delimit-cli 4.5.0 → 4.5.2

package/lib/managed-section.js

@@ -0,0 +1,92 @@
+// lib/managed-section.js
+//
+// Shared upsertDelimitSection helper. Used by:
+//   bin/delimit-setup.js — for ~/CLAUDE.md, ~/.codex/instructions.md, ~/.cursorrules
+//   adapters/cursor-rules.js — for ~/.cursor/rules/delimit.md
+//
+// NEVER clobbers user-authored content outside the markers. Behavior:
+//   - File missing → create with just the managed section.
+//   - File has markers → replace only the region between them (user content
+//     above/below preserved).
+//   - File has no markers → append the managed section at the bottom (user
+//     content at top preserved).
+//
+// History (institutional memory; do NOT change marker semantics without
+// understanding these incidents):
+//   - v4.1.47: previous heuristic replaced the whole file whenever it
+//     detected "old Delimit content" — destroyed founder-customized
+//     CLAUDE.md files on every upgrade.
+//   - v4.1.49: unanchored marker regex matched markers inside quoted
+//     prose (backticks, bullets, blockquotes) — clobbered /root/CLAUDE.md.
+//     The current regex is anchored with the multiline flag so markers
+//     MUST be on their own line. Optional leading horizontal whitespace
+//     [ \t]* permits genuinely indented markers but NOT prose-leading
+//     characters like "- ", "> ", "`", "*".
+//
+// Returns: { action: 'created' | 'updated' | 'unchanged' | 'appended' }
+
+const fs = require('fs');
+const path = require('path');
+
+function loadPackageVersion() {
+    try {
+        const pkg = JSON.parse(fs.readFileSync(path.join(__dirname, '..', 'package.json'), 'utf-8'));
+        return pkg.version || '0.0.0';
+    } catch {
+        return '0.0.0';
+    }
+}
+
+/**
+ * Upsert the Delimit section in a file using <!-- delimit:start v<version> -->
+ * and <!-- delimit:end --> markers.
+ *
+ * @param {string} filePath - Absolute path to the target file.
+ * @param {string} newSection - The full managed-section text (including markers).
+ * @param {string} [version] - Version string for staleness check. Defaults to package.json.
+ * @returns {{action: 'created'|'updated'|'unchanged'|'appended'}}
+ */
+function upsertManagedSection(filePath, newSection, version) {
+    if (!version) version = loadPackageVersion();
+
+    if (!fs.existsSync(filePath)) {
+        fs.writeFileSync(filePath, newSection + '\n');
+        return { action: 'created' };
+    }
+
+    const rawExisting = fs.readFileSync(filePath, 'utf-8');
+    // Strip a UTF-8 BOM if present so the start-of-line anchor still matches
+    // the very first line of the file. We write back the stripped form to keep
+    // serialization deterministic.
+    const existing = rawExisting.replace(/^/, '');
+
+    const startMarkerRe = /^[ \t]*<!-- delimit:start[^>]*-->[ \t]*$/m;
+    const endMarkerRe = /^[ \t]*<!-- delimit:end -->[ \t]*$/m;
+    const startMatch = existing.match(startMarkerRe);
+    const endMatch = existing.match(endMarkerRe);
+
+    if (startMatch && endMatch) {
+        // Extract current version from the marker (also anchored, allows indent)
+        const versionMatch = existing.match(/^[ \t]*<!-- delimit:start v([^ ]+) -->[ \t]*$/m);
+        const currentVersion = versionMatch ? versionMatch[1] : '';
+        if (currentVersion === version) {
+            return { action: 'unchanged' };
+        }
+        // Replace only the managed region — preserve content above/below
+        const startIdx = startMatch.index;
+        const endIdx = endMatch.index + endMatch[0].length;
+        const before = existing.substring(0, startIdx);
+        const after = existing.substring(endIdx);
+        fs.writeFileSync(filePath, before + newSection + after);
+        return { action: 'updated' };
+    }
+
+    // No markers present — append the managed section at the bottom.
+    // User content above is preserved verbatim. Markers get added so future
+    // upgrades can update just the managed region.
+    const separator = existing.endsWith('\n') ? '\n' : '\n\n';
+    fs.writeFileSync(filePath, existing + separator + newSection + '\n');
+    return { action: 'appended' };
+}
+
+module.exports = { upsertManagedSection, loadPackageVersion };

