delimit-ai/delimit

v4.2.0 Feature

This release adds 2 notable features for engineering teams evaluating rollout.

Published 1mo MCP Developer Tools
✓ No known CVEs patched

Topics

ai-governance api-governance breaking-changes claude-code codex cross-model cursor deliberation devtools gemini-cli mcp mcp-server model-context-protocol openapi

Affected surfaces

auth rbac

Summary

AI summary

ACTION_DENYLIST adds an explicit denylist of prohibited action categories for the executor.

Full changelog

Full-stack deploy: gateway + UI + npm bundle

Added (LED-987 through LED-1008)

  • ACTION_DENYLIST (LED-988) — executor gains an explicit denylist of prohibited action categories (money, legal/identity, credentials, deploy, contracts) that fires BEFORE the ACTION_SPEC whitelist check. Defense in depth against LLM-driven executor drift.
  • propose_pr autonomous build primitive (LED-988) — executor can propose PRs against an allowlisted repo set (PROPOSE_PR_ALLOWED_REPOS) with a fixed branch prefix (delimit/) and author (delimit-bot). Guarded by denylist + whitelist.
  • Reddit residential-IP proxy (LED-987) — scoped service bypasses 429s on reddit34.p.rapidapi.com by routing through a residential IP. Systemd-managed, auto-restart, rate-limited.
  • Reversible stale cleanup (LED-990) — weekly timer demotes blocked items to a cold lane after 30d instead of deleting. Restore with a single status flip. First-run safe with DRY_RUN=1.
  • Warm-thread PR watcher (LED-989) — 14-day warm window on outreach follow-ups; skip threads inactive longer than that. MAX_ACTIVE_THREADS=8 cap prevents dog-piling a single repository.
  • Lemon Squeezy → Supabase reconciler (LED-996) — trial watcher now polls LS every 6h and upserts subscription_status + role into the Supabase users table. Catches webhook drops without manual SQL.
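
The denylist-before-whitelist ordering and the propose_pr guards from the first two items above, as an added sketch that is not delimit's own code. The constant names come from the changelog; their contents, the category map, the example repo, the rotate_api_key drift entry and the branch character set are assumptions.

```javascript
'use strict';

// Constant names come from the changelog; their contents and shapes are assumptions.
const ACTION_DENYLIST = new Set(['money', 'legal/identity', 'credentials', 'deploy', 'contracts']);
const PROPOSE_PR_ALLOWED_REPOS = new Set(['example-org/example-repo']); // constructed
const BRANCH_RE = /^delimit\/[A-Za-z0-9][A-Za-z0-9._-]*$/; // fixed prefix; charset is assumed
const PR_AUTHOR = 'delimit-bot';

// Hypothetical category map, kept apart from the whitelist so that a bad
// whitelist entry cannot reclassify an action.
const CATEGORY_OF = new Map([
  ['propose_pr', 'code-change'],
  ['post_comment', 'outreach'],
  ['rotate_api_key', 'credentials'],
]);

// Hypothetical ACTION_SPEC whitelist: action name -> argument validator.
// rotate_api_key is a deliberate "drift" entry that should never have been added.
const ACTION_SPEC = new Map([
  ['propose_pr', (args) => {
    if (!PROPOSE_PR_ALLOWED_REPOS.has(args.repo)) return 'repo not in PROPOSE_PR_ALLOWED_REPOS';
    if (typeof args.branch !== 'string' || !BRANCH_RE.test(args.branch)) return 'branch outside delimit/';
    if (args.author !== PR_AUTHOR) return 'author must be delimit-bot';
    return null;
  }],
  ['rotate_api_key', () => null],
]);

// Gate one executor request: denylist first, then whitelist, then arguments.
function authorize({ action, args = {} }) {
  const category = CATEGORY_OF.get(action);
  // Fail closed: an action with no known category is treated as denied.
  if (category === undefined || ACTION_DENYLIST.has(category)) {
    return { allowed: false, stage: 'denylist', reason: category ?? 'uncategorized' };
  }
  const validate = ACTION_SPEC.get(action);
  if (!validate) return { allowed: false, stage: 'whitelist', reason: 'not in ACTION_SPEC' };
  const error = validate(args);
  if (error) return { allowed: false, stage: 'args', reason: error };
  return { allowed: true, stage: 'ok', reason: null };
}

// Constructed requests: the drift entry is whitelisted yet still blocked.
const pr = { repo: 'example-org/example-repo', branch: 'delimit/fix-typo', author: 'delimit-bot' };
console.log(authorize({ action: 'rotate_api_key' }));
console.log(authorize({ action: 'propose_pr', args: pr }));
console.log(authorize({ action: 'propose_pr', args: { ...pr, branch: 'main' } }));
```

Because the category check runs first, a whitelist entry added by mistake for a prohibited category is rejected before its validator is ever consulted.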

Fixed

  • Exit-shim counter undercounting — previously missed commits outside SESSION_CWD and dropped Z-suffixed timestamps; both now captured.
  • Proprietary path leaks — sync-gateway.sh EXCLUDE list hardened to keep internal portfolio files out of the npm bundle.

Security

  • 0 real findings across gateway + UI pre-release audit (false positives only — test fixtures and TypeScript token: parameter types).
  • js-yaml v4 safe-by-default confirmed.

Compatibility

  • MCP tool signatures: no removals. All existing tool contracts preserved.
  • CLI commands: no renames. delimit activate, delimit doctor, delimit think, delimit build, etc. all unchanged.
  • Storage formats: no migration required. Supabase migration 025 (venture column) is nullable/backward-compatible.

Install / upgrade

npm install -g delimit-cli@4.2.0

Or if already installed:

npm update -g delimit-cli
delimit doctor

Companion deploys shipped alongside

  • delimit-gateway tag gateway-2026-04-21 merged to main
  • delimit-ui tag ui-2026-04-21 merged to main, Vercel auto-deployed to app.delimit.ai
    • New: Billing + API Keys pages wired to Supabase
    • New: Inbox "Blocked" tab showing sanitizer-killed drafts with reason + override
    • New: Venture tag chips + filter on all inbox rows
  • Supabase migration 025 applied (venture TEXT column on work_orders / deliberations / social_drafts / resolution_events)

About delimit-ai/delimit

API governance server that detects breaking changes in OpenAPI specs. Diffs two spec versions, applies configurable policy rules (strict/default/relaxed), and returns structured pass/fail verdicts. 23 change types, 10 breaking. Supports OpenAPI 3.0, 3.1, and Swagger 2.0.
