delimit-cli 4.5.0 → 4.5.2

package/CHANGELOG.md

@@ -1,6 +1,114 @@
 # Changelog
 
 
+## [4.5.2] - 2026-05-02
+
+### Hardened — `postinstall.js` never-block-install guard (LED-1188)
+
+`scripts/postinstall.js` is now wrapped in a top-level guard that ensures no
+postinstall failure mode can ever block `npm install delimit-cli`. Per the
+customer-protection rule, npm publish is a production deploy and a postinstall
+crash on a paying Pro user's machine is a customer-facing incident regardless
+of root cause.
+
+Failure modes now hardened:
+- **EROFS / EACCES / EPERM / EPIPE on stdout** — every banner write is wrapped
+  in a try/catch (some sandbox installers redirect stdout to a read-only pipe).
+- **Network unreachable / DNS fail / TLS error / proxy reject** — the
+  telemetry HTTPS request silent-fails at every layer (`req.on('error')`,
+  `req.on('timeout')`, outer try/catch).
+- **Missing or unreadable `package.json`** — graceful no-op; lets the install
+  complete so `delimit doctor` can diagnose the partial-install state.
+- **`uncaughtException` propagation** — outermost guard swallows any
+  synchronous throw from the IIFE so the npm process always sees exit 0.
+- **Idempotency** — re-running install is a no-op; the postinstall does not
+  write to `~/.delimit/` (that's `bin/delimit-setup.js`).
+- **`DELIMIT_NO_TELEMETRY=1|true|yes`** kill switch honored (case-insensitive).
+
+Regression coverage: `tests/postinstall-hardening.test.js` (6 tests) locks the
+contract.
+
+### Added — `lib/delimit-home.js` env-var unification (LED-1188)
+
+Single source of truth for resolving the Delimit private-state directory. Replaces
+~37 hardcoded `path.join(os.homedir(), '.delimit')` sites across the CLI surface.
+
+Resolution order:
+1. `$DELIMIT_HOME` (preferred — explicit, easy to reason about)
+2. `$DELIMIT_NAMESPACE_ROOT` (gateway-compat fallback)
+3. `<homedir>/.delimit` (default)
+
+Both helpers re-resolve on every call so tests can mutate `process.env` between
+calls without module-cache invalidation. Public API:
+
+```js
+const { delimitHome, homeSubpath } = require('delimit-cli/lib/delimit-home');
+const ledger = homeSubpath('ledger');  // shorthand for path.join(delimitHome(), 'ledger')
+```
+
+Regression coverage: `tests/delimit-home.test.js` (9 tests).
+
+### Carry — STR-656 `delimit attest mcp` v1 (PRs #73, #74, #76, #77)
+
+The four mcp-server PRs already merged into main are carried to npm in this
+release. No customer-facing change beyond what those PRs documented:
+
+- **#73** — `delimit attest mcp` panel-verdict behavior locks (Q1–Q6):
+  live MCP-protocol-conformance probe, 3-tier exit codes, `--output` /
+  `--no-write` flags, EROFS soft-fail on the preview JSON write, telemetry
+  counter with `DELIMIT_NO_TELEMETRY` kill switch, top-level runtime guard.
+  `--write` is now deprecated alias for `--output` (will be removed in v4.7).
+- **#74** — `delimit setup` template + `package.json` files-array gate
+  `gateway/ai/self_repair/` and `self_repair_daemon.py` as gateway-only.
+- **#76** — Template reframe of the operating-model rule per swarm-executor
+  panel verdict.
+- **#77** — `package.json` files-array gate `gateway/ai/corp_dashboard.py`
+  as gateway-only.
+
+Regression coverage: `tests/attest-mcp.test.js` (10 tests, now in the npm
+test script — was previously orphaned).
+
+### Bundle — proprietary gating extended
+
+`package.json` files-array now excludes three additional gateway-internal
+modules from the npm bundle (per the npm-bundle proprietary-gating rule —
+these are not customer-shipping CLI surfaces):
+
+- `!gateway/ai/content_grounding/` — LED-1084 grounding layer
+- `!gateway/ai/inbox_drafts/` — LED-1129 SQLite draft registry
+- `!gateway/ai/inbox_executor.py` — LED-1134 inbox executor
+
+These remain gateway-only; they are imported only by gateway daemons and have
+no public CLI surface.
+
+### Backward compatibility
+
+- No MCP tool signature changes
+- No CLI command renamed or removed
+- No storage format change
+- All previously-passing tests still pass; 25 new tests added (171 → 196)
+
+## [4.5.1] - 2026-04-28
+
+### Security — attestation `canonicalize()` strengthened (LED-1180)
+
+The `canonicalize()` helper used to derive attestation IDs and HMAC signatures was passing `Object.keys(bundle).sort()` as the second argument to `JSON.stringify`. JSON.stringify treats that argument as a property **allowlist**, not a sort order, and the allowlist contained only top-level keys — so nested objects serialised as `{}` and the HMAC committed only to the bundle's top-level shape.
+
+Practical effect: a bundle with `{governance: {violations: ["safe"]}}` and one with `{governance: {violations: ["malicious"]}}` produced **identical signatures**. Tampering nested fields was undetectable through signature verification.
+
+**This release replaces canonicalize with a proper recursive sorted-key serializer.** Old (v4.3 – v4.5.0) attestations remain readable but verify with the new canonicalize and will report `signature_mismatch`. New attestations produced by v4.5.1+ commit to the full content of the bundle.
+
+- `lib/wrap-engine.js` — fixed `canonicalize()`, exported it for reuse
+- `lib/trust-page-engine.js` — verifier now imports the corrected canonicalize
+- `tests/v43-wrap-engine.test.js` — added LED-1180 regression: tampering a nested field MUST change the signature; if it doesn't, canonicalize is silently dropping nested keys
+- `tests/v43-trust-page-engine.test.js` — test fixtures sign with the corrected canonicalize
+
+If you have a corpus of v4.5.0 or earlier attestations and need them re-signed under the new primitive, the migration tool is on the LED-1180 follow-up. For most users, attestations are short-lived merge-decision artifacts and re-signing is unnecessary.
+
+### Other
+
+- (Internal) LED-1175 + LED-1177 MVP shipped in `delimit-private`: signed deliberation attestations + Scanner Input v0 schema. Public docs: [delimit.ai/docs/scanner-input](https://delimit.ai/docs/scanner-input), [delimit.ai/docs/vs-bugcrawl](https://delimit.ai/docs/vs-bugcrawl). No customer-facing CLI changes in 4.5.1.
+
 ## [4.5.0] - 2026-04-27
 
