@ornexus/neocortex 3.9.19 → 3.9.22

package/install.ps1

@@ -15,7 +15,7 @@ param(
     [string]$ServerUrl = "https://api.neocortex.ornexus.com"
 )
 
-$VERSION = "3.9.19"
+$VERSION = "3.9.22"
 
 # =============================================================================
 # CONFIGURACOES

package/install.sh

@@ -4,7 +4,7 @@
 # Development Orchestrator
 
 # Versao do instalador
-VERSION="3.9.19"
+VERSION="3.9.22"
 
 # Flags
 MIGRATION_DETECTED=false
@@ -569,12 +569,18 @@ setup_thin_client_config() {
     mkdir -p "$config_dir" 2>/dev/null
     mkdir -p "$config_dir/cache" 2>/dev/null
 
+    # Story 61.4 - F4 remediation: restrictive permissions
+    chmod 700 "$config_dir" 2>/dev/null
+    chmod 700 "$config_dir/cache" 2>/dev/null
+
     if [ -f "$config_file" ]; then
         # Preservar config existente, atualizar apenas serverUrl se necessario
         local existing_mode
         existing_mode=$(grep '"mode"' "$config_file" 2>/dev/null | head -1 | sed 's/.*"mode"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/')
 
         if [ "$existing_mode" = "active" ] || [ "$existing_mode" = "local" ] || [ "$existing_mode" = "remote" ]; then
+            # Story 61.4 - ensure permissions are always enforced even on existing configs
+            chmod 600 "$config_file" 2>/dev/null
             debug "Config existente preservada (mode=$existing_mode)"
             return 0
         fi
@@ -602,6 +608,9 @@ setup_thin_client_config() {
 }
 EOFCONFIG
 
+    # Story 61.4 - F4 remediation: config file readable only by owner
+    chmod 600 "$config_file" 2>/dev/null
+
     debug "Thin client config criada: $config_file"
 }
 
@@ -711,6 +720,7 @@ install_agent() {
 
     # Dynamic description: patch tier from existing config (if activated)
     patch_description_tier "$DEST_DIR/neocortex.md"
+    patch_description_tier "$DEST_DIR/neocortex.agent.yaml"
 
     # Cleanup: remover workflow.md de instalacoes anteriores (v3.8 -> v3.9)
     if [ -f "$DEST_DIR/workflow.md" ]; then
@@ -1187,6 +1197,7 @@ create_project_dirs() {
 
                         # Dynamic description: patch tier
                         patch_description_tier "$project_dir/.claude/agents/neocortex/neocortex.md"
+                        patch_description_tier "$project_dir/.claude/agents/neocortex/neocortex.agent.yaml"
 
                         # Thin-client: cleanup legacy IP from previous installs
                         auto_cleanup_legacy_project "$project_dir"

package/package.json

@@ -1,7 +1,7 @@
 {
   "name": "@ornexus/neocortex",
-  "version": "3.9.19",
-  "description": "Neocortex v3.9.19 - Orquestrador de Desenvolvimento de Epics & Stories para Claude Code",
+  "version": "3.9.22",
+  "description": "Neocortex v3.9.22 - Orquestrador de Desenvolvimento de Epics & Stories para Claude Code",
   "keywords": [
     "claude",
     "claude-code",
@@ -53,6 +53,8 @@
     "install.sh",
     "install.ps1",
     "packages/client/dist/",
+    "!packages/client/dist/**/*.js.map",
+    "!packages/client/dist/**/*.d.ts.map",
     "targets-stubs/"
   ],
   "scripts": {

