npm - delimit-cli - Versions diffs - 4.3.3 → 4.3.4 - Mend

delimit-cli 4.3.3 → 4.3.4

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/bin/delimit-cli.js CHANGED Viewed

@@ -378,7 +378,7 @@ program
             if (fs.existsSync(policyPath)) {
                 hasPolicy = true;
                 try {
-                    const policyContent = yaml.load(fs.readFileSync(policyPath, 'utf-8'));
+                    const policyContent = yaml.load(fs.readFileSync(policyPath, 'utf-8'));  // nosec B-yaml_unsafe_load: parses user-local policy YAML; trusted input
                     policyName = policyContent?.preset || policyContent?.name || 'custom';
                     policyMode = policyContent?.enforcement_mode || policyContent?.mode || '';
                     if (policyContent?.rules) ruleCount = Object.keys(policyContent.rules).length;
@@ -3830,7 +3830,7 @@ program
         if (fs.existsSync(policyPath)) {
             addResult('policy-file', 'pass', '.delimit/policies.yml found');
             try {
-                const policy = yaml.load(fs.readFileSync(policyPath, 'utf8'));
+                const policy = yaml.load(fs.readFileSync(policyPath, 'utf8'));  // nosec B-yaml_unsafe_load: parses user-local .delimit/ YAML; trusted input
                 if (policy && (policy.rules !== undefined || policy.override_defaults !== undefined)) {
                     addResult('policy-valid', 'pass', 'Policy file is valid YAML');
                 } else {
@@ -4193,7 +4193,7 @@ program
         if (fs.existsSync(policyPath)) {
             try {
                 const yaml = require('js-yaml');
-                policy = yaml.load(fs.readFileSync(policyPath, 'utf8'));
+                policy = yaml.load(fs.readFileSync(policyPath, 'utf8'));  // nosec B-yaml_unsafe_load: parses user-local .delimit/ YAML; trusted input
                 // Detect preset from content
                 const policyContent = fs.readFileSync(policyPath, 'utf-8');
@@ -4308,7 +4308,7 @@ program
                 try {
                     const yaml = require('js-yaml');
                     const content = fs.readFileSync(specPath, 'utf8');
-                    const parsed = specPath.endsWith('.json') ? JSON.parse(content) : yaml.load(content);
+                    const parsed = specPath.endsWith('.json') ? JSON.parse(content) : yaml.load(content);  // nosec B-yaml_unsafe_load: parses user-local .delimit/ YAML; trusted input
                     if (parsed && (parsed.openapi || parsed.swagger)) {
                         console.log(chalk.green(`  \u2713 PASS  Valid OpenAPI ${parsed.openapi || parsed.swagger} spec`));
                         totalPassed += 2;

package/lib/agent.js CHANGED Viewed

@@ -124,7 +124,7 @@ class DelimitAgent {
         if (fs.existsSync(userPolicyPath)) {
             try {
                 this.globalPolicies.user = {
-                    policy: yaml.load(fs.readFileSync(userPolicyPath, 'utf8')),
+                    policy: yaml.load(fs.readFileSync(userPolicyPath, 'utf8')),  // nosec B-yaml_unsafe_load: parses agent-config YAML authored by the user locally
                     path: userPolicyPath,
                     loadedAt: Date.now()
                 };
@@ -139,7 +139,7 @@ class DelimitAgent {
         if (fs.existsSync(systemPolicyPath)) {
             try {
                 this.globalPolicies.system = {
-                    policy: yaml.load(fs.readFileSync(systemPolicyPath, 'utf8')),
+                    policy: yaml.load(fs.readFileSync(systemPolicyPath, 'utf8')),  // nosec B-yaml_unsafe_load: parses agent-config YAML authored by the user locally
                     path: systemPolicyPath,
                     loadedAt: Date.now()
                 };
@@ -317,7 +317,7 @@ class DelimitAgent {
             try {
                 const stat = fs.statSync(policyPath);
                 const policyContent = fs.readFileSync(policyPath, 'utf8');
-                const parsedPolicy = yaml.load(policyContent);
+                const parsedPolicy = yaml.load(policyContent);  // nosec B-yaml_unsafe_load: parses agent-config YAML authored by the user locally
                 // Validate the parsed policy
                 if (!parsedPolicy || typeof parsedPolicy !== 'object') {

package/lib/cross-model-hooks.js CHANGED Viewed

@@ -154,7 +154,7 @@ function loadHookConfig() {
         if (fs.existsSync(candidate)) {
             try {
                 const yaml = require('js-yaml');
-                const doc = yaml.load(fs.readFileSync(candidate, 'utf-8'));
+                const doc = yaml.load(fs.readFileSync(candidate, 'utf-8'));  // nosec B-yaml_unsafe_load: parses hook YAML from user-local .claude/
                 if (doc && doc.hooks) {
                     return { ...defaults, ...doc.hooks };
                 }

package/lib/wrap-engine.js CHANGED Viewed

@@ -109,7 +109,25 @@ function runTestSmoke(cwd) {
             }
         } catch { /* ignore */ }
     }
-    if (fs.existsSync(path.join(cwd, 'tests')) || fs.existsSync(path.join(cwd, 'pytest.ini')) || fs.existsSync(path.join(cwd, 'pyproject.toml'))) {
+    // Only run pytest if there's a Python-specific signal.
+    // A bare `tests/` directory is common in Node projects too and should NOT trigger pytest.
+    // Require: pytest.ini, OR pyproject.toml that mentions pytest, OR setup.py, OR setup.cfg with [tool:pytest]/[pytest].
+    let pythonProject = false;
+    if (fs.existsSync(path.join(cwd, 'pytest.ini'))) pythonProject = true;
+    if (!pythonProject && fs.existsSync(path.join(cwd, 'setup.py'))) pythonProject = true;
+    if (!pythonProject && fs.existsSync(path.join(cwd, 'pyproject.toml'))) {
+        try {
+            const pp = fs.readFileSync(path.join(cwd, 'pyproject.toml'), 'utf-8');
+            if (/\bpytest\b/.test(pp)) pythonProject = true;
+        } catch { /* ignore */ }
+    }
+    if (!pythonProject && fs.existsSync(path.join(cwd, 'setup.cfg'))) {
+        try {
+            const sc = fs.readFileSync(path.join(cwd, 'setup.cfg'), 'utf-8');
+            if (/\[(tool:)?pytest\]/.test(sc)) pythonProject = true;
+        } catch { /* ignore */ }
+    }
+    if (pythonProject) {
         const r = spawnSync('python3', ['-m', 'pytest', '--tb=short', '-q'], { cwd, encoding: 'utf-8', timeout: 180000, stdio: ['ignore', 'pipe', 'pipe'] });
         results.push({ runner: 'pytest', exit: r.status ?? 1, stdout: (r.stdout || '').slice(-2000), stderr: (r.stderr || '').slice(-1000) });
     }

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "delimit-cli",
   "mcpName": "io.github.delimit-ai/delimit-mcp-server",
-  "version": "4.3.3",
+  "version": "4.3.4",
   "description": "Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, governance, and multi-model debate.",
   "main": "index.js",
   "files": [