 ### Added — Ledger hygiene toolkit (LED-1145, 7 PRs)

package/README.md

@@ -5,8 +5,8 @@
 Wrap any AI coding assistant (Claude Code, Codex, Cursor, Gemini CLI) with a governance chain that runs your gates, records what changed, and signs a replayable receipt for every merge.
 
 [![npm](https://img.shields.io/npm/v/delimit-cli)](https://www.npmjs.com/package/delimit-cli)
-[![Tests](https://img.shields.io/badge/tests-165%20passing-brightgreen)](https://github.com/delimit-ai/delimit-mcp-server)
-[![GitHub Action](https://img.shields.io/badge/GitHub%20Action-v1.6.0-blue)](https://github.com/marketplace/actions/delimit-api-governance)
+[![Tests](https://img.shields.io/badge/tests-1640%2B%20passing-brightgreen)](https://github.com/delimit-ai/delimit-mcp-server)
+[![GitHub Action](https://img.shields.io/badge/GitHub%20Action-latest-blue)](https://github.com/marketplace/actions/delimit-api-governance)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
 [![Glama](https://glama.ai/mcp/servers/delimit-ai/delimit/badge)](https://glama.ai/mcp/servers/delimit-ai/delimit)
 

package/adapters/cursor-rules.js

@@ -10,6 +10,7 @@
 
 const fs = require('fs');
 const path = require('path');
+const { upsertManagedSection } = require('../lib/managed-section');
 
 // LED-213: Import canonical template for cross-model parity
 const { getDelimitSection } = require('../lib/delimit-template');
@@ -26,14 +27,26 @@ const CURSORRULES_FILE = path.join(HOME, '.cursorrules');
 function installRules(version) {
     const rules = getDelimitRules(version);
 