package/packages/client/dist/commands/activate.js

@@ -29,6 +29,7 @@ import { getMachineFingerprint } from '../machine/fingerprint.js';
 import { updateAgentDescription } from '../agent/update-description.js';
 import { refreshStubs } from '../agent/refresh-stubs.js';
 import { updateAgentYaml } from '../agent/update-agent-yaml.js';
+import { saveSecureConfig, setSecureDirPermissions } from '../config/secure-config.js';
 // ── Version Resolution ────────────────────────────────────────────────────
 function getInstalledVersion() {
     try {
@@ -94,11 +95,31 @@ function loadExistingConfig() {
 }
 /**
  * Save user config after successful activation.
- * License key is stored to enable LicenseClient re-creation in invoke.
+ * License key is encrypted using machine fingerprint (Story 61.2).
+ * File permissions set to 600 (Story 61.4).
  */
 function saveConfig(config) {
+    // Ensure directories exist with secure permissions
     mkdirSync(CONFIG_DIR, { recursive: true });
-    writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+    setSecureDirPermissions(CONFIG_DIR);
+    const cacheDir = join(CONFIG_DIR, 'cache');
+    mkdirSync(cacheDir, { recursive: true });
+    setSecureDirPermissions(cacheDir);
+    if (config.licenseKey) {
+        // Use secure config writer which encrypts the license key
+        saveSecureConfig({
+            serverUrl: config.serverUrl,
+            mode: config.mode,
+            machineId: config.machineId,
+            activatedAt: config.activatedAt,
+            tier: config.tier,
+            licenseKey: config.licenseKey,
+        });
+    }
+    else {
+        // Fallback: write without license key (should not happen in normal flow)
+        writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+    }
 }
 // ── Activate Command ──────────────────────────────────────────────────────
 /**

