delimit-cli 4.1.53 → 4.3.0

package/CHANGELOG.md

@@ -1,5 +1,31 @@
 # Changelog
 
+## [4.2.0] - 2026-04-21
+
+### Added (gateway sync — LED-987 through LED-1008)
+- **Venture tagging (LED-1008)** — work orders, deliberations, and social drafts carry a canonical venture tag propagated through `save_draft` and the Supabase sync writers. `_normalize_venture` maps freeform strings (e.g., "DomainVested", "wire.report", "LT") to the canonical 4-member vocabulary (delimit / domainvested / wirereport / livetube). Unknown values pass through lowercased so they surface instead of dropping.
+- **Warm-window filter for social targets (LED-998)** — 72h window on X scans, 14d on reddit. Env-tunable via `DELIMIT_X_WARM_HOURS` and `DELIMIT_REDDIT_WARM_HOURS`. Fail-open on missing timestamps so parser bugs don't silently drop everything.
+- **X draft salvage (LED-997)** — `_try_trim_twitter_draft` trims LLM output at sentence boundary when it exceeds 3 sentences or 280 chars. Runs before the max-length check so a good-but-long draft becomes a good-and-short one instead of dying in the sanitizer. Proven live: salvaged a 626-char draft to 241 chars on the first post-deploy cycle.
+- **Reversible stale cleanup (LED-990)** — weekly systemd timer demotes blocked items to a cold lane after 30d instead of deleting. Ledger update restores cold → blocked/open with a single status flip. First-run safe with DRY_RUN=1.
+- **Warm-thread PR watcher (LED-989)** — 14-day warm window on outreach follow-ups; skip threads inactive longer than that. MAX_ACTIVE_THREADS=8 cap prevents dog-piling a single repository.
+- **Lemon Squeezy → Supabase reconciler (LED-996)** — trial watcher now polls LS every 6h and upserts subscription_status + role into the Supabase users table. Catches webhook drops without manual SQL intervention.
+- **ACTION_DENYLIST (LED-988)** — executor v2 gains an explicit denylist of prohibited action categories (money, legal/identity, credentials, deploy, contracts) that fires BEFORE the ACTION_SPEC whitelist check. Defense-in-depth against LLM-driven executor drift.
+- **Reddit residential-IP proxy (LED-987)** — scoped service bypasses 429s on reddit34.p.rapidapi.com by routing through a residential IP. Systemd-managed, auto-restart, rate-limited.
+- **propose_pr autonomous build primitive (LED-988)** — executor can propose PRs against an allowlisted repo set (`PROPOSE_PR_ALLOWED_REPOS`) with a fixed branch prefix (`delimit/`) and author (`delimit-bot`). Guarded by denylist + whitelist.
+
+### Fixed
+- **Exit-shim counter undercounting** — previously missed commits outside `SESSION_CWD` and dropped Z-suffixed timestamps; both now captured.
+- **Proprietary path leaks** — sync-gateway.sh EXCLUDE list hardened to keep Jamsons-portfolio-specific files (social.py, social_target.py, inbox_daemon.py, founding_users.py, deliberation.py) out of the npm bundle.
+
+### Tests
+- Gateway: 163/163 passing on changed-file tests (social.py, social_target.py, supabase_sync).
+- npm CLI: 134/134 passing (no CLI behavior changes — bundled gateway update).
+- Security audit: 0 real findings across gateway + UI (false positives only — test fixtures and TypeScript `token:` parameter types).
+
+### Notes
+- Companion dashboard changes at app.delimit.ai (LED-995 Billing + API Keys wiring, LED-997 Blocked drafts tab, LED-1008 venture chips + filters) shipped via delimit-ui/main.
+- Supabase migration 025 (venture TEXT column on 4 tables) applied separately via Management API.
+
 ## [4.1.53] - 2026-04-10
 
 ### Fixed (cycle engine — think→build→deploy)

package/README.md

@@ -16,8 +16,7 @@ The universal command for the Delimit Swarm. When you say **"Think and Build"**,
 Works across any configuration — from a single model on a budget to an enterprise swarm of 4+ models.
 
