npm - sinapse-ai - Versions diffs - 7.0.5 → 7.2.0 - Mend

sinapse-ai 7.0.5 → 7.2.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (93) hide show

package/squads/claude-code-mastery/tasks/sandbox-setup.md ADDED Viewed

@@ -0,0 +1,279 @@
+# Task: Configure Sandbox Environment
+**Task ID:** CCM-CONFIG-006
+**Version:** 1.0.0
+**Command:** `*sandbox-setup`
+**Orchestrator:** Sigil (config-engineer)
+**Purpose:** Configure Claude Code's sandbox environment for filesystem isolation, network restrictions, and process boundaries to ensure safe command execution with minimal friction.
+---
+## Overview
+```
+  +------------------+     +------------------+     +------------------+
+  | 1. Assess        | --> | 2. Configure     | --> | 3. Set Up        |
+  |    Isolation     |     |    Sandbox Mode  |     |    Network       |
+  |    Needs         |     |    in Settings   |     |    Restrictions  |
+  +------------------+     +------------------+     +------------------+
+       |                                                    |
+       v                                                    v
+  +------------------+     +------------------+
+  | 4. Configure     | --> | 5. Test Sandbox  |
+  |    File System   |     |    Isolation     |
+  |    Boundaries    |     |                  |
+  +------------------+     +------------------+
+```
+---
+## Inputs
+| Field | Type | Source | Required | Validation |
+|-------|------|--------|----------|------------|
+| project_root | string | Working directory | Yes | Valid project directory |
+| platform | string | Auto-detected | No | `macos`, `linux`, `wsl2`, `windows` |
+| isolation_level | string | User parameter | No | `standard` (default), `strict`, `airgapped` |
+---
+## Preconditions
+- Claude Code installed and operational
+- Understanding of the project's required filesystem access and network needs
+- Platform supports sandboxing (macOS, Linux, WSL2 -- Windows has limited support)
+---
+## Execution Phases
+### Phase 1: Assess Isolation Needs
+1. Determine the platform and available sandbox features:
+| Platform | Sandbox Technology | Filesystem | Network | Status |
+|----------|--------------------|------------|---------|--------|
+| macOS | Apple Sandbox (Seatbelt) | Full support | Full support | Production |
+| Linux | Landlock + Seccomp | Full support | Full support | Production |
+| WSL2 | Linux sandbox in WSL | Full support | Full support | Production |
+| Windows (native) | Limited | Partial | Limited | Limited |
+2. Survey project requirements:
+   - Which directories need write access? (src/, tests/, docs/, node_modules/)
+   - Which directories should be read-only? (.sinapse-ai/, config files)
+   - Which directories should be invisible? (secrets/, .env files)
+   - What external network access is needed? (npm registry, API servers, CDN)
+   - Are any system commands needed outside sandbox? (git, docker)
+3. Choose isolation level:
+| Level | Filesystem | Network | Use Case |
+|-------|-----------|---------|----------|
+| standard | Write to project, read home | Allow known domains | General development |
+| strict | Write to src/ only | Allow only essential | Sensitive projects |
+| airgapped | Write to src/ only | No external network | Regulated/offline |
+### Phase 2: Configure Sandbox Mode in Settings
+Generate the sandbox configuration in settings.json:
+```json
+{
+  "sandbox": {
+    "enabled": true,
+    "autoAllowBashIfSandboxed": true,
+    "excludedCommands": ["git", "docker"],
+    "allowUnsandboxedCommands": false
+  }
+}
+```
+**Key settings explained:**
+| Setting | Purpose | Recommendation |
+|---------|---------|----------------|
+| `enabled` | Enable sandbox for bash commands | `true` for all shared projects |
+| `autoAllowBashIfSandboxed` | Skip permission prompts for sandboxed bash | `true` -- sandbox provides safety |
+| `excludedCommands` | Commands that bypass sandbox | Only git, docker if needed |
+| `allowUnsandboxedCommands` | Allow `dangerouslyDisableSandbox` | `false` unless explicit need |
+### Phase 3: Set Up Network Restrictions
+Configure network access using the `network` section:
+```json
+{
+  "sandbox": {