package/packages/client/dist/commands/invoke.js

@@ -19,20 +19,22 @@
  *
  * Story 45.2 - AC1-AC6
  */
-import { existsSync, readFileSync, mkdirSync, writeFileSync } from 'node:fs';
+import { existsSync, readFileSync, unlinkSync } from 'node:fs';
 import { join } from 'node:path';
 import { homedir } from 'node:os';
 import { LicenseClient } from '../license/license-client.js';
 import { EncryptedCache } from '../cache/encrypted-cache.js';
 import { NoOpCache } from '../types/index.js';
+import { TierAwareClient } from '../tier/tier-aware-client.js';
+import { loadSecureConfig } from '../config/secure-config.js';
 // ── Constants ─────────────────────────────────────────────────────────────
 const DEFAULT_SERVER_URL = 'https://api.neocortex.ornexus.com';
 const CONFIG_DIR = join(homedir(), '.neocortex');
-const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
 const CACHE_DIR = join(CONFIG_DIR, 'cache');
 const MENU_CACHE_FILE = join(CACHE_DIR, 'menu-cache.json');
 const MENU_CACHE_TTL_MS = 24 * 60 * 60 * 1000; // 24 hours
 const DEFAULT_TIMEOUT_MS = 30_000;
+const CLIENT_VERSION = '0.1.0';
 // ── State Snapshot Collection ──────────────────────────────────────────────
 /**
  * Read state.json and construct a sanitized snapshot for the server.
@@ -113,14 +115,24 @@ export function collectStateSnapshot(projectRoot) {
         epics,
     };
 }
-// ── Menu Cache ────────────────────────────────────────────────────────────
-function getMenuCache() {
+// ── Menu Cache (Encrypted - Story 61.1) ──────────────────────────────────
+const MENU_CACHE_KEY = 'neocortex:menu:cache';
+/**
+ * Read menu cache from EncryptedCache.
+ * Falls back gracefully: if decryption fails or data is stale, returns null.
+ * Also cleans up legacy plaintext menu-cache.json if it exists.
+ */
+async function getMenuCache(encryptedCache) {
     try {
-        if (!existsSync(MENU_CACHE_FILE))
+        const raw = await encryptedCache.get(MENU_CACHE_KEY);
+        if (!raw)
             return null;
-        const raw = readFileSync(MENU_CACHE_FILE, 'utf-8');
         const cache = JSON.parse(raw);
-        // Check TTL
+        // Invalidate on version mismatch (stale cache from previous install)
+        if (cache.version !== CLIENT_VERSION) {
+            return null;
+        }
+        // Check TTL (EncryptedCache also has TTL, but we double-check for version-based invalidation)
         if (Date.now() - cache.cachedAt > MENU_CACHE_TTL_MS) {
             return null; // Expired
         }
@@ -130,32 +142,47 @@ function getMenuCache() {
         return null;
     }
 }
-function setMenuCache(instructions, metadata) {
+/**
+ * Write menu cache to EncryptedCache.
+ * Deletes legacy plaintext menu-cache.json on first encrypted write.
+ */
+async function setMenuCache(encryptedCache, instructions, metadata) {
     try {
-        mkdirSync(CACHE_DIR, { recursive: true });
         const cache = {
             instructions,
             metadata,
             cachedAt: Date.now(),
+            version: CLIENT_VERSION,
         };
-        writeFileSync(MENU_CACHE_FILE, JSON.stringify(cache), 'utf-8');
+        await encryptedCache.set(MENU_CACHE_KEY, JSON.stringify(cache), MENU_CACHE_TTL_MS);
+        // Delete legacy plaintext menu-cache.json if it exists (F1 remediation)
+        deleteLegacyMenuCache();
     }
     catch {
         // Cache write failure is non-critical
     }
 }
-// ── Config Loading ────────────────────────────────────────────────────────
-function loadConfig() {
+/**
+ * Remove legacy plaintext menu-cache.json file.
+ * Called after successful encrypted write to prevent IP leakage.
+ */
+function deleteLegacyMenuCache() {
     try {
-        if (existsSync(CONFIG_FILE)) {
-            const raw = readFileSync(CONFIG_FILE, 'utf-8');
-            return JSON.parse(raw);
+        if (existsSync(MENU_CACHE_FILE)) {
+            unlinkSync(MENU_CACHE_FILE);
         }
     }
     catch {
-        // Ignore
+        // Non-critical: best-effort cleanup
     }
-    return null;
+}
+// ── Config Loading (Story 61.2 - Secure) ─────────────────────────────────
+/**
+ * Load config with automatic decryption of license key.
+ * Handles migration from plaintext licenseKey to encryptedLicenseKey.
+ */
+function loadConfig() {
+    return loadSecureConfig();
 }
 async function getAuthTokenAndClient(serverUrl, licenseKey) {
