npm - @luanpdd/kit-mcp - Versions diffs - 1.28.0 → 1.30.0 - Mend

@luanpdd/kit-mcp 1.28.0 → 1.30.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (332) hide show

package/LICENSE +21 -21
package/README.md +168 -168
package/gates/agent-no-recursive-dispatch.md +82 -82
package/kit/COMANDOS.md +138 -138
package/kit/README.md +76 -76
package/kit/agents/advisor-researcher.md +106 -106
package/kit/agents/assumptions-analyzer.md +107 -107
package/kit/agents/audit-log-implementer.md +313 -313
package/kit/agents/auditor-consistencia-isolamento.md +413 -413
package/kit/agents/b2b-saas-architect.md +156 -156
package/kit/agents/cascading-failures-auditor.md +298 -298
package/kit/agents/codebase-mapper.md +768 -768
package/kit/agents/crm-pipeline-implementer.md +256 -256
package/kit/agents/debugger.md +813 -813
package/kit/agents/detector-tenant-quente.md +337 -337
package/kit/agents/evolution-go-integrator.md +200 -200
package/kit/agents/example-reviewer.md +21 -21
package/kit/agents/executor.md +564 -564
package/kit/agents/integration-checker.md +200 -200
package/kit/agents/invite-flow-implementer.md +189 -189
package/kit/agents/legacy-characterizer.md +368 -368
package/kit/agents/lgpd-compliance-auditor.md +295 -295
package/kit/agents/multi-tenant-isolation-auditor.md +253 -253
package/kit/agents/multi-tenant-rls-writer.md +340 -340
package/kit/agents/nyquist-auditor.md +178 -178
package/kit/agents/observability-coverage-auditor.md +315 -315
package/kit/agents/org-onboarding-implementer.md +223 -223
package/kit/agents/payload-capture-instrumenter.md +273 -273
package/kit/agents/phase-researcher.md +696 -696
package/kit/agents/plan-checker.md +272 -272
package/kit/agents/planner.md +922 -922
package/kit/agents/project-researcher.md +652 -652
package/kit/agents/refactor-safety-auditor.md +404 -404
package/kit/agents/research-synthesizer.md +245 -245
package/kit/agents/roadmapper.md +677 -677
package/kit/agents/seam-finder.md +359 -359
package/kit/agents/shotgun-surgery-detector.md +349 -349
package/kit/agents/supabase-branching-architect.md +562 -562
package/kit/agents/supabase-cicd-pipeline-implementer.md +777 -777
package/kit/agents/supabase-column-privileges-writer.md +399 -399
package/kit/agents/supabase-edge-fn-tester.md +287 -0
package/kit/agents/supabase-edge-fn-writer.md +239 -210
package/kit/agents/supabase-migration-writer.md +385 -385
package/kit/agents/supabase-rbac-implementer.md +392 -392
package/kit/agents/supabase-realtime-implementer.md +363 -267
package/kit/agents/supabase-rls-hardener.md +521 -521
package/kit/agents/supabase-rls-writer.md +323 -323
package/kit/agents/supabase-roles-implementer.md +355 -355
package/kit/agents/super-admin-implementer.md +281 -281
package/kit/agents/ui-auditor.md +437 -437
package/kit/agents/ui-checker.md +302 -302
package/kit/agents/ui-researcher.md +355 -355
package/kit/agents/user-profiler.md +175 -175
package/kit/agents/validador-evolucao-schema.md +335 -335
package/kit/agents/verifier.md +728 -728
package/kit/commands/adicionar-backlog.md +75 -75
package/kit/commands/adicionar-fase.md +42 -42
package/kit/commands/adicionar-tarefa.md +45 -45
package/kit/commands/adicionar-testes.md +41 -41
package/kit/commands/ajuda.md +21 -21
package/kit/commands/atualizar.md +37 -37
package/kit/commands/auditar-cascading.md +111 -111
package/kit/commands/auditar-marco.md +179 -179
package/kit/commands/auditar-observabilidade-cobertura.md +183 -183
package/kit/commands/auditar-refactor.md +219 -219
package/kit/commands/auditar-release.md +109 -109
package/kit/commands/auditar-uat.md +23 -23
package/kit/commands/autonomo.md +40 -40
package/kit/commands/branch-pr.md +24 -24
package/kit/commands/burn-rate-status.md +408 -408
package/kit/commands/capturar-payloads.md +193 -193
package/kit/commands/caracterizar.md +212 -212
package/kit/commands/concluir-marco.md +247 -247
package/kit/commands/configuracoes.md +36 -36
package/kit/commands/dados-distribuidos.md +188 -188
package/kit/commands/definir-perfil.md +10 -10
package/kit/commands/depurar.md +190 -190
package/kit/commands/detectar-duplicacao.md +197 -197
package/kit/commands/discutir-fase.md +131 -131
package/kit/commands/encontrar-seams.md +136 -136
package/kit/commands/entrar-discord.md +17 -17
package/kit/commands/estatisticas.md +18 -18
package/kit/commands/example-greeting.md +33 -33
package/kit/commands/executar-fase.md +58 -58
package/kit/commands/expresso.md +56 -56
package/kit/commands/fase-ui.md +34 -34
package/kit/commands/fazer.md +57 -57
package/kit/commands/fio.md +125 -125
package/kit/commands/fluxos-trabalho.md +64 -64
package/kit/commands/forense.md +176 -176
package/kit/commands/gerenciador.md +38 -38
package/kit/commands/inserir-fase.md +31 -31
package/kit/commands/legacy.md +263 -263
package/kit/commands/limpeza.md +17 -17
package/kit/commands/listar-hipoteses-fase.md +45 -45
package/kit/commands/listar-workspaces.md +18 -18
package/kit/commands/load-shedding.md +117 -117
package/kit/commands/mapear-codebase.md +70 -70
package/kit/commands/multi-tenant.md +163 -163
package/kit/commands/nota.md +33 -33
package/kit/commands/novo-marco.md +43 -43
package/kit/commands/novo-projeto.md +41 -41
package/kit/commands/novo-workspace.md +43 -43
package/kit/commands/pausar-trabalho.md +37 -37
package/kit/commands/perfil-usuario.md +45 -45
package/kit/commands/pesquisar-fase.md +195 -195
package/kit/commands/planejar-fase.md +67 -67
package/kit/commands/planejar-lacunas.md +33 -33
package/kit/commands/plantar-ideia.md +25 -25
package/kit/commands/progresso.md +24 -24
package/kit/commands/proximo.md +30 -30
package/kit/commands/publicar.md +490 -490
package/kit/commands/rapido.md +35 -35
package/kit/commands/reaplicar-patches.md +124 -124
package/kit/commands/refactor-seguro.md +321 -321
package/kit/commands/relatorio-sessao.md +19 -19
package/kit/commands/remover-fase.md +31 -31
package/kit/commands/remover-workspace.md +26 -26
package/kit/commands/resumo-marco.md +50 -50
package/kit/commands/retomar-trabalho.md +40 -40
package/kit/commands/revisar-backlog.md +60 -60
package/kit/commands/revisar-ui.md +32 -32
package/kit/commands/revisar.md +37 -37
