delimit-cli 4.6.0 → 4.6.2

package/CHANGELOG.md

@@ -1,6 +1,66 @@
 # Changelog
 
 
+## [4.6.1] - 2026-05-22
+
+Patch release: bundle hygiene + gateway sync carrying 7 upstream improvements.
+
+### Fixed
+
+- **`delimit setup hooks`** (LED-1207, #100): bypass broken `npx` fallback in
+  the pre-commit / pre-push hook generator. Fresh installs now produce hooks
+  that work even when the npm-resolved `delimit` shim is absent from `PATH`
+  (the fallback used to fail silently and produce no-op hooks).
+
+### Improved (carried from the gateway)
+
+These ship inside the gateway/ tree that bundles with delimit-cli. They are
+in effect for anyone running the MCP server from a 4.6.1 install:
+
+- **Cross-post dedup for Reddit drafts** — same-author + same-normalized-title
+  within a 7-day window dedupes manual re-submits across subreddits. Reddit's
+  native `crosspost_parent` field is *also* now captured: when set, an O(1)
+  fingerprint lookup catches the native cross-post case before the heuristic.
+  Two-layer coverage: native UI cross-posts (rare, O(1)) + manual re-submits
+  (common, O(N)).
+
+- **Inline follow-up draft in reply-alert emails** — both Reddit reply-alerts
+  and GitHub outreach-reply-alerts now ship with a pre-composed, voice-matched
+  follow-up reply inside the email body. The original "Draft a follow-up
+  reply and post from mobile" sentinel remains as graceful degradation if
+  the drafter falls through. Designed for mobile copy-paste-and-post flow.
+
+- **STR-195 binding founder decisions auto-injected into `delimit_deliberate`** —
+  when a panel question touches a venture name or decision keyword, matching
+  `feedback_*.md` memories surface as a `BINDING FOUNDER DECISIONS — CANNOT BE
+  RE-LITIGATED` block prepended to the panel context. Closed decisions stop
+  getting re-argued every deliberation. Memory walk is mtime-cached; portfolio
+  anchors can be extended via `~/.delimit/social_target_ventures.json` for
+  Pro users whose ventures aren't in the default delimit-portfolio set.
+
+- **`delimit_security_audit` false-positive elimination** (LED-1278 (c)):
+  token-handling code (`const token = readCurrentToken()`,
+  `const token = (options.token || process.env.X)`) no longer trips the
+  `generic_secret` detector. Provider-specific detectors (aws_access_key,
+  github_token, jwt_token, sk-proj API key) remain fully armed. Verified
+  against a regression-guard test set including real AKIA, ghp_, JWT, and
+  bearer-token literal shapes.
+
+### Chores
+
+- **Excluded dev-only build scripts from the customer tarball** (#101):
+  `build-license-core.sh`, `security-check.sh`, and `test-license-core-so.sh`
+  are publish-time hooks invoked from `prepublishOnly`; they never ran on
+  customer installs. Removed from the published bundle (166 → 163 files,
+  ~10KB unpacked) and closed the meta-leak where the scripts' own
+  leak-detection grep patterns contained the patterns they protected against.
+
+### Documentation
+
+- **Retract incorrect 4.6.0 'known issue' line** (LED-1403): the prior
+  CHANGELOG entry referenced a regression that did not actually ship.
+
+
 ## [4.6.0] - 2026-05-15
 
 ### Added — Codex CLI + Gemini CLI auto-trigger directives (LED-1399)
@@ -36,14 +96,17 @@ customizations around our managed section).
 - Documentation refreshes: cross-agent-handoff worked example surfaced on README,
   test-count badge bumped, misleading version stamps removed.
 
