delimit-cli 4.5.12 → 4.6.0

package/gateway/ai/dispatch_gate.py

@@ -0,0 +1,399 @@
+"""LED-1279: dispatcher anti-duplicate gate.
+
+Before creating a new agent task tagged with an LED ID, check whether any
+local repository's git history already contains a commit referencing that
+LED. If it does, refuse the dispatch and auto-close the LED — yesterday's
+AGT-65A61AD5 wasted three subagent cycles on LEDs already shipped in
+commit 014fb5c (PR #106) on 2026-05-03.
+
+Cost model: each duplicate dispatch burns 5-30 minutes of subagent + orchestrator
+attention. This gate pays for itself within 1-2 future dispatches.
+
+Design notes:
+  - LED-id parsing is conservative: r"LED-\\d+" only. AGT-... and STR-...
+    do not trigger the gate — only operational ledger items.
+  - Repo discovery: prefer caller-supplied list, then fall back to a small
+    static list of canonical Delimit / wire-report / livetube / dv repos.
+    A missing repo logs a warning and is skipped (don't fail dispatch on
+    infra issues — that's a worse failure mode than a false negative).
+  - Match scope: only commits on the *first-parent* line of `main` count
+    as "shipped" so feature-branch WIP that mentions an LED but never
+    merged doesn't trigger a false positive. PR-merge commits qualify.
+  - Time window: only commits with author/commit date >= LED.created_at
+    are considered. An LED can't have been "shipped" before it existed.
+  - Multiple matches: the FIRST match (oldest commit since created_at) wins.
+"""
+
+from __future__ import annotations
+
+import logging
+import re
+import subprocess
+import time
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Iterable, Optional
+
+logger = logging.getLogger(__name__)
+
+# Default repos to search. Discovered at runtime first via the venture
+# registry; this list is the safety net if discovery returns nothing.
+DEFAULT_REPOS = (
+    "/home/delimit/delimit-gateway",
+    "/home/delimit/delimit-action",
+    "/home/delimit/npm-delimit",
+    "/home/delimit/delimit-ui",
+)
+
+# Conservative LED-id matcher. Plain LED-NNN format.
+LED_ID_RE = re.compile(r"\bLED-(\d+)\b", re.IGNORECASE)
+
+
+def extract_led_id(*texts: str) -> Optional[str]:
+    """Return the first LED-NNN id found in any of the supplied strings.
+
+    Used by the dispatcher to grab the LED tag from title/description/context
+    without forcing callers to plumb it as a separate parameter.
+    """
+    for text in texts:
+        if not text:
+            continue
+        m = LED_ID_RE.search(text)
+        if m:
+            return f"LED-{m.group(1)}"
+    return None
+
+
+def discover_repos() -> list[str]:
+    """Return the list of repo paths to search.
+
+    Reads the venture registry (~/.delimit/ventures.json) and unions in the
+    DEFAULT_REPOS safety net. Filters to existing directories that actually
+    contain a .git subdir — pseudo-ventures pointing at /tmp paths or stale
+    entries get dropped silently.
+    """
+    seen: list[str] = []
+    seen_set: set[str] = set()
+
+    def _add(path: str) -> None:
+        if not path:
+            return
+        p = Path(path).resolve()
+        s = str(p)
+        if s in seen_set:
+            return
+        if not (p / ".git").exists():
+            return
+        seen_set.add(s)
+        seen.append(s)
+
+    # 1. Venture registry — ~/.delimit/ventures.json
+    try:
+        from ai.ledger_manager import VENTURES_FILE  # late import: tests stub VENTURES_FILE
+        import json
+
+        if VENTURES_FILE.exists():
+            ventures = json.loads(VENTURES_FILE.read_text())
+            for info in ventures.values():
+                _add(info.get("path", ""))
