delimit-cli 4.4.0 → 4.5.1

package/CHANGELOG.md

@@ -1,5 +1,75 @@
 # Changelog
 
+
+## [4.5.1] - 2026-04-28
+
+### Security — attestation `canonicalize()` strengthened (LED-1180)
+
+The `canonicalize()` helper used to derive attestation IDs and HMAC signatures was passing `Object.keys(bundle).sort()` as the second argument to `JSON.stringify`. JSON.stringify treats that argument as a property **allowlist**, not a sort order, and the allowlist contained only top-level keys — so nested objects serialised as `{}` and the HMAC committed only to the bundle's top-level shape.
+
+Practical effect: a bundle with `{governance: {violations: ["safe"]}}` and one with `{governance: {violations: ["malicious"]}}` produced **identical signatures**. Tampering nested fields was undetectable through signature verification.
+
+**This release replaces canonicalize with a proper recursive sorted-key serializer.** Old (v4.3 – v4.5.0) attestations remain readable but verify with the new canonicalize and will report `signature_mismatch`. New attestations produced by v4.5.1+ commit to the full content of the bundle.
+
+- `lib/wrap-engine.js` — fixed `canonicalize()`, exported it for reuse
+- `lib/trust-page-engine.js` — verifier now imports the corrected canonicalize
+- `tests/v43-wrap-engine.test.js` — added LED-1180 regression: tampering a nested field MUST change the signature; if it doesn't, canonicalize is silently dropping nested keys
+- `tests/v43-trust-page-engine.test.js` — test fixtures sign with the corrected canonicalize
+
+If you have a corpus of v4.5.0 or earlier attestations and need them re-signed under the new primitive, the migration tool is on the LED-1180 follow-up. For most users, attestations are short-lived merge-decision artifacts and re-signing is unnecessary.
+
+### Other
+
+- (Internal) LED-1175 + LED-1177 MVP shipped in `delimit-private`: signed deliberation attestations + Scanner Input v0 schema. Public docs: [delimit.ai/docs/scanner-input](https://delimit.ai/docs/scanner-input), [delimit.ai/docs/vs-bugcrawl](https://delimit.ai/docs/vs-bugcrawl). No customer-facing CLI changes in 4.5.1.
+
+## [4.5.0] - 2026-04-27
+
+### Added — Ledger hygiene toolkit (LED-1145, 7 PRs)
+
+The full hygiene loop is now a single MCP surface — call `delimit_ledger_health` to see what's wrong, then run the suggested tool to fix it.
+
+- **`delimit_ledger_health`** — one-shot traffic-light status (P0 inflation / stale / duplicates / garbage venture) with ranked next-action list
+- **`delimit_ledger_groom`** — read-only proposal: stale-open + duplicate-titles + garbage-venture detection. Each proposal includes a copy-pasteable `delimit_ledger_bulk` invocation
+- **`delimit_ledger_bulk(item_ids, action, dry_run=True)`** — batch operations (`archive`, `set_status`, `set_priority`, `add_tag`, `mark_done`, `cancel`). `dry_run=True` is the safety default. **No hard delete** — archive is an append-only soft transition
+- **`delimit_ledger_auto_close_external`** — find LEDs linked to a GitHub issue/PR and auto-close when the upstream resolves (mark_done for merged PRs / closed-as-completed; archive for not_planned closures)
+- **`delimit_ledger_auto_cancel_stale`** — auto-archive items dormant past `DELIMIT_STALE_TTL_DAYS` (default 60). Composes `bulk_action(archive)`. dry_run default
+- **Extended `delimit_ledger_list`** — new filters: `status_in`, `priority_in`, `tags_contains_all`, `text`, `linked_external_id`, `created_before/after`, `updated_before/after`, `sort`, `order`, `fields` projection (`"slim"` / explicit list / unknown=error), cursor pagination
+- **P0 soft-quota** on `delimit_ledger_add` — soft warning when count > `DELIMIT_P0_SOFT_QUOTA` (default 50). Item still added; surfaces a nudge to groom
+
+### Added — Memory-system convergence (LED-1165)
+
+`delimit_memory` is now the canonical durable memory; Claude Code auto-memory becomes a one-way client projection.
+
+- **`hot_load: bool` parameter** on `delimit_memory_store` — opt-in, default False. Marks an entry for projection
+- **`delimit_memory_index(target_path, dry_run, limit)`** — projects hot_load=True entries into a managed section of MEMORY.md (`<!-- delimit:start -->` / `<!-- delimit:end -->` markers). User content outside markers is preserved verbatim. **One-way only** — never reads MEMORY.md back into delimit_memory
+
+### Fixed — Secret-scanner false positives in `tools_infra`
+
+The `_CREDENTIAL_FALSE_POSITIVES` regex now suppresses three additional benign patterns so legitimate credential-loading code (env-var lookup, dict-getter, control-flow guards) doesn't trip the audit:
+- `\w+\.get(` (any object-method getter, was tokens-only)
+- `if not <var>:` (Python control-flow with credential variable)
+- `:\n` matched-text (block-opener colon, not key-value separator)
+
+### Fixed — OpenAPI diff engine defensive coverage
+
+Real-world specs can ship malformed shapes. The diff engine now defends against the entire dict-iteration crash class without losing any actual finding:
+
+- **`required: bool` in object schemas** (legal in parameter objects but seen leaking into nested schemas) — was raising `TypeError: 'bool' object is not iterable`. Treats as no-required-fields and continues
+- **`properties: [...]` instead of dict** (Kong-class) — `.keys()` no longer crashes; treats as empty properties and continues
+- **`paths: []`, `responses: []`, `content: []` (request and response)** — all coerce to `{}` at function entry. Diffs against the well-formed side still produce correct findings
+
+### Tests
+- 108 ledger-manager tests (15 originals + 93 new across 7 features + E2E hygiene-loop integration)
+- 24 memory-bridge tests (new test file)
+- 60 diff-engine tests (49 + 11 new defensive)
+- All backward-compatible — existing test suites pass without modification
+
+### Backward compatibility
+- All MCP tool parameter additions are optional with safe defaults
+- Existing storage format is unchanged (`hot_load` and `archived` are additive on the entry/status side)
+- No CLI command renamed or removed
+- Default `delimit_ledger_list` response shape preserved (full record by default; `fields="slim"` opts into the 90% payload reduction)
+
 ## [4.4.0] - 2026-04-25
 