-### Known issue (pre-existing, fix tracked)
-
-- **`delimit attest mcp` exit codes** (LED-1403): on tool error (e.g. no
-  lockfile → npm audit unavailable) and unknown attestation kind, the CLI
-  currently returns exit 1 instead of the expected exit 2. CI/CD pipelines
-  that gate on tier-2 (treating "tool unavailable" as a hard error vs.
-  "fail" which is a soft check) should pin this expectation. Tracked for
-  fix in a follow-up release.
+### Known issue (pre-existing, fix tracked) — **RETRACTED 2026-05-15**
+
+> ~~**`delimit attest mcp` exit codes** (LED-1403): on tool error (e.g. no
+> lockfile → npm audit unavailable) and unknown attestation kind, the CLI
+> currently returns exit 1 instead of the expected exit 2.~~
+>
+> **Retraction:** the original report was a phantom test failure caused by a
+> corrupted local git worktree (LED-1401), not a real CLI bug. On a clean
+> clone, all 6 `attest-mcp` test suites pass and the CLI returns the correct
+> exit codes (0 pass+skip / 1 fail / 2 error per STR-656). LED-1403 closed
+> `not_reproducible`. No customer action required.
 
 
 ## [4.5.2] - 2026-05-02

package/bin/delimit-cli.js

@@ -4629,9 +4629,19 @@ program
         const prePushPath = path.join(hooksDir, 'pre-push');
         const marker = '# delimit-governance-hook';
 
-        // Resolution order: local node_modules → global PATH → npx fallback.
-        // npx is last because it can fail with Arborist 'extraneous' errors
-        // when a project's node_modules / lockfile drift (LED-1248).
+        // Resolution order: local node_modules → global PATH →
+        // global node_modules direct → npx fallback.
+        //
+        // npx is the LAST resort because on some npm-arborist environments
+        // it crashes with "Cannot read properties of undefined (reading
+        // 'extraneous')" before reaching the CLI (LED-1207, LED-1248). That
+        // failure mode silently breaks the gate and forces --no-verify,
+        // which violates the no-silent-no-verify rule.
+        //
+        // The third tier (`node $(npm root -g)/delimit-cli/bin/delimit-cli.js`)
+        // catches the case where delimit-cli is globally installed but its bin
+        // shim isn't on PATH (npm-installed-but-symlink-missing, fresh CI
+        // containers, etc.) — bypassing npm/npx entirely.
         const preCommitHook = `#!/bin/sh
 ${marker}
 # Delimit API governance gate
@@ -4640,6 +4650,8 @@ if [ -x ./node_modules/.bin/delimit-cli ]; then
   ./node_modules/.bin/delimit-cli check --staged
 elif command -v delimit-cli >/dev/null 2>&1; then
   delimit-cli check --staged
+elif _delimit_global="$(npm root -g 2>/dev/null)/delimit-cli/bin/delimit-cli.js" && [ -f "$_delimit_global" ]; then
+  node "$_delimit_global" check --staged
 else
   npx delimit-cli check --staged
 fi
@@ -4653,6 +4665,8 @@ if [ -x ./node_modules/.bin/delimit-cli ]; then
   ./node_modules/.bin/delimit-cli check --base origin/main
 elif command -v delimit-cli >/dev/null 2>&1; then
   delimit-cli check --base origin/main
+elif _delimit_global="$(npm root -g 2>/dev/null)/delimit-cli/bin/delimit-cli.js" && [ -f "$_delimit_global" ]; then
+  node "$_delimit_global" check --base origin/main
 else
   npx delimit-cli check --base origin/main
 fi
@@ -6902,12 +6916,43 @@ program
             results = results.filter(m => m.tags && m.tags.some(t => t.includes(tagFilter)));
         }
 
