delimit-cli 4.5.12 → 4.6.0

package/CHANGELOG.md

@@ -1,6 +1,51 @@
 # Changelog
 
 
+## [4.6.0] - 2026-05-15
+
+### Added — Codex CLI + Gemini CLI auto-trigger directives (LED-1399)
+
+`delimit setup` now installs governance directives at the **verified-effective**
+locations for Codex CLI and Gemini CLI, closing the gap where users of those
+CLIs got the delimit MCP server wired but **not** the auto-trigger behaviors
+(`delimit_test_smoke` after edits, `delimit_repo_diagnose` before commit, etc.)
+that Claude Code users already get.
+
+**What changed:**
+- **Codex CLI**: writes `~/AGENTS.md` (verified against the Codex binary spec —
+  Codex auto-loads `AGENTS.md` "from CWD up to the root"). The previous
+  `~/.codex/instructions.md` write was dead code; Codex never read that path.
+- **Gemini CLI**: writes `~/.gemini/GEMINI.md` (verified against the gemini-cli
+  bundle: `return ["GEMINI.md"]` is the discovery list; the global tier is
+  `~/.gemini/GEMINI.md`).
+- Both gated on the respective CLI being installed (directory exists OR
+  `which` finds the binary). Both use the existing managed-section markers
+  (`<!-- delimit:start -->` / `<!-- delimit:end -->`) so user content is
+  preserved on upgrade per the LED-1257 customer-protection rule.
+
+**Backwards-compat:** existing `~/.codex/instructions.md` files from prior
+installs are NOT removed (harmless dead config; deleting could clobber user
+customizations around our managed section).
+
+### Other changes
+
+- **server.json merge-gate framing** (LED-2178): formal merge-gate framing in
+  the public server.json descriptor.
+- **Memory Rules in `delimit init` template** (STR-143): the init-generated
+  CLAUDE.md now includes the canonical Memory Rules section.
+- Documentation refreshes: cross-agent-handoff worked example surfaced on README,
+  test-count badge bumped, misleading version stamps removed.
+
+### Known issue (pre-existing, fix tracked)
+
+- **`delimit attest mcp` exit codes** (LED-1403): on tool error (e.g. no
+  lockfile → npm audit unavailable) and unknown attestation kind, the CLI
+  currently returns exit 1 instead of the expected exit 2. CI/CD pipelines
+  that gate on tier-2 (treating "tool unavailable" as a hard error vs.
+  "fail" which is a soft check) should pin this expectation. Tracked for
+  fix in a follow-up release.
+
+
 ## [4.5.2] - 2026-05-02
 
 ### Hardened — `postinstall.js` never-block-install guard (LED-1188)

package/README.md

@@ -5,10 +5,10 @@
 Wrap any AI coding assistant (Claude Code, Codex, Cursor, Gemini CLI) with a governance chain that runs your gates, records what changed, and signs a replayable receipt for every merge.
 
 [![npm](https://img.shields.io/npm/v/delimit-cli)](https://www.npmjs.com/package/delimit-cli)
-[![Tests](https://img.shields.io/badge/tests-1640%2B%20passing-brightgreen)](https://github.com/delimit-ai/delimit-mcp-server)
+[![Tests](https://img.shields.io/badge/tests-4800%2B%20passing-brightgreen)](https://github.com/delimit-ai/delimit-mcp-server)
 [![GitHub Action](https://img.shields.io/badge/GitHub%20Action-latest-blue)](https://github.com/marketplace/actions/delimit-api-governance)
 [![License: MIT](https://img.shields.io/badge/License-MIT-blue.svg)](https://opensource.org/licenses/MIT)
-[![Glama](https://glama.ai/mcp/servers/delimit-ai/delimit/badge)](https://glama.ai/mcp/servers/delimit-ai/delimit)
+[![Glama Score](https://glama.ai/mcp/servers/delimit-ai/delimit-mcp-server/badges/score.svg)](https://glama.ai/mcp/servers/delimit-ai/delimit-mcp-server/score)
 
 ```console
 $ delimit wrap -- claude "fix the flaky test in tests/api.spec.ts"
@@ -32,8 +32,9 @@ Every wrapped run emits a `delimit.attestation.v1` bundle: repo head before/afte
 
 ## See it in action
 
-Worked example, real OSS repo, every claim verifiable:
+Worked examples, real artifacts, every claim verifiable:
 
+- **[Cross-agent handoff: one artifact, four CLIs](https://delimit.ai/reports/cross-agent-handoff)**: structured session handoff between Claude Code, Codex, Cursor, and Gemini CLI through a single JSON record at `~/.delimit/sessions/`. Persistent context across sessions, same artifact across four CLIs.
 - **[cal.com v2 API attestation](https://delimit.ai/reports/cal-com-v2-attestation)**: full diff, signed verdict, replayable bundle. Runs the same chain you get on day one.
 
 For the schema and signing methodology behind every report, see **[delimit.ai/methodology/mcp-attestation](https://delimit.ai/methodology/mcp-attestation)**.
@@ -86,7 +87,7 @@ npx delimit-cli init        # Sets up governance + drift baseline
 
 ---
 
-## What's New in v4.3
+## What's New
 
 *Gate every AI-assisted invocation. Ship the receipts.*
 
@@ -114,9 +115,9 @@ delimit ai-sbom -o ./ai-sbom.json
 #   → components: 4 models detected, 187 gates run
 ```
 
