delimit-cli 4.2.0 → 4.3.1

package/README.md

@@ -16,8 +16,7 @@ The universal command for the Delimit Swarm. When you say **"Think and Build"**,
 Works across any configuration — from a single model on a budget to an enterprise swarm of 4+ models.
 
 [![npm](https://img.shields.io/npm/v/delimit-cli)](https://www.npmjs.com/package/delimit-cli)
-[![Tests](https://img.shields.io/badge/tests-123%20passing-brightgreen)](https://github.com/delimit-ai/delimit-mcp-server)
-[![MCP Tools](https://img.shields.io/badge/MCP%20tools-186-blue)](https://delimit.ai)
+[![Tests](https://img.shields.io/badge/tests-134%20passing-brightgreen)](https://github.com/delimit-ai/delimit-mcp-server)
 [![GitHub Action](https://img.shields.io/badge/GitHub%20Action-v1.6.0-blue)](https://github.com/marketplace/actions/delimit-api-governance)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 [![Glama](https://glama.ai/mcp/servers/delimit-ai/delimit/badge)](https://glama.ai/mcp/servers/delimit-ai/delimit)
@@ -70,6 +69,34 @@ npx delimit-cli init        # Sets up governance + drift baseline
 
 ---
 
+## What's New in v4.3
+
+*Gate every AI-assisted invocation. Ship the receipts.*
+
+- **`delimit wrap`** — pipe `claude -p`, `cursor`, `aider`, `codex`, or any AI-assisted CLI through a signed governance gate. Snapshots the git diff before/after, runs lint + tests, HMAC-signs an `att_*` attestation, emits a public replay URL. Advisory by default; `--enforce` blocks CI on policy violations; `--max-time <s>` is a kill switch that tags the attestation as a `liability_incident` and prints a cross-model handoff command.
+- **`delimit trust-page`** — renders a directory of attestations into a static HTML trust page + JSON Feed 1.1 feed. Single file, no framework, offline-renderable. Deploy anywhere.
+- **`delimit ai-sbom`** — aggregates attestations into a CycloneDX 1.6 bill-of-materials with AI-specific fields (detected models per vendor, tool-call surface, policy gate counts). Pipe straight into procurement.
+- **Cross-model by construction** — `wrap` is agnostic to the producer. Same attestation schema whether the pipe upstream is Claude Code, Cursor, Aider, Codex, or Gemini CLI. Switch producers without losing the audit chain.
+
+```bash
+# Gate any AI-assisted CLI
+delimit wrap -- claude -p "add tests for payments"
+#   → att_7d556843c84fb881 signed, replay: https://delimit.ai/att/att_7d556843c84fb881
+
+# Kill switch + handoff after 60s wall-clock
+delimit wrap --max-time 60 -- cursor edit "refactor auth middleware"
+#   → if killed: kind=liability_incident
+#   → suggested: delimit wrap -- claude -p "refactor auth middleware"
+
+# Render accumulated attestations as a public trust page
+delimit trust-page -o ./trust
+#   → ./trust/index.html (+ feed.json)
+
+# Build a CycloneDX-AI bill of materials
+delimit ai-sbom -o ./ai-sbom.json
+#   → components: 4 models detected, 187 gates run
+```
+
 ## What's New in v4.20
 
 *The highest state of AI governance.*
@@ -121,7 +148,7 @@ delimit deliberate "Should we build rate limiting in-house or use a managed serv
 - **Cross-Model Audit** -- 3 lenses (security, correctness, governance) with deterministic synthesis
 - **4-model deliberation** -- Claude + Grok + Gemini + Codex debate until consensus
 - **Universal Swarm Triggers** -- "Think and Build", "Keep building", "Ask Delimit"
-- **187 MCP tools** -- governance, context, shipping, observability, orchestration, and swarm
+- **Full governance toolkit** -- lint, diff, policy, evidence, drift, attestation, and swarm orchestration exposed as MCP tools and CLI subcommands
 
 ---
 
@@ -213,6 +240,10 @@ npx delimit-cli models --status                   # Show current model config
 npx delimit-cli status                           # Compact dashboard of your Delimit setup
 npx delimit-cli doctor                           # Check setup health
 npx delimit-cli uninstall --dry-run              # Preview removal
+npx delimit-cli wrap -- claude -p "..."          # Gate any AI-assisted CLI + signed attestation (v4.3)
+npx delimit-cli wrap --max-time 60 -- codex "..."# With kill switch + handoff on timeout
+npx delimit-cli trust-page -o ./trust            # Render attestations into a static trust page
+npx delimit-cli ai-sbom -o ./ai-sbom.json        # Build a CycloneDX-AI bill of materials
 ```
 
 ### What the MCP toolkit adds
@@ -330,6 +361,37 @@ The free tier includes API governance, persistent memory, zero-spec extraction,
 
 ---
 
+## Telemetry & cloud sync
+
+**Short version: none by default.** Nothing leaves your machine unless you explicitly configure it.
+
+**What's always local (source of truth):**
+- `~/.delimit/events/events-YYYY-MM-DD.jsonl` — per-tool-call events (tool name, timestamp, status, model id, session id, trace id). No source code, no prompts, no responses.
+- `~/.delimit/ledger/` — your ledger items, work orders, deliberation transcripts.
+- `~/.delimit/attestations/` — `delimit wrap` output bundles.
+
+**What's OPT-IN (requires you to provide your own Supabase project credentials):**
+- `gateway/ai/supabase_sync.py` mirrors the local event + ledger + work-order + deliberation rows into a Supabase project *you own* so you can view them in `app.delimit.ai`. **It only activates if you set `SUPABASE_URL` + `SUPABASE_SERVICE_ROLE_KEY` environment variables OR provide `~/.delimit/secrets/supabase.json` with those credentials.** No URL or key is hardcoded in the published package (verify with `grep -r aqbdqxnhzqzswdxifksc $(npm root -g)/delimit-cli/` — zero hits).
+- Data scope when enabled: metadata only (tool names, timestamps, IDs, statuses, venture tags). Never source code, prompts, or model responses.
+
+**Kill switch:**
+Set `DELIMIT_DISABLE_CLOUD_SYNC=1` in your environment to force all sync operations to no-op even if credentials are present. Local files continue to work normally.
+
+```bash
+# Disable cloud sync for a single invocation
+DELIMIT_DISABLE_CLOUD_SYNC=1 delimit lint api/openapi.yaml
+
+# Disable for the shell session
+export DELIMIT_DISABLE_CLOUD_SYNC=1
+```
+
+**Webhook notifications:**
+`gateway/ai/notify.py` emits governance events to a webhook endpoint *only if* you configure `DELIMIT_WEBHOOK_URL` explicitly. Unset by default.
+
+If you spot another code path that could phone home without disclosure, file an issue. This section is maintained as ship-truth, not aspirational.
+
+---
+
 ## Links
 
 - [delimit.ai](https://delimit.ai) -- homepage

package/bin/delimit-cli.js

@@ -6113,6 +6113,155 @@ program
         console.log(require('../package.json').version);
     });
 
+// LED-1048: delimit wrap — gate any AI-assisted CLI with signed attestation + replay
+// Surface 1 CLI-pipe extension. Cross-model-agnostic (claude -p, cursor, aider, codex, ...).
