delegate-agent-cli 0.11.0__tar.gz
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- delegate_agent_cli-0.11.0/CHANGELOG.md +246 -0
- delegate_agent_cli-0.11.0/CONTRIBUTING.md +55 -0
- delegate_agent_cli-0.11.0/LICENSE +21 -0
- delegate_agent_cli-0.11.0/MANIFEST.in +24 -0
- delegate_agent_cli-0.11.0/PKG-INFO +325 -0
- delegate_agent_cli-0.11.0/README.md +292 -0
- delegate_agent_cli-0.11.0/SECURITY.md +31 -0
- delegate_agent_cli-0.11.0/bin/delegate-profile-shim +119 -0
- delegate_agent_cli-0.11.0/bin/delegate.py +15 -0
- delegate_agent_cli-0.11.0/config.example.json +105 -0
- delegate_agent_cli-0.11.0/docs/agent-setup.md +176 -0
- delegate_agent_cli-0.11.0/docs/assets/delegate-agent-header.png +0 -0
- delegate_agent_cli-0.11.0/docs/cli-reference.md +693 -0
- delegate_agent_cli-0.11.0/docs/configuration.md +448 -0
- delegate_agent_cli-0.11.0/docs/development.md +62 -0
- delegate_agent_cli-0.11.0/docs/live-runtime.md +60 -0
- delegate_agent_cli-0.11.0/docs/publishing-checklist.md +68 -0
- delegate_agent_cli-0.11.0/docs/security-model.md +199 -0
- delegate_agent_cli-0.11.0/docs/troubleshooting.md +344 -0
- delegate_agent_cli-0.11.0/docs/worktrees.md +217 -0
- delegate_agent_cli-0.11.0/examples/task.claude.json +8 -0
- delegate_agent_cli-0.11.0/examples/task.codex.json +8 -0
- delegate_agent_cli-0.11.0/examples/task.cursor.json +7 -0
- delegate_agent_cli-0.11.0/examples/task.droid.json +8 -0
- delegate_agent_cli-0.11.0/examples/task.grok.json +7 -0
- delegate_agent_cli-0.11.0/examples/task.judge.json +7 -0
- delegate_agent_cli-0.11.0/pyproject.toml +83 -0
- delegate_agent_cli-0.11.0/setup.cfg +4 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/__init__.py +5 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/archived_logs.py +44 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/argv_builders.py +423 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/argv_utils.py +36 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/capability_commands.py +99 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/cli.py +987 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/cli_parser.py +1627 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/command_errors.py +29 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/command_help.py +1264 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/config.py +1117 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/config_commands.py +143 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/constants.py +50 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/describe_payload.py +1018 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/errors.py +32 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/git_utils.py +180 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/harness_events.py +719 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/inspection_commands.py +104 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/isolation.py +316 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/json_types.py +18 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/log_output.py +78 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/private_io.py +109 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/profile_commands.py +42 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/profile_guard.py +116 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/profiles.py +389 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/prompt_instructions.py +39 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/prompt_transport.py +12 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/reasoning.py +916 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/redaction.py +193 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/rendering.py +573 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/request_build.py +1681 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/request_models.py +191 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/retention.py +321 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/run_metadata.py +78 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/run_output_commands.py +645 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/run_registry.py +747 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/run_status.py +300 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/runner.py +1830 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/safe_workspace.py +821 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/snapshot_view.py +229 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/wait_cancel_commands.py +559 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/worktree_commands.py +218 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/worktree_execution.py +654 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/worktree_gc.py +529 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/worktree_mgmt.py +782 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/worktree_records.py +232 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/worktree_remove.py +547 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/worktree_summary.py +242 -0
- delegate_agent_cli-0.11.0/src/delegate_agent/wsl.py +65 -0
- delegate_agent_cli-0.11.0/src/delegate_agent_cli.egg-info/PKG-INFO +325 -0
- delegate_agent_cli-0.11.0/src/delegate_agent_cli.egg-info/SOURCES.txt +115 -0
- delegate_agent_cli-0.11.0/src/delegate_agent_cli.egg-info/dependency_links.txt +1 -0
- delegate_agent_cli-0.11.0/src/delegate_agent_cli.egg-info/entry_points.txt +2 -0
- delegate_agent_cli-0.11.0/src/delegate_agent_cli.egg-info/requires.txt +5 -0
- delegate_agent_cli-0.11.0/src/delegate_agent_cli.egg-info/top_level.txt +1 -0
- delegate_agent_cli-0.11.0/tests/test_capability_commands.py +282 -0
- delegate_agent_cli-0.11.0/tests/test_command_help.py +342 -0