 ### Added — Pre-external-PR duplicate guard

package/adapters/cursor-rules.js

@@ -10,6 +10,7 @@
 
 const fs = require('fs');
 const path = require('path');
+const { upsertManagedSection } = require('../lib/managed-section');
 
 // LED-213: Import canonical template for cross-model parity
 const { getDelimitSection } = require('../lib/delimit-template');
@@ -26,14 +27,26 @@ const CURSORRULES_FILE = path.join(HOME, '.cursorrules');
 function installRules(version) {
     const rules = getDelimitRules(version);
 
-    // Install to .cursor/rules/delimit.md (new location, Cursor 0.45+)
+    // Install to .cursor/rules/delimit.md (new location, Cursor 0.45+).
+    // LED-1180 follow-up: use upsertManagedSection so user-customized
+    // content above/below the delimit:start/end markers is preserved.
+    // The previous implementation did fs.writeFileSync(rulesFile, rules)
+    // — full overwrite — which clobbered any user customizations on every
+    // `delimit-cli setup`.
+    let action = 'unchanged';
+    let rulesFile = null;
     if (fs.existsSync(CURSOR_DIR)) {
         fs.mkdirSync(CURSOR_RULES_DIR, { recursive: true });
-        const rulesFile = path.join(CURSOR_RULES_DIR, 'delimit.md');
-        fs.writeFileSync(rulesFile, rules);
+        rulesFile = path.join(CURSOR_RULES_DIR, 'delimit.md');
+        const result = upsertManagedSection(rulesFile, rules, version);
+        action = result.action;
     }
 
-    return { installed: true, paths: [CURSORRULES_FILE, path.join(CURSOR_RULES_DIR, 'delimit.md')] };
+    return {
+        installed: true,
+        action,
+        paths: [CURSORRULES_FILE, path.join(CURSOR_RULES_DIR, 'delimit.md')],
+    };
 }
 
 /**

package/gateway/ai/backends/memory_bridge.py

@@ -19,8 +19,28 @@ def _ensure_dir():
     MEMORY_DIR.mkdir(parents=True, exist_ok=True)
 