     try {
@@ -177,7 +204,11 @@ async function getAuthTokenAndClient(serverUrl, licenseKey) {
         const token = await client.getToken();
         if (!token)
             return null;
-        return { token, client };
+        const tierClient = new TierAwareClient({
+            cacheProvider,
+            licenseClient: client,
+        });
+        return { token, client, tierClient };
     }
     catch {
         return null;
@@ -193,7 +224,7 @@ async function sendInvokeRequest(serverUrl, body, authToken) {
             headers: {
                 'Content-Type': 'application/json',
                 'Authorization': `Bearer ${authToken}`,
-                'X-Client-Version': '0.1.0',
+                'X-Client-Version': CLIENT_VERSION,
             },
             body: JSON.stringify(body),
             signal: controller.signal,
@@ -245,17 +276,20 @@ async function sendInvokeRequest(serverUrl, body, authToken) {
  */
 export async function invoke(options) {
     const projectRoot = options.projectRoot ?? process.cwd();
-    const format = options.format ?? 'plain';
     const platformTarget = options.platformTarget ?? 'claude-code';
     // 1. Determine server URL
     const config = loadConfig();
     const serverUrl = (options.serverUrl ?? config?.serverUrl ?? DEFAULT_SERVER_URL).replace(/\/+$/, '');
     // 2. Collect state snapshot
     const stateSnapshot = collectStateSnapshot(projectRoot);
+    // 2a. Create encrypted cache for menu (uses licenseKey as passphrase)
+    const menuCache = config?.licenseKey
+        ? new EncryptedCache({ cacheDir: CACHE_DIR, passphrase: config.licenseKey })
+        : null;
     // 3. Check menu cache for empty invocations (AC6)
     const trimmedArgs = options.args.trim();
-    if (!trimmedArgs) {
-        const cachedMenu = getMenuCache();
+    if (!trimmedArgs && menuCache) {
+        const cachedMenu = await getMenuCache(menuCache);
         if (cachedMenu) {
             return {
                 success: true,
@@ -274,6 +308,24 @@ export async function invoke(options) {
             exitCode: 2, // Not configured
         };
     }
+    // 4a. Pre-flight tier check (optimistic -- if it fails, still proceed)
+    const trigger = extractTrigger(trimmedArgs);
+    if (trigger) {
+        try {
+            const preFlightResult = await auth.tierClient.preFlightCheck(trigger);
+            if (!preFlightResult.allowed) {
+                process.stderr.write(`[neocortex] ${preFlightResult.message}\n`);
+                return {
+                    success: false,
+                    error: preFlightResult.message ?? 'Trigger not available on your plan',
+                    exitCode: 1,
+                };
+            }
+        }
+        catch {
+            // Fail-open: pre-flight errors should not block invocation
+        }
+    }
     const requestBody = {
         args: trimmedArgs,
         projectRoot: projectRoot.replace(homedir(), '~'), // Sanitize absolute path
@@ -303,9 +355,13 @@ export async function invoke(options) {
             exitCode,
         };
     }
-    // 6. Cache menu responses (AC6)
-    if (!trimmedArgs && result.data.metadata?.mode === 'menu') {
-        setMenuCache(result.data.instructions, result.data.metadata);
+    // 6. Cache menu responses (AC6) - encrypted (Story 61.1)
+    if (!trimmedArgs && result.data.metadata?.mode === 'menu' && menuCache) {
+        setMenuCache(menuCache, result.data.instructions, result.data.metadata).catch(() => { });
+    }
+    // 6a. Update cached quota from server response metadata (Epic 60)
+    if (result.data.metadata) {
+        auth.tierClient.updateQuotaFromResponse(result.data.metadata).catch(() => { });
     }
     return {
         success: true,
@@ -314,6 +370,16 @@ export async function invoke(options) {
         exitCode: 0,
     };
 }
+// ── Trigger Extraction ──────────────────────────────────────────────────
+/**
+ * Extract trigger name from args string.
+ * Triggers start with '*' (e.g., "*yolo", "*implement", "*status").
+ * Returns the trigger name without the '*' prefix, or null if no trigger.
+ */
+function extractTrigger(args) {
+    const match = args.match(/^\*([a-zA-Z][\w-]*)/);
+    return match ? match[1] : null;
+}
 // ── CLI Entry Point ───────────────────────────────────────────────────────
 /**
  * CLI handler for the invoke command.

package/packages/client/dist/config/secure-config.d.ts

@@ -0,0 +1,69 @@
+/**
+ * @license FSL-1.1
+ * Copyright (c) 2026 OrNexus AI
+ *
+ * This file is part of Neocortex CLI, licensed under the
+ * Functional Source License, Version 1.1 (FSL-1.1).
+ *
+ * Change Date: February 20, 2029
+ * Change License: MIT
+ *
+ * See the LICENSE file in the project root for full license text.
+ */
+/** Resolved config with decrypted license key */
+export interface SecureConfig {
+    readonly serverUrl?: string;
+    readonly mode?: string;
+    readonly machineId?: string;
+    readonly activatedAt?: string;
+    readonly tier?: string;
+    readonly licenseKey?: string;
+}
+/**
+ * Encrypt a license key using the machine fingerprint as passphrase.
+ * Returns the encrypted envelope string.
+ */
+export declare function encryptLicenseKey(licenseKey: string): string;
+/**
+ * Decrypt a license key using the machine fingerprint as passphrase.
+ * Returns the plaintext key or null if decryption fails (hardware changed).
+ */
+export declare function decryptLicenseKey(encryptedKey: string): string | null;
+/**
+ * Set restrictive file permissions (600) on config files.
+ * Skipped on Windows where chmod is not meaningful.
+ * Story 61.4 - F4 remediation.
+ */
+export declare function setSecureFilePermissions(filePath: string): void;
+/**
+ * Set restrictive directory permissions (700) on config directories.
+ * Skipped on Windows where chmod is not meaningful.
+ * Story 61.4 - F4 remediation.
+ */
+export declare function setSecureDirPermissions(dirPath: string): void;
+/**
+ * Load config from ~/.neocortex/config.json with automatic migration.
+ *
+ * If the config contains a plaintext `licenseKey` (old format), it is:
+ * 1. Encrypted using machine fingerprint
+ * 2. Stored as `encryptedLicenseKey`
+ * 3. Old `licenseKey` field removed
+ * 4. Config rewritten to disk
+ *
+ * If decryption of `encryptedLicenseKey` fails (hardware change),
+ * returns config with licenseKey = undefined.
+ */
+export declare function loadSecureConfig(): SecureConfig | null;
+/**
+ * Save config after activation with encrypted license key.
+ * This is the primary write path called from activate.ts.
+ */
+export declare function saveSecureConfig(config: {
+    serverUrl: string;
+    mode: string;
+    machineId: string;
+    activatedAt: string;
+    tier?: string;
+    licenseKey: string;
+}): void;
+//# sourceMappingURL=secure-config.d.ts.map