+// Advisory by default; opt-in --enforce to block on policy violations.
+program
+    .command('wrap')
+    .description('Gate an AI-assisted CLI invocation with signed attestation (advisory-first)')
+    .argument('<cmd...>', 'The command to wrap (e.g. `claude -p "add tests"`)')
+    .option('--enforce', 'Block exit on policy violation (default: advisory)', false)
+    .option('--deliberate', 'Also run multi-model deliberation (advisory)', false)
+    .option('--no-attest', 'Skip attestation emission (dry run)')
+    .option('--max-time <seconds>', 'Kill switch: SIGKILL the wrapped command after N seconds (liability_incident attestation + handoff)', parseInt)
+    .option('--json', 'Output result as JSON', false)
+    .action(async (cmdParts, options) => {
+        const { runWrap, replayUrl } = require('../lib/wrap-engine');
+        try {
+            const result = await runWrap(cmdParts, {
+                enforce: !!options.enforce,
+                deliberate: !!options.deliberate,
+                attest: options.attest !== false,
+                maxTimeSeconds: options.maxTime || 0,
+                cwd: process.cwd(),
+            });
+
+            if (result.error === 'quota_exceeded') {
+                console.error(chalk.red(`\n  [wrap] ${result.message}\n`));
+                process.exit(1);
+                return;
+            }
+
+            if (options.json) {
+                console.log(JSON.stringify(result, null, 2));
+                process.exit(result.exit);
+                return;
+            }
+
+            console.log();
+            const banner = result.kind === 'liability_incident'
+                ? chalk.bold.red(`  delimit wrap — ${result.attestation_id || '(no attestation)'} [liability_incident]`)
+                : chalk.bold.cyan(`  delimit wrap — ${result.attestation_id || '(no attestation)'}`);
+            console.log(banner);
+            console.log(chalk.gray(`  wrapped exit: ${result.wrapped_exit}   mode: ${result.advisory ? 'advisory' : 'enforce'}   tier: ${result.tier || 'n/a'}`));
+            if (result.killed_by_timeout) {
+                console.log(chalk.yellow(`  ⚠ kill switch fired — wrapped command exceeded --max-time`));
+            }
+            if (result.gates.length) {
+                console.log();
+                for (const g of result.gates) {
+                    const tag = g.exit === undefined
+                        ? chalk.gray('·')
+                        : (g.exit === 0 ? chalk.green('✓') : chalk.red('✗'));
+                    const name = g.name + (g.runner ? ':' + g.runner : '') + (g.spec ? ':' + path.basename(g.spec) : '');
+                    const note = g.result ? ` (${g.result})` : '';
+                    console.log(`  ${tag} ${name}${note}`);
+                }
+            }
+            if (result.violations.length) {
+                console.log();
+                console.log(chalk.yellow(`  ${result.violations.length} violation(s):`));
+                for (const v of result.violations) console.log(chalk.yellow(`    - ${v}`));
+                if (result.advisory) console.log(chalk.gray('  advisory mode — wrap exit unaffected. Re-run with --enforce to block.'));
+            }
+            if (result.attestation_id) {
+                console.log();
+                console.log(chalk.gray(`  attestation: ${result.attestation_path || '(not saved)'}`));
+                console.log(chalk.gray(`  replay:      ${result.replay_url}`));
+            }
+            if (result.handoff_suggestion) {
+                console.log();
+                console.log(chalk.bold('  cross-model handoff suggestion:'));
+                console.log(`    ${chalk.cyan(result.handoff_suggestion.suggested_command)}`);
+                console.log(chalk.gray(`    (alternates: ${result.handoff_suggestion.alternates.join(', ')})`));
+            }
+            console.log();
+            process.exit(result.exit);
+        } catch (e) {
+            console.error(chalk.red(`\n  [wrap] ${e.message || e}\n`));
+            process.exit(1);
+        }
+    });
+
+// LED-1018 Venture #6 MVP: trust-page + ai-sbom subcommands
+// Render aggregated attestations (from `delimit wrap`) into a public static
+// trust page (HTML + JSON Feed) and a CycloneDX-AI bill of materials.
+program
+    .command('trust-page')
+    .description('Render attestations into a public trust page (static HTML + JSON feed)')
+    .option('-d, --dir <path>', 'Attestation directory', path.join(os.homedir(), '.delimit', 'attestations'))
+    .option('-o, --out <path>', 'Output directory', './trust-page')
+    .option('-t, --title <title>', 'Trust page title', 'Trust Page')
+    .option('--json', 'Output result as JSON', false)
+    .action(async (options) => {
+        const { renderTrustPage } = require('../lib/trust-page-engine');
+        try {
+            const result = renderTrustPage(options.dir, options.out, options.title);
+            if (options.json) {
+                console.log(JSON.stringify(result, null, 2));
+                return;
+            }
+            console.log();
+            console.log(chalk.bold.cyan(`  delimit trust-page`));
+            console.log(chalk.gray(`  source: ${options.dir}`));
+            console.log(chalk.gray(`  output: ${result.outDir}/`));
+            console.log(chalk.gray(`  attestations rendered: ${result.count}`));
+            console.log(chalk.gray(`  feed items: ${result.feed_items}   html bytes: ${result.html_bytes}`));
+            console.log();
+            console.log(chalk.bold(`  Open: ${path.resolve(result.outDir)}/index.html`));
+            console.log();
+        } catch (e) {
+            console.error(chalk.red(`\n  [trust-page] ${e.message || e}\n`));
+            process.exit(1);
+        }
+    });
+
+program
+    .command('ai-sbom')
+    .description('Build a CycloneDX-AI bill of materials from attestations')
+    .option('-d, --dir <path>', 'Attestation directory', path.join(os.homedir(), '.delimit', 'attestations'))
+    .option('-o, --out <path>', 'Output file', './ai-sbom.json')
+    .option('-n, --name <name>', 'BOM subject name', 'ai-sbom')
+    .option('-v, --package-version <v>', 'BOM subject version', '1.0.0')
+    .option('--json', 'Print the SBOM to stdout instead of writing to file', false)
+    .action(async (options) => {
+        const { buildAISBOM } = require('../lib/ai-sbom-engine');
+        try {
+            const { sbom, aggregate, attestation_count } = buildAISBOM(options.dir, {
+                name: options.name,
+                version: options.packageVersion,
+            });
+            if (options.json) {
+                console.log(JSON.stringify(sbom, null, 2));
+                return;
+            }
+            fs.writeFileSync(options.out, JSON.stringify(sbom, null, 2));
+            console.log();
+            console.log(chalk.bold.cyan(`  delimit ai-sbom`));
+            console.log(chalk.gray(`  source: ${options.dir}`));
+            console.log(chalk.gray(`  output: ${path.resolve(options.out)}`));
+            console.log(chalk.gray(`  attestations scanned: ${attestation_count}`));
+            console.log(chalk.gray(`  models detected:      ${aggregate.models.length}`));
+            console.log(chalk.gray(`  tool-call surface:    ${aggregate.tool_calls.length}`));
+            console.log(chalk.gray(`  total gates run:      ${aggregate.total_gates_run}`));
+            console.log(chalk.gray(`  total violations:     ${aggregate.total_violations}`));
+            console.log();
+        } catch (e) {
+            console.error(chalk.red(`\n  [ai-sbom] ${e.message || e}\n`));
+            process.exit(1);
+        }
+    });
+
 // Hide legacy/internal commands from --help
 ['install', 'mode', 'status', 'policy', 'auth', 'audit',
  'explain-decision', 'uninstall', 'proxy', 'hook'].forEach(name => {

package/lib/ai-sbom-engine.js

@@ -0,0 +1,154 @@
+// lib/ai-sbom-engine.js
+//
+// LED-1018 Venture #6 MVP: `delimit ai-sbom` aggregation.
