sinapse-ai 7.7.11 → 8.0.1

package/docs/security.md

@@ -1,124 +1,260 @@
-# Security Policy
+# SINAPSE-AI Security Guide
 
-> 🇧🇷 [Versão em Português](SECURITY-PT.md)
+> For vulnerability reporting, see [SECURITY.md](../SECURITY.md)
 
-## Supported Versions
+---
 
-We release patches for security vulnerabilities in the following versions:
+## Table of Contents
 
-| Version | Supported          |
-| ------- | ------------------ |
-| 2.1.x   | :white_check_mark: |
-| < 2.1   | :x:                |
+1. [Security Architecture Overview](#security-architecture-overview)
+2. [Secret Management](#secret-management)
+3. [MCP Server Trust Model](#mcp-server-trust-model)
+4. [Agent Security Boundaries](#agent-security-boundaries)
+5. [Hook Architecture](#hook-architecture)
+6. [Best Practices for Users](#best-practices-for-users)
+7. [Constitutional Enforcement](#constitutional-enforcement)
 
-## Reporting a Vulnerability
+---
 
-We take security seriously at SinapseAI. If you discover a security vulnerability in SINAPSE, please report it responsibly.
+## Security Architecture Overview
+
+SINAPSE-AI implements a defense-in-depth security model with multiple enforcement layers:
+
+```
+Constitution (Article X)
+  |
+  +-- 25 Pre-Deploy Blockers (3 tiers)
+  |     +-- Tier 1: Absolute Blockers (deploy impossible)
+  |     +-- Tier 2: Compliance Blockers (LGPD)
+  |     +-- Tier 3: Operational Blockers
+  |
+  +-- 19 Claude Code Hooks (real-time enforcement)
+  |     +-- Secret scanning
+  |     +-- SQL governance
+  |     +-- Architecture-first gates
+  |     +-- Push authority control
+  |
+  +-- Quality Gates (pre-commit, PR, human review)
+```
+
+Security is not optional in SINAPSE-AI. It is enforced at the constitutional level (Article X -- NON-NEGOTIABLE) and automated through hooks and gates that block violations before they reach production.
 
-### How to Report
+---
 
-**DO NOT** create a public GitHub issue for security vulnerabilities.
+## Secret Management
 
-Instead, please report security vulnerabilities through one of these channels:
+### How SINAPSE-AI Handles Secrets
 
-1. **GitHub Security Advisories** (Preferred)
-   - Go to [Security Advisories](https://github.com/SinapseAI/sinapse-ai/security/advisories)
-   - Click "Report a vulnerability"
-   - Fill out the form with details
+SINAPSE-AI uses a hook-based secret scanning system that runs on every file write and commit operation.
 
-2. **GitHub Issues (Private)**
-   - Open a [private security advisory](https://github.com/SinapseAI/sinapse-ai/security/advisories)
-   - Use subject line: `[SECURITY] Brief description`
+**Active hook:** `secret-scanning.cjs`
 
-### What to Include
+**Scanned patterns include:**
+- AWS access keys and secret keys
+- Stripe API keys (live and test)
+- SSH private keys (RSA, ED25519, ECDSA)
+- GitHub tokens (personal, OAuth, app)
+- Google API keys and OAuth credentials
+- Slack tokens and webhooks
+- Database connection strings with embedded credentials
+- JWT tokens and Bearer tokens
+- Generic high-entropy strings matching key patterns
 
-Please include the following in your report:
+**Behavior on detection:**
+- The commit is **blocked** immediately
+- The agent is notified with the specific file and pattern match
+- The file is removed from staging
+- The user is warned to rotate the detected credential
 
-- **Description**: A clear description of the vulnerability
-- **Impact**: What could an attacker achieve with this vulnerability?
-- **Steps to Reproduce**: Detailed steps to reproduce the issue
-- **Affected Versions**: Which versions are affected?
-- **Possible Fix**: If you have suggestions for how to fix the issue
-- **Your Information**: Name/handle for acknowledgment (optional)
+### Environment Variable Rules
 
-### What to Expect
+| Rule | Enforcement |
+|------|-------------|
+| `.env` files must be in `.gitignore` | Hook blocks commits containing `.env` |
+| `.env.example` must use placeholders | Manual review during QA gate |
+| `NEXT_PUBLIC_*` variables are public | Never put secrets in `NEXT_PUBLIC_*` |
+| `service_role` keys never in frontend | Hook scans `src/`, `app/`, `pages/` directories |
 