package/kit/commands/saude.md +21 -21
package/kit/commands/setup-notion.md +93 -93
package/kit/commands/storytelling.md +179 -179
package/kit/commands/supabase.md +30 -7
package/kit/commands/sync-main.md +68 -68
package/kit/commands/validar-fase.md +35 -35
package/kit/commands/verificar-tarefas.md +44 -44
package/kit/commands/verificar-trabalho.md +64 -64
package/kit/file-manifest.json +14 -8
package/kit/framework/bin/lib/commands.cjs +959 -959
package/kit/framework/bin/lib/config.cjs +442 -442
package/kit/framework/bin/lib/core.cjs +1230 -1230
package/kit/framework/bin/lib/frontmatter.cjs +336 -336
package/kit/framework/bin/lib/init.cjs +1442 -1442
package/kit/framework/bin/lib/milestone.cjs +252 -252
package/kit/framework/bin/lib/model-profiles.cjs +68 -68
package/kit/framework/bin/lib/phase.cjs +888 -888
package/kit/framework/bin/lib/profile-output.cjs +952 -952
package/kit/framework/bin/lib/profile-pipeline.cjs +539 -539
package/kit/framework/bin/lib/roadmap.cjs +329 -329
package/kit/framework/bin/lib/security.cjs +382 -382
package/kit/framework/bin/lib/state.cjs +1031 -1031
package/kit/framework/bin/lib/template.cjs +222 -222
package/kit/framework/bin/lib/uat.cjs +282 -282
package/kit/framework/bin/lib/verify.cjs +888 -888
package/kit/framework/bin/lib/workstream.cjs +491 -491
package/kit/framework/bin/tools.cjs +918 -918
package/kit/framework/commands/workstreams.md +63 -63
package/kit/framework/references/checkpoints.md +778 -778
package/kit/framework/references/continuation-format.md +249 -249
package/kit/framework/references/decimal-phase-calculation.md +64 -64
package/kit/framework/references/git-integration.md +295 -295
package/kit/framework/references/git-planning-commit.md +38 -38
package/kit/framework/references/model-profile-resolution.md +36 -36
package/kit/framework/references/model-profiles.md +139 -139
package/kit/framework/references/phase-argument-parsing.md +61 -61
package/kit/framework/references/planning-config.md +202 -202
package/kit/framework/references/questioning.md +162 -162
package/kit/framework/references/tdd.md +263 -263
package/kit/framework/references/ui-brand.md +160 -160
package/kit/framework/references/user-profiling.md +657 -657
package/kit/framework/references/verification-patterns.md +612 -612
package/kit/framework/references/workstream-flag.md +58 -58
package/kit/framework/templates/DEBUG.md +164 -164
package/kit/framework/templates/UAT.md +265 -265
package/kit/framework/templates/UI-SPEC.md +100 -100
package/kit/framework/templates/VALIDATION.md +76 -76
package/kit/framework/templates/claude-md.md +122 -122
package/kit/framework/templates/codebase/architecture.md +185 -185
package/kit/framework/templates/codebase/concerns.md +205 -205
package/kit/framework/templates/codebase/conventions.md +204 -204
package/kit/framework/templates/codebase/integrations.md +192 -192
package/kit/framework/templates/codebase/stack.md +158 -158
package/kit/framework/templates/codebase/structure.md +199 -199
package/kit/framework/templates/codebase/testing.md +301 -301
package/kit/framework/templates/config.json +44 -44
package/kit/framework/templates/context.md +352 -352
package/kit/framework/templates/continue-here.md +78 -78
package/kit/framework/templates/copilot-instructions.md +7 -7
package/kit/framework/templates/debug-subagent-prompt.md +91 -91
package/kit/framework/templates/dev-preferences.md +20 -20
package/kit/framework/templates/discovery.md +146 -146
package/kit/framework/templates/discussion-log.md +63 -63
package/kit/framework/templates/milestone-archive.md +123 -123
package/kit/framework/templates/milestone.md +115 -115
package/kit/framework/templates/phase-prompt.md +610 -610
package/kit/framework/templates/planner-subagent-prompt.md +117 -117
package/kit/framework/templates/project.md +186 -186
package/kit/framework/templates/requirements.md +231 -231
package/kit/framework/templates/research-project/ARCHITECTURE.md +204 -204
package/kit/framework/templates/research-project/FEATURES.md +147 -147
package/kit/framework/templates/research-project/PITFALLS.md +200 -200
package/kit/framework/templates/research-project/STACK.md +120 -120
package/kit/framework/templates/research-project/SUMMARY.md +170 -170
package/kit/framework/templates/research.md +419 -419
package/kit/framework/templates/retrospective.md +54 -54
package/kit/framework/templates/roadmap.md +202 -202
package/kit/framework/templates/state.md +176 -176
package/kit/framework/templates/summary-complex.md +59 -59
package/kit/framework/templates/summary-minimal.md +41 -41
package/kit/framework/templates/summary-standard.md +48 -48
package/kit/framework/templates/summary.md +209 -209
package/kit/framework/templates/user-profile.md +146 -146
package/kit/framework/templates/user-setup.md +256 -256
package/kit/framework/templates/verification-report.md +258 -258
package/kit/framework/workflows/add-phase.md +112 -112
package/kit/framework/workflows/add-tests.md +351 -351
package/kit/framework/workflows/add-todo.md +158 -158
package/kit/framework/workflows/audit-milestone.md +340 -340
package/kit/framework/workflows/audit-uat.md +109 -109
package/kit/framework/workflows/autonomous.md +891 -891
package/kit/framework/workflows/check-todos.md +177 -177
package/kit/framework/workflows/cleanup.md +152 -152
package/kit/framework/workflows/complete-milestone.md +696 -696
package/kit/framework/workflows/diagnose-issues.md +231 -231
package/kit/framework/workflows/discovery-phase.md +289 -289
package/kit/framework/workflows/discuss-phase-assumptions.md +653 -653
package/kit/framework/workflows/discuss-phase.md +784 -784
package/kit/framework/workflows/do.md +104 -104
package/kit/framework/workflows/execute-phase.md +838 -838
package/kit/framework/workflows/execute-plan.md +510 -510
package/kit/framework/workflows/fast.md +102 -102
package/kit/framework/workflows/forensics.md +265 -265
package/kit/framework/workflows/health.md +181 -181
package/kit/framework/workflows/help.md +619 -619
package/kit/framework/workflows/insert-phase.md +130 -130
package/kit/framework/workflows/list-phase-assumptions.md +178 -178
package/kit/framework/workflows/list-workspaces.md +56 -56