-        // Filter by query (case-insensitive substring on text + tags)
+        // Filter by query — tokenized OR-match on text + tags + context.
+        // Previously this required the entire query as one contiguous
+        // substring (haystack.includes(query)), so any multi-word query
+        // returned zero hits. Now we split on whitespace and keep an entry
+        // if it matches at least one token, then rank by the number of
+        // distinct tokens matched (descending), tie-broken by recency.
         if (query) {
-            results = results.filter(m => {
-                const haystack = (m.text + ' ' + (m.tags || []).join(' ')).toLowerCase();
-                return haystack.includes(query);
+            const tokens = query.split(/\s+/).filter(Boolean);
+            const scored = [];
+            for (const m of results) {
+                const haystack = (
+                    (m.text || '') + ' ' +
+                    (m.tags || []).join(' ') + ' ' +
+                    (m.context || '')
+                ).toLowerCase();
+                let matched = 0;
+                let occurrences = 0;
+                for (const tok of tokens) {
+                    const c = haystack.split(tok).length - 1;
+                    if (c > 0) {
+                        matched += 1;
+                        occurrences += c;
+                    }
+                }
+                if (matched >= 1) {
+                    scored.push({ mem: m, matched, occurrences });
+                }
+            }
+            // Rank: most tokens matched, then most occurrences, then recency.
+            scored.sort((a, b) => {
+                if (b.matched !== a.matched) return b.matched - a.matched;
+                if (b.occurrences !== a.occurrences) return b.occurrences - a.occurrences;
+                const at = new Date(a.mem.created_at || a.mem.created || 0).getTime();
+                const bt = new Date(b.mem.created_at || b.mem.created || 0).getTime();
+                return bt - at;
             });
+            results = scored.map(s => s.mem);
         }
 
         // Unless --all, limit to last 10
@@ -6916,8 +6961,13 @@ program
             results = results.slice(-10);
         }
 
-        // Display newest first
-        results.reverse();
+        // Display order: newest-first for the unfiltered/tag views (memories
+        // arrive newest-first, so reverse only when NOT ranking by query).
+        // Query results are already ordered best-match-first by the ranking
+        // above and must not be reversed.
+        if (!query) {
+            results.reverse();
+        }
 
         console.log(chalk.bold('\n  Delimit Memories\n'));
 

package/bin/delimit-setup.js

@@ -258,18 +258,22 @@ async function main() {
         const venvPy = fs.existsSync(venvPython) ? venvPython : venvPythonWin;
         if (fs.existsSync(reqFile)) {
             execSync(`"${venvPy}" -m pip install --quiet -r "${reqFile}" 2>/dev/null`, { stdio: 'pipe' });
+            // LED-1564: even when reqFile exists, ensure pytest is present.
+            // Older reqFiles (pre-2026-05-22) didn't list it; without pytest
+            // the delimit_test_smoke deploy-gate step fails to run cleanly.
+            execSync(`"${venvPy}" -m pip install --quiet pytest 2>/dev/null`, { stdio: 'pipe' });
         } else {
-            execSync(`"${venvPy}" -m pip install --quiet fastmcp==3.1.0 pyyaml==6.0.3 pydantic==2.12.5 packaging==26.0 2>/dev/null`, { stdio: 'pipe' });
+            execSync(`"${venvPy}" -m pip install --quiet fastmcp==3.1.0 pyyaml==6.0.3 pydantic==2.12.5 packaging==26.0 pytest 2>/dev/null`, { stdio: 'pipe' });
         }
         python = venvPy;  // Use venv python for MCP config
         await logp(`  ${green('✓')} Python dependencies installed (isolated venv)`);
     } catch {
         log(`  ${yellow('!')} venv install failed — trying global pip`);
         try {
-            execSync(`${python} -m pip install --quiet fastmcp==3.1.0 pyyaml==6.0.3 pydantic==2.12.5 packaging==26.0 2>/dev/null`, { stdio: 'pipe' });
+            execSync(`${python} -m pip install --quiet fastmcp==3.1.0 pyyaml==6.0.3 pydantic==2.12.5 packaging==26.0 pytest 2>/dev/null`, { stdio: 'pipe' });
             await logp(`  ${green('✓')} Python dependencies installed (global)`);
         } catch {
-            log(`  ${yellow('!')} pip install failed — run manually: pip install fastmcp pyyaml pydantic packaging`);
+            log(`  ${yellow('!')} pip install failed — run manually: pip install fastmcp pyyaml pydantic packaging pytest`);
         }
     }
 

package/gateway/ai/agent_dispatch.py

@@ -36,6 +36,11 @@ DLQ_AUTO_PAUSE_THRESHOLD = 20
 TASK_TYPE_ROUTER = {
     # Outreach and social work — Gemini Flash is fast and cheap
     "outreach": "gemini",
+    # LED-2214b: substantive github outreach gets the same default
+    # routing as generic outreach (cheap, fast drafter) but is named
+    # distinctly so a regression that resurrects the generic dispatch
+    # path does not silently land here.
+    "outreach_substantive": "gemini",
     "social": "gemini",
     "content": "gemini",
     "sensor": "gemini",

