delimit-cli 4.5.13 → 4.6.1

package/gateway/ai/delimit_daemon.py

@@ -0,0 +1,67 @@
+"""
+Unified Delimit Daemon (LED-193).
+
+Consolidates three long-running daemons into a single process:
+  - inbox_daemon (5m cadence)
+  - social_daemon (15m cadence)
+  - self_repair_daemon (1h cadence)
+
+Retains the individual modules' internal state files and thread-level
+encapsulation to minimize blast radius and ensure existing MCP interfaces
+(status checks) continue to work without modification.
+"""
+
+import time
+import logging
+import signal
+import sys
+
+from ai.inbox_daemon import start_daemon as start_inbox, stop_daemon as stop_inbox
+from ai.social_daemon import start_daemon as start_social, stop_daemon as stop_social
+from ai.self_repair_daemon import start_daemon as start_self_repair, stop_daemon as stop_self_repair
+
+logging.basicConfig(
+    level=logging.INFO,
+    format="%(asctime)s - %(name)s - %(levelname)s - %(message)s"
+)
+logger = logging.getLogger("delimit.daemon_runner")
+
+def _handle_sigterm(signum, frame):
+    logger.info("Received SIGTERM, shutting down all daemons...")
+    try:
+        stop_inbox()
+    except Exception as e:
+        logger.error(f"Error stopping inbox: {e}")
+    try:
+        stop_social()
+    except Exception as e:
+        logger.error(f"Error stopping social: {e}")
+    try:
+        stop_self_repair()
+    except Exception as e:
+        logger.error(f"Error stopping self_repair: {e}")
+    sys.exit(0)
+
+def main():
+    signal.signal(signal.SIGTERM, _handle_sigterm)
+    signal.signal(signal.SIGINT, _handle_sigterm)
+
+    logger.info("Starting unified delimit_daemon (LED-193)...")
+    
+    inbox_res = start_inbox()
+    logger.info(f"Inbox daemon: {inbox_res.get('status')}")
+    
+    social_res = start_social()
+    logger.info(f"Social daemon: {social_res.get('status')}")
+    
+    repair_res = start_self_repair()
+    logger.info(f"Self-repair daemon: {repair_res.get('status')}")
+
+    try:
+        while True:
+            time.sleep(60)
+    except KeyboardInterrupt:
+        _handle_sigterm(None, None)
+
+if __name__ == "__main__":
+    main()

package/gateway/ai/dispatch_gate.py

@@ -0,0 +1,399 @@
+"""LED-1279: dispatcher anti-duplicate gate.
+
+Before creating a new agent task tagged with an LED ID, check whether any
+local repository's git history already contains a commit referencing that
+LED. If it does, refuse the dispatch and auto-close the LED — yesterday's
+AGT-65A61AD5 wasted three subagent cycles on LEDs already shipped in
+commit 014fb5c (PR #106) on 2026-05-03.
+
+Cost model: each duplicate dispatch burns 5-30 minutes of subagent + orchestrator
+attention. This gate pays for itself within 1-2 future dispatches.
+
+Design notes:
+  - LED-id parsing is conservative: r"LED-\\d+" only. AGT-... and STR-...
+    do not trigger the gate — only operational ledger items.
+  - Repo discovery: prefer caller-supplied list, then fall back to a small
+    static list of canonical Delimit / wire-report / livetube / dv repos.
+    A missing repo logs a warning and is skipped (don't fail dispatch on
+    infra issues — that's a worse failure mode than a false negative).
+  - Match scope: only commits on the *first-parent* line of `main` count
+    as "shipped" so feature-branch WIP that mentions an LED but never
+    merged doesn't trigger a false positive. PR-merge commits qualify.
+  - Time window: only commits with author/commit date >= LED.created_at
+    are considered. An LED can't have been "shipped" before it existed.
+  - Multiple matches: the FIRST match (oldest commit since created_at) wins.
+"""
+
+from __future__ import annotations
+
+import logging
+import re
+import subprocess
+import time
+from datetime import datetime, timezone
+from pathlib import Path
+from typing import Iterable, Optional
+
+logger = logging.getLogger(__name__)
+
+# Default repos to search. Discovered at runtime first via the venture
+# registry; this list is the safety net if discovery returns nothing.