-## What's New in v4.20
+## Earlier releases
 
-*The highest state of AI governance.*
+*The highest state of AI governance — earlier features still active.*
 
 - **`delimit doctor`** -- 14 prescriptive diagnostics. Every failure prints the exact command to fix it. `--ci` for pipelines, `--fix` for auto-repair.
 - **`delimit simulate`** -- policy dry-run. See what would be blocked before you commit. The `terraform plan` for API governance.
@@ -257,7 +258,7 @@ npx delimit-cli models --status                   # Show current model config
 npx delimit-cli status                           # Compact dashboard of your Delimit setup
 npx delimit-cli doctor                           # Check setup health
 npx delimit-cli uninstall --dry-run              # Preview removal
-npx delimit-cli wrap -- claude -p "..."          # Gate any AI-assisted CLI + signed attestation (v4.3)
+npx delimit-cli wrap -- claude -p "..."          # Gate any AI-assisted CLI + signed attestation
 npx delimit-cli wrap --max-time 60 -- codex "..."# With kill switch + handoff on timeout
 npx delimit-cli trust-page -o ./trust            # Render attestations into a static trust page
 npx delimit-cli ai-sbom -o ./ai-sbom.json        # Build a CycloneDX-AI bill of materials
@@ -419,4 +420,4 @@ If you spot another code path that could phone home without disclosure, file an
 - [npm](https://www.npmjs.com/package/delimit-cli) -- CLI package
 - [Pricing](https://delimit.ai/pricing) -- free tier + Pro
 
-MIT License
+MIT License

package/bin/delimit-cli.js

@@ -69,7 +69,7 @@ function normalizeNaturalLanguageArgs(argv) {
     const explicitCommands = new Set([
         'install', 'mode', 'status', 'session', 'build', 'ask', 'policy', 'auth', 'audit',
         'explain-decision', 'uninstall', 'proxy', 'hook', 'version', 'vault', 'deliberate',
-        'remember', 'recall', 'forget', 'report'
+        'remember', 'recall', 'forget', 'report', 'signin', 'signout', 'activate'
     ]);
     if (explicitCommands.has((raw[0] || '').toLowerCase())) {
         return raw;
@@ -5653,6 +5653,140 @@ program
         } catch {}
     });
 