package/kit/framework/workflows/manager.md +362 -362
package/kit/framework/workflows/map-codebase.md +377 -377
package/kit/framework/workflows/milestone-summary.md +223 -223
package/kit/framework/workflows/new-milestone.md +486 -486
package/kit/framework/workflows/new-project.md +1159 -1159
package/kit/framework/workflows/new-workspace.md +237 -237
package/kit/framework/workflows/next.md +97 -97
package/kit/framework/workflows/node-repair.md +92 -92
package/kit/framework/workflows/note.md +156 -156
package/kit/framework/workflows/pause-work.md +176 -176
package/kit/framework/workflows/plan-milestone-gaps.md +273 -273
package/kit/framework/workflows/plan-phase.md +765 -765
package/kit/framework/workflows/plant-seed.md +169 -169
package/kit/framework/workflows/pr-branch.md +129 -129
package/kit/framework/workflows/profile-user.md +450 -450
package/kit/framework/workflows/progress.md +507 -507
package/kit/framework/workflows/quick.md +757 -757
package/kit/framework/workflows/remove-phase.md +155 -155
package/kit/framework/workflows/remove-workspace.md +90 -90
package/kit/framework/workflows/research-phase.md +82 -82
package/kit/framework/workflows/resume-project.md +326 -326
package/kit/framework/workflows/review.md +228 -228
package/kit/framework/workflows/session-report.md +146 -146
package/kit/framework/workflows/settings.md +283 -283
package/kit/framework/workflows/ship.md +228 -228
package/kit/framework/workflows/stats.md +60 -60
package/kit/framework/workflows/transition.md +671 -671
package/kit/framework/workflows/ui-phase.md +302 -302
package/kit/framework/workflows/ui-review.md +165 -165
package/kit/framework/workflows/update.md +323 -323
package/kit/framework/workflows/validate-phase.md +174 -174
package/kit/framework/workflows/verify-phase.md +252 -252
package/kit/framework/workflows/verify-work.md +637 -637
package/kit/hooks/check-update.js +118 -118
package/kit/hooks/context-monitor.js +163 -163
package/kit/hooks/prompt-guard.js +103 -103
package/kit/hooks/statusline.js +125 -125
package/kit/hooks/workflow-guard.js +101 -101
package/kit/settings.json +45 -45
package/kit/skills/_shared-supabase/glossary.md +17 -0
package/kit/skills/ai-prompt-characterization/SKILL.md +335 -335
package/kit/skills/armadilhas-sistemas-distribuidos/SKILL.md +447 -447
package/kit/skills/audit-log-multi-tenant/SKILL.md +340 -340
package/kit/skills/b2b-saas-architecture/SKILL.md +300 -300
package/kit/skills/consistencia-leitura-replica/SKILL.md +385 -385
package/kit/skills/crm-lead-pipeline-patterns/SKILL.md +343 -343
package/kit/skills/escolha-modelo-consistencia/SKILL.md +494 -494
package/kit/skills/evolucao-schema-compativel/SKILL.md +448 -448
package/kit/skills/evolution-go-whatsapp-integration/SKILL.md +322 -322
package/kit/skills/example-skill/SKILL.md +42 -42
package/kit/skills/legacy-api-only-applications/SKILL.md +358 -358
package/kit/skills/legacy-characterization-tests/SKILL.md +330 -330
package/kit/skills/legacy-effect-analysis/SKILL.md +331 -331
package/kit/skills/legacy-extract-class/SKILL.md +203 -203
package/kit/skills/legacy-programming-by-difference/SKILL.md +252 -252
package/kit/skills/legacy-seams-and-test-harness/SKILL.md +460 -460
package/kit/skills/legacy-shotgun-surgery/SKILL.md +286 -286
package/kit/skills/legacy-sprout-wrap-techniques/SKILL.md +434 -434
package/kit/skills/legacy-storytelling-naked-crc/SKILL.md +270 -270
package/kit/skills/lgpd-multi-tenant-compliance/SKILL.md +340 -340
package/kit/skills/member-invite-flow/SKILL.md +305 -305
package/kit/skills/member-management-react-shadcn/SKILL.md +328 -328
package/kit/skills/multi-tenant-performance-scaling/SKILL.md +316 -316
package/kit/skills/multi-tenant-rls-hierarchy/SKILL.md +342 -342
package/kit/skills/org-onboarding-flow/SKILL.md +257 -257
package/kit/skills/org-switcher-react-pattern/SKILL.md +349 -349
package/kit/skills/permission-gate-react-pattern/SKILL.md +271 -271
package/kit/skills/postgres-isolamento-concorrencia/SKILL.md +552 -552
package/kit/skills/pre-refactor-characterization/SKILL.md +421 -421
package/kit/skills/rbac-permissions-matrix-supabase/SKILL.md +338 -338
package/kit/skills/streams-eventos-cdc/SKILL.md +711 -711
package/kit/skills/supabase-branching-workflow/SKILL.md +544 -544
package/kit/skills/supabase-ci-cd-github-actions/SKILL.md +880 -880
package/kit/skills/supabase-column-level-security/SKILL.md +426 -426
package/kit/skills/supabase-config-toml-remotes/SKILL.md +807 -807
package/kit/skills/supabase-custom-claims-rbac/SKILL.md +472 -472
package/kit/skills/supabase-edge-functions/SKILL.md +229 -141
package/kit/skills/supabase-edge-functions-auth/SKILL.md +309 -0
package/kit/skills/supabase-edge-functions-limits/SKILL.md +302 -0
package/kit/skills/supabase-edge-functions-mcp-server/SKILL.md +279 -0
package/kit/skills/supabase-edge-functions-testing/SKILL.md +277 -0
package/kit/skills/supabase-edge-runtime-builtins/SKILL.md +357 -0
package/kit/skills/supabase-migration-repair/SKILL.md +823 -823
package/kit/skills/supabase-migrations/SKILL.md +297 -297
package/kit/skills/supabase-pgtap-testing/SKILL.md +1053 -1053
package/kit/skills/supabase-postgres-roles/SKILL.md +392 -392
package/kit/skills/supabase-realtime/SKILL.md +460 -236
package/kit/skills/supabase-rls-defense-in-depth/SKILL.md +418 -418
package/kit/skills/supabase-rls-policies/SKILL.md +635 -635
package/kit/skills/super-admin-platform-pattern/SKILL.md +326 -326
package/kit/skills/tenant-quente-mitigacao/SKILL.md +605 -605
package/kit/skills/whatsapp-conversation-state-machine/SKILL.md +287 -287
package/package.json +1 -1
package/src/cli/index.js +33 -0
package/src/core/kit.js +216 -216
package/src/core/reflect.js +247 -247
package/src/core/reverse-sync.js +372 -372
package/src/core/sync.js +418 -418
package/src/core/watch.js +121 -121
package/src/mcp-server/index.js +693 -490
package/src/mcp-server/roots.js +124 -0

package/kit/commands/auditar-refactor.md CHANGED Viewed

@@ -1,219 +1,219 @@
----
-name: auditar-refactor
-description: Invoca refactor-safety-auditor — gate canônico antes de qualquer refactor. Coleta evidências (linhas, contrato externo, coverage, mutation) e retorna veredito GO/BLOCK/WARN/GO-OVERRIDE.