+DEFAULT_REPOS = (
+    "/home/delimit/delimit-gateway",
+    "/home/delimit/delimit-action",
+    "/home/delimit/npm-delimit",
+    "/home/delimit/delimit-ui",
+)
+
+# Conservative LED-id matcher. Plain LED-NNN format.
+LED_ID_RE = re.compile(r"\bLED-(\d+)\b", re.IGNORECASE)
+
+
+def extract_led_id(*texts: str) -> Optional[str]:
+    """Return the first LED-NNN id found in any of the supplied strings.
+
+    Used by the dispatcher to grab the LED tag from title/description/context
+    without forcing callers to plumb it as a separate parameter.
+    """
+    for text in texts:
+        if not text:
+            continue
+        m = LED_ID_RE.search(text)
+        if m:
+            return f"LED-{m.group(1)}"
+    return None
+
+
+def discover_repos() -> list[str]:
+    """Return the list of repo paths to search.
+
+    Reads the venture registry (~/.delimit/ventures.json) and unions in the
+    DEFAULT_REPOS safety net. Filters to existing directories that actually
+    contain a .git subdir — pseudo-ventures pointing at /tmp paths or stale
+    entries get dropped silently.
+    """
+    seen: list[str] = []
+    seen_set: set[str] = set()
+
+    def _add(path: str) -> None:
+        if not path:
+            return
+        p = Path(path).resolve()
+        s = str(p)
+        if s in seen_set:
+            return
+        if not (p / ".git").exists():
+            return
+        seen_set.add(s)
+        seen.append(s)
+
+    # 1. Venture registry — ~/.delimit/ventures.json
+    try:
+        from ai.ledger_manager import VENTURES_FILE  # late import: tests stub VENTURES_FILE
+        import json
+
+        if VENTURES_FILE.exists():
+            ventures = json.loads(VENTURES_FILE.read_text())
+            for info in ventures.values():
+                _add(info.get("path", ""))
+    except Exception as e:  # pragma: no cover — best effort
+        logger.debug("dispatch_gate: venture registry read failed: %s", e)
+
+    # 2. Safety net defaults
+    for path in DEFAULT_REPOS:
+        _add(path)
+
+    return seen
+
+
+def _parse_iso_z(value: str) -> Optional[datetime]:
+    """Parse an ISO-8601 timestamp (with optional trailing Z) to a tz-aware UTC datetime."""
+    if not value:
+        return None
+    v = value.strip()
+    if v.endswith("Z"):
+        v = v[:-1] + "+00:00"
+    try:
+        dt = datetime.fromisoformat(v)
+    except ValueError:
+        return None
+    if dt.tzinfo is None:
+        dt = dt.replace(tzinfo=timezone.utc)
+    return dt.astimezone(timezone.utc)
+
+
+def _git_log_first_parent_grep(
+    repo: str,
+    led_id: str,
+    since_iso: Optional[str],
+    timeout_sec: float = 8.0,
+) -> list[tuple[str, str, str]]:
+    """Run `git log --first-parent main` filtered by --grep=<led_id>.
+
+    Returns a list of (sha, iso_date, subject) tuples, oldest first. Empty
+    list if the repo isn't a git checkout, the ref doesn't exist, or git
+    times out / errors. Errors are logged at DEBUG; we never raise — a
+    missing repo must NOT fail dispatch.
+    """
+    repo_path = Path(repo)
+    if not (repo_path / ".git").exists():
+        logger.debug("dispatch_gate: repo missing or not a git checkout: %s", repo)
+        return []
+
+    cmd = [
+        "git",
+        "-C",
+        str(repo_path),
+        "log",
+        "--first-parent",
+        "main",
+        f"--grep={led_id}",
+        "-i",  # case-insensitive grep — match LED-1208 / led-1208 / Led-1208
+        "--pretty=%H%x09%cI%x09%s",
+        "--reverse",  # oldest first so [0] is the FIRST match
+    ]
+    if since_iso:
+        cmd.append(f"--since={since_iso}")
+
+    try:
+        result = subprocess.run(
+            cmd,
+            capture_output=True,
+            text=True,
+            timeout=timeout_sec,
+            check=False,
+        )
+    except (subprocess.TimeoutExpired, FileNotFoundError, OSError) as e:
+        logger.warning("dispatch_gate: git log failed for %s: %s", repo, e)
+        return []
+
+    if result.returncode != 0:
+        # Try `master` as fallback for repos that haven't renamed yet, but
+        # only for the specific "unknown revision" failure — anything else
+        # is a real error we should silently skip.
