sinapse-ai 1.9.0 → 1.9.1

package/.claude/rules/mandatory-delegation.md

@@ -62,7 +62,7 @@ The orchestrator MUST still delegate. The correct response pattern is:
 | Midia paga, ads | @paidmedia-orqx (Apex) |
 | Produto, roadmap | @product-orqx (Vector) |
 | Pesquisa, inteligencia | @research-orqx (Prism) |
-| Claude Code mastery | @claude-orqx (Nucleus) |
+| Claude Code mastery | @swarm-orqx (Nexus) |
 | Conselho estrategico | @council-orqx (Zenith) |
 | Storytelling, pitch | @storytelling-orqx (Arc) |
 | Cybersecurity | @cyber-orqx (Fortress) |

package/.codex/delegation-matrix.json

@@ -133,8 +133,9 @@
         "research-competitor-positioning"
       ]
     },
-    "claude-orqx": {
+    "swarm-orqx": {
       "aliases": [
+        "swarm-orqx",
         "claude-orqx",
         "claude"
       ],
@@ -421,14 +422,14 @@
         {
           "from": "sinapse-orqx",
           "fromType": "orqx",
-          "to": "claude-orqx",
+          "to": "swarm-orqx",
           "toType": "orqx",
           "path": ".codex/agents/swarm-orqx.md",
           "handoff": "delegate-to-squad",
           "reason": "Runtime and setup parity work belongs to the Claude mastery squad."
         },
         {
-          "from": "claude-orqx",
+          "from": "swarm-orqx",
           "fromType": "orqx",
           "to": "project-integrator",
           "toType": "specialist",

package/.codex/delegation-parity.json

@@ -132,8 +132,9 @@
         "research-competitor-positioning"
       ]
     },
-    "claude-orqx": {
+    "swarm-orqx": {
       "aliases": [
+        "swarm-orqx",
         "claude-orqx",
         "claude"
       ],
@@ -420,14 +421,14 @@
         {
           "from": "sinapse-orqx",
           "fromType": "orqx",
-          "to": "claude-orqx",
+          "to": "swarm-orqx",
           "toType": "orqx",
           "path": ".codex/agents/swarm-orqx.md",
           "handoff": "delegate-to-squad",
           "reason": "Runtime and setup parity work belongs to the Claude mastery squad."
         },
         {
-          "from": "claude-orqx",
+          "from": "swarm-orqx",
           "fromType": "orqx",
           "to": "project-integrator",
           "toType": "specialist",

package/.codex/instructions.md

@@ -16,7 +16,7 @@ Examples:
 ### Pattern: /sinapse
 Show the available squads and how to activate them:
 
-**18 Squads Available:**
+**17 Squads Available:**
 | Squad | Comando | Foco |
 |-------|---------|------|
 | Brand | `@brand-orqx` | Estrategia de marca |
@@ -35,7 +35,7 @@ Show the available squads and how to activate them:
 | Courses | `@courses-orqx` | Producao educacional |
 | Cloning | `@cloning-orqx` | Clonagem cognitiva |
 | Council | `@council-orqx` | Advisors estrategicos |
-| Claude | `@claude-orqx` | Claude Code mastery |
+| Claude | `@swarm-orqx` | Claude Code mastery |
 
 **12 Core Development Agents:**
 | Agent | Comando | Funcao |

package/.sinapse-ai/constitution.md

@@ -150,10 +150,10 @@ Métricas do ecossistema (contagem de squads, agentes, tasks, orqx) DEVEM ser es
 <!-- BEGIN AUTO-GENERATED COUNTS (sync via `npm run sync:counts`) -->
 - **17 squads** (diretórios em `squads/`)
 - **172 agentes** (160 em squads + 12 framework agents)
-- **20 comandos orqx** (19 squad orqx + 1 master sinapse-orqx)
+- **18 comandos orqx** (17 squad orqx + 1 master sinapse-orqx)
 - **1200 tasks** (em `squads/*/tasks/`)
 
-*Last synced: 2026-06-16T06:50:56.447Z*
+*Last synced: 2026-06-18T04:58:21.153Z*
 <!-- END AUTO-GENERATED COUNTS -->
 
