Skip to content

delimit-ai/delimit

v4.5.3 Security

This release includes 2 security fixes for security teams reviewing exposed deployments.

Published 28d MCP Developer Tools
✓ No known CVEs patched
Read the diff → Tool health → What is this tool? →
This release patches 2 known CVEs

Topics

ai-governance api-governance breaking-changes claude-code codex cross-model
+8 more
cursor deliberation devtools gemini-cli mcp mcp-server model-context-protocol openapi

Affected surfaces

auth

Summary

AI summary

Hardcoded license‑bypass prefix removed and canonicalize() now signs full content.

Full changelog

What's Changed

  • fix(security): LED-1180 canonicalize() — sign full content not just shape (v4.5.1) by @infracore in https://github.com/delimit-ai/delimit-mcp-server/pull/70
  • chore(readme): refresh stale badges (Action v1.6→latest, tests 165→1640+) by @infracore in https://github.com/delimit-ai/delimit-mcp-server/pull/72
  • attest mcp: panel verdict (Q1-Q6) + framing audit + --write deprecation by @infracore in https://github.com/delimit-ai/delimit-mcp-server/pull/73
  • template+package: dispatch-rule sync + gate self-repair as gateway-only by @infracore in https://github.com/delimit-ai/delimit-mcp-server/pull/74
  • template: reframe operating-model rule per swarm-executor verdict by @infracore in https://github.com/delimit-ai/delimit-mcp-server/pull/76
  • package: gate corp_dashboard as gateway-only (LED-189 follow-up) by @infracore in https://github.com/delimit-ai/delimit-mcp-server/pull/77
  • chore(release): v4.5.2 — install hardening + carry-over cleanup + STR-656 ride by @infracore in https://github.com/delimit-ai/delimit-mcp-server/pull/78
  • chore(readme): cal.com worked-example link, methodology in nav, LED-1037 pricing canon, +16 keywords by @infracore in https://github.com/delimit-ai/delimit-mcp-server/pull/79
  • fix(security): remove hardcoded license-bypass prefix (LED-1246, P0) — 4.5.3 by @infracore in https://github.com/delimit-ai/delimit-mcp-server/pull/80

Full Changelog: https://github.com/delimit-ai/delimit-mcp-server/compare/v4.4.0...v4.5.3

Breaking Changes

  • Removed hardcoded license-bypass prefix (LED-1246).
  • canonicalize() now signs full content instead of just shape.

Security Fixes

  • fix(security): LED-1180 canonicalize() — sign full content not just shape.
  • fix(security): remove hardcoded license-bypass prefix (LED-1246, P0).
View diff on GitHub

Weekly OSS security release digest.

The CVE patches and breaking changes that affected production tools this week. One email, every Sunday.

No spam, unsubscribe anytime.

Share this release

Share on X Share on Bluesky

Track delimit-ai/delimit

Get notified when new releases ship.

Sign up free

About delimit-ai/delimit

API governance server that detects breaking changes in OpenAPI specs. Diffs two spec versions, applies configurable policy rules (strict/default/relaxed), and returns structured pass/fail verdicts. 23 change types, 10 breaking. Supports OpenAPI 3.0, 3.1, and Swagger 2.0.

All releases →

Related context

Beta — feedback welcome: [email protected]