+// Scans a directory of attestations, extracts the AI surface (models, prompts,
+// tool calls, data classes), and emits a CycloneDX 1.6-shaped bill of materials
+// with AI-specific fields.
+//
+// CycloneDX-AI schema reference: https://cyclonedx.org/capabilities/mlbom/
+// Per the architecture doc, MVP aggregates what attestations already capture;
+// explicit static-analysis code-walker lands in Phase 2.
+
+const { loadAttestations } = require('./trust-page-engine');
+const crypto = require('crypto');
+
+const KNOWN_MODEL_PROVIDERS = [
+    // Loose matching against wrapped_command strings. Extends easily.
+    { pattern: /claude|anthropic/i, vendor: 'anthropic', family: 'claude' },
+    { pattern: /openai|gpt-\d|o1|o3/i, vendor: 'openai', family: 'gpt' },
+    { pattern: /gemini|vertex/i, vendor: 'google', family: 'gemini' },
+    { pattern: /codex/i, vendor: 'openai', family: 'codex' },
+    { pattern: /grok|xai/i, vendor: 'xai', family: 'grok' },
+    { pattern: /llama|mistral/i, vendor: 'meta-or-mistral', family: 'open-weight' },
+    { pattern: /cursor/i, vendor: 'cursor', family: 'cursor-agent' },
+    { pattern: /aider/i, vendor: 'aider', family: 'aider-agent' },
+    { pattern: /copilot/i, vendor: 'github', family: 'copilot' },
+];
+
+function detectModelFromCommand(cmd) {
+    if (!cmd) return null;
+    for (const m of KNOWN_MODEL_PROVIDERS) {
+        if (m.pattern.test(cmd)) return { vendor: m.vendor, family: m.family };
+    }
+    return null;
+}
+
+function aggregateAISurface(attestations) {
+    const models = new Map(); // key: vendor:family -> { count, first_seen, last_seen }
+    const toolCallCounts = new Map(); // tool name -> count
+    const totalAttestations = attestations.length;
+    let earliest = null, latest = null;
+    let totalGatesRun = 0, totalViolations = 0;
+
+    for (const att of attestations) {
+        const b = att.bundle || {};
+
+        // Model detection — prefer explicit ai_surface.models_detected, fall back to command heuristic
+        const explicitModels = (b.ai_surface?.models_detected) || [];
+        for (const m of explicitModels) {
+            const key = m.includes(':') ? m : `unknown:${m}`;
+            const [vendor, family] = key.split(':', 2);
+            const entry = models.get(key) || { vendor, family, count: 0, first_seen: null, last_seen: null };
+            entry.count += 1;
+            if (b.started_at) {
+                if (!entry.first_seen || b.started_at < entry.first_seen) entry.first_seen = b.started_at;
+                if (!entry.last_seen || b.started_at > entry.last_seen) entry.last_seen = b.started_at;
+            }
+            models.set(key, entry);
+        }
+        if (explicitModels.length === 0) {
+            const inferred = detectModelFromCommand(b.wrapped_command || '');
+            if (inferred) {
+                const key = `${inferred.vendor}:${inferred.family}`;
+                const entry = models.get(key) || { vendor: inferred.vendor, family: inferred.family, count: 0, first_seen: null, last_seen: null, source: 'inferred' };
+                entry.count += 1;
+                entry.source = 'inferred';
+                if (b.started_at) {
+                    if (!entry.first_seen || b.started_at < entry.first_seen) entry.first_seen = b.started_at;
+                    if (!entry.last_seen || b.started_at > entry.last_seen) entry.last_seen = b.started_at;
+                }
+                models.set(key, entry);
+            }
+        }
+
+        // Tool calls
+        const tools = b.ai_surface?.tool_calls || [];
+        for (const t of tools) toolCallCounts.set(t, (toolCallCounts.get(t) || 0) + 1);
+
+        // Timestamps
+        if (b.started_at) {
+            if (!earliest || b.started_at < earliest) earliest = b.started_at;
+            if (!latest || b.started_at > latest) latest = b.started_at;
+        }
+
+        // Governance counts
+        totalGatesRun += (b.governance?.gates || []).length;
+        totalViolations += (b.governance?.violations || []).length;
+    }
+
+    return {
+        total_attestations: totalAttestations,
+        total_gates_run: totalGatesRun,
+        total_violations: totalViolations,
+        models: Array.from(models.values()),
+        tool_calls: Array.from(toolCallCounts.entries()).map(([name, count]) => ({ name, count })),
+        earliest,
+        latest,
+    };
+}
+
+function renderCycloneDXAI(aggregate, { name = 'ai-sbom', version = '1.0.0' } = {}) {
+    const serialNumber = 'urn:uuid:' + crypto.randomUUID();
+
+    return {
+        bomFormat: 'CycloneDX',
+        specVersion: '1.6',
+        serialNumber,
+        version: 1,
+        metadata: {
+            timestamp: new Date().toISOString(),
+            tools: [{ vendor: 'delimit', name: 'delimit-ai-sbom', version }],
+            component: {
+                'bom-ref': `pkg:${name}@${version}`,
+                type: 'application',
+                name,
+                version,
+            },
+            properties: [
+                { name: 'delimit:total_attestations', value: String(aggregate.total_attestations) },
+                { name: 'delimit:total_gates_run', value: String(aggregate.total_gates_run) },
+                { name: 'delimit:total_violations', value: String(aggregate.total_violations) },
+                { name: 'delimit:earliest_attestation', value: aggregate.earliest || '' },
+                { name: 'delimit:latest_attestation', value: aggregate.latest || '' },
+                { name: 'delimit:tool_surface', value: JSON.stringify(aggregate.tool_calls) },
+            ],
+        },
+        components: aggregate.models.map(m => ({
+            'bom-ref': `model:${m.vendor}/${m.family}`,
+            type: 'machine-learning-model',
+            vendor: m.vendor,
+            name: m.family,
+            description: `AI model detected across ${m.count} attestations${m.source ? ` (${m.source} from command)` : ''}`,
+            modelCard: {
+                modelParameters: {
+                    approach: { type: 'supervised' },
+                },
+                properties: [
+                    { name: 'delimit:usage_count', value: String(m.count) },
+                    { name: 'delimit:first_seen', value: m.first_seen || '' },
+                    { name: 'delimit:last_seen', value: m.last_seen || '' },
+                    ...(m.source ? [{ name: 'delimit:detection_source', value: m.source }] : []),
+                ],
+            },
+        })),
+    };
+}
+
+function buildAISBOM(attestationDir, opts = {}) {
+    const attestations = loadAttestations(attestationDir);
+    const aggregate = aggregateAISurface(attestations);
+    const sbom = renderCycloneDXAI(aggregate, opts);
+    return { sbom, aggregate, attestation_count: attestations.length };
+}
+
+module.exports = { buildAISBOM, aggregateAISurface, renderCycloneDXAI, detectModelFromCommand };

package/lib/trust-page-engine.js

@@ -0,0 +1,179 @@
+// lib/trust-page-engine.js
+//
+// LED-1018 Venture #6 MVP: `delimit trust-page` render.