+        stderr = result.stderr or ""
+        if "unknown revision" in stderr.lower() or "ambiguous argument 'main'" in stderr.lower():
+            cmd[5] = "master"
+            try:
+                result = subprocess.run(
+                    cmd, capture_output=True, text=True, timeout=timeout_sec, check=False
+                )
+            except (subprocess.TimeoutExpired, FileNotFoundError, OSError) as e:
+                logger.warning("dispatch_gate: git log master fallback failed for %s: %s", repo, e)
+                return []
+            if result.returncode != 0:
+                logger.debug("dispatch_gate: git log non-zero for %s: %s", repo, result.stderr)
+                return []
+        else:
+            logger.debug("dispatch_gate: git log non-zero for %s: %s", repo, result.stderr)
+            return []
+
+    matches: list[tuple[str, str, str]] = []
+    for line in (result.stdout or "").splitlines():
+        if not line:
+            continue
+        parts = line.split("\t", 2)
+        if len(parts) < 3:
+            continue
+        matches.append((parts[0], parts[1], parts[2]))
+    return matches
+
+
+def is_led_already_shipped(
+    led_id: str,
+    created_at: str = "",
+    repos: Optional[Iterable[str]] = None,
+) -> tuple[bool, Optional[dict]]:
+    """Search the given repos for a commit on `main`'s first-parent line that
+    mentions ``led_id`` and was committed at or after ``created_at``.
+
+    Args:
+        led_id: e.g. "LED-1208" — must be the bare ID, not "LED-1208 fix something".
+        created_at: ISO-8601 timestamp of when the LED was opened. Commits
+            older than this are treated as unrelated mentions and ignored.
+            Empty string disables the time filter (used by the sweep, which
+            is willing to accept older matches at the cost of false positives).
+        repos: optional iterable of repo paths. Defaults to discover_repos().
+
+    Returns:
+        (shipped: bool, details: dict | None)
+        details, when shipped, is:
+            {
+                "repo": "/home/delimit/delimit-gateway",
+                "sha": "014fb5c...",
+                "short_sha": "014fb5c",
+                "date": "2026-05-03T17:13:45-04:00",
+                "subject": "fix(self-repair): ...",
+            }
+    """
+    if not led_id or not LED_ID_RE.fullmatch(led_id):
+        return False, None
+
+    # Normalize LED ID to canonical "LED-NNN" so the grep is consistent.
+    norm_id = led_id.upper()
+
+    repo_list = list(repos) if repos is not None else discover_repos()
+    if not repo_list:
+        return False, None
+
+    since_iso: Optional[str] = None
+    since_dt = _parse_iso_z(created_at) if created_at else None
+    if since_dt is not None:
+        since_iso = since_dt.strftime("%Y-%m-%dT%H:%M:%S%z")
+
+    # Collect first match per repo, then pick the globally-oldest.
+    candidates: list[tuple[str, str, str, str]] = []
+    for repo in repo_list:
+        rows = _git_log_first_parent_grep(repo, norm_id, since_iso)
+        if not rows:
+            continue
+        # rows are oldest-first; defensively re-check the bare-id token is
+        # in the subject — `git log --grep` would already match but a stray
+        # "LED-12080" could match LED-1208's pattern if regex was loose.
+        # Our LED_ID_RE uses \b boundaries so we're safe; double-check anyway.
+        for sha, date_iso, subject in rows:
+            if not LED_ID_RE.search(subject):
+                continue
+            if since_dt is not None:
+                commit_dt = _parse_iso_z(date_iso)
+                if commit_dt is not None and commit_dt < since_dt:
+                    continue
+            # Verify the LED token in the subject actually equals our target.
+            tokens = {f"LED-{m.group(1)}" for m in LED_ID_RE.finditer(subject)}
+            if norm_id not in tokens:
+                continue
+            candidates.append((repo, sha, date_iso, subject))
+            break  # first match per repo
+
+    if not candidates:
+        return False, None
+
+    # Pick the oldest (smallest commit date) across all repos.
