delimit-cli 4.3.4 → 4.5.0

package/gateway/ai/license_core.py

@@ -24,7 +24,9 @@ PRO_TOOLS = frozenset({
     "delimit_deploy_plan", "delimit_deploy_build", "delimit_deploy_publish",
     "delimit_deploy_verify", "delimit_deploy_rollback", "delimit_deploy_status",
     "delimit_deploy_site", "delimit_deploy_npm",
-    "delimit_memory_store", "delimit_memory_search", "delimit_memory_recent",
+    # delimit_memory_store + delimit_memory_recent are FREE (LED-193 — basic
+    # store + recent retrieval). Only delimit_memory_search is Pro.
+    "delimit_memory_search",
     "delimit_vault_search", "delimit_vault_snapshot", "delimit_vault_health",
     "delimit_evidence_collect", "delimit_evidence_verify",
     "delimit_deliberate", "delimit_models",

package/gateway/ai/mcp_bridge.py

@@ -28,7 +28,7 @@ class MCPSubprocessClient:
         self._request_id = 0
 
     def start(self):
-        self._proc = subprocess.Popen(
+        self._proc = subprocess.Popen(  # nosec B-subprocess_shell: MCP bridge spawns user-configured CLI via shell; argv validated upstream
             self.command, shell=True,
             stdin=subprocess.PIPE, stdout=subprocess.PIPE, stderr=subprocess.PIPE,
         )

package/gateway/ai/reddit_proxy.py

@@ -54,9 +54,10 @@ def fetch_subreddit(subreddit: str, sort: str = "new", limit: int = 10) -> List[
         try:
             fetch_url = f"{proxy_url}?url={urllib.parse.quote(reddit_url, safe='')}"
             headers = {"User-Agent": "Delimit/1.0"}
-            token = proxy_cfg.get("token", "")
-            if token:
-                headers["Authorization"] = f"Bearer {token}"
+            # nosec B105 — reads proxy auth credential from config, not a hardcoded secret
+            auth_token = proxy_cfg.get("token", "")
+            if auth_token:
+                headers["Authorization"] = f"Bearer {auth_token}"
             req = urllib.request.Request(fetch_url, headers=headers)
             with urllib.request.urlopen(req, timeout=10) as resp:
                 body = json.loads(resp.read().decode())
@@ -100,9 +101,10 @@ def fetch_thread(thread_id: str) -> Optional[Dict[str, Any]]:
         try:
             fetch_url = f"{proxy_url}?url={urllib.parse.quote(reddit_url, safe='')}"
             headers = {"User-Agent": "Delimit/1.0"}
-            token = proxy_cfg.get("token", "")
-            if token:
-                headers["Authorization"] = f"Bearer {token}"
+            # nosec B105 — reads proxy auth credential from config, not a hardcoded secret
+            auth_token = proxy_cfg.get("token", "")
+            if auth_token:
+                headers["Authorization"] = f"Bearer {auth_token}"
             req = urllib.request.Request(fetch_url, headers=headers)
             with urllib.request.urlopen(req, timeout=10) as resp:
                 data = json.loads(resp.read().decode())

package/gateway/ai/server.py

@@ -2045,6 +2045,33 @@ def delimit_gov_verify(task_id: str = "", repo: str = ".") -> Dict[str, Any]:
     return _delimit_gov_impl(action="verify", task_id=task_id, repo=repo)
 
 
+@mcp.tool()
+def delimit_external_pr_check(
+    repo: str,
+    author: str = "",
+    state: str = "all",
+) -> Dict[str, Any]:
+    """Pre-PR duplicate guard for external repos. Run BEFORE drafting.
+
+    Lists existing PRs from `author` against `repo` via gh CLI. Returns
+    fail-closed verdict — any open PR or PR merged in the last 30 days
+    yields verdict='duplicate' so the caller stops drafting before any
+    deliberation or submission work.
+
+    Args:
+        repo: External GitHub repo, e.g. "goharbor/harbor".
+        author: GitHub username to filter by (recommended). Empty = all.
+        state: "open" | "closed" | "merged" | "all". Default "all".
+    """
+    from backends.governance_bridge import external_pr_check
+    return _safe_call(
+        external_pr_check,
+        repo=repo,
+        author=author or None,
+        state=state,
+    )
+
+
 # ─── Memory ─────────────────────────────────────────────────────────────
 
 @mcp.tool()
@@ -2068,6 +2095,7 @@ def delimit_memory_store(
     content: str,
     tags: Optional[Union[str, List[str]]] = None,
     context: Optional[str] = None,
+    hot_load: bool = False,
 ) -> Dict[str, Any]:
     """Store a memory entry for future retrieval.
 