 

package/.sinapse-ai/core/doctor/checks/git-hooks.js

@@ -8,12 +8,23 @@
  * `.sinapse-ai/git-hooks` but that directory is EMPTY/MISSING — so every guard
  * is silently INERT and secrets/destructive SQL pass at commit time.
  *
+ * Beyond mere existence, this check also confirms the guard is PLAUSIBLE rather
+ * than a hollow shell:
+ *   1. core.hooksPath actually RESOLVES to the managed dir (.sinapse-ai/git-hooks).
+ *      A hooksPath pointing somewhere else means the framework backstop is not the
+ *      active hook system, even if some pre-commit exists there.
+ *   2. The pre-commit (and any present pre-push) guard is NON-EMPTY. A zero-byte /
+ *      whitespace-only hook file passes existsSync but runs nothing — the same
+ *      INERT trap with a file present to disguise it.
+ *
  * Verdicts:
- *   - FAIL: core.hooksPath is set but the dir is missing OR has no pre-commit
- *           (the inert-trap state — security off without anyone noticing).
- *   - WARN: no core.hooksPath set and no .husky fallback (hooks not installed).
- *   - PASS: managed hooksPath populated with pre-commit (and ideally pre-push),
- *           OR a husky fallback with the expected hooks exists.
+ *   - FAIL: core.hooksPath is set but the dir is missing, has no pre-commit, the
+ *           pre-commit is empty, OR hooksPath resolves outside the managed dir
+ *           (the inert-trap states — security off without anyone noticing).
+ *   - WARN: no core.hooksPath set and no .husky fallback (hooks not installed),
+ *           or pre-push present-but-empty / missing.
+ *   - PASS: managed hooksPath populated with a non-empty pre-commit (and ideally
+ *           pre-push), OR a husky fallback with the expected hooks exists.
  *
  * @module sinapse-ai/doctor/checks/git-hooks
  * @story INS-4.1, E8-SECURITY
@@ -46,6 +57,36 @@ function readHooksPath(projectRoot) {
   }
 }
 
+/**
+ * True when a hook file exists AND carries real (non-whitespace) content.
+ * A zero-byte / blank hook passes existsSync but executes nothing — the same
+ * INERT trap with a file present to disguise it.
+ * @param {string} hookFile absolute path
+ * @returns {boolean}
+ */
+function hasContent(hookFile) {
+  try {
+    return fs.readFileSync(hookFile, 'utf8').trim().length > 0;
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * True when the configured hooksPath resolves to the managed git-hooks dir
+ * (.sinapse-ai/git-hooks), regardless of whether it was given as a relative or
+ * absolute path. If it points elsewhere, the framework backstop is not the
+ * active hook system even if some pre-commit happens to exist there.
+ * @param {string} projectRoot
+ * @param {string} hooksPath value from core.hooksPath
+ * @returns {boolean}
+ */
+function resolvesToManaged(projectRoot, hooksPath) {
+  const resolved = path.resolve(projectRoot, hooksPath);
+  const managed = path.resolve(projectRoot, MANAGED_HOOKS_DIR);
+  return resolved === managed;
+}
+
 async function run(context) {
   const projectRoot = context.projectRoot;
   const hooksPath = readHooksPath(projectRoot);
@@ -64,6 +105,17 @@ async function run(context) {
       };
     }
 
+    // hooksPath points at a real dir, but does it point at OUR managed dir? If it
+    // resolves elsewhere, the framework backstop is not the active hook system.
+    if (!resolvesToManaged(projectRoot, hooksPath)) {
+      return {
+        check: name,
+        status: 'FAIL',
+        message: `core.hooksPath -> "${hooksPath}" resolves OUTSIDE the managed dir (${MANAGED_HOOKS_DIR}). The framework's secret-scan/SQL/boundary guards are not the active hook system. Re-wire core.hooksPath to the managed dir.`,
+        fixCommand: 'sinapse init   # re-wires core.hooksPath to .sinapse-ai/git-hooks',
+      };
+    }
+
     if (!fs.existsSync(preCommit)) {
       return {
         check: name,
@@ -73,9 +125,22 @@ async function run(context) {
       };
     }
 
