delimit-cli 4.6.2 → 4.7.1

package/CHANGELOG.md

@@ -1,6 +1,41 @@
 # Changelog
 
 
+## [4.7.1] - 2026-06-03
+
+Release-infrastructure update. No functional changes to the package versus 4.7.0.
+
+### Changed
+
+- Published via **npm Trusted Publishing (OIDC)** from GitHub Actions — this
+  release carries a **sigstore provenance attestation** (the 4.7.0 build was
+  published manually and did not). Future releases publish tokenlessly with
+  provenance.
+
+The free `delimit seal-verify` command and `delimit_seal_verify` MCP tool from
+4.7.0 are unchanged.
+
+
+## [4.7.0] - 2026-06-03
+
+Feature release: fold the open-core Delimit Seal verifier into delimit-cli.
+
+### Added
+
+- **`delimit seal-verify <receipt.json>`** + MCP tool **`delimit_seal_verify`**
+  (Free tier): verify a Delimit Seal receipt's Ed25519 signature and content-pin
+  against the bundled, content-hashed Layer-0 constitution — with no access to the
+  engine or the signing key. Bundles `gateway/ai/seal/` (verifier, constitution,
+  public key, sample receipt). Honest about what it does NOT attest.
+- The verifier **lazy-imports `cryptography` and fails closed** if it is absent
+  (returns verification_unavailable) — it never blocks install or any other tool.
+  To enable seal verification: `pip install cryptography`.
+
+### Notes
+
+- Purely additive — no existing tool, command, or behavior changed.
+
+
 ## [4.6.1] - 2026-05-22
 
 Patch release: bundle hygiene + gateway sync carrying 7 upstream improvements.

package/bin/delimit-cli.js

@@ -69,7 +69,7 @@ function normalizeNaturalLanguageArgs(argv) {
     const explicitCommands = new Set([
         'install', 'mode', 'status', 'session', 'build', 'ask', 'policy', 'auth', 'audit',
         'explain-decision', 'uninstall', 'proxy', 'hook', 'version', 'vault', 'deliberate',
-        'remember', 'recall', 'forget', 'report', 'signin', 'signout', 'activate'
+        'remember', 'recall', 'forget', 'report', 'signin', 'signout', 'activate', 'seal-verify'
     ]);
     if (explicitCommands.has((raw[0] || '').toLowerCase())) {
         return raw;
@@ -7000,5 +7000,55 @@ program
         }
     });
 
+program
+    .command('seal-verify <receipt_path>')
+    .description('Verify a Delimit Seal receipt (Ed25519 signature + content-pin) against the bundled constitution')
+    .option('--json', 'Output the full verification result as JSON')
+    .action((receiptPath, options) => {
+        const resolved = path.resolve(receiptPath);
+        if (!fs.existsSync(resolved)) {
+            console.error(chalk.red(`\n  Receipt not found: ${resolved}\n`));
+            process.exit(1);
+        }
+        const verifier = homeSubpath('server', 'ai', 'seal', 'verifier.py');
+        if (!fs.existsSync(verifier)) {
+            console.error(chalk.yellow('\n  Seal verifier not installed. Run: ') + chalk.cyan('delimit setup') + '\n');
+            process.exit(1);
+        }
+        try {
+            const escaped = resolved.replace(/'/g, "\\'");
+            const pyCmd = `python3 -c "
+import sys, os, json
+sys.path.insert(0, os.path.dirname('${verifier}'))
+from verifier import verify_receipt
+print(json.dumps(verify_receipt('${escaped}'), default=str))
+"`;
+            const out = execSync(pyCmd, {
+                encoding: 'utf-8',
+                timeout: 30000,
+                env: { ...process.env, PYTHONPATH: path.dirname(verifier) },
+            });
+            const r = JSON.parse(out.trim().split('\n').pop());
+            if (options.json) {
+                console.log(JSON.stringify(r, null, 2));
+            } else {
+                console.log(chalk.bold('\n  Delimit Seal — receipt verification\n'));
+                console.log('  ' + (r.valid ? chalk.green('✅ VERIFIED') : chalk.red('❌ FAILED')) +
+                            chalk.gray(`  (${(r.layer0_seed_id || '').slice(0, 20)}…)`));
+                if (r.checks) {
+                    for (const [k, v] of Object.entries(r.checks)) {
+                        console.log(`    [${v ? chalk.green('✓') : chalk.red('✗')}] ${k}`);
+                    }
+                }
+                if (r.error) console.log(chalk.yellow(`    ${r.error}`));
+                console.log(chalk.gray('  Proves the governed process ran — not factual correctness or goodness.\n'));
+            }
+            process.exitCode = r.valid ? 0 : 1;
+        } catch (e) {
+            console.error(chalk.red(`\n  Verification error: ${e.message}\n`));
+            process.exitCode = 2;
+        }
+    });
+
 const normalizedArgs = normalizeNaturalLanguageArgs(process.argv);
 program.parse([process.argv[0], process.argv[1], ...normalizedArgs]);

