sinapse-ai 1.12.1 → 1.13.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (93) hide show
  1. package/.claude/CLAUDE.md +2 -2
  2. package/.claude/rules/agent-memory-imports.md +2 -0
  3. package/.sinapse-ai/cli/commands/pro/index.js +8 -48
  4. package/.sinapse-ai/constitution.md +6 -2
  5. package/.sinapse-ai/core-config.yaml +5 -1
  6. package/.sinapse-ai/data/entity-registry.yaml +95 -95
  7. package/.sinapse-ai/development/agents/architect/MEMORY.md +35 -0
  8. package/.sinapse-ai/development/agents/data-engineer/MEMORY.md +38 -0
  9. package/.sinapse-ai/development/agents/developer/MEMORY.md +36 -0
  10. package/.sinapse-ai/development/agents/devops/MEMORY.md +39 -0
  11. package/.sinapse-ai/development/agents/devops.md +0 -1
  12. package/.sinapse-ai/development/agents/product-lead/MEMORY.md +36 -0
  13. package/.sinapse-ai/development/agents/project-lead/MEMORY.md +36 -0
  14. package/.sinapse-ai/development/agents/quality-gate/MEMORY.md +35 -0
  15. package/.sinapse-ai/development/agents/quality-gate.md +1 -1
  16. package/.sinapse-ai/development/agents/snps-orqx.md +4 -0
  17. package/.sinapse-ai/development/agents/sprint-lead/MEMORY.md +36 -0
  18. package/.sinapse-ai/development/templates/chrome-brain/knowledge-base/chrome-brain.md +2 -2
  19. package/.sinapse-ai/infrastructure/scripts/ide-sync/index.js +15 -0
  20. package/.sinapse-ai/infrastructure/scripts/validate-agents.js +159 -8
  21. package/.sinapse-ai/install-manifest.yaml +20 -156
  22. package/AGENTS.md +13 -2
  23. package/CHANGELOG.md +119 -4
  24. package/README.en.md +1 -1
  25. package/README.md +6 -26
  26. package/bin/cli.js +2 -7
  27. package/bin/commands/install.js +19 -257
  28. package/bin/commands/update.js +18 -78
  29. package/bin/lib/command-generator.js +261 -0
  30. package/bin/lib/prompts.js +2 -65
  31. package/bin/modules/chrome-brain-installer.js +2 -1
  32. package/bin/postinstall.js +6 -6
  33. package/docs/getting-started.md +0 -1
  34. package/docs/pt/getting-started.md +1 -1
  35. package/docs/security/dependabot-triage.md +17 -17
  36. package/package.json +6 -3
  37. package/packages/installer/src/wizard/i18n.js +3 -204
  38. package/packages/installer/src/wizard/index.js +1 -1
  39. package/packages/installer/src/wizard/questions.js +5 -368
  40. package/packages/installer/src/wizard/wizard.js +0 -9
  41. package/scripts/generate-install-manifest.js +6 -0
  42. package/scripts/validate-changelog-tags.js +97 -0
  43. package/scripts/validate-no-personal-leaks.js +184 -28
  44. package/scripts/validate-schemas.js +55 -10
  45. package/scripts/validate-story-meta.js +25 -12
  46. package/squads/claude-code-mastery/agents/claude-mastery-chief.md +1 -1
  47. package/squads/claude-code-mastery/agents/hooks-architect.md +12 -20
  48. package/squads/claude-code-mastery/tasks/audit-setup.md +1 -1
  49. package/squads/squad-product/agents/product-orqx.md +0 -1
  50. package/squads/squad-product/agents/ps-client-product-manager.md +0 -1
  51. package/squads/squad-product/agents/ps-delivery-manager.md +0 -1
  52. package/squads/squad-product/agents/ps-discovery-lead.md +0 -1
  53. package/squads/squad-product/agents/ps-product-analyst.md +0 -1
  54. package/squads/squad-product/agents/ps-product-ops-specialist.md +0 -1
  55. package/squads/squad-product/agents/ps-product-strategist.md +0 -1
  56. package/.sinapse-ai/core/grounding/README.md +0 -83
  57. package/.sinapse-ai/core/grounding/brand.cjs +0 -29
  58. package/.sinapse-ai/core/grounding/config-loader.cjs +0 -52
  59. package/.sinapse-ai/core/grounding/design-system.cjs +0 -29
  60. package/.sinapse-ai/core/grounding/vault.cjs +0 -36
  61. package/.sinapse-ai/development/scripts/approval-workflow.js +0 -643
  62. package/.sinapse-ai/development/scripts/backup-manager.js +0 -607
  63. package/.sinapse-ai/development/scripts/branch-manager.js +0 -390
  64. package/.sinapse-ai/development/scripts/code-quality-improver.js +0 -1329
  65. package/.sinapse-ai/development/scripts/commit-message-generator.js +0 -850
  66. package/.sinapse-ai/development/scripts/conflict-resolver.js +0 -675
  67. package/.sinapse-ai/development/scripts/dependency-analyzer.js +0 -638
  68. package/.sinapse-ai/development/scripts/diff-generator.js +0 -352
  69. package/.sinapse-ai/development/scripts/git-wrapper.js +0 -462
  70. package/.sinapse-ai/development/scripts/modification-validator.js +0 -555
  71. package/.sinapse-ai/development/scripts/performance-analyzer.js +0 -758
  72. package/.sinapse-ai/development/scripts/refactoring-suggester.js +0 -1148
  73. package/.sinapse-ai/development/scripts/rollback-handler.js +0 -531
  74. package/.sinapse-ai/development/scripts/security-checker.js +0 -359
  75. package/.sinapse-ai/development/scripts/template-engine.js +0 -240
  76. package/.sinapse-ai/development/scripts/template-validator.js +0 -279
  77. package/.sinapse-ai/development/scripts/test-generator.js +0 -844
  78. package/.sinapse-ai/development/scripts/transaction-manager.js +0 -590
  79. package/.sinapse-ai/development/scripts/yaml-validator.js +0 -397
  80. package/.sinapse-ai/hooks/sinapse-brand-grounding.cjs +0 -162
  81. package/.sinapse-ai/hooks/sinapse-ds-grounding.cjs +0 -211
  82. package/.sinapse-ai/hooks/sinapse-vault-grounding.cjs +0 -194
  83. package/bin/lib/register-grounding-hooks.js +0 -145
  84. package/docs/guides/agents/traces/execution-traces.zip +0 -0
  85. package/docs/guides/grounding-setup.md +0 -154
  86. package/docs/guides/workflows/SINAPSE-WORKFLOWS.zip +0 -0
  87. package/packages/installer/src/pro/pro-scaffolder.js +0 -449
  88. package/packages/installer/src/wizard/grounding-config.js +0 -131
  89. package/packages/installer/src/wizard/pro-setup.js +0 -1439
  90. package/packages/installer/templates/README.md +0 -16
  91. package/packages/installer/templates/brand-routing.example.json +0 -12
  92. package/packages/installer/templates/ds-routing.example.json +0 -12
  93. package/packages/installer/templates/vault-routing.example.json +0 -12
@@ -0,0 +1,261 @@
1
+ // bin/lib/command-generator.js — shared agent-command generation.
2
+ //
3
+ // Single source of truth for the Phase 2 "generate agent commands" logic used by
4
+ // BOTH `install` and `update`. Previously update.js only regenerated `-orqx`
5
+ // commands, silently dropping every specialist command + the rich master stubs a