package/gateway/ai/backends/gateway_core.py

@@ -358,6 +358,12 @@ def run_diff(old_spec: str, new_spec: str) -> Dict[str, Any]:
             }
             for c in changes
         ],
+        # LED-1588: structured side-channel for fail-open skips (unresolvable
+        # refs, malformed nodes) so a clean `changes` list is not mistaken for
+        # "proven safe". Additive — existing keys are unchanged. The JSON
+        # Schema branch above intentionally omits this (engine does not yet
+        # populate advisories; a misleading empty field would imply it checked).
+        "advisories": engine.advisories,
     }
 
 

package/gateway/ai/backends/git_health.py

@@ -0,0 +1,175 @@
+"""Git worktree sanity checks (LED-1411).
+
+Single source of truth for "is this directory a healthy git worktree?"
+Used by delimit_test_smoke, delimit_deploy_plan, and delimit_evidence_collect
+as a precheck before they trust ambient checkout state.
+
+Background — LED-1403 / LED-1401 incident (2026-05-14):
+`/home/delimit/npm-delimit/.git` was configured `bare = true` but had source
+files alongside, AND a stranded sibling worktree at `/tmp/delimit-mcp-main`
+where `git status` showed every file as both `D` and `??` (deleted from
+index, untracked on disk). `delimit_test_smoke` ran against this corrupt
+state and reported `attest-mcp Q2 3-tier exit codes` failures that did NOT
+exist on real main. I almost shipped a "fix" for a non-bug (LED-1403,
+closed `not_reproducible` after a fresh clone proved tests passed).
+
+This module exists so the same class of phantom failure can't recur.
+Precheck must:
+  - Add <100ms to caller startup (no network, no fetch)
+  - Emit a single actionable remediation line on failure
+  - Return a structured dict (callers may inline-handle or surface up)
+
+Memory anchor: feedback_corrupted_worktree_phantom_failures.md
+"""
+
+from __future__ import annotations
+
+import subprocess
+from pathlib import Path
+from typing import Any, Dict
+
+
+def _run(cmd: list, cwd: str, timeout: float = 2.0) -> str:
+    """Run a git command with a tight timeout. Returns stdout stripped,
+    or empty string on any failure (intentional — caller decides what
+    constitutes a failure based on the structured result, not exceptions)."""
+    try:
+        return subprocess.check_output(
+            cmd,
+            cwd=cwd,
+            stderr=subprocess.DEVNULL,
+            timeout=timeout,
+            text=True,
+        ).strip()
+    except (subprocess.CalledProcessError, subprocess.TimeoutExpired, FileNotFoundError, OSError):
+        return ""
+
+
+def check_worktree_sanity(repo_path: str) -> Dict[str, Any]:
+    """Verify the directory at `repo_path` is a healthy git worktree.
+
+    Checks (in order; cheapest first):
+      1. Path exists and contains a `.git` directory (or file pointing to one)
+      2. `git rev-parse --is-inside-work-tree` returns `true`
+      3. `git rev-parse --is-bare-repository` returns `false`
+      4. `git worktree list` includes the resolved CWD
+      5. `git status --porcelain=v1` does NOT show every file as BOTH
+         deleted-from-index AND untracked (the LED-1401 corruption signature)
+
+    Returns a dict with:
+      - ok: bool — overall health
+      - reason: str — short failure code (`not_a_repo`, `bare_repo_with_files`,
+        `stranded_worktree`, `corrupt_status`) when ok=False, else `healthy`
+      - detail: str — actionable remediation message
+      - path: str — the path that was checked
+
+    Non-raising: errors return ok=False with a structured reason, so callers
+    can decide whether to halt or warn.
+    """
+    p = Path(repo_path)
+    if not p.exists() or not p.is_dir():
+        return {
+            "ok": False,
+            "reason": "not_a_directory",
+            "detail": f"{repo_path} is not a directory.",
+            "path": repo_path,
+        }
+
+    git_meta = p / ".git"
+    if not git_meta.exists():
+        return {
+            "ok": False,