-1. **Acknowledgment**: We will acknowledge receipt within 48 hours
-2. **Initial Assessment**: We will provide an initial assessment within 5 business days
-3. **Updates**: We will keep you informed of our progress
-4. **Resolution**: We aim to resolve critical issues within 30 days
-5. **Disclosure**: We will coordinate disclosure timing with you
+---
 
-### Safe Harbor
+## MCP Server Trust Model
 
-We consider security research conducted in accordance with this policy to be:
+SINAPSE-AI uses a tiered approach to MCP (Model Context Protocol) server trust:
 
-- Authorized concerning any applicable anti-hacking laws
-- Authorized concerning any relevant anti-circumvention laws
-- Exempt from restrictions in our Terms of Service that would interfere with conducting security research
+### Docker Isolation
 
-We will not pursue civil action or initiate a complaint to law enforcement for accidental, good faith violations of this policy.
+MCP servers that require authentication or access external services run inside Docker containers via Docker MCP Toolkit. This provides:
 
-## Security Best Practices
+- **Process isolation:** MCP servers cannot access the host filesystem directly
+- **Network segmentation:** Each container has its own network namespace
+- **Credential isolation:** API keys are injected via Docker environment variables, not stored in project files
 
-When using SINAPSE Framework, we recommend:
+### Native Tool Preference
 
-### Environment Variables
+SINAPSE-AI always prefers native Claude Code tools over MCP equivalents:
 
-- Never commit `.env` files to version control
-- Use `.env.example` as a template without real values
-- Rotate API keys and secrets regularly
+| Task | Preferred Tool | Why |
+|------|---------------|-----|
+| File read/write | Read, Write, Edit | Runs locally, no network |
+| Search | Grep, Glob | Faster, no external calls |
+| Commands | Bash | Direct host execution |
 
-### MCP Server Security
+MCP servers are only used when native tools cannot provide the required capability (web search, browser automation, external API access).
 
-- Only enable MCP servers from trusted sources
-- Review MCP server code before enabling
-- Use sandboxed execution environments when available
-- Limit MCP server permissions to minimum required
+### MCP Governance
 
-### AI Agent Security
+Only the DevOps agent (`@devops` / Pipeline) has authority to:
+- Add or remove MCP servers
+- Configure MCP credentials
+- Manage Docker MCP infrastructure
+
+Other agents are consumers only -- they cannot modify MCP configuration.
+
+---
 
-- Be cautious with agent commands that execute system operations
-- Review generated code before execution in production
-- Use appropriate access controls for sensitive operations
+## Agent Security Boundaries
 
-### Dependency Management
+### Framework Protection Layers (L1-L4)
 
-- Keep dependencies up to date
-- Run `npm audit` regularly
-- Review dependency changes in pull requests
+SINAPSE-AI enforces a 4-layer boundary model that controls what agents can and cannot modify:
 
-## Known Security Considerations
+| Layer | Protection | What It Contains |
+|-------|-----------|-----------------|
+| **L1** Framework Core | NEVER modify | Core modules, Constitution, CLI binaries |
+| **L2** Framework Templates | NEVER modify | Tasks, templates, checklists, workflows |
+| **L3** Project Config | Controlled | Data files, agent memory, config |
+| **L4** Project Runtime | Open | Stories, packages, tests |
 
-### Framework Architecture
+These boundaries are enforced deterministically through deny rules in `.claude/settings.json`, not through agent honor system.
 
-SINAPSE Framework executes AI-generated code and commands. Users should:
+### Agent Authority Matrix
 
-- Understand that AI agents can execute arbitrary code
-- Use appropriate sandboxing for untrusted environments
-- Review AI-generated output before production deployment
+Each agent has explicit permissions defining what operations it can perform:
+
+| Agent | Can Do | Cannot Do |
+|-------|--------|-----------|
+| `@developer` | Write code, commit locally | Push to remote, create PRs |
+| `@devops` | Push, create PRs, manage CI | Write application code |
+| `@architect` | Design decisions | Write implementation code |
+| `@data-engineer` | Schema design, migrations | Application code, git push |
+
+The `enforce-delegation.cjs` hook blocks orchestrator agents from executing domain work directly, enforcing the delegation matrix at runtime.
+
+### Git Push Authority
+
+Only `@devops` (Pipeline) can execute `git push`. The `enforce-git-push-authority.sh` hook intercepts all Bash commands and blocks any push attempt from other agents.
+
+---
 
