Public attestation reports
What a merge gate sees on real public APIs.
Delimit's merge gate run against recognizable open-source API surfaces. Each report is reproducible byte-for-byte from the cited commits and ships under the Delimit team byline.
- 2026-06-17/Delimit (delimit-ai/delimit-mcp-server)
delimit-cli 4.11.0: shipping our own release through our own merge gate
On 2026-06-17 we shipped a real, npm-installable release — delimit-cli@4.11.0 then 4.11.1 (compiled Pro engine proModuleVersion 3.10.0) — through Delimit's own governance. Five pull requests, each adjudicated by three independent models (Claude Opus 4.8, GPT-5.3-codex, Grok 4.3) under the deliberation-as-review pattern, all unanimous AGREE: PR #235 + #134 (revenue-consistency fix + Golden-Path docs), PR #236 (security_audit dedup), PR #237 + #238 (Twitter freshness gate + Pro-gate denial telemetry). Clean security audit (0/0/0/0) with a signed evidence bundle, a deploy-gate chain per publish, compiled-engine guards re-asserted per artifact, and a free user verified gated on both the Python-fallback and live compiled-.so paths. The same day, a separate strategic deliberation hit MAX-ROUNDS with no consensus and was correctly held, and a model-hallucinated security finding was caught and corrected. We don't just sell the merge gate; we ship our own releases through it.
read the report - 2026-05-31/European Commission (TED v3 Public API)
EU TED v3 procurement API: $ref'd component-schema drift under a merge gate
Three surgical mutations inside #/components/schemas/Metadata on the live EU TED v3 procurement API (OpenAPI 3.1.0, 11 paths, 28 component schemas): a required-field drop, a property retype, and a new-required-field add. All three reached through the $ref chain (NoticeSubmitRequest → Metadata) and flagged as breaking at the JSON Pointer level, semver classified major, deploy gate blocked. Path-level diff tools miss this entire class.
read the report - 2026-05-13/Cross-CLI session handoff (worked example)
Cross-agent handoff: one artifact, four CLIs
Claude Code hits its daily quota mid-task. Codex (or Cursor, or Gemini CLI) needs to pick up at the same file, the same open interface question, the same task. The underlying CLIs do not share session state; a structured JSON record at ~/.delimit/sessions/ does. delimit_session_handoff writes the seven named fields, delimit_revive reads them. Persistent context across sessions, same artifact across four CLIs.
read the report - 2026-05-08/delimit-mcp-server (self-attestation)
delimit-mcp-server (self-attestation): same merge gate, third artifact class
We turned the classifier inward. Glama added the Tool Definition Quality Score in April 2026; on the rollout, delimit-mcp-server scored C-quality. On 2026-05-08 a deterministic TDQS linter (LED-2108) drove a truth-preserving retrofit of 197 of 202 tool docstrings (LED-2109). The aggregate grade moved from C (mean 2.66, distribution 1 A / 16 B / 145 C / 40 D) to A (mean 4.52, distribution 139 A / 63 B / 0 C / 0 D), no tool below B, gateway tests 4539 to 4574 (+35) all pass. Same primitive that runs the merge gate on AI-written code, third artifact class.
read the report - 2026-05-08/Anthropic (anthropics/anthropic-sdk-python)
Anthropic API: 76 days under a cross-vendor merge gate
Between the SDK-pinned spec snapshot at .stats.yml commit 7ecac54 (2026-02-19) and the snapshot at commit 2c15407 (2026-05-06), the public Anthropic OpenAPI shipped 88 surface deltas: 37 new beta endpoints across six new product surfaces (Managed Agents, Sessions, Memory Stores, Vaults, Environments, User Profiles), claude-opus-4-7 added to the Model union, structured stop_details now required on every Message response, classical sampling parameters (temperature, top_k, top_p) flagged for deprecation, GA Files and Skills surfaces narrowed back to beta-only. info.version absent on both ends because Anthropic carries its version contract in the request header, not the document. Same gate, any vendor, same signed attestation.
read the report - 2026-05-07/OpenAI (openai/openai-openapi)
OpenAI OpenAPI: a year of AI frontier evolution under a cross-vendor merge gate
Between commit 498c71d (2025-04-29, last in-repo manual update) and the live Stainless-hosted spec retrieved 2026-05-07, the OpenAI public OpenAPI shipped 553 surface deltas: 62 new paths (Conversations, Realtime calls, ChatKit, Videos, Containers, Skills, RBAC), Assistants formally deprecated, AdminApiKeyAuth applied to fifty admin operations, OpenAPI dialect upgraded 3.0 to 3.1, info.version unchanged at 2.3.0 the whole way. Same gate, any vendor, same signed attestation.
read the report - 2026-05-07/Docusign (docusign/OpenAPI-Specifications)
Docusign eSignature v2.1 OpenAPI: 46 days under a merge gate
Between 2026-01-27 and 2026-03-14, two release updates of the canonical Docusign eSignature REST v2.1 OpenAPI added one new envelope-shares endpoint, six supporting definitions, and a uniform signingGroupType property across eleven recipient roles. 405 operations, 21 surface deltas, 0 breaking changes. Here is what additive expansion at enterprise scale looks like under the gate.
read the report - 2026-05-06/Twilio (twilio/twilio-oai)
Twilio v2010 OpenAPI: 55 days under a merge gate
Between 2026-02-18 and 2026-04-14, three librarian regenerations of the canonical Twilio Voice / SMS / Messaging OpenAPI produced four additive enum values on a single PCI capture field and nothing else on the wire. 197 operations unchanged, 0 breaking changes. Here is what compatibility-as-discipline looks like under the gate.
read the report - 2026-05-06/Supabase Auth (supabase/auth)
Supabase Auth OpenAPI: 57 days under a merge gate
Between 2026-03-02 and 2026-04-28, one commit touched the Supabase Auth (GoTrue) OpenAPI: a WebAuthn relying-party config hardening that drops two required fields from the MFA verify endpoint. info.version stayed latest. Here is what a small, surgical, intentional break looks like under the gate.
read the report - 2026-05-05/Stripe (stripe/openapi)
Stripe v1 OpenAPI: 57 days under a merge gate
Between 2026-02-23 and 2026-04-20, Stripe shipped 125 changes across its public OpenAPI: 19 breaking, 106 additive, 414 endpoints unchanged, info.version cleanly bumped from clover to dahlia. Here is what disciplined versioning looks like under the gate.
read the report - 2026-05-04/cal.com (calcom/cal.com)
cal.com v2 OpenAPI: 60 days under a merge gate
Between 2026-03-05 and 2026-05-03, cal.com v2 dropped from 174 endpoints to 82 and renamed itself Cal.diy. info.version stayed 1.0.0. Here is what the merge gate saw.
read the report