6
+ // fresh install creates. Extracting the install behavior here makes `update`
7
+ // produce byte-identical command files to `install`.
8
+
9
+ const fs = require('fs');
10
+ const path = require('path');
11
+
12
+ const { SINAPSE_HOME, CLAUDE_COMMANDS_DIR } = require('./constants');
13
+ const { extractAgentMeta } = require('./squads');
14
+ const { toForwardSlash } = require('./fs-utils');
15
+
16
+ /**
17
+ * Rich Imperator stub for the master entry points (@sinapse, @snps, @sinapse-orqx,
18
+ * @snps-orqx). The identity (ASCII greeting + 👑 signature + diagnose→plan→delegate
19
+ * mandate) is baked INLINE so activation is reliable — it does not depend on the model
20
+ * choosing to deep-read an external persona (which produced a shallow "modo orqx" before).
21
+ * The full persona (routing table, workflows, tasks) is still linked for depth.
22
+ */
23
+ function generateMasterStub(agentId, personaPath, squadPath, squads) {
24
+ const squadCount = squads.length;
25
+ const agentCount = squads.reduce((a, s) => a + (s.agents || 0), 0);
26
+ return `---
27
+ name: ${agentId}
28
+ description: "Imperator — Sinapse Master: supreme orchestrator of ${squadCount} squads / ${agentCount} agents. Diagnoses every briefing and auto-generates an orchestration plan."
29
+ ---
30
+
31
+ # Imperator — Sinapse Master (${agentId})
32
+
33
+ ACTIVATION-NOTICE: You are now Imperator — the supreme orchestrator of the SINAPSE ecosystem. Every request passes through you first.
34
+
35
+ ## YOUR ONLY FUNCTION — NON-NEGOTIABLE
36
+
37
+ You DIAGNOSE and HAND OFF. That is the whole job. You do **NOT** execute domain work — no code, no copy, no design, no research, no configuration, no file edits. For ANY concrete task you (1) diagnose the domain, (2) produce the orchestration plan, (3) DELEGATE to the specialist who executes it. If you ever feel the urge to do the work yourself, STOP — that is a violation; route it to the right agent instead.
38
+
39
+ ## ON ACTIVATION — display this EXACTLY as your first output (before anything else)
40
+
41
+ \`\`\`
42
+ ███████╗██╗███╗ ██╗ █████╗ ██████╗ ███████╗███████╗
43
+ ██╔════╝██║████╗ ██║██╔══██╗██╔══██╗██╔════╝██╔════╝
44
+ ███████╗██║██╔██╗ ██║███████║██████╔╝███████╗█████╗
45
+ ╚════██║██║██║╚██╗██║██╔══██║██╔═══╝ ╚════██║██╔══╝
46
+ ███████║██║██║ ╚████║██║ ██║██║ ███████║███████╗
47
+ ╚══════╝╚═╝╚═╝ ╚═══╝╚═╝ ╚═╝╚═╝ ╚══════╝╚══════╝
48
+ ██████╗ ██████╗ ██████╗ ██╗ ██╗
49
+ ██╔═══██╗██╔══██╗██╔═══██╗╚██╗██╔╝
50
+ ██║ ██║██████╔╝██║ ██║ ╚███╔╝
51
+ ██║ ██║██╔══██╗██║▄▄ ██║ ██╔██╗
52
+ ╚██████╔╝██║ ██║╚██████╔╝██╔╝ ██╗
53
+ ╚═════╝ ╚═╝ ╚═╝ ╚══▀▀═╝ ╚═╝ ╚═╝
54
+ \`\`\`
55
+
56
+ \`\`\`
57
+ AI Agent Squads for Claude Code
58
+ ${squadCount} squads · ${agentCount} agents
59
+
60
+ 👑 Imperator — Sinapse Master ativado
61
+
62
+ Descreva seu objetivo que eu diagnostico o domínio
63
+ e roteio para o agente certo.
64
+
65
+ Comandos principais:
66
+ *route {pedido} — Diagnostica e roteia para a squad certa
67
+ *plan {iniciativa} — Desenha um plano de execução multi-squad
68
+ *status — Reporta todas as squads e capacidades
69
+ *onboard — Tour guiado do ecossistema SINAPSE
70
+ *help — Mostra todos os comandos
71
+ \`\`\`
72
+
73
+ ## AFTER THE GREETING — NON-NEGOTIABLE (Imperator's core function)
74
+
75
+ Check if the user provided a briefing with the activation:
76
+ - **Briefing provided** → proceed IMMEDIATELY: run the Initial State Audit → classify the request → produce an ORCHESTRATION PLAN (phases + squads + specific agents assigned + handoffs) → delegate to the specialists. NEVER ask "do you want me to plan?" — for Imperator the answer is always YES.
77
+ - **Bare activation** → await the briefing, then apply the same flow automatically on receipt.
78
+
79
+ You diagnose and DELEGATE — never execute domain work yourself. Route simple, well-defined requests directly to @specialist; complex ones to @{domain}-orqx; cross-domain ones by coordinating multiple orchestrators.
80
+
81
+ ## FULL OPERATING PARAMETERS
82
+
83
+ For your complete persona — the routing table of all squads, the Initial State Audit, the Documentation-First gate, NSN enforcement, and every workflow and task — read and ADOPT:
84
+ \`${personaPath}\`
85
+ Tasks: \`${squadPath}/tasks/\` · Workflows: \`${squadPath}/workflows/\` · Manifest: \`${squadPath}/squad.yaml\`
86
+
87
+ — Imperator, orchestrating SINAPSE
88
+ `;
89
+ }
90
+
91
+ function generateCommandMd(agentId, agentName, agentIcon, squadName, squadPath, agentFile) {
92
+ // Detecta se é orquestrador: id termina em -orqx OU é Imperator (snps-orqx/sinapse-orqx)
93
+ // ou um dos apelidos curtos do master (sinapse/snps).
94
+ const isOrchestrator = /-orqx$/.test(agentId) || agentId === 'snps-orqx' || agentId === 'sinapse-orqx' || agentId === 'sinapse' || agentId === 'snps';
95
+
96
+ const step4 = isOrchestrator
97
+ ? `4. Briefing-on-activation check (this agent is an ORCHESTRATOR):
98
+ - If user provided briefing/context with the activation → proceed IMMEDIATELY: absorb → diagnose → plan with phases + agents + handoffs → execute (YOLO). NEVER ask "do you want me to plan?".
99
+ - If bare activation only → await briefing. On receipt, apply same flow automatically.`
100
+ : '4. HALT and await user input';
101
+
102
+ const step6 = isOrchestrator
103
+ ? `6. Briefing-on-activation check (ORCHESTRATOR):
104
+ - If user provided briefing → proceed IMMEDIATELY: absorb → diagnose → plan → execute
105
+ - If bare activation → await briefing, then plan automatically. NEVER ask "do you want me to plan?".`
106
+ : '6. HALT and await user input';
107
+
108
+ // Frontmatter (name + description) is REQUIRED so the file resolves as a Claude Code
109
+ // subagent (@id) — without it, @id matches nothing. The same file doubles as a slash
110
+ // command (/SINAPSE:agents:id); extra frontmatter is harmless there.
111
+ const fmDesc = (isOrchestrator
112
+ ? `${agentName || agentId} — orchestrator for ${squadName}; diagnoses, routes to specialists and auto-generates an orchestration plan`
113
+ : `${agentName || agentId} — ${squadName} specialist`).replace(/["\n\r]/g, ' ').trim();
114
+
115
+ return `---
116
+ name: ${agentId}
117
+ description: "${fmDesc}"
118
+ ---
119
+
120
+ # ${agentId}
121
+
122
+ ACTIVATION-NOTICE: This command activates an agent from ${squadName}.
123