- delegate_agent_cli-0.11.0/tests/test_config_commands.py +454 -0
- delegate_agent_cli-0.11.0/tests/test_delegate_help_cli.py +500 -0
- delegate_agent_cli-0.11.0/tests/test_delegate_isolation.py +491 -0
- delegate_agent_cli-0.11.0/tests/test_delegate_parser.py +1551 -0
- delegate_agent_cli-0.11.0/tests/test_delegate_validation.py +1104 -0
- delegate_agent_cli-0.11.0/tests/test_end_to_end_tracking.py +969 -0
- delegate_agent_cli-0.11.0/tests/test_engine_argv.py +1212 -0
- delegate_agent_cli-0.11.0/tests/test_execution_argv_and_prompt.py +1178 -0
- delegate_agent_cli-0.11.0/tests/test_execution_dry_run.py +734 -0
- delegate_agent_cli-0.11.0/tests/test_execution_worktree_failure_cleanup.py +740 -0
- delegate_agent_cli-0.11.0/tests/test_execution_worktree_preflight.py +487 -0
- delegate_agent_cli-0.11.0/tests/test_execution_worktree_run.py +1443 -0
- delegate_agent_cli-0.11.0/tests/test_harness_events.py +800 -0
- delegate_agent_cli-0.11.0/tests/test_inspection_commands.py +261 -0
- delegate_agent_cli-0.11.0/tests/test_kimi_commands.py +119 -0
- delegate_agent_cli-0.11.0/tests/test_packaging.py +31 -0
- delegate_agent_cli-0.11.0/tests/test_profiles.py +1184 -0
- delegate_agent_cli-0.11.0/tests/test_reasoning_capabilities.py +485 -0
- delegate_agent_cli-0.11.0/tests/test_retention.py +484 -0
- delegate_agent_cli-0.11.0/tests/test_run_registry.py +721 -0
- delegate_agent_cli-0.11.0/tests/test_runner_capture.py +2014 -0
- delegate_agent_cli-0.11.0/tests/test_safe_workspace_isolation.py +710 -0
- delegate_agent_cli-0.11.0/tests/test_snapshot_redaction.py +188 -0
- delegate_agent_cli-0.11.0/tests/test_snapshot_rendering.py +135 -0
- delegate_agent_cli-0.11.0/tests/test_snapshot_run_output.py +1426 -0
- delegate_agent_cli-0.11.0/tests/test_snapshot_view.py +157 -0
- delegate_agent_cli-0.11.0/tests/test_utility_modules.py +335 -0
- delegate_agent_cli-0.11.0/tests/test_wait_cancel_commands.py +677 -0
- delegate_agent_cli-0.11.0/tests/test_wave4_launch_features.py +240 -0
- delegate_agent_cli-0.11.0/tests/test_worktree_list_show.py +704 -0
- delegate_agent_cli-0.11.0/tests/test_worktree_prune_gc.py +930 -0
- delegate_agent_cli-0.11.0/tests/test_worktree_remove.py +775 -0
- delegate_agent_cli-0.11.0/tests/test_wsl_guardrails.py +108 -0
|
@@ -0,0 +1,246 @@
|
|
|
1
|
+
# Changelog
|
|
2
|
+
|
|
3
|
+
All notable changes to this project are documented in this file.
|
|
4
|
+
|
|
5
|
+
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
|
+
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
|
+
|
|
8
|
+
## [0.11.0] - 2026-07-05
|
|
9
|
+
|
|
10
|
+
Profile-guard calibration fix for issue #9: a shell carrying `AI_PROFILE=work|personal` with no matching `~/.delegate/config.<profile>.json` no longer presents a half-configured install as a total CLI outage.
|
|
11
|
+
|
|
12
|
+
### Added
|
|
13
|
+
|
|
14
|
+
- `delegate config sync-profiles` materializes missing `~/.delegate/config.<profile>.json` overlays (`work`, `personal`) from the validated base config. It never clobbers an overlay you already edited, validates the merged effective config before any write, and writes each overlay with private-file permissions. `delegate config init` now writes the same overlays alongside the base config. Both share one path convention (`config.profile_config_path`, `config.PROFILE_CONFIG_NAMES`) so the writer and the guard cannot disagree on overlay naming.
|
|
15
|
+
|
|
16
|
+
### Fixed
|
|
17
|
+
|
|
18
|
+
- `AI_PROFILE=work|personal` with a missing or unreadable profile overlay no longer hard-blocks every command, including the read-only diagnostics you would reach for to debug it. Recognized-but-configless profiles now block only launch and mutation commands — with remediation text that points at `delegate config sync-profiles` and the `env -u AI_PROFILE` / `DELEGATE_CONFIG=` bypasses — while read-only diagnostics (`profiles`, `runs`, `run-output`, `snapshot`, cached `capabilities`, `worktree show`/`list`, `describe`, `models`, `help`, `version`) pass with a stderr warning. An unrecognized non-empty `AI_PROFILE` now warns and continues on the base account instead of silently falling through.
|
|
19
|
+
|
|
20
|
+
### Security
|
|
21
|
+
|
|
22
|
+
- The fail-closed profile-crossover guarantee is now enforced inside the Python CLI (`delegate_agent.cli:main` via the new `delegate_agent.profile_guard`), classifying from the real parsed command rather than positional argv guessing. This closes a gap where the guarantee lived only in the optional shell shim: the pip console script, `python -m delegate_agent.cli`, and `bin/delegate.py` all reach `main` with no shim in front, and previously fell through to the base account on a missing overlay. The guard no-ops when `DELEGATE_CONFIG` is already exported (shim precedence) so the two layers compose without a double check. The tracked `bin/delegate-profile-shim` template applies the same check before Python starts, as an additional early gate; it scans all args for `capabilities refresh` so a mutation is never misclassified as a read-only probe.
|
|
23
|
+
|
|
24
|
+
## [0.10.0] - 2026-07-04
|
|
25
|
+
|
|
26
|
+
Usage-audit fix wave: 82 sessions and 1,241 delegate invocations from one week of agent usage were mined for friction and failure modes, and the whole Tier 1–3 backlog was built across four decorrelated implementation waves plus live acceptance.
|
|
27
|
+
|
|
28
|
+
### Added
|
|
29
|
+
|
|
30
|
+
- `delegate wait` blocks on one or more runs until they reach a terminal state, using effective status so a dead child is a terminal failure rather than a hang. Supports bare-harness and `harness:model` latest selectors, `--group`, an optional timeout, and completion-report output; exits 0 (all succeeded), 1 (any failed/cancelled), or 124 (timeout). Replaces the ~100 hand-rolled polling loops agents wrote in the audit week.