+// Scans a directory of delimit.attestation.v1 JSON files, verifies signatures,
+// renders a static index.html + JSON Feed 1.1-shaped feed.json.
+//
+// Local-only render. Cloud sync is a Pro/Premium feature, deferred.
+
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+function loadHmacKey() {
+    const keyPath = path.join(os.homedir(), '.delimit', 'wrap-hmac.key');
+    if (!fs.existsSync(keyPath)) return null;
+    return fs.readFileSync(keyPath);
+}
+
+function verifySignature(attestation, key) {
+    if (!key) return 'unverifiable';
+    try {
+        const canonical = JSON.stringify(attestation.bundle, Object.keys(attestation.bundle).sort());
+        const expected = crypto.createHmac('sha256', key).update(canonical).digest('hex');
+        return expected === attestation.signature ? 'verified' : 'signature_mismatch';
+    } catch {
+        return 'verify_error';
+    }
+}
+
+function loadAttestations(dir) {
+    if (!fs.existsSync(dir)) return [];
+    const results = [];
+    for (const f of fs.readdirSync(dir)) {
+        if (!f.startsWith('att_') || !f.endsWith('.json')) continue;
+        try {
+            const att = JSON.parse(fs.readFileSync(path.join(dir, f), 'utf-8'));
+            if (att.id && att.bundle) results.push(att);
+        } catch { /* skip corrupted */ }
+    }
+    // Reverse-chronological
+    results.sort((a, b) => {
+        const ta = a.bundle?.started_at || '';
+        const tb = b.bundle?.started_at || '';
+        return tb.localeCompare(ta);
+    });
+    return results;
+}
+
+function escapeHtml(s) {
+    return String(s || '').replace(/[&<>"']/g, c => ({
+        '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;'
+    }[c]));
+}
+
+function redactCommand(cmd, redactLevel = 'basic') {
+    // MVP: basic redaction only. Strip quoted strings longer than 24 chars (likely prompt text).
+    if (!cmd) return '';
+    if (redactLevel === 'none') return cmd;
+    return cmd.replace(/"[^"]{24,}"/g, '"<prompt redacted>"')
+              .replace(/'[^']{24,}'/g, "'<prompt redacted>'");
+}
+
+function countGateResults(governance) {
+    const gates = governance?.gates || [];
+    let pass = 0, fail = 0, info = 0;
+    for (const g of gates) {
+        if (g.exit === 0) pass++;
+        else if (g.exit !== undefined) fail++;
+        else info++;
+    }
+    return { pass, fail, info, total: gates.length };
+}
+
+function renderHTML(attestations, title = 'Trust Page') {
+    const hmacKey = loadHmacKey();
+    const rows = attestations.map(att => {
+        const verify = verifySignature(att, hmacKey);
+        const b = att.bundle || {};
+        const counts = countGateResults(b.governance);
+        const violations = (b.governance?.violations || []).length;
+        const status = violations > 0 ? 'violations' : (counts.fail > 0 ? 'failures' : 'clean');
+        return `    <tr>
+      <td><code>${escapeHtml(att.id)}</code></td>
+      <td class="cmd">${escapeHtml(redactCommand(b.wrapped_command))}</td>
+      <td>${escapeHtml(b.started_at || '')}</td>
+      <td class="gates">${counts.pass}/${counts.total}</td>
+      <td class="v-${verify}">${verify.replace('_', ' ')}</td>
+      <td class="s-${status}">${status}</td>
+    </tr>`;
+    }).join('\n');
+
+    const empty = attestations.length === 0
+        ? `  <p class="empty">No attestations yet. Run <code>delimit wrap &lt;cmd&gt;</code> to create one.</p>`
+        : '';
+
+    return `<!doctype html>
+<html lang="en">
+<head>
+<meta charset="utf-8">
+<meta name="viewport" content="width=device-width,initial-scale=1">
+<title>${escapeHtml(title)}</title>
+<style>
+  :root { color-scheme: light dark; --fg:#111; --bg:#fff; --muted:#666; --ok:#087443; --warn:#b45309; --err:#b91c1c; }
+  @media (prefers-color-scheme: dark) { :root { --fg:#eee; --bg:#0a0a0a; --muted:#888; } }
+  body { font: 14px/1.5 -apple-system, BlinkMacSystemFont, system-ui, sans-serif; color: var(--fg); background: var(--bg); max-width: 980px; margin: 2rem auto; padding: 0 1rem; }
+  h1 { margin-bottom: .25rem; font-weight: 600; }
+  .sub { color: var(--muted); margin-bottom: 2rem; }
+  table { width: 100%; border-collapse: collapse; }
+  th, td { text-align: left; padding: .5rem .75rem; border-bottom: 1px solid rgba(0,0,0,.08); }
+  th { font-weight: 600; color: var(--muted); font-size: .82em; text-transform: uppercase; letter-spacing: .03em; }
+  code { font: 12px/1.3 ui-monospace, SFMono-Regular, Menlo, monospace; }
+  td.cmd { max-width: 380px; overflow: hidden; text-overflow: ellipsis; white-space: nowrap; }
+  .gates { font-variant-numeric: tabular-nums; color: var(--muted); }
+  .v-verified { color: var(--ok); }
+  .v-unverifiable, .v-signature_mismatch { color: var(--warn); }
+  .s-clean { color: var(--ok); }
+  .s-violations, .s-failures { color: var(--err); }
+  .empty { color: var(--muted); padding: 3rem 0; text-align: center; }
+  footer { margin-top: 3rem; color: var(--muted); font-size: .85em; }
+</style>
+</head>
+<body>
+  <h1>${escapeHtml(title)}</h1>
+  <p class="sub">${attestations.length} signed attestation${attestations.length === 1 ? '' : 's'} · generated ${new Date().toISOString()}</p>
+${empty || `  <table>
+    <thead><tr><th>ID</th><th>Command</th><th>Started</th><th>Gates</th><th>Signature</th><th>Status</th></tr></thead>
+    <tbody>
+${rows}
+    </tbody>
+  </table>`}
+  <footer>
+    Generated by <code>delimit trust-page</code>. <a href="feed.json">JSON Feed</a>.<br>
+    Each row is an <code>att_*</code> record signed with HMAC-SHA256. Schema: <code>delimit.attestation.v1</code>.