 
-def store(content: str, tags: Optional[list] = None, context: Optional[str] = None) -> Dict[str, Any]:
-    """Store a memory entry."""
+def store(
+    content: str,
+    tags: Optional[list] = None,
+    context: Optional[str] = None,
+    hot_load: bool = False,
+) -> Dict[str, Any]:
+    """Store a memory entry.
+
+    LED-1165 Phase 2 #5 PR-A: opt-in `hot_load` flag marks an entry for
+    one-way projection into the Claude Code auto-memory `MEMORY.md` file
+    (managed-section). The projection writer is shipped in PR-B; this PR
+    only persists the flag.
+
+    Args:
+        content: The content to remember.
+        tags: Optional categorization tags.
+        context: Optional context about when/why this was stored.
+        hot_load: When True, mark the entry for projection into the
+            Claude Code MEMORY.md hot-load index. Default False — entries
+            are durable in delimit_memory but not projected. Existing
+            entries are unaffected (treated as hot_load=False).
+    """
     _ensure_dir()
 
     # Generate ID from content hash
@@ -33,12 +53,18 @@ def store(content: str, tags: Optional[list] = None, context: Optional[str] = No
         "tags": tags or [],
         "context": context or "",
         "created_at": ts,
+        "hot_load": bool(hot_load),
     }
 
     path = MEMORY_DIR / f"{mem_id}.json"
     path.write_text(json.dumps(entry, indent=2))
 
-    return {"stored": mem_id, "path": str(path), "created_at": ts}
+    return {
+        "stored": mem_id,
+        "path": str(path),
+        "created_at": ts,
+        "hot_load": bool(hot_load),
+    }
 
 
 def search(query: str, limit: int = 10) -> Dict[str, Any]:
@@ -88,8 +114,197 @@ def get_recent(limit: int = 5) -> Dict[str, Any]:
                 "content": entry.get("content", "")[:500],
                 "tags": entry.get("tags", []),
                 "created_at": entry.get("created_at", ""),
+                "hot_load": bool(entry.get("hot_load", False)),
+            })
+        except Exception:
+            pass
+
+    return {"results": entries, "count": len(entries)}
+
+
+def list_hot(limit: int = 200) -> Dict[str, Any]:
+    """Return all entries marked hot_load=True, newest first.
+
+    LED-1165 Phase 2 #5 PR-A: backing query for the MEMORY.md projection
+    writer that PR-B will introduce. Returned entries are full content
+    (not truncated) so the projection writer can render them faithfully.
+
+    Args:
+        limit: cap on entries returned. Default 200; the projection
+            writer hard-caps the rendered MEMORY.md size so this is
+            mostly belt-and-braces.
+
+    Returns:
+        {
+            "results": [{id, content, tags, context, created_at, hot_load}, ...],
+            "count": int,
+        }
+    """
+    _ensure_dir()
+    entries = []
+
+    for f in sorted(MEMORY_DIR.glob("*.json"), key=lambda p: p.stat().st_mtime, reverse=True):
+        if len(entries) >= limit:
+            break
+        try:
+            entry = json.loads(f.read_text())
+            if not entry.get("hot_load"):
+                continue
+            entries.append({
+                "id": entry.get("id", f.stem),
+                "content": entry.get("content", ""),
+                "tags": entry.get("tags", []),
+                "context": entry.get("context", ""),
+                "created_at": entry.get("created_at", ""),
+                "hot_load": True,
             })
         except Exception:
             pass
 