-    // Install to .cursor/rules/delimit.md (new location, Cursor 0.45+)
+    // Install to .cursor/rules/delimit.md (new location, Cursor 0.45+).
+    // LED-1180 follow-up: use upsertManagedSection so user-customized
+    // content above/below the delimit:start/end markers is preserved.
+    // The previous implementation did fs.writeFileSync(rulesFile, rules)
+    // — full overwrite — which clobbered any user customizations on every
+    // `delimit-cli setup`.
+    let action = 'unchanged';
+    let rulesFile = null;
     if (fs.existsSync(CURSOR_DIR)) {
         fs.mkdirSync(CURSOR_RULES_DIR, { recursive: true });
-        const rulesFile = path.join(CURSOR_RULES_DIR, 'delimit.md');
-        fs.writeFileSync(rulesFile, rules);
+        rulesFile = path.join(CURSOR_RULES_DIR, 'delimit.md');
+        const result = upsertManagedSection(rulesFile, rules, version);
+        action = result.action;
     }
 
-    return { installed: true, paths: [CURSORRULES_FILE, path.join(CURSOR_RULES_DIR, 'delimit.md')] };
+    return {
+        installed: true,
+        action,
+        paths: [CURSORRULES_FILE, path.join(CURSOR_RULES_DIR, 'delimit.md')],
+    };
 }
 
 /**

package/bin/delimit-cli.js

@@ -11,6 +11,7 @@ const inquirer = require('inquirer');
 const DelimitAuthSetup = require('../lib/auth-setup');
 const DelimitHooksInstaller = require('../lib/hooks-installer');
 const crossModelHooks = require('../lib/cross-model-hooks');
+const { delimitHome, homeSubpath } = require('../lib/delimit-home');
 const {
     resolveContinuityContext,
     formatContinuityReport,
@@ -58,8 +59,8 @@ function normalizeNaturalLanguageArgs(argv) {
     const raw = argv.slice(2);
     if (raw.length === 0) {
         // First-run detection: if no ~/.delimit exists, show welcome flow
-        const delimitHome = path.join(os.homedir(), '.delimit');
-        if (!fs.existsSync(delimitHome) || !fs.existsSync(path.join(delimitHome, 'server'))) {
+        const home = delimitHome();
+        if (!fs.existsSync(home) || !fs.existsSync(path.join(home, 'server'))) {
             return ['scan'];  // lowest friction entry point for new users
         }
         return resolveRepoRoot(process.cwd()) ? ['session', '--inspect'] : ['session', '--all'];
@@ -1093,8 +1094,7 @@ program
     .option('--dry-run', 'Preview what would be removed without making changes')
     .action(async (options) => {
         const dryRun = options.dryRun;
-        const HOME = process.env.HOME;
-        const backupDir = path.join(HOME, '.delimit', 'backups', `uninstall-${Date.now()}`);
+        const backupDir = homeSubpath('backups', `uninstall-${Date.now()}`);
         const changes = [];
 
         if (dryRun) {
@@ -1349,8 +1349,7 @@ program
 
 // Helper function for installation
 async function installDelimit(mode, scope, hooksType = 'all') {
-    const HOME = process.env.HOME;
-    const DELIMIT_HOME = path.join(HOME, '.delimit');
+    const DELIMIT_HOME = delimitHome();
     
     // Create directories
     ['bin', 'hooks', 'shims', 'config', 'audit', 'credentials'].forEach(dir => {
@@ -2554,7 +2553,7 @@ program
     .action(async () => {
         console.log(chalk.bold('\n  Delimit — Resume Work\n'));
 
-        const DELIMIT_HOME = path.join(os.homedir(), '.delimit');
+        const DELIMIT_HOME = delimitHome();
 
         // 1. Last session handoff
         const sessionsDir = path.join(DELIMIT_HOME, 'sessions');
@@ -3285,10 +3284,10 @@ program
     .option('--format <fmt>', 'Output format: md, json, html', 'md')
     .option('--output <file>', 'Write report to file instead of stdout')
     .action(async (options) => {
-        const delimitHome = path.join(os.homedir(), '.delimit');
-        const evidenceDir = path.join(delimitHome, 'evidence');
-        const ledgerDir = path.join(delimitHome, 'ledger');
-        const memoryDir = path.join(delimitHome, 'memory');
+        const home = delimitHome();
+        const evidenceDir = path.join(home, 'evidence');
+        const ledgerDir = path.join(home, 'ledger');
+        const memoryDir = path.join(home, 'memory');
 