+    except Exception as e:  # pragma: no cover — best effort
+        logger.debug("dispatch_gate: venture registry read failed: %s", e)
+
+    # 2. Safety net defaults
+    for path in DEFAULT_REPOS:
+        _add(path)
+
+    return seen
+
+
+def _parse_iso_z(value: str) -> Optional[datetime]:
+    """Parse an ISO-8601 timestamp (with optional trailing Z) to a tz-aware UTC datetime."""
+    if not value:
+        return None
+    v = value.strip()
+    if v.endswith("Z"):
+        v = v[:-1] + "+00:00"
+    try:
+        dt = datetime.fromisoformat(v)
+    except ValueError:
+        return None
+    if dt.tzinfo is None:
+        dt = dt.replace(tzinfo=timezone.utc)
+    return dt.astimezone(timezone.utc)
+
+
+def _git_log_first_parent_grep(
+    repo: str,
+    led_id: str,
+    since_iso: Optional[str],
+    timeout_sec: float = 8.0,
+) -> list[tuple[str, str, str]]:
+    """Run `git log --first-parent main` filtered by --grep=<led_id>.
+
+    Returns a list of (sha, iso_date, subject) tuples, oldest first. Empty
+    list if the repo isn't a git checkout, the ref doesn't exist, or git
+    times out / errors. Errors are logged at DEBUG; we never raise — a
+    missing repo must NOT fail dispatch.
+    """
+    repo_path = Path(repo)
+    if not (repo_path / ".git").exists():
+        logger.debug("dispatch_gate: repo missing or not a git checkout: %s", repo)
+        return []
+
+    cmd = [
+        "git",
+        "-C",
+        str(repo_path),
+        "log",
+        "--first-parent",
+        "main",
+        f"--grep={led_id}",
+        "-i",  # case-insensitive grep — match LED-1208 / led-1208 / Led-1208
+        "--pretty=%H%x09%cI%x09%s",
+        "--reverse",  # oldest first so [0] is the FIRST match
+    ]
+    if since_iso:
+        cmd.append(f"--since={since_iso}")
+
+    try:
+        result = subprocess.run(
+            cmd,
+            capture_output=True,
+            text=True,
+            timeout=timeout_sec,
+            check=False,
+        )
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError) as e:
+        logger.warning("dispatch_gate: git log failed for %s: %s", repo, e)
+        return []
+
+    if result.returncode != 0:
+        # Try `master` as fallback for repos that haven't renamed yet, but
+        # only for the specific "unknown revision" failure — anything else
+        # is a real error we should silently skip.
+        stderr = result.stderr or ""
+        if "unknown revision" in stderr.lower() or "ambiguous argument 'main'" in stderr.lower():
+            cmd[5] = "master"
+            try:
+                result = subprocess.run(
+                    cmd, capture_output=True, text=True, timeout=timeout_sec, check=False
+                )
+            except (subprocess.TimeoutExpired, FileNotFoundError, OSError) as e:
+                logger.warning("dispatch_gate: git log master fallback failed for %s: %s", repo, e)
+                return []
+            if result.returncode != 0:
+                logger.debug("dispatch_gate: git log non-zero for %s: %s", repo, result.stderr)
+                return []
+        else:
+            logger.debug("dispatch_gate: git log non-zero for %s: %s", repo, result.stderr)
+            return []
+
+    matches: list[tuple[str, str, str]] = []
+    for line in (result.stdout or "").splitlines():
+        if not line:
+            continue
+        parts = line.split("\t", 2)
+        if len(parts) < 3:
+            continue
+        matches.append((parts[0], parts[1], parts[2]))
+    return matches
+
+
+def is_led_already_shipped(
+    led_id: str,
+    created_at: str = "",
+    repos: Optional[Iterable[str]] = None,