     return {"results": entries, "count": len(entries)}
+
+
+# ── LED-1165 Phase 2 #5 PR-B: MEMORY.md projection writer ──────────────
+
+# Default target — Claude Code's auto-memory MEMORY.md for the current
+# project (this is where Claude Code reads memory entries on session
+# start). Override via env or function arg for testing / non-default
+# project layouts.
+DEFAULT_MEMORY_MD = Path.home() / ".claude" / "projects" / "-root" / "memory" / "MEMORY.md"
+
+PROJECTION_START_MARKER = "<!-- delimit:start -->"
+PROJECTION_END_MARKER = "<!-- delimit:end -->"
+
+
+def _format_hot_entry_as_markdown(entry: Dict[str, Any]) -> str:
+    """Render one delimit_memory entry as a Markdown bullet for the
+    MEMORY.md hot-load index. Intentionally compact — the index loads
+    into every Claude Code session, so each entry should fit on a
+    line or two."""
+    mid = entry.get("id", "?")
+    content = (entry.get("content") or "").strip()
+    # Single-line the content but cap at ~280 chars so the line stays
+    # readable. Long content stays in delimit_memory; index is just
+    # the hook for Claude to know it exists.
+    one_line = " ".join(content.split())
+    if len(one_line) > 280:
+        one_line = one_line[:277] + "..."
+    tags = entry.get("tags") or []
+    tag_str = (" [tags: " + ", ".join(tags) + "]") if tags else ""
+    ctx = (entry.get("context") or "").strip()
+    ctx_line = f"\n  > {ctx[:200]}" if ctx else ""
+    return f"- **{mid}**{tag_str} — {one_line}{ctx_line}"
+
+
+def _render_managed_block(entries: List[Dict[str, Any]]) -> str:
+    """Render the full managed section (between markers) for the
+    MEMORY.md hot-load index. Includes a one-line preamble explaining
+    the section so anyone editing the file understands what it is."""
+    if not entries:
+        body = (
+            "_No hot-load memory entries. Add one with "
+            "`delimit_memory_store(content=\"...\", hot_load=True)`._\n"
+        )
+    else:
+        bullets = "\n".join(_format_hot_entry_as_markdown(e) for e in entries)
+        body = bullets + "\n"
+
+    # Brief header + body + caveat
+    header = (
+        "## Delimit hot memory (auto-projected from delimit_memory)\n"
+        "\n"
+        f"_Auto-managed by `delimit_memory_index` — projection of {len(entries)} "
+        "entry/entries flagged `hot_load=True`. Edits inside this block are "
+        "overwritten on next projection. Add an entry via "
+        "`delimit_memory_store(content=\"...\", hot_load=True)`._\n"
+        "\n"
+    )
+    return PROJECTION_START_MARKER + "\n" + header + body + PROJECTION_END_MARKER
+
+
+def project_to_memory_md(
+    target_path: Optional[Path] = None,
+    dry_run: bool = False,
+    limit: int = 200,
+) -> Dict[str, Any]:
+    """One-way projection: render hot_load=True entries from delimit_memory
+    into a managed section of Claude Code's MEMORY.md.
+
+    LED-1165 Phase 2 #5 PR-B. Composes PR-A's `list_hot` helper with a
+    managed-section markdown writer. NEVER reads MEMORY.md back into
+    delimit_memory — that's the explicit deliberation rule (Anthropic
+    owns auto-memory's format; we don't risk drift).
+
+    Behavior:
+      - If target_path's file does NOT exist, create it with just the
+        managed section (no other content).
+      - If target_path's file exists and contains markers, replace the
+        section between them. Content outside markers is preserved.
+      - If target_path's file exists but has no markers, APPEND a new
+        managed section to the end. Does NOT touch existing content.
+
+    Args:
+        target_path: where to write. Default DEFAULT_MEMORY_MD.
+        dry_run: True returns the rendered content without writing.
+        limit: cap on entries projected. Default 200 (matches list_hot).
+
+    Returns:
+        {
+            "target": str,
+            "dry_run": bool,
+            "entries": int,
+            "wrote_chars": int (or "would_write_chars"),
+            "had_existing_block": bool,
+            "had_existing_file": bool,
+            "preserved_user_content": bool,
+        }
+    """
+    if target_path is None:
+        target_path = DEFAULT_MEMORY_MD
+
+    target_path = Path(target_path)
+    hot = list_hot(limit=limit)
+    entries = hot.get("results", [])
+
+    block = _render_managed_block(entries)
+
+    had_existing_file = target_path.exists()
+    had_existing_block = False
+    preserved_user_content = False
+
+    if had_existing_file:
+        existing = target_path.read_text()
+        start_idx = existing.find(PROJECTION_START_MARKER)
+        end_idx = existing.find(PROJECTION_END_MARKER)
+        if start_idx != -1 and end_idx != -1 and end_idx > start_idx:
+            had_existing_block = True
+            preserved_user_content = bool(
+                existing[:start_idx].strip() or existing[end_idx + len(PROJECTION_END_MARKER):].strip()
+            )
+            new_content = (
+                existing[:start_idx]
+                + block
+                + existing[end_idx + len(PROJECTION_END_MARKER):]
+            )
+        else:
+            # No markers — append to end, preserving everything above
+            preserved_user_content = bool(existing.strip())
+            sep = "" if existing.endswith("\n\n") else ("\n" if existing.endswith("\n") else "\n\n")
+            new_content = existing + sep + block + "\n"
+    else:
+        # Brand new file — just the managed section
+        new_content = block + "\n"
+
+    if not dry_run:
+        target_path.parent.mkdir(parents=True, exist_ok=True)
+        target_path.write_text(new_content)
+
+    return {
+        "target": str(target_path),
+        "dry_run": dry_run,
+        "entries": len(entries),
+        "wrote_chars" if not dry_run else "would_write_chars": len(new_content),
+        "had_existing_block": had_existing_block,
+        "had_existing_file": had_existing_file,
+        "preserved_user_content": preserved_user_content,
+    }