+    "network": {
+      "allowedDomains": [
+        "registry.npmjs.org",
+        "api.github.com",
+        "raw.githubusercontent.com"
+      ],
+      "allowUnixSockets": [],
+      "allowAllUnixSockets": false,
+      "allowLocalBinding": false,
+      "httpProxyPort": 0,
+      "socksProxyPort": 0
+    }
+  }
+}
+```
+**Common domain allowlists by project type:**
+| Project Type | Domains to Allow |
+|-------------|-----------------|
+| Node.js | registry.npmjs.org, nodejs.org |
+| Python | pypi.org, files.pythonhosted.org |
+| Frontend | unpkg.com, cdn.jsdelivr.net, fonts.googleapis.com |
+| Supabase | *.supabase.co, *.supabase.in |
+| GitHub | api.github.com, raw.githubusercontent.com |
+| Docker | registry.docker.io, auth.docker.io |
+| General API | (project-specific API domains) |
+**Isolation levels:**
+- **standard**: Allow package registries + project APIs
+- **strict**: Allow only package registries
+- **airgapped**: Empty allowedDomains (no external network)
+### Phase 4: Configure File System Boundaries
+Set filesystem access controls:
+```json
+{
+  "sandbox": {
+    "filesystem": {
+      "allowWrite": [
+        "/src",
+        "/tests",
+        "/docs",
+        "//tmp"
+      ],
+      "denyWrite": [
+        "/.sinapse-ai/core",
+        "/node_modules",
+        "/.git"
+      ],
+      "denyRead": [
+        "/.env",
+        "/.env.*",
+        "/secrets"
+      ]
+    }
+  }
+}
+```
+**Path prefix reference:**
+| Prefix | Meaning | Example |
+|--------|---------|---------|
+| `//` | Filesystem root | `//tmp/build` |
+| `~/` | Home directory | `~/.ssh`, `~/.kube` |
+| `/` | Relative to settings file directory | `/src`, `/tests` |
+| `./` | Runtime-resolved relative path | `./output` |
+**Standard write access:**
+| Level | Write Allowed | Write Denied |
+|-------|---------------|--------------|
+| standard | src/, tests/, docs/, tmp/ | node_modules/, .git/, .sinapse-ai/core/ |
+| strict | src/ only | Everything else |
+| airgapped | src/ with review | Everything else |
+**Read restrictions (always deny):**
+- `.env`, `.env.*` -- environment variables
+- `secrets/`, `private/` -- secret directories
+- `~/.ssh/` -- SSH keys
+- `~/.aws/` -- AWS credentials
+- `~/.kube/` -- Kubernetes configs
+### Phase 5: Test Sandbox Isolation
+1. Verify sandbox is active:
+   - Run a bash command and check for sandbox indicators
+   - Attempt to read a denied path (should fail gracefully)
+   - Attempt to write to a denied path (should fail gracefully)
+2. Test network restrictions:
+   - Attempt to fetch from an allowed domain (should succeed)
+   - Attempt to fetch from a non-allowed domain (should be blocked)
+3. Test filesystem boundaries:
+   - Write to an allowed path (should succeed)
+   - Write to a denied path (should be blocked)
+   - Read from a denied path (should be blocked)
+4. Document test results:
+| Test | Expected | Actual | Status |
+|------|----------|--------|--------|
+| Read .env | BLOCKED | {result} | {PASS/FAIL} |
+| Write to src/ | ALLOWED | {result} | {PASS/FAIL} |
+| Fetch npm registry | ALLOWED | {result} | {PASS/FAIL} |
+| Fetch random domain | BLOCKED | {result} | {PASS/FAIL} |
+---
+## Output Format
+```markdown
+## Sandbox Configuration
+**Platform:** {platform}
+**Isolation Level:** {standard | strict | airgapped}
+### Settings Applied
+```json
+{complete sandbox section of settings.json}
+```
+### Filesystem Policy
+| Path | Read | Write | Rationale |
+|------|------|-------|-----------|
+| src/ | Yes | Yes | Source code development |
+| .env | No | No | Sensitive environment variables |
+| node_modules/ | Yes | No | Dependencies (managed by npm) |
+| ... | ... | ... | ... |
+### Network Policy
+| Domain | Allowed | Rationale |
+|--------|---------|-----------|
+| registry.npmjs.org | Yes | Package installation |
+| *.supabase.co | Yes | Database access |
+| * (all others) | No | Default deny |
+### Test Results
+{Test table from Phase 5}
+### Excluded Commands
+{List of commands that bypass sandbox with justification}
+```
+---
+## Veto Conditions
+- **NEVER** disable the sandbox without explicit user confirmation and documented justification.
