sinapse-ai 1.6.1 → 1.8.0

package/.sinapse-ai/core/orchestration/executors/epic-6-executor.js

@@ -37,20 +37,12 @@ class Epic6Executor extends EpicExecutor {
     this._qaOrchestrator = null;
   }
 
-  /**
-   * Get QA Loop Orchestrator
-   * @private
-   */
-  _getQAOrchestrator() {
-    if (!this._qaOrchestrator) {
-      try {
-        this._qaOrchestrator = require('../../infrastructure/scripts/qa-loop-orchestrator');
-      } catch (error) {
-        this._log(`QA Loop Orchestrator not available: ${error.message}`, 'warn');
-      }
-    }
-    return this._qaOrchestrator;
-  }
+  // NOTE: the previous `_getQAOrchestrator()` path was triple-broken theater —
+  // it did `new` on the module object (not the QALoopOrchestrator class), passed
+  // the wrong constructor shape, and called a `runReview()` method that doesn't
+  // exist. It ALWAYS threw and silently fell back to basic checks while reporting
+  // success:true. Replaced by a real @quality-gate agent invocation (_reviewViaAgent),
+  // same proven path as epic-3 spec generation (epic: orchestration-consolidation).
 
   /**
    * Execute QA Loop
@@ -98,7 +90,9 @@ class Epic6Executor extends EpicExecutor {
 
         if (currentVerdict === QAVerdict.NEEDS_REVISION && iteration < this.maxIterations) {
           this._log('Review needs revision, applying fixes...');
-          await this._applyFixes(reviewResult.issues, context);
+          // Record whether fixes were really applied (honesty invariant): a
+          // stubbed fix must not look like a real one in the QA report.
+          reviewResult.fixResult = await this._applyFixes(reviewResult.issues, context);
         }
       }
 
@@ -107,53 +101,60 @@ class Epic6Executor extends EpicExecutor {
       this._addArtifact('qa-report', reportPath);
 
       const passed = currentVerdict === QAVerdict.APPROVED;
+      const anyRealReview = reviewHistory.some((r) => r.reviewSource === 'agent');
 
-      return this._completeExecution({
+      const baseResult = {
         verdict: currentVerdict,
         passed,
         iterations: iteration,
         reviewHistory,
         reportPath,
-      });
+      };
+
+      // Honesty invariant (F0a/F7): a QA loop that only ran deterministic basic
+      // checks did NOT really review the work — it must report STUB, not success.
+      if (!anyRealReview) {
+        return this._stubExecution(
+          'QA ran deterministic basic checks only — no real review agent wired',
+          baseResult,
+        );
+      }
+
+      return this._completeExecution(baseResult);
     } catch (error) {
       return this._failExecution(error);
     }
   }
 
   /**
-   * Run a single review cycle
+   * Run a single review cycle.
+   *
+   * Tries a REAL review via the @quality-gate agent (orchestrator.invokeAgent →
+   * SubagentDispatcher → claude). Falls back to deterministic basic checks when
+   * no executor is wired or real execution isn't allowed — and marks the source
+   * (`agent` vs `basic-checks`) so the epic can report honestly.
    * @private
    */
   async _runReview(context) {
-    const { storyId, iteration, techStack: _techStack } = context;
-
+    const { iteration } = context;
     this._log(`Running review cycle ${iteration}`);
 
-    // Check for QA orchestrator
-    const QAOrchestrator = this._getQAOrchestrator();
-
-    if (QAOrchestrator) {
+    const invokeAgent = this.orchestrator && this.orchestrator.invokeAgent;
+    if (typeof invokeAgent === 'function' && this._realExecutionAllowed()) {
       try {
-        const orchestrator = new QAOrchestrator({
-          storyId,
-          rootPath: this.projectRoot,
-        });
-
-        return await orchestrator.runReview(context);
+        const realReview = await this._reviewViaAgent(invokeAgent, context);
+        if (realReview) return realReview;
       } catch (error) {
-        this._log(`QA orchestrator error: ${error.message}`, 'warn');
+        this._log(`Real review failed, falling back to basic checks: ${error.message}`, 'warn');
       }
     }
 
-    // Fallback: perform basic checks
+    // Honest fallback: deterministic basic checks (clearly marked as a stub source).
     const issues = await this._performBasicChecks(context);
 
-    // Determine verdict based on issues
     let verdict = QAVerdict.APPROVED;
-
     const criticalIssues = issues.filter((i) => i.severity === 'critical');
     const majorIssues = issues.filter((i) => i.severity === 'major');
-
     if (criticalIssues.length > 0) {
       verdict = QAVerdict.BLOCKED;
     } else if (majorIssues.length > 0 || issues.length > 5) {
@@ -164,10 +165,71 @@ class Epic6Executor extends EpicExecutor {
       iteration,
       verdict,
       issues,
+      reviewSource: 'basic-checks',
       timestamp: new Date().toISOString(),
     };
   }
 