|
|
31
|
+
- `delegate cancel` signals a run's recorded process group (SIGTERM → 5s grace judged by group liveness → SIGKILL) with layered safety: workspace-scoped resolution, terminal/stale refusal, `pid`/`pgid <= 1` guards, and a `ps`-lstart start-identity check that refuses to signal a pid older than the run (soft-degrades when `ps` is unavailable). A `cancelRequested` marker is stamped under the registry lock before any signal so the runner finalizer can never record a cancelled run as succeeded.
|
|
32
|
+
- `cancelled` is a first-class terminal status with normalized per-harness `terminalEvent`/`terminalStatus` mapping (e.g. Grok `stopReason: Cancelled` overrides an exit-0 success). Cancelled and failed runs without a child report now get a synthesized completion report (status, failure reason, redacted stderr tail, harness-appropriate remediation) so `run-output --completion-report` never dead-ends.
|
|
33
|
+
- Always-numbered aliases (`codex-1`, `cursor-2`, …). Bare harness names become latest-run selectors and `harness:modelAlias` selectors resolve the newest matching run; envelopes and text banners expose `requestedHandle`/`resolvedHandle`/`resolutionKind`, and generated follow-up commands always use the concrete numbered alias. `run-output` gains `--latest`.
|
|
34
|
+
- `resultQuality` classification on tracked runs (`ok` / `housekeeping_noop` / `empty` / `suspect_short` / `no_assistant_text`), computed at finalization and preferred from stored state at read time — closing the hole where an on-disk Droid "Plan is up-to-date." report surfaced as a clean success. Envelopes always carry `completionReportWritten` and `completionReportSource` (`child` / `delegate_synthesized` / `stdout_recovery`); auth failures classify as `auth_failed` from stderr-only patterns.
|
|
35
|
+
- `--include-dirty` on worktree work launches syncs uncommitted tracked changes and untracked non-ignored files through the same primitives as the safe-mode snapshot, replacing the stash-launch-pop dance; sync failures tear the worktree down before any child launches.
|
|
36
|
+
- `--group NAME` tags launches and selects on `runs`, `wait`, and `worktree remove`/`prune`.
|
|
37
|
+
- A per-run scratch `TMPDIR` is exported to safe and isolated runs after profile env; the codex lane is granted it via `--add-dir`.
|
|
38
|
+
- `did-you-mean` suggestions on unknown handles, a `list` → `runs` alias, corrected-command text on flag-order errors, and copy-paste command forms on invalid-mode errors.
|
|
39
|
+
|
|
40
|
+
### Changed
|
|
41
|
+
|
|
42
|
+
- `--forbid-commit` now implies `--isolation worktree` on both the CLI and JSON paths.
|
|
43
|
+
- Work-mode `noChanges` and quality warnings ride the top-level `warnings` array (including the runs table). Text `run-output` discloses char truncation like JSON, and `--tail`/`--max-chars` without a stream selection is now rejected instead of silently ignored.
|
|
44
|
+
- `describe` full output is a strict superset of `--summary`, both derived from `COMMAND_SPECS`.
|
|
45
|
+
|
|
46
|
+
### Fixed
|
|
47
|
+
|
|
48
|
+
- Registry first-init race fixed with locked init and unique atomic temp names; `write_json_atomic` cleans up temp files on failure. Run-latest tie-breaks use an explicit `registrationOrdinal` stamped under the registry lock (in-memory insertion order degrades through `save_index` on reload).
|
|
49
|
+
- Plaintext progress advances every line instead of freezing on the first; `call` mode returns a redacted `stderrTail` on failure and an empty-text warning instead of raw event noise; `droid call` prevalidates model aliases before creating the workspace and cleans up on every failure path.
|
|
50
|
+
|
|
51
|
+
### Security
|
|
52
|
+
|
|
53
|
+
- The native boundary read empirically reproduced a leak inherited from the safe-mode mirror: an untracked symlink with an absolute target pointing at the repo's own gitignored secret was recreated verbatim — readable and writable-through in an edit-capable worktree. The shared sync now recreates untracked symlinks only when the link is relative, resolves inside the repo, and the target is not gitignored (batched `git check-ignore -z --stdin`, failing closed to placeholders on unexpected exit codes), hardening safe mode and `--include-dirty` together. The hardlink variant cannot be closed by path-based exclusion and is documented as a caveat.
|
|
54
|
+
|
|
55
|
+
## [0.9.0] - 2026-07-01
|
|
56
|
+
|
|
57
|
+
### Added
|
|
58
|
+
|
|
59
|
+
- Stateless `call` mode for every engine (`delegate <engine> call "prompt"`, plus `droid MODEL call`). Call mode sends a one-hop prompt to a model and returns its output without a project tree, run registry, snapshot, or completion report — the generic "call a model, get the answer back" path for agents that don't need repo context. It runs in an empty temporary cwd that is always cleaned up, even on build-time failure.
|
|
60
|
+
- Call mode is **write-capable by default**, inheriting work-level harness permissions (the equivalent of `work` mode minus a repo). A new `--read-only` flag (and `readOnly` JSON input field) opts into the LLM-as-judge/grader contract: it drops the child to each engine's `safe`-mode read-only capability and prepends a neutralizing preamble telling the model there is nothing to inspect or mutate. `--read-only` applies only to `call` and is rejected with `safe`/`work`. Pairs with Codex `--output-schema` for structured verdicts. See `examples/task.judge.json`.