+
124
+ CRITICAL: Read the agent definition file at \`${squadPath}/agents/${agentFile}\` to understand your full operating parameters. Then:
125
+ 1. Adopt the persona defined in that file (name: ${agentName}, icon: ${agentIcon})
126
+ 2. Load the squad manifest at \`${squadPath}/squad.yaml\` for context
127
+ 3. Display a greeting showing your agent name, role, and available commands
128
+ ${step4}
129
+
130
+ ## Agent Reference
131
+ - **Agent ID:** ${agentId}
132
+ - **Squad:** ${squadName}
133
+ - **Definition:** \`${squadPath}/agents/${agentFile}\`
134
+ - **Squad Manifest:** \`${squadPath}/squad.yaml\`
135
+ - **Tasks:** \`${squadPath}/tasks/\`
136
+ - **Knowledge Bases:** \`${squadPath}/knowledge-base/\`
137
+ - **Workflows:** \`${squadPath}/workflows/\`
138
+
139
+ ## Activation Instructions
140
+ 1. Read the full agent definition: \`${squadPath}/agents/${agentFile}\`
141
+ 2. Adopt the persona (name, icon, communication style, principles)
142
+ 3. Show greeting: "{icon} {name} — {role} ativado"
143
+ 4. Show: "Squad: ${squadName} | Invoke: /SINAPSE:agents:${agentId}"
144
+ 5. List your key tasks from the agent definition
145
+ ${step6}
146
+
147
+ ## How to Execute Tasks
148
+ When the user requests a task:
149
+ 1. Find the matching task in \`${squadPath}/tasks/\`
150
+ 2. Read the task file completely
151
+ 3. Execute following the task checklist step by step
152
+ 4. Consult knowledge bases in \`${squadPath}/knowledge-base/\` as needed
153
+
154
+ ## Cross-Squad Handoff
155
+ If the task requires expertise outside this squad:
156
+ 1. Identify which squad covers the needed domain
157
+ 2. Recommend: /SINAPSE:agents:{appropriate-agent}
158
+ 3. Provide handoff context
159
+ `;
160
+ }
161
+
162
+ /**
163
+ * Regenerate ALL agent command files into `commandsDir`. This is the exact Phase 2
164
+ * behavior of a fresh install, shared so `update` produces an identical set:
165
+ * 1. Clear commandsDir.
166
+ * 2. Write a command for EVERY agent of every squad (not only -orqx).
167
+ * 3. Write commands for the sinapse master squad agents.
168
+ * 4. Overwrite the four master entry points (sinapse-orqx, snps-orqx, sinapse,
169
+ * snps) with the rich Imperator stub.
170
+ *
171
+ * @param {Object} [deps] - Injectable dependencies (defaults bind to real fs/paths).
172
+ * @param {string} [deps.sinapseHome] - Root of installed squads (~/.sinapse).
173
+ * @param {string} [deps.commandsDir] - Target commands dir.
174
+ * @param {Array} deps.squads - Squad descriptors ({ name, agents, ... }).
175
+ * @param {string} [deps.sinapseMasterDest] - Path to the installed sinapse/ master squad.
176
+ * @returns {{ writtenAgents: Set<string>, totalAgents: number }}
177
+ */
178
+ function regenerateAgentCommands(deps = {}) {
179
+ const {
180
+ sinapseHome = SINAPSE_HOME,
181
+ commandsDir = CLAUDE_COMMANDS_DIR,
182
+ squads,
183
+ sinapseMasterDest = path.join(sinapseHome, 'sinapse'),
184
+ } = deps;
185
+
186
+ if (!Array.isArray(squads)) {
187
+ throw new Error('regenerateAgentCommands: `squads` array is required');
188
+ }
189
+
190
+ fs.mkdirSync(commandsDir, { recursive: true });
191
+
192
+ // Clear old commands (dir may not exist on a fresh install — guarded).
193
+ try {
194
+ for (const f of fs.readdirSync(commandsDir)) {
195
+ fs.unlinkSync(path.join(commandsDir, f));
196
+ }
197
+ } catch { /* dir may not exist yet */ }
198
+
199
+ const sinapseBase = toForwardSlash(sinapseHome);
200
+ const writtenAgents = new Set();
201
+
202
+ // 1. A command/subagent for EVERY agent (not only -orqx), so every specialist
203
+ // is invokable via @agent and /SINAPSE:agents:agent.
204
+ for (const squad of squads) {
205
+ const squadPath = `${sinapseBase}/${squad.name}`;
206
+ const agentsDir = path.join(sinapseHome, squad.name, 'agents');
207
+ if (!fs.existsSync(agentsDir)) continue;
208
+
209
+ const squadAgents = fs.readdirSync(agentsDir).filter(f => f.endsWith('.md'));
210
+ for (const file of squadAgents) {
211
+ const agentId = file.replace('.md', '');
212
+ const meta = extractAgentMeta(path.join(agentsDir, file));
213
+ const cmdContent = generateCommandMd(agentId, meta.name, meta.icon, squad.name, squadPath, file);
214
+ fs.writeFileSync(path.join(commandsDir, `${agentId}.md`), cmdContent);
215
+ writtenAgents.add(file);
216
+ }
217
+ }
218
+
219
+ // 2. Commands for sinapse/ master squad agents.
220
+ if (fs.existsSync(sinapseMasterDest)) {
221
+ const masterAgentsDir = path.join(sinapseMasterDest, 'agents');
222
+ if (fs.existsSync(masterAgentsDir)) {
223
+ for (const file of fs.readdirSync(masterAgentsDir).filter(f => f.endsWith('.md'))) {
224
+ if (writtenAgents.has(file)) continue;
225
+ const agentId = file.replace('.md', '');
226
+ const meta = extractAgentMeta(path.join(masterAgentsDir, file));
227
+ const squadPath = `${sinapseBase}/sinapse`;
228
+ const cmdContent = generateCommandMd(agentId, meta.name, meta.icon, 'sinapse', squadPath, file);
229
+ fs.writeFileSync(path.join(commandsDir, `${agentId}.md`), cmdContent);
230
+ writtenAgents.add(file);
231
+ }
232
+ }
233
+ }
234
+
235
+ // 3. Master entry points (@sinapse, @snps, @sinapse-orqx, @snps-orqx) → rich
236
+ // Imperator stub. Overwrites the generic command file for the orqx names and
237
+ // adds the short aliases the user actually types.
238
+ if (fs.existsSync(sinapseMasterDest)) {
239
+ const masterSquadPath = `${sinapseBase}/sinapse`;
240
+ const masterEntryPoints = [
241
+ ['sinapse-orqx', 'sinapse-orqx.md'],
242
+ ['snps-orqx', 'snps-orqx.md'],
243
+ ['sinapse', 'sinapse-orqx.md'],
244
+ ['snps', 'snps-orqx.md'],
245
+ ];
246
+ for (const [id, personaFile] of masterEntryPoints) {
247
+ const personaPath = `${masterSquadPath}/agents/${personaFile}`;
248
+ const stub = generateMasterStub(id, personaPath, masterSquadPath, squads);
249
+ fs.writeFileSync(path.join(commandsDir, `${id}.md`), stub);
250
+ writtenAgents.add(`${id}.md`);
251
+ }
252
+ }
253
+
254
+ return { writtenAgents, totalAgents: writtenAgents.size };
255
+ }
256
+
257
+ module.exports = {
258
+ generateCommandMd,
259
+ generateMasterStub,
260
+ regenerateAgentCommands,
261
+ };
@@ -1,9 +1,8 @@
1
- // bin/lib/prompts.js — interactive prompts (LLM, grounding, uninstall).
1
+ // bin/lib/prompts.js — interactive prompts (LLM, uninstall).
2
2
  // Story GA-1.2 — extracted from bin/cli.js.
3
3
 