+- **NEVER** add `allowAllUnixSockets: true` in production or team environments -- it bypasses network restrictions.
+- **NEVER** add home directory (`~/`) to write-allowed paths. Only specific subdirectories if absolutely needed.
+- **NEVER** set `allowUnsandboxedCommands: true` in enterprise or team settings -- it allows bypassing all sandbox protections.
+- **NEVER** add wildcard domains (`*`) to the allowedDomains list. Be specific about which domains need access.
+---
+## Completion Criteria
+- [ ] Platform detected and sandbox support verified
+- [ ] Isolation level selected based on security assessment
+- [ ] Sandbox enabled in settings with appropriate flags
+- [ ] Network restrictions configured with specific domain allowlist
+- [ ] Filesystem boundaries set with write/read controls
+- [ ] Sandbox isolation tested with documented results

package/squads/claude-code-mastery/tasks/setup-repository.md ADDED Viewed

@@ -0,0 +1,230 @@
+# Task: Set Up Repository with Claude Code Integration
+**Task ID:** CCM-PI-001
+**Version:** 1.0.0
+**Command:** `*setup-repository`
+**Agent:** Conduit (project-integrator)
+**Purpose:** Set up a new repository with complete Claude Code integration from scratch, creating the .claude/ directory structure, CLAUDE.md, settings, rules, and hooks.
+---
+## Overview
+```
+  Project Directory
+       |
+       v
+  +------------------+
+  | 1. Initialize Git |
+  |    (if needed)    |
+  +------------------+
+       |
+       v
+  +------------------+
+  | 2. Create .claude/|
+  |    Directory Tree |
+  +------------------+
+       |
+       v
+  +------------------+
+  | 3. Generate       |
+  |    CLAUDE.md      |
+  +------------------+
+       |
+       v
+  +------------------+
+  | 4. Configure      |
+  |    settings.json  |
+  +------------------+
+       |
+       v
+  +------------------+
+  | 5. Set Up Rules   |
+  |    (.claude/rules)|
+  +------------------+
+       |
+       v
+  +------------------+
+  | 6. Configure Hooks|
+  |    (optional)     |
+  +------------------+
+       |
+       v
+  +------------------+
+  | 7. Verify Setup   |
+  +------------------+
+```
+---
+## Inputs
+| Field | Type | Source | Required | Validation |
+|-------|------|--------|----------|------------|
+| project_path | string | User | Yes | Must be valid directory path |
+| project_type | enum | User | Yes | `monorepo`, `fullstack`, `frontend`, `backend`, `library`, `mobile` |
+| team_size | enum | User | No | `solo`, `small` (2-5), `medium` (6-15), `enterprise` (15+) |
+| existing_git | boolean | Detection | No | Auto-detected from .git/ presence |
+---
+## Preconditions
+- Target directory exists and is writable
+- Node.js 18+ available on PATH
+- Git installed and configured with user.name and user.email
+---
+## Execution Phases
+### Phase 1: Initialize Git Repository
+1. Check if `.git/` directory exists in target path
+2. If missing, run `git init` and create initial `.gitignore`
+3. If present, note current branch and recent history for context
+4. Validate git config has user.name and user.email set
+**Skip condition:** Git already initialized.