-argument-hint: "<target_file> [--change-kind refactor|sprout|safe-extract|override] [--mode blocking|consultive] [--ticket REQ-N] [--reason \"...\"]"
-allowed-tools:
-  - Read
-  - Write
-  - Bash
-  - Grep
-  - Glob
-  - Task
----
-<objective>
-Auditar arquivo alvo de refactor ANTES da execução para decidir se safety net (characterization tests) é adequado. Invoca o agente [`refactor-safety-auditor`](../agents/refactor-safety-auditor.md) que aplica a skill [`pre-refactor-characterization`](../skills/pre-refactor-characterization/SKILL.md) — 3 critérios de risco canônicos (tamanho > 500 linhas, contrato externo, cobertura < 60%) + matriz de decisão.
-**Cria/Atualiza:**
-- `.planning/REFACTOR-SAFETY.md` — relatório com evidências, veredito, caminhos recomendados, audit trail
-**Após:** o user tem decisão **objetiva** (não gut-feeling) sobre se refactor pode prosseguir. Se BLOCK, oferece 4 caminhos concretos. Se GO-OVERRIDE, registra ticket + reason para débito técnico.
-</objective>
-<context>
-**Argumentos:**
-- `<target_file>` — caminho do arquivo a auditar — OBRIGATÓRIO
-- `--change-kind <kind>` — tipo da mudança (default: `refactor`):
-  - `refactor` — mudança comportamental (gate roda completo)
-  - `sprout` — adiciona via sprout method/class (legado intocado, gate libera com 100% no novo)
-  - `safe-extract` — refactor mecânico (rename, IDE-extract bloco contíguo, sem mudar control flow)
-  - `override` — bypass com justificativa (requer --ticket + --reason)
-- `--mode blocking|consultive` — força modo do gate (default: lido de `.planning/config.json`)
-- `--ticket REQ-N` — ticket linkado (obrigatório com --change-kind=override)
-- `--reason "<texto>"` — justificativa (obrigatória com --change-kind=override)
-- `--output PATH` — caminho do output (default: `.planning/REFACTOR-SAFETY.md`)
-**Exemplos:**
-```
-/auditar-refactor src/orders/handler.ts                                  # default refactor
-/auditar-refactor src/orders/handler.ts --change-kind sprout             # libera (sprout)
-/auditar-refactor src/orders/handler.ts --change-kind safe-extract       # libera (mecânico)
-/auditar-refactor src/orders/handler.ts \
-  --change-kind override --ticket REQ-2026-Q2-1234 \
-  --reason "hot fix de SEV1, char será adicionado em REQ-2026-Q2-1235"   # bypass com audit trail
-/auditar-refactor src/orders/handler.ts --mode consultive                # warning em vez de block
-```
-**Fluxo típico:**
-1. `/discutir-fase` detecta refactor intent → automaticamente invoca este comando
-2. Veredito BLOCK → user escolhe um dos 4 caminhos (caracterizar, sprout, safe-extract, override)
-3. Aplicar caminho + re-rodar este comando até veredito GO
-4. Refactor executado com confiança
-**Quando invocar manualmente:**
-- Antes de planejar fase de refactor
-- Antes de PR de refactor de arquivo grande
-- Periodicamente em milestones para identificar gaps de coverage
-- Como parte de `/auditar-marco` quando `workflow.audit_milestone_legacy_refactor=true`
-</context>
-<process>
-## 1. Parsear argumentos
-```bash
-TARGET_FILE=$(echo "$ARGUMENTS" | awk '{print $1}')
-CHANGE_KIND=$(echo "$ARGUMENTS" | grep -oE -- '--change-kind [^ ]+' | awk '{print $2}')
-MODE=$(echo "$ARGUMENTS" | grep -oE -- '--mode [^ ]+' | awk '{print $2}')
-TICKET=$(echo "$ARGUMENTS" | grep -oE -- '--ticket [^ ]+' | awk '{print $2}')
-REASON=$(echo "$ARGUMENTS" | grep -oE -- '--reason "[^"]+"' | sed 's/--reason "\(.*\)"/\1/')
-OUTPUT_PATH=$(echo "$ARGUMENTS" | grep -oE -- '--output [^ ]+' | awk '{print $2}')
-[ -z "$CHANGE_KIND" ] && CHANGE_KIND="refactor"
-[ -z "$OUTPUT_PATH" ] && OUTPUT_PATH=".planning/REFACTOR-SAFETY.md"
-if [ -z "$TARGET_FILE" ]; then
-  echo "ERROR: target_file é obrigatório."
-  echo "Uso: /auditar-refactor <target_file> [opções]"
-  exit 1
-fi
-if [ ! -f "$TARGET_FILE" ]; then
-  echo "ERROR: arquivo não encontrado: $TARGET_FILE"
-  exit 1
-fi
-# PT-BR: validar override → exige ticket + reason
-if [ "$CHANGE_KIND" = "override" ]; then
-  if [ -z "$TICKET" ] || [ -z "$REASON" ]; then
-    echo "ERROR: --change-kind=override requer --ticket REQ-N E --reason \"<texto>\"."
-    echo "Sem audit trail, override é proibido."
