delimit-cli 4.5.0 → 4.5.1

package/CHANGELOG.md

@@ -1,6 +1,27 @@
 # Changelog
 
 
+## [4.5.1] - 2026-04-28
+
+### Security — attestation `canonicalize()` strengthened (LED-1180)
+
+The `canonicalize()` helper used to derive attestation IDs and HMAC signatures was passing `Object.keys(bundle).sort()` as the second argument to `JSON.stringify`. JSON.stringify treats that argument as a property **allowlist**, not a sort order, and the allowlist contained only top-level keys — so nested objects serialised as `{}` and the HMAC committed only to the bundle's top-level shape.
+
+Practical effect: a bundle with `{governance: {violations: ["safe"]}}` and one with `{governance: {violations: ["malicious"]}}` produced **identical signatures**. Tampering nested fields was undetectable through signature verification.
+
+**This release replaces canonicalize with a proper recursive sorted-key serializer.** Old (v4.3 – v4.5.0) attestations remain readable but verify with the new canonicalize and will report `signature_mismatch`. New attestations produced by v4.5.1+ commit to the full content of the bundle.
+
+- `lib/wrap-engine.js` — fixed `canonicalize()`, exported it for reuse
+- `lib/trust-page-engine.js` — verifier now imports the corrected canonicalize
+- `tests/v43-wrap-engine.test.js` — added LED-1180 regression: tampering a nested field MUST change the signature; if it doesn't, canonicalize is silently dropping nested keys
+- `tests/v43-trust-page-engine.test.js` — test fixtures sign with the corrected canonicalize
+
+If you have a corpus of v4.5.0 or earlier attestations and need them re-signed under the new primitive, the migration tool is on the LED-1180 follow-up. For most users, attestations are short-lived merge-decision artifacts and re-signing is unnecessary.
+
+### Other
+
+- (Internal) LED-1175 + LED-1177 MVP shipped in `delimit-private`: signed deliberation attestations + Scanner Input v0 schema. Public docs: [delimit.ai/docs/scanner-input](https://delimit.ai/docs/scanner-input), [delimit.ai/docs/vs-bugcrawl](https://delimit.ai/docs/vs-bugcrawl). No customer-facing CLI changes in 4.5.1.
+
 ## [4.5.0] - 2026-04-27
 
 ### Added — Ledger hygiene toolkit (LED-1145, 7 PRs)

package/adapters/cursor-rules.js

@@ -10,6 +10,7 @@
 
 const fs = require('fs');
 const path = require('path');
+const { upsertManagedSection } = require('../lib/managed-section');
 
 // LED-213: Import canonical template for cross-model parity
 const { getDelimitSection } = require('../lib/delimit-template');
@@ -26,14 +27,26 @@ const CURSORRULES_FILE = path.join(HOME, '.cursorrules');
 function installRules(version) {
     const rules = getDelimitRules(version);
 
-    // Install to .cursor/rules/delimit.md (new location, Cursor 0.45+)
+    // Install to .cursor/rules/delimit.md (new location, Cursor 0.45+).
+    // LED-1180 follow-up: use upsertManagedSection so user-customized
+    // content above/below the delimit:start/end markers is preserved.
+    // The previous implementation did fs.writeFileSync(rulesFile, rules)
+    // — full overwrite — which clobbered any user customizations on every
+    // `delimit-cli setup`.
+    let action = 'unchanged';
+    let rulesFile = null;
     if (fs.existsSync(CURSOR_DIR)) {
         fs.mkdirSync(CURSOR_RULES_DIR, { recursive: true });
-        const rulesFile = path.join(CURSOR_RULES_DIR, 'delimit.md');
-        fs.writeFileSync(rulesFile, rules);
+        rulesFile = path.join(CURSOR_RULES_DIR, 'delimit.md');
+        const result = upsertManagedSection(rulesFile, rules, version);
+        action = result.action;
     }
 
