npm - delimit-cli - Versions diffs - 4.7.2 → 4.7.3 - Mend

delimit-cli 4.7.2 → 4.7.3

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/CHANGELOG.md CHANGED Viewed

@@ -1,6 +1,21 @@
 # Changelog
+## [4.7.3] - 2026-06-04
+Docs + metadata release. No functional changes to the package.
+### Changed
+- npm README now carries the **"Adopt with minimum privilege"** section
+  (phase-1 read-only tool allowlist, Action SHA-pinning, BYOK vault guidance)
+  that previously only rendered on GitHub.
+- Detection-engine claims corrected to **28 change types (17 breaking,
+  11 non-breaking)** — adds `field_requirement_relaxed` (context-aware
+  severity) to the documented table.
+- `server.json` (MCP registry metadata) version brought current.
 ## [4.7.2] - 2026-06-04
 ### Fixed

package/README.md CHANGED Viewed

@@ -226,6 +226,40 @@ That's it. Delimit auto-fetches the base branch spec, diffs it, and posts a PR c
 ---
+## Adopt with minimum privilege
+You don't have to trust a large tool surface on day one. The safe on-ramp:
+**Phase 1 — read-only governance (free, no account).** Start with the tools that
+only read your repo and write reports: `delimit_lint`, `delimit_diff`,
+`delimit_semver`, `delimit_policy`, `delimit_explain`, `delimit_scan`, and
+`delimit_seal_verify`. If your MCP client supports per-tool allowlists, grant
+exactly those. Nothing in this set executes, deploys, or posts anywhere.
+**Phase 2 — opt into side effects deliberately.** Tools that write evidence
+bundles, open PR comments, or run deploys (`delimit_security_audit`,
+`delimit_deploy_*`, agent orchestration) are tier-gated; enable them once
+phase 1 has earned its keep in your CI.
+**Pin the Action to a commit SHA.** `@v1` is a floating tag. For
+supply-chain-sensitive pipelines, pin the exact commit and bump on review:
+```yaml
+- uses: delimit-ai/delimit-action@<commit-sha>   # gh api repos/delimit-ai/delimit-action/git/refs/tags/v1
+```
+**Keep BYOK keys out of plaintext config.** If you bring your own model keys
+for deliberation, store them with `delimit_secret_store` (encrypted vault,
+access-logged via `delimit_secret_access_log`) rather than in dotfiles.
+Our own releases ship under the same discipline: every release carries a
+signed, replayable Seal receipt (see the latest
+[release assets](https://github.com/delimit-ai/delimit-mcp-server/releases) —
+verify with `npx delimit-cli seal-verify <receipt.json>` or at its
+`delimit.ai/att/<id>` replay URL), plus SLSA provenance on npm.
+---
 ## CLI commands
 ```bash
@@ -290,7 +324,7 @@ When installed into your AI coding assistant, Delimit provides tools across two
 ## What It Detects
-27 change types (17 breaking, 10 non-breaking) -- deterministic rules, not AI inference. Same input always produces the same result.
+28 change types (17 breaking, 11 non-breaking) -- deterministic rules, not AI inference. Same input always produces the same result.
 ### Breaking Changes
@@ -328,6 +362,7 @@ When installed into your AI coding assistant, Delimit provides tools across two
 | 25 | `security_added` | API key security scheme added |
 | 26 | `deprecated_added` | `GET /v1/users` marked as deprecated |
 | 27 | `default_changed` | Default value for `page_size` changed from 10 to 20 |
+| 28 | `field_requirement_relaxed` | Required field `nickname` became optional (context-aware severity) |
 ---
@@ -367,7 +402,7 @@ rules:
 **How does this compare to Obsidian Mind?**
-Obsidian Mind is a great Obsidian vault template for Claude Code users who want persistent memory via markdown files. Delimit takes a different approach: it's an MCP server that works across Claude Code, Codex, Gemini CLI, and Cursor. Your memory, ledger, and governance travel with you when you switch models. Delimit also adds API governance (27-type breaking change detection), CI gates, git hooks, and policy enforcement that Obsidian Mind doesn't cover. Use Obsidian Mind if you're all-in on Claude + Obsidian. Use Delimit if you switch between models or need governance.
+Obsidian Mind is a great Obsidian vault template for Claude Code users who want persistent memory via markdown files. Delimit takes a different approach: it's an MCP server that works across Claude Code, Codex, Gemini CLI, and Cursor. Your memory, ledger, and governance travel with you when you switch models. Delimit also adds API governance (28-type breaking change detection), CI gates, git hooks, and policy enforcement that Obsidian Mind doesn't cover. Use Obsidian Mind if you're all-in on Claude + Obsidian. Use Delimit if you switch between models or need governance.
 **Does this work without Claude Code?**

package/package.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "name": "delimit-cli",
   "mcpName": "io.github.delimit-ai/delimit-mcp-server",
-  "version": "4.7.2",
+  "version": "4.7.3",
   "description": "Unify Claude Code, Codex, Cursor, and Gemini CLI with persistent context, governance, and multi-model debate.",
   "main": "index.js",
   "files": [

package/server.json CHANGED Viewed

@@ -7,13 +7,13 @@
     "url": "https://github.com/delimit-ai/delimit-mcp-server",
     "source": "github"
   },
-  "version": "4.5.13",
+  "version": "4.7.3",
   "websiteUrl": "https://delimit.ai",
   "packages": [
     {
       "registryType": "npm",
       "identifier": "delimit-cli",
-      "version": "4.5.13",
+      "version": "4.7.3",
       "transport": {
         "type": "stdio"
       }