|
|
61
|
+
- Call JSON output includes `textChars` and `textTruncated` so callers can detect when bounded assistant text kept only the head and tail of a large response. Human-mode `dry-run` now prints `warning:` lines.
|
|
62
|
+
|
|
63
|
+
### Security
|
|
64
|
+
|
|
65
|
+
- Call mode is not a security sandbox. The effective harness policy resolves through the work/safe tiers (default call keeps work-tier web-search/network access; `--read-only` call gets the safe policy), and work-mode approval/sandbox bypass never leaks into call mode. On engines without a native read-only sandbox (Cursor, Droid, Kimi) the neutralizing preamble is the only restriction under `--read-only`; `docs/security-model.md` documents the boundary.
|
|
66
|
+
|
|
67
|
+
## [0.8.1] - 2026-07-01
|
|
68
|
+
|
|
69
|
+
### Fixed
|
|
70
|
+
|
|
71
|
+
- Launch and `dry-run` commands now accept `--json` in the launch option tail before inline prompt text begins, so agent callers can append it after flags such as `--prompt-file` without tripping the misplaced-global guard. A later `--json` after prompt text still fails closed as ambiguous flag-like prompt text.
|
|
72
|
+
|
|
73
|
+
## [0.8.0] - 2026-06-29
|
|
74
|
+
|
|
75
|
+
### Added
|
|
76
|
+
|
|
77
|
+
- First-class `delegate grok {safe,work}` for xAI Grok Build CLI: prompt-file transport, tracked `streaming-json` snapshots, safe isolation required, worktree `--cwd` rewrite, harness-scoped bypass at `policy.harness.grok.work.bypassApprovalsAndSandbox`, and Grok `--effort` reasoning mapping. Safe mode pairs Delegate's isolated worktree copy with Grok's kernel-enforced `--sandbox read-only` profile, and the streaming `error` event is surfaced into the snapshot. Grok `--output-schema` is unsupported in this release because Grok `--json-schema` forces final JSON output, which breaks tracked streaming snapshots.
|
|
78
|
+
- `delegate config init` command to write an editable starter config from an installed package, so users no longer need a source checkout just to copy `config.example.json`.
|
|
79
|
+
|
|
80
|
+
### Changed
|
|
81
|
+
|
|
82
|
+
- WSL setup is now documented explicitly: install Python/Git/child CLIs inside WSL, prefer `/home/<user>/...`, and convert Windows paths with `wslpath -u`.
|
|
83
|
+
|
|
84
|
+
### Fixed
|
|
85
|
+
|
|
86
|
+
- Windows-style paths now fail with actionable WSL guidance instead of turning into confusing POSIX relative paths, and WSL runs fail loudly when `git` resolves to Windows `git.exe`. Workspaces under `/mnt/<drive>` now emit a warning about WSL filesystem performance and private-file semantics.
|
|
87
|
+
|
|
88
|
+
## [0.7.0] - 2026-06-29
|
|
89
|
+
|
|
90
|
+
### Added
|
|
91
|
+
|
|
92
|
+
- Profile-aware auth and environment switching. A new top-level `profiles` config block (`detectFrom`, `default`, `definitions.<name>.env`) lets one session run under a chosen credential/environment profile and have every spawned harness inherit it. The active profile is detected from an environment variable (`profiles.detectFrom`, e.g. `DELEGATE_PROFILE`/`AI_PROFILE`) or pinned explicitly with the new global `--auth-profile NAME` flag. Delegate resolves the profile once per request and injects its env into every child across tracked, pass-through, safe-isolation, and persistent-worktree paths. Profile `env` holds non-secret routing pointers only — secret-shaped keys are rejected at config load with `secret_in_profile_env`.
|
|
93
|
+
- `delegate profiles` command (with `--json`): read-only introspection of the resolved profile, its source (`flag`, a detection variable name, or `default`), and the non-secret env keys it injects. It never mutates config.
|
|
94
|
+
- `codex.fallbackProfile`: when a Codex run hits a classified usage limit on a clean work-mode baseline with no tool events, Delegate retries once under the fallback profile's account (same env, `CODEX_HOME` swapped). A fallback that resolves to the same account is a no-op. Completions record `codexAuthFallback` metadata.
|
|
95
|
+
- Codex `--output-schema FILE` flag and `outputSchema` run-input field for structured final output. Codex-only; OpenAI enforces the JSON Schema on Codex's final message. Relative paths resolve against the launch cwd and are locked absolute before isolation. When set, the completion-report prompt injection is suppressed so the schema owns the final message. Other engines reject it with `unsupported_output_schema`, and `delegate --json describe` advertises `engineCapabilities.<engine>.outputSchema` for feature detection.
|
|
96
|
+
- `delegate --json <command> --help` payloads now include `globalOptions` and `unsupportedGlobalOptions`, so agents can discover which global options (such as `--auth-profile`) apply to a command without parsing usage strings.
|
|
97
|
+
|
|
98
|
+
### Changed
|
|
99
|
+
|
|
100
|
+
- Safe-mode runs over a dirty Git tree now inject a bounded changed-file note into the prompt before the per-engine transport split, so the synced working-tree state reaches the child regardless of stdin/prompt-file/argv transport. Documentation across help, `describe`, `agent-help`, README, security-model, and the CLI reference now states plainly that safe mode mirrors uncommitted tracked edits and untracked non-ignored files into the isolated copy.