+  /**
+   * Perform a real QA review by invoking the @quality-gate agent.
+   * @param {Function} invokeAgent - orchestrator.invokeAgent
+   * @param {Object} context - review context
+   * @returns {Promise<Object|null>} review result with verdict, or null when the
+   *   agent produced nothing usable (caller falls back to basic checks).
+   * @private
+   */
+  async _reviewViaAgent(invokeAgent, context) {
+    const { storyId, iteration, codeChanges, testResults } = context;
+
+    const description =
+      `Perform a QA review for story "${storyId || 'unknown'}". ` +
+      'Assess correctness, test coverage, and adherence to acceptance criteria. ' +
+      `${Array.isArray(codeChanges) ? `${codeChanges.length} code change(s). ` : ''}` +
+      `${Array.isArray(testResults) ? `${testResults.length} test result(s). ` : ''}` +
+      'End your response with a single verdict line in the form: ' +
+      'VERDICT: APPROVED | NEEDS_REVISION | BLOCKED.';
+
+    const result = await invokeAgent(
+      { name: 'quality-gate' },
+      { id: `qa-review-${storyId || 'story'}-${iteration}`, type: 'review', description },
+      { storyId, iteration },
+    );
+
+    const output = result && (result.output || result.content);
+    if (!result || result.success === false || !output || output.trim().length === 0) {
+      return null;
+    }
+
+    return {
+      iteration,
+      verdict: this._parseVerdict(output),
+      issues: [],
+      reviewSource: 'agent',
+      raw: output,
+      timestamp: new Date().toISOString(),
+    };
+  }
+
+  /**
+   * Parse a QA verdict from free-form agent output. Defaults to NEEDS_REVISION
+   * (the safe, non-approving default) when no explicit verdict is found.
+   * @param {string} output
+   * @returns {string} QAVerdict
+   * @private
+   */
+  _parseVerdict(output) {
+    const text = String(output).toUpperCase();
+    const m = text.match(/VERDICT:\s*(APPROVED|NEEDS[_\s]?REVISION|BLOCKED)/);
+    const token = (m ? m[1] : '').replace(/\s/g, '_');
+    if (token === 'APPROVED') return QAVerdict.APPROVED;
+    if (token === 'BLOCKED') return QAVerdict.BLOCKED;
+    if (token === 'NEEDS_REVISION') return QAVerdict.NEEDS_REVISION;
+    // No explicit verdict → don't fabricate approval.
+    if (/\bBLOCKED\b/.test(text)) return QAVerdict.BLOCKED;
+    if (/\bAPPROVED\b/.test(text)) return QAVerdict.APPROVED;
+    return QAVerdict.NEEDS_REVISION;
+  }
+
   /**
    * Perform basic quality checks
    * @private
@@ -193,17 +255,67 @@ class Epic6Executor extends EpicExecutor {
   }
 
   /**
-   * Apply fixes for found issues
+   * Apply fixes for found issues by invoking the real @developer agent through
+   * the orchestrator (orchestrator.invokeAgent → SubagentDispatcher → claude).
+   *
+   * epic: orchestration-consolidation — connects Epic 6 to the real executor,
+   * same pattern as Epic 3. Falls back honestly (logs that no real fix ran) when
+   * no executor is wired or real execution isn't allowed in this environment.
+   *
+   * @param {Array} issues - Issues found by the review
+   * @param {Object} context - Execution context (storyId, techStack, ...)
+   * @returns {Promise<Object>} { applied: boolean, fixed: number, stub: boolean }
    * @private
    */
-  async _applyFixes(issues, _context) {
+  async _applyFixes(issues, context = {}) {
     this._log(`Applying fixes for ${issues.length} issues`);
 