 [![npm](https://img.shields.io/npm/v/delimit-cli)](https://www.npmjs.com/package/delimit-cli)
-[![Tests](https://img.shields.io/badge/tests-123%20passing-brightgreen)](https://github.com/delimit-ai/delimit-mcp-server)
-[![MCP Tools](https://img.shields.io/badge/MCP%20tools-186-blue)](https://delimit.ai)
+[![Tests](https://img.shields.io/badge/tests-134%20passing-brightgreen)](https://github.com/delimit-ai/delimit-mcp-server)
 [![GitHub Action](https://img.shields.io/badge/GitHub%20Action-v1.6.0-blue)](https://github.com/marketplace/actions/delimit-api-governance)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 [![Glama](https://glama.ai/mcp/servers/delimit-ai/delimit/badge)](https://glama.ai/mcp/servers/delimit-ai/delimit)
@@ -70,6 +69,34 @@ npx delimit-cli init        # Sets up governance + drift baseline
 
 ---
 
+## What's New in v4.3
+
+*Gate every AI-assisted invocation. Ship the receipts.*
+
+- **`delimit wrap`** — pipe `claude -p`, `cursor`, `aider`, `codex`, or any AI-assisted CLI through a signed governance gate. Snapshots the git diff before/after, runs lint + tests, HMAC-signs an `att_*` attestation, emits a public replay URL. Advisory by default; `--enforce` blocks CI on policy violations; `--max-time <s>` is a kill switch that tags the attestation as a `liability_incident` and prints a cross-model handoff command.
+- **`delimit trust-page`** — renders a directory of attestations into a static HTML trust page + JSON Feed 1.1 feed. Single file, no framework, offline-renderable. Deploy anywhere.
+- **`delimit ai-sbom`** — aggregates attestations into a CycloneDX 1.6 bill-of-materials with AI-specific fields (detected models per vendor, tool-call surface, policy gate counts). Pipe straight into procurement.
+- **Cross-model by construction** — `wrap` is agnostic to the producer. Same attestation schema whether the pipe upstream is Claude Code, Cursor, Aider, Codex, or Gemini CLI. Switch producers without losing the audit chain.
+
+```bash
+# Gate any AI-assisted CLI
+delimit wrap -- claude -p "add tests for payments"
+#   → att_7d556843c84fb881 signed, replay: https://delimit.ai/att/att_7d556843c84fb881
+
+# Kill switch + handoff after 60s wall-clock
+delimit wrap --max-time 60 -- cursor edit "refactor auth middleware"
+#   → if killed: kind=liability_incident
+#   → suggested: delimit wrap -- claude -p "refactor auth middleware"
+
+# Render accumulated attestations as a public trust page
+delimit trust-page -o ./trust
+#   → ./trust/index.html (+ feed.json)
+
+# Build a CycloneDX-AI bill of materials
+delimit ai-sbom -o ./ai-sbom.json
+#   → components: 4 models detected, 187 gates run
+```
+
 ## What's New in v4.20
 
 *The highest state of AI governance.*
@@ -121,7 +148,7 @@ delimit deliberate "Should we build rate limiting in-house or use a managed serv
 - **Cross-Model Audit** -- 3 lenses (security, correctness, governance) with deterministic synthesis
 - **4-model deliberation** -- Claude + Grok + Gemini + Codex debate until consensus
 - **Universal Swarm Triggers** -- "Think and Build", "Keep building", "Ask Delimit"
-- **187 MCP tools** -- governance, context, shipping, observability, orchestration, and swarm
+- **Full governance toolkit** -- lint, diff, policy, evidence, drift, attestation, and swarm orchestration exposed as MCP tools and CLI subcommands
 