package/gateway/ai/backends/tools_infra.py

@@ -65,11 +65,18 @@ _CREDENTIAL_FALSE_POSITIVES = re.compile(
     r"-demo['\"]|"
     # Function-call RHS (reading from parsed JSON, env, getters, slicing strings)
     r"json\.loads|\.read_text\(|\.slice\(|"
-    r"tokens\.get\(|token\s*=\s*_make_token|"
+    r"\w+\.get\(|token\s*=\s*_make_token|"
     # RHS that is a parameter reference like token=tokens.get("access_token"...
-    r"=\s*tokens\.get\(|"
+    r"=\s*\w+\.get\(|"
     # Dict index dereference: token_data["token"], result["secret"], etc.
-    r"_data\[|_result\[)",
+    r"_data\[|_result\[|"
+    # Bare `if not <var>:` and similar control-flow lines that mention
+    # the credential variable name but contain no value.
+    r"if\s+not\s+\w+:|"
+    # Python control-flow block-opener: a colon immediately followed by
+    # a newline (no quoted value on the same line). Such a colon is an
+    # if/while/def/class block-opener, not a key-value separator.
+    r":\s*\n)",
     re.IGNORECASE,
 )
 

package/gateway/ai/content_grounding/consume.py

@@ -192,7 +192,7 @@ def unreleased_feature_detector(
                 if token in feats:
                     continue
                 # Don't spam: only flag once per token per text.
-                if token not in unknown_specifics and len(token) > 8 and "-" in token:
+                if token not in unknown_specifics and len(token) > 8 and "-" in token:  # nosec B-secret-detection: `token` here is a Python variable holding one word from the text being grounded, not a credential
                     unknown_specifics.append(token)
 
     # If we have no whitelist and triggers fired, flag regardless — the

package/gateway/ai/inbox_drafts/__init__.py

@@ -0,0 +1,61 @@
+"""Inbox drafts registry — LED-1129 Phase 1.
+
+Foundation for the autonomous-executor that closes the email→action loop.
+Phase 1 (this module): schema, canonicalization, HMAC binding, SQLite registry.
+NO behavior change — drafts get registered + signed; nobody consumes them yet.
+Phase 2 will add the separate-process executor that reads this registry.
+
+See docs/inbox_executor_v1.md for the canonicalization + state-machine spec.
+"""
+
+from ai.inbox_drafts.schema import (
+    DEFAULT_TTL_SECONDS,
+    HMAC_KEY_PATH,
+    DraftKind,
+    DraftStatus,
+    SignedDraft,
+    canonicalize,
+    content_hash,
+    new_draft_id,
+    sign_draft,
+    verify_draft,
+)
+from ai.inbox_drafts.registry import (
+    DEFAULT_DB_PATH,
+    DraftRow,
+    expire_pending,
+    find_draft_by_led_ref,
+    get_draft,
+    insert_draft,
+    list_attempts,
+    list_drafts,
+    migrate,
+    record_attempt,
+    transition,
+)
+
+__all__ = [
+    # schema
+    "DEFAULT_TTL_SECONDS",
+    "HMAC_KEY_PATH",
+    "DraftKind",
+    "DraftStatus",
+    "SignedDraft",
+    "canonicalize",
+    "content_hash",
+    "new_draft_id",
+    "sign_draft",
+    "verify_draft",
+    # registry
+    "DEFAULT_DB_PATH",
+    "DraftRow",
+    "expire_pending",
+    "find_draft_by_led_ref",
+    "get_draft",
+    "insert_draft",
+    "list_attempts",
+    "list_drafts",
+    "migrate",
+    "record_attempt",
+    "transition",
+]