@@ -2078,6 +2106,12 @@ def delimit_memory_store(
         content: The content to remember.
         tags: Optional categorization tags.
         context: Optional context about when/why this was stored.
+        hot_load: LED-1165 Phase 2 #5: when True, mark the entry for
+            one-way projection into the Claude Code auto-memory
+            `MEMORY.md` hot-load index. Existing entries default to False
+            (durable in delimit_memory, not projected). The projection
+            writer that consumes this flag is shipped separately as PR-B;
+            this PR only persists the flag.
     """
     # LED-193: memory_store is now free (basic store)
     try:
@@ -2085,7 +2119,10 @@ def delimit_memory_store(
     except ValueError as e:
         return _with_next_steps("memory_store", {"error": str(e)})
     from backends.memory_bridge import store
-    return _with_next_steps("memory_store", _safe_call(store, content=content, tags=tags, context=context))
+    return _with_next_steps(
+        "memory_store",
+        _safe_call(store, content=content, tags=tags, context=context, hot_load=hot_load),
+    )
 
 
 @mcp.tool()
@@ -2102,6 +2139,50 @@ def delimit_memory_recent(limit: int = 5) -> Dict[str, Any]:
     return _with_next_steps("memory_recent", _safe_call(get_recent, limit=limit))
 
 
+@mcp.tool()
+def delimit_memory_index(
+    target_path: str = "",
+    dry_run: bool = False,
+    limit: int = 200,
+) -> Dict[str, Any]:
+    """Project delimit_memory hot entries into Claude Code's MEMORY.md.
+
+    LED-1165 Phase 2 #5 PR-B. One-way projection of all delimit_memory
+    entries flagged `hot_load=True` into a managed section of the
+    target Markdown file. Lets Claude Code see hot entries on session
+    start without making delimit_memory dependent on Anthropic's
+    auto-memory format.
+
+    Behavior:
+      - If target_path's file has `<!-- delimit:start -->` /
+        `<!-- delimit:end -->` markers, ONLY the content between them
+        is replaced. Anything outside the markers is preserved.
+      - If markers are missing, the managed section is APPENDED to the
+        end of the file (existing content is never touched).
+      - If the file doesn't exist, it's created with just the section.
+      - **One-way projection only.** Reading MEMORY.md back into
+        delimit_memory is explicitly out of scope (Anthropic owns the
+        auto-memory format; format-drift risk).
+
+    Args:
+        target_path: file to write. Empty = default
+            ~/.claude/projects/-root/memory/MEMORY.md.
+        dry_run: True returns the rendered content size without writing.
+        limit: cap on entries projected. Default 200.
+
+    Returns:
+        {target, dry_run, entries, wrote_chars or would_write_chars,
+         had_existing_block, had_existing_file, preserved_user_content}
+    """
+    from backends.memory_bridge import project_to_memory_md
+    from pathlib import Path
+    target = Path(target_path) if target_path else None
+    return _with_next_steps(
+        "memory_index",
+        _safe_call(project_to_memory_md, target_path=target, dry_run=dry_run, limit=limit),
+    )
+
+
 # ─── Vault ──────────────────────────────────────────────────────────────
 
 @mcp.tool()
@@ -5436,26 +5517,309 @@ def delimit_ledger_done(item_id: str, note: str = "", venture: str = "") -> Dict
     return _with_next_steps("ledger_done", result)
 