 ---
 
@@ -213,6 +240,10 @@ npx delimit-cli models --status                   # Show current model config
 npx delimit-cli status                           # Compact dashboard of your Delimit setup
 npx delimit-cli doctor                           # Check setup health
 npx delimit-cli uninstall --dry-run              # Preview removal
+npx delimit-cli wrap -- claude -p "..."          # Gate any AI-assisted CLI + signed attestation (v4.3)
+npx delimit-cli wrap --max-time 60 -- codex "..."# With kill switch + handoff on timeout
+npx delimit-cli trust-page -o ./trust            # Render attestations into a static trust page
+npx delimit-cli ai-sbom -o ./ai-sbom.json        # Build a CycloneDX-AI bill of materials
 ```
 
 ### What the MCP toolkit adds

package/bin/delimit-cli.js

@@ -5768,8 +5768,7 @@ program
             // Try to run deliberation directly via the gateway
             const HOME = process.env.HOME || require('os').homedir();
             const gatewayScript = path.join(HOME, '.delimit', 'server', 'ai', 'deliberation.py');
-            const gatewayAlt = '/home/delimit/delimit-gateway/ai/deliberation.py';
-            const scriptPath = fs.existsSync(gatewayScript) ? gatewayScript : fs.existsSync(gatewayAlt) ? gatewayAlt : null;
+            const scriptPath = fs.existsSync(gatewayScript) ? gatewayScript : null;
 
             if (scriptPath) {
                 console.log(chalk.dim('Running multi-model deliberation...\n'));
@@ -6114,6 +6113,155 @@ program
         console.log(require('../package.json').version);
     });
 
+// LED-1048: delimit wrap — gate any AI-assisted CLI with signed attestation + replay
+// Surface 1 CLI-pipe extension. Cross-model-agnostic (claude -p, cursor, aider, codex, ...).
+// Advisory by default; opt-in --enforce to block on policy violations.
+program
+    .command('wrap')
+    .description('Gate an AI-assisted CLI invocation with signed attestation (advisory-first)')
+    .argument('<cmd...>', 'The command to wrap (e.g. `claude -p "add tests"`)')
+    .option('--enforce', 'Block exit on policy violation (default: advisory)', false)
+    .option('--deliberate', 'Also run multi-model deliberation (advisory)', false)
+    .option('--no-attest', 'Skip attestation emission (dry run)')
+    .option('--max-time <seconds>', 'Kill switch: SIGKILL the wrapped command after N seconds (liability_incident attestation + handoff)', parseInt)
+    .option('--json', 'Output result as JSON', false)
+    .action(async (cmdParts, options) => {
+        const { runWrap, replayUrl } = require('../lib/wrap-engine');
+        try {
+            const result = await runWrap(cmdParts, {
+                enforce: !!options.enforce,
+                deliberate: !!options.deliberate,
+                attest: options.attest !== false,
+                maxTimeSeconds: options.maxTime || 0,
+                cwd: process.cwd(),
+            });
+
+            if (result.error === 'quota_exceeded') {
+                console.error(chalk.red(`\n  [wrap] ${result.message}\n`));
+                process.exit(1);
+                return;
+            }
+
+            if (options.json) {
+                console.log(JSON.stringify(result, null, 2));
+                process.exit(result.exit);
+                return;
+            }
+
+            console.log();
+            const banner = result.kind === 'liability_incident'
+                ? chalk.bold.red(`  delimit wrap — ${result.attestation_id || '(no attestation)'} [liability_incident]`)
+                : chalk.bold.cyan(`  delimit wrap — ${result.attestation_id || '(no attestation)'}`);
+            console.log(banner);
+            console.log(chalk.gray(`  wrapped exit: ${result.wrapped_exit}   mode: ${result.advisory ? 'advisory' : 'enforce'}   tier: ${result.tier || 'n/a'}`));
+            if (result.killed_by_timeout) {
+                console.log(chalk.yellow(`  ⚠ kill switch fired — wrapped command exceeded --max-time`));
+            }
+            if (result.gates.length) {
+                console.log();
+                for (const g of result.gates) {
+                    const tag = g.exit === undefined
+                        ? chalk.gray('·')