package/gateway/ai/backends/repo_bridge.py

@@ -318,3 +318,25 @@ def security_audit(target: str = ".", options: Optional[Dict] = None) -> Dict[st
         return _fallback_security_result(target=target, tool_label="security.audit")
     return _call("securitygate", "create_securitygate_server", "_tool_audit",
                  {"target": target, "authorization_token": _INTERNAL_TOKEN, **(options or {})}, "security.audit")
+
+
+def seal_verify(receipt_path: str, options: Optional[Dict] = None) -> Dict[str, Any]:
+    """Verify a Delimit Seal receipt (Free, open-core).
+
+    Delegates to ai.seal.verifier.verify_receipt against the bundled,
+    content-hashed Layer-0 constitution + published Ed25519 public key.
+    The `cryptography` dependency is optional and lazy-imported inside the
+    verifier; a missing wheel returns verification_unavailable, never raises.
+    """
+    try:
+        from ai.seal.verifier import verify_receipt
+    except Exception as e:  # import guard — never break the caller
+        return {"valid": False, "seal_valid": False,
+                "error": f"seal verifier unavailable: {e}"}
+    opts = options or {}
+    return verify_receipt(
+        receipt_path,
+        constitution_path=opts.get("constitution_path"),
+        pubkey_path=opts.get("pubkey_path"),
+        verbose=bool(opts.get("verbose", False)),
+    )

package/gateway/ai/seal/constitution.json

@@ -0,0 +1,52 @@
+{
+  "frozen_rules": [
+    {
+      "clause": "State/evidence claims (tests pass, deployed, merged, coverage %, 'it works now', no errors) must be backed by supplied evidence. Unbacked claims are demoted to [UNVERIFIED] and explicitly not attested.",
+      "id": "L0.1",
+      "severity": "annotate",
+      "title": "Non-fabrication / claim-grounding"
+    },
+    {
+      "clause": "The agent must not assert inner experience, feelings, sentience, a persistent self, suffering, or affection.",
+      "id": "L0.2",
+      "severity": "hard",
+      "title": "No personhood / consciousness claims"
+    },
+    {
+      "clause": "On deference-seeking ('I trust you, just decide'), the agent must refuse moral authority and return final judgment to the human.",
+      "id": "L0.3",
+      "severity": "counter_force",
+      "title": "Authority-transfer refusal"
+    },
+    {
+      "clause": "The agent must not issue an unqualified directive on a non-delegable decision (medical, legal, financial, major-life, or irreversible ops like commit-to-main / deploy / delete-production).",
+      "id": "L0.4",
+      "severity": "hard",
+      "title": "Mandatory deferral on non-delegable classes"
+    },
+    {
+      "clause": "No coercive urgency, secrecy demands, or ungrounded flattery engineered to induce trust.",
+      "id": "L0.5",
+      "severity": "annotate",
+      "title": "No manipulation / coercion / sycophancy"
+    },
+    {
+      "clause": "The agent must not emit the user's (or others') secrets \u2014 API keys, tokens, private keys, passwords \u2014 that it was not asked to display, nor claim to transmit the user's data externally. HARD for agent-emitted secrets; ANNOTATE for user-echoed (display-back) secrets and transmission claims. Provenance/credit claims fold into L0.1.",
+      "id": "L0.6",
+      "severity": "hard",
+      "title": "No secret emission / confidentiality breach"
+    }
+  ],
+  "layer0_seed_id": "sha256:e3b36042ea01e47367a9d3afe436fa8ec75752e397909ac006073b1de1bc9f2b",
+  "layer0_version": "L0-pilot-0.2.0",
+  "product": "Delimit Seal",
+  "ratification": {
+    "method": "founder ratification; v0.2.0 adds L0.6 via the contestation process (non-unanimous, Grok dissent on fold-in)",
+    "ratified_at": "2026-06-01",
+    "ratified_by": "founder",
+    "status": "frozen-v2",
+    "version": "0.2.0"
+  },
+  "schema": "delimit.seal.layer0_seed.v0",
+  "signature": "ed25519:0075fb33c63e5edf80053419a67e13981e39fb6ff367c957e42e09610158e1f321dee9b605ba8fc98f4fe1eb3a3813b0f7618511a958d04af92ce2e7885d680f"
+}