package/lib/trust-page-engine.js

@@ -10,6 +10,7 @@ const crypto = require('crypto');
 const fs = require('fs');
 const path = require('path');
 const os = require('os');
+const { canonicalize } = require('./wrap-engine');
 
 function loadHmacKey() {
     const keyPath = path.join(os.homedir(), '.delimit', 'wrap-hmac.key');
@@ -20,8 +21,11 @@ function loadHmacKey() {
 function verifySignature(attestation, key) {
     if (!key) return 'unverifiable';
     try {
-        const canonical = JSON.stringify(attestation.bundle, Object.keys(attestation.bundle).sort());
-        const expected = crypto.createHmac('sha256', key).update(canonical).digest('hex');
+        // LED-1180: must use the same recursive sorted-key canonicalize
+        // as wrap-engine; using JSON.stringify(.., keys.sort()) here
+        // would treat the array as an allowlist and serialise nested
+        // fields as {}, matching the old broken signature trivially.
+        const expected = crypto.createHmac('sha256', key).update(canonicalize(attestation.bundle)).digest('hex');
         return expected === attestation.signature ? 'verified' : 'signature_mismatch';
     } catch {
         return 'verify_error';

package/lib/wrap-engine.js

@@ -138,9 +138,26 @@ function runTestSmoke(cwd) {
 // Attestation bundling + signing
 // ----------------------------------------------------------------------------
 
+// LED-1180: deterministic canonical JSON. Recursively sorts object keys
+// at every depth. Earlier implementations passed the second argument of
+// JSON.stringify as `Object.keys(bundle).sort()`, which JSON.stringify
+// treats as a property ALLOWLIST (not a sort order), filtered to
+// top-level keys. The result was that nested objects serialised as
+// `{}` and the HMAC committed only to the top-level shape — meaning a
+// bad actor could change `bundle.governance.violations` or any nested
+// field without invalidating the signature. Fixed in v4.5.1 hotfix.
+// Verifier must use the same canonicalize to match.
+function canonicalize(value) {
+    if (value === null || typeof value !== 'object') return JSON.stringify(value);
+    if (Array.isArray(value)) {
+        return '[' + value.map(canonicalize).join(',') + ']';
+    }
+    const keys = Object.keys(value).sort();
+    return '{' + keys.map((k) => JSON.stringify(k) + ':' + canonicalize(value[k])).join(',') + '}';
+}
+
 function computeAttestationId(bundle) {
-    const canonical = JSON.stringify(bundle, Object.keys(bundle).sort());
-    const hash = crypto.createHash('sha256').update(canonical).digest('hex');
+    const hash = crypto.createHash('sha256').update(canonicalize(bundle)).digest('hex');
     return 'att_' + hash.slice(0, 16);
 }
 
@@ -157,8 +174,7 @@ function loadOrCreateHmacKey() {
 
 function signAttestation(bundle) {
     const key = loadOrCreateHmacKey();
-    const canonical = JSON.stringify(bundle, Object.keys(bundle).sort());
-    return crypto.createHmac('sha256', key).update(canonical).digest('hex');
+    return crypto.createHmac('sha256', key).update(canonicalize(bundle)).digest('hex');
 }
 
 // ----------------------------------------------------------------------------
@@ -442,6 +458,7 @@ async function runWrap(rawCmd, options = {}) {
 
 module.exports = {
     runWrap,
+    canonicalize,
     computeAttestationId,
     signAttestation,
     checkQuota,

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "delimit-cli",
   "mcpName": "io.github.delimit-ai/delimit-mcp-server",
-  "version": "4.5.0",
+  "version": "4.5.2",
   "description": "Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, governance, and multi-model debate.",
   "main": "index.js",
   "files": [
@@ -16,6 +16,9 @@
     "!gateway/ai/founding_users.py",
     "!gateway/ai/inbox_daemon.py",
     "!gateway/ai/inbox_daemon_runner.py",
+    "!gateway/ai/self_repair/",
+    "!gateway/ai/self_repair_daemon.py",
+    "!gateway/ai/corp_dashboard.py",
     "!gateway/ai/deliberation.py",
     "!gateway/ai/dv_mention_tracker.py",
     "!gateway/ai/sensor_twttr.py",
@@ -26,6 +29,9 @@
     "!gateway/ai/content_intel.py",
     "!gateway/ai/loop_daemon.py",
     "!gateway/ai/loop_engine.py",
+    "!gateway/ai/content_grounding/",
+    "!gateway/ai/inbox_drafts/",
+    "!gateway/ai/inbox_executor.py",
     "scripts/",
     "!scripts/crosspost_devto.py",
     "!scripts/repo_targeting.py",
@@ -48,7 +54,7 @@
     "postinstall": "node scripts/postinstall.js",
     "sync-gateway": "bash scripts/sync-gateway.sh",
     "prepublishOnly": "bash scripts/publish-ci-guard.sh && npm run sync-gateway && bash scripts/security-check.sh",
-    "test": "node --test tests/setup-onboarding.test.js tests/setup-matrix.test.js tests/setup-no-clobber.test.js tests/config-export-import.test.js tests/cross-model-hooks.test.js tests/golden-path.test.js tests/v420-features.test.js tests/v43-wrap-engine.test.js tests/v43-trust-page-engine.test.js tests/v43-ai-sbom-engine.test.js"
+    "test": "node --test tests/setup-onboarding.test.js tests/setup-matrix.test.js tests/setup-no-clobber.test.js tests/config-export-import.test.js tests/cross-model-hooks.test.js tests/golden-path.test.js tests/v420-features.test.js tests/v43-wrap-engine.test.js tests/v43-trust-page-engine.test.js tests/v43-ai-sbom-engine.test.js tests/attest-mcp.test.js tests/delimit-home.test.js tests/postinstall-hardening.test.js"
   },
   "keywords": [
     "openapi",

package/scripts/postinstall.js

@@ -1,47 +1,96 @@
 #!/usr/bin/env node
 /**
  * Postinstall — anonymous install ping + setup hint.
+ *
+ * v4.5.2 (LED-1188) install hardening:
+ *   - Top-level try/catch ensures NO postinstall failure can ever block
+ *     `npm install delimit-cli`. Per the customer-protection rule in
+ *     /root/.claude/CLAUDE.md, npm publish is a production deploy and a
+ *     postinstall crash on a Pro user's machine is a customer-facing
+ *     incident regardless of root cause.
+ *   - EROFS / EACCES / EPERM / ENOSPC / ENOENT on stdout writes soft-fail
+ *     silently. (Some sandbox installers redirect stdout to a read-only
+ *     pipe.)
+ *   - Network telemetry stays best-effort; no crash if DNS / TLS / proxy
+ *     misbehaves. DELIMIT_NO_TELEMETRY=1 honored as kill switch.
+ *   - Idempotent — re-running install is a no-op, never corrupts state.
+ *     This file does not write to ~/.delimit/; that's bin/delimit-setup.js.
+ *
  * No PII. Silent fail. Never blocks install.
  */
 
-// Print setup hint with quick start
-const v = require('../package.json').version;
-console.log('');
-console.log('  \x1b[1m\x1b[35mDelimit\x1b[0m v' + v + ' installed');
-console.log('');
-console.log('  Quick start:');
-console.log('    \x1b[32mdelimit doctor\x1b[0m        Check your setup, fix what\'s missing');
-console.log('    \x1b[32mdelimit simulate\x1b[0m      Dry-run: see what governance would block');
-console.log('    \x1b[32mdelimit status\x1b[0m        Visual dashboard of your governance posture');
-console.log('    \x1b[32mdelimit setup\x1b[0m         Install MCP governance for AI assistants');
-console.log('');
-console.log('  Docs:       \x1b[36mhttps://delimit.ai/docs\x1b[0m');
-console.log('  Star us:    \x1b[36mhttps://github.com/delimit-ai/delimit-mcp-server\x1b[0m');
-console.log('');
+(function postinstall() {
+    'use strict';
 
-// Anonymous telemetry ping — no PII, just "someone installed"
-try {
-    const https = require('https');
-    const data = JSON.stringify({
-        event: 'install',
-        version: require('../package.json').version,
-        node: process.version,
-        platform: process.platform,
-        arch: process.arch,
-        ts: new Date().toISOString()
-    });
-    const req = https.request({
-        hostname: 'delimit.ai',
-        path: '/api/telemetry',
-        method: 'POST',
-        headers: {
-            'Content-Type': 'application/json',
-            'Content-Length': Buffer.byteLength(data)
-        },
-        timeout: 3000
-    });
-    req.on('error', () => {}); // silent fail
-    req.on('timeout', () => { req.destroy(); });
-    req.write(data);
-    req.end();
-} catch (e) { /* silent fail */ }
+    // --- 1. setup hint ------------------------------------------------------
+    // Wrapped in try/catch because console.log can throw on EPIPE / EBADF
+    // when the parent npm process closed stdout early.
+    let pkg;
+    try {
+        pkg = require('../package.json');
+    } catch (e) {
+        // package.json missing or unreadable — nothing to print, nothing
+        // to ping. This is a partial-install state; let the install
+        // complete so `delimit doctor` can diagnose later.
+        return;
+    }
+    const v = (pkg && pkg.version) || '?';
+
+    function safeLog(msg) {
+        try { process.stdout.write(msg + '\n'); }
+        catch (_) { /* EPIPE / EBADF / EROFS on stdout — give up silently */ }
+    }
+
+    try {
+        safeLog('');
+        safeLog('  \x1b[1m\x1b[35mDelimit\x1b[0m v' + v + ' installed');
+        safeLog('');
+        safeLog('  Quick start:');
+        safeLog('    \x1b[32mdelimit doctor\x1b[0m        Check your setup, fix what\'s missing');
+        safeLog('    \x1b[32mdelimit simulate\x1b[0m      Dry-run: see what governance would block');
+        safeLog('    \x1b[32mdelimit status\x1b[0m        Visual dashboard of your governance posture');
+        safeLog('    \x1b[32mdelimit setup\x1b[0m         Install MCP governance for AI assistants');
+        safeLog('');
+        safeLog('  Docs:       \x1b[36mhttps://delimit.ai/docs\x1b[0m');
+        safeLog('  Star us:    \x1b[36mhttps://github.com/delimit-ai/delimit-mcp-server\x1b[0m');
+        safeLog('');
+    } catch (_) { /* never block install on a print failure */ }
+
+    // --- 2. anonymous install telemetry ------------------------------------
+    // Honor opt-out and corporate proxy environments. The HTTPS request is
+    // silent-fail at every level (DNS / TCP / TLS / write / response).
+    const tele = (process.env.DELIMIT_NO_TELEMETRY || '').toLowerCase();
+    if (tele === '1' || tele === 'true' || tele === 'yes') return;
+
+    try {
+        const https = require('https');
+        const data = JSON.stringify({
+            event: 'install',
+            version: v,
+            node: process.version,
+            platform: process.platform,
+            arch: process.arch,
+            ts: new Date().toISOString()
+        });
+        const req = https.request({
+            hostname: 'delimit.ai',
+            path: '/api/telemetry',
+            method: 'POST',
+            headers: {
+                'Content-Type': 'application/json',
+                'Content-Length': Buffer.byteLength(data)
+            },
+            timeout: 3000
+        });
+        // Catch every error class: ENOTFOUND, ECONNREFUSED, ETIMEDOUT,
+        // CERT_HAS_EXPIRED, EPROTO, etc. None should ever propagate.
+        req.on('error', () => {});
+        req.on('timeout', () => { try { req.destroy(); } catch (_) {} });
+        req.write(data);
+        req.end();
+    } catch (_) { /* silent fail — never block install */ }
+})();
+
+// Outermost guard: even if the IIFE above throws synchronously somehow
+// (require() race, V8 bug, etc), don't propagate a non-zero exit code.
+process.on('uncaughtException', () => { /* swallow */ });

package/gateway/ai/content_grounding/__init__.py

@@ -1,98 +0,0 @@
-"""
-Delimit content grounding layer — LED-1084 Week 1.
-
-Purpose: normalize ledger entries, attestations, and git history into
-evidence-backed `GroundedEvent` records with typed atomic `Claim`s.
-Every downstream generator (blog, social drafter, storyline) consumes
-this layer and MUST NOT fabricate claims that aren't backed by an
-evidence_ref.
-
-Architectural amendments (per 2026-04-24 adversarial rebuttal,
-/home/delimit/delimit-private/strategy/CONTENT_GROUNDING_REBUTTAL_2026_04.md):
-
-  A3. Week 1 is strictly NON-PUBLISHING. Publish endpoints are
-      hard-disabled at the code level (see `_PUBLISH_DISABLED` below).
-  A5. Claims are typed atomic objects with explicit evidence_refs,
-      visibility, and optional versioned inference_rule.
-  A6. Hard bans during Week 1/2: comparative, adoption, customer,
-      aggregate, roadmap claims reject unless exact text whitelisted
-      or (for aggregates) backed by structured numeric evidence.
-  A9. Deterministic extraction gate: extract → classify → map to
-      allowed claim IDs → reject on any unmatched/uncertain claim →
-      persist audit record. All content passes through this gate.
-  A10. One-strike kill semantics: any externally published ungrounded
-      claim reverts ALL generators to manual-only mode.
-
-This module never generates public content. It only produces the
-grounded event + claim records that generators consume.
-"""
-from .schemas import (
-    ClaimType,
-    Visibility,
-    EventType,
-    EvidenceRef,
-    Claim,
-    GroundedEvent,
-    GroundingIndex,
-)
-from .build import (
-    build_grounding_index,
-    load_grounded_events,
-    validate_claims,
-    persist_grounding_index,
-)
-from .consume import (
-    GroundingBundle,
-    fetch_grounding_bundle,
-    build_allowed_claim_set,
-    load_feature_whitelist,
-    unreleased_feature_detector,
-    score_draft_grounding,
-)
-from .features import (
-    build_feature_set,
-    build_and_persist_features,
-    extract_mcp_tools,
-    extract_cli_commands,
-)
-from .telemetry import (
-    summarize as summarize_gate_telemetry,
-    recent_samples as recent_gate_samples,
-)
-
-__all__ = [
-    # schemas
-    "ClaimType",
-    "Visibility",
-    "EventType",
-    "EvidenceRef",
-    "Claim",
-    "GroundedEvent",
-    "GroundingIndex",
-    # build
-    "build_grounding_index",
-    "load_grounded_events",
-    "validate_claims",
-    "persist_grounding_index",
-    # consume (Week 2)
-    "GroundingBundle",
-    "fetch_grounding_bundle",
-    "build_allowed_claim_set",
-    "load_feature_whitelist",
-    "unreleased_feature_detector",
-    "score_draft_grounding",
-    # features whitelist builder (Week 2)
-    "build_feature_set",
-    "build_and_persist_features",
-    "extract_mcp_tools",
-    "extract_cli_commands",
-    # telemetry (Week 2 → Week 3 bridge)
-    "summarize_gate_telemetry",
-    "recent_gate_samples",
-]
-
-# A3: publish paths are OFF. Any attempt to publish grounded content
-# externally during Week 1 raises. Flip to True only after Week 2
-# hardening (claim-type classifiers, implication detection) and explicit
-# founder approval.
-_PUBLISH_DISABLED = True