 
+@mcp.tool()
+def delimit_ledger_bulk(
+    item_ids: str,
+    action: str,
+    dry_run: bool = True,
+    note: str = "",
+    new_status: str = "",
+    new_priority: str = "",
+    tag: str = "",
+    venture: str = "",
+) -> Dict[str, Any]:
+    """Apply one action to many ledger items in a single call.
+
+    LED-1145 Phase 1 PR-B. Default `dry_run=True` returns what would change
+    without writing — callers must explicitly pass `dry_run=False` to apply.
+    Per-item failures don't block other items in the batch.
+
+    Allowed actions:
+      - archive         -> sets status="archived" (soft, replay-preserving)
+      - mark_done       -> sets status="done"
+      - cancel          -> sets status="cancelled"
+      - set_status      -> sets status to `new_status`
+                           (one of open/in_progress/blocked/done/cancelled/archived/completed)
+      - set_priority    -> sets priority to `new_priority`
+                           (one of P0/P1/P2/P3)
+      - add_tag         -> appends `tag` if not already present (idempotent)
+
+    NO hard delete. Items remain in the append-only JSONL forever; archive is
+    a status transition that can be reversed via set_status.
+
+    Args:
+        item_ids: comma-separated LED ids (e.g. "LED-915,LED-916,LED-918")
+            or a JSON array of strings.
+        action: one of the actions above.
+        dry_run: True (default) returns `would_change`; False applies and
+            returns `changed`.
+        note: optional note attached to every successful update event.
+        new_status: required when action="set_status".
+        new_priority: required when action="set_priority".
+        tag: required when action="add_tag".
+        venture: project name or path. Auto-detects if empty.
+    """
+    from ai.ledger_manager import bulk_action
+    project = _resolve_venture(venture)
+    result = bulk_action(
+        item_ids=item_ids,
+        action=action,
+        dry_run=dry_run,
+        note=note or None,
+        new_status=new_status or None,
+        new_priority=new_priority or None,
+        tag=tag or None,
+        project_path=project,
+    )
+    return _with_next_steps("ledger_bulk", result)
+
+
+@mcp.tool()
+def delimit_ledger_auto_close_external(
+    venture: str = "",
+    dry_run: bool = True,
+    max_items: int = 200,
+) -> Dict[str, Any]:
+    """Walk open ledger items, find ones linked to a GitHub issue/PR, and
+    close LEDs whose external counterpart already resolved.
+
+    LED-1145 Phase 2 #1. Fixes the "ledger drifts from external reality"
+    problem (e.g., LED-1023 stayed open even though goharbor/harbor#23089
+    merged 16 days earlier).
+
+    Detection scans description / context / last_note / tags for:
+      - https://github.com/<owner>/<repo>/(issues|pull)/<num>
+      - <owner>/<repo>#<num>  (short form)
+      - gh:<owner>/<repo>/<num>  (explicit tag form)
+
+    Action map (per LED-1146 deliberation):
+      - PR with merged=true → mark_done with merge SHA in note
+      - issue/PR closed with state_reason="completed" → mark_done with closed_at
+      - issue/PR closed with state_reason="not_planned" or no reason → archive
+      - state="open" → leave alone
+      - gh API error / 404 → leave alone, recorded in `errors`
+
+    Implementation re-uses bulk_action() under the hood; nothing new on the
+    write path. dry_run=True (default) returns a plan; dry_run=False applies.
+
+    Args:
+        venture: project name or path. Auto-detects if empty.
+        dry_run: True (default) returns a plan without writing.
+        max_items: hard cap on items processed in one call (default 200).
+            When the candidate set exceeds this, the response is `truncated=True`.
+    """
+    from ai.ledger_manager import auto_close_linked_external
+    project = _resolve_venture(venture)
+    result = auto_close_linked_external(
+        project_path=project,
+        dry_run=dry_run,
+        max_items=max_items,
+    )
+    return _with_next_steps("ledger_auto_close_external", result)
+
+
+@mcp.tool()
+def delimit_ledger_groom(
+    venture: str = "",
+    stale_days: int = 30,
+    dup_min_count: int = 3,
+    max_per_category: int = 50,
+) -> Dict[str, Any]:
+    """Read-only grooming proposal: surfaces stale, duplicate, and
+    garbage-venture items for the founder to review.
+
+    LED-1145 Phase 2 #2. Risky operations (mass-cancellation, dedup-merge)
+    must NOT be a single atomic action — this tool only PROPOSES; the
+    founder applies via `delimit_ledger_bulk` after review. Each proposal
+    in the response includes a copy-pasteable `ready_to_apply` invocation.
+
+    Categories detected:
+      - stale_open: status open|in_progress|blocked AND updated_at older
+        than `stale_days`. Suggested action: archive.
+      - duplicate_titles: groups of >= `dup_min_count` items sharing the
+        same normalised title prefix (50 chars, [BRACKETED] prefixes
+        stripped, lowercased). Suggested: keep the most-recent item;