+) -> tuple[bool, Optional[dict]]:
+    """Search the given repos for a commit on `main`'s first-parent line that
+    mentions ``led_id`` and was committed at or after ``created_at``.
+
+    Args:
+        led_id: e.g. "LED-1208" — must be the bare ID, not "LED-1208 fix something".
+        created_at: ISO-8601 timestamp of when the LED was opened. Commits
+            older than this are treated as unrelated mentions and ignored.
+            Empty string disables the time filter (used by the sweep, which
+            is willing to accept older matches at the cost of false positives).
+        repos: optional iterable of repo paths. Defaults to discover_repos().
+
+    Returns:
+        (shipped: bool, details: dict | None)
+        details, when shipped, is:
+            {
+                "repo": "/home/delimit/delimit-gateway",
+                "sha": "014fb5c...",
+                "short_sha": "014fb5c",
+                "date": "2026-05-03T17:13:45-04:00",
+                "subject": "fix(self-repair): ...",
+            }
+    """
+    if not led_id or not LED_ID_RE.fullmatch(led_id):
+        return False, None
+
+    # Normalize LED ID to canonical "LED-NNN" so the grep is consistent.
+    norm_id = led_id.upper()
+
+    repo_list = list(repos) if repos is not None else discover_repos()
+    if not repo_list:
+        return False, None
+
+    since_iso: Optional[str] = None
+    since_dt = _parse_iso_z(created_at) if created_at else None
+    if since_dt is not None:
+        since_iso = since_dt.strftime("%Y-%m-%dT%H:%M:%S%z")
+
+    # Collect first match per repo, then pick the globally-oldest.
+    candidates: list[tuple[str, str, str, str]] = []
+    for repo in repo_list:
+        rows = _git_log_first_parent_grep(repo, norm_id, since_iso)
+        if not rows:
+            continue
+        # rows are oldest-first; defensively re-check the bare-id token is
+        # in the subject — `git log --grep` would already match but a stray
+        # "LED-12080" could match LED-1208's pattern if regex was loose.
+        # Our LED_ID_RE uses \b boundaries so we're safe; double-check anyway.
+        for sha, date_iso, subject in rows:
+            if not LED_ID_RE.search(subject):
+                continue
+            if since_dt is not None:
+                commit_dt = _parse_iso_z(date_iso)
+                if commit_dt is not None and commit_dt < since_dt:
+                    continue
+            # Verify the LED token in the subject actually equals our target.
+            tokens = {f"LED-{m.group(1)}" for m in LED_ID_RE.finditer(subject)}
+            if norm_id not in tokens:
+                continue
+            candidates.append((repo, sha, date_iso, subject))
+            break  # first match per repo
+
+    if not candidates:
+        return False, None
+
+    # Pick the oldest (smallest commit date) across all repos.
+    candidates.sort(key=lambda t: t[2])
+    repo, sha, date_iso, subject = candidates[0]
+    return True, {
+        "repo": repo,
+        "sha": sha,
+        "short_sha": sha[:7],
+        "date": date_iso,
+        "subject": subject,
+    }
+
+
+def auto_close_shipped_led(led_id: str, details: dict) -> dict:
+    """Mark an already-shipped LED as done with a note pointing to the commit.
+
+    Wraps ``ai.ledger_manager.update_item`` so the dispatcher's refusal path
+    has a single call site. Errors here MUST NOT propagate — if ledger update
+    fails for whatever reason (stale registry, missing file), we still want
+    to refuse the dispatch.
+    """
+    try:
+        from ai.ledger_manager import update_item
+
+        note = (
+            f"Auto-closed by dispatcher gate (LED-1279): shipped in "