+            "reason": "not_a_repo",
+            "detail": f"{repo_path} has no .git/ — not a git worktree.",
+            "path": repo_path,
+        }
+
+    # Bare-repo check first (LED-1401 signature: bare=true + source files
+    # alongside). Checked BEFORE is-inside-work-tree because a bare repo
+    # answers "false" to that question — we want the more informative
+    # bare-repo message to win when both conditions hold.
+    is_bare = _run(["git", "rev-parse", "--is-bare-repository"], cwd=repo_path)
+    if is_bare == "true":
+        return {
+            "ok": False,
+            "reason": "bare_repo_with_files",
+            "detail": (
+                f"{repo_path}/.git/ has `core.bare = true` but the directory "
+                f"holds source files. Tests against this state run stale "
+                f"code. Re-clone fresh: `git clone <url> /tmp/<repo>-fresh "
+                f"&& cd /tmp/<repo>-fresh`"
+            ),
+            "path": repo_path,
+        }
+
+    # Inside-work-tree check
+    inside = _run(["git", "rev-parse", "--is-inside-work-tree"], cwd=repo_path)
+    if inside != "true":
+        return {
+            "ok": False,
+            "reason": "not_a_worktree",
+            "detail": (
+                f"{repo_path} is not inside a git work tree "
+                f"(rev-parse --is-inside-work-tree returned {inside!r}). "
+                f"Re-clone fresh: `git clone <url> /tmp/<repo>-fresh && cd /tmp/<repo>-fresh`"
+            ),
+            "path": repo_path,
+        }
+
+    # Worktree-list membership check (catches stranded sibling worktrees)
+    worktrees = _run(["git", "worktree", "list", "--porcelain"], cwd=repo_path)
+    resolved = str(p.resolve())
+    if worktrees and resolved not in worktrees:
+        # The current directory isn't a registered worktree of its own
+        # .git/ — likely a stale checkout that was wiped+repopulated outside
+        # git's awareness. This is the LED-1401 stranded-sibling signature.
+        return {
+            "ok": False,
+            "reason": "stranded_worktree",
+            "detail": (
+                f"{resolved} is not a registered worktree of its own .git/. "
+                f"Run `git worktree list` to inspect; re-clone fresh if "
+                f"orphaned: `git clone <url> /tmp/<repo>-fresh && cd /tmp/<repo>-fresh`"
+            ),
+            "path": repo_path,
+            "worktree_list": worktrees,
+        }
+
+    # LED-1401 corrupt-status signature: every file appears as BOTH `D` and `??`
+    # (deleted from index, untracked on disk). Sample the first 50 status lines
+    # — if >=10 distinct paths show this pattern, it's pathological.
+    status = _run(["git", "status", "--porcelain=v1"], cwd=repo_path, timeout=3.0)
+    if status:
+        lines = status.split("\n")[:200]
+        deleted_paths = set()
+        untracked_paths = set()
+        for line in lines:
+            if len(line) < 4:
+                continue
+            xy = line[:2]
+            path = line[3:].lstrip()
+            if "D" in xy:
+                deleted_paths.add(path)
+            if xy == "??":
+                untracked_paths.add(path)
+        overlap = deleted_paths & untracked_paths
+        if len(overlap) >= 10:
+            return {
+                "ok": False,
+                "reason": "corrupt_status",
+                "detail": (
+                    f"{repo_path} shows >={len(overlap)} files as both deleted-from-index "
+                    f"AND untracked-on-disk — the worktree was wiped and repopulated "
+                    f"outside git's awareness (LED-1401 signature). Re-clone fresh: "
+                    f"`git clone <url> /tmp/<repo>-fresh && cd /tmp/<repo>-fresh`"
+                ),
+                "path": repo_path,
+                "overlap_count": len(overlap),
+            }
+
+    return {
+        "ok": True,
+        "reason": "healthy",
+        "detail": "git worktree is healthy",
+        "path": repo_path,
+    }