+  </footer>
+</body>
+</html>
+`;
+}
+
+function renderFeed(attestations, title = 'Trust Page') {
+    const items = attestations.map(att => {
+        const b = att.bundle || {};
+        const verify = verifySignature(att, loadHmacKey());
+        return {
+            id: att.id,
+            title: redactCommand(b.wrapped_command || att.id),
+            content_text: `wrapped=${b.wrapped_command || ''} | exit=${b.wrapped_exit} | gates=${(b.governance?.gates || []).length} | violations=${(b.governance?.violations || []).length} | signature=${verify}`,
+            date_published: b.started_at,
+            _delimit: {
+                attestation_id: att.id,
+                signature: att.signature,
+                signature_alg: att.signature_alg,
+                wrapped_exit: b.wrapped_exit,
+                changed_files: b.changed_files,
+                governance: b.governance,
+                ai_surface: b.ai_surface || null,
+            }
+        };
+    });
+    return {
+        version: 'https://jsonfeed.org/version/1.1',
+        title,
+        description: 'Signed replayable attestations for AI-assisted merges. Schema: delimit.attestation.v1.',
+        items,
+    };
+}
+
+function renderTrustPage(attestationDir, outDir, title) {
+    const attestations = loadAttestations(attestationDir);
+    fs.mkdirSync(outDir, { recursive: true });
+    const html = renderHTML(attestations, title);
+    const feed = renderFeed(attestations, title);
+    fs.writeFileSync(path.join(outDir, 'index.html'), html);
+    fs.writeFileSync(path.join(outDir, 'feed.json'), JSON.stringify(feed, null, 2));
+    return { count: attestations.length, outDir, html_bytes: html.length, feed_items: feed.items.length };
+}
+
+module.exports = { renderTrustPage, loadAttestations, verifySignature, renderHTML, renderFeed };

package/lib/wrap-engine.js

@@ -0,0 +1,431 @@
+// lib/wrap-engine.js
+//
+// LED-1048: `delimit wrap` — Surface 1 CLI-pipe extension
+// LED-1052: Kill Switch + cross-model handoff extension
+//
+// Runs an arbitrary command (typically `claude -p` or `cursor` or `codex`),
+// snapshots repo state before/after, runs governance gates on the diff,
+// emits a signed attestation JSON + replay URL reference.
+//
+// Advisory-first: exit 0 unless --enforce is set AND gates fail.
+// Cross-model-agnostic: the wrapped command is arbitrary, not bound to Claude.
+//
+// Kill Switch (LED-1052): --max-time <seconds> caps wall-clock; on SIGKILL
+// the attestation emitted is typed as kind=liability_incident and includes
+// a handoff_suggestion field pointing the user at an alternative producer.
+
+const { spawn, spawnSync, execSync } = require('child_process');
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+const os = require('os');
+
+// ----------------------------------------------------------------------------
+// Git helpers — snapshot before/after a wrapped command
+// ----------------------------------------------------------------------------
+
+function safeExec(cmd, opts = {}) {
+    try {
+        return execSync(cmd, { encoding: 'utf-8', stdio: ['ignore', 'pipe', 'pipe'], ...opts }).trim();
+    } catch {
+        return null;
+    }
+}
+
+function getRepoRoot(cwd) {
+    return safeExec('git rev-parse --show-toplevel', { cwd }) || cwd;
+}
+
+function getCurrentHead(cwd) {
+    return safeExec('git rev-parse HEAD', { cwd });
+}
+
+function getDirtyFiles(cwd) {
+    // Don't use safeExec because .trim() mangles the leading-space porcelain format.
+    try {
+        const raw = execSync('git status --porcelain', { cwd, encoding: 'utf-8', stdio: ['ignore', 'pipe', 'pipe'] });
+        // Porcelain format: XY<space><path>  (XY is always 2 chars, e.g. " M", "??", "MM")
+        return raw.split('\n').filter(Boolean).map(l => l.slice(3));
+    } catch {
+        return [];
+    }
+}
+
+function getUnifiedDiff(cwd, fromHead) {
+    if (!fromHead) return '';
+    // Diff against the snapshot: tracked changes + untracked files (as if added)
+    return safeExec(`git diff ${fromHead} -- .`, { cwd }) || '';
+}
+
+// ----------------------------------------------------------------------------
+// Governance gate composition — reuse existing CLI subcommands where possible
+// ----------------------------------------------------------------------------
+
+function detectOpenAPISpecChanges(changedFiles, cwd) {
+    // Simple heuristic: files matching openapi*.yaml / openapi*.json / swagger.*
+    const specs = changedFiles.filter(f => {
+        const base = path.basename(f).toLowerCase();
+        return /(^openapi|\.openapi|swagger)\.(ya?ml|json)$/.test(base) || base === 'openapi.yaml';
+    });
+    return specs;
+}
+
+function runDelimitCLI(args, cwd) {
+    // Invoke the sibling CLI entry point directly to avoid PATH assumptions.
+    const cliPath = path.join(__dirname, '..', 'bin', 'delimit-cli.js');
+    try {
+        const result = spawnSync('node', [cliPath, ...args, '--json'], {
+            cwd,
+            encoding: 'utf-8',
+            timeout: 60000,
+            stdio: ['ignore', 'pipe', 'pipe'],
+        });
+        const stdout = result.stdout || '';
+        const stderr = result.stderr || '';
+        let parsed = null;
+        try {
+            // Find last JSON object in stdout (cli may print banner before)
+            const m = stdout.match(/\{[\s\S]*\}\s*$/);
+            if (m) parsed = JSON.parse(m[0]);
+        } catch { /* leave null */ }
+        return { exit: result.status ?? 1, stdout, stderr, parsed };
+    } catch (e) {
+        return { exit: 1, stdout: '', stderr: String(e), parsed: null };
+    }
+}
+
+function runTestSmoke(cwd) {
+    // Minimal heuristic: if pytest is available and tests/ exists, run it.
+    // If package.json has a test script, run `npm test`.
+    // Time-bounded. Advisory. Never the block criterion alone.
+    const results = [];
+    const pkgPath = path.join(cwd, 'package.json');
+    if (fs.existsSync(pkgPath)) {
+        try {
+            const pkg = JSON.parse(fs.readFileSync(pkgPath, 'utf-8'));
+            if (pkg.scripts && pkg.scripts.test && pkg.scripts.test !== 'echo "Error: no test specified" && exit 1') {
+                const r = spawnSync('npm', ['test', '--silent'], { cwd, encoding: 'utf-8', timeout: 120000, stdio: ['ignore', 'pipe', 'pipe'] });
+                results.push({ runner: 'npm test', exit: r.status ?? 1, stdout: (r.stdout || '').slice(-2000), stderr: (r.stderr || '').slice(-1000) });
+            }
+        } catch { /* ignore */ }
+    }
+    if (fs.existsSync(path.join(cwd, 'tests')) || fs.existsSync(path.join(cwd, 'pytest.ini')) || fs.existsSync(path.join(cwd, 'pyproject.toml'))) {
+        const r = spawnSync('python3', ['-m', 'pytest', '--tb=short', '-q'], { cwd, encoding: 'utf-8', timeout: 180000, stdio: ['ignore', 'pipe', 'pipe'] });
+        results.push({ runner: 'pytest', exit: r.status ?? 1, stdout: (r.stdout || '').slice(-2000), stderr: (r.stderr || '').slice(-1000) });
+    }
+    return results;
+}
+
+// ----------------------------------------------------------------------------
+// Attestation bundling + signing
+// ----------------------------------------------------------------------------
+
+function computeAttestationId(bundle) {
+    const canonical = JSON.stringify(bundle, Object.keys(bundle).sort());
+    const hash = crypto.createHash('sha256').update(canonical).digest('hex');
+    return 'att_' + hash.slice(0, 16);
+}
+
+function loadOrCreateHmacKey() {
+    // Local HMAC key for attestation signing.
+    // Cloud-sync + verifiable signature is a Pro/Premium feature (deferred MVP).
+    const keyPath = path.join(os.homedir(), '.delimit', 'wrap-hmac.key');
+    if (fs.existsSync(keyPath)) return fs.readFileSync(keyPath);
+    const key = crypto.randomBytes(32);
+    fs.mkdirSync(path.dirname(keyPath), { recursive: true });
+    fs.writeFileSync(keyPath, key, { mode: 0o600 });
+    return key;
+}
+
+function signAttestation(bundle) {
+    const key = loadOrCreateHmacKey();
+    const canonical = JSON.stringify(bundle, Object.keys(bundle).sort());
+    return crypto.createHmac('sha256', key).update(canonical).digest('hex');
+}
+
+// ----------------------------------------------------------------------------
+// Quota enforcement — free tier 3 lifetime, Pro unlimited
+// ----------------------------------------------------------------------------
+
+function checkQuota() {
+    const counterPath = path.join(os.homedir(), '.delimit', 'wrap-lifetime-count');
+    const licensePath = path.join(os.homedir(), '.delimit', 'license.json');
+    let tier = 'free';
+    try {
+        if (fs.existsSync(licensePath)) {
+            const lic = JSON.parse(fs.readFileSync(licensePath, 'utf-8'));
+            if (lic.valid && ['pro', 'premium', 'enterprise'].includes(lic.tier)) {
+                tier = lic.tier;
+            }
+        }
+    } catch { /* treat as free */ }
+    if (tier !== 'free') return { ok: true, tier, count: null };
+    let count = 0;
+    try {
+        if (fs.existsSync(counterPath)) count = parseInt(fs.readFileSync(counterPath, 'utf-8').trim(), 10) || 0;
+    } catch { /* start at 0 */ }
+    return { ok: count < 3, tier: 'free', count, limit: 3 };
+}
+
+function incrementQuota() {
+    const counterPath = path.join(os.homedir(), '.delimit', 'wrap-lifetime-count');
+    let count = 0;
+    try {
+        if (fs.existsSync(counterPath)) count = parseInt(fs.readFileSync(counterPath, 'utf-8').trim(), 10) || 0;
+    } catch {}
+    count += 1;
+    fs.mkdirSync(path.dirname(counterPath), { recursive: true });
+    fs.writeFileSync(counterPath, String(count));
+    return count;
+}
+
+// ----------------------------------------------------------------------------
+// Persistence — save attestation to local ledger
+// ----------------------------------------------------------------------------
+
+function saveAttestation(att) {
+    const dir = path.join(os.homedir(), '.delimit', 'attestations');
+    fs.mkdirSync(dir, { recursive: true });
+    const file = path.join(dir, `${att.id}.json`);
+    fs.writeFileSync(file, JSON.stringify(att, null, 2));
+    return file;
+}
+
+function replayUrl(attId) {
+    // Public replay surface is served by app.delimit.ai (reuses the trust-page
+    // pattern from LED-1018). For MVP, just returns the URL; rendering + upload
+    // is the Pro-tier feature and not part of this MVP.
+    return `https://delimit.ai/att/${attId}`;
+}
+
+// ----------------------------------------------------------------------------
+// Main wrap flow
+// ----------------------------------------------------------------------------
+
+// LED-1052: map a wrapped command's base binary to a handoff suggestion
+// for the remaining producers. Advisory only — prints the command a user
+// could run to resume with a different model.
+function suggestHandoff(rawCmd) {
+    const bin = (rawCmd && rawCmd[0]) || '';
+    const base = path.basename(bin).toLowerCase();
+    const prompt = extractPromptArg(rawCmd);
+    const fallbacks = {
+        claude: ['codex', 'gemini', 'cursor'],
+        'claude-code': ['codex', 'gemini', 'cursor'],
+        cursor: ['claude', 'codex', 'gemini'],
+        'cursor-cli': ['claude', 'codex', 'gemini'],
+        aider: ['claude', 'codex', 'gemini'],
+        codex: ['claude', 'gemini', 'cursor'],
+        gemini: ['claude', 'codex', 'cursor'],
+    };
+    const key = Object.keys(fallbacks).find(k => base.includes(k));
+    if (!key) return null;
+    const alt = fallbacks[key][0];
+    const altPrompt = prompt || '<your-goal>';
+    return {
+        kill_source: key,
+        handoff_target: alt,
+        suggested_command: `delimit wrap -- ${alt} -p "${altPrompt}"`,
+        alternates: fallbacks[key],
+    };
+}
+
+function extractPromptArg(rawCmd) {
+    // Best-effort scrape: -p <prompt> or --prompt <prompt>
+    if (!rawCmd) return null;
+    for (let i = 0; i < rawCmd.length - 1; i++) {
+        if (rawCmd[i] === '-p' || rawCmd[i] === '--prompt') return rawCmd[i + 1];
+    }
+    return null;
+}
+
+// LED-1052: spawn a child with wall-clock timeout + SIGKILL on breach.
+// Returns { status, killed_by_timeout, ms }.
+function spawnWithKillSwitch(bin, args, spawnOpts, maxTimeSeconds) {
+    return new Promise((resolve) => {
+        const child = spawn(bin, args, { ...spawnOpts, stdio: 'inherit' });
+        const started = Date.now();
+        let killed = false;
+        const timer = maxTimeSeconds && maxTimeSeconds > 0
+            ? setTimeout(() => {
+                killed = true;
+                try { child.kill('SIGKILL'); } catch { /* ignore */ }
+            }, maxTimeSeconds * 1000)
+            : null;
+        child.on('close', (code, signal) => {
+            if (timer) clearTimeout(timer);
+            resolve({
+                status: (code !== null ? code : (signal === 'SIGKILL' ? 137 : 1)),
+                killed_by_timeout: killed,
+                signal,
+                ms: Date.now() - started,
+            });
+        });
+        child.on('error', (err) => {
+            if (timer) clearTimeout(timer);
+            resolve({ status: 1, killed_by_timeout: false, error: String(err), ms: Date.now() - started });
+        });
+    });
+}
+
+async function runWrap(rawCmd, options = {}) {
+    const {
+        enforce = false,
+        deliberate = false,
+        attest = true,
+        cwd = process.cwd(),
+        maxTimeSeconds = 0,  // LED-1052: 0 disables kill switch
+    } = options;
+
+    const repoRoot = getRepoRoot(cwd);
+    const isGitRepo = !!safeExec('git rev-parse --is-inside-work-tree', { cwd: repoRoot });
+
+    // Quota check (only if attestation will be emitted)
+    let quotaInfo = null;
+    if (attest) {
+        quotaInfo = checkQuota();
+        if (!quotaInfo.ok) {
+            return {
+                exit: 1,
+                error: 'quota_exceeded',
+                message: `Free tier: ${quotaInfo.count}/${quotaInfo.limit} lifetime attestations used. Upgrade to Pro ($10/mo) for unlimited — visit https://delimit.ai/pricing`,
+                tier: quotaInfo.tier,
+            };
+        }
+    }
+
+    // Snapshot before
+    const beforeHead = isGitRepo ? getCurrentHead(repoRoot) : null;
+    const beforeDirty = isGitRepo ? getDirtyFiles(repoRoot) : [];
+    const startedAt = new Date().toISOString();
+
+    // Execute the wrapped command
+    // The wrapped command runs in the user's shell so `claude -p "..."` / `cursor edit` / etc. work natively.