-    return { installed: true, paths: [CURSORRULES_FILE, path.join(CURSOR_RULES_DIR, 'delimit.md')] };
+    return {
+        installed: true,
+        action,
+        paths: [CURSORRULES_FILE, path.join(CURSOR_RULES_DIR, 'delimit.md')],
+    };
 }
 
 /**

package/lib/managed-section.js

@@ -0,0 +1,92 @@
+// lib/managed-section.js
+//
+// Shared upsertDelimitSection helper. Used by:
+//   bin/delimit-setup.js — for ~/CLAUDE.md, ~/.codex/instructions.md, ~/.cursorrules
+//   adapters/cursor-rules.js — for ~/.cursor/rules/delimit.md
+//
+// NEVER clobbers user-authored content outside the markers. Behavior:
+//   - File missing → create with just the managed section.
+//   - File has markers → replace only the region between them (user content
+//     above/below preserved).
+//   - File has no markers → append the managed section at the bottom (user
+//     content at top preserved).
+//
+// History (institutional memory; do NOT change marker semantics without
+// understanding these incidents):
+//   - v4.1.47: previous heuristic replaced the whole file whenever it
+//     detected "old Delimit content" — destroyed founder-customized
+//     CLAUDE.md files on every upgrade.
+//   - v4.1.49: unanchored marker regex matched markers inside quoted
+//     prose (backticks, bullets, blockquotes) — clobbered /root/CLAUDE.md.
+//     The current regex is anchored with the multiline flag so markers
+//     MUST be on their own line. Optional leading horizontal whitespace
+//     [ \t]* permits genuinely indented markers but NOT prose-leading
+//     characters like "- ", "> ", "`", "*".
+//
+// Returns: { action: 'created' | 'updated' | 'unchanged' | 'appended' }
+
+const fs = require('fs');
+const path = require('path');
+
+function loadPackageVersion() {
+    try {
+        const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json'), 'utf-8'));
+        return pkg.version || '0.0.0';
+    } catch {
+        return '0.0.0';
+    }
+}
+
+/**
+ * Upsert the Delimit section in a file using <!-- delimit:start v<version> -->
+ * and <!-- delimit:end --> markers.
+ *
+ * @param {string} filePath - Absolute path to the target file.
+ * @param {string} newSection - The full managed-section text (including markers).
+ * @param {string} [version] - Version string for staleness check. Defaults to package.json.
+ * @returns {{action: 'created'|'updated'|'unchanged'|'appended'}}
+ */
+function upsertManagedSection(filePath, newSection, version) {
+    if (!version) version = loadPackageVersion();
+
+    if (!fs.existsSync(filePath)) {
+        fs.writeFileSync(filePath, newSection + '\n');
+        return { action: 'created' };
+    }
+
+    const rawExisting = fs.readFileSync(filePath, 'utf-8');
+    // Strip a UTF-8 BOM if present so the start-of-line anchor still matches
+    // the very first line of the file. We write back the stripped form to keep
+    // serialization deterministic.
+    const existing = rawExisting.replace(/^/, '');
+
+    const startMarkerRe = /^[ \t]*<!-- delimit:start[^>]*-->[ \t]*$/m;
+    const endMarkerRe = /^[ \t]*<!-- delimit:end -->[ \t]*$/m;
+    const startMatch = existing.match(startMarkerRe);
+    const endMatch = existing.match(endMarkerRe);
+
+    if (startMatch && endMatch) {
+        // Extract current version from the marker (also anchored, allows indent)
+        const versionMatch = existing.match(/^[ \t]*<!-- delimit:start v([^ ]+) -->[ \t]*$/m);
+        const currentVersion = versionMatch ? versionMatch[1] : '';
+        if (currentVersion === version) {
+            return { action: 'unchanged' };
+        }
+        // Replace only the managed region — preserve content above/below
+        const startIdx = startMatch.index;
+        const endIdx = endMatch.index + endMatch[0].length;
+        const before = existing.substring(0, startIdx);
+        const after = existing.substring(endIdx);
+        fs.writeFileSync(filePath, before + newSection + after);
+        return { action: 'updated' };
+    }
+
+    // No markers present — append the managed section at the bottom.
+    // User content above is preserved verbatim. Markers get added so future
+    // upgrades can update just the managed region.
+    const separator = existing.endsWith('\n') ? '\n' : '\n\n';
+    fs.writeFileSync(filePath, existing + separator + newSection + '\n');
+    return { action: 'appended' };
+}
+
+module.exports = { upsertManagedSection, loadPackageVersion };