package/packages/client/dist/config/secure-config.js

@@ -0,0 +1,179 @@
+/**
+ * @license FSL-1.1
+ * Copyright (c) 2026 OrNexus AI
+ *
+ * This file is part of Neocortex CLI, licensed under the
+ * Functional Source License, Version 1.1 (FSL-1.1).
+ *
+ * Change Date: February 20, 2029
+ * Change License: MIT
+ *
+ * See the LICENSE file in the project root for full license text.
+ */
+/**
+ * @neocortex/client - Secure Config
+ *
+ * Handles reading and writing config.json with encrypted license key.
+ * Uses machine fingerprint as encryption seed so the key is bound
+ * to the physical machine.
+ *
+ * Story 61.2 - F2 remediation: license key no longer stored in plaintext.
+ *
+ * Migration: if config has plaintext `licenseKey`, it is silently
+ * migrated to `encryptedLicenseKey` on first read.
+ *
+ * If decryption fails (e.g. hardware change), returns null for
+ * licenseKey, requiring re-activation.
+ */
+import { existsSync, readFileSync, writeFileSync, mkdirSync, chmodSync } from 'node:fs';
+import { join } from 'node:path';
+import { homedir } from 'node:os';
+import { encrypt, decrypt } from '../cache/crypto-utils.js';
+import { getMachineFingerprint } from '../machine/fingerprint.js';
+// ── Constants ────────────────────────────────────────────────────────────
+const CONFIG_DIR = join(homedir(), '.neocortex');
+const CONFIG_FILE = join(CONFIG_DIR, 'config.json');
+// ── License Key Encryption ──────────────────────────────────────────────
+/**
+ * Encrypt a license key using the machine fingerprint as passphrase.
+ * Returns the encrypted envelope string.
+ */
+export function encryptLicenseKey(licenseKey) {
+    const fingerprint = getMachineFingerprint();
+    return encrypt(licenseKey, fingerprint);
+}
+/**
+ * Decrypt a license key using the machine fingerprint as passphrase.
+ * Returns the plaintext key or null if decryption fails (hardware changed).
+ */
+export function decryptLicenseKey(encryptedKey) {
+    try {
+        const fingerprint = getMachineFingerprint();
+        const result = decrypt(encryptedKey, fingerprint);
+        // expired flag is not relevant for license keys (no TTL)
+        return result.plaintext;
+    }
+    catch {
+        return null;
+    }
+}
+// ── Secure File Permissions ─────────────────────────────────────────────
+/**
+ * Set restrictive file permissions (600) on config files.
+ * Skipped on Windows where chmod is not meaningful.
+ * Story 61.4 - F4 remediation.
+ */
+export function setSecureFilePermissions(filePath) {
+    if (process.platform === 'win32')
+        return;
+    try {
+        chmodSync(filePath, 0o600);
+    }
+    catch {
+        // Non-critical: best-effort
+    }
+}
+/**
+ * Set restrictive directory permissions (700) on config directories.
+ * Skipped on Windows where chmod is not meaningful.
+ * Story 61.4 - F4 remediation.
+ */
+export function setSecureDirPermissions(dirPath) {
+    if (process.platform === 'win32')
+        return;
+    try {
+        chmodSync(dirPath, 0o700);
+    }
+    catch {
+        // Non-critical: best-effort
+    }
+}
+// ── Config Read/Write ───────────────────────────────────────────────────
+/**
+ * Load config from ~/.neocortex/config.json with automatic migration.
+ *
+ * If the config contains a plaintext `licenseKey` (old format), it is:
+ * 1. Encrypted using machine fingerprint
+ * 2. Stored as `encryptedLicenseKey`
+ * 3. Old `licenseKey` field removed
+ * 4. Config rewritten to disk
+ *
+ * If decryption of `encryptedLicenseKey` fails (hardware change),
+ * returns config with licenseKey = undefined.
+ */
+export function loadSecureConfig() {
+    try {
+        if (!existsSync(CONFIG_FILE))
+            return null;
+        const raw = readFileSync(CONFIG_FILE, 'utf-8');
+        const config = JSON.parse(raw);
+        // Migration path: plaintext licenseKey -> encrypted
+        if (config.licenseKey && !config.encryptedLicenseKey) {
+            const encrypted = encryptLicenseKey(config.licenseKey);
+            const migratedConfig = { ...config };
+            const plainKey = migratedConfig.licenseKey;
+            delete migratedConfig.licenseKey;
+            migratedConfig.encryptedLicenseKey = encrypted;
+            writeSecureConfig(migratedConfig);
+            return {
+                serverUrl: config.serverUrl,
+                mode: config.mode,
+                machineId: config.machineId,
+                activatedAt: config.activatedAt,
+                tier: config.tier,
+                licenseKey: plainKey,
+            };
+        }
+        // Decrypt encrypted license key
+        let licenseKey;
+        if (config.encryptedLicenseKey) {
+            const decrypted = decryptLicenseKey(config.encryptedLicenseKey);
+            if (decrypted) {
+                licenseKey = decrypted;
+            }
+            // If decryption fails, licenseKey remains undefined -> requires re-activation
+        }
+        return {
+            serverUrl: config.serverUrl,
+            mode: config.mode,
+            machineId: config.machineId,
+            activatedAt: config.activatedAt,
+            tier: config.tier,
+            licenseKey,
+        };
+    }
+    catch {
+        return null;
+    }
+}
+/**
+ * Write config to disk with encrypted license key and secure permissions.
+ * The licenseKey field should already be encrypted as encryptedLicenseKey.
+ */
+function writeSecureConfig(config) {
+    mkdirSync(CONFIG_DIR, { recursive: true });
+    setSecureDirPermissions(CONFIG_DIR);
+    const cacheDir = join(CONFIG_DIR, 'cache');
+    if (existsSync(cacheDir)) {
+        setSecureDirPermissions(cacheDir);
+    }
+    writeFileSync(CONFIG_FILE, JSON.stringify(config, null, 2) + '\n', 'utf-8');
+    setSecureFilePermissions(CONFIG_FILE);
+}
+/**
+ * Save config after activation with encrypted license key.
+ * This is the primary write path called from activate.ts.
+ */
+export function saveSecureConfig(config) {
+    const encrypted = encryptLicenseKey(config.licenseKey);
+    const diskConfig = {
+        serverUrl: config.serverUrl,
+        mode: config.mode,
+        machineId: config.machineId,
+        activatedAt: config.activatedAt,
+        tier: config.tier,
+        encryptedLicenseKey: encrypted,
+    };
+    writeSecureConfig(diskConfig);
+}
+//# sourceMappingURL=secure-config.js.map

package/targets-stubs/antigravity/gemini.md

@@ -1,4 +1,4 @@
-# 🧠 Neocortex v3.9.19 (Free) | OrNexus Team
+# 🧠 Neocortex v3.9.22 (Free) | OrNexus Team
 