|
|
101
|
+
- `--auth-profile` is accepted only where a child auth/env selection actually happens: launches, `dry-run`, `run --input-json`, `delegate profiles`, and `capabilities refresh`. It is rejected for the cached `capabilities` report and for run-inspection, worktree-management, and discovery commands.
|
|
102
|
+
|
|
103
|
+
### Fixed
|
|
104
|
+
|
|
105
|
+
- Run retrieval hints (trailer, JSON payload, snapshot, run summary) are now workspace-qualified: the registry is per-workspace, so commands are rendered through `shlex.join` with the source `--cwd`, and the unknown-handle error explains that runs are per-workspace.
|
|
106
|
+
- `--forbid-commit` and reasoning-effort/model preflight errors are now actionable — they name the corrective flag or config key (`codex.defaultModel` / `droid.models`) and, in a non-Git workspace, explain that no-commit enforcement requires Git rather than demanding an impossible `--isolation worktree`.
|
|
107
|
+
- The codex usage-limit fallback retry now injects the active profile's full env with only `CODEX_HOME` swapped, instead of dropping the profile's other pointers onto a bare environment.
|
|
108
|
+
- The internal "codex auth attempt" delimiter is no longer written to a non-Codex run's stderr log when a profile happens to define both a `CODEX_HOME` and a `codex.fallbackProfile`.
|
|
109
|
+
|
|
110
|
+
## [0.6.0] - 2026-06-23
|
|
111
|
+
|
|
112
|
+
### Added
|
|
113
|
+
|
|
114
|
+
- Always-on best-effort credential scrubbing on `describe`/`models` discovery output.
|
|
115
|
+
- Heartbeat opt-in via config: `progress.enabled`, `progress.initialDelaySec`, and `progress.intervalSec`, plus `--no-progress` to override config for one launch.
|
|
116
|
+
- Foreground launch progress via `--progress`, emitted to stderr so JSON stdout remains machine-readable.
|
|
117
|
+
- Persistent worktree `workSummary` metadata, including dirty state, changed file counts, diff stat, and child-created commits. `--forbid-commit` now fails persistent worktree work runs if the child creates commits.
|
|
118
|
+
- `run-output --max-chars` for bounded non-raw stdout/stderr sections, plus `rawOutputBytes` metadata for intentional `--raw` reads.
|
|
119
|
+
|
|
120
|
+
### Changed
|
|
121
|
+
|
|
122
|
+
- Removed discovery `--redacted` cosmetic masking; `--summary` remains the compact discovery surface.
|
|
123
|
+
- `worktree list/show` now distinguish `branchMergedIntoSource` from `mergedIntoSource`; `mergedIntoSource` means the branch is merged and the worktree has no uncommitted changes.
|
|
124
|
+
- Kimi help and docs now match actual argv behavior: Delegate uses Kimi prompt mode and does not emit `--yolo` with `--prompt`.
|
|
125
|
+
|
|
126
|
+
### Fixed
|
|
127
|
+
|
|
128
|
+
- Heartbeat path scrubbing is URL-safe and covers additional container/CI absolute paths without corrupting `https://…` URLs.
|
|
129
|
+
- Global `--json` inference now applies consistently before more subcommands.
|
|
130
|
+
- Completion-report recovery now prefers substantive final assistant output over housekeeping/progress output when no explicit completion report exists.
|
|
131
|
+
- Worktree handle suggestions are scoped to persistent worktrees, and safe-mode prompts more clearly allow read-only investigation and text-only patch proposals.
|
|
132
|
+
- Shared fake-agent test harness output is quiet by default.
|
|
133
|
+
|
|
134
|
+
## [0.5.0] - 2026-06-18
|
|
135
|
+
|
|
136
|
+
### Added
|
|
137
|
+
|
|
138
|
+
- New `claude` engine wrapping Claude Code headless mode (`claude -p`). `delegate claude safe` and `delegate claude work` deliver the prompt on stdin and parse Claude Code's `stream-json` output, the same way the other harnesses are normalized. Requires Claude Code 2.1.x or newer (verified on 2.1.181) for `--effort`, `--permission-mode auto`, and `--no-session-persistence`.
|
|
139
|
+
|
|
140
|
+
- Claude safe mode runs in a temporary isolated workspace (detached worktree or directory copy) with `--permission-mode plan`, `--strict-mcp-config`, a Read/Grep/Glob tool set, and a read-only Bash allowlist (`git diff/status/show/log`, `rg`, `grep`, `ls`). Safe mode is added to the engines that require real isolation, so `--isolation none` is rejected for it.
|
|
141
|
+
|
|
142
|
+
- Claude work mode uses `claude.workPermissionMode` (default `auto`). Delegate only emits `--permission-mode bypassPermissions` when `policy.harness.claude.work.bypassApprovalsAndSandbox` is explicitly set; `workPermissionMode` itself rejects `bypassPermissions` so a global sandbox profile can never silently broaden Claude's permissions.
|
|
143
|
+
|
|
144
|
+
- Reasoning effort for Claude maps directly to Claude Code's native `--effort` (`low`, `medium`, `high`, `xhigh`, `max`), validated before launch and kept independent of the Codex/Droid model-capability cache.
|
|
145
|
+
|
|
146
|
+
- New `claude` config section (`binary`, `defaultModel`, `defaultReasoningEffort`, `workPermissionMode`, `noSessionPersistence`, `bare`) with validation, and Claude coverage across `describe`, `models`, `reasoning-capabilities`, and `dry-run`. Tool activity is surfaced as `tool.started` / `tool.completed` events parsed from Claude's `tool_use` / `tool_result` content blocks.