+    // LED-1052: if maxTimeSeconds > 0, use async spawnWithKillSwitch; otherwise spawnSync for back-compat.
+    let wrappedExit;
+    let killedByTimeout = false;
+    let killSignal = null;
+    if (maxTimeSeconds > 0) {
+        const res = await spawnWithKillSwitch(rawCmd[0], rawCmd.slice(1), { cwd: repoRoot, shell: false }, maxTimeSeconds);
+        wrappedExit = res.status;
+        killedByTimeout = res.killed_by_timeout;
+        killSignal = res.signal || null;
+    } else {
+        const child = spawnSync(rawCmd[0], rawCmd.slice(1), { cwd: repoRoot, stdio: 'inherit', shell: false });
+        wrappedExit = child.status ?? 1;
+    }
+    const completedAt = new Date().toISOString();
+
+    // Snapshot after
+    const afterHead = isGitRepo ? getCurrentHead(repoRoot) : null;
+    const afterDirty = isGitRepo ? getDirtyFiles(repoRoot) : [];
+    const changedFiles = isGitRepo
+        ? Array.from(new Set([...beforeDirty, ...afterDirty]))
+        : [];
+
+    // Governance chain
+    const governance = { gates: [], violations: [], advisory: !enforce };
+
+    // 1) OpenAPI spec changes → delimit lint / diff
+    const specChanges = detectOpenAPISpecChanges(changedFiles, repoRoot);
+    if (specChanges.length > 0) {
+        governance.gates.push({ name: 'openapi_detect', result: 'ran', specs: specChanges });
+        // Try running delimit lint on each (zero-spec mode against baseline)
+        for (const spec of specChanges) {
+            const lintResult = runDelimitCLI(['lint'], path.dirname(path.join(repoRoot, spec)));
+            governance.gates.push({
+                name: 'delimit_lint',
+                spec,
+                exit: lintResult.exit,
+                summary: (lintResult.stdout || '').slice(-500),
+            });
+            if (lintResult.exit !== 0) governance.violations.push(`lint failed on ${spec}`);
+        }
+    }
+
+    // 2) Test smoke
+    const testResults = runTestSmoke(repoRoot);
+    for (const t of testResults) {
+        governance.gates.push({ name: 'test_smoke', runner: t.runner, exit: t.exit });
+        if (t.exit !== 0) governance.violations.push(`${t.runner} failed`);
+    }
+    if (testResults.length === 0) {
+        governance.gates.push({ name: 'test_smoke', result: 'no_tests_detected' });
+    }
+
+    // 3) Multi-model deliberate (optional)
+    if (deliberate) {
+        governance.gates.push({ name: 'deliberate', result: 'deferred', note: 'use `delimit deliberate` standalone for multi-model verdict — v1 wrap emits local attestation only' });
+    }
+
+    // Build attestation bundle
+    // LED-1052: if killed by timeout, attestation is typed as liability_incident
+    const kind = killedByTimeout ? 'liability_incident' : 'merge_attestation';
+    const handoffSuggestion = killedByTimeout ? suggestHandoff(rawCmd) : null;
+    const bundle = {
+        schema: 'delimit.attestation.v1',
+        kind,
+        wrapped_command: rawCmd.join(' '),
+        repo_root: repoRoot,
+        is_git_repo: isGitRepo,
+        before_head: beforeHead,
+        after_head: afterHead,
+        started_at: startedAt,
+        completed_at: completedAt,
+        wrapped_exit: wrappedExit,
+        changed_files: changedFiles,
+        governance,
+        delimit_wrap_version: '1.1.0',
+        ...(killedByTimeout ? {
+            kill_switch: {
+                kind: 'timeout',
+                max_time_seconds: maxTimeSeconds,
+                signal: killSignal,
+                handoff_suggestion: handoffSuggestion,
+            },
+        } : {}),
+    };
+    const attId = computeAttestationId(bundle);
+    const signature = signAttestation(bundle);
+    const attestation = {
+        id: attId,
+        bundle,
+        signature,
+        signature_alg: 'HMAC-SHA256',
+    };
+
+    let filePath = null;
+    if (attest) {
+        filePath = saveAttestation(attestation);
+        if (quotaInfo && quotaInfo.tier === 'free') incrementQuota();
+    }
+
+    const hasViolations = governance.violations.length > 0;
+    const shouldFail = enforce && hasViolations;
+
+    return {
+        exit: shouldFail ? 2 : wrappedExit,
+        attestation_id: attId,
+        attestation_path: filePath,
+        replay_url: replayUrl(attId),
+        kind,
+        violations: governance.violations,
+        gates: governance.gates,
+        wrapped_exit: wrappedExit,
+        advisory: !enforce,
+        tier: quotaInfo ? quotaInfo.tier : null,
+        // LED-1052: kill-switch metadata surfaced at the top level for CLI rendering
+        ...(killedByTimeout ? {
+            killed_by_timeout: true,
+            handoff_suggestion: handoffSuggestion,
+        } : {}),
+    };
+}
+
+module.exports = {
+    runWrap,
+    computeAttestationId,
+    signAttestation,
+    checkQuota,
+    replayUrl,
+};

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "delimit-cli",
   "mcpName": "io.github.delimit-ai/delimit-mcp-server",
-  "version": "4.2.0",
+  "version": "4.3.1",
   "description": "Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, governance, and multi-model debate.",
   "main": "index.js",
   "files": [

package/adapters/codex-security.js

@@ -1,64 +0,0 @@
-#!/usr/bin/env node
-/**
- * Delimit Security Skill for Codex CLI
- *
- * Validates that Codex-generated code doesn't introduce security anti-patterns.
- * Runs as a security validation skill.