+                        : (g.exit === 0 ? chalk.green('✓') : chalk.red('✗'));
+                    const name = g.name + (g.runner ? ':' + g.runner : '') + (g.spec ? ':' + path.basename(g.spec) : '');
+                    const note = g.result ? ` (${g.result})` : '';
+                    console.log(`  ${tag} ${name}${note}`);
+                }
+            }
+            if (result.violations.length) {
+                console.log();
+                console.log(chalk.yellow(`  ${result.violations.length} violation(s):`));
+                for (const v of result.violations) console.log(chalk.yellow(`    - ${v}`));
+                if (result.advisory) console.log(chalk.gray('  advisory mode — wrap exit unaffected. Re-run with --enforce to block.'));
+            }
+            if (result.attestation_id) {
+                console.log();
+                console.log(chalk.gray(`  attestation: ${result.attestation_path || '(not saved)'}`));
+                console.log(chalk.gray(`  replay:      ${result.replay_url}`));
+            }
+            if (result.handoff_suggestion) {
+                console.log();
+                console.log(chalk.bold('  cross-model handoff suggestion:'));
+                console.log(`    ${chalk.cyan(result.handoff_suggestion.suggested_command)}`);
+                console.log(chalk.gray(`    (alternates: ${result.handoff_suggestion.alternates.join(', ')})`));
+            }
+            console.log();
+            process.exit(result.exit);
+        } catch (e) {
+            console.error(chalk.red(`\n  [wrap] ${e.message || e}\n`));
+            process.exit(1);
+        }
+    });
+
+// LED-1018 Venture #6 MVP: trust-page + ai-sbom subcommands
+// Render aggregated attestations (from `delimit wrap`) into a public static
+// trust page (HTML + JSON Feed) and a CycloneDX-AI bill of materials.
+program
+    .command('trust-page')
+    .description('Render attestations into a public trust page (static HTML + JSON feed)')
+    .option('-d, --dir <path>', 'Attestation directory', path.join(os.homedir(), '.delimit', 'attestations'))
+    .option('-o, --out <path>', 'Output directory', './trust-page')
+    .option('-t, --title <title>', 'Trust page title', 'Trust Page')
+    .option('--json', 'Output result as JSON', false)
+    .action(async (options) => {
+        const { renderTrustPage } = require('../lib/trust-page-engine');
+        try {
+            const result = renderTrustPage(options.dir, options.out, options.title);
+            if (options.json) {
+                console.log(JSON.stringify(result, null, 2));
+                return;
+            }
+            console.log();
+            console.log(chalk.bold.cyan(`  delimit trust-page`));
+            console.log(chalk.gray(`  source: ${options.dir}`));
+            console.log(chalk.gray(`  output: ${result.outDir}/`));
+            console.log(chalk.gray(`  attestations rendered: ${result.count}`));
+            console.log(chalk.gray(`  feed items: ${result.feed_items}   html bytes: ${result.html_bytes}`));
+            console.log();
+            console.log(chalk.bold(`  Open: ${path.resolve(result.outDir)}/index.html`));
+            console.log();
+        } catch (e) {
+            console.error(chalk.red(`\n  [trust-page] ${e.message || e}\n`));
+            process.exit(1);
+        }
+    });
+
+program
+    .command('ai-sbom')
+    .description('Build a CycloneDX-AI bill of materials from attestations')
+    .option('-d, --dir <path>', 'Attestation directory', path.join(os.homedir(), '.delimit', 'attestations'))
+    .option('-o, --out <path>', 'Output file', './ai-sbom.json')
+    .option('-n, --name <name>', 'BOM subject name', 'ai-sbom')
+    .option('-v, --package-version <v>', 'BOM subject version', '1.0.0')
+    .option('--json', 'Print the SBOM to stdout instead of writing to file', false)
+    .action(async (options) => {
+        const { buildAISBOM } = require('../lib/ai-sbom-engine');
+        try {
+            const { sbom, aggregate, attestation_count } = buildAISBOM(options.dir, {
+                name: options.name,
+                version: options.packageVersion,
+            });
+            if (options.json) {
+                console.log(JSON.stringify(sbom, null, 2));