+        archive the others.
+      - garbage_venture: items in tmp* / test_* / venture_<letter> /
+        custom-venture buckets. Suggested action: archive.
+
+    Categories NOT detected here (separate tools / future PRs):
+      - linked-external resolved → use `delimit_ledger_auto_close_external`
+      - P0 inflation review
+      - cross-venture orphan cleanup
+
+    Args:
+        venture: project name or path. Auto-detects if empty.
+        stale_days: threshold for stale_open detector (default 30).
+        dup_min_count: minimum group size for duplicate_titles (default 3).
+        max_per_category: cap per category in the response (default 50).
+    """
+    from ai.ledger_manager import groom_proposal
+    project = _resolve_venture(venture)
+    result = groom_proposal(
+        project_path=project,
+        stale_days=stale_days,
+        dup_min_count=dup_min_count,
+        max_per_category=max_per_category,
+    )
+    return _with_next_steps("ledger_groom", result)
+
+
+@mcp.tool()
+def delimit_ledger_auto_cancel_stale(
+    venture: str = "",
+    threshold_days: int = 0,
+    dry_run: bool = True,
+    max_items: int = 200,
+) -> Dict[str, Any]:
+    """Auto-archive open ledger items dormant past the stale-TTL threshold.
+
+    LED-1145 Phase 2 #4. Composes the stale-detector logic with
+    `bulk_action(action="archive")` from Phase 1 PR-B. Same dry_run-default
+    safety pattern as `delimit_ledger_auto_close_external` — caller passes
+    `dry_run=False` to apply.
+
+    Distinct from `delimit_ledger_groom`'s stale_open category:
+      - The threshold is stricter (default 60 days vs groom's 30)
+      - It auto-applies on dry_run=False (groom is purely propose)
+      - Intended for nightly automation / scripted cleanup
+
+    Items go through bulk_action(archive) so the no-hard-delete invariant
+    is preserved — the JSONL append-only log keeps the full record.
+
+    Args:
+        venture: Project name or path. Auto-detects if empty.
+        threshold_days: dormancy threshold in days. 0 = read default
+            (60 from STALE_TTL_DEFAULT_DAYS or DELIMIT_STALE_TTL_DAYS env).
+            Pass an int to override.
+        dry_run: True (default) returns the plan; False applies via
+            bulk_action(archive).
+        max_items: cap items processed per call. When the candidate list
+            exceeds this, response includes truncated=True so the caller
+            can run again to drain.
+    """
+    from ai.ledger_manager import auto_cancel_stale
+    project = _resolve_venture(venture)
+    threshold = threshold_days if threshold_days > 0 else None
+    result = auto_cancel_stale(
+        project_path=project,
+        threshold_days=threshold,
+        dry_run=dry_run,
+        max_items=max_items,
+    )
+    return _with_next_steps("ledger_auto_cancel_stale", result)
+
+
+@mcp.tool()
+def delimit_ledger_health(
+    venture: str = "",
+    stale_days: int = 30,
+    dup_min_count: int = 3,
+) -> Dict[str, Any]:
+    """One-shot ledger health check — composes list_items + groom_proposal
+    + the P0 quota helper into a single traffic-light verdict and a list
+    of concrete next actions.
+
+    LED-1145 capstone — closes the loop on the entire ledger-tooling
+    refactor. Designed for nightly/weekly review or session-start status
+    snapshot. Returns:
+      - totals (unresolved / open / in_progress / blocked)
+      - p0 (count vs quota + health)
+      - stale (count >stale_days + health)
+      - duplicates (group count + total items + health)
+      - garbage_venture (count + health)
+      - overall_health (worst-of: green / yellow / red)
+      - next_actions: pre-formatted list of {reason, tool, args, follow_up}
+
+    All Phase 1+2 tools are referenced in the suggested actions, so the
+    response is self-contained for an AI agent that wants to act on it.
+
+    Args:
+        venture: project name or path. Auto-detects if empty.
+        stale_days: stale-detector threshold passed to groom_proposal.
+        dup_min_count: duplicate-detector threshold passed to groom_proposal.
+    """
+    from ai.ledger_manager import health_summary
+    project = _resolve_venture(venture)
+    result = health_summary(
+        project_path=project,
+        stale_days=stale_days,
+        dup_min_count=dup_min_count,
+    )
+    return _with_next_steps("ledger_health", result)
+
+
 @mcp.tool()
 def delimit_ledger_list(
     venture: str = "",
     ledger: str = "both",
     status: str = "",
     priority: str = "",
+    status_in: str = "",
+    priority_in: str = "",
+    tags_contains_all: str = "",
+    text: str = "",
+    linked_external_id: str = "",
+    created_before: str = "",
+    created_after: str = "",
+    updated_before: str = "",
+    updated_after: str = "",
+    sort: str = "updated_at",
+    order: str = "desc",
+    fields: str = "",
     limit: int = 20,
+    cursor: str = "",
 ) -> Dict[str, Any]:
     """List ledger items for a venture/project.
 