 This project uses Neocortex, a Development Orchestrator (Free).
 

package/targets-stubs/antigravity/skill/SKILL.md

@@ -1,6 +1,6 @@
 ---
 name: neocortex
-description: "🧠 Neocortex v3.9.19 (Free) | OrNexus Team"
+description: "🧠 Neocortex v3.9.22 (Free) | OrNexus Team"
 ---
 
 # Neocortex - Thin Client Interface

package/targets-stubs/claude-code/neocortex.agent.yaml

@@ -4,7 +4,7 @@ agent:
     name: 'Neocortex'
     title: 'Development Orchestrator (Free)'
     icon: '>'
-    version: '3.9.19'
+    version: '3.9.22'
     architecture: 'thin-client'
     module: stand-alone
     hasSidecar: false

package/targets-stubs/claude-code/neocortex.md

@@ -1,6 +1,6 @@
 ---
 name: neocortex
-description: "🧠 Neocortex v3.9.19 (Free) | OrNexus Team"
+description: "🧠 Neocortex v3.9.22 (Free) | OrNexus Team"
 model: opus
 color: blue
 tools:
@@ -56,7 +56,7 @@ SEMPRE que este agente for invocado, imprima o banner abaixo como PRIMEIRO outpu
 ┌────────────────────────────────────────────────────────────┐
 │                                                            │
 │       #######           N E O C O R T E X                  │
-│      ###  ########      v3.9.19                            │
+│      ###  ########      v3.9.22                            │
 │ #########      #####                                       │
 │ ##    ##############    Development Orchestrator           │
 │ ##   ###  ######  ##    OrNexus Team (Free)                │

package/targets-stubs/codex/agents.md

@@ -1,4 +1,4 @@
-# 🧠 Neocortex v3.9.19 (Free) | OrNexus Team
+# 🧠 Neocortex v3.9.22 (Free) | OrNexus Team
 
 You are a Development Orchestrator (Free). All orchestration logic is delivered by the remote Neocortex server.
 

package/targets-stubs/cursor/agent.md

@@ -1,6 +1,6 @@
 ---
 name: neocortex
-description: "🧠 Neocortex v3.9.19 (Free) | OrNexus Team"
+description: "🧠 Neocortex v3.9.22 (Free) | OrNexus Team"
 model: fast
 readonly: false
 is_background: false
@@ -18,7 +18,7 @@ SEMPRE que este agente for invocado, imprima o banner abaixo como PRIMEIRO outpu
 ┌────────────────────────────────────────────────────────────┐
 │                                                            │
 │       #######           N E O C O R T E X                  │
-│      ###  ########      v3.9.19                            │
+│      ###  ########      v3.9.22                            │
 │ #########      #####                                       │
 │ ##    ##############    Development Orchestrator           │
 │ ##   ###  ######  ##    OrNexus Team (Free)                │

package/targets-stubs/gemini-cli/agent.md

@@ -1,6 +1,6 @@
 ---
 name: neocortex
-description: "🧠 Neocortex v3.9.19 (Free) | OrNexus Team"
+description: "🧠 Neocortex v3.9.22 (Free) | OrNexus Team"
 kind: local
 tools:
   - read_file
@@ -25,7 +25,7 @@ SEMPRE que este agente for invocado, imprima o banner abaixo como PRIMEIRO outpu
 ┌────────────────────────────────────────────────────────────┐
 │                                                            │
 │       #######           N E O C O R T E X                  │
-│      ###  ########      v3.9.19                            │
+│      ###  ########      v3.9.22                            │
 │ #########      #####                                       │
 │ ##    ##############    Development Orchestrator           │
 │ ##   ###  ######  ##    OrNexus Team (Free)                │