-    exit 1
-  fi
-fi
-mkdir -p "$(dirname "$OUTPUT_PATH")"
-```
-## 2. Detectar mode default via config + omm
-```bash
-# PT-BR: ler config para mode default
-CONFIG_MODE=""
-if [ -f ".planning/config.json" ] && command -v jq >/dev/null; then
-  GATE_BLOCKING=$(jq -r '.workflow.legacy_refactor_gate_blocking // empty' .planning/config.json)
-  if [ "$GATE_BLOCKING" = "true" ]; then
-    CONFIG_MODE="blocking"
-  elif [ "$GATE_BLOCKING" = "false" ]; then
-    CONFIG_MODE="consultive"
-  fi
-fi
-# PT-BR: integração com omm-auditor — Capacidade 1 (Resilience) calibra mode
-if [ -z "$MODE" ] && [ -z "$CONFIG_MODE" ]; then
-  if [ -f ".planning/OMM-REPORT.md" ]; then
-    OMM_RESILIENCE=$(grep -oE 'Capacidade 1.*Resilience.*[0-9]/5' .planning/OMM-REPORT.md | grep -oE '[0-9]/5' | head -1 | sed 's|/5||')
-    if [ -n "$OMM_RESILIENCE" ] && [ "$OMM_RESILIENCE" -ge 3 ]; then
-      MODE="blocking"
-    else
-      MODE="consultive"
-    fi
-  fi
-fi
-[ -z "$MODE" ] && MODE="${CONFIG_MODE:-blocking}"
-```
-## 3. Dispatch para `refactor-safety-auditor`
-```text
-Task(
-  subagent_type="refactor-safety-auditor",
-  prompt="
-target_file: ${TARGET_FILE}
-change_kind: ${CHANGE_KIND}
-output_path: ${OUTPUT_PATH}
-mode: ${MODE}
-${TICKET:+ticket: ${TICKET}}
-${REASON:+reason: ${REASON}}
-Aplicar skill pre-refactor-characterization. Etapas:
-1. Preflight: detectar linguagem, validar input
-2. Coletar evidências:
-   - line count + heurística de aninhamento
-   - external contract (path patterns, content markers, cross-package refs)
-   - coverage atual (line coverage como proxy)
-   - characterization tests existentes
-   - mutation kill score (se disponível)
-3. Aplicar matriz de decisão (3 critérios canônicos)
-4. Determinar caminho recomendado (caracterizar/sprout/safe-extract/override)
-5. Escrever REFACTOR-SAFETY.md com evidências, veredito, paths, audit trail
-6. Output curto para caller (veredito + custo + próximos passos)
-"
-)
-```
-## 4. Pós-output
-```
-═══════════════════════════════════════════════════════════
- framework ► AUDITAR-REFACTOR ▸ ${OUTPUT_PATH}
-═══════════════════════════════════════════════════════════
-[output do refactor-safety-auditor]
-## Decision matrix referência
-| Veredito | Significado | Próxima ação |
-|---|---|---|
-| **GO** | Safety net adequado | Refactor pode prosseguir |
-| **GO-OVERRIDE** | Bypass com audit trail | Refactor pode prosseguir, débito documentado em ticket |
-| **WARN** | Risco médio | Considere `/caracterizar --gap-fill` antes; ou prosseguir + monitor |
-| **BLOCK** | Risco alto sem safety net | Escolha um dos 4 caminhos abaixo |
-## Caminhos quando BLOCK (em ordem de preferência)
-1. **Caracterizar primeiro** (recomendado para refactor real)
-   ```
-   /caracterizar <file>
-   ```
-   Custo: 8-16h. Cobertura behavioral ≥ 70%. Gate retorna GO após.
-2. **Sprout/Wrap** (não toca legado, ADICIONA comportamento)
-   ```
-   /refactor-seguro --mode=sprout <file>
-   ```
-   Custo: 0.5-4h. Legado intocado, novo testado isolado.
-3. **Safe extraction** (mecânico — rename, IDE-extract)
-   ```
-   /refactor-seguro --mode=safe-extract <file>
-   ```
-   Custo: 1-2h. Apenas refactor sem mudança comportamental.
-4. **Override** (último recurso, audit trail)
-   ```
-   /refactor-seguro --mode=override --ticket REQ-N --reason "<texto>" <file>
-   ```
-   Custo: 0h refactor + custo do débito. Aprovação humana obrigatória.
-## Cross-suite
-- **/instrumentar-fase** (v1.9) — durante refactor com BLOCK→GO via override, instrumentar para detecção precoce de regressão via golden signals
-- **/burn-rate-status** (v1.9) — refactor pode regredir SLO; monitor budget pós-deploy
-- **/prr** (v1.10) — Production Readiness Review Axe 5 (Change Management) consume veredito deste gate
-- **/postmortem** (v1.10) — postmortems de regression em refactor sem char referenciam essa auditoria como lesson learned
-```
-</process>
-<success_criteria>
-- [ ] $ARGUMENTS parseados (target_file obrigatório, --change-kind=override exige ticket + reason)
-- [ ] Mode resolvido: argument explícito > config.json > omm-auditor (Capacidade 1) > default blocking
-- [ ] `refactor-safety-auditor` invocado via `Task(subagent_type=...)` com prompt completo (6 etapas)
-- [ ] `.planning/REFACTOR-SAFETY.md` criado pelo agent
-- [ ] Output forwarded transparentemente
-- [ ] Decision matrix exibida para referência
-- [ ] 4 caminhos oferecidos quando BLOCK (com comandos prontos para copy-paste)
-- [ ] Cross-references com Suíte Observabilidade + SRE
-</success_criteria>
+---
+name: auditar-refactor
+description: Invoca refactor-safety-auditor — gate canônico antes de qualquer refactor. Coleta evidências (linhas, contrato externo, coverage, mutation) e retorna veredito GO/BLOCK/WARN/GO-OVERRIDE.
+argument-hint: "<target_file> [--change-kind refactor|sprout|safe-extract|override] [--mode blocking|consultive] [--ticket REQ-N] [--reason \"...\"]"
+allowed-tools:
+  - Read
+  - Write
+  - Bash
+  - Grep
+  - Glob
+  - Task
+---
+<objective>
+Auditar arquivo alvo de refactor ANTES da execução para decidir se safety net (characterization tests) é adequado. Invoca o agente [`refactor-safety-auditor`](../agents/refactor-safety-auditor.md) que aplica a skill [`pre-refactor-characterization`](../skills/pre-refactor-characterization/SKILL.md) — 3 critérios de risco canônicos (tamanho > 500 linhas, contrato externo, cobertura < 60%) + matriz de decisão.
+**Cria/Atualiza:**
+- `.planning/REFACTOR-SAFETY.md` — relatório com evidências, veredito, caminhos recomendados, audit trail
+**Após:** o user tem decisão **objetiva** (não gut-feeling) sobre se refactor pode prosseguir. Se BLOCK, oferece 4 caminhos concretos. Se GO-OVERRIDE, registra ticket + reason para débito técnico.