+    LED-1145 Phase 1 PR-A: extended with multi-value filters, sort + projection,
+    and cursor pagination. Single-value `status` / `priority` remain for
+    backward compatibility — old callers continue to work unchanged.
+
     Args:
         venture: Project name or path. Auto-detects if empty.
-        ledger: "ops", "strategy", or "both".
-        status: Filter by status - "open", "done", "in_progress", or empty for all.
-        priority: Filter by priority - "P0", "P1", "P2", or empty for all.
-        limit: Max items to return.
+        ledger: "ops" | "strategy" | "both".
+        status: single-value status filter (back-compat).
+        priority: single-value priority filter (back-compat).
+        status_in: comma-separated statuses (e.g. "open,blocked,in_progress").
+        priority_in: comma-separated priorities (e.g. "P0,P1").
+        tags_contains_all: comma-separated tags; item must contain ALL.
+        text: case-insensitive substring match against title + description.
+        linked_external_id: substring match in description / tags / context
+            (e.g. a github URL, a Linear ticket id, a Discord thread).
+        created_before / created_after / updated_before / updated_after:
+            ISO-8601 timestamp boundaries (e.g. "2026-04-01T00:00:00Z").
+        sort: "updated_at" | "created_at" | "priority". Default updated_at.
+        order: "asc" | "desc". Default desc.
+        fields: response projection. "" or "*" = full (default, back-compat).
+            "slim" = id+title+status+priority+type+venture+updated_at only.
+            CSV of field names = those only. Unknown field names → ERROR.
+        limit: page size (default 20).
+        cursor: opaque pagination token from a prior call's `next_cursor`.
+            Cursor is invalidated when filters change between calls.
     """
     from ai.ledger_manager import list_items
     project = _resolve_venture(venture)
-    result = list_items(ledger=ledger, status=status or None, priority=priority or None, limit=limit, project_path=project)
+    result = list_items(
+        ledger=ledger,
+        status=status or None,
+        priority=priority or None,
+        status__in=status_in or None,
+        priority__in=priority_in or None,
+        tags__contains_all=tags_contains_all or None,
+        text=text or None,
+        linked_external_id=linked_external_id or None,
+        created_before=created_before or None,
+        created_after=created_after or None,
+        updated_before=updated_before or None,
+        updated_after=updated_after or None,
+        sort=sort,
+        order=order,
+        fields=fields or None,
+        limit=limit,
+        cursor=cursor or None,
+        project_path=project,
+    )
     return _with_next_steps("ledger_list", result)
 