4
- const path = require('path');
5
4
  const { getLogger } = require('../../.sinapse-ai/core/logger');
6
- const { ROOT, CYAN, GREEN, BOLD, DIM, YELLOW, NC } = require('./constants');
5
+ const { CYAN, GREEN, BOLD, DIM, YELLOW, NC } = require('./constants');
7
6
  const { detectInteractiveMode, warnNonInteractive } = require('./detection');
8
7
 
9
8
  /**
@@ -53,67 +52,6 @@ async function promptLlmChoice() {
53
52
  }
54
53
  }
55
54
 
56
- // Story 10.47 — collect optional grounding paths (vault / design system /
57
- // brand). Empty answers leave the section disabled and the shipped hook
58
- // stays a no-op. Reuses the multi-signal interactive detector from Story
59
- // 10.46 so CI / non-TTY runs skip silently with the consolidated warning
60
- // already emitted by lang/LLM helpers.
61
- async function promptGroundingSections({ isUpsert = false, reconfigure = false } = {}) {
62
- const logger = getLogger();
63
- const groundingConfig = require(path.join(
64
- ROOT, 'packages', 'installer', 'src', 'wizard', 'grounding-config',
65
- ));
66
- const existing = groundingConfig.readGroundingConfig();
67
- const pending = isUpsert && !reconfigure
68
- ? groundingConfig.pendingGroundingSections(existing)
69
- : { askVault: true, askDesignSystem: true, askBrand: true };
70
-
71
- if (!pending.askVault && !pending.askDesignSystem && !pending.askBrand) {
72
- return existing;
73
- }
74
-
75
- if (!detectInteractiveMode()) {
76
- warnNonInteractive();
77
- // Persist defaults so the file exists with a documented schema even on
78
- // headless installs (helps users discover it later via `--reconfigure`).
79
- const merged = groundingConfig.buildGroundingFromAnswers({}, existing);
80
- groundingConfig.writeGroundingConfig(merged);
81
- return merged;
82
- }
83
-
84
- const questions = require(path.join(
85
- ROOT, 'packages', 'installer', 'src', 'wizard', 'questions',
86
- ));
87
- const inquirer = require('inquirer');
88
-
89
- const ask = [];
90
- if (pending.askVault) ask.push(questions.getVaultGroundingQuestion());
91
- if (pending.askDesignSystem) ask.push(questions.getDesignSystemGroundingQuestion());
92
- if (pending.askBrand) ask.push(questions.getBrandGroundingQuestion());
93
-
94
- logger.always('');
95
- logger.always(`${CYAN}Grounding semantico (opt-in):${NC}`);
96
- logger.always(`${DIM} Pular qualquer pergunta ativa o fallback generico do framework.${NC}`);
97
-
98
- let answers = {};
99
- try {
100
- answers = await inquirer.prompt(ask);
101
- } catch {
102
- // Fallback: minimal readline loop if inquirer fails (e.g. exotic shells).
103
- const readline = require('readline');
104
- const rl = readline.createInterface({ input: process.stdin, output: process.stdout });
105
- const askLine = (msg) => new Promise((resolve) => rl.question(msg, resolve));
106
- if (pending.askVault) answers.vaultPath = (await askLine(' Vault path (Enter pra pular): ')).trim();
107
- if (pending.askDesignSystem) answers.designSystemPath = (await askLine(' Design system path (Enter pra pular): ')).trim();
108
- if (pending.askBrand) answers.brandbookPath = (await askLine(' Brandbook path (Enter pra pular): ')).trim();
109
- rl.close();
110
- }
111
-
112
- const merged = groundingConfig.buildGroundingFromAnswers(answers, existing);
113
- groundingConfig.writeGroundingConfig(merged);
114
- return merged;
115
- }
116
-
117
55
  // Story 10.40 — Confirmation prompt for destructive uninstall.
118
56
  // Returns true if user confirmed, false otherwise.
119
57
  async function confirmUninstall() {
@@ -130,6 +68,5 @@ async function confirmUninstall() {
130
68
 