+    candidates.sort(key=lambda t: t[2])
+    repo, sha, date_iso, subject = candidates[0]
+    return True, {
+        "repo": repo,
+        "sha": sha,
+        "short_sha": sha[:7],
+        "date": date_iso,
+        "subject": subject,
+    }
+
+
+def auto_close_shipped_led(led_id: str, details: dict) -> dict:
+    """Mark an already-shipped LED as done with a note pointing to the commit.
+
+    Wraps ``ai.ledger_manager.update_item`` so the dispatcher's refusal path
+    has a single call site. Errors here MUST NOT propagate — if ledger update
+    fails for whatever reason (stale registry, missing file), we still want
+    to refuse the dispatch.
+    """
+    try:
+        from ai.ledger_manager import update_item
+
+        note = (
+            f"Auto-closed by dispatcher gate (LED-1279): shipped in "
+            f"{details.get('repo','?')}@{details.get('short_sha','?')} on "
+            f"{details.get('date','?')}. "
+            f"Refused duplicate AGT dispatch."
+        )
+        result = update_item(
+            item_id=led_id,
+            status="done",
+            note=note,
+            worked_by="dispatcher-gate",
+        )
+        return {"updated": True, "result": result}
+    except Exception as e:  # pragma: no cover — defensive
+        logger.warning("dispatch_gate: auto-close of %s failed: %s", led_id, e)
+        return {"updated": False, "error": str(e)}
+
+
+def evaluate_dispatch(
+    title: str,
+    description: str = "",
+    context: str = "",
+    led_created_at: str = "",
+    repos: Optional[Iterable[str]] = None,
+) -> Optional[dict]:
+    """Run the gate: extract an LED id, check if shipped, return refusal payload or None.
+
+    Returns:
+        - None when dispatch should proceed (no LED tag, or LED not shipped).
+        - A refusal dict when dispatch should be blocked:
+            {
+                "status": "refused",
+                "reason": "led_already_shipped",
+                "led_id": "LED-1208",
+                "shipped_in": {"repo": ..., "sha": ..., "short_sha": ..., "date": ..., "subject": ...},
+                "auto_close": {...},
+                "message": "...",
+            }
+    """
+    led_id = extract_led_id(title, description, context)
+    if not led_id:
+        return None  # No LED tag — orchestrator may dispatch generic work.
+
+    shipped, details = is_led_already_shipped(
+        led_id, created_at=led_created_at, repos=repos
+    )
+    if not shipped or not details:
+        return None
+
+    auto_close = auto_close_shipped_led(led_id, details)
+    return {
+        "status": "refused",
+        "reason": "led_already_shipped",
+        "led_id": led_id,
+        "shipped_in": details,
+        "auto_close": auto_close,
+        "message": (
+            f"Refused: {led_id} already shipped in "
+            f"{details['repo']}@{details['short_sha']} on {details['date'][:10]} "
+            f"({details['subject'][:80]}). LED auto-closed."
+        ),
+    }
+
+
+def lookup_led_created_at(led_id: str) -> str:
+    """Look up the LED's created_at across all known ledger files.
+
+    Returns the original-create timestamp (genesis row, not the latest update).
+    Empty string when the LED isn't found anywhere — the gate then runs without
+    the time filter, accepting the small false-positive risk.
+    """
+    if not led_id:
+        return ""
+    norm = led_id.upper()
+    try:
+        from ai.ledger_manager import LEDGER_V2_DIR
+    except Exception:
+        return ""
+
+    if not LEDGER_V2_DIR.exists():
+        return ""
+
+    import json
+
+    # Walk every ledger file under ledger-v2/* looking for the genesis row.
