sinapse-ai 1.7.0 → 1.8.0

package/.sinapse-ai/data/registry-update-log.jsonl

@@ -70,3 +70,89 @@
 {"timestamp":"2026-06-02T05:33:13.938Z","action":"change","path":".sinapse-ai/product/templates/engine/renderer.js","trigger":"watcher"}
 {"timestamp":"2026-06-02T13:29:02.813Z","action":"add","path":".sinapse-ai/core/ids/gates/g5-semantic-handshake.js","trigger":"watcher"}
 {"timestamp":"2026-06-02T13:29:02.814Z","action":"change","path":".sinapse-ai/core/ids/index.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T00:54:57.904Z","action":"change","path":".sinapse-ai/core-config.yaml","trigger":"watcher"}
+{"timestamp":"2026-06-03T00:54:57.906Z","action":"add","path":".sinapse-ai/core/ids/gate-evaluator.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T00:54:57.907Z","action":"change","path":".sinapse-ai/core/ids/index.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T00:54:57.908Z","action":"change","path":".sinapse-ai/core/orchestration/workflow-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T01:35:03.557Z","action":"add","path":".sinapse-ai/development/tasks/delegate-to-external-executor.md","trigger":"watcher"}
+{"timestamp":"2026-06-03T02:28:55.332Z","action":"change","path":".sinapse-ai/core/orchestration/greenfield-handler.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T02:58:23.890Z","action":"change","path":".sinapse-ai/core/ids/gate-evaluator.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T02:58:23.892Z","action":"add","path":".sinapse-ai/core/telemetry/ids-sink.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T04:08:44.518Z","action":"change","path":".sinapse-ai/core-config.yaml","trigger":"watcher"}
+{"timestamp":"2026-06-03T04:08:44.520Z","action":"add","path":".sinapse-ai/core/health-check/checks/services/gemini-cli.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T04:08:44.520Z","action":"change","path":".sinapse-ai/core/health-check/checks/services/index.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T04:08:44.521Z","action":"add","path":".sinapse-ai/infrastructure/scripts/ide-sync/gemini-commands.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T04:08:44.522Z","action":"change","path":".sinapse-ai/infrastructure/scripts/ide-sync/index.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T04:08:44.523Z","action":"add","path":".sinapse-ai/infrastructure/scripts/ide-sync/transformers/antigravity.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T04:08:44.523Z","action":"add","path":".sinapse-ai/infrastructure/scripts/ide-sync/transformers/cursor.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T04:08:44.524Z","action":"add","path":".sinapse-ai/infrastructure/scripts/ide-sync/transformers/github-copilot.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T04:08:44.525Z","action":"add","path":".sinapse-ai/infrastructure/scripts/ide-sync/transformers/kimi.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T04:41:14.143Z","action":"change","path":".sinapse-ai/core/health-check/checks/project/framework-config.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T04:41:14.144Z","action":"change","path":".sinapse-ai/core/health-check/checks/project/package-json.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T04:41:14.145Z","action":"change","path":".sinapse-ai/core/health-check/healers/index.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:35.890Z","action":"change","path":".sinapse-ai/core/orchestration/greenfield-handler.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:40.836Z","action":"change","path":".sinapse-ai/core/ids/gate-evaluator.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:40.837Z","action":"add","path":".sinapse-ai/core/telemetry/ids-sink.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:47.410Z","action":"change","path":".sinapse-ai/core-config.yaml","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:47.411Z","action":"add","path":".sinapse-ai/core/health-check/checks/services/gemini-cli.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:47.412Z","action":"change","path":".sinapse-ai/core/health-check/checks/services/index.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:47.413Z","action":"add","path":".sinapse-ai/infrastructure/scripts/ide-sync/gemini-commands.