 
@@ -7876,7 +8240,11 @@ def delimit_changelog(old_spec: str = "", new_spec: str = "", format: str = "mar
 def delimit_notify(channel: str = "webhook", message: str = "",
                    webhook_url: str = "", subject: str = "",
                    event_type: str = "", to: str = "",
-                   from_account: str = "") -> Dict[str, Any]:
+                   from_account: str = "",
+                   draft_kind: str = "",
+                   draft_payload: Optional[Union[str, Dict[str, Any]]] = None,
+                   draft_target: Optional[Union[str, Dict[str, Any]]] = None,
+                   led_ref: str = "") -> Dict[str, Any]:
     """Send a notification (Pro).
 
     IMPORTANT - AUTO-TRIGGER RULE:
@@ -7905,9 +8273,80 @@ def delimit_notify(channel: str = "webhook", message: str = "",
             Send to any address - leave empty for default.
         from_account: Sender account key from ~/.delimit/secrets/smtp-all.json
             (e.g. 'notifications@example.com'). Email only.
+
+    Optional inbox-executor binding (LED-1129 Phase 1, no auto-execution yet):
+        draft_kind: One of github_comment, social_post, ledger_done,
+            notify_routing_update, deploy_publish_prevalidated_artifact.
+            When set, registers a signed draft in the local SQLite registry
+            so a future executor can match founder Ship-it replies against it.
+        draft_payload: The action contents (e.g. {"body": "..."} for github_comment).
+            JSON string or dict. Required when draft_kind is set.
+        draft_target: Where the action lands (e.g. {"repo":"x/y","issue":1}).
+            JSON string or dict. Required when draft_kind is set.
+        led_ref: Optional LED-XXXX tag tying the draft to its tracking item.
+            Surfaced in subject-line matching by the executor.
+
+    Returns the notify result. When a draft was registered, also includes
+    a `draft` block: {draft_id, draft_kind, signature, registered}.
     """
     from ai.notify import send_notification
-    return _with_next_steps("notify", _safe_call(
+
+    draft_meta: Optional[Dict[str, Any]] = None
+    if draft_kind:
+        # LED-1129 Phase 1: register a signed draft alongside the email
+        # send. Phase 2 will wire the executor to consume these.
+        try:
+            from ai.inbox_drafts import (
+                DraftKind,
+                insert_draft,
+                sign_draft,
+            )
+
+            # Validate kind against the allowlist enum.
+            try:
+                DraftKind(draft_kind)
+            except ValueError:
+                return _with_next_steps("notify", {
+                    "error": (
+                        f"draft_kind must be one of "
+                        f"{[k.value for k in DraftKind]}; got '{draft_kind}'"
+                    ),
+                })
+
+            # Coerce string args to dicts for callers that pass JSON strings.
+            payload = _coerce_dict_arg(draft_payload, "draft_payload",
+                                        string_key="body") if draft_payload is not None else None
+            target = _coerce_dict_arg(draft_target, "draft_target",
+                                       string_key="target") if draft_target is not None else None
+
+            if payload is None or target is None:
+                return _with_next_steps("notify", {
+                    "error": "draft_kind requires both draft_payload and draft_target",
+                })
+
+            signed = sign_draft(
+                draft_kind=draft_kind,
+                target=target,
+                payload=payload,
+            )
+            insert_draft(signed, led_ref=(led_ref or None))
+            draft_meta = {
+                "draft_id": signed.draft_id,
+                "draft_kind": signed.draft_kind,
+                "signature": signed.signature,
+                "registered": True,
+                "led_ref": led_ref or None,
+            }
+        except Exception as e:
+            # Draft registration must not break the notify itself —
+            # the email still goes out, the draft just isn't tracked.
+            # Log the failure in the response so callers can audit.
+            draft_meta = {
+                "registered": False,
+                "error": f"{type(e).__name__}: {e}",
+            }
+
+    result = _safe_call(
         send_notification,
         channel=channel,
         message=message,
@@ -7916,7 +8355,10 @@ def delimit_notify(channel: str = "webhook", message: str = "",
         event_type=event_type,
         to=to,
         from_account=from_account,
-    ))
+    )
+    if draft_meta is not None:
+        result["draft"] = draft_meta
+    return _with_next_steps("notify", result)
 