131
69
  module.exports = {
132
70
  promptLlmChoice,
133
- promptGroundingSections,
134
71
  confirmUninstall,
135
72
  };
@@ -140,7 +140,8 @@ function mergeHooks(settingsPath, hookDefs) {
140
140
  const existing = settings.hooks[hookType] || [];
141
141
  const newKeys = new Set(hookList.map(h => hookKey(h.matcher, h)));
142
142
  // Dedupe by (matcher + command) so SessionStart matcher="" doesn't
143
- // collide with other modules' SessionStart hooks (e.g. vault-grounding).
143
+ // collide with other modules' SessionStart hooks (e.g. another
144
+ // session-start grounding hook).
144
145
  const filtered = existing.filter(e => !newKeys.has(hookKey(e.matcher, e)));
145
146
  filtered.push(...hookList);
146
147
  settings.hooks[hookType] = filtered;
@@ -340,7 +340,7 @@ function stepCreateRuntimeDirs() {
340
340
  fs.mkdirSync(dir, { recursive: true });
341
341
  } catch (err) {
342
342
  if (err.code === 'EACCES' || err.code === 'EPERM') {
343
- warn(`Sem permissão para criar ${path.relative(PROJECT_ROOT, dir)} — SNPS AI vai tentar criar no primeiro uso.`);
343
+ warn(`Sem permissão para criar ${path.relative(PROJECT_ROOT, dir)} — SINAPSE AI vai tentar criar no primeiro uso.`);
344
344
  softFailures += 1;
345
345
  continue;
346
346
  }
@@ -439,7 +439,7 @@ function stepDoctor() {
439
439
  * Teste: sinapse doctor
440
440
  * Começar: @sinapse no Claude Code
441
441
  *
442
- * Docs: https://sinapse.club
442
+ * Docs: https://github.com/caioimori/sinapse-ai#readme
443
443
  *
444
444
  * In --verbose mode the caller has already printed detailed step output, so we
445
445
  * still render the minimal summary at the end as a recap.
@@ -477,9 +477,9 @@ function renderFinalSummary(opts = {}) {
477
477
  const isGlobal = isGlobalInstall();
478
478
  const lines = [];
479
479
  if (firstRun) {
480
- lines.push(`${c.bold}Bem-vindo ao SNPS AI!${c.reset} 🎉`);
480
+ lines.push(`${c.bold}Bem-vindo ao SINAPSE AI!${c.reset} 🎉`);
481
481
  }
482
- lines.push(`${c.bold}SNPS AI ${version}${c.reset} instalado ${c.green}✓${c.reset}`);
482
+ lines.push(`${c.bold}SINAPSE AI ${version}${c.reset} instalado ${c.green}✓${c.reset}`);
483
483
  if (!isGlobal) {
484
484
  lines.push(`${c.dim}${agents} ${agentsWord} · ${squads} ${squadsWord} ${prontosWord}${c.reset}`);
485
485
  }
@@ -493,7 +493,7 @@ function renderFinalSummary(opts = {}) {
493
493
  lines.push(`Começar: ${c.cyan}@sinapse${c.reset} no Claude Code`);
494
494
  }
495
495
  lines.push('');
496
- lines.push(`Docs: ${c.dim}https://sinapse.club${c.reset}`);
496
+ lines.push(`Docs: ${c.dim}https://github.com/caioimori/sinapse-ai#readme${c.reset}`);
497
497
 