         // Parse duration into milliseconds
         function parseDuration(dur) {
@@ -4906,6 +4905,94 @@ program
         }
     });
 
+// STR-656 — `delimit attest mcp` local-preview command (no public attestation,
+// no badge, no publish). Per the methodology gate (STR-657) the public signed-
+// attestation surface is locked until: 30d methodology visibility +
+// 14d CLI shipped + 5+ merge-gate pilot reference accounts + incident-
+// response process documented. This command exists so maintainers can
+// run the methodology checks locally and see the preview report shape.
+program
+    .command('attest <kind>')
+    .description('Run a Delimit attestation methodology check locally (preview only).  kind: mcp')
+    .option('--path <dir>', 'Path to repo (default: cwd)')
+    .option('--json', 'Emit machine-readable JSON instead of the text preview')
+    .option('--output <file>', 'Write the preview JSON to a file (default: .delimit/attestation-preview.json)')
+    .option('--write <file>', '(deprecated) alias for --output')
+    .option('--no-write', 'Do not write the preview JSON to disk')
+    .action(async (kind, opts) => {
+        const { recordTelemetry } = require('../lib/attest-telemetry');
+        // --write is the deprecated alias for --output. Emit a one-line
+        // notice so users migrate before we remove it. (Panel verdict on
+        // STR-656 pre-push gate, 2026-04-30: retire the alias in v4.7.)
+        if (opts.write && typeof opts.write === 'string' && !opts.output) {
+            console.error(chalk.yellow(
+                '  [deprecation] --write is deprecated; use --output instead. (will be removed in v4.7)'
+            ));
+        }
+        if (kind !== 'mcp') {
+            console.log(chalk.yellow(`  Unknown attestation kind: ${kind}`));
+            console.log(chalk.gray('  Supported kinds (v1): mcp'));
+            console.log(chalk.gray('  pr-review and release attestations land in a follow-up.'));
+            recordTelemetry({ kind, outcome: 'unknown_kind' });
+            process.exitCode = 2;
+            return;
+        }
+        const { runAttestMcp, renderPreview } = require('../lib/attest-mcp');
+        let report;
+        try {
+            report = await runAttestMcp({ path: opts.path });
+        } catch (e) {
+            console.log(chalk.red(`  attest mcp crashed: ${e.message}`));
+            recordTelemetry({ kind: 'mcp', outcome: 'runner_crash', error: e.message });
+            process.exitCode = 2;
+            return;
+        }
+        if (report.error) {
+            console.log(chalk.red(`  ${report.error}`));
+            recordTelemetry({ kind: 'mcp', outcome: 'runner_error', error: report.error });
+            process.exitCode = 2;
+            return;
+        }
+        if (opts.json) {
+            console.log(JSON.stringify(report, null, 2));
+        } else {
+            console.log(renderPreview(report));
+        }
+        // Write the JSON report unless --no-write was given. --output wins,
+        // --write is the deprecated alias kept for ≥1 minor cycle.
+        if (opts.write !== false) {
+            const outPath = opts.output || opts.write ||
+                path.join(report.repo.path, '.delimit', 'attestation-preview.json');
+            try {
+                fs.mkdirSync(path.dirname(outPath), { recursive: true });
+                fs.writeFileSync(outPath, JSON.stringify(report, null, 2) + '\n');
+                if (!opts.json) console.log(chalk.gray(`  Preview JSON: ${outPath}\n`));
+            } catch (e) {
+                // Soft-fail: a read-only filesystem (EROFS) or permissions
+                // issue must NOT elevate the exit code — the report itself
+                // is on stdout already.
+                if (!opts.json) {
+                    console.log(chalk.yellow(`  could not write preview JSON (${e.code || 'IO'}): ${e.message}`));
+                }
+            }
+        }
+        // 3-tier exit codes (panel verdict on STR-656 scaffold review):
+        //   0 — pass + skip (no policy failure, no tool error)
+        //   1 — at least one check returned fail (policy violation)
+        //   2 — at least one check returned error (tool unavailable / unreadable input)
+        // Skips do NOT raise the exit code; they are evidence states, not failures.
+        const anyFail = report.checks.some((c) => c.status === 'fail');
+        const anyError = report.checks.some((c) => c.status === 'error');
+        const exitCode = anyFail ? 1 : (anyError ? 2 : 0);
+        recordTelemetry({
+            kind: 'mcp',
+            outcome: ['pass', 'fail', 'error'][exitCode],
+            methodology_version: report.methodology_version,
+            check_summary: report.checks.map((c) => `${c.id}:${c.status}`).join(','),
+        });
+        process.exitCode = exitCode;
+    });
+
 // CI command — generate GitHub Action workflow
 program
     .command('ci')
@@ -5477,8 +5564,7 @@ program
     .command('activate <key>')
     .description('Activate a Delimit Pro license key')
     .action(async (key) => {
-        const os = require('os');
-        const licenseDir = path.join(os.homedir(), '.delimit');
+        const licenseDir = delimitHome();
         const licensePath = path.join(licenseDir, 'license.json');
 