+// ---------------------------------------------------------------------------
+// LED-2100: `delimit signin` — capture delimit.ai OAuth bearer token so the
+// hosted-deliberation tier (LED-2092) can authenticate from the CLI. The
+// token is written to ~/.delimit/auth.json (mode 0600) where the gateway
+// reads it via deliberation.py::_read_oauth_token. Existing keys in
+// auth.json (e.g. from `delimit auth`) are preserved.
+//
+// Surface contract (do not change without coordinating with the gateway):
+//   - Writes `delimit_token` and `access_token` (same value, dual-key for
+//     compatibility with the gateway resolver's preferred-then-fallback read)
+//   - Writes `signed_in_at` (ISO8601) and `email` (when supplied)
+//   - Distinct from `delimit activate <key>` which writes license.json for
+//     the Pro license-key flow. Sign-in is OAuth-bearer-token only.
+//
+// Default flow is paste-token (works in headless / SSH sessions). The
+// browser-callback flow is a follow-up once delimit.ai/account/cli ships
+// the cli-aware redirect endpoint.
+// ---------------------------------------------------------------------------
+program
+    .command('signin')
+    .description('Sign in to delimit.ai to enable hosted multi-model deliberation')
+    .option('--token <token>', 'Provide the bearer token directly (skip prompt)')
+    .option('--email <email>', 'Associate the token with an email address')
+    .option('--status', 'Print current sign-in status without changes')
+    .action(async (options) => {
+        const { writeAuthToken, readCurrentToken, authFilePath } = require('../lib/auth-signin');
+
+        if (options.status) {
+            const token = readCurrentToken();
+            if (!token) {
+                console.log(chalk.yellow('  Not signed in.'));
+                console.log(chalk.dim(`  Run: delimit signin`));
+                process.exit(1);
+            }
+            console.log(chalk.green('  Signed in.'));
+            console.log(chalk.dim(`  Auth file: ${authFilePath()}`));
+            return;
+        }
+
+        let token = (options.token || process.env.DELIMIT_AUTH_TOKEN || '').trim();
+        let email = (options.email || '').trim();
+
+        if (!token) {
+            console.log(chalk.blue.bold('\n  Delimit sign-in\n'));
+            console.log('  1. Open: ' + chalk.cyan('https://delimit.ai/account/cli'));
+            console.log('  2. Sign in and copy your CLI token');
+            console.log('  3. Paste it below\n');
+
+            const answers = await inquirer.prompt([
+                {
+                    type: 'password',
+                    name: 'token',
+                    message: 'Paste token:',
+                    mask: '*',
+                    validate: (input) => {
+                        const v = (input || '').trim();
+                        if (!v) return 'Token cannot be empty.';
+                        if (v.length < 16) return 'Token looks too short — copy the full string from delimit.ai/account/cli.';
+                        return true;
+                    },
+                },
+                {
+                    type: 'input',
+                    name: 'email',
+                    message: 'Email (optional, for display only):',
+                    default: '',
+                },
+            ]);
+            token = (answers.token || '').trim();
+            email = email || (answers.email || '').trim();
+        }
+
+        try {
+            const result = writeAuthToken({ token, email });
+            console.log('');
+            if (email) {
+                console.log(chalk.green(`  Signed in as ${email}. Hosted deliberation enabled.`));
+            } else {
+                console.log(chalk.green('  Signed in. Hosted deliberation enabled.'));
+            }
+            console.log(chalk.dim(`  Auth file: ${result.path} (mode 0600)`));
+            if (result.merged) {
+                console.log(chalk.dim('  Existing auth.json keys preserved.'));
+            }
+            console.log(chalk.dim('  To sign out: delimit signout'));
+            console.log('');
+        } catch (err) {
+            console.error(chalk.red(`  Sign-in failed: ${err.message}`));
+            process.exit(1);
+        }
+    });
+
+// ---------------------------------------------------------------------------
+// LED-2106: `delimit signout` — remove the OAuth bearer token written by
+// `delimit signin` (LED-2100) without clobbering the legacy bookkeeping
+// keys (configured / timestamp / tools) written by `delimit auth`. Today
+// users sign out via `rm ~/.delimit/auth.json` which wipes everything;
+// this command scrubs only the OAuth-related keys.
+//
+// Surface contract:
+//   - Removes ONLY: delimit_token, access_token, signed_in_at, email
+//   - Preserves: every other key (e.g. configured, timestamp, tools)
+//   - Deletes auth.json entirely if it has no remaining keys after scrub
+//   - Idempotent: safe to run when not signed in (prints "Not signed in.")
+// ---------------------------------------------------------------------------
+program
+    .command('signout')
+    .description('Sign out of delimit.ai (removes the hosted-deliberation token)')
+    .action(async () => {
+        const { removeAuthToken } = require('../lib/auth-signout');
+        try {
+            const result = removeAuthToken();
+            if (!result.changed) {
+                console.log(chalk.yellow('  Not signed in.'));
+                return;
+            }
+            console.log('');
+            if (result.email) {
+                console.log(chalk.green(`  Signed out (${result.email}).`));
+            } else {
+                console.log(chalk.green('  Signed out.'));
+            }
+            if (result.deleted) {
+                console.log(chalk.dim(`  Removed: ${result.path}`));
+            } else {
+                console.log(chalk.dim(`  Auth file: ${result.path} (other keys preserved)`));
+            }
+            console.log('');
+        } catch (err) {
+            console.error(chalk.red(`  Sign-out failed: ${err.message}`));
+            process.exit(1);
+        }
+    });
+
 // ---------------------------------------------------------------------------
 // LED-187: Export governance config as shareable JSON
 // ---------------------------------------------------------------------------
@@ -5842,6 +5976,21 @@ program
     .option('--mode <mode>', 'Deliberation mode: quick | dialogue | debate', 'dialogue')
     .option('--question <q>', 'Question to deliberate (alternative to positional arg)')
     .action(async (questionParts, options) => {
+        // LED-2095: one-time migration banner for Free + BYOK users to
+        // surface the LED-2092 / LED-2093 ephemeral-Free-tier change.
+        // This fires on the first deliberation-adjacent call after the
+        // upgrade and never again on this machine.
+        try {
+            const { maybeShowMigrationBanner } = require('../lib/migration-2092-banner');
+            const banner = maybeShowMigrationBanner();
+            if (banner.shown) {
+                console.log(chalk.yellow(banner.text));
+            }
+        } catch {
+            // Banner is purely informational; never block deliberation
+            // because of a flag-file write or models.json read error.
+        }
+
         const question = options.question || (questionParts.length > 0 ? questionParts.join(' ') : null);
 
         if (options.list) {
@@ -6058,6 +6207,18 @@ program
     .description('Configure deliberation model API keys (BYOK)')
     .option('--status', 'Show current model configuration (non-interactive)')
     .action(async (options) => {
+        // LED-2095: deliberation-adjacent surface — also a valid trigger
+        // point for the one-time migration banner. See lib/migration-2092-banner.js.
+        try {
+            const { maybeShowMigrationBanner } = require('../lib/migration-2092-banner');
+            const banner = maybeShowMigrationBanner();
+            if (banner.shown) {
+                console.log(chalk.yellow(banner.text));
+            }
+        } catch {
+            // Banner is informational; never block the command on banner errors.
+        }
+
         const config = loadModelsConfig();
 
         // --status: non-interactive output

package/bin/delimit-setup.js

@@ -633,12 +633,52 @@ Run full governance compliance checks. Verify security, policy compliance, evide
         log(`  ${dim('  CLAUDE.md already up to date')}`);
     }
 
-    // Codex instructions
-    const codexInstructions = path.join(os.homedir(), '.codex', 'instructions.md');
-    if (fs.existsSync(path.join(os.homedir(), '.codex'))) {
-        const codexResult = upsertDelimitSection(codexInstructions);
-        if (codexResult.action !== 'unchanged') {
-            log(`  ${green('✓')} ${codexResult.action === 'created' ? 'Created' : 'Updated'} ${codexInstructions}`);
+    // Codex instructions: AGENTS.md is the file Codex CLI auto-loads
+    // ("from CWD up to the root", per Codex binary spec). The previous
+    // ~/.codex/instructions.md write was dead code — Codex never read it.
+    // LED-1399: install ~/AGENTS.md (parallels ~/CLAUDE.md) when codex CLI
+    // is present so user-home-rooted sessions pick up governance triggers.
+    const codexHome = path.join(os.homedir(), '.codex');
+    let hasCodex = fs.existsSync(codexHome);
+    if (!hasCodex) {
+        try { execSync('which codex 2>/dev/null', { stdio: 'pipe' }); hasCodex = true; } catch {}
+    }
+    if (hasCodex) {
+        const agentsMd = path.join(os.homedir(), 'AGENTS.md');
+        const agentsResult = upsertDelimitSection(agentsMd);
+        if (agentsResult.action === 'created') {
+            await logp(`  ${green('✓')} Created ${agentsMd} (Codex CLI auto-loads from CWD up to home)`);
+        } else if (agentsResult.action === 'updated') {
+            await logp(`  ${green('✓')} Updated Delimit section in ${agentsMd}`);
+        } else if (agentsResult.action === 'appended') {
+            await logp(`  ${green('✓')} Appended Delimit section to ${agentsMd} (user content preserved)`);
+        } else {
+            log(`  ${dim('  AGENTS.md already up to date')}`);
+        }
+    }
+
+    // Gemini CLI: GEMINI.md is the auto-loaded instruction file
+    // (~/.gemini/GEMINI.md is the user-global tier per Gemini CLI bundle).
+    // LED-1399: install when Gemini CLI is present so governance triggers
+    // fire across-projects without per-repo setup.
+    const geminiHome = path.join(os.homedir(), '.gemini');
+    let hasGemini = fs.existsSync(geminiHome);
+    if (!hasGemini) {
+        try { execSync('which gemini 2>/dev/null', { stdio: 'pipe' }); hasGemini = true; } catch {}
+    }
+    if (hasGemini) {
+        // Ensure ~/.gemini exists before writing the user-global GEMINI.md.
+        try { fs.mkdirSync(geminiHome, { recursive: true, mode: 0o755 }); } catch {}
+        const geminiMd = path.join(geminiHome, 'GEMINI.md');
+        const geminiResult = upsertDelimitSection(geminiMd);
+        if (geminiResult.action === 'created') {
+            await logp(`  ${green('✓')} Created ${geminiMd} (Gemini CLI user-global instructions)`);
+        } else if (geminiResult.action === 'updated') {
+            await logp(`  ${green('✓')} Updated Delimit section in ${geminiMd}`);
+        } else if (geminiResult.action === 'appended') {
+            await logp(`  ${green('✓')} Appended Delimit section to ${geminiMd} (user content preserved)`);
+        } else {
+            log(`  ${dim('  GEMINI.md already up to date')}`);
         }
     }
 

package/gateway/ai/_compile_status.py

@@ -0,0 +1,154 @@
+"""LED-2087 Phase 1a — proprietary-module compilation status helper.
+
+Customers can run on the Python source fallback (slower; no compiled-
+attestation parity) when the platform-appropriate ``.so`` /``.pyd``
+isn't shipped in their bundle. The 3 proprietary modules
+(``license_core``, ``deliberation``, ``governance``) each get this
+treatment via the LED-1259 warn-and-fallback path for ``license_core``
+and (post-LED-2087-phase-1a) the same introspection here for the
+other two.
+
+This module is intentionally minimal-surface:
+- No modification of the proprietary source modules
+- No new MCP tool added to the customer-facing surface
+- One INFO-level log line at gateway startup (silent on the happy
+  Linux x86_64 / py3.10 path where all three are native-loaded)
+- Importable status helper for tests + future replay tooling
+"""
+from __future__ import annotations
+
+import importlib
+import logging
+from typing import Dict, Iterable, List, Optional, Tuple
+
+logger = logging.getLogger("delimit.ai._compile_status")
+
+# Modules audited by this helper. Each tuple is (import_name, friendly_label).
+# ai.license_core already has the LED-1259 warn-and-fallback path in
+# ai/license.py — we still introspect it here for the consolidated
+# startup report.
+PROPRIETARY_MODULES: Tuple[Tuple[str, str], ...] = (
+    ("ai.license_core", "license_core"),
+    ("ai.deliberation", "deliberation"),
+    ("ai.governance", "governance"),
+)
+
+# Extensions Python uses for native compiled modules across platforms.
+# .so   — Linux + macOS
+# .pyd  — Windows
+# .dylib — macOS dynamic libs (Python typically uses .so on macOS too,
+#         but include for defensive coverage)
+_NATIVE_EXTS: Tuple[str, ...] = (".so", ".pyd", ".dylib")
+
+
+def is_native_compiled(import_name: str) -> Optional[bool]:
+    """Return True if the named module loaded from a native binary
+    (``.so`` / ``.pyd`` / ``.dylib``), False if it loaded from
+    ``.py`` source, or None if the module isn't importable at all.
+
+    Pure introspection — no side effects beyond the import call itself.
+    The import is harmless: if the module is already imported (almost
+    always true at gateway startup) ``importlib`` returns the cached
+    module without re-executing.
+    """
+    try:
+        mod = importlib.import_module(import_name)
+    except ImportError:
+        return None
+    path = getattr(mod, "__file__", "") or ""
+    if not path:
+        # Some build pipelines produce modules without ``__file__``
+        # (e.g. frozen modules). Conservatively treat as "unknown but
+        # importable" — surface as None so callers don't assume either
+        # native or source state.
+        return None
+    for ext in _NATIVE_EXTS:
+        if path.endswith(ext):
+            return True
+    if path.endswith(".py"):
+        return False
+    # Unknown extension (e.g. .pyc) — conservatively treat as not-native.
+    return False
+
+
+def compilation_status_report(
+    modules: Iterable[Tuple[str, str]] = PROPRIETARY_MODULES,
+) -> Dict[str, str]:
+    """Return ``{friendly_label: status}`` for each module.
+
+    Status values:
+      - ``"native"``  — loaded from .so / .pyd / .dylib
+      - ``"source"``  — loaded from .py (fallback path)
+      - ``"missing"`` — module not importable at all
+      - ``"unknown"`` — importable but ``__file__`` unrecognized
+
+    Used by the startup logger + tests + future status-query tooling.
+    Deterministic given the same set of imported modules + the same
+    platform (no clock-dependent state).
+    """
+    report: Dict[str, str] = {}
+    for import_name, label in modules:
+        native = is_native_compiled(import_name)
+        if native is True:
+            report[label] = "native"
+        elif native is False:
+            # Distinguish source-known-extension from unknown.
+            try:
+                mod = importlib.import_module(import_name)
+                path = getattr(mod, "__file__", "") or ""
+                report[label] = "source" if path.endswith(".py") else "unknown"
+            except ImportError:
+                # Should not happen post-is_native_compiled returning False,
+                # but cover the race anyway.
+                report[label] = "missing"
+        else:
+            report[label] = "missing"
+    return report
+
+
+def log_compilation_status_on_startup(
+    modules: Iterable[Tuple[str, str]] = PROPRIETARY_MODULES,
+) -> None:
+    """Emit one log line summarizing the proprietary-module load state.
+
+    Silent on the happy path (Linux x86_64 / Python 3.10 dev box where
+    all three modules are native-loaded — actually emits INFO, but
+    the message clearly says "all native" so ops can scan past).
+
+    Calls this exactly once at gateway server startup. Idempotent: if
+    a future caller invokes it twice, both emissions show the same
+    state because is_native_compiled is pure.
+    """
+    report = compilation_status_report(modules)
+    native = [label for label, status in report.items() if status == "native"]
+    source = [label for label, status in report.items() if status == "source"]
+    missing = [label for label, status in report.items() if status == "missing"]
+    unknown = [label for label, status in report.items() if status == "unknown"]
+
+    if not source and not missing and not unknown:
+        logger.info(
+            "[LED-2087] proprietary modules native-loaded: %s",
+            ", ".join(native) if native else "(none)",
+        )
+        return
+
+    # Customer-facing: ANY non-native module gets surfaced clearly so the
+    # operator knows performance / attestation parity is degraded for
+    # those specific modules. This is the LED-1259 warn-and-fallback
+    # pattern extended to deliberation + governance.
+    fragments: List[str] = []
+    if native:
+        fragments.append(f"native={','.join(native)}")
+    if source:
+        fragments.append(f"source-fallback={','.join(source)}")
+    if missing:
+        fragments.append(f"missing={','.join(missing)}")
+    if unknown:
+        fragments.append(f"unknown={','.join(unknown)}")
+    logger.warning(
+        "[LED-2087] proprietary-module load state — %s. Source-fallback "
+        "and missing modules run Python source path (slower; no compiled-"
+        "attestation parity). Cross-platform binaries land per the "
+        "LED-2087 Phase 1 build matrix.",
+        " ".join(fragments),
+    )

package/gateway/ai/agent_dispatch.py

@@ -161,6 +161,42 @@ def dispatch_task(
     if priority not in VALID_PRIORITIES:
         return {"error": f"priority must be one of: {', '.join(sorted(VALID_PRIORITIES))}"}
 
+    # LED-1279: anti-duplicate gate. If the title/description/context tags an
+    # LED that's already been shipped (i.e. there's a commit on main mentioning
+    # the LED with date >= LED.created_at), refuse the dispatch and auto-close
+    # the LED. Yesterday's AGT-65A61AD5 wasted three subagent cycles on
+    # LED-1208/9/10, all of which had been shipped in commit 014fb5c on
+    # 2026-05-03. This gate prevents that class of duplicate.
+    try:
+        from ai.dispatch_gate import evaluate_dispatch, extract_led_id, lookup_led_created_at
+
+        led_id_for_gate = extract_led_id(title, description, context)
+        if led_id_for_gate:
+            led_created_at = lookup_led_created_at(led_id_for_gate)
+            refusal = evaluate_dispatch(
+                title=title,
+                description=description,
+                context=context,
+                led_created_at=led_created_at,
+            )
+            if refusal is not None:
+                _append_audit({
+                    "action": "dispatch_refused_shipped",
+                    "title": stripped,
+                    "led_id": refusal.get("led_id"),
+                    "shipped_in": refusal.get("shipped_in", {}).get("short_sha"),
+                    "shipped_repo": refusal.get("shipped_in", {}).get("repo"),
+                })
+                return refusal
+    except Exception as e:  # pragma: no cover — gate must never crash dispatch
+        # If the gate itself blows up, log it and proceed — losing a dispatch
+        # to a gate bug is a worse failure mode than the duplicate it would
+        # have caught.
+        _append_audit({
+            "action": "dispatch_gate_error",
+            "error": str(e)[:200],
+        })
+
     tasks = _load_tasks()
 
     normalized_external_key = external_key.strip()