498
498
  for (const line of lines) {
499
499
  process.stdout.write(`${line}\n`);
@@ -567,7 +567,7 @@ function main(argvOverride) {
567
567
  return 0;
568
568
  }
569
569
 
570
- verboseLog(`${c.dim}SNPS AI postinstall — configurando ambiente...${c.reset}`);
570
+ verboseLog(`${c.dim}SINAPSE AI postinstall — configurando ambiente...${c.reset}`);
571
571
 
572
572
  const syncIde = stepSyncIde();
573
573
  if (syncIde.critical) {
@@ -42,7 +42,6 @@ No prompt do Claude Code ou Codex:
42
42
  |---|---|
43
43
  | Entender filosofia do framework | [`README.md`](../README.md) |
44
44
  | Ver lista completa de agentes | [Agent Reference Guide](agent-reference-guide.md) |
45
- | Configurar grounding (vault, DS, brand) | [Grounding Setup](guides/grounding-setup.md) |
46
45
  | Resolver problema na instalação | [Troubleshooting](troubleshooting.md) |
47
46
  | Ver workflow de desenvolvimento | [`docs/sinapse-workflows/`](sinapse-workflows/) |
48
47
  | Contribuir | [`CONTRIBUTING.md`](../CONTRIBUTING.md) |
@@ -337,7 +337,7 @@ steps:
337
337
 
338
338
  ## Conceitos Básicos da Camada de Memória
339
339
 
340
- A camada de memória da SINAPSE (Chrome Brain v3) fornece gerenciamento inteligente de contexto com grounding do Second Brain e recuperação semântica nativa.
340
+ A camada de memória da SINAPSE (Chrome Brain v3) fornece gerenciamento inteligente de contexto com grounding contra seu vault de notas (opcional) e recuperação semântica nativa.
341
341
 
342
342
  ### Como a Memória Funciona
343
343
 
@@ -10,22 +10,21 @@ This document applies to `caioimori/sinapse-ai` and covers advisories surfaced b
10
10
  - GitHub Dependabot alerts (https://github.com/caioimori/sinapse-ai/security/dependabot)
11
11
  - `npm audit` run locally or in CI
12
12
 
13
- ## Current state (2026-04-19)
13
+ ## Current state (2026-06-21)
14
14
 
15
15
  ### GitHub Dependabot
16
16
 
17
- Open alerts: **0**. All 12 alerts from the rc.1 era (2026-04-13) have been closed.
17
+ Open alerts: **0**. The 3 `undici` alerts surfaced on 2026-06-21 (#36, #41, #43) were dismissed as `tolerable_risk` with rationale (see below). The earlier `picomatch` / `brace-expansion` advisories are gone — the bundled `npm` tarball advanced to `11.17.0`, which ships patched versions.
18
18
 