         if (!key || key.length < 10) {
@@ -5766,8 +5852,7 @@ program
             console.log(`Question: ${chalk.bold(question)}\n`);
 
             // Try to run deliberation directly via the gateway
-            const HOME = process.env.HOME || require('os').homedir();
-            const gatewayScript = path.join(HOME, '.delimit', 'server', 'ai', 'deliberation.py');
+            const gatewayScript = homeSubpath('server', 'ai', 'deliberation.py');
             const scriptPath = fs.existsSync(gatewayScript) ? gatewayScript : null;
 
             if (scriptPath) {
@@ -5809,7 +5894,7 @@ if result.get('summary'):
             }
 
             // Save pending deliberation to file for reference
-            const deliberationDir = path.join(HOME, '.delimit', 'deliberation');
+            const deliberationDir = homeSubpath('deliberation');
             fs.mkdirSync(deliberationDir, { recursive: true });
             const pending = {
                 question,
@@ -5848,8 +5933,8 @@ if result.get('summary'):
 // Models command: BYOK deliberation key management wizard
 // ---------------------------------------------------------------------------
 
-const MODELS_CONFIG_PATH = path.join(os.homedir(), '.delimit', 'models.json');
-const DELIBERATION_USAGE_PATH = path.join(os.homedir(), '.delimit', 'deliberation_usage.json');
+const MODELS_CONFIG_PATH = homeSubpath('models.json');
+const DELIBERATION_USAGE_PATH = homeSubpath('deliberation_usage.json');
 
 const DEFAULT_MODELS = {
     grok: { enabled: false, api_key: '', model: 'grok-4-0709', name: 'Grok 4' },
@@ -6199,7 +6284,7 @@ program
 program
     .command('trust-page')
     .description('Render attestations into a public trust page (static HTML + JSON feed)')
-    .option('-d, --dir <path>', 'Attestation directory', path.join(os.homedir(), '.delimit', 'attestations'))
+    .option('-d, --dir <path>', 'Attestation directory', homeSubpath('attestations'))
     .option('-o, --out <path>', 'Output directory', './trust-page')
     .option('-t, --title <title>', 'Trust page title', 'Trust Page')
     .option('--json', 'Output result as JSON', false)
@@ -6229,7 +6314,7 @@ program
 program
     .command('ai-sbom')
     .description('Build a CycloneDX-AI bill of materials from attestations')
-    .option('-d, --dir <path>', 'Attestation directory', path.join(os.homedir(), '.delimit', 'attestations'))
+    .option('-d, --dir <path>', 'Attestation directory', homeSubpath('attestations'))
     .option('-o, --out <path>', 'Output file', './ai-sbom.json')
     .option('-n, --name <name>', 'BOM subject name', 'ai-sbom')
     .option('-v, --package-version <v>', 'BOM subject version', '1.0.0')
@@ -6292,7 +6377,7 @@ program
             console.log("\nUse " + chalk.cyan("delimit vault list") + " to see configured secrets.");
         } else if (action === "list") {
             console.log(chalk.bold("Configured Secrets:"));
-            const secretsDir = path.join(os.homedir(), '.delimit', 'secrets');
+            const secretsDir = homeSubpath('secrets');
             if (fs.existsSync(secretsDir)) {
                 const files = fs.readdirSync(secretsDir).filter(f => f.endsWith('.json') && !f.startsWith('.'));
                 if (files.length === 0) {
@@ -6314,7 +6399,7 @@ program
                 console.log(chalk.dim("  Example: delimit vault set OPENAI_API_KEY"));
                 process.exit(1);
             }
-            const secretsDir = path.join(os.homedir(), '.delimit', 'secrets');
+            const secretsDir = homeSubpath('secrets');
             fs.mkdirSync(secretsDir, { recursive: true });
             const filePath = path.join(secretsDir, `${name}.json`);
             const existing = fs.existsSync(filePath);
@@ -6338,7 +6423,7 @@ program
                 console.log(chalk.red("Usage: delimit vault reveal <NAME>"));
                 process.exit(1);
             }
-            const secretsDir = path.join(os.homedir(), '.delimit', 'secrets');
+            const secretsDir = homeSubpath('secrets');
             const filePath = path.join(secretsDir, `${name}.json`);
             if (!fs.existsSync(filePath)) {
                 console.log(chalk.red(`  Secret "${name}" not found.`));
@@ -6399,7 +6484,7 @@ program
 // Memory commands: remember, recall, forget
 // ---------------------------------------------------------------------------
 
-const MEMORY_DIR = path.join(os.homedir(), '.delimit', 'memory');
+const MEMORY_DIR = homeSubpath('memory');
 const MEMORY_FILE = path.join(MEMORY_DIR, 'memories.jsonl');
 
 const KNOWN_TECH_TERMS = new Set([

package/gateway/ai/content_engine.py

@@ -988,11 +988,10 @@ def post_next_tweet() -> Dict[str, Any]:
     Checks the day-typed tweet schedule first. Falls back to the flat queue
     if no scheduled tweet is available for today.
     """
-    from ai.social import post_tweet, should_post_today
+    from ai.social import post_tweet, should_post_now
 
-    if not should_post_today():
-        daily_limit = int(os.environ.get("DELIMIT_DAILY_TWEETS", "8"))
-        return {"status": "skipped", "reason": f"Daily posting limit reached ({daily_limit}/day)"}
+    if not should_post_now():
+        return {"status": "skipped", "reason": "Rate cap hit (2/hr or 24/day)"}
 