-    // In full implementation, this would invoke @developer agent
-    // to fix each issue. For now, just log.
-    for (const issue of issues) {
-      this._log(`Would fix: ${issue.type} - ${issue.message}`);
+    const invokeAgent = this.orchestrator && this.orchestrator.invokeAgent;
+    const canRunReal = typeof invokeAgent === 'function' && this._realExecutionAllowed();
+
+    if (!canRunReal || issues.length === 0) {
+      // Honest fallback: do NOT claim fixes were applied.
+      for (const issue of issues) {
+        this._log(`Fix not applied (no real executor): ${issue.type} - ${issue.message}`, 'warn');
+      }
+      return { applied: false, fixed: 0, stub: true };
+    }
+
+    const issueList = issues
+      .map((i, n) => `${n + 1}. [${i.severity || 'unknown'}] ${i.type}: ${i.message}`)
+      .join('\n');
+
+    const description =
+      `Fix the following QA issues found during review of story "${context.storyId || 'unknown'}". ` +
+      'Apply the minimal, correct change for each; preserve existing patterns and tests.\n\n' +
+      `Issues:\n${issueList}`;
+
+    try {
+      const result = await invokeAgent(
+        { name: 'developer' },
+        { id: `qa-fix-${context.storyId || 'story'}`, type: 'bugfix', description },
+        {
+          storyId: context.storyId,
+          techStack: context.techStack,
+          issues: issues.map((i) => ({ type: i.type, severity: i.severity, message: i.message })),
+        },
+      );
+
+      if (result && result.success !== false) {
+        this._log(`Applied fixes via real agent (${issues.length} issues addressed)`);
+        return {
+          applied: true,
+          fixed: issues.length,
+          stub: false,
+          filesModified: result.filesModified || [],
+        };
+      }
+      this._log(`Fix agent returned no success: ${result && result.error}`, 'warn');
+    } catch (err) {
+      this._log(`Fix agent invocation failed: ${err.message}`, 'warn');
     }
+
+    return { applied: false, fixed: 0, stub: true };
   }
 
   /**

package/.sinapse-ai/core/orchestration/executors/epic-executor.js

@@ -22,6 +22,7 @@ const ExecutionStatus = {
   SUCCESS: 'success',
   FAILED: 'failed',
   SKIPPED: 'skipped',
+  STUB: 'stub',
 };
 
 /**
@@ -146,6 +147,45 @@ class EpicExecutor {
     };
   }
 
+  /**
+   * Complete execution in STUB mode — work was NOT actually performed.
+   *
+   * Honesty invariant (epic: orchestration-consolidation, Frente F0a):
+   * a stub MUST NOT report success:true. getResult() yields success:false
+   * because this.status !== SUCCESS.
+   *
+   * @param {string} reason - What real work is missing
+   * @param {Object} [result] - Optional result data to merge
+   * @protected
+   */
+  _stubExecution(reason, result = {}) {
+    this.status = ExecutionStatus.STUB;
+    this.endTime = new Date().toISOString();
+    this._log(`Epic ${this.epicNum} ran in STUB mode (no real work performed): ${reason}`, 'warn');
+
+    return {
+      ...this.getResult(),
+      status: ExecutionStatus.STUB,
+      stub: true,
+      stubReason: reason,
+      ...result,
+    };
+  }
+
+  /**
+   * Whether real execution (spawning claude / running the real build) is allowed.
+   * Returns false inside the test runner unless SINAPSE_REAL_DISPATCH=1 — this
+   * prevents slow, costly, non-deterministic CLI/build calls during unit tests.
+   * epic: orchestration-consolidation, F1.
+   * @returns {boolean}
+   * @protected
+   */
+  _realExecutionAllowed() {
+    return (
+      process.env.JEST_WORKER_ID === undefined || process.env.SINAPSE_REAL_DISPATCH === '1'
+    );
+  }
+
   /**
    * Add artifact to results
    * @param {string} type - Artifact type (file, report, data)

package/.sinapse-ai/core/orchestration/greenfield-handler.js

@@ -39,6 +39,35 @@ const DEFAULT_GREENFIELD_INDICATORS = [
   '.sinapse-ai/',
 ];
 
+/**
+ * Maps a classified project_type to its greenfield workflow variant. The
+ * variants stay separate files (distinct phase/agent contracts — fusion was
+ * refuted in the deep-dive); the handler just dispatches to the right one.
+ * Unknown/absent type falls back to fullstack (the historical default).
+ * @see project-intelligence.md classification matrix
+ */
+const GREENFIELD_WORKFLOW_BY_TYPE = Object.freeze({
+  site: 'greenfield-ui',
+  lp: 'greenfield-ui',
+  app: 'greenfield-ui',
+  platform: 'greenfield-fullstack',
+  saas: 'greenfield-fullstack',
+  api: 'greenfield-service',
+  service: 'greenfield-service',
+});
+
+const DEFAULT_GREENFIELD_WORKFLOW = 'greenfield-fullstack';
+
+/**
+ * Resolve the greenfield workflow basename for a project_type.
+ * @param {string} [projectType]
+ * @returns {string} workflow name (without extension)
+ */
+function resolveGreenfieldWorkflow(projectType) {
+  const key = String(projectType || '').toLowerCase();
+  return GREENFIELD_WORKFLOW_BY_TYPE[key] || DEFAULT_GREENFIELD_WORKFLOW;
+}
+
 /**
  * Greenfield workflow phases
  * @enum {string}
@@ -112,10 +141,12 @@ class GreenfieldHandler extends EventEmitter {
     this._surfaceChecker = options.surfaceChecker || null;
     this._sessionState = options.sessionState || null;
 