+                return;
+            }
+            fs.writeFileSync(options.out, JSON.stringify(sbom, null, 2));
+            console.log();
+            console.log(chalk.bold.cyan(`  delimit ai-sbom`));
+            console.log(chalk.gray(`  source: ${options.dir}`));
+            console.log(chalk.gray(`  output: ${path.resolve(options.out)}`));
+            console.log(chalk.gray(`  attestations scanned: ${attestation_count}`));
+            console.log(chalk.gray(`  models detected:      ${aggregate.models.length}`));
+            console.log(chalk.gray(`  tool-call surface:    ${aggregate.tool_calls.length}`));
+            console.log(chalk.gray(`  total gates run:      ${aggregate.total_gates_run}`));
+            console.log(chalk.gray(`  total violations:     ${aggregate.total_violations}`));
+            console.log();
+        } catch (e) {
+            console.error(chalk.red(`\n  [ai-sbom] ${e.message || e}\n`));
+            process.exit(1);
+        }
+    });
+
 // Hide legacy/internal commands from --help
 ['install', 'mode', 'status', 'policy', 'auth', 'audit',
  'explain-decision', 'uninstall', 'proxy', 'hook'].forEach(name => {

package/bin/delimit-setup.js

@@ -780,15 +780,30 @@ delimit_exit_screen() {
     else
         DURATION="\${ELAPSED}s"
     fi
-    # Count git commits made during session (@ prefix tells git the value is epoch)
+    # Count git commits made during session. SESSION_CWD is captured at shim
+    # launch; commits made in other repos during the session would be missed.
+    # Scan a best-effort set of known roots plus the launch cwd.
     COMMITS=0
-    if [ -d "\$SESSION_CWD/.git" ] || git -C "\$SESSION_CWD" rev-parse --git-dir >/dev/null 2>&1; then
-        COMMITS=\$(git -C "\$SESSION_CWD" log --oneline --after="@\$SESSION_START" --format="%H" 2>/dev/null | wc -l | tr -d ' ')
-    fi
-    # Count ledger items created during session (by timestamp)
+    # Customer-facing: scan launch cwd, its parent, and common project roots.
+    # If an org or solo dev keeps multiple repos in \$HOME or \$HOME/code, commits
+    # there during a session get counted.
+    REPO_ROOTS="\$SESSION_CWD"
+    for parent in "\$SESSION_CWD/.." "\$HOME" "\$HOME/code" "\$HOME/src" "\$HOME/projects"; do
+        [ -d "\$parent" ] || continue
+        for d in "\$parent"/*/.git; do
+            [ -d "\$d" ] && REPO_ROOTS="\$REPO_ROOTS \$(dirname \$d)"
+        done
+    done
+    for r in \$REPO_ROOTS; do
+        [ -d "\$r/.git" ] || continue
+        C=\$(git -C "\$r" log --after="@\$SESSION_START" --format="%H" 2>/dev/null | wc -l | tr -d ' ')
+        COMMITS=\$((COMMITS + C))
+    done
+    # Count ledger items created during session (by timestamp).
+    # Ledger JSON is written with ": " (space) between key and value, and ISO
+    # timestamps end with "Z" (UTC), so the regex must tolerate both.
     LEDGER_DIR="\$DELIMIT_HOME/ledger"
     LEDGER_ITEMS=0
-    # Convert epoch SESSION_START to ISO prefix for string comparison
     SESSION_ISO=\$(date -u -d "@\$SESSION_START" +%Y-%m-%dT%H:%M:%S 2>/dev/null || date -u -r "\$SESSION_START" +%Y-%m-%dT%H:%M:%S 2>/dev/null || echo "")
     if [ -d "\$LEDGER_DIR" ] && [ -n "\$SESSION_ISO" ]; then
         for lf in "\$LEDGER_DIR"/*.jsonl; do
@@ -796,7 +811,7 @@ delimit_exit_screen() {
             COUNT=\$(awk -v start="\$SESSION_ISO" '
                 BEGIN { n=0 }
                 {
-                    if (match(\$0, /"created_at":"([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2})"/, arr)) {
+                    if (match(\$0, /"created_at"[[:space:]]*:[[:space:]]*"([0-9]{4}-[0-9]{2}-[0-9]{2}T[0-9]{2}:[0-9]{2}:[0-9]{2})Z?"/, arr)) {
                         if (arr[1] >= start) n++
                     }
                 }

package/gateway/ai/agent_dispatch.py

@@ -18,11 +18,38 @@ from typing import Any, Dict, List, Optional
 AGENTS_DIR = Path.home() / ".delimit" / "agents"
 TASKS_FILE = AGENTS_DIR / "tasks.json"
 AUDIT_FILE = AGENTS_DIR / "audit.jsonl"
+PAUSE_FILE = Path.home() / ".delimit" / "pause_dispatch"
 
 VALID_PRIORITIES = {"P0", "P1", "P2"}
 VALID_ASSIGNEES = {"claude", "codex", "gemini", "any"}
 VALID_STATUSES = {"dispatched", "in_progress", "done", "handed_off", "failed"}
 