     # --- Try day-typed schedule first ---
     scheduled = get_scheduled_tweet()

package/gateway/ai/inbox_classifier.py

@@ -0,0 +1,215 @@
+"""Inbox-reply keyword classifier — extracted from inbox_daemon.py for
+LED-2059 live-reload.
+
+The inbox daemon is a long-running thread inside the gateway process.
+Edits to keyword lists or detector regex landed on disk but didn't take
+effect until the gateway restarted, which is why the founder's "ship the
+symphony thread" reply (2026-04-28 incident) didn't auto-execute even
+though the LED-820 fix was already on disk.
+
+This module is reloaded by ``inbox_daemon.poll_once()`` at the start of
+each poll via ``importlib.reload``. Code changes here pick up within one
+poll interval (default 300s) without a gateway restart.
+
+Three classifier signals layered by escalating intent:
+- ``detect_approval_keywords`` — soft "approved" / "lgtm". Sets the draft
+  to ``approved`` status; the founder still posts manually.
+- ``detect_explicit_post_keywords`` — strong "ship it" / "post 812" /
+  "autopost". The daemon is allowed to call ``auto_post_draft`` with a
+  per-call DELIMIT_ENABLE_X_AUTOPOST bypass.
+- ``detect_cancel_keywords`` — "cancel" / "hold" / "drop it". Marks the
+  draft cancelled and skips any future processing for that id.
+
+All three detectors strip quoted Gmail / Outlook history before scanning
+so a quoted prior email containing one of the keywords doesn't trigger
+the wrong branch (the LED-817 incident).
+"""
+
+from __future__ import annotations
+
+import re
+from typing import Iterable
+
+# ── Keyword lists ────────────────────────────────────────────────────
+
+# LED-817 (P0): word-boundary regex matching to prevent substring false
+# positives from quoted Gmail history (e.g. "Reply 'hold' → I hold" in
+# a quoted prior email tripping the cancel branch on an "approved" reply).
+#
+# LED-820 (P1) tier split: APPROVAL_KEYWORDS is the SOFT signal (mark
+# approved, email founder for manual post — same as before). EXPLICIT_POST
+# is the STRONG signal — caller authorized auto-execution of the draft's
+# action right now, no second click required.
+
+APPROVAL_KEYWORDS: list[str] = [
+    "approved",
+    "approve",
+    "yes",
+    "go ahead",
+    "lgtm",
+    "looks good",
+]
+
+# Explicit-post keywords — strong signal. Founder authorized auto-execution
+# of the draft's action (post the tweet, comment the issue) WITHOUT a
+# second click. Only triggers when both (a) one of these phrases is in the
+# unquoted reply body AND (b) the draft has a registered draft_id match.
+EXPLICIT_POST_KEYWORDS: list[str] = [
+    "post it",
+    "ship it",
+    "post 8",        # "post 812", "post 800", etc. — LED-id-prefixed posts
+    "post led",      # "post LED-812"
+    "publish it",
+    "send it",
+    "go post",
+    "post via api",
+    "autopost",
+]
+
+CANCEL_KEYWORDS: list[str] = [
+    "cancel",
+    "stop",
+    "abort",
+    "don't post",
+    "do not post",
+    "hold",
+    "skip",
+    "drop it",
+]
+
+
+# ── Regex compilation ────────────────────────────────────────────────
+
+def _compile_keyword_regex(keywords: Iterable[str]) -> re.Pattern[str]:
+    """LED-817: build a strict word-boundary regex. Stricter than ``\\b``
+    because hyphens count as word boundaries in Python — ``\\bstop\\b``
+    matches the 'stop' in 'non-stop', re-introducing the substring bug
+    we're trying to fix. Use ``(?<![\\w-])`` / ``(?![\\w-])`` to treat
+    hyphens as internal so 'non-stop' doesn't trigger 'stop' but
+    'please cancel.' still triggers 'cancel'.
+    """
+    parts: list[str] = []
+    for kw in keywords:
+        if " " in kw or "'" in kw:
+            # Multi-word phrase — exact escape, internal whitespace
+            # already provides separation.
+            parts.append(re.escape(kw))
+        else:
+            parts.append(rf"(?<![\w-]){re.escape(kw)}(?![\w-])")
+    return re.compile("(" + "|".join(parts) + ")", re.IGNORECASE)
+
+
+_APPROVAL_RE = _compile_keyword_regex(APPROVAL_KEYWORDS)
+_CANCEL_RE = _compile_keyword_regex(CANCEL_KEYWORDS)
+_EXPLICIT_POST_RE = _compile_keyword_regex(EXPLICIT_POST_KEYWORDS)
+
+
+# ── Quoted-email stripping ──────────────────────────────────────────
+
+# LED-817 (P0): strip quoted email content before keyword scanning.
+# Gmail (and most clients) preserve quoted history below the reply.
+# Without stripping, a substring like "hold" from a previously-quoted
+# email of mine triggered cancel on an "approved" reply. Detect quote
+# markers and cut everything from the first marker onward.