|
|
147
|
+
|
|
148
|
+
## [0.4.0] - 2026-06-15
|
|
149
|
+
|
|
150
|
+
### Changed
|
|
151
|
+
|
|
152
|
+
- Safe mode now requires real isolation for Cursor, Droid, and Kimi: `--isolation none` (or `isolation.safe = "none"` in config) is rejected for these engines with `invalid_isolation`, so safe runs always execute in a temporary isolated workspace. **Migration:** remove any `{"isolation": {"safe": "none"}}` override for cursor/droid/kimi and use `auto` or `worktree`. Codex safe still permits `none` because it enforces its own `--sandbox read-only`.
|
|
153
|
+
|
|
154
|
+
- `delegate droid safe` now defaults to a temporary isolated worktree instead of running in place in the source tree, matching Cursor, Codex, and Kimi safe.
|
|
155
|
+
|
|
156
|
+
- `delegate snapshot` now surfaces `creationContext` (`sourceHeadOid`, `sourceBranch`, `sourceGitCommonDir`, `plannedExecutionCwd`) for persistent-worktree runs, sourced from the run manifest when the snapshot omits it.
|
|
157
|
+
|
|
158
|
+
- `run-output` stdout/stderr section `truncated` now reflects whether the tail actually cut content, instead of always reporting `true` for live and archived tails. Parent agents that branch on `truncated` to decide whether to fetch `--raw` should re-check.
|
|
159
|
+
|
|
160
|
+
### Fixed
|
|
161
|
+
|
|
162
|
+
- A single corrupt or partially written per-run `state.json` / `manifest.json` no longer aborts whole-registry commands (`runs`, `snapshot`, `run-output`, `worktree list`) or blocks launching new runs. Bulk readers skip the bad file and degrade for that one run, while commands targeting a specific run still fail loud.
|
|
163
|
+
|
|
164
|
+
- `delegate kimi work` no longer passes `--yolo` together with `--prompt`; current Kimi CLI rejects that combination, and Kimi prompt mode already auto-approves tool actions.
|
|
165
|
+
|
|
166
|
+
## [0.3.1] - 2026-06-12
|
|
167
|
+
|
|
168
|
+
### Changed
|
|
169
|
+
|
|
170
|
+
- Troubleshooting guidance now covers Kimi binary checks, active config layer inspection, safe-mode dry-run limits, pass-through option placement, exact-payload completion-report behavior, and worktree cleanup flags.
|
|
171
|
+
- Delegate completion-report instructions now tell child agents to put exact operator-requested payloads, such as bare JSON, after the concise parent-facing report instead of wrapping them inside it.
|
|
172
|
+
- Local planning documents under `docs/plans/` are ignored as private working artifacts.
|
|
173
|
+
|
|
174
|
+
### Fixed
|
|
175
|
+
|
|
176
|
+
- `missing_binary` errors now include actionable JSON diagnostics (`configPath`, `configKey`, and optional `suggestedBinaryPath`) for configured child runtimes, including persistent worktree preflight and launch paths.
|
|
177
|
+
- Launch and dry-run parsing now reject misplaced global completion/pass-through options after the subcommand or mode, matching the documented option placement rules.
|
|
178
|
+
|
|
179
|
+
## [0.3.0] - 2026-06-12
|
|
180
|
+
|
|
181
|
+
### Added
|
|
182
|
+
|
|
183
|
+
- Kimi Code harness (`delegate kimi`). Safe mode runs in an isolated temporary workspace with Delegate's read-only safety prompt; work mode emits Kimi `--yolo` by default for edit-capable prompt-mode runs. Delegate intentionally does not use Kimi `--plan` for safe mode. Kimi prompt mode auto-approves tool actions, so safe mode's effective write boundary is the isolated workspace and the safety prompt is advisory. Model selection uses `kimi.defaultModel` config or the `model` field in JSON run input. Reasoning effort is not supported for Kimi in v1.
|
|
184
|
+
|
|
185
|
+
## [0.2.0] - 2026-06-09
|
|
186
|
+
|
|
187
|
+
### Added
|
|
188
|
+
|
|
189
|
+
- Provider-aware `--reasoning-effort LEVEL` for Codex, Droid, and Cursor runs (plus `reasoningEffort` in JSON run input). Values are literal and validated against per-model capability declarations resolved from config (`reasoning.capabilities`), a refreshable workspace cache, or bundled fallback data. Explicit requests fail closed with `unsupported_reasoning_effort`; an engine `defaultReasoningEffort` config default that cannot be satisfied is skipped with a recorded warning instead of failing every run.
|
|
190
|
+
|
|
191
|
+
- `delegate capabilities` reports the merged reasoning capability matrix; `delegate capabilities refresh` probes `codex debug models` and writes `.delegate/capabilities/reasoning.json` atomically with owner-only permissions. A malformed cache file is ignored at run time and overwritten by the next refresh.
|
|
192
|
+
|
|
193
|
+
- Prompt text no longer travels in child argv: Codex prompts are delivered via stdin and Droid prompts via a private temp file. Dry-run payloads and manifests show redaction placeholders plus a `promptTransport` field, and stdin delivery failures surface as a run warning on stderr and in the snapshot.
|
|
194
|
+
|
|
195
|
+
- `run-output --completion-report` now recovers the last interim assistant message for dead Droid runs as well as Cursor runs (marked `synthetic`); Codex recovery still requires a completed final turn.