+# LED-876: auto-pause when dead-letter queue depth (stuck 'dispatched' tasks)
+# hits this threshold. Prevents runaway dispatch when no workers are pulling.
+DLQ_AUTO_PAUSE_THRESHOLD = 20
+
+# LED-878: router table — resolves assignee='any' to a specific model at
+# dispatch time based on task_type. This eliminates the dead-letter 'any'
+# bucket without requiring a worker process to exist yet. The mapping is
+# deliberately conservative: if the task type is unknown, fall through to
+# gemini (cheapest, highest throughput) rather than pile onto claude.
+TASK_TYPE_ROUTER = {
+    # Outreach and social work — Gemini Flash is fast and cheap
+    "outreach": "gemini",
+    "social": "gemini",
+    "content": "gemini",
+    "sensor": "gemini",
+    # Engineering — Claude / Codex for code, Claude for governance
+    "fix": "claude",
+    "feat": "claude",
+    "refactor": "claude",
+    "test": "codex",
+    "research": "gemini",
+    "strategy": "gemini",
+    "deliberation": "claude",
+}
+ROUTER_DEFAULT_ASSIGNEE = "gemini"
+
 
 def _ensure_dir():
     """Create the agents directory if it doesn't exist."""
@@ -74,10 +101,62 @@ def dispatch_task(
     if not title or not title.strip():
         return {"error": "title is required"}
 
+    # LED-876: reject ghost "[VENTURE] Engage:  on x" titles with empty author
+    # slot. The social_target fix drops these at the scanner, but keep this as
+    # a belt-and-suspenders check since agent_dispatch has other callers too.
+    stripped = title.strip()
+    if "Engage:  on " in stripped or "Engage: on " in stripped:
+        return {"error": f"rejected ghost engage task with empty author: {stripped!r}"}
+
+    # LED-876: manual kill switch. Touch ~/.delimit/pause_dispatch to halt all
+    # dispatches instantly without touching loop_config. Remove the file to
+    # resume. Kept deliberately simple so it works from any shell.
+    if PAUSE_FILE.exists():
+        _append_audit({
+            "action": "dispatch_rejected_paused",
+            "title": stripped,
+            "reason": str(PAUSE_FILE),
+        })
+        return {"error": f"dispatch paused: {PAUSE_FILE} exists"}
+
+    # LED-876: automatic circuit breaker. If the DLQ (count of 'dispatched'
+    # tasks that never moved to in_progress/done/failed) exceeds the threshold,
+    # auto-create the pause file and reject. This stops the cycle from growing
+    # the queue unboundedly when workers aren't consuming.
+    existing_tasks = _load_tasks()
+    dlq_depth = sum(1 for t in existing_tasks.values() if t.get("status") == "dispatched")
+    if dlq_depth >= DLQ_AUTO_PAUSE_THRESHOLD:
+        PAUSE_FILE.parent.mkdir(parents=True, exist_ok=True)
+        PAUSE_FILE.write_text(
+            f"auto-paused at {time.strftime('%Y-%m-%dT%H:%M:%SZ')} "
+            f"(dlq_depth={dlq_depth} >= {DLQ_AUTO_PAUSE_THRESHOLD})\n"
+        )
+        _append_audit({
+            "action": "dispatch_auto_paused",
+            "dlq_depth": dlq_depth,
+            "threshold": DLQ_AUTO_PAUSE_THRESHOLD,
+        })
+        return {
+            "error": (
+                f"auto-paused: DLQ depth {dlq_depth} >= {DLQ_AUTO_PAUSE_THRESHOLD}. "
+                f"Clear stuck tasks then delete {PAUSE_FILE} to resume."
+            )
+        }
+
     assignee = assignee.lower().strip() if assignee else "any"
     if assignee not in VALID_ASSIGNEES:
         return {"error": f"assignee must be one of: {', '.join(sorted(VALID_ASSIGNEES))}"}
 
+    # LED-878: resolve 'any' to a specific model via the router table so
+    # tasks never land in a bucket no worker pulls from. The mapping uses
+    # task_type as the primary key; if unknown, falls through to the
+    # default (gemini — cheapest + highest throughput).
+    if assignee == "any":
+        tt = (task_type or "").lower().strip()
+        routed = TASK_TYPE_ROUTER.get(tt, ROUTER_DEFAULT_ASSIGNEE)
+        if routed in VALID_ASSIGNEES and routed != "any":
+            assignee = routed
+
     priority = priority.upper().strip() if priority else "P1"
     if priority not in VALID_PRIORITIES:
         return {"error": f"priority must be one of: {', '.join(sorted(VALID_PRIORITIES))}"}