package/lib/trust-page-engine.js

@@ -10,6 +10,7 @@ const crypto = require('crypto');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const { canonicalize } = require('./wrap-engine');
 
 function loadHmacKey() {
     const keyPath = path.join(os.homedir(), '.delimit', 'wrap-hmac.key');
@@ -20,8 +21,11 @@ function loadHmacKey() {
 function verifySignature(attestation, key) {
     if (!key) return 'unverifiable';
     try {
-        const canonical = JSON.stringify(attestation.bundle, Object.keys(attestation.bundle).sort());
-        const expected = crypto.createHmac('sha256', key).update(canonical).digest('hex');
+        // LED-1180: must use the same recursive sorted-key canonicalize
+        // as wrap-engine; using JSON.stringify(.., keys.sort()) here
+        // would treat the array as an allowlist and serialise nested
+        // fields as {}, matching the old broken signature trivially.
+        const expected = crypto.createHmac('sha256', key).update(canonicalize(attestation.bundle)).digest('hex');
         return expected === attestation.signature ? 'verified' : 'signature_mismatch';
     } catch {
         return 'verify_error';

package/lib/wrap-engine.js

@@ -138,9 +138,26 @@ function runTestSmoke(cwd) {
 // Attestation bundling + signing
 // ----------------------------------------------------------------------------
 
+// LED-1180: deterministic canonical JSON. Recursively sorts object keys
+// at every depth. Earlier implementations passed the second argument of
+// JSON.stringify as `Object.keys(bundle).sort()`, which JSON.stringify
+// treats as a property ALLOWLIST (not a sort order), filtered to
+// top-level keys. The result was that nested objects serialised as
+// `{}` and the HMAC committed only to the top-level shape — meaning a
+// bad actor could change `bundle.governance.violations` or any nested
+// field without invalidating the signature. Fixed in v4.5.1 hotfix.
+// Verifier must use the same canonicalize to match.
+function canonicalize(value) {
+    if (value === null || typeof value !== 'object') return JSON.stringify(value);
+    if (Array.isArray(value)) {
+        return '[' + value.map(canonicalize).join(',') + ']';
+    }
+    const keys = Object.keys(value).sort();
+    return '{' + keys.map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
+}
+
 function computeAttestationId(bundle) {
-    const canonical = JSON.stringify(bundle, Object.keys(bundle).sort());
-    const hash = crypto.createHash('sha256').update(canonical).digest('hex');
+    const hash = crypto.createHash('sha256').update(canonicalize(bundle)).digest('hex');
     return 'att_' + hash.slice(0, 16);
 }
 
@@ -157,8 +174,7 @@ function loadOrCreateHmacKey() {
 
 function signAttestation(bundle) {
     const key = loadOrCreateHmacKey();
-    const canonical = JSON.stringify(bundle, Object.keys(bundle).sort());
-    return crypto.createHmac('sha256', key).update(canonical).digest('hex');
+    return crypto.createHmac('sha256', key).update(canonicalize(bundle)).digest('hex');
 }
 
 // ----------------------------------------------------------------------------
@@ -442,6 +458,7 @@ async function runWrap(rawCmd, options = {}) {
 
 module.exports = {
     runWrap,
+    canonicalize,
     computeAttestationId,
     signAttestation,
     checkQuota,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "delimit-cli",
   "mcpName": "io.github.delimit-ai/delimit-mcp-server",
-  "version": "4.5.0",
+  "version": "4.5.1",
   "description": "Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, governance, and multi-model debate.",
   "main": "index.js",
   "files": [