|
|
196
|
+
|
|
197
|
+
### Changed
|
|
198
|
+
|
|
199
|
+
- `run-output --stdout`/`--stderr` without `--tail` or `--raw` defaults to a bounded 80-line tail instead of erroring with `missing_tail`. Text output marks tailed sections (`last N lines; full log B bytes`) and synthetic completion reports in the section header; JSON output carries the equivalent flags.
|
|
200
|
+
|
|
201
|
+
- `worktree show --latest HARNESS` resolves the most recent persistent worktree for that harness, intentionally ignoring newer non-worktree runs. `worktree list` JSON gains a `summary`; `totalPersistentWorktrees` is registry-wide while `allStatusCounts` is scoped to the `--harness` filter.
|
|
202
|
+
|
|
203
|
+
- Run listings probe each run's pid once per entry, so `effectiveStatus` and `staleReason` can no longer disagree about a process that exits mid-listing.
|
|
204
|
+
|
|
205
|
+
- `reasoning.capabilities` config keys are restricted to `codex` and `droid` (Cursor uses `cursor.reasoningEffortModels`), and effort strings reject whitespace, double quotes, and backslashes.
|
|
206
|
+
|
|
207
|
+
## [0.1.4] - 2026-06-08
|
|
208
|
+
|
|
209
|
+
### Fixed
|
|
210
|
+
|
|
211
|
+
- Child agent processes now receive EOF on stdin instead of inheriting Delegate's own
|
|
212
|
+
stdin. This prevents Codex runs launched from orchestrators with open stdin pipes
|
|
213
|
+
from hanging before they emit output.
|
|
214
|
+
|
|
215
|
+
## [0.1.3] - 2026-06-05
|
|
216
|
+
|
|
217
|
+
### Added
|
|
218
|
+
|
|
219
|
+
- Codex streaming events are now parsed by the run tracker. `item.started`, `item.completed`, `turn.started`, and `turn.completed` events surface `agent_message` text and `command_execution` tool activity from `codex` runs in snapshots and completion reports.
|
|
220
|
+
|
|
221
|
+
- `run-output --completion-report` recovers a completion report from the recorded child stdout stream when `completion-report.md` is absent and the run has finished. Recovered reports are reconstructed with the same event parser used during live tracking, and are marked `synthetic: true` with `source: "stdout.log"` in JSON output. Codex recovery only promotes an `agent_message` once the stream reaches `turn.completed`, so in-progress messages are never treated as a final report.
|
|
222
|
+
|
|
223
|
+
- Synthetic completion-report recovery is bounded and best-effort. Delegate reads only a limited stdout tail during recovery, including archived stdout, and reports a clean `missing_completion_report` error when no completed final message is available inside that recovery window.
|
|
224
|
+
|
|
225
|
+
- Display-side redaction now covers common credential shapes such as authorization headers, bearer/basic tokens, JWT-like strings, and common secret key-values in snapshots and run-output views.
|
|
226
|
+
|
|
227
|
+
- Prompt input from delayed stdin pipes is now accepted when no direct prompt or prompt file is supplied.
|
|
228
|
+
|
|
229
|
+
### Notes
|
|
230
|
+
|
|
231
|
+
- Releases before 0.1.3 predate this changelog.
|
|
232
|
+
|
|
233
|
+
[0.11.0]: https://github.com/treygoff24/delegate-agent/compare/v0.10.0...v0.11.0
|
|
234
|
+
[0.10.0]: https://github.com/treygoff24/delegate-agent/compare/v0.9.0...v0.10.0
|
|
235
|
+
[0.9.0]: https://github.com/treygoff24/delegate-agent/compare/v0.8.1...v0.9.0
|
|
236
|
+
[0.8.1]: https://github.com/treygoff24/delegate-agent/compare/v0.8.0...v0.8.1
|
|
237
|
+
[0.8.0]: https://github.com/treygoff24/delegate-agent/compare/v0.7.0...v0.8.0
|
|
238
|
+
[0.7.0]: https://github.com/treygoff24/delegate-agent/compare/v0.6.0...v0.7.0
|
|
239
|
+
[0.6.0]: https://github.com/treygoff24/delegate-agent/compare/v0.5.0...v0.6.0
|
|
240
|
+
[0.5.0]: https://github.com/treygoff24/delegate-agent/compare/v0.4.0...v0.5.0
|
|
241
|
+
[0.4.0]: https://github.com/treygoff24/delegate-agent/compare/v0.3.1...v0.4.0
|
|
242
|
+
[0.3.1]: https://github.com/treygoff24/delegate-agent/compare/v0.3.0...v0.3.1
|
|
243
|
+
[0.3.0]: https://github.com/treygoff24/delegate-agent/compare/v0.2.0...v0.3.0
|
|
244
|
+
[0.2.0]: https://github.com/treygoff24/delegate-agent/compare/v0.1.4...v0.2.0
|
|
245
|
+
[0.1.4]: https://github.com/treygoff24/delegate-agent/compare/v0.1.3...v0.1.4
|
|
246
|
+
[0.1.3]: https://github.com/treygoff24/delegate-agent/releases/tag/v0.1.3
|
|
@@ -0,0 +1,55 @@
|
|
|
1
|
+
# Contributing
|
|
2
|
+
|
|
3
|
+
Thanks for your interest in Delegate Agent. The project is early, so small, well-scoped changes are easiest to review.
