     r"json\.loads|\.read_text\(|\.slice\(|"
     r"tokens\.get\(|token\s*=\s*_make_token|"
     # RHS that is a parameter reference like token=tokens.get("access_token"...
-    r"=\s*tokens\.get\()",
+    r"=\s*tokens\.get\(|"
+    # Dict index dereference: token_data["token"], result["secret"], etc.
+    r"_data\[|_result\[)",
     re.IGNORECASE,
 )