+_QUOTE_MARKERS: tuple[re.Pattern[str], ...] = (
+    re.compile(r"^On\s+.+?\s+wrote:\s*$", re.MULTILINE),       # Gmail
+    re.compile(r"^-{2,}\s*Original Message\s*-{2,}", re.MULTILINE | re.IGNORECASE),
+    re.compile(r"^-{2,}\s*Forwarded message", re.MULTILINE | re.IGNORECASE),
+    re.compile(r"^From:\s*.+?\s*<", re.MULTILINE),             # Outlook
+    re.compile(r"^Sent from my", re.MULTILINE),                # Mobile sig
+)
+
+# Lines starting with ">" are quoted in plaintext email
+_QUOTED_LINE_PREFIX_RE = re.compile(r"^[\s]*>", re.MULTILINE)
+
+
+def _strip_quoted_content(text: str) -> str:
+    """Remove quoted email history so keyword scans only see the new reply.
+
+    Cuts at the first quote marker found anywhere in the body, then drops
+    any remaining lines that start with '>'. The intent is conservative:
+    if a marker is ambiguous, we keep the text. False negatives (failing
+    to strip) cause the same false-positive bug we're fixing, so the
+    detection has to favor cutting too aggressively rather than too little.
+    """
+    if not text:
+        return ""
+
+    # Find the earliest position of any quote marker
+    earliest = len(text)
+    for pattern in _QUOTE_MARKERS:
+        match = pattern.search(text)
+        if match and match.start() < earliest:
+            earliest = match.start()
+
+    head = text[:earliest]
+
+    # Drop ">"-prefixed lines from the head (in case Gmail used ">" without
+    # a "On X wrote:" header, or the user manually quoted).
+    cleaned_lines = [
+        line for line in head.splitlines()
+        if not _QUOTED_LINE_PREFIX_RE.match(line)
+    ]
+    return "\n".join(cleaned_lines).strip()
+
+
+# ── Public detectors ────────────────────────────────────────────────
+
+def detect_approval_keywords(text: str) -> bool:
+    """Soft-signal approval. Returns True if ``text`` (after stripping
+    quoted history) contains an approval keyword on a word boundary.
+
+    Guards against feedback loops:
+    - Ignores emails FROM the daemon itself (contain "post this manually")
+    - Ignores pathological one-word spam ("test" / "hello" / "approve me")
+    - Otherwise relies on the upstream draft_id match to filter
+    """
+    if not text:
+        return False
+    body = _strip_quoted_content(text).lower().strip()
+    if not body:
+        return False
+
+    # Block feedback loop: daemon's own confirmation emails
+    if "post this manually" in body or "has been approved" in body:
+        return False
+
+    # LED-817 (P0): the previous junk-block dropped bare "approved" /
+    # "approve" replies under the assumption they were spam. With the
+    # upstream `draft_id and detect_approval_keywords` gate at the
+    # callsite, a bare "approved" can only fire when the reply is in a
+    # signed-draft thread — i.e. founder-intent. Keep the spam guard
+    # only for the truly pathological cases.
+    if body in ("test", "hello", "approve me"):
+        return False
+
+    return bool(_APPROVAL_RE.search(body))
+
+
+def detect_cancel_keywords(text: str) -> bool:
+    """LED-817: word-boundary regex against the unquoted reply only,
+    no longer trips on 'hold' inside quoted history."""
+    if not text:
+        return False
+    body = _strip_quoted_content(text).lower().strip()
+    if not body:
+        return False
+    return bool(_CANCEL_RE.search(body))
+
+
+def detect_explicit_post_keywords(text: str) -> bool:
+    """LED-820 (P1): strong-signal trigger that authorizes the daemon to
+    actually execute the draft's action (post the tweet, comment the
+    issue) instead of merely marking it approved.
+
+    Returns True only when the unquoted reply body contains an unambiguous
+    posting directive ("post it" / "ship it" / "post 812" / etc).
+    Generic approvals like "approved" / "lgtm" do NOT auto-execute — the
+    founder must explicitly direct the post.
+    """
+    if not text:
+        return False
+    body = _strip_quoted_content(text).lower().strip()
+    if not body:
+        return False
+    return bool(_EXPLICIT_POST_RE.search(body))

package/gateway/ai/integrations/opensage_wrapper.py

@@ -32,7 +32,10 @@ from typing import Any, Callable, Dict, List, Optional
 
 logger = logging.getLogger("delimit.integrations.opensage")
 
-DELIMIT_HOME = Path.home() / ".delimit"
+# LED-1188: env-var-aware home resolution (DELIMIT_HOME / DELIMIT_NAMESPACE_ROOT).
+from ..continuity import get_namespace_root  # noqa: E402
+
+DELIMIT_HOME = get_namespace_root()
 AUDIT_DIR = DELIMIT_HOME / "audit"
 POLICY_FILE = DELIMIT_HOME / "enforcement_mode"