-    // Workflow path
+    // Workflow variant dispatched by project_type (site/lp/app → ui,
+    // platform/saas → fullstack, api/service → service). Default fullstack.
+    this.workflowName = resolveGreenfieldWorkflow(options.projectType);
     this.workflowPath = path.join(
       projectRoot,
-      '.sinapse-ai/development/workflows/greenfield-fullstack.yaml',
+      `.sinapse-ai/development/workflows/${this.workflowName}.yaml`,
     );
 
     // Phase progress tracking
@@ -224,6 +255,12 @@ class GreenfieldHandler extends EventEmitter {
   async handle(context = {}) {
     this._log('Greenfield handler invoked');
 
+    // Stream B (Frente 4.2): ensure the secret-scan git guard is wired into the
+    // target project. Runs on EVERY entry (Phase 0 bootstrap AND the
+    // skip-bootstrap / resume paths) so a project that already has package.json
+    // + .git still gets the guard. Best-effort, idempotent, never throws.
+    await this._ensureGitHooks();
+
     // Check for resume (AC14)
     const resumePhase = context.resumeFromPhase;
     if (typeof resumePhase === 'number' && resumePhase >= 0) {
@@ -273,6 +310,51 @@ class GreenfieldHandler extends EventEmitter {
     }
   }
 
+  /**
+   * Ensures the SINAPSE secret-scan git guard is installed in the project.
+   *
+   * Stream B (Frente 4.2): wires `core.hooksPath` to a managed Node pre-commit
+   * hook so every greenfield project the framework bootstraps blocks staged
+   * secrets. Best-effort and idempotent — re-running never duplicates hooks and
+   * a failure here never aborts the workflow.
+   *
+   * @returns {Promise<boolean>} true if the guard is wired
+   * @private
+   */
+  async _ensureGitHooks() {
+    // Resolve the installer across both layouts: the sinapse-ai dev repo
+    // (`<root>/packages/installer/...`) and an installed project copy (where
+    // the framework lives under `.sinapse-ai/`). First match wins.
+    const candidates = [
+      path.join(this.projectRoot, 'packages', 'installer', 'src', 'installer', 'git-hooks-installer'),
+      path.join(this.projectRoot, '.sinapse-ai', 'packages', 'installer', 'src', 'installer', 'git-hooks-installer'),
+    ];
+
+    let installGitHooks = null;
+    for (const candidate of candidates) {
+      try {
+        ({ installGitHooks } = require(candidate));
+        if (typeof installGitHooks === 'function') break;
+      } catch {
+        // Try the next candidate.
+      }
+    }
+
+    if (typeof installGitHooks !== 'function') {
+      this._log('Git secret-scan guard not installed: git-hooks-installer not found', 'warn');
+      return false;
+    }
+
+    try {
+      const res = await installGitHooks({ projectDir: this.projectRoot });
+      this._log(`Git secret-scan guard: ${res.success ? 'installed' : 'skipped'}${res.error ? ` (${res.error})` : ''}`);
+      return res.success;
+    } catch (error) {
+      this._log(`Git secret-scan guard not installed: ${error.message}`, 'warn');
+      return false;
+    }
+  }
+
   // ═══════════════════════════════════════════════════════════════════════════════════
   //                              PHASE 0: BOOTSTRAP (AC2)
   // ═══════════════════════════════════════════════════════════════════════════════════
@@ -820,7 +902,7 @@ class GreenfieldHandler extends EventEmitter {
       const exists = await sessionState.exists();
       if (exists) {
         await sessionState.loadSessionState();
-        await sessionState.recordPhaseChange(`greenfield_${phase}`, 'greenfield-fullstack', '@pm');
+        await sessionState.recordPhaseChange(`greenfield_${phase}`, this.workflowName, '@pm');
         this._log(`Phase recorded in session state: ${phase}`);
       }
     } catch (error) {
@@ -944,5 +1026,7 @@ module.exports = {
   PhaseFailureAction,
   DEFAULT_GREENFIELD_INDICATORS,
   PHASE_1_SEQUENCE,
+  GREENFIELD_WORKFLOW_BY_TYPE,
+  resolveGreenfieldWorkflow,
 };