Lint two OpenAPI specs for breaking changes and policy violations. Primary CI integration point. Combines diff + policy into pass/fail. Auto-chains: semver classification, governance evaluation on breaking changes.

When dry_run=True, returns violations and semver classification without recording evidence, triggering notifications, or enforcing governance. Useful for CI preview comments ("what would block") without side effects.

Diff two OpenAPI specs and list all changes. Pure diff, no policy.

Generate a shareable API diff report with full analysis.

Runs the complete pipeline (diff, policy evaluation, semver classification, spec health scoring, migration guide) and produces a self-contained HTML report or structured JSON. The HTML has inline CSS with no external dependencies -- open it in any browser.

Use this when teams need a shareable artifact for API review, PR comments, or compliance records.

Score an OpenAPI spec on quality dimensions. Instant health grade.

Evaluates completeness, security, consistency, documentation, and best practices. Returns an overall score (0-100), letter grade (A-F), per-dimension breakdowns, and specific recommendations for improvement.

Use this for quick spec quality checks during onboarding or code review. Works on any valid OpenAPI 3.x or Swagger 2.0 spec.

Inspect, validate, or simulate governance policy configuration.

Query the append-only contract ledger (hash-chained JSONL).

Analyze downstream impact of an API change. Informational only.

Classify the semver bump for a spec change (MAJOR/MINOR/PATCH/NONE).

Deterministic classification based on diff engine output. Optionally computes the next version string.

Generate a human-readable explanation of API changes.

7 templates: developer, team_lead, product, migration, changelog, pr_comment, slack.

Extract OpenAPI spec from framework source code (no spec file needed).

Detects the API framework (FastAPI, Express, NestJS) and extracts a complete OpenAPI specification directly from the source code. Currently supports FastAPI with full fidelity.

Initialize Delimit governance for a project. Creates .delimit/policies.yml and ledger directory.

Also auto-configures filesystem permissions: chmod 755 on .delimit/, chmod 600 on any .delimit/secrets/* files, and creates a project-local .claude/settings.json with a reasonable Edit/Write/Bash allowlist if one does not already exist. Pass no_permissions=True to skip permission setup.

Create a governed execution plan (Pro).

Get current Delimit OS status with plan/task/token counts (Pro).

Check governance gates for a plan (Pro).

Manage governance (Pro for policy/evaluate/new_task/run/verify).

Actions: health, status, policy, evaluate, new_task, run, verify.

Check governance system health.

Get current governance status for a repository.

Get governance policy for a repository (Pro).

Evaluate if governance is required for an action (Pro).

Create a new governance task (Pro).

Run a governance task (Pro).

Verify a governance task (Pro).

Pre-PR duplicate guard for external repos. Run BEFORE drafting.

Lists existing PRs from author against repo via gh CLI. Returns fail-closed verdict — any open PR or PR merged in the last 30 days yields verdict='duplicate' so the caller stops drafting before any deliberation or submission work.

Search conversation memory semantically (Pro).

Store a memory entry for future retrieval.

Free: basic store and recent retrieval. Pro: structured search across all memories.

Get recent work summary from memory.

Free: retrieve recent entries. Pro: structured search.

Search vault entries (Pro).

Check vault health status (Pro).

Get a vault state snapshot (Pro).

Manage deployments (Pro).

Actions: plan, build, npm, publish, site, status, verify, rollback.

Plan deployment with build steps (Pro). Auto-chains: security audit preflight, governance evaluation. Halts on critical security findings.

Build Docker images with SHA tags (Pro).

Publish images to registry (Pro).

Verify deployment health (experimental) (Pro).

Rollback to previous SHA (Pro).

Get deployment status (Pro).

Register a new dataset in the file-based intel registry.

List all registered datasets from the intel registry.

Mark a dataset as immutable (frozen). Prevents further modifications.

Store a research snapshot with provenance metadata in the local intel store.

Search saved intel snapshots by keyword, date, or dataset.

Generate a daily digest of loop activity (LED-966).

Manage work orders — structured task artifacts for the founder (STR-177).

Work orders bridge strategy deliberations and interactive execution. Each is a copy-pasteable markdown file the founder can hand to a Claude Code session.

Run approved work orders from the dashboard inbox (Pro, Worker Pool v2).

Execution is bounded to a narrow whitelist of state-changing actions (gh_issue_create, gh_pr_comment, gh_issue_comment). Every invocation is logged to ~/.delimit/workers/audit/executor.jsonl. Dry-run is the default — pass live=True to actually fire the actions.

The dashboard Approve button flips a work order to status=approved. The poller (or a one-shot call with action=poll) then runs the typed executable_actions list. Touch ~/.delimit/pause_executor to stop the autonomous path at the next tick.

Review and manage the signal corpus (LED-877).

Signals are sensed observations stored at ~/.delimit/intel/signals/, physically separated from the ledger. Use this tool to inspect, cluster, or explicitly promote a signal to a ledger item.

Generate code template.

Scaffold new project structure.

Diagnose repository health issues (experimental) (Pro).

Analyze repository structure and quality (experimental) (Pro).

Validate configuration files (experimental) (Pro).

Audit configuration compliance (experimental) (Pro).

Scan for security vulnerabilities.

Ingest security scan results from external tools (Pro).

Accepts JSON output from Trivy, Semgrep, npm audit, pip-audit, Snyk, or CodeQL. Normalizes findings into a canonical schema, tracks in the ledger, and enables deploy gating on unresolved criticals.

This is the orchestrator model - Delimit doesn't run the scanner, it adds intelligence on top of results you already have.

Multi-model triage of security findings (Pro).

Runs deliberation on ingested security findings to classify each as: real risk, false positive, accepted risk, or needs immediate action.