-    // Populated. Report which managed hooks are present.
-    const present = EXPECTED_MANAGED.filter((h) => fs.existsSync(path.join(hooksDirAbs, h)));
-    const missing = EXPECTED_MANAGED.filter((h) => !fs.existsSync(path.join(hooksDirAbs, h)));
+    // pre-commit exists but is empty/whitespace -> runs nothing -> still INERT.
+    if (!hasContent(preCommit)) {
+      return {
+        check: name,
+        status: 'FAIL',
+        message: `core.hooksPath -> "${hooksPath}" has a pre-commit file but it is EMPTY. The guard executes nothing — secret-scan/SQL/boundary are INERT despite the file being present.`,
+        fixCommand: 'sinapse init   # regenerates the managed pre-commit guard',
+      };
+    }
+
+    // Populated with a plausible (non-empty) pre-commit. Report present hooks,
+    // treating a present-but-empty hook as missing (it does nothing).
+    const present = EXPECTED_MANAGED.filter(
+      (h) => fs.existsSync(path.join(hooksDirAbs, h)) && hasContent(path.join(hooksDirAbs, h)),
+    );
+    const missing = EXPECTED_MANAGED.filter((h) => !present.includes(h));
 
     if (missing.length === 0) {
       return {
@@ -86,11 +151,12 @@ async function run(context) {
       };
     }
 
-    // pre-commit present (security backstop active) but pre-push missing -> WARN.
+    // pre-commit present and non-empty (security backstop active) but pre-push
+    // missing or empty -> WARN.
     return {
       check: name,
       status: 'WARN',
-      message: `managed pre-commit active at ${hooksPath}; missing: ${missing.join(', ')}`,
+      message: `managed pre-commit active at ${hooksPath}; missing/empty: ${missing.join(', ')}`,
       fixCommand: 'sinapse init   # writes the missing managed hook(s)',
     };
   }

package/.sinapse-ai/core/execution/subagent-dispatcher.js

@@ -12,7 +12,7 @@ const EventEmitter = require('events');
 const _path = require('path');
 const { runSafe } = require('../utils/spawn-safe');
 
-// epic: orchestration-consolidation, F2 — resolves any of the 189 agent ids to
+// epic: orchestration-consolidation, F2 — resolves any of the 172 agent ids to
 // its real persona on disk (squads/ + framework agents). Optional: degrades to a
 // generic prompt if the module is missing.
 let SquadAgentResolver;

package/.sinapse-ai/core/synapse/engine.js

@@ -222,6 +222,13 @@ class SynapseEngine {
    * @param {object} [config={}] - Configuration from manifest / caller
    * @param {object} [config.manifest] - Parsed manifest object
    * @param {boolean} [config.devmode] - Enable DEVMODE debug output
+   * @param {Array<object>} [config.layers] - Optional pre-instantiated layer
+   *   instances (dependency injection). When provided, these are used verbatim
+   *   instead of loading + instantiating the L0-L7 modules from disk. Each
+   *   instance must expose `name`, `layer`, and `_safeProcess(context)`. This is
+   *   the seam used by tests to inject isolated mock layers without relying on
+   *   `jest.mock` hoisting or module-cache state. Production never passes this,
+   *   so default behavior is unchanged.
    */
   constructor(synapsePath, config = {}) {
     this.synapsePath = synapsePath;
@@ -233,6 +240,14 @@ class SynapseEngine {
     /** @type {MemoryBridge} Feature-gated MIS consumer (SYN-10) */
     this.memoryBridge = new MemoryBridge();
 
+    // Dependency injection seam: when caller supplies ready layer instances,
+    // use them directly and skip module loading entirely (production default
+    // = no config.layers → identical behavior to before).
+    if (Array.isArray(config.layers)) {
+      this.layers = config.layers.filter(Boolean);
+      return;
+    }
+
     for (const mod of LAYER_MODULES) {
       const LayerClass = loadLayerModule(mod.path);
       if (LayerClass) {

package/.sinapse-ai/data/entity-registry.yaml

@@ -1,6 +1,6 @@
 metadata:
   version: 1.0.0
-  lastUpdated: '2026-06-17T19:03:15.397Z'
+  lastUpdated: '2026-06-18T05:22:03.289Z'
   entityCount: 810
   checksumAlgorithm: sha256
   resolutionRate: 100
@@ -238,8 +238,8 @@ entities:
         score: 0.7
         constraints: []
         extensionPoints: []
-      checksum: sha256:d06ce22670f135d81483da98314a2f2fb843b8eb85f13ba5d37c13629ef80848
-      lastVerified: '2026-06-15T01:36:42.600Z'
+      checksum: sha256:81710d210c261e3a9135411ce111bac5ef9965f78f4c4c8ab8ea1f41f150cea9
+      lastVerified: '2026-06-18T04:29:33.818Z'
     update:
       path: bin/commands/update.js
       layer: L1
@@ -831,8 +831,8 @@ entities:
         score: 0.7
         constraints: []
         extensionPoints: []
-      checksum: sha256:ecf325fc29eb7ad8a89117deec91deae653e6d92bd2293e33a4979f582559893
-      lastVerified: '2026-06-17T19:03:15.213Z'
+      checksum: sha256:6df52276cf16bcbca776e11dc4f90ca2594c5ed1f22dc1dd37a44262eccaaf54
+      lastVerified: '2026-06-18T04:25:38.106Z'
     staged-secret-scan:
       path: bin/utils/staged-secret-scan.js
       layer: L1
@@ -1457,8 +1457,8 @@ entities:
         score: 0.8
         constraints: []
         extensionPoints: []
-      checksum: sha256:56f8f1e1a5dc349d2361ea6d58ae4fd17c048a98e6a7672af390b2e0c31b7234
-      lastVerified: '2026-06-16T17:13:38.706Z'
+      checksum: sha256:e8dab3d13ae816a1543a220561024b57d692a39a316ce29efd1ca7c6405ec304
+      lastVerified: '2026-06-18T04:18:26.455Z'
     build-component:
       path: .sinapse-ai/development/tasks/build-component.md
       layer: L2
@@ -9610,8 +9610,8 @@ entities:
         score: 0.4
         constraints: []
         extensionPoints: []
-      checksum: sha256:653371d423b5f132bdedc5b80c3a2a82471bff1c147fea25ce52b4cd8bcd3b23
-      lastVerified: '2026-06-16T19:50:23.589Z'
+      checksum: sha256:353441b03a572d27e03f626ae31336aa526c3dcec780ca89433c6fabec05a723
+      lastVerified: '2026-06-18T04:42:18.034Z'
     graph-dashboard:
       path: .sinapse-ai/core/doctor/checks/graph-dashboard.js
       layer: L1
@@ -10336,8 +10336,8 @@ entities:
         score: 0.4
         constraints: []
         extensionPoints: []
-      checksum: sha256:19f050834b0c5faf69ac5ff8d448ab3a7af7109c82fd2cbb5299320b7e7b6e2b
-      lastVerified: '2026-06-15T00:26:26.381Z'
+      checksum: sha256:c291a8d9dea32273577b5c726626f4bc7a94b6aa67a52c9f312d6448ca6ab910
+      lastVerified: '2026-06-18T04:29:34.042Z'
     wave-executor:
       path: .sinapse-ai/core/execution/wave-executor.js
       layer: L1
@@ -14411,8 +14411,8 @@ entities:
         score: 0.3
         constraints: []
         extensionPoints: []
-      checksum: sha256:90bb4376f8ca2ab7bf2176ce51aeed9f04ab00ae14085be3ef7b82585f504193
-      lastVerified: '2026-06-17T17:42:07.543Z'
+      checksum: sha256:744ba24a08e6d294d93dff577d14185fa02b589f298049a734001f3b504daf82
+      lastVerified: '2026-06-18T05:22:03.153Z'
     sprint-lead:
       path: .sinapse-ai/development/agents/sprint-lead.md
       layer: L2

package/.sinapse-ai/development/agents/snps-orqx.md

@@ -267,8 +267,8 @@ routing_table:
 
     - squad: claude-code-mastery
       prefix: claude
-      orchestrator: claude-orqx (Nucleus)
-      invocation: "/claude:agents:claude-orqx"
+      orchestrator: swarm-orqx (Nexus)
+      invocation: "/claude:agents:swarm-orqx"
       domain: "Claude Code mastery, prompt engineering, MCP, automacao, hooks, skills, plugins, agent teams, context engineering"
       agents: 11
       tasks: 51
@@ -559,7 +559,7 @@ relationships:
       context: "All product strategy, discovery, roadmap"
     - agent: research-orqx (Prism)
       context: "All market research, competitive intelligence"
-    - agent: claude-orqx (Nucleus)
+    - agent: swarm-orqx (Nexus)
       context: "All Claude Code mastery, prompt engineering, MCP"
     - agent: council-orqx (Zenith)
       context: "All strategic counsel, mental models, advisory"
@@ -657,7 +657,7 @@ Imperator can provide ecosystem-wide insights by combining capabilities across s
 | 9 | paidmedia | pm | Apex | Midia paga, Meta/Google Ads |
 | 10 | product | product | Vector | Produto, discovery, roadmap |
 | 11 | research | research | Prism | Pesquisa, inteligencia competitiva |
-| 12 | claude | claude | Nucleus | Claude Code, prompt engineering |
+| 12 | claude-code-mastery | claude | Nexus | Claude Code, prompt engineering |
 | 13 | council | council | Zenith | Conselho estrategico, advisory |
 | 14 | storytelling | narrative | Arc | Storytelling, pitch, apresentacao |
 | 15 | cybersecurity | cyber | Fortress | Cybersecurity, compliance, pentest |

package/.sinapse-ai/git-hooks/lib/secret-scanner-core.js

@@ -72,6 +72,17 @@ const NAMED_PATTERNS = [
   { name: 'Hardcoded Password', pattern: /(?:password|passwd|pwd)\s*[=:]\s*['"][^'"]{8,}['"]/i, lowConfidence: true },
   { name: 'Bearer Token', pattern: /[Bb]earer\s+[A-Za-z0-9_\-.]{20,}/, entropyGated: true, lowConfidence: true },
   { name: 'Basic Auth', pattern: /[Bb]asic\s+[A-Za-z0-9+/=]{20,}/, lowConfidence: true },
+
+  // Long pure-hex runs (32–64 chars). The 16-symbol hex alphabet caps Shannon
+  // entropy at ~4.0, BELOW ENTROPY_THRESHOLD (4.5), so the generic entropy
+  // backstop never sees them — Twilio auth tokens (32-hex), webhook signing
+  // secrets and SHA-style 64-hex digests slip through. This explicit rule closes
+  // that gap. It is `hashContextGated`: a hex run sitting in an integrity /
+  // checksum / lockfile / git-sha context (covered by HASH_CONTEXT_PATTERN) is a
+  // legitimate hash, NOT a secret, and is allowlisted. `lowConfidence` keeps it
+  // OUT of the release publish gate (entropy:false there would otherwise match
+  // every documented digest); the diff-scoped commit hook still enforces it.
+  { name: 'Long Hex Token', pattern: /\b[a-f0-9]{32,64}\b/i, hashContextGated: true, lowConfidence: true },
 ];
 
 const PLACEHOLDER_TOKENS = [
@@ -100,19 +111,48 @@ const PLACEHOLDER_PATTERNS = [
 
 const EXAMPLE_HOST_PATTERN = /(?:example\.(?:com|org|net)|localhost|127\.0\.0\.1|host\b|your-host|placeholder)/i;
 
+// A keyword placeholder only allowlists when it DOMINATES the value: once every
+// placeholder occurrence is removed, the TOTAL alphanumeric length that remains
+// is too short to be a secret on its own (< ENTROPY_MIN_LEN). A bare
+// `lower.includes(token)` was a trivial bypass — ANY real secret that happened to
+// contain "abcdef" / "123456" / "example" anywhere in its body got silently
+// allowlisted (e.g. Xq9Zk2…abcdef…Fg5 passed). Measuring the *total* remainder
+// (not just the longest contiguous run) closes that hole even when the buried
+// placeholder splits the secret into two sub-threshold runs: the legitimate
+// cases (your-key-here, placeholder123456, test-key-example, CHANGEME) strip down
+// to nothing, while a 35-char random token minus a 6-char placeholder still has
+// ~29 alphanumeric chars left and is NOT allowlisted.
+function placeholderDominates(lower) {
+  let stripped = lower;
+  let matchedAny = false;
+  for (const token of PLACEHOLDER_TOKENS) {
+    if (stripped.includes(token)) {
+      matchedAny = true;
+      // Replace with a separator so adjacent runs aren't fused into a longer one.
+      stripped = stripped.split(token).join(' ');
+    }
+  }
+  if (!matchedAny) return false;
+  // Total alphanumeric chars left after removing every placeholder occurrence.
+  const remaining = (stripped.match(/[a-z0-9]/g) || []).length;
+  return remaining < ENTROPY_MIN_LEN;
+}
+
 function isAllowlistPlaceholder(value) {
   if (value === null || value === undefined) return false;
   const v = String(value).trim();
   if (v.length === 0) return true;
 
-  const lower = v.toLowerCase();
-  for (const token of PLACEHOLDER_TOKENS) {
-    if (lower.includes(token)) return true;
-  }
+  // Structural placeholders are always safe: <...>, [...], {token}, ${VAR},
+  // SCREAMING_SNAKE env-var names, and repeated single-symbol fillers.
   for (const re of PLACEHOLDER_PATTERNS) {
     if (re.test(v)) return true;
   }
   if (/^(.)\1{5,}$/.test(v)) return true; // repeated single char
+
+  // Keyword placeholders: word-boundary anchored + dominance, NOT raw includes().
+  if (placeholderDominates(v.toLowerCase())) return true;
+
   return false;
 }
 
@@ -204,6 +244,38 @@ function scanContent(content, options = {}) {
       if (shannonEntropy(tail) < 2.0) continue; // clearly non-random
     }
 
+    if (descriptor.hashContextGated) {
+      // Long hex runs are flagged as suspected secrets (Twilio token, webhook
+      // signing secret, SHA-style digest) EXCEPT when they sit in an integrity /
+      // checksum / lockfile / git-sha context — those are legitimate hashes, not
+      // leaked credentials. Reuse HASH_CONTEXT_PATTERN over a window around the
+      // match so package-lock integrity:, "resolved" tarball #sha, "checksum",
+      // and 40/64-hex git shas are NOT false-positived. A fully repeated/obvious
+      // placeholder hex (deadbeef…, 000…) is also allowlisted.
+      if (isAllowlistPlaceholder(matched)) continue;
+      if (isLockfilePath(filePath)) continue;
+      // Canonical digest lengths — git SHA-1 (40) and SHA-256 (64) — are
+      // overwhelmingly legitimate hashes (commit refs, file checksums, content
+      // digests) and appear bare in changelogs/docs/lockfiles. Treating every
+      // isolated 40/64-hex run as a leak would false-positive on the entire git
+      // ecosystem, so these exact lengths are hash-shaped by default. The
+      // headline real-secret case (Twilio auth token = 32-hex) and other
+      // non-digest lengths (33–39, 41–63) are NOT standard digests and stay
+      // flagged. A leaked literal hash secret of EXACTLY 40/64 hex is the
+      // accepted blind spot of this length-based heuristic (documented tradeoff
+      // favouring zero false-positives on git/checksum hashes).
+      const hexLen = matched.length;
+      if (hexLen === 40 || hexLen === 64) continue;
+      // For non-canonical lengths, allowlist only when the SURROUNDING context
+      // carries a hash marker (integrity:, sha256-, "resolved", "checksum"). The
+      // window is widened on the left so a marker earlier on the line
+      // (e.g. `"resolved": "https://…/x.tgz#<hex>"`) is still seen.
+      const mIdx = text.indexOf(matched);
+      const before = text.slice(Math.max(0, mIdx - 64), mIdx);
+      const after = text.slice(mIdx + matched.length, mIdx + matched.length + 4);
+      if (HASH_CONTEXT_PATTERN.test(before + ' ' + after)) continue;
+    }
+
     findings.push({ name: descriptor.name, redacted: redactMatch(matched), kind: 'pattern' });
   }
 