-### Data Handling
+## Hook Architecture
 
-- SINAPSE may process sensitive data through AI providers
-- Review your AI provider's data handling policies
-- Consider data classification when using AI features
+SINAPSE-AI uses 19 Claude Code hooks organized by trigger event:
 
-## Security Updates
+### Hook Event Map
 
-Security updates are announced through:
+| Event | Hook | Purpose | Behavior |
+|-------|------|---------|----------|
+| **UserPromptSubmit** | `synapse-wrapper.cjs` | Context injection | Allow |
+| **PreToolUse (Bash)** | `enforce-git-push-authority.sh` | Block unauthorized push | Block |
+| **PreToolUse (Bash)** | `sql-governance.py` | Block dangerous SQL | Block |
+| **PreToolUse (Bash)** | `enforce-delegation.cjs` | Block direct orchestrator work | Block |
+| **PreToolUse (Write/Edit)** | `enforce-architecture-first.cjs` | Require docs before code | Block |
+| **PreToolUse (Write/Edit)** | `write-path-validation.cjs` | Warn on wrong paths | Warn |
+| **PreToolUse (Write/Edit)** | `enforce-story-gate.cjs` | Require story for code | Block |
+| **PreToolUse (Write/Edit)** | `slug-validation.py` | Validate naming | Warn |
+| **PreToolUse (Write/Edit)** | `mind-clone-governance.py` | Require DNA for clones | Block |
+| **PreToolUse (Write/Edit)** | `enforce-delegation.cjs` | Block direct orchestrator work | Block |
+| **PreToolUse (Read)** | `read-protection.py` | Control sensitive file access | Warn |
+| **PreCompact** | `precompact-wrapper.cjs` | Session digest capture | Allow |
 
-- [GitHub Security Advisories](https://github.com/SinapseAI/sinapse-ai/security/advisories)
-- [CHANGELOG.md](./CHANGELOG.md)
-- GitHub Releases
+### Design Principles
 
-## Acknowledgments
+1. **Fail-open** -- If a hook crashes or cannot parse input, it exits with code 0 (allow). This prevents hook bugs from blocking all development.
+2. **Fast** -- Each hook must complete in under 5 seconds.
+3. **Silent on success** -- Hooks only produce output when blocking or warning.
+4. **Deterministic** -- Same input always produces the same output.
+5. **No side effects** -- Hooks read state but do not modify it.
 
-We thank the following researchers for responsibly disclosing security issues:
+### Exit Code Protocol
+
+| Code | Meaning | Effect |
+|------|---------|--------|
+| 0 | Allow | Operation proceeds normally |
+| 2 | Block | Operation denied, message shown |
+| Other | Ignored | Treated as 0 (allow) |
+
+---
+
+## Best Practices for Users
+
+### After Installing SINAPSE-AI
+
+1. **Verify hook installation**: Run `npx sinapse-ai doctor` to confirm all hooks are registered
+2. **Check `.gitignore`**: Ensure `.env`, `.sinapse/`, and other sensitive paths are listed
+3. **Review MCP servers**: Only enable MCP servers you trust and need
+4. **Set up branch protection**: Enable branch protection on `main` in GitHub settings
+
+### During Development
+
+1. **Never commit `.env` files** -- Use `.env.example` with placeholder values
+2. **Use parameterized queries** -- Never use string interpolation for SQL
+3. **Review generated code** -- AI-generated code should be reviewed before production
+4. **Keep dependencies updated** -- Run `npm audit` regularly
+5. **Use feature branches** -- SINAPSE-AI automatically creates branches and never works on `main`
+
+### For Production Deployments
+
+1. **Enable RLS on all tables** with user data (see [RLS Patterns](../.sinapse-ai/data/rls-security-patterns.md))
+2. **Never expose `service_role`** keys in frontend code
+3. **Configure CORS** with explicit origins (never use `origin: '*'` in production)
+4. **Add rate limiting** to all public API endpