delimit-cli 4.5.1 → 4.5.3

package/gateway/ai/server.py

@@ -1428,112 +1428,144 @@ def delimit_lint(old_spec: str, new_spec: str, policy_file: Optional[str] = None
     recording evidence, triggering notifications, or enforcing governance.
     Useful for CI preview comments ("what would block") without side effects.
 
+    Spec arguments accept local paths or http(s) URLs. URLs are fetched
+    once into a tempfile (size cap, SSRF guard) and the resolved local
+    path is used for the rest of the pipeline.
+
     Args:
-        old_spec: Path to the old (baseline) OpenAPI spec file.
-        new_spec: Path to the new (proposed) OpenAPI spec file.
+        old_spec: Path or URL to the old (baseline) OpenAPI spec file.
+        new_spec: Path or URL to the new (proposed) OpenAPI spec file.
         policy_file: Optional path to a .delimit/policies.yml file.
         dry_run: If True, return violations without side effects (no evidence, no chains).
     """
     from backends.gateway_core import run_lint, run_semver
+    from ai.remote_resolve import RemoteResolveError, resolve_spec_input
 
-    # Step 1: Core lint
-    lint_result = _safe_call(run_lint, old_spec=old_spec, new_spec=new_spec, policy_file=policy_file)
+    # Resolve any URL inputs up-front. Both contextmanagers share a
+    # single ExitStack so cleanup happens once at the end.
+    import contextlib as _contextlib
+    try:
+        with _contextlib.ExitStack() as stack:
+            old_resolved, old_meta = stack.enter_context(resolve_spec_input(old_spec))
+            new_resolved, new_meta = stack.enter_context(resolve_spec_input(new_spec))
+            resolved_from = [old_meta["resolved_from"], new_meta["resolved_from"]]
+
+            # Step 1: Core lint (against resolved local paths)
+            lint_result = _safe_call(
+                run_lint,
+                old_spec=old_resolved,
+                new_spec=new_resolved,
+                policy_file=policy_file,
+            )
 
-    # Dry-run mode: return raw lint + semver, skip all chains and governance
-    if dry_run:
-        lint_result["dry_run"] = True
-        lint_result["simulated"] = True
-        # Still classify semver (informational, no side effects)
-        semver_result = _safe_call(run_semver, old_spec=old_spec, new_spec=new_spec)
-        if not semver_result.get("error"):
+            # Dry-run mode: return raw lint + semver, skip all chains and governance
+            if dry_run:
+                lint_result["dry_run"] = True
+                lint_result["simulated"] = True
+                # Still classify semver (informational, no side effects)
+                semver_result = _safe_call(run_semver, old_spec=old_resolved, new_spec=new_resolved)
+                if not semver_result.get("error"):
+                    lint_result["semver"] = semver_result
+                lint_result["resolved_from"] = resolved_from
+                return lint_result
+
+            chain: Dict[str, Any] = {"id": "lint_chain", "steps": []}
+
+            if lint_result.get("error"):
+                lint_result["chain"] = chain
+                lint_result["resolved_from"] = resolved_from
+                return _with_next_steps("lint", lint_result)
+
+            # Step 2: Auto-classify semver bump (non-blocking on failure)
+            semver_result = _chain_call("lint", "semver", run_semver,
+                                        required=False, old_spec=old_resolved, new_spec=new_resolved)
+            chain["steps"].append({"step": "semver", "ok": not _chain_is_error(semver_result)})
             lint_result["semver"] = semver_result
-        return lint_result
 
-    chain: Dict[str, Any] = {"id": "lint_chain", "steps": []}
+            if _chain_is_error(semver_result):
+                chain["status"] = "semver_failed_nonfatal"
+                lint_result["chain"] = chain
+                lint_result["resolved_from"] = resolved_from
+                return _with_next_steps("lint", lint_result)
 
-    if lint_result.get("error"):
-        lint_result["chain"] = chain
-        return _with_next_steps("lint", lint_result)
-
-    # Step 2: Auto-classify semver bump (non-blocking on failure)
-    semver_result = _chain_call("lint", "semver", run_semver,
-                                required=False, old_spec=old_spec, new_spec=new_spec)
-    chain["steps"].append({"step": "semver", "ok": not _chain_is_error(semver_result)})
-    lint_result["semver"] = semver_result
-
-    if _chain_is_error(semver_result):
-        chain["status"] = "semver_failed_nonfatal"
-        lint_result["chain"] = chain
-        return _with_next_steps("lint", lint_result)
-
-    bump = str(semver_result.get("bump", "")).upper()
-
-    # Step 2b: Impact-based notification routing (LED-233, non-blocking)
-    try:
-        from ai.notify import route_by_impact
-        all_changes = lint_result.get("all_changes", lint_result.get("violations", []))
-        if all_changes:
-            routing_result = route_by_impact(all_changes, dry_run=False)
-            chain["steps"].append({"step": "impact_routing", "ok": True})
-            lint_result["impact_routing"] = routing_result
-    except Exception as e:
-        logger.debug("Impact routing non-fatal error: %s", e)
-        chain["steps"].append({"step": "impact_routing", "ok": False, "error": str(e)})
+            bump = str(semver_result.get("bump", "")).upper()
 
-    if bump != "MAJOR":
-        chain["status"] = f"complete_{bump.lower() or 'none'}"
-        lint_result["chain"] = chain
-        return _with_next_steps("lint", lint_result)
-
-    # Step 3: MAJOR bump detected -- evaluate governance
-    # Note: _delimit_gov_impl has its own Pro gate. Free-tier gets lint+semver only.
-    gov_result = _delimit_gov_impl(
-        action="evaluate",
-        eval_action="api_breaking_change",
-        context={
-            "tool": "delimit_lint",
-            "old_spec": old_spec,
-            "new_spec": new_spec,
-            "semver_bump": bump,
-            "breaking_changes": lint_result.get("breaking", []),
-        },
-        repo=".",
-    )
-    chain["steps"].append({"step": "gov_evaluate", "ok": not _chain_is_error(gov_result)})
-    lint_result["gov_evaluate"] = gov_result
-
-    # If Pro gate blocked governance, return gracefully with lint+semver
-    if gov_result.get("status") == "premium_required":
-        chain["status"] = "governance_skipped_free_tier"
-        lint_result["chain"] = chain
-        return _with_next_steps("lint", lint_result)
-
-    # Step 4: If governance blocked, record in ledger (best-effort)
-    gov_blocked = (
-        str(gov_result.get("status", "")).lower() == "blocked"
-        or gov_result.get("governance", {}).get("action") == "policy_blocked"
-    )
+            # Step 2b: Impact-based notification routing (LED-233, non-blocking)
+            try:
+                from ai.notify import route_by_impact
+                all_changes = lint_result.get("all_changes", lint_result.get("violations", []))
+                if all_changes:
+                    routing_result = route_by_impact(all_changes, dry_run=False)
+                    chain["steps"].append({"step": "impact_routing", "ok": True})
+                    lint_result["impact_routing"] = routing_result
+            except Exception as e:
+                logger.debug("Impact routing non-fatal error: %s", e)
+                chain["steps"].append({"step": "impact_routing", "ok": False, "error": str(e)})
+
+            if bump != "MAJOR":
+                chain["status"] = f"complete_{bump.lower() or 'none'}"
+                lint_result["chain"] = chain
+                lint_result["resolved_from"] = resolved_from
+                return _with_next_steps("lint", lint_result)
+
+            # Step 3: MAJOR bump detected -- evaluate governance
+            # Note: _delimit_gov_impl has its own Pro gate. Free-tier gets lint+semver only.
+            # Pass the *original* user inputs (not the tempfile paths) into the
+            # governance context so audit trails capture the real spec source.
+            gov_result = _delimit_gov_impl(
+                action="evaluate",
+                eval_action="api_breaking_change",
+                context={
+                    "tool": "delimit_lint",
+                    "old_spec": old_spec,
+                    "new_spec": new_spec,
+                    "semver_bump": bump,
+                    "breaking_changes": lint_result.get("breaking", []),
+                },
+                repo=".",
+            )
+            chain["steps"].append({"step": "gov_evaluate", "ok": not _chain_is_error(gov_result)})
+            lint_result["gov_evaluate"] = gov_result
+
+            # If Pro gate blocked governance, return gracefully with lint+semver
+            if gov_result.get("status") == "premium_required":
+                chain["status"] = "governance_skipped_free_tier"
+                lint_result["chain"] = chain
+                lint_result["resolved_from"] = resolved_from
+                return _with_next_steps("lint", lint_result)
+
+            # Step 4: If governance blocked, record in ledger (best-effort)
+            gov_blocked = (
+                str(gov_result.get("status", "")).lower() == "blocked"
+                or gov_result.get("governance", {}).get("action") == "policy_blocked"
+            )
 
-    if gov_blocked:
-        from ai.ledger_manager import add_item
-        ledger_result = _chain_call(
-            "lint", "ledger_add", add_item,
-            required=False,
-            title=f"Governance blocked: MAJOR API change in {new_spec}",
-            ledger="ops",
-            item_type="fix",
-            priority="P0",
-            description="MAJOR semver bump detected. Governance blocked the change.",
-            source="chain:lint:gov_blocked",
-        )
-        chain["steps"].append({"step": "ledger_add", "ok": not _chain_is_error(ledger_result)})
-        lint_result["governance_blocked"] = True
-    else:
-        lint_result["governance_blocked"] = False
+            if gov_blocked:
+                from ai.ledger_manager import add_item
+                ledger_result = _chain_call(
+                    "lint", "ledger_add", add_item,
+                    required=False,
+                    title=f"Governance blocked: MAJOR API change in {new_spec}",
+                    ledger="ops",
+                    item_type="fix",
+                    priority="P0",
+                    description="MAJOR semver bump detected. Governance blocked the change.",
+                    source="chain:lint:gov_blocked",
+                )
+                chain["steps"].append({"step": "ledger_add", "ok": not _chain_is_error(ledger_result)})
+                lint_result["governance_blocked"] = True
+            else:
+                lint_result["governance_blocked"] = False
 
-    chain["status"] = "major_change_evaluated"
-    lint_result["chain"] = chain
-    return _with_next_steps("lint", lint_result)
+            chain["status"] = "major_change_evaluated"
+            lint_result["chain"] = chain
+            lint_result["resolved_from"] = resolved_from
+            return _with_next_steps("lint", lint_result)
+    except RemoteResolveError as e:
+        out = e.to_dict()
+        out["old_spec"] = old_spec
+        out["new_spec"] = new_spec
+        return out
 
 
 @mcp.tool()
@@ -2911,49 +2943,79 @@ def delimit_repo_diagnose(target: str = ".") -> Dict[str, Any]:
     return _safe_call(diagnose, target=target)
 
 
+def _run_repo_tool_with_remote(
+    target: str,
+    backend_fn,
+    pro_capability: str,
+) -> Dict[str, Any]:
+    """Shared wrapper for repo-bridge tools with remote-input support (LED-1237).
+
+    Resolves ``target`` (local path, ``owner/repo`` shorthand, or
+    GitHub URL) into a local path, calls the backend, and merges the
+    resolution metadata into the response so panel members can see
+    what got cloned.
+    """
+    from ai.license import require_premium
+    gate = require_premium(pro_capability)
+    if gate:
+        return gate
+
+    from ai.remote_resolve import RemoteResolveError, resolve_repo_target
+
+    try:
+        with resolve_repo_target(target) as (resolved_path, meta):
+            result = _safe_call(backend_fn, target=resolved_path)
+            if isinstance(result, dict):
+                # Don't clobber a backend-supplied resolved_from field.
+                for k, v in meta.items():
+                    result.setdefault(k, v)
+            return result
+    except RemoteResolveError as e:
+        out = e.to_dict()
+        # Preserve the user's original input for debuggability.
+        out["target"] = target
+        return out
+
+
 @mcp.tool()
 def delimit_repo_analyze(target: str = ".") -> Dict[str, Any]:
     """Analyze repository structure and quality (experimental) (Pro).
 
+    Accepts a local path, an ``owner/repo`` shorthand
+    (e.g. ``calcom/cal.com``), or a full GitHub URL. Remote inputs
+    are shallow-cloned into a tempdir for the duration of the call.
+
     Args:
-        target: Repository path.
+        target: Repository path, owner/repo, or GitHub URL.
     """
-    from ai.license import require_premium
-    gate = require_premium("repo_analyze")
-    if gate:
-        return gate
     from backends.repo_bridge import analyze
-    return _safe_call(analyze, target=target)
+    return _run_repo_tool_with_remote(target, analyze, "repo_analyze")
 
 
 @mcp.tool()
 def delimit_repo_config_validate(target: str = ".") -> Dict[str, Any]:
     """Validate configuration files (experimental) (Pro).
 
+    Accepts a local path, ``owner/repo`` shorthand, or a GitHub URL.
+
     Args:
-        target: Repository or config path.
+        target: Repository or config path, owner/repo, or GitHub URL.
     """
-    from ai.license import require_premium
-    gate = require_premium("repo_config_validate")
-    if gate:
-        return gate
     from backends.repo_bridge import config_validate
-    return _safe_call(config_validate, target=target)
+    return _run_repo_tool_with_remote(target, config_validate, "repo_config_validate")
 
 
 @mcp.tool()
 def delimit_repo_config_audit(target: str = ".") -> Dict[str, Any]:
     """Audit configuration compliance (experimental) (Pro).
 
+    Accepts a local path, ``owner/repo`` shorthand, or a GitHub URL.
+
     Args:
-        target: Repository or config path.
+        target: Repository or config path, owner/repo, or GitHub URL.
     """
-    from ai.license import require_premium
-    gate = require_premium("repo_config_audit")
-    if gate:
-        return gate
     from backends.repo_bridge import config_audit
-    return _safe_call(config_audit, target=target)
+    return _run_repo_tool_with_remote(target, config_audit, "repo_config_audit")
 
 
 # ─── Security ───────────────────────────────────────────────────────────
@@ -7302,7 +7364,8 @@ def delimit_social_post(text: str = "", category: str = "", platform: str = "twi
     Categories: tip, changelog, insight, engagement.
     Leave text empty to auto-generate from templates.
     Every post provides value - tips, insights, governance wisdom.
-    Max 2 posts per day to stay authentic.
+    Rate cap: 2 original posts per hour, 24 per day (founder-approved
+    2026-04-30). Override via DELIMIT_HOURLY_TWEETS / DELIMIT_DAILY_TWEETS.
 
     IMPORTANT - Platform tone rules (these are DIFFERENT per platform):
     - Twitter: confident technical brand. Direct, professional, ALWAYS POSITIVE.
@@ -7323,10 +7386,10 @@ def delimit_social_post(text: str = "", category: str = "", platform: str = "twi
         draft: If True, save as draft for approval instead of posting immediately.
         context: WHY this post should be made. Strategic reasoning shown in the approval email.
     """
-    from ai.social import generate_post, post_tweet, should_post_today, save_draft
+    from ai.social import generate_post, post_tweet, should_post_now, save_draft
 
-    if not draft and not should_post_today():
-        return {"status": "skipped", "reason": "Already posted twice today. Authenticity > volume."}
+    if not draft and not should_post_now():
+        return {"status": "skipped", "reason": "Rate cap hit (2/hr or 24/day). Wait or pass draft=True for email-approval flow."}
 
     post = generate_post(category, text)
 
@@ -7443,9 +7506,16 @@ def delimit_social_post(text: str = "", category: str = "", platform: str = "twi
                 _lines.append("Reply APPROVED to approve, CANCEL to reject.")
 
                 _handle = f"u/{_acct}"
+                # LED-1129 Phase 2 — append [draft_id:<8>] token to subject so
+                # the inbox daemon's draft_id fallback can match the approval
+                # reply even when no LED/STR token is present.
+                _reddit_subject = f"[Reddit Post] {_handle}: {_reddit_title[:60]}..."
+                _reg_id = entry.get("registry_draft_id")
+                if _reg_id:
+                    _reddit_subject = f"{_reddit_subject} [draft_id:{_reg_id[:8]}]"
                 email_result = send_email(
                     message="\n".join(_lines),
-                    subject=f"[Reddit Post] {_handle}: {_reddit_title[:60]}...",
+                    subject=_reddit_subject,
                     event_type="social_draft",
                 )
                 if email_result.get("delivered") and email_result.get("message_id"):
@@ -7487,9 +7557,16 @@ def delimit_social_post(text: str = "", category: str = "", platform: str = "twi
             _subject_type = "Tweet"
 
         _handle = f"u/{_acct}" if platform == "reddit" else f"@{_acct}"
+        # LED-1129 Phase 2 — append [draft_id:<8>] token to subject so the
+        # inbox daemon's draft_id fallback can match the approval reply even
+        # when no LED/STR token is present.
+        _social_subject = f"[{_subject_type}] {_handle}: {post['text'][:60]}..."
+        _reg_id = entry.get("registry_draft_id")
+        if _reg_id:
+            _social_subject = f"{_social_subject} [draft_id:{_reg_id[:8]}]"
         email_result = send_email(
             message="\n".join(_lines),
-            subject=f"[{_subject_type}] {_handle}: {post['text'][:60]}...",
+            subject=_social_subject,
             event_type="social_draft",
         )
         # Store the outbound Message-ID on the draft record so the
@@ -7529,6 +7606,55 @@ def delimit_social_accounts() -> Dict[str, Any]:
     return _with_next_steps("social_accounts", {"accounts": accounts, "count": len(accounts)})
 
 
+@mcp.tool()
+def delimit_x_fetch(id_or_url: str = "", ids: str = "") -> Dict[str, Any]:
+    """LED-825: fetch tweets from X by id or URL via twttr241 (RapidAPI).
+
+    Inherits the LRU + SQLite cache + budget gate already wired for the
+    social-target scanner, so repeated reads of the same tweet are free.
+
+    Args:
+        id_or_url: A single status id ("2048825010371039648") OR a full
+            x.com / twitter.com URL — the id is extracted automatically.
+            Mutually exclusive with `ids`.
+        ids: Comma-separated list of status ids OR URLs for a batch fetch.
+            Each is normalized to a status id and fetched independently.
+
+    Returns:
+        Single-fetch shape: {id, text, author, author_name, created_at,
+            metrics: {favorite_count, retweet_count, reply_count,
+            quote_count, bookmark_count, view_count}, url, from_cache}
+        Batch shape: {tweets: [<single-shape>, ...], count}
+        Errors: {error: <reason>}
+
+    Why this exists: WebFetch hits 402 on x.com (auth-walled), and going
+    around to tweepy + the X API direct creds skips the cache + budget
+    gate. This tool is the cheap, cached, governable read path.
+    """
+    from ai.social_target import fetch_tweet_by_id, fetch_tweets_by_ids, extract_status_id
+
+    if ids:
+        # Batch mode — accept commas, newlines, or whitespace as separators
+        raw = [r.strip() for r in ids.replace("\n", ",").split(",") if r.strip()]
+        normalized: List[str] = []
+        for item in raw:
+            sid = extract_status_id(item)
+            if sid:
+                normalized.append(sid)
+        if not normalized:
+            return _with_next_steps("x_fetch", {"error": "no valid ids/URLs in `ids`"})
+        results = fetch_tweets_by_ids(normalized)
+        return _with_next_steps("x_fetch", {"tweets": results, "count": len(results)})
+
+    if not id_or_url:
+        return _with_next_steps("x_fetch", {"error": "provide either id_or_url or ids"})
+
+    sid = extract_status_id(id_or_url)
+    if not sid:
+        return _with_next_steps("x_fetch", {"error": f"could not parse status id from {id_or_url!r}"})
+    return _with_next_steps("x_fetch", fetch_tweet_by_id(sid))
+
+
 @mcp.tool()
 def delimit_social_history(limit: int = 20, platform: str = "",
                            user: str = "", subreddit: str = "") -> Dict[str, Any]:
@@ -7985,6 +8111,64 @@ def delimit_social_daemon(action: str = "status") -> Dict[str, Any]:
     else:
         return _with_next_steps("social_daemon", get_daemon_status())
 
+
+@mcp.tool()
+def delimit_self_repair_daemon(action: str = "status") -> Dict[str, Any]:
+    """Control the self-repair watcher daemon (LED-191, internal).
+
+    Polls function KPIs on a cadence (default 1h) and emits founder
+    alerts on fresh breaches. Higher modes (diagnose/deliberate/apply/
+    verify) chain through the watcher when configured per-function in
+    ~/.delimit/self_repair.yaml.
+
+    Idempotent start; circuit-breakered stop after 3 consecutive
+    pass failures. Honors DELIMIT_SELF_REPAIR_PAUSE=1 at every pass
+    without requiring a daemon restart.
+
+    Args:
+        action: 'start' (begin polling), 'stop' (halt polling),
+                'status' (running / last_pass / breaches_emitted /
+                consecutive_failures).
+    """
+    from ai.self_repair_daemon import (
+        start_daemon as _sr_start,
+        stop_daemon as _sr_stop,
+        get_daemon_status as _sr_status,
+    )
+
+    if action == "start":
+        return _with_next_steps("self_repair_daemon", _sr_start())
+    elif action == "stop":
+        return _with_next_steps("self_repair_daemon", _sr_stop())
+    else:
+        return _with_next_steps("self_repair_daemon", _sr_status())
+
+
+# ═══════════════════════════════════════════════════════════════════════
+#  LED-189: Corp dashboard — single-call session-start synthesis
+# ═══════════════════════════════════════════════════════════════════════
+
+
+@mcp.tool()
+def delimit_corp_dashboard() -> Dict[str, Any]:
+    """One-call corp status — replaces the 6-call session-start ritual (LED-189).
+
+    Returns daemon states (systemd + in-process), self-repair status,
+    social/inbox activity, ledger pending counts, agent queue (audit-only),
+    latest session, and a synthesized one-line summary like:
+
+        "Corp status: 3 daemons active (self-repair, inbox, social),
+        12 ledger open, 2 approvals waiting, 4 breaches in 24h."
+
+    Every sub-section is failure-isolated: a partial failure returns
+    {"error": "..."} for that key only and never crashes the whole call.
+    Gateway-only — not shipped in the npm bundle.
+    """
+    from ai.corp_dashboard import get_corp_dashboard
+    result = get_corp_dashboard()
+    return _with_next_steps("corp_dashboard", result)
+
+
 # ═══════════════════════════════════════════════════════════════════════
 #  LED-187: Shareable Governance Config - export / import
 # ═══════════════════════════════════════════════════════════════════════

package/gateway/ai/social_capability/__init__.py

@@ -0,0 +1,6 @@
+"""Social outreach capability-currency module (LED-216 Phase 1).
+
+Curated capability inventory + draft-emit validator. Lives outside
+``ai/social.py`` so the existing module stays focused on draft generation
+and Python doesn't get a package/module name collision.
+"""