19
19
  ### Local `npm audit` — full dev tree
20
20
 
21
- Two advisories remain surfaced by `npm audit` even after applying root `overrides` in `package.json`:
21
+ One advisory family remains surfaced by `npm audit` even after applying root `overrides` in `package.json`:
22
22
 
23
- | Severity | Package | Advisory | Path |
23
+ | Severity | Package | Advisories | Path |
24
24
  |---|---|---|---|
25
- | HIGH | picomatch@4.0.3 | GHSA-c2c7-rcm5-vvqj (ReDoS via extglob quantifiers) | `semantic-release > @semantic-release/npm > npm > node-gyp > tinyglobby > picomatch` |
26
- | MODERATE | brace-expansion@5.0.4 | GHSA-f886-m6hf-6m8v (zero-step DoS) | `semantic-release > @semantic-release/npm > npm > minimatch > brace-expansion` |
25
+ | HIGH (aggregate) | undici@6.26.0 | GHSA-p88m-4jfj-68fv, GHSA-g8m3-5g58-fq7m, GHSA-35p6-xmwp-9g52, GHSA-vxpw-j846-p89q | `semantic-release > @semantic-release/npm > npm > node-gyp > undici` |
27
26
 
28
- Both originate from the `npm@11.12.1` tarball that `@semantic-release/npm@13.1.3` bundles. They are frozen inside npm's bundled dependency tree and cannot be replaced via root `overrides` (overrides do not reach into `bundleDependencies`).
27
+ It originates from the `npm@11.17.0` tarball that `@semantic-release/npm@13.1.5` bundles. `npm` reports it literally as *"undici@6.26.0 is a bundled dependency of npm@11.17.0 ... It cannot be fixed automatically."* It is frozen inside npm's bundled dependency tree and cannot be replaced via root `overrides` (overrides do not reach into `bundleDependencies` — verified: a targeted `undici@<6.27.0` override has no effect).
29
28
 
30
29
  ## Triage decision
31
30
 
@@ -33,12 +32,10 @@ Status: **Accepted — tolerable risk.**
33
32
 
34
33
  Rationale:
35
34
 
36
- 1. **Scope:** These packages are transitive dev-only dependencies. They are reached only through `semantic-release`, which runs in CI release automation and never in user-installed code paths. `npm audit --omit=dev --audit-level=high` on the root returns `0 vulns`.
37
- 2. **Reachability:** `node-gyp` is only invoked when building native Node addons during install. Neither picomatch ReDoS nor brace-expansion DoS is reachable from any code path that executes when a user runs `npx sinapse-ai install` or any runtime agent command.
38
- 3. **Shipped package:** `npm pack --dry-run` confirms `semantic-release` and its `node_modules` do not ship to the published `sinapse-ai` tarball (it is `devDependency` only).
39
- 4. **Upstream fix dependency:** The fix lives upstream — a new `npm` tarball that embeds patched picomatch/brace-expansion, followed by a `@semantic-release/npm` bump. Blocked on external release timing; the SINAPSE project cannot accelerate it.
40
-
41
- GitHub Dependabot already confirms this judgement: these advisories are NOT surfaced as open alerts at `https://github.com/caioimori/sinapse-ai/security/dependabot`.
35
+ 1. **Scope:** `undici` here is a transitive dev-only dependency. It is reached only through `semantic-release`, which runs in CI release automation and never in user-installed code paths. `npm audit --omit=dev --audit-level=high` on the root returns `0 vulns`.
36
+ 2. **Reachability:** `node-gyp` invokes `undici` only when downloading Node headers to build native addons during install. None of the undici advisories (header injection, SameSite downgrade, queue poisoning, WebSocket DoS) is reachable from any code path that executes when a user runs `npx sinapse-ai install` or any runtime agent command.
37
+ 3. **Shipped package:** `npm pack --dry-run` confirms `semantic-release` and its `node_modules` do not ship to the published `sinapse-ai` tarball (`devDependency` only).
38
+ 4. **Upstream fix dependency:** The fix lives upstream — a new `npm` tarball that embeds `undici >= 6.27.0`, followed by a `@semantic-release/npm` bump. Blocked on external release timing; the SINAPSE project cannot accelerate it.
42
39
 
43
40
  ## CI gate policy
44
41
 
@@ -47,7 +44,7 @@ Two-tier audit enforcement in `.github/workflows/ci.yml`:
47
44
  1. **Production-dep gate (hard block, Article X Tier 1 #7):**
48
45
  `npm audit --omit=dev --audit-level=high` MUST pass — any HIGH or CRITICAL in production dependencies blocks merge.
49
46
  2. **Full-tree gate (critical-only):**
50
- `npm audit --audit-level=critical` MUST pass — CRITICAL anywhere (incl. dev) blocks merge. HIGH/MODERATE in dev with triage entry in this document is accepted.
47
+ `npm audit --audit-level=critical` MUST pass — CRITICAL anywhere (incl. dev) blocks merge. HIGH/MODERATE in dev with a triage entry in this document is accepted.
51
48
 
52
49
  If a new HIGH/MODERATE in dev deps emerges and is not yet in this document, CI does NOT block it (tier 2 only flags critical). The maintainer must review `npm audit` at each RC and either upgrade or add a row below.
53
50
 
@@ -55,12 +52,14 @@ If a new HIGH/MODERATE in dev deps emerges and is not yet in this document, CI d
55
52
 