+            f"{details.get('repo','?')}@{details.get('short_sha','?')} on "
+            f"{details.get('date','?')}. "
+            f"Refused duplicate AGT dispatch."
+        )
+        result = update_item(
+            item_id=led_id,
+            status="done",
+            note=note,
+            worked_by="dispatcher-gate",
+        )
+        return {"updated": True, "result": result}
+    except Exception as e:  # pragma: no cover — defensive
+        logger.warning("dispatch_gate: auto-close of %s failed: %s", led_id, e)
+        return {"updated": False, "error": str(e)}
+
+
+def evaluate_dispatch(
+    title: str,
+    description: str = "",
+    context: str = "",
+    led_created_at: str = "",
+    repos: Optional[Iterable[str]] = None,
+) -> Optional[dict]:
+    """Run the gate: extract an LED id, check if shipped, return refusal payload or None.
+
+    Returns:
+        - None when dispatch should proceed (no LED tag, or LED not shipped).
+        - A refusal dict when dispatch should be blocked:
+            {
+                "status": "refused",
+                "reason": "led_already_shipped",
+                "led_id": "LED-1208",
+                "shipped_in": {"repo": ..., "sha": ..., "short_sha": ..., "date": ..., "subject": ...},
+                "auto_close": {...},
+                "message": "...",
+            }
+    """
+    led_id = extract_led_id(title, description, context)
+    if not led_id:
+        return None  # No LED tag — orchestrator may dispatch generic work.
+
+    shipped, details = is_led_already_shipped(
+        led_id, created_at=led_created_at, repos=repos
+    )
+    if not shipped or not details:
+        return None
+
+    auto_close = auto_close_shipped_led(led_id, details)
+    return {
+        "status": "refused",
+        "reason": "led_already_shipped",
+        "led_id": led_id,
+        "shipped_in": details,
+        "auto_close": auto_close,
+        "message": (
+            f"Refused: {led_id} already shipped in "
+            f"{details['repo']}@{details['short_sha']} on {details['date'][:10]} "
+            f"({details['subject'][:80]}). LED auto-closed."
+        ),
+    }
+
+
+def lookup_led_created_at(led_id: str) -> str:
+    """Look up the LED's created_at across all known ledger files.
+
+    Returns the original-create timestamp (genesis row, not the latest update).
+    Empty string when the LED isn't found anywhere — the gate then runs without
+    the time filter, accepting the small false-positive risk.
+    """
+    if not led_id:
+        return ""
+    norm = led_id.upper()
+    try:
+        from ai.ledger_manager import LEDGER_V2_DIR
+    except Exception:
+        return ""
+
+    if not LEDGER_V2_DIR.exists():
+        return ""
+
+    import json
+
+    # Walk every ledger file under ledger-v2/* looking for the genesis row.
+    for jsonl in LEDGER_V2_DIR.rglob("*.jsonl"):
+        try:
+            with open(jsonl, "r") as f:
+                for line in f:
+                    line = line.strip()
+                    if not line:
+                        continue
+                    try:
+                        row = json.loads(line)
+                    except json.JSONDecodeError:
+                        continue
+                    if row.get("id") != norm:
+                        continue
+                    if row.get("type") == "update":
+                        continue  # only the genesis row carries created_at-of-LED
+                    ts = row.get("created_at", "")
+                    if ts:
+                        return ts
+        except OSError:
+            continue
+    return ""