 
 @mcp.tool()

package/gateway/ai/supabase_sync.py

@@ -1,7 +1,34 @@
-"""Supabase sync -- writes gateway data to cloud for dashboard access.
-
-Writes are fire-and-forget (never blocks tool execution).
-If Supabase is unreachable, data stays in local files (always the source of truth).
+"""Supabase sync — OPT-IN cloud mirror of local governance events.
+
+This module is OFF BY DEFAULT. It only activates if the user supplies BOTH
+of the following:
+  - SUPABASE_URL environment variable (or `url` key in ~/.delimit/secrets/supabase.json)
+  - SUPABASE_SERVICE_ROLE_KEY env var (or `service_role_key` key in the same file)
+
+When activated, it mirrors locally-written events/ledger/work-order/deliberation
+rows into the user's own Supabase project so they can view them in
+app.delimit.ai. The local files under ~/.delimit/ remain the source of truth;
+this is a read-side convenience, never a write-side requirement.
+
+Data scope (what gets sent when enabled):
+  - events: tool name, timestamp, status, model id, venture tag, session id,
+    risk level, trace id, span id. NO source code. NO prompts. NO responses.
+  - ledger items: id, title, priority, venture, status, description snippet.
+  - work orders: id, metadata fields, status.
+  - deliberations: summary metadata.
+
+KILL SWITCH:
+  Set DELIMIT_DISABLE_CLOUD_SYNC=1 in the environment to disable ALL cloud
+  mirroring even if Supabase credentials are present. The local files continue
+  to work. This is the same-session runtime equivalent of simply not configuring
+  SUPABASE_URL/SUPABASE_SERVICE_ROLE_KEY in the first place.
+
+Transport:
+  Writes are fire-and-forget. Tool execution never blocks on Supabase
+  reachability. All sync_* functions swallow exceptions silently; the
+  failure mode is "nothing appears in your dashboard" not "nothing runs."
+
+LED-1056: disclosure added per external issue #56 (delimit-ai/delimit-mcp-server).
 """
 import json
 import os
@@ -17,8 +44,14 @@ _init_attempted = False
 SUPABASE_URL = os.environ.get("SUPABASE_URL", "")
 SUPABASE_KEY = os.environ.get("SUPABASE_SERVICE_ROLE_KEY", "")
 
-# Also check local secrets file
-if not SUPABASE_URL:
+# LED-1056: explicit user kill switch. Overrides any credentials the user
+# might have configured. Setting this env var forces ALL sync_* operations
+# to no-op, making cloud sync unconditionally off for the session.
+_CLOUD_SYNC_DISABLED = os.environ.get("DELIMIT_DISABLE_CLOUD_SYNC", "").strip().lower() in ("1", "true", "yes", "on")
+
+# Also check local secrets file — only if env vars weren't already provided
+# AND the kill switch is not set.
+if not SUPABASE_URL and not _CLOUD_SYNC_DISABLED:
     secrets_file = Path.home() / ".delimit" / "secrets" / "supabase.json"
     if secrets_file.exists():
         try:
@@ -57,8 +90,15 @@ def _normalize_venture(value) -> str:
 
 
 def _get_client():
-    """Lazy-init Supabase client. Returns the SDK client, 'http' for fallback, or None."""
+    """Lazy-init Supabase client. Returns the SDK client, 'http' for fallback, or None.
+
+    Returns None (disabled) if:
+      - DELIMIT_DISABLE_CLOUD_SYNC=1 is set (user kill switch, LED-1056), OR
+      - SUPABASE_URL / SUPABASE_SERVICE_ROLE_KEY are not configured.
+    """
     global _client, _init_attempted
+    if _CLOUD_SYNC_DISABLED:
+        return None
     if _client is not None:
         return _client
     if _init_attempted:

package/gateway/ai/swarm.py

@@ -846,7 +846,7 @@ def create_tool(
 
     # Security scan — check for dangerous patterns
     dangerous = [
-        "subprocess.call", "os.system", "exec(", "eval(",
+        "subprocess.call", "os.system", "exec(", "eval(",  # nosec B-eval_usage: MCP tool dispatch — evaluates a whitelisted tool function reference
         "import socket", "import http.server",
         "__import__", "compile(",
     ]