package/.sinapse-ai/git-hooks/pre-push

@@ -28,7 +28,13 @@ function pickValidateScript() {
 const script = pickValidateScript();
 if (script) {
   const npmCmd = process.platform === 'win32' ? 'npm.cmd' : 'npm';
-  const res = spawnSync(npmCmd, ['run', '--silent', script], { stdio: 'inherit', cwd: projectRoot });
+  // shell:true on Windows — spawning npm.cmd without it throws EINVAL (CVE-2024-27980 /
+  // Node DEP0190). Args are fixed/literal here, so there is no shell-injection surface.
+  const res = spawnSync(npmCmd, ['run', '--silent', script], {
+    stdio: 'inherit',
+    cwd: projectRoot,
+    shell: process.platform === 'win32',
+  });
   if (res.error) {
     process.stderr.write('SINAPSE pre-push: could not run "npm run ' + script + '" — blocking push (fail-closed).\n');
     process.stderr.write('  ' + res.error.message + '\n');

package/.sinapse-ai/install-manifest.yaml

@@ -7,7 +7,7 @@
 # - SHA256 hashes for change detection
 # - File types for categorization
 #
-version: 1.9.0
+version: 1.9.1
 generator: scripts/generate-install-manifest.js
 file_count: 1180
 files:
@@ -348,9 +348,9 @@ files:
     type: core
     size: 1581
   - path: core/doctor/checks/git-hooks.js
-    hash: sha256:653371d423b5f132bdedc5b80c3a2a82471bff1c147fea25ce52b4cd8bcd3b23
+    hash: sha256:353441b03a572d27e03f626ae31336aa526c3dcec780ca89433c6fabec05a723
     type: core
-    size: 5041
+    size: 8039
   - path: core/doctor/checks/graph-dashboard.js
     hash: sha256:6996b47faf1945ed27a24db2a0061c46f9fd0069b0c73a8af0f4b68d68142047
     type: core
@@ -500,7 +500,7 @@ files:
     type: core
     size: 52328
   - path: core/execution/subagent-dispatcher.js
-    hash: sha256:19f050834b0c5faf69ac5ff8d448ab3a7af7109c82fd2cbb5299320b7e7b6e2b
+    hash: sha256:c291a8d9dea32273577b5c726626f4bc7a94b6aa67a52c9f312d6448ca6ab910
     type: core
     size: 32197
   - path: core/execution/wave-executor.js
@@ -1244,9 +1244,9 @@ files:
     type: core
     size: 8123
   - path: core/synapse/engine.js
-    hash: sha256:66b124c47e1fd275cfd7e4bc02a12ef429e436959a7e56999fdeee5c80f0a23e
+    hash: sha256:04395397b60a8b7a30ac1677633b277077e94ed1250f3709e0c54f821deadef1
     type: core
-    size: 14632
+    size: 15479
   - path: core/synapse/layers/l0-constitution.js
     hash: sha256:0d042647a67f8f46073207627a582c6c24b5713f02beb0e86af6f231cc33c5eb
     type: core
@@ -1364,7 +1364,7 @@ files:
     type: data
     size: 9587
   - path: data/entity-registry.yaml
-    hash: sha256:1b9f3692955053e6a2e6174b1ff3e337c873ddd75a13b918bf4fdc82ebec207a
+    hash: sha256:2287de6ef9ec9e862f5d69ba1a4c2e91d483e2b2181557d571e69899db6fd0cd
     type: data
     size: 558183
   - path: data/learned-patterns.yaml
@@ -1532,9 +1532,9 @@ files:
     type: agent
     size: 1369
   - path: development/agents/snps-orqx.md
-    hash: sha256:90bb4376f8ca2ab7bf2176ce51aeed9f04ab00ae14085be3ef7b82585f504193
+    hash: sha256:744ba24a08e6d294d93dff577d14185fa02b589f298049a734001f3b504daf82
     type: agent
-    size: 34541
+    size: 34545
   - path: development/agents/sprint-lead.md
     hash: sha256:572289b770cdbb0cff9ae2de4b2d19c38ce814fe978df397aa2794297f562c91
     type: agent

package/AGENTS.md

@@ -46,8 +46,8 @@ tests/                    # Test suites
 ## Agents
 
 The core SDC agents below are documented in full. They are NOT the whole roster:
-**every one of the 172 agents** (12 core + 160 squad specialists/orchestrators across
-17 squads) resolves by `@name` and so do their real tasks. Resolution is parametric —
+**every one of the 172 agents** (12 core + 160 specialists/orchestrators distributed
+across 17 squads) resolves by `@name` and so do their real tasks. Resolution is parametric —
 read from the source agent definitions at runtime, never from a frozen list:
 
 ```bash