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:47.413Z","action":"change","path":".sinapse-ai/infrastructure/scripts/ide-sync/index.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:47.414Z","action":"add","path":".sinapse-ai/infrastructure/scripts/ide-sync/transformers/antigravity.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:47.414Z","action":"add","path":".sinapse-ai/infrastructure/scripts/ide-sync/transformers/cursor.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:47.415Z","action":"add","path":".sinapse-ai/infrastructure/scripts/ide-sync/transformers/github-copilot.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:47.415Z","action":"add","path":".sinapse-ai/infrastructure/scripts/ide-sync/transformers/kimi.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:51.748Z","action":"change","path":".sinapse-ai/core/health-check/checks/project/framework-config.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:51.749Z","action":"change","path":".sinapse-ai/core/health-check/checks/project/package-json.js","trigger":"watcher"}
+{"timestamp":"2026-06-03T05:09:51.750Z","action":"change","path":".sinapse-ai/core/health-check/healers/index.js","trigger":"watcher"}
+{"timestamp":"2026-06-04T17:41:51.104Z","action":"change","path":".sinapse-ai/core/orchestration/executors/epic-3-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-04T17:41:51.105Z","action":"change","path":".sinapse-ai/core/orchestration/executors/epic-4-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-04T17:41:51.106Z","action":"change","path":".sinapse-ai/core/orchestration/executors/epic-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-04T17:41:51.107Z","action":"change","path":".sinapse-ai/core/orchestration/master-orchestrator.js","trigger":"watcher"}
+{"timestamp":"2026-06-04T22:42:49.542Z","action":"change","path":".sinapse-ai/core/orchestration/agent-invoker.js","trigger":"watcher"}
+{"timestamp":"2026-06-04T22:42:49.544Z","action":"change","path":".sinapse-ai/core/orchestration/master-orchestrator.js","trigger":"watcher"}
+{"timestamp":"2026-06-08T21:43:49.050Z","action":"change","path":".sinapse-ai/core/orchestration/executors/epic-3-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-08T21:43:49.052Z","action":"change","path":".sinapse-ai/core/orchestration/master-orchestrator.js","trigger":"watcher"}
+{"timestamp":"2026-06-09T12:07:18.916Z","action":"change","path":".sinapse-ai/core/orchestration/executors/epic-4-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-09T12:07:18.917Z","action":"change","path":".sinapse-ai/core/orchestration/executors/epic-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-10T21:22:08.944Z","action":"change","path":".sinapse-ai/core/execution/subagent-dispatcher.js","trigger":"watcher"}
+{"timestamp":"2026-06-10T21:22:08.946Z","action":"change","path":".sinapse-ai/core/orchestration/executors/epic-3-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T04:23:35.214Z","action":"change","path":".sinapse-ai/core/execution/build-orchestrator.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T04:23:35.217Z","action":"change","path":".sinapse-ai/core/execution/subagent-dispatcher.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T04:23:35.218Z","action":"change","path":".sinapse-ai/core/orchestration/executors/epic-6-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T04:23:35.219Z","action":"add","path":".sinapse-ai/core/registry/squad-agent-resolver.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T05:03:25.244Z","action":"change","path":".sinapse-ai/core/orchestration/executors/epic-6-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T06:24:04.878Z","action":"change","path":".sinapse-ai/core/ideation/ideation-engine.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T06:28:07.428Z","action":"change","path":".sinapse-ai/core/config/config-loader.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T12:50:54.736Z","action":"change","path":".sinapse-ai/core/execution/subagent-dispatcher.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T13:01:18.675Z","action":"add","path":".sinapse-ai/infrastructure/scripts/ide-sync/persona-renderer.