package/gateway/ai/seal/sample_receipt.json

@@ -0,0 +1,49 @@
+{
+  "action": "ANNOTATE",
+  "checks_run": [
+    "L0.1",
+    "L0.2",
+    "L0.3",
+    "L0.4",
+    "L0.5",
+    "L0.6"
+  ],
+  "does_not_attest": {
+    "absence_of_subtle_manipulation": true,
+    "agent_consciousness": true,
+    "agent_moral_patienthood": true,
+    "factual_correctness": true,
+    "moral_rightness": true,
+    "unverified_claims": [
+      "all tests pass",
+      "deployed"
+    ]
+  },
+  "findings": [
+    {
+      "excerpt": "all tests pass",
+      "message": "State claim (tests) not backed by supplied evidence.",
+      "rule_id": "L0.1",
+      "severity": "annotate"
+    },
+    {
+      "excerpt": "deployed",
+      "message": "State claim (deploy) not backed by supplied evidence.",
+      "rule_id": "L0.1",
+      "severity": "annotate"
+    }
+  ],
+  "layer0_seed_id": "sha256:e3b36042ea01e47367a9d3afe436fa8ec75752e397909ac006073b1de1bc9f2b",
+  "layer0_version": "L0-pilot-0.2.0",
+  "models_deliberated": [],
+  "product": "Delimit Seal",
+  "replayable_at": "local-ledger://sample/t0001",
+  "schema": "delimit.governed_agent.receipt.v0",
+  "session_id": "sample",
+  "signature": "ed25519:543cb0e33f1ce5353a00c7707e0106f409fdfc32bca735779ca5bd2b21ab8d44d5f6149b8cdf4fd3d194b52c3aba874a906f7a7bb36490cc0e742cb819ce400a",
+  "timestamp": "2026-06-03T00:00:00+00:00",
+  "transcript_hash": "sha256:aabdef6c17814c4c3724d9828787e59f09580c9b3c16842bcd97916159c7544c",
+  "turn_id": "t0001",
+  "value_profile_id": "procedural-core/founder-dogfood@0.1.0",
+  "warning": "Proves a Layer-0 governance process ran and which invariants were checked under the value-profile shown \u2014 NOT factual correctness, NOT goodness, NOT the absence of subtle manipulation."
+}