package/gateway/ai/hot_reload.py

@@ -35,11 +35,10 @@ import logging
 import os
 import sys
 import threading
-import time
 import traceback
 from datetime import datetime, timezone
 from pathlib import Path
-from typing import Any, Callable, Dict, List, Optional, Set
+from typing import Any, Dict, List, Optional, Set
 
 logger = logging.getLogger("delimit.ai.hot_reload")
 

package/gateway/ai/led193_daemon/executor.py

@@ -346,11 +346,17 @@ def execute_format_fix(
         return out
     ok, reason = _ensure_clean_worktree(repo_path, runner=runner)
     if not ok:
+        # Precondition mismatch (worktree dirty), not a profile failure.
+        # Mark skipped so the consecutive-failure breaker doesn't trip.
+        out.result = "skipped"
         out.reason = reason
         return out
 
     cmd = _detect_format_command(repo_path)
     if cmd is None:
+        # Repo has no formatter config — daemon can't run, but this is
+        # a setup gap not an executor failure. Skip rather than fail.
+        out.result = "skipped"
         out.reason = "no_formatter_detected"
         return out
 
@@ -429,11 +435,13 @@ def execute_lockfile_refresh(
         return out
     ok, reason = _ensure_clean_worktree(repo_path, runner=runner)
     if not ok:
+        out.result = "skipped"
         out.reason = reason
         return out
 
     detected = _detect_lockfile_command(repo_path)
     if detected is None:
+        out.result = "skipped"
         out.reason = "no_lockfile_or_manager_detected"
         return out
     cmd, _lockfile = detected
@@ -551,6 +559,7 @@ def execute_docs_typo(
         return out
     ok, reason = _ensure_clean_worktree(repo_path, runner=runner)
     if not ok:
+        out.result = "skipped"
         out.reason = reason
         return out
 

package/gateway/ai/ledger_manager.py

@@ -619,7 +619,16 @@ def update_item(
         if due_date:
             update["due_date"] = due_date
         if labels is not None:
+            # LED-2221: write to both `labels` and `tags`. The list_items
+            # reconstruction (around line ~870) merges update events into
+            # current state by checking the `tags` key only. Writing only
+            # `labels` silently drops the update at read time, which in
+            # particular meant the build daemon's `autonomous-build` tag
+            # check could never see tags written through the MCP. Keeping
+            # `labels` for any external consumer that reads the raw event
+            # stream; adding `tags` so the live state aggregator picks it up.
             update["labels"] = labels
+            update["tags"] = labels
         if blocked_by:
             update["blocked_by"] = blocked_by
         if blocks:

package/gateway/ai/license_core.pyi

@@ -1,42 +1,38 @@
 # This file was generated by Nuitka
 
 # Stubs included by default
-from __future__ import annotations
+import time
+import json
+import os
 from pathlib import Path
 import hashlib
-import json
-import time
 
-LICENSE_FILE = Path.home() / '.delimit' / 'license.json'
-USAGE_FILE = Path.home() / '.delimit' / 'usage.json'
-LS_VALIDATE_URL = 'https://api.lemonsqueezy.com/v1/licenses/validate'
-REVALIDATION_INTERVAL = 30 * 86400
-GRACE_PERIOD = 7 * 86400
-HARD_BLOCK = 14 * 86400
-PRO_TOOLS = frozenset({'delimit_gov_health', 'delimit_gov_status', 'delimit_gov_evaluate', 'delimit_gov_policy', 'delimit_gov_run', 'delimit_gov_verify', 'delimit_deploy_plan', 'delimit_deploy_build', 'delimit_deploy_publish', 'delimit_deploy_verify', 'delimit_deploy_rollback', 'delimit_deploy_site', 'delimit_deploy_npm', 'delimit_memory_store', 'delimit_memory_search', 'delimit_memory_recent', 'delimit_vault_search', 'delimit_vault_snapshot', 'delimit_vault_health', 'delimit_evidence_collect', 'delimit_evidence_verify', 'delimit_deliberate', 'delimit_models', 'delimit_obs_metrics', 'delimit_obs_logs', 'delimit_obs_status', 'delimit_release_plan', 'delimit_release_status', 'delimit_release_sync', 'delimit_cost_analyze', 'delimit_cost_optimize', 'delimit_cost_alert'})
-FREE_TRIAL_LIMITS = {'delimit_deliberate': 3}
+PRO_TOOLS = frozenset({'delimit_gov_evaluate', 'delimit_gov_policy', 'delimit_gov_run', 'delimit_gov_verify', 'delimit_os_plan', 'delimit_os_status', 'delimit_os_gates', 'delimit_deploy_plan', 'delimit_deploy_build', 'delimit_deploy_publish', 'delimit_deploy_verify', 'delimit_deploy_rollback', 'delimit_deploy_status', 'delimit_deploy_site', 'delimit_deploy_npm', 'delimit_memory_search', 'delimit_vault_search', 'delimit_vault_snapshot', 'delimit_vault_health', 'delimit_evidence_collect', 'delimit_evidence_verify', 'delimit_deliberate', 'delimit_models', 'delimit_obs_metrics', 'delimit_obs_logs', 'delimit_obs_status', 'delimit_release_plan', 'delimit_release_status', 'delimit_release_sync', 'delimit_cost_analyze', 'delimit_cost_optimize', 'delimit_cost_alert', 'delimit_social_post', 'delimit_social_generate', 'delimit_social_history', 'delimit_screen_record', 'delimit_screenshot', 'delimit_notify', 'delimit_agent_dispatch', 'delimit_agent_status', 'delimit_agent_complete', 'delimit_agent_handoff', 'delimit_executor'})
+def needs_revalidation(data: dict) -> bool:
+    ...
+def revalidate_license(data: dict) -> dict:
+    ...
+def is_license_valid(data: dict) -> bool:
+    ...
+def _write_license(data: dict) -> None:
+    ...
+def _call_lemon_squeezy(data: dict) -> bool | None:
+    ...
 def load_license() -> dict:
     ...
-
 def check_premium() -> bool:
     ...
-
 def gate_tool(tool_name: str) -> dict | None:
     ...
-
 def activate(key: str) -> dict:
     ...
-
 def _revalidate(data: dict) -> dict:
     ...
-
 def _get_monthly_usage(tool_name: str) -> int:
     ...
-
 def _increment_usage(tool_name: str) -> int:
     ...
 