Can work on findings from the ledger (auto) or from a JSON string.

Manage SIEM streaming - forward audit events to Splunk, Datadog, EventBridge, or webhooks.

Audit security: dependency vulnerabilities, anti-patterns, and secret detection. Auto-chains: evidence collection on all findings, governance task + notification on critical findings.

Scans for:

• Dependency vulnerabilities (pip-audit, npm audit)

• Hardcoded secrets (API keys, tokens, passwords)

• Dangerous patterns (eval, exec, SQL injection, XSS)

• .env files tracked in git

Optional: Set SNYK_TOKEN or install Trivy for enhanced scanning.

Collect evidence artifacts for governance (Pro).

Verify evidence bundle integrity (Pro).

Manage releases: plan, validate, status, rollback, history, sync (Pro for plan/status/sync).

Actions: plan, validate, status, rollback, history, sync.

Generate a release plan from git history (Pro).

Validate release readiness. Auto-chains on failure: evidence collection, notification, ledger recording.

Check release/deploy status (Pro).

Rollback deployment to previous version (experimental).

Show release history (experimental).

(Pro). Analyze project costs by scanning Dockerfiles, dependencies, and cloud configs.

(Pro). Find cost optimization opportunities: unused deps, oversized images, uncompressed assets.

(Pro). Manage cost alerts (file-based). CRUD operations on spending thresholds.

Manage MCP rate limits and session cost controls.

View current usage, check quota for a specific tool, adjust per-tool rate limits, set the session cost cap, or reset all tracking.

Validate data files: JSON parse, CSV structure, SQLite integrity check.

Check for migration files (alembic, Django, Prisma, Knex) and report status.

Back up SQLite and JSON data files to ~/.delimit/backups/ with timestamp.

Manage observability: metrics, logs, alerts, status (Pro for metrics/logs/status).

Actions: metrics, logs, alerts, status.

Query live system metrics (Pro).

Search system and application logs (Pro).

Manage alerting rules (experimental).

System health check (Pro).

Extract design tokens from project CSS/SCSS/Tailwind config.

Works without any API keys (scans local CSS/Tailwind). Figma integration auto-activates when a token is found in: FIGMA_TOKEN env var, or ~/.delimit/secrets/figma.json, or via delimit_secret_store.

Generate a React/Next.js component skeleton with props interface and Tailwind support.

Read existing tailwind.config or generate one from detected CSS tokens.

Validate responsive design patterns via static CSS analysis.

Scans for media queries, viewport meta, mobile-first patterns, fixed widths.

Scan for React/Vue/Svelte components and generate a component catalog.

Generate a .stories.tsx file for a component (no Storybook install required).

Run visual regression test -- screenshot and compare to baseline.

Works without external tools (returns guidance). Enhanced with:

• Playwright (recommended): full visual regression with baseline comparison

• Puppeteer (fallback): screenshot capture via npx

Build Storybook static site.

Works without Storybook installed (returns setup guidance). If Storybook is configured in the project, runs the build automatically.

Run WCAG accessibility checks by scanning HTML/JSX/TSX for common issues.

Checks: missing alt, missing labels, empty buttons, heading order, aria-hidden on focusable.

Generate test skeletons for source code.

Scans source files using AST parsing (Python) or regex (JS/TS), extracts public function signatures, and generates test file skeletons.

Analyze test coverage (experimental) (Pro).

Run smoke tests for a project.

Detects the test framework (pytest/jest/vitest/mocha) from project config, runs the test suite, and parses pass/fail/error counts.

Generate API reference documentation for a project.

Scans Python files for docstrings and JS/TS files for JSDoc comments. Produces a markdown API reference organized by source file.

Validate documentation quality and completeness.

Checks README existence, docstring coverage on public functions, and broken internal links in markdown files.

Check a GitHub issue for new comments since the last check.

Sensor tool for monitoring outreach issues. Returns a structured signal with new comments, issue state, and severity classification.

Scan GitHub issues/PRs for migration patterns across target repos.

Detects language like "migrated from X to Y", "switched to Y", "replaced X with Y", "no longer using X" etc. Returns structured migration signals with source/target tools, sentiment, and strength.

Useful for competitive intelligence: see what tools repos are moving away from and what they are adopting.

Return Delimit unified server version, tool count, and environment status.

Shows auto-detected API keys, CLIs, and security tools so users know what capabilities are available without manual configuration.

Manage the agent swarm - ventures, personas, namespace isolation.

Each venture gets 5 AI agent roles (Architect, Senior Dev, Reviewer, QA, Ops) with namespace isolation and model binding per Agent Swarm Standard v1.2.

Run a multi-model code review on a diff or file.

Sends the code change to multiple AI models and consolidates their feedback into a single structured review. The output can be posted as a GitHub PR comment.

Provide either a diff string or a file path to review.

Scan or redact sensitive data (API keys, secrets, PII) from text.

Use before sending prompts to external LLMs to prevent data leakage. Detects: API keys (OpenAI, xAI, Google, GitHub, npm), passwords, bearer tokens, emails, phone numbers, SSNs, credit cards, IPs, DB URLs.

Detect prompt drift - when the same task behaves differently across models.

Track how prompts perform across Claude, Codex, and Gemini. Find which model is best for each task type on YOUR codebase.

Detect and prevent two AI models from editing the same file.

Call before editing a file to check if another model is already working on it.

Manage delimit.yml project configuration.

A committable YAML file that defines AI governance for your repo. Your teammates get the same AI setup when they clone.

Manage reusable prompt templates - save, run, list, delete.

Save your best prompts as named commands. Use {{variables}} for dynamic parts. Works across all AI assistants through the shared MCP workspace.