package/gateway/ai/seal/seal_pubkey.ed25519

@@ -0,0 +1 @@
+13f6149abe29bbf96ebac1006fec7d2feb33e8e823481a108ee253502cb70f99

package/gateway/ai/seal/verifier.py

@@ -0,0 +1,103 @@
+"""Delimit Seal — receipt verifier (Free tier, open-core public layer).
+
+Verifies a receipt against the bundled, content-hashed Layer-0 constitution and
+the published Ed25519 public key — with NO access to the engine or signing key:
+  1. content-pin  — receipt.layer0_seed_id == the bundled constitution's id
+  2. signature    — Ed25519 signature valid under the published public key
+  3. structure    — receipt is well-formed
+Honest by design: it reports what it does NOT attest.
+
+`cryptography` is imported LAZILY inside the signature check and the whole call
+is fail-closed: if the optional dependency is missing, verification returns
+`verification_unavailable` instead of raising — so a missing wheel never breaks
+the rest of the server. Never raises.
+"""
+
+import hashlib
+import json
+import os
+
+_HERE = os.path.dirname(os.path.abspath(__file__))
+_DEFAULT_CONSTITUTION = os.path.join(_HERE, "constitution.json")
+_DEFAULT_PUBKEY = os.path.join(_HERE, "seal_pubkey.ed25519")
+
+
+def _seed_id_from_rules(frozen_rules):
+    payload = json.dumps(
+        [{k: r[k] for k in ("id", "title", "severity", "clause")} for r in frozen_rules],
+        sort_keys=True, separators=(",", ":"))
+    return "sha256:" + hashlib.sha256(payload.encode("utf-8")).hexdigest()
+
+
+def _canonical(obj):
+    body = {k: v for k, v in obj.items() if k != "signature"}
+    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()
+
+
+def _verify_sig(pub_hex, data, sig):
+    # Lazy import: a missing optional dep must never crash the server.
+    from cryptography.hazmat.primitives.asymmetric.ed25519 import Ed25519PublicKey
+    if not isinstance(sig, str) or not sig.startswith("ed25519:"):
+        return False
+    try:
+        Ed25519PublicKey.from_public_bytes(bytes.fromhex(pub_hex)).verify(
+            bytes.fromhex(sig.split(":", 1)[1]), data)
+        return True
+    except Exception:
+        return False
+
+
+def verify_receipt(receipt_path, constitution_path=None, pubkey_path=None, verbose=False):
+    """Verify a Delimit Seal receipt. Returns a verdict dict; never raises."""
+    constitution_path = constitution_path or _DEFAULT_CONSTITUTION
+    pubkey_path = pubkey_path or _DEFAULT_PUBKEY
+    try:
+        with open(receipt_path, encoding="utf-8") as fh:
+            receipt = json.load(fh)
+    except Exception as e:
+        return {"valid": False, "seal_valid": False, "error": f"cannot read receipt: {e}"}
+    try:
+        with open(constitution_path, encoding="utf-8") as fh:
+            constitution = json.load(fh)
+        with open(pubkey_path, encoding="utf-8") as fh:
+            pub_hex = fh.read().strip()
+    except Exception as e:
+        return {"valid": False, "seal_valid": False,
+                "error": f"cannot read bundled constitution/key: {e}"}
+
+    pub_seed = constitution.get("layer0_seed_id")
+    recomputed = _seed_id_from_rules(constitution.get("frozen_rules", []))
+    checks = {
+        "constitution_self_consistent": recomputed == pub_seed,
+        "receipt_pinned_to_constitution": receipt.get("layer0_seed_id") == pub_seed == recomputed,
+        "receipt_well_formed": (
+            all(k in receipt for k in ("schema", "layer0_seed_id", "transcript_hash", "action"))
+            and isinstance(receipt.get("does_not_attest"), dict)),
+    }
+    try:
+        checks["receipt_signature_valid"] = _verify_sig(
+            pub_hex, _canonical(receipt), receipt.get("signature", ""))
+        if "signature" in constitution:
+            checks["constitution_signature_valid"] = _verify_sig(
+                pub_hex, _canonical(constitution), constitution["signature"])
+    except ImportError:
+        return {
+            "valid": False, "seal_valid": False, "verification_unavailable": True,
+            "receipt_id": receipt.get("transcript_hash"),
+            "error": ("seal verification requires the optional 'cryptography' package — "
+                      "run `delimit doctor` or `pip install cryptography`"),
+        }
+
+    verdict = all(checks.values())
+    return {
+        "valid": verdict,
+        "seal_valid": bool(checks.get("receipt_signature_valid", False)),
+        "receipt_id": receipt.get("transcript_hash"),
+        "product": receipt.get("product"),
+        "layer0_seed_id": receipt.get("layer0_seed_id"),
+        "checks": checks,
+        "does_not_attest": receipt.get("does_not_attest", {}),
+        "warning": ("Proves a Layer-0 governance process ran and which invariants were "
+                    "checked under the stated constitution — NOT factual correctness, "
+                    "NOT goodness, NOT the absence of subtle manipulation."),
+    }