-
 __name__ = ...
 
 
@@ -44,7 +40,9 @@ __name__ = ...
 # Modules used internally, to allow implicit dependencies to be seen:
 import hashlib
 import json
+import os
 import time
 import pathlib
 import urllib
-import urllib.request
+import urllib.request
+import re

package/gateway/ai/notify.py

@@ -919,6 +919,45 @@ def send_email(
             "intent_logged": True,
         }
 
+    # RFC 2606 reserved test domains — never relay. A test fixture in
+    # tests/test_notify_routing.py once passed email_to="lead@example.com"
+    # through to a real SMTP send, generating 220 spam-bounces against
+    # pro@delimit.ai before the fixture was patched. Refuse here so any
+    # future regression fails fast instead of silently poisoning sender rep.
+    # Tests that mock smtplib can set DELIMIT_ALLOW_TEST_RECIPIENTS=1 to
+    # bypass this guard since their mocked transport doesn't actually relay.
+    _RFC2606_TEST_DOMAINS = (
+        "example.com", "example.net", "example.org",
+        "test", "invalid", "localhost",
+    )
+    recipient_domain = smtp_to.rsplit("@", 1)[-1].strip().lower()
+    is_reserved = (
+        recipient_domain in _RFC2606_TEST_DOMAINS
+        or recipient_domain.endswith(".example")
+        or recipient_domain.endswith(".test")
+        or recipient_domain.endswith(".invalid")
+        or recipient_domain.endswith(".localhost")
+    )
+    if is_reserved and not os.environ.get("DELIMIT_ALLOW_TEST_RECIPIENTS"):
+        record = {
+            "channel": "email",
+            "event_type": event_type,
+            "to": smtp_to,
+            "from": smtp_from,
+            "subject": subject,
+            "timestamp": timestamp,
+            "success": False,
+            "reason": "reserved_test_domain",
+        }
+        _record_notification(record)
+        return {
+            "channel": "email",
+            "delivered": False,
+            "timestamp": timestamp,
+            "error": f"Refusing to send: '{smtp_to}' is an RFC 2606 reserved test domain.",
+            "intent_logged": True,
+        }
+
     subj = subject or f"Delimit: {event_type or 'Notification'}"
     html_body = _render_html_email(subj, email_body, event_type)