+    for jsonl in LEDGER_V2_DIR.rglob("*.jsonl"):
+        try:
+            with open(jsonl, "r") as f:
+                for line in f:
+                    line = line.strip()
+                    if not line:
+                        continue
+                    try:
+                        row = json.loads(line)
+                    except json.JSONDecodeError:
+                        continue
+                    if row.get("id") != norm:
+                        continue
+                    if row.get("type") == "update":
+                        continue  # only the genesis row carries created_at-of-LED
+                    ts = row.get("created_at", "")
+                    if ts:
+                        return ts
+        except OSError:
+            continue
+    return ""

package/gateway/ai/governance.py

@@ -13,7 +13,10 @@ This replaces _with_next_steps — governance IS the next step system.
 import json
 import logging
 import os
+import re
+import subprocess
 import time
+from datetime import datetime, timezone
 from pathlib import Path
 from typing import Any, Dict, List, Optional
 
@@ -826,6 +829,184 @@ def govern(tool_name: str, result: Dict[str, Any], project_path: str = ".") -> D
     return governed_result
 
 
+# ─────────────────────────────────────────────────────────────────────
+# LED-2214b-followup — sensor_github_issue sync impl
+# ─────────────────────────────────────────────────────────────────────
+#
+# The outreach daemon's monitor_phase needs to call the same logic that
+# delimit_sensor_github_issue (MCP tool) runs, but synchronously and
+# without the _with_next_steps wrapping. Before this extraction the
+# daemon tried to import the impl from two paths that don't exist —
+# `ai.governance._sensor_github_issue_impl` and
+# `backends.governance_bridge.sensor_github_issue` — and silently fell
+# back to "monitor skipped" on every tick, leaving the entire reply-
+# tracking cycle dead.
+#
+# Now both callers share this function. The MCP tool wraps the result
+# with `_with_next_steps`; the daemon consumes the raw dict.
+
+_NEGATIVE_KEYWORDS = (
+    "not interested", "won't be", "will not", "don't need", "do not need",
+    "no thanks", "pass on", "not a fit", "not for us", "closing",
+    "won't adopt", "will not adopt", "reject", "declined",
+)
+
+_REPO_FORMAT_RE = re.compile(r"^[\w.-]+/[\w.-]+$")
+
+# Module-local guard so the warning fires at most once per process.
+_REPO_ALLOWLIST_WARNED = False
+
+
+def _check_repo_allowlist(repo: str) -> Optional[Dict[str, Any]]:
+    """Return a refusal dict if the repo isn't in DELIMIT_ALLOWED_REPOS.
+
+    Duplicates the logic of ai.server._check_repo_allowlist intentionally:
+    importing from ai.server would create a circular import (server.py
+    imports from governance). Mirror with care — both copies must stay
+    in sync until LED-216 splits the allowlist into its own module.
+    """
+    global _REPO_ALLOWLIST_WARNED
+    allowlist_raw = os.environ.get("DELIMIT_ALLOWED_REPOS", "").strip()
+    if not allowlist_raw:
+        if not _REPO_ALLOWLIST_WARNED:
+            logger.warning(
+                "DELIMIT_ALLOWED_REPOS unset — sensor_github_issue calls "
+                "pass through to gh api using the caller's token."
+            )
+            _REPO_ALLOWLIST_WARNED = True
+        return None
+    allowed = {entry.strip().lower() for entry in allowlist_raw.split(",") if entry.strip()}
+    if (repo or "").strip().lower() not in allowed:
+        return {
+            "error": "repo_not_allowlisted",
+            "repo": repo,
+            "allowed": sorted(allowed),
+            "hint": (
+                "Repo not in DELIMIT_ALLOWED_REPOS. Add it or use a tool "
+                "that does not reach external APIs."
+            ),
+        }
+    return None
+
+
+def _sensor_github_issue_impl(
+    repo: str,
+    issue_number: int,
+    since_comment_id: int = 0,
+) -> Dict[str, Any]:
+    """Sync implementation of the sensor_github_issue MCP tool.
+
+    Returns the RAW result dict (no _with_next_steps wrapping). Callers
+    that want the MCP wrapping apply it themselves. Returns
+    ``{"error": ..., "has_new_activity": False}`` on any failure mode
+    rather than raising — the outreach daemon's monitor loop relies on
+    fail-soft behavior so one bad LED doesn't kill the whole tick.
+
+    Result schema (success path):
+      {
+        "repo": str, "issue_number": str,
+        "signal": {id, venture, metric, source, timestamp, severity},
+        "issue_state": "open" | "closed" | "unknown",
+        "new_comments": [{id, author, created_at, body}, ...],
+        "latest_comment_id": int,
+        "total_comments": int,
+        "has_new_activity": bool,
+      }
+    """
+    # Validate inputs — defense-in-depth even though subprocess.run with
+    # list argv (no shell=True) makes classic injection inert.