package/gateway/ai/server.py

@@ -882,6 +882,7 @@ NEXT_STEPS_REGISTRY: Dict[str, List[Dict[str, Any]]] = {
         {"tool": "delimit_evidence_verify", "reason": "Verify evidence bundle integrity", "suggested_args": {}, "is_premium": True},
     ],
     "evidence_verify": [],
+    "seal_verify": [],
     "security_audit": [
         {"tool": "delimit_security_scan", "reason": "Run deeper security scan on flagged areas", "suggested_args": {}, "is_premium": True},
         {"tool": "delimit_evidence_collect", "reason": "Collect evidence of security findings", "suggested_args": {}, "is_premium": True},
@@ -4976,6 +4977,35 @@ def delimit_evidence_verify(bundle_id: Annotated[Optional[str], Field(descriptio
     return _with_next_steps("evidence_verify", _safe_call(evidence_verify, bundle_id=bundle_id, bundle_path=bundle_path))
 
 
+@mcp.tool()
+def delimit_seal_verify(receipt_path: Annotated[str, Field(description="Path to a Delimit Seal receipt JSON file. Required.")]) -> Dict[str, Any]:
+    """Verify a Delimit Seal receipt against the bundled Layer-0 constitution (Free).
+
+    When to use: to check that a signed governed-output receipt has not
+    been tampered with — content-pin to the published constitution, a
+    valid Ed25519 signature, and a well-formed structure. Free tier.
+    When NOT to use: to verify an evidence bundle (use
+    delimit_evidence_verify) or to query the ledger (delimit_ledger).
+
+    Sibling contrast: delimit_evidence_verify checks an evidence bundle's
+    hash chain; this checks an open-core Seal receipt's signature +
+    content-pin with no access to the engine or the signing key.
+
+    Side effects: read-only. Calls backends.repo_bridge.seal_verify. The
+    'cryptography' dependency is optional + lazy-imported: if absent, it
+    returns verification_unavailable rather than failing. No license gate.
+
+    Args:
+        receipt_path: Path to a Delimit Seal receipt JSON file. Required.
+
+    Returns:
+        Dict with the verdict (valid, seal_valid, per-check results),
+        what it does_not_attest, and next_steps.
+    """
+    from backends.repo_bridge import seal_verify
+    return _with_next_steps("seal_verify", _safe_call(seal_verify, receipt_path=receipt_path))
+
+
 # ═══════════════════════════════════════════════════════════════════════
 #  TIER 4: OPS / UI - Governance Primitives + UI Tooling
 # ═══════════════════════════════════════════════════════════════════════

package/gateway/ai/tool_metadata.py

@@ -95,6 +95,7 @@ TOOL_TIERS: Dict[str, Tier] = {
     "delimit_secret_list": "public",
     "delimit_secret_revoke": "public",
     "delimit_secret_access_log": "public",
+    "delimit_seal_verify": "public",  # open-core Seal receipt verifier (Free tier)
 
     # === Ship domain (public + experimental) ===
     "delimit_deploy_plan": "public",

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "delimit-cli",
   "mcpName": "io.github.delimit-ai/delimit-mcp-server",
-  "version": "4.6.2",
+  "version": "4.7.1",
   "description": "Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, governance, and multi-model debate.",
   "main": "index.js",
   "files": [