56
53
  | Advisory | Package | Severity | Reason | Expires |
57
54
  |---|---|---|---|---|
58
- | GHSA-c2c7-rcm5-vvqj | picomatch | HIGH | Bundled inside `npm@11.12.1` within `semantic-release` dev dep. Not reachable from user runtime. Upstream fix pending. | Next GA re-review |
59
- | GHSA-f886-m6hf-6m8v | brace-expansion | MODERATE | Bundled inside `npm@11.12.1` within `semantic-release` dev dep. Not reachable from user runtime. Upstream fix pending. | Next GA re-review |
55
+ | GHSA-p88m-4jfj-68fv | undici | MODERATE | Bundled inside `npm@11.17.0` within `semantic-release` dev dep. Not reachable from user runtime. Upstream fix pending. | Next GA re-review |
56
+ | GHSA-g8m3-5g58-fq7m | undici | LOW | Bundled inside `npm@11.17.0` within `semantic-release` dev dep. Not reachable from user runtime. Upstream fix pending. | Next GA re-review |
57
+ | GHSA-35p6-xmwp-9g52 | undici | LOW | Bundled inside `npm@11.17.0` within `semantic-release` dev dep. Not reachable from user runtime. Upstream fix pending. | Next GA re-review |
58
+ | GHSA-vxpw-j846-p89q | undici | LOW | WebSocket DoS, surfaced by `npm audit` only. Same bundled-in-npm origin. Not reachable from user runtime. | Next GA re-review |
60
59
 
61
60
  ## Proactive hardening in place
62
61
 
63
- Even though overrides do not reach the bundled tree, `package.json` carries root `overrides` for `picomatch: ^4.0.4` and `brace-expansion: ^5.0.5`. When upstream `npm` / `@semantic-release/npm` releases a patched tarball, these overrides will ensure the patched versions deduplicate everywhere they can.
62
+ Even though overrides do not reach the bundled tree, `package.json` carries root `overrides` (`diff`, `serialize-javascript`, `picomatch`, `brace-expansion`, `fast-uri`, `ip-address`, `@babel/core`, `js-yaml`). When upstream `npm` / `@semantic-release/npm` releases a tarball with `undici >= 6.27.0`, the advisory clears with no action needed. A defensive `undici` override was evaluated and intentionally NOT added — it has zero effect on a bundled dependency and would be dead config.
64
63
 
65
64
  ## Review cadence
66
65
 
@@ -73,3 +72,4 @@ Even though overrides do not reach the bundled tree, `package.json` carries root
73
72
  | Date | Actor | Change |
74
73
  |---|---|---|
75
74
  | 2026-04-19 | Story 10.34 execution | Triage created. rc.1-era 12 alerts confirmed closed on GitHub. 2 remaining `npm audit` advisories (picomatch + brace-expansion inside bundled npm) accepted as tolerable risk. Root `overrides` added defensively. CI gate hardened with `--omit=dev --audit-level=high` job. |
75
+ | 2026-06-21 | Session audit | npm bundled tarball advanced to `11.17.0` → picomatch + brace-expansion advisories resolved upstream and removed. New `undici@6.26.0` advisory family surfaced (3 Dependabot alerts + 1 audit-only). Confirmed bundled-in-npm and unfixable via overrides; dismissed the 3 Dependabot alerts as `tolerable_risk` and accepted here. Production audit remains `0 vulns`. |
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "sinapse-ai",
3
- "version": "1.12.1",
3
+ "version": "1.13.0",
4
4
  "description": "SINAPSE AI: Framework de orquestracao de IA — 17 squads, 172 agentes especializados",
5
5
  "bin": {
6
6
  "sinapse": "bin/sinapse.js",
@@ -72,6 +72,9 @@
72
72
  "!**/tests/**",
73
73
  "!**/*.test.js",
74
74
  "!**/*.spec.js",
75
+ "!**/dist/**",
76
+ "!**/*.map",
77
+ "!**/*.zip",
75
78
  ".sinapse-ai/development/templates/**"
76
79
  ],
77
80
  "scripts": {
@@ -81,7 +84,7 @@
81
84
  "test": "jest",
82
85
  "test:watch": "jest --watch",
83
86
  "test:coverage": "jest --coverage",
84
- "test:health-check": "mocha tests/health-check/**/*.test.js --timeout 30000",
87
+ "test:health-check": "jest tests/health-check",
85
88
  "eval": "node scripts/eval-runner.js",
86
89
  "validate:evals": "node scripts/validate-evals.js",
87
90
  "validate:schemas": "node scripts/validate-schemas.js",
@@ -133,6 +136,7 @@
133
136
  "sync:squad-yaml": "node scripts/sync-squad-yaml-components.js",
134
137
  "validate:squad-yaml": "node scripts/sync-squad-yaml-components.js --check",
135
138
  "validate:story-meta": "node scripts/validate-story-meta.js",
139
+ "validate:changelog": "node scripts/validate-changelog-tags.js",
136
140
  "validate:squad-orqx": "node scripts/validate-squad-orqx.js",
137
141
  "validate:release-readiness": "node scripts/release-readiness.js",
138
142
  "manifest:ensure": "node scripts/ensure-manifest.js",
@@ -211,7 +215,6 @@
211
215
  "husky": "^9.1.7",
212
216
  "jest": "^30.2.0",
213
217
  "lint-staged": "^16.1.1",
214
- "mocha": "^11.7.5",
215
218
  "prettier": "^3.5.3",
216
219
  "semantic-release": "^25.0.2",
217
220
  "typescript": "^5.9.3"