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T13:01:18.677Z","action":"change","path":".sinapse-ai/infrastructure/scripts/ide-sync/transformers/antigravity.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T13:01:18.677Z","action":"change","path":".sinapse-ai/infrastructure/scripts/ide-sync/transformers/cursor.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T13:01:18.678Z","action":"change","path":".sinapse-ai/infrastructure/scripts/ide-sync/transformers/github-copilot.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T13:07:24.325Z","action":"change","path":".sinapse-ai/core/registry/squad-agent-resolver.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T13:13:02.297Z","action":"change","path":".sinapse-ai/core/execution/parallel-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T13:13:02.298Z","action":"change","path":".sinapse-ai/core/orchestration/parallel-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T13:23:23.014Z","action":"change","path":".sinapse-ai/development/scripts/squad/squad-downloader.js","trigger":"watcher"}
+{"timestamp":"2026-06-11T13:28:29.589Z","action":"change","path":".sinapse-ai/core-config.yaml","trigger":"watcher"}
+{"timestamp":"2026-06-13T17:22:58.704Z","action":"change","path":".sinapse-ai/core/execution/wave-executor.js","trigger":"watcher"}
+{"timestamp":"2026-06-14T18:54:46.575Z","action":"change","path":".sinapse-ai/core/ids/gate-evaluator.js","trigger":"watcher"}
+{"timestamp":"2026-06-14T18:54:46.577Z","action":"add","path":".sinapse-ai/core/ids/gates/g6-ci-integrity.js","trigger":"watcher"}
+{"timestamp":"2026-06-14T18:54:46.577Z","action":"change","path":".sinapse-ai/core/ids/index.js","trigger":"watcher"}
+{"timestamp":"2026-06-14T18:54:46.578Z","action":"change","path":".sinapse-ai/development/tasks/github-devops-pre-push-quality-gate.md","trigger":"watcher"}
+{"timestamp":"2026-06-14T19:13:12.133Z","action":"unlink","path":".sinapse-ai/development/scripts/elicitation-engine.js","trigger":"watcher"}
+{"timestamp":"2026-06-14T19:13:12.142Z","action":"unlink","path":".sinapse-ai/development/scripts/elicitation-session-manager.js","trigger":"watcher"}
+{"timestamp":"2026-06-14T19:13:12.143Z","action":"unlink","path":".sinapse-ai/development/tasks/test-validation-task.md","trigger":"watcher"}
+{"timestamp":"2026-06-15T00:41:14.369Z","action":"change","path":".sinapse-ai/development/scripts/populate-entity-registry.js","trigger":"watcher"}
+{"timestamp":"2026-06-15T01:00:41.030Z","action":"change","path":".sinapse-ai/core/utils/output-formatter.js","trigger":"watcher"}
+{"timestamp":"2026-06-15T01:09:04.926Z","action":"change","path":".sinapse-ai/development/agents/devops.md","trigger":"watcher"}
+{"timestamp":"2026-06-15T01:41:48.134Z","action":"change","path":".sinapse-ai/development/scripts/populate-entity-registry.js","trigger":"watcher"}
+{"timestamp":"2026-06-15T04:47:32.755Z","action":"change","path":"bin/sinapse.js","trigger":"watcher"}
+{"timestamp":"2026-06-15T04:51:53.560Z","action":"change","path":".sinapse-ai/development/agents/developer.md","trigger":"watcher"}
+{"timestamp":"2026-06-15T04:51:53.562Z","action":"change","path":".sinapse-ai/development/agents/devops.md","trigger":"watcher"}
+{"timestamp":"2026-06-15T05:05:54.364Z","action":"change","path":".sinapse-ai/core/orchestration/agent-invoker.js","trigger":"watcher"}
+{"timestamp":"2026-06-15T05:05:54.366Z","action":"change","path":".sinapse-ai/core/orchestration/master-orchestrator.js","trigger":"watcher"}
+{"timestamp":"2026-06-15T05:21:11.730Z","action":"change","path":".sinapse-ai/core/memory/__tests__/active-modules.verify.js","trigger":"watcher"}
+{"timestamp":"2026-06-15T05:21:11.732Z","action":"change","path":".sinapse-ai/development/tasks/update-sinapse.md","trigger":"watcher"}
+{"timestamp":"2026-06-15T05:48:16.335Z","action":"change","path":"bin/sinapse.js","trigger":"watcher"}
+{"timestamp":"2026-06-15T06:10:08.880Z","action":"change","path":".sinapse-ai/core/orchestration/brownfield-handler.js","trigger":"watcher"}
+{"timestamp":"2026-06-15T06:10:08.884Z","action":"change","path":".sinapse-ai/core/orchestration/greenfield-handler.js","trigger":"watcher"}

package/.sinapse-ai/development/agents/developer.md

@@ -272,6 +272,8 @@ dependencies:
     - create-worktree.md
     - list-worktrees.md
     - remove-worktree.md
+    # Execution Mode (task→agent binding gap closed)
+    - yolo-toggle.md
   scripts:
     # Recovery System (Epic 5)
     - recovery-tracker.js # Track implementation attempts

package/.sinapse-ai/development/agents/devops.md

@@ -280,6 +280,15 @@ dependencies:
     - merge-worktree.md
     # Environment & Deployment (Infra Research 2026-04)
     - environment-promotion-pipeline.md
+    # Release & Contributor Flow (task→agent binding gap closed)
+    - publish-npm.md
+    - review-contributor-pr.md
+    # IDS Governance & Registry (task→agent binding gap closed — devops owns CI/G6)
+    - ids-governor.md
+    - ids-health.md
+    - ids-query.md
+    - sync-registry-intel.md
+    - delegate-to-external-executor.md
   knowledge_bases:
     - environment-deployment-patterns.md
   workflows:

package/.sinapse-ai/development/external-executors/README.md

@@ -0,0 +1,18 @@
+# External Executors
+
+External executors let one SINAPSE runtime keep orchestration authority while another CLI runtime performs the implementation work in an isolated run directory.
+
+This pattern is opt-in. The default development mode remains `native`, where the active SINAPSE agent plans, implements, validates, and updates story state in the same runtime.
+
+## Contract
+
+- The orchestrator owns story selection, acceptance criteria, scope, review, and story state updates.
+- The external executor owns only the delegated implementation attempt.
+- Run artifacts live under `.sinapse/external-runs/<timestamp>-<slug>/`.
+- The orchestrator must read the executor output and inspect the diff before updating checkboxes, File List, or story status.
+
+## Providers
+
+- `codex.md`: reference provider for Codex CLI headless execution.
+
+Future provider files can document `aider`, `cline`, `cursor-cli`, `gemini-cli`, or any other runtime that supports non-interactive execution.

package/.sinapse-ai/development/external-executors/codex.md

@@ -0,0 +1,56 @@
+# Codex External Executor Adapter
+
+## Provider ID
+
+`codex`
+
+## Invocation
+
+The `sinapse-delegate` wrapper launches Codex in non-interactive exec mode and sends the prompt through stdin:
+
+```bash
+codex -a never -s workspace-write exec -C <workdir> -o <run_dir>/output.md -
+```
+
+For `--sandbox danger-full-access`, the wrapper uses the explicit Codex bypass flag:
+
+```bash
+codex --dangerously-bypass-approvals-and-sandbox exec -C <workdir> -o <run_dir>/output.md -
+```
+
+## Sandbox Mapping
+
+| SINAPSE sandbox | Codex behavior |
+| --- | --- |
+| `read-only` | `-a never -s read-only` |
+| `workspace-write` | `-a never -s workspace-write` |
+| `full-auto` | `-a never -s workspace-write` |
+| `danger-full-access` | `--dangerously-bypass-approvals-and-sandbox` |
+
+`full-auto` is retained as a SINAPSE abstraction for background executor runs. On current Codex CLI versions, it maps to `workspace-write` plus `approval=never` rather than bypassing the sandbox.
+
+## Supported Options
+
+- `--model <model>` maps to `codex -m <model>`.
+- `--profile <name>` maps to `codex -p <name>`.
+- `--image <path>` maps to `codex exec -i <path>`.
+- `--workdir <path>` maps to `codex exec -C <path>`.
+- `--prompt` and `--prompt-file` are sent via stdin.
+- `--output-last-message` is managed by the wrapper through `-o <run_dir>/output.md`.
+
+## Exit Code Semantics
+
+- In background mode, `sinapse-delegate` returns after a process is spawned and prints the PID.
+- In foreground mode, `sinapse-delegate` waits for Codex and returns Codex's exit code.
+- Missing Codex binary is a pre-condition failure.
+- Dirty git worktrees are blocked unless `--allow-dirty` is explicit.
+
+## Run Artifacts
+
+Each run directory contains:
+
+- `prompt.md`: prompt sent to Codex
+- `output.md`: last Codex message, written by Codex
+- `codex.log`: stdout/stderr stream
+- `command.txt`: exact command line
+- `metadata.json`: provider, workdir, sandbox, PID, and artifact paths

package/.sinapse-ai/development/scripts/populate-entity-registry.js

@@ -12,6 +12,12 @@ const REPO_ROOT = path.resolve(__dirname, '../../..');
 const REGISTRY_PATH = path.resolve(__dirname, '../../data/entity-registry.yaml');
 
 const SCAN_CONFIG = [
+  // `bin` scanned FIRST on purpose: buildNameIndex is last-wins for the entity
+  // id key, so scanning bin before the other categories lets later categories
+  // win on the few generic id collisions (cli, constants) — preserving existing
+  // dependency resolution — while still indexing bin entry-points so their
+  // requires (e.g. bin/commands/ideate.js → ideation-engine) populate usedBy.
+  { category: 'bin', basePath: 'bin', glob: '**/*.js', type: 'script' },
   { category: 'tasks', basePath: '.sinapse-ai/development/tasks', glob: '**/*.md', type: 'task' },
   { category: 'templates', basePath: '.sinapse-ai/product/templates', glob: '**/*.{yaml,yml,md}', type: 'template' },
   { category: 'scripts', basePath: '.sinapse-ai/development/scripts', glob: '**/*.{js,mjs}', type: 'script' },
@@ -32,6 +38,11 @@ const SCAN_CONFIG = [
   { category: 'product-data', basePath: '.sinapse-ai/product/data', glob: '**/*.{yaml,yml,md}', type: 'data' }
 ];
 
+// Generated/self-referential artifacts excluded from scanning. The registry
+// must not track ITSELF as an entity — its checksum would change every regen
+// (each run rewrites the file), so it could never reach a stable fixed point.
+const SCAN_IGNORE = ['**/entity-registry.yaml'];
+
 const ADAPTABILITY_DEFAULTS = {
   agent: 0.3,
   module: 0.4,
@@ -322,7 +333,17 @@ function scanCategory(config, verbose = false) {
   }
 
   const globPattern = path.posix.join(absBase.replace(/\\/g, '/'), config.glob);
-  const files = fg.sync(globPattern, { onlyFiles: true, absolute: true });
+  // Sort the glob result: fast-glob returns files in filesystem (readdir) order,
+  // which varies across machines/runs and reorders the entire registry on every
+  // regen (non-deterministic churn). A stable sort makes entity insertion order —
+  // and everything derived from it (usedBy push order, YAML key order) —
+  // deterministic.
+  // `ignore` drops self-referential / generated artifacts (the registry file
+  // itself) — tracking the registry as an entity makes its checksum oscillate
+  // every run (each regen rewrites the file), which can never stabilize.
+  const files = fg
+    .sync(globPattern, { onlyFiles: true, absolute: true, ignore: SCAN_IGNORE })
+    .sort();
 
   const entities = {};
   const seenIds = new Set();
@@ -474,6 +495,14 @@ function resolveUsedBy(allEntities) {
       }
     }
   }
+
+  // Sort usedBy lists so the serialized order is deterministic regardless of the
+  // order entities were scanned in.
+  for (const entities of Object.values(allEntities)) {
+    for (const entity of Object.values(entities)) {
+      entity.usedBy.sort();
+    }
+  }
 }
 
 function classifyDependencies(allEntities, nameIndex) {
@@ -551,14 +580,23 @@ function populate(options = {}) {
       for (const [category, entities] of Object.entries(existingRegistry.entities)) {
         if (!allEntities[category]) continue;
         for (const [entityId, entity] of Object.entries(entities)) {
-          if (entity.invocationExamples && Array.isArray(entity.invocationExamples) && allEntities[category][entityId]) {
+          const fresh = allEntities[category][entityId];
+          if (!fresh) continue;
+          if (entity.invocationExamples && Array.isArray(entity.invocationExamples)) {
             // Enforce limits: max 3 examples, each max 200 chars
             const examples = entity.invocationExamples.slice(0, 3).map((e) => String(e).slice(0, 200));
-            allEntities[category][entityId].invocationExamples = examples;
+            fresh.invocationExamples = examples;
+          }
+          // Preserve lastVerified when the file content (checksum) is unchanged.
+          // Re-stamping every entity on each regen — even untouched ones — was a
+          // primary source of registry churn; the timestamp only carries meaning
+          // when the entity was actually re-verified (i.e. its checksum changed).
+          if (entity.lastVerified && entity.checksum === fresh.checksum) {
+            fresh.lastVerified = entity.lastVerified;
           }
         }
       }
-      console.log('[IDS] Preserved invocationExamples from existing registry');
+      console.log('[IDS] Preserved invocationExamples + lastVerified from existing registry');
     }
   } catch {
     // No existing registry or parse error — skip preservation
@@ -599,11 +637,28 @@ function populate(options = {}) {
     categories
   };
 
-  const yamlContent = yaml.dump(registry, {
-    lineWidth: 120,
-    noRefs: true,
-    sortKeys: false
-  });
+  const dumpOpts = { lineWidth: 120, noRefs: true, sortKeys: false };
+
+  // Idempotent timestamp: only bump `lastUpdated` when the substantive content
+  // (everything except the timestamp itself) actually changed. Without this,
+  // every regen rewrites the file solely because of a new timestamp, producing
+  // churn on each commit even when nothing meaningful changed.
+  try {
+    const existing = yaml.load(fs.readFileSync(REGISTRY_PATH, 'utf8'));
+    if (existing && existing.metadata && existing.metadata.lastUpdated) {
+      const stripStamp = (r) => yaml.dump(
+        { ...r, metadata: { ...r.metadata, lastUpdated: null } },
+        dumpOpts,
+      );
+      if (stripStamp(existing) === stripStamp(registry)) {
+        registry.metadata.lastUpdated = existing.metadata.lastUpdated;
+      }
+    }
+  } catch {
+    // No existing registry or parse error — keep the fresh timestamp.
+  }
+
+  const yamlContent = yaml.dump(registry, dumpOpts);
 
   try {
     fs.writeFileSync(REGISTRY_PATH, yamlContent, 'utf8');
@@ -618,6 +673,7 @@ function populate(options = {}) {
 
 function getCategoryDescription(category) {
   const descriptions = {
+    bin: 'CLI entry points and command implementations',
     tasks: 'Executable task workflows for agent operations',
     templates: 'Document and code generation templates',
     scripts: 'Utility and automation scripts',

package/.sinapse-ai/development/scripts/squad/squad-downloader.js

@@ -52,6 +52,20 @@ const ALLOWED_REDIRECT_HOSTS = new Set([
  */
 const MAX_REDIRECTS = 5;
 
+/**
+ * Per-request timeout (ms). Aborts a hung/slow remote so a compromised or
+ * unresponsive host can't stall the installer indefinitely (P3-001).
+ * @constant {number}
+ */
+const REQUEST_TIMEOUT_MS = 30000;
+
+/**
+ * Maximum response size (bytes). Caps a single download so a malicious/
+ * misconfigured host can't exhaust memory (10 MB is ample for a squad).
+ * @constant {number}
+ */
+const MAX_RESPONSE_BYTES = 10 * 1024 * 1024;
+
 /**
  * Error codes for SquadDownloaderError
  * @enum {string}
@@ -483,8 +497,7 @@ class SquadDownloader {
         }
       }
 
-      https
-        .get(url, options, (res) => {
+      const req = https.get(url, options, (res) => {
           // Check for rate limiting
           if (res.statusCode === 403) {
             const rateLimitRemaining = res.headers['x-ratelimit-remaining'];
@@ -565,25 +578,55 @@ class SquadDownloader {
             return;
           }
 
-          // Collect chunks as Buffer objects to support binary files
+          // Collect chunks as Buffer objects to support binary files, capping
+          // total size to prevent a malicious host from exhausting memory.
           const chunks = [];
+          let total = 0;
           res.on('data', (chunk) => {
+            total += chunk.length;
+            if (total > MAX_RESPONSE_BYTES) {
+              const err = new SquadDownloaderError(
+                DownloaderErrorCodes.NETWORK_ERROR,
+                `Response exceeded ${MAX_RESPONSE_BYTES} bytes — aborting`,
+                'The remote file is unexpectedly large; verify the source',
+              );
+              if (typeof req.destroy === 'function') req.destroy(err);
+              else reject(err);
+              return;
+            }
             chunks.push(chunk);
           });
           res.on('end', () => {
             // Concatenate all chunks into a single Buffer
             resolve(Buffer.concat(chunks));
           });
-        })
-        .on('error', (error) => {
-          reject(
-            new SquadDownloaderError(
-              DownloaderErrorCodes.NETWORK_ERROR,
-              `Network error: ${error.message}`,
-              'Check internet connection',
-            ),
+        });
+
+      // Abort hung requests (P3-001) — destroy() surfaces via the 'error' handler.
+      // Guarded: test doubles for https.get may not implement setTimeout/destroy.
+      if (typeof req.setTimeout === 'function') {
+        req.setTimeout(REQUEST_TIMEOUT_MS, () => {
+          const err = new SquadDownloaderError(
+            DownloaderErrorCodes.NETWORK_ERROR,
+            `Request timed out after ${REQUEST_TIMEOUT_MS}ms fetching ${url}`,
+            'Check internet connection or try again later',
           );
+          if (typeof req.destroy === 'function') req.destroy(err);
+          else reject(err);
         });
+      }
+
+      req.on('error', (error) => {
+        reject(
+          error instanceof SquadDownloaderError
+            ? error
+            : new SquadDownloaderError(
+                DownloaderErrorCodes.NETWORK_ERROR,
+                `Network error: ${error.message}`,
+                'Check internet connection',
+              ),
+        );
+      });
     });
   }
 

package/.sinapse-ai/development/tasks/delegate-to-external-executor.md

@@ -0,0 +1,152 @@
+# delegate-to-external-executor.md
+
+**Task**: Delegate Implementation to External Executor
+
+**Purpose**: Standardize the orchestrator/executor split for SINAPSE workflows. The active SINAPSE runtime keeps authority over story interpretation, acceptance criteria validation, constitutional gates, review, and story updates while a separate CLI runtime performs only the implementation attempt.
+
+**When to use**: Use only for `@developer` implementation work where the story scope is clear enough to hand to another runtime. Do not use for @product-lead, @quality-gate, @sprint-lead, @devops, architecture approval, or release authority.
+
+## Task Definition
+
+```yaml
+task: delegateToExternalExecutor()
+responsavel: Orchestrating agent
+responsavel_type: Agente
+atomic_layer: Organism
+
+inputs:
+  - campo: prompt
+    tipo: string
+    obrigatorio: true
+    validacao: Must cite acceptance criteria, story path, file scope, and explicit non-goals
+  - campo: slug
+    tipo: string
+    obrigatorio: true
+    validacao: Stable filesystem-safe run slug
+  - campo: story_id
+    tipo: string
+    obrigatorio: false
+  - campo: story_path
+    tipo: string
+    obrigatorio: false
+  - campo: workdir
+    tipo: string
+    obrigatorio: false
+    default: Current project root
+  - campo: provider
+    tipo: string
+    obrigatorio: false
+    default: codex
+
+outputs:
+  - campo: run_dir
+    tipo: string
+    destino: Orchestrator
+  - campo: output
+    tipo: file
+    destino: <run_dir>/output.md
+  - campo: log
+    tipo: file
+    destino: <run_dir>/<provider>.log
+  - campo: diff
+    tipo: git-diff
+    destino: Orchestrator review
+```
+
+## Configuration
+
+Delegation is disabled by default.
+
+```yaml
+dev:
+  execution_mode: native       # native | delegate
+  delegate_to: codex
+  auto_review: true
+
+external_executors:
+  enabled: false
+  default_sandbox: workspace-write   # read-only | workspace-write | full-auto | danger-full-access
+  run_dir: .sinapse/external-runs
+```
+
+## Pre-Conditions
+
+```yaml
+pre_conditions:
+  - [ ] External executor provider is installed and available on PATH.
+  - [ ] Working tree is clean, or existing intentional changes are already committed.
+  - [ ] Prompt cites the story path and acceptance criteria.
+  - [ ] Prompt lists allowed file scope and explicit non-goals.
+  - [ ] Delegated work is implementation work owned by @developer.
+  - [ ] Orchestrator has enough context to review the resulting diff.
+```
+
+## Execution
+
+### 1. Build the Prompt
+
+The orchestrator writes a prompt that contains:
+
+- Story ID and story path
+- Acceptance criteria copied or summarized from the story
+- Allowed file paths or modules
+- Testing expectations
+- Constraints from Constitution and project rules
+- Explicit instruction that the executor must not update story status, checkboxes, File List, PRs, or releases
+
+### 2. Start the Delegate Run
+
+Use the wrapper:
+
+```bash
+sinapse-delegate codex -t <slug> -f <prompt_file> -d <workdir>
+```
+
+The wrapper prints:
+
+```text
+STATUS=started
+RUN_DIR=.sinapse/external-runs/<timestamp>-<slug>
+PID=<pid>
+LOG=<run_dir>/codex.log
+OUTPUT=<run_dir>/output.md
+PROMPT=<run_dir>/prompt.md
+COMMAND=<provider command>
+```
+
+### 3. Monitor Completion
+
+The orchestrator may tail the log or wait for the PID. Do not mark story progress while the external executor is still running.
+
+### 4. Review Output and Diff
+
+The orchestrator must read:
+
+- `<run_dir>/output.md`
+- `<run_dir>/<provider>.log`
+- `git diff`
+
+Then validate:
+
+```yaml
+review_checklist:
+  - [ ] Every acceptance criterion is satisfied.
+  - [ ] Diff scope matches the story and prompt.
+  - [ ] Article IV No Invention: every change traces to a requirement.
+  - [ ] Tests were added or updated when behavior changed.
+  - [ ] Lint, typecheck, and relevant tests pass.
+  - [ ] No story state was mutated before review approval.
+```
+
+### 5. Accept or Iterate
+
+- **Approved**: orchestrator updates story checkboxes, File List, status, and final validation evidence.
+- **Rejected**: orchestrator writes specific feedback and may start a new run with a new slug or iteration suffix.
+
+## Anti-Patterns
+
+- Marking a story done by trusting the executor summary without reading the diff.
+- Delegating @product-lead, @quality-gate, @sprint-lead, or @devops authority to an external runtime.
+- Letting the executor create PRs, push, release, or mutate story state.
+- Delegating vague work without acceptance criteria and file scope.
+- Running with `danger-full-access` unless the surrounding environment is externally sandboxed.