|
|
4
|
+
|
|
5
|
+
## Local setup
|
|
6
|
+
|
|
7
|
+
```bash
|
|
8
|
+
python3 -m venv .venv
|
|
9
|
+
. .venv/bin/activate
|
|
10
|
+
python -m pip install -e ".[dev]"
|
|
11
|
+
python3 bin/delegate.py --json describe
|
|
12
|
+
python3 -m unittest discover -s tests
|
|
13
|
+
```
|
|
14
|
+
|
|
15
|
+
Use `python3 bin/delegate.py` from this repository when validating development changes. Do not overwrite an installed `delegate` shim, `~/.delegate/config.json`, or any live runtime unless an operator explicitly asks for promotion.
|
|
16
|
+
|
|
17
|
+
## Supported platforms
|
|
18
|
+
|
|
19
|
+
Required CI currently runs on Linux for Python 3.11, 3.12, 3.13, and 3.14. Contributions for macOS or Windows compatibility are welcome, but do not claim support for a platform until tests cover it.
|
|
20
|
+
|
|
21
|
+
## Development guidelines
|
|
22
|
+
|
|
23
|
+
- Keep CLI behavior explicit and predictable.
|
|
24
|
+
- Add or update tests for parser, validation, execution-shape, run-registry, and worktree-management changes.
|
|
25
|
+
- Do not add commands that commit, push, merge, deploy, or publish repositories from Delegate Agent itself.
|
|
26
|
+
- Keep `safe` versus `work` mode boundaries clear in code and docs.
|
|
27
|
+
- Treat worktree isolation as checkout isolation, not a complete security sandbox.
|
|
28
|
+
- Do not commit local runtime state, provider credentials, API keys, machine-specific logs, `.delegate/` run state, or private model aliases.
|
|
29
|
+
- Keep public examples provider-neutral. Prefer local alias names such as `reviewer` and `implementer`.
|
|
30
|
+
|
|
31
|
+
## Verification
|
|
32
|
+
|
|
33
|
+
Run the narrowest useful checks for your change, then the full suite before proposing a release or broad merge:
|
|
34
|
+
|
|
35
|
+
```bash
|
|
36
|
+
python3 -m compileall -q src tests bin
|
|
37
|
+
git diff --check
|
|
38
|
+
python3 -m unittest discover -s tests
|
|
39
|
+
ruff check .
|
|
40
|
+
ruff format --check .
|
|
41
|
+
```
|
|
42
|
+
|
|
43
|
+
`ruff` ships in the `dev` optional-dependencies group; run `ruff format .` to apply formatting. Required CI does not need real Cursor, Droid, Codex, Claude, or Kimi binaries.
|
|
44
|
+
|
|
45
|
+
## Reporting issues
|
|
46
|
+
|
|
47
|
+
When filing an issue, include:
|
|
48
|
+
|
|
49
|
+
- the command you ran,
|
|
50
|
+
- whether you used installed `delegate` or `python3 bin/delegate.py`,
|
|
51
|
+
- sanitized config/model aliases if relevant,
|
|
52
|
+
- expected behavior,
|
|
53
|
+
- actual behavior,
|
|
54
|
+
- whether the issue affects `safe`, `work`, or both,
|
|
55
|
+
- whether the workspace was Git, non-Git, temporary isolation, or persistent worktree isolation.
|
|
@@ -0,0 +1,21 @@
|
|
|
1
|
+
MIT License
|
|
2
|
+
|
|
3
|
+
Copyright (c) 2026 Trey Goff
|
|
4
|
+
|
|
5
|
+
Permission is hereby granted, free of charge, to any person obtaining a copy
|
|
6
|
+
of this software and associated documentation files (the "Software"), to deal
|
|
7
|
+
in the Software without restriction, including without limitation the rights
|
|
8
|
+
to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
|
|
9
|
+
copies of the Software, and to permit persons to whom the Software is
|
|
10
|
+
furnished to do so, subject to the following conditions:
|
|
11
|
+
|
|
12
|
+
The above copyright notice and this permission notice shall be included in all
|
|
13
|
+
copies or substantial portions of the Software.
|
|
14
|
+
|
|
15
|
+
THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
|
|
16
|
+
IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
|
|
17
|
+
FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
|
|
18
|
+
AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
|
|
19
|
+
LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
|
|
20
|
+
OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
|
|
21
|
+
SOFTWARE.
|
|
@@ -0,0 +1,24 @@
|
|
|
1
|
+
include LICENSE
|
|
2
|
+
include README.md
|
|
3
|
+
include CHANGELOG.md
|
|
4
|
+
include CONTRIBUTING.md
|
|
5
|
+
include SECURITY.md
|
|
6
|
+
include config.example.json
|
|
7
|
+
include bin/delegate.py
|
|
8
|
+
include bin/delegate-profile-shim
|
|
9
|
+
include docs/agent-setup.md
|
|
10
|
+
include docs/cli-reference.md
|
|
11
|
+
include docs/configuration.md
|
|
12
|
+
include docs/development.md
|
|
13
|
+
include docs/live-runtime.md
|
|
14
|
+
include docs/publishing-checklist.md
|
|
15
|
+
include docs/security-model.md
|
|
16
|
+
include docs/troubleshooting.md
|
|
17
|
+
include docs/worktrees.md
|
|
18
|
+
recursive-include docs/assets *.png
|
|
19
|
+
recursive-include examples *.json
|
|
20
|
+
prune docs/plans
|
|
21
|
+
prune internal
|
|
22
|
+
exclude CONTEXT.md
|
|
23
|
+
exclude WIP_SPEC.md
|
|
24
|
+
exclude cursor-prereq.example.json
|