+### Phase 2: Create .claude/ Directory Structure
+Create the complete directory tree:
+```
+.claude/
+  CLAUDE.md
+  settings.json
+  settings.local.json    # gitignored template
+  rules/                 # contextual rules
+  commands/              # slash commands (optional)
+  skills/                # skill definitions (optional)
+  agent-memory/          # persistent memory (optional)
+```
+For each directory:
+1. Create directory if not present
+2. Add `.gitkeep` for empty optional directories
+3. Record creation in output log
+### Phase 3: Generate CLAUDE.md
+Generate a project-specific CLAUDE.md following best practices:
+1. **Project Context** (1-2 lines): what the project is, primary language/framework
+2. **Build & Test Commands**: exact commands for `dev`, `build`, `test`, `lint`, `typecheck`
+3. **Code Standards**: naming conventions, import style, error handling pattern
+4. **File Structure**: key directories and their purpose (5-10 entries)
+5. **Protected Files**: files that should never be modified by AI
+6. **Common Patterns**: 2-3 code snippets showing project conventions
+**Constraints:**
+- Keep under 150 lines total
+- Only universally applicable content
+- Domain-specific knowledge goes in rules/ or skills/
+### Phase 4: Configure settings.json
+Create `.claude/settings.json` with:
+1. **permissions.allow**: safe operations for the project type
+   - Build commands, test commands, lint commands
+   - File read/write within project scope
+2. **permissions.deny**: dangerous operations
+   - `rm -rf /`, `git push --force`, production database access
+   - Framework-protected paths if using SINAPSE
+3. **rules**: path-based rule loading configuration
+Adapt permissions based on `project_type`:
+- `monorepo`: include workspace-aware commands
+- `fullstack`: include both frontend and backend build tools
+- `library`: include publish-related deny rules
+### Phase 5: Set Up Initial Rules
+Create rule files in `.claude/rules/`:
+1. **coding-standards.md**: language-specific conventions detected from project
+2. **testing.md**: test patterns and requirements (framework-specific)
+3. **git-workflow.md**: branch naming, commit conventions, PR template guidance
+Each rule file includes `paths:` frontmatter for contextual loading:
+```yaml
+---
+paths:
+  - "src/**/*.ts"
+  - "src/**/*.tsx"
+---
+```
+### Phase 6: Configure Hooks (Optional)
+If user wants automation hooks:
+1. Detect available hook infrastructure (pre-commit, husky, lefthook)
+2. Create `.claude/hooks/` directory if using Claude Code hooks
+3. Suggest hook configurations for:
+   - `PreToolUse`: command validation (block dangerous patterns)
+   - `PostToolUse`: logging and metrics
+   - `Stop`: session summary generation
+4. Provide hook templates, do not force-install
+### Phase 7: Verify Setup
+Run verification checks:
+1. Confirm `.claude/CLAUDE.md` exists and is under 150 lines
+2. Confirm `.claude/settings.json` is valid JSON
+3. Confirm rules/ directory has at least one rule file
+4. Test that git status recognizes new files
+5. Generate setup report with pass/fail per component
+---
+## Output Format
+```markdown
+## Repository Setup Report
+**Project:** {project_path}
+**Type:** {project_type}
+**Date:** {YYYY-MM-DD}
+### Components Created
+| Component | Status | Path |
+|-----------|--------|------|
+| .claude/CLAUDE.md | PASS | .claude/CLAUDE.md |
+| settings.json | PASS | .claude/settings.json |
+| Rules | PASS | .claude/rules/ (N files) |
+| Hooks | SKIP/PASS | .claude/hooks/ |
+### CLAUDE.md Summary
+- Lines: {N}/150
+- Sections: {list}
+### Next Steps
+1. Review CLAUDE.md and adjust project context
+2. Run `claude` to test the integration
+3. Consider adding skills with `*create-skill`
+```
+---
+## Veto Conditions
+- **NEVER** overwrite an existing CLAUDE.md without user confirmation
+- **NEVER** add allow rules for destructive commands (rm -rf, drop database)
+- **NEVER** configure hooks that block workflow without explicit opt-in
+- **NEVER** commit generated files automatically -- let user review first
+---
+## Completion Criteria
+- [ ] .claude/ directory structure created
+- [ ] CLAUDE.md generated under 150 lines with project-specific content
+- [ ] settings.json configured with appropriate permissions
+- [ ] At least one rule file created in .claude/rules/
+- [ ] Verification checks all pass
+- [ ] Setup report presented to user