+</objective>
+<context>
+**Argumentos:**
+- `<target_file>` — caminho do arquivo a auditar — OBRIGATÓRIO
+- `--change-kind <kind>` — tipo da mudança (default: `refactor`):
+  - `refactor` — mudança comportamental (gate roda completo)
+  - `sprout` — adiciona via sprout method/class (legado intocado, gate libera com 100% no novo)
+  - `safe-extract` — refactor mecânico (rename, IDE-extract bloco contíguo, sem mudar control flow)
+  - `override` — bypass com justificativa (requer --ticket + --reason)
+- `--mode blocking|consultive` — força modo do gate (default: lido de `.planning/config.json`)
+- `--ticket REQ-N` — ticket linkado (obrigatório com --change-kind=override)
+- `--reason "<texto>"` — justificativa (obrigatória com --change-kind=override)
+- `--output PATH` — caminho do output (default: `.planning/REFACTOR-SAFETY.md`)
+**Exemplos:**
+```
+/auditar-refactor src/orders/handler.ts                                  # default refactor
+/auditar-refactor src/orders/handler.ts --change-kind sprout             # libera (sprout)
+/auditar-refactor src/orders/handler.ts --change-kind safe-extract       # libera (mecânico)
+/auditar-refactor src/orders/handler.ts \
+  --change-kind override --ticket REQ-2026-Q2-1234 \
+  --reason "hot fix de SEV1, char será adicionado em REQ-2026-Q2-1235"   # bypass com audit trail
+/auditar-refactor src/orders/handler.ts --mode consultive                # warning em vez de block
+```
+**Fluxo típico:**
+1. `/discutir-fase` detecta refactor intent → automaticamente invoca este comando
+2. Veredito BLOCK → user escolhe um dos 4 caminhos (caracterizar, sprout, safe-extract, override)
+3. Aplicar caminho + re-rodar este comando até veredito GO
+4. Refactor executado com confiança
+**Quando invocar manualmente:**
+- Antes de planejar fase de refactor
+- Antes de PR de refactor de arquivo grande
+- Periodicamente em milestones para identificar gaps de coverage
+- Como parte de `/auditar-marco` quando `workflow.audit_milestone_legacy_refactor=true`
+</context>
+<process>
+## 1. Parsear argumentos
+```bash
+TARGET_FILE=$(echo "$ARGUMENTS" | awk '{print $1}')
+CHANGE_KIND=$(echo "$ARGUMENTS" | grep -oE -- '--change-kind [^ ]+' | awk '{print $2}')
+MODE=$(echo "$ARGUMENTS" | grep -oE -- '--mode [^ ]+' | awk '{print $2}')
+TICKET=$(echo "$ARGUMENTS" | grep -oE -- '--ticket [^ ]+' | awk '{print $2}')
+REASON=$(echo "$ARGUMENTS" | grep -oE -- '--reason "[^"]+"' | sed 's/--reason "\(.*\)"/\1/')
+OUTPUT_PATH=$(echo "$ARGUMENTS" | grep -oE -- '--output [^ ]+' | awk '{print $2}')
+[ -z "$CHANGE_KIND" ] && CHANGE_KIND="refactor"
+[ -z "$OUTPUT_PATH" ] && OUTPUT_PATH=".planning/REFACTOR-SAFETY.md"
+if [ -z "$TARGET_FILE" ]; then
+  echo "ERROR: target_file é obrigatório."
+  echo "Uso: /auditar-refactor <target_file> [opções]"
+  exit 1
+fi
+if [ ! -f "$TARGET_FILE" ]; then
+  echo "ERROR: arquivo não encontrado: $TARGET_FILE"
+  exit 1
+fi
+# PT-BR: validar override → exige ticket + reason
+if [ "$CHANGE_KIND" = "override" ]; then
+  if [ -z "$TICKET" ] || [ -z "$REASON" ]; then
+    echo "ERROR: --change-kind=override requer --ticket REQ-N E --reason \"<texto>\"."
+    echo "Sem audit trail, override é proibido."
+    exit 1
+  fi
+fi
+mkdir -p "$(dirname "$OUTPUT_PATH")"
+```
+## 2. Detectar mode default via config + omm
+```bash
+# PT-BR: ler config para mode default
+CONFIG_MODE=""
+if [ -f ".planning/config.json" ] && command -v jq >/dev/null; then
+  GATE_BLOCKING=$(jq -r '.workflow.legacy_refactor_gate_blocking // empty' .planning/config.json)
+  if [ "$GATE_BLOCKING" = "true" ]; then
+    CONFIG_MODE="blocking"
+  elif [ "$GATE_BLOCKING" = "false" ]; then
+    CONFIG_MODE="consultive"
+  fi
+fi
+# PT-BR: integração com omm-auditor — Capacidade 1 (Resilience) calibra mode
+if [ -z "$MODE" ] && [ -z "$CONFIG_MODE" ]; then
+  if [ -f ".planning/OMM-REPORT.md" ]; then
+    OMM_RESILIENCE=$(grep -oE 'Capacidade 1.*Resilience.*[0-9]/5' .planning/OMM-REPORT.md | grep -oE '[0-9]/5' | head -1 | sed 's|/5||')
+    if [ -n "$OMM_RESILIENCE" ] && [ "$OMM_RESILIENCE" -ge 3 ]; then
+      MODE="blocking"
+    else
+      MODE="consultive"
+    fi
+  fi
+fi
+[ -z "$MODE" ] && MODE="${CONFIG_MODE:-blocking}"
+```
+## 3. Dispatch para `refactor-safety-auditor`
+```text
+Task(
+  subagent_type="refactor-safety-auditor",
+  prompt="
+target_file: ${TARGET_FILE}
+change_kind: ${CHANGE_KIND}
+output_path: ${OUTPUT_PATH}
+mode: ${MODE}
+${TICKET:+ticket: ${TICKET}}
+${REASON:+reason: ${REASON}}
+Aplicar skill pre-refactor-characterization. Etapas:
+1. Preflight: detectar linguagem, validar input
+2. Coletar evidências:
+   - line count + heurística de aninhamento
+   - external contract (path patterns, content markers, cross-package refs)
+   - coverage atual (line coverage como proxy)
+   - characterization tests existentes
+   - mutation kill score (se disponível)
+3. Aplicar matriz de decisão (3 critérios canônicos)
+4. Determinar caminho recomendado (caracterizar/sprout/safe-extract/override)
+5. Escrever REFACTOR-SAFETY.md com evidências, veredito, paths, audit trail
+6. Output curto para caller (veredito + custo + próximos passos)
+"
+)
+```
+## 4. Pós-output
+```
+═══════════════════════════════════════════════════════════
+ framework ► AUDITAR-REFACTOR ▸ ${OUTPUT_PATH}
+═══════════════════════════════════════════════════════════
+[output do refactor-safety-auditor]
+## Decision matrix referência
+| Veredito | Significado | Próxima ação |
+|---|---|---|
+| **GO** | Safety net adequado | Refactor pode prosseguir |
+| **GO-OVERRIDE** | Bypass com audit trail | Refactor pode prosseguir, débito documentado em ticket |
+| **WARN** | Risco médio | Considere `/caracterizar --gap-fill` antes; ou prosseguir + monitor |
+| **BLOCK** | Risco alto sem safety net | Escolha um dos 4 caminhos abaixo |
+## Caminhos quando BLOCK (em ordem de preferência)
+1. **Caracterizar primeiro** (recomendado para refactor real)
+   ```
+   /caracterizar <file>
+   ```
+   Custo: 8-16h. Cobertura behavioral ≥ 70%. Gate retorna GO após.
+2. **Sprout/Wrap** (não toca legado, ADICIONA comportamento)
+   ```
+   /refactor-seguro --mode=sprout <file>
+   ```
+   Custo: 0.5-4h. Legado intocado, novo testado isolado.
+3. **Safe extraction** (mecânico — rename, IDE-extract)
+   ```
+   /refactor-seguro --mode=safe-extract <file>
+   ```
+   Custo: 1-2h. Apenas refactor sem mudança comportamental.
+4. **Override** (último recurso, audit trail)
+   ```
+   /refactor-seguro --mode=override --ticket REQ-N --reason "<texto>" <file>
+   ```
+   Custo: 0h refactor + custo do débito. Aprovação humana obrigatória.
+## Cross-suite
+- **/instrumentar-fase** (v1.9) — durante refactor com BLOCK→GO via override, instrumentar para detecção precoce de regressão via golden signals
+- **/burn-rate-status** (v1.9) — refactor pode regredir SLO; monitor budget pós-deploy
+- **/prr** (v1.10) — Production Readiness Review Axe 5 (Change Management) consume veredito deste gate
+- **/postmortem** (v1.10) — postmortems de regression em refactor sem char referenciam essa auditoria como lesson learned
+```
+</process>
+<success_criteria>
+- [ ] $ARGUMENTS parseados (target_file obrigatório, --change-kind=override exige ticket + reason)
+- [ ] Mode resolvido: argument explícito > config.json > omm-auditor (Capacidade 1) > default blocking
+- [ ] `refactor-safety-auditor` invocado via `Task(subagent_type=...)` com prompt completo (6 etapas)
+- [ ] `.planning/REFACTOR-SAFETY.md` criado pelo agent
+- [ ] Output forwarded transparentemente
+- [ ] Decision matrix exibida para referência
+- [ ] 4 caminhos oferecidos quando BLOCK (com comandos prontos para copy-paste)
+- [ ] Cross-references com Suíte Observabilidade + SRE
+</success_criteria>

package/kit/commands/auditar-release.md CHANGED Viewed

@@ -1,109 +1,109 @@
----
-name: auditar-release
-description: Invoca release-pipeline-auditor — audita CI/CD para hermeticidade (lockfile + frozen-install + image SHA + sem network), reprodutibilidade (versions pinned), policy enforcement (branch protection…
-argument-hint: "[--dimensions hermeticidade,reprodutibilidade,policy-enforcement] [--gh-repo OWNER/REPO]"
-allowed-tools:
-  - Read
-  - Bash
-  - Grep
-  - Glob
-  - Task
-  - Write
----
-<objective>
-Auditar **release pipeline** (CI/CD + Dockerfile + branch protection) em 3 dimensões: hermeticidade, reprodutibilidade, policy enforcement. Invoca o agente [`release-pipeline-auditor`](../agents/release-pipeline-auditor.md) que aplica skills [`hermetic-builds`](../skills/hermetic-builds/SKILL.md) + [`release-engineering`](../skills/release-engineering/SKILL.md).
-**Cria/Atualiza:**
-- `.planning/RELEASE-AUDIT.md` — relatório scored 30 pontos com top 5 fixes priorizados
-**Após:** o user vê fragility quantificada (não opinião). Resultado feeds PRR Axe 5 (Change Management) v1.10 e gate `release-pipeline-policy` opt-in.
-</objective>
-<context>
-**Argumentos:**
-- `--dimensions <list>` — subset de `[hermeticidade, reprodutibilidade, policy-enforcement]` (default: todas)
-- `--gh-repo OWNER/REPO` — override de repo detection (default: `gh repo view`)
-- `--output PATH` — caminho do output (default: `.planning/RELEASE-AUDIT.md`)
-**Exemplos:**
-```
-/auditar-release                                          # full audit (3 dims)
-/auditar-release --dimensions hermeticidade               # só hermeticidade
-/auditar-release --gh-repo myorg/myrepo                   # override repo
-```
-**Pré-requisitos opcionais:**
-- `gh` CLI autenticado (`gh auth status`) — para checks de branch protection via API
-- Sem `gh`: agent skip dimension policy-enforcement parcialmente (filesystem only)
-</context>
-<process>
-## 1. Parsear argumentos
-```bash
-DIMENSIONS=$(echo "$ARGUMENTS" | grep -oE -- '--dimensions [^ ]+' | awk '{print $2}')
-GH_REPO=$(echo "$ARGUMENTS" | grep -oE -- '--gh-repo [^ ]+' | awk '{print $2}')
-OUTPUT_PATH=$(echo "$ARGUMENTS" | grep -oE -- '--output [^ ]+' | awk '{print $2}')
-[ -z "$OUTPUT_PATH" ] && OUTPUT_PATH=".planning/RELEASE-AUDIT.md"
-mkdir -p "$(dirname "$OUTPUT_PATH")"
-```
-## 2. Dispatch para `release-pipeline-auditor`
-```text
-Task(
-  subagent_type="release-pipeline-auditor",
-  prompt="
-project_root: .
-output_path: ${OUTPUT_PATH}
-${DIMENSIONS:+dimensions: ${DIMENSIONS}}
-${GH_REPO:+gh_repo: ${GH_REPO}}
-Aplicar skills hermetic-builds + release-engineering. Etapas:
-1. Detectar lockfile, CI files, Dockerfile
-2. Auditar Hermeticidade (10pts): lockfile commitado, frozen-install, image SHA, sem network, SLSA provenance
-3. Auditar Reprodutibilidade (10pts): actions pinned, node version pinned, package manager pinned, sem timestamps, build cache
-4. Auditar Policy Enforcement (10pts): branch protection, required PR + reviewers + status checks, CODEOWNERS, signed commits, workflow permissions, release via tag
-5. Score agregado (0-30) com veredito ROBUST/ADEQUATE/FRAGILE/BROKEN
-6. Top 5 fixes priorizados com esforço estimado
-"
-)
-```
-## 3. Pós-output
-```
-═══════════════════════════════════════════════════════════
- framework ► AUDITAR-RELEASE ▸ ${OUTPUT_PATH}
-═══════════════════════════════════════════════════════════
-[output do agent]
-## Próximos passos
-1. **Aplicar top 5 fixes** do RELEASE-AUDIT.md (esforço total ~1-2h)
-2. **/prr <service>** (v1.10) — Axe 5 (Change Management) consume este audit
-3. **Re-audit em 30d** — verificar progresso
-4. **/concluir-marco** (framework + patch v1.11) — opt-in gate `release-pipeline-policy`
-## Cross-suite
-- v1.10 SRE — PRR Axe 5 (Change Management)
-- v1.11 SRE Resilience — esse audit
-- v1.12 Legacy — overrides de refactor têm audit trail aqui
-- Framework flow — /concluir-marco gate opt-in
-```
-</process>
-<success_criteria>
-- [ ] $ARGUMENTS parseados (todos opcionais)
-- [ ] `release-pipeline-auditor` invocado via Task
-- [ ] RELEASE-AUDIT.md scored 30 pts criado
-- [ ] Veredito ROBUST/ADEQUATE/FRAGILE/BROKEN
-- [ ] Top 5 fixes priorizados com esforço
-- [ ] Cross-references com /prr e /concluir-marco
-</success_criteria>
+---
+name: auditar-release
+description: Invoca release-pipeline-auditor — audita CI/CD para hermeticidade (lockfile + frozen-install + image SHA + sem network), reprodutibilidade (versions pinned), policy enforcement (branch protection…
+argument-hint: "[--dimensions hermeticidade,reprodutibilidade,policy-enforcement] [--gh-repo OWNER/REPO]"
+allowed-tools:
+  - Read
+  - Bash
+  - Grep
+  - Glob
+  - Task
+  - Write
+---
+<objective>
+Auditar **release pipeline** (CI/CD + Dockerfile + branch protection) em 3 dimensões: hermeticidade, reprodutibilidade, policy enforcement. Invoca o agente [`release-pipeline-auditor`](../agents/release-pipeline-auditor.md) que aplica skills [`hermetic-builds`](../skills/hermetic-builds/SKILL.md) + [`release-engineering`](../skills/release-engineering/SKILL.md).
+**Cria/Atualiza:**
+- `.planning/RELEASE-AUDIT.md` — relatório scored 30 pontos com top 5 fixes priorizados
+**Após:** o user vê fragility quantificada (não opinião). Resultado feeds PRR Axe 5 (Change Management) v1.10 e gate `release-pipeline-policy` opt-in.
+</objective>
+<context>
+**Argumentos:**
+- `--dimensions <list>` — subset de `[hermeticidade, reprodutibilidade, policy-enforcement]` (default: todas)
+- `--gh-repo OWNER/REPO` — override de repo detection (default: `gh repo view`)
+- `--output PATH` — caminho do output (default: `.planning/RELEASE-AUDIT.md`)
+**Exemplos:**
+```
+/auditar-release                                          # full audit (3 dims)
+/auditar-release --dimensions hermeticidade               # só hermeticidade
+/auditar-release --gh-repo myorg/myrepo                   # override repo
+```
+**Pré-requisitos opcionais:**
+- `gh` CLI autenticado (`gh auth status`) — para checks de branch protection via API
+- Sem `gh`: agent skip dimension policy-enforcement parcialmente (filesystem only)
+</context>
+<process>
+## 1. Parsear argumentos
+```bash
+DIMENSIONS=$(echo "$ARGUMENTS" | grep -oE -- '--dimensions [^ ]+' | awk '{print $2}')
+GH_REPO=$(echo "$ARGUMENTS" | grep -oE -- '--gh-repo [^ ]+' | awk '{print $2}')
+OUTPUT_PATH=$(echo "$ARGUMENTS" | grep -oE -- '--output [^ ]+' | awk '{print $2}')
+[ -z "$OUTPUT_PATH" ] && OUTPUT_PATH=".planning/RELEASE-AUDIT.md"
+mkdir -p "$(dirname "$OUTPUT_PATH")"
+```
+## 2. Dispatch para `release-pipeline-auditor`
+```text
+Task(
+  subagent_type="release-pipeline-auditor",
+  prompt="
+project_root: .
+output_path: ${OUTPUT_PATH}
+${DIMENSIONS:+dimensions: ${DIMENSIONS}}
+${GH_REPO:+gh_repo: ${GH_REPO}}
+Aplicar skills hermetic-builds + release-engineering. Etapas:
+1. Detectar lockfile, CI files, Dockerfile
+2. Auditar Hermeticidade (10pts): lockfile commitado, frozen-install, image SHA, sem network, SLSA provenance
+3. Auditar Reprodutibilidade (10pts): actions pinned, node version pinned, package manager pinned, sem timestamps, build cache
+4. Auditar Policy Enforcement (10pts): branch protection, required PR + reviewers + status checks, CODEOWNERS, signed commits, workflow permissions, release via tag
+5. Score agregado (0-30) com veredito ROBUST/ADEQUATE/FRAGILE/BROKEN
+6. Top 5 fixes priorizados com esforço estimado
+"
+)
+```
+## 3. Pós-output
+```
+═══════════════════════════════════════════════════════════
+ framework ► AUDITAR-RELEASE ▸ ${OUTPUT_PATH}
+═══════════════════════════════════════════════════════════
+[output do agent]
+## Próximos passos
+1. **Aplicar top 5 fixes** do RELEASE-AUDIT.md (esforço total ~1-2h)
+2. **/prr <service>** (v1.10) — Axe 5 (Change Management) consume este audit
+3. **Re-audit em 30d** — verificar progresso
+4. **/concluir-marco** (framework + patch v1.11) — opt-in gate `release-pipeline-policy`
+## Cross-suite
+- v1.10 SRE — PRR Axe 5 (Change Management)
+- v1.11 SRE Resilience — esse audit
+- v1.12 Legacy — overrides de refactor têm audit trail aqui
+- Framework flow — /concluir-marco gate opt-in
+```
+</process>
+<success_criteria>
+- [ ] $ARGUMENTS parseados (todos opcionais)
+- [ ] `release-pipeline-auditor` invocado via Task
+- [ ] RELEASE-AUDIT.md scored 30 pts criado
+- [ ] Veredito ROBUST/ADEQUATE/FRAGILE/BROKEN
+- [ ] Top 5 fixes priorizados com esforço
+- [ ] Cross-references com /prr e /concluir-marco
+</success_criteria>