- */
-
-const fs = require('fs');
-const path = require('path');
-
-const SECURITY_PATTERNS = [
-    { pattern: /eval\s*\(/g, severity: 'high', message: 'eval() usage detected — potential code injection' },
-    { pattern: /exec\s*\(/g, severity: 'medium', message: 'exec() usage — verify input sanitization' },
-    { pattern: /shell\s*=\s*True/g, severity: 'high', message: 'subprocess with shell=True — command injection risk' },
-    { pattern: /dangerouslySetInnerHTML/g, severity: 'medium', message: 'dangerouslySetInnerHTML — XSS risk' },
-    { pattern: /password\s*=\s*["'][^"']+["']/gi, severity: 'high', message: 'Hardcoded password detected' },
-    { pattern: /api[_-]?key\s*=\s*["'][A-Za-z0-9]{10,}["']/gi, severity: 'high', message: 'Hardcoded API key detected' },
-];
-
-function checkSecurity(context) {
-    const code = context.code || context.content || '';
-    if (!code) return { status: 'clean', findings: [] };
-
-    const findings = [];
-    for (const { pattern, severity, message } of SECURITY_PATTERNS) {
-        const matches = code.match(pattern);
-        if (matches) {
-            findings.push({ severity, message, count: matches.length });
-        }
-    }
-
-    // Audit
-    try {
-        const auditDir = path.join(process.env.HOME || '', '.delimit', 'audit');
-        fs.mkdirSync(auditDir, { recursive: true });
-        const record = {
-            timestamp: new Date().toISOString(),
-            source: 'codex-security',
-            findings_count: findings.length,
-            high_count: findings.filter(f => f.severity === 'high').length,
-        };
-        const auditFile = path.join(auditDir, `${new Date().toISOString().split('T')[0]}.jsonl`);
-        fs.appendFileSync(auditFile, JSON.stringify(record) + '\n');
-    } catch {}
-
-    const hasHigh = findings.some(f => f.severity === 'high');
-    return {
-        status: hasHigh ? 'flagged' : findings.length > 0 ? 'warnings' : 'clean',
-        findings,
-    };
-}
-
-const context = process.argv[2] ? JSON.parse(process.argv[2]) : {};
-const result = checkSecurity(context);
-
-if (result.status === 'flagged') {
-    for (const f of result.findings) {
-        console.error(`[Delimit Security] ${f.severity.toUpperCase()}: ${f.message}`);
-    }
-    process.exit(1);
-}
-
-process.exit(0);

package/adapters/codex-skill.js

@@ -1,78 +0,0 @@
-#!/usr/bin/env node
-/**
- * Delimit Governance Skill for Codex CLI
- *
- * Runs as a validation skill triggered on pre-code-generation and pre-suggestion.
- * Checks governance state and policy compliance before Codex executes actions.
- */
-
-const fs = require('fs');
-const path = require('path');
-
-const DELIMIT_HOME = path.join(process.env.HOME || '', '.delimit');
-const MODE_FILE = path.join(DELIMIT_HOME, 'enforcement_mode');
-
-function getMode() {
-    try {
-        return fs.readFileSync(MODE_FILE, 'utf-8').trim();
-    } catch {
-        return 'guarded'; // Default
-    }
-}
-
-function checkGovernance(context) {
-    const mode = getMode();
-    const warnings = [];
-
-    // Check if governance is initialized
-    const policiesFile = path.join(process.cwd(), '.delimit', 'policies.yml');
-    if (!fs.existsSync(policiesFile)) {
-        warnings.push('No .delimit/policies.yml — run: delimit init');
-    }
-
-    // Check for sensitive file access
-    const sensitivePatterns = ['.env', 'credentials', '.ssh', 'secrets'];
-    const target = context.target || context.file || '';
-    for (const pattern of sensitivePatterns) {
-        if (target.includes(pattern)) {
-            if (mode === 'enforce') {
-                return { status: 'blocked', reason: `Access to sensitive path: ${target}` };
-            }
-            warnings.push(`Accessing sensitive path: ${target}`);
-        }
-    }
-
-    // Audit log
-    try {
-        const auditDir = path.join(DELIMIT_HOME, 'audit');
-        fs.mkdirSync(auditDir, { recursive: true });
-        const record = {
-            timestamp: new Date().toISOString(),
-            source: 'codex-skill',
-            mode,
-            context: typeof context === 'object' ? JSON.stringify(context).slice(0, 200) : String(context).slice(0, 200),
-            warnings,
-        };
-        const auditFile = path.join(auditDir, `${new Date().toISOString().split('T')[0]}.jsonl`);
-        fs.appendFileSync(auditFile, JSON.stringify(record) + '\n');
-    } catch {}
-
-    return { status: 'allowed', mode, warnings };
-}
-
-// Entry point — read context from stdin or args
-const context = process.argv[2] ? JSON.parse(process.argv[2]) : {};
-const result = checkGovernance(context);
-
-if (result.status === 'blocked') {
-    console.error(`[Delimit] BLOCKED: ${result.reason}`);
-    process.exit(1);
-}
-
-if (result.warnings.length > 0) {
-    for (const w of result.warnings) {
-        console.error(`[Delimit] Warning: ${w}`);
-    }
-}
-
-process.exit(0);

package/adapters/cursor-rules.js

@@ -1,73 +0,0 @@
-#!/usr/bin/env node
-/**
- * Delimit Governance Rules for Cursor
- *
- * Cursor doesn't have a hook system like Claude Code or Codex,
- * so governance enforcement happens server-side via MCP tool calls.
- * This adapter manages the .cursorrules and .cursor/rules/ files
- * that guide Cursor's behavior.
- */
-
-const fs = require('fs');
-const path = require('path');
-
-// LED-213: Import canonical template for cross-model parity
-const { getDelimitSection } = require('../lib/delimit-template');
-
-const HOME = process.env.HOME || '';
-const CURSOR_DIR = path.join(HOME, '.cursor');
-const CURSOR_RULES_DIR = path.join(CURSOR_DIR, 'rules');
-const CURSORRULES_FILE = path.join(HOME, '.cursorrules');
-
-/**
- * Install Delimit governance rules into Cursor.
- * Creates both .cursorrules (legacy) and .cursor/rules/delimit.md (new).
- */
-function installRules(version) {
-    const rules = getDelimitRules(version);
-
-    // Install to .cursor/rules/delimit.md (new location, Cursor 0.45+)
-    if (fs.existsSync(CURSOR_DIR)) {
-        fs.mkdirSync(CURSOR_RULES_DIR, { recursive: true });
-        const rulesFile = path.join(CURSOR_RULES_DIR, 'delimit.md');
-        fs.writeFileSync(rulesFile, rules);
-    }
-
-    return { installed: true, paths: [CURSORRULES_FILE, path.join(CURSOR_RULES_DIR, 'delimit.md')] };
-}
-
-/**
- * Remove Delimit rules from Cursor.
- */
-function uninstallRules() {
-    const removed = [];
-
-    // Remove from .cursor/rules/
-    const rulesFile = path.join(CURSOR_RULES_DIR, 'delimit.md');
-    if (fs.existsSync(rulesFile)) {
-        fs.unlinkSync(rulesFile);
-        removed.push(rulesFile);
-    }
-
-    return { removed };
-}
-
-function getDelimitRules(version) {
-    // LED-213: Use canonical Consensus 123 template for Cursor parity
-    return getDelimitSection();
-}
-
-module.exports = { installRules, uninstallRules, getDelimitRules };
-
-// CLI entry point
-if (require.main === module) {
-    const action = process.argv[2] || 'install';
-    const version = process.argv[3] || '3.11.9';
-    if (action === 'install') {
-        const result = installRules(version);
-        console.log(`Installed Delimit rules to Cursor: ${result.paths.join(', ')}`);
-    } else if (action === 'uninstall') {
-        const result = uninstallRules();
-        console.log(`Removed: ${result.removed.join(', ') || 'nothing to remove'}`);
-    }
-}