+    if not _REPO_FORMAT_RE.match(repo or ""):
+        return {"error": f"Invalid repo format: {repo!r}. Use owner/repo.",
+                "has_new_activity": False}
+    if ".." in repo:
+        return {"error": "Invalid repo: path traversal sequences not allowed",
+                "has_new_activity": False}
+    if not isinstance(issue_number, int) or issue_number <= 0:
+        return {"error": f"Invalid issue number: {issue_number}",
+                "has_new_activity": False}
+
+    refusal = _check_repo_allowlist(repo)
+    if refusal is not None:
+        refusal.setdefault("has_new_activity", False)
+        return refusal
+
+    try:
+        # Fetch comments
+        comments_jq = (
+            "[.[] | {id: .id, author: .user.login, "
+            "created_at: .created_at, body: (.body | .[0:500])}]"
+        )
+        comments_proc = subprocess.run(
+            ["gh", "api",
+             f"repos/{repo}/issues/{issue_number}/comments",
+             "--jq", comments_jq],
+            capture_output=True, text=True, timeout=30,
+        )
+        if comments_proc.returncode != 0:
+            return {
+                "error": f"gh api comments failed: {(comments_proc.stderr or '').strip()[:200]}",
+                "has_new_activity": False,
+            }
+        all_comments = json.loads(comments_proc.stdout) if comments_proc.stdout.strip() else []
+        new_comments = [c for c in all_comments if c.get("id", 0) > since_comment_id]
+
+        # Fetch issue state
+        issue_jq = "{state: .state, labels: [.labels[].name], reactions: .reactions.total_count}"
+        issue_proc = subprocess.run(
+            ["gh", "api",
+             f"repos/{repo}/issues/{issue_number}",
+             "--jq", issue_jq],
+            capture_output=True, text=True, timeout=30,
+        )
+        if issue_proc.returncode != 0:
+            return {
+                "error": f"gh api issue failed: {(issue_proc.stderr or '').strip()[:200]}",
+                "has_new_activity": False,
+            }
+        issue_info = json.loads(issue_proc.stdout) if issue_proc.stdout.strip() else {}
+        issue_state = issue_info.get("state", "unknown")
+
+        # Severity classification — green default; amber on closed; red on
+        # negative keyword in any new comment body.
+        severity = "green"
+        combined_body = " ".join(c.get("body", "") or "" for c in new_comments).lower()
+        has_negative = any(kw in combined_body for kw in _NEGATIVE_KEYWORDS)
+        if has_negative:
+            severity = "red"
+        elif issue_state == "closed":
+            severity = "amber"
+
+        latest_comment_id = max((c.get("id", 0) for c in all_comments), default=since_comment_id)
+        repo_key = repo.replace("/", "_")
+
+        return {
+            "repo": repo,
+            "issue_number": str(issue_number),
+            "signal": {
+                "id": f"sensor:github_issue:{repo_key}:{issue_number}",
+                "venture": "delimit",
+                "metric": "outreach_issue_activity",
+                "source": f"https://github.com/{repo}/issues/{issue_number}",
+                "timestamp": datetime.now(timezone.utc).isoformat(),
+                "severity": severity,
+            },
+            "issue_state": issue_state,
+            "new_comments": new_comments,
+            "latest_comment_id": latest_comment_id,
+            "total_comments": len(all_comments),
+            "has_new_activity": len(new_comments) > 0,
+        }
+    except subprocess.TimeoutExpired:
+        return {"error": "gh command timed out after 30s",
+                "has_new_activity": False}
+    except json.JSONDecodeError as exc:
+        return {"error": f"Failed to parse gh output: {exc}",
+                "has_new_activity": False}
+    except Exception as exc:  # noqa: BLE001 — sensor must fail soft
+        logger.error("sensor_github_issue impl error: %s", exc)
+        return {"error": str(exc), "has_new_activity": False}
+
+
 def _deep_get(d: Dict, key: str) -> Any:
     """Get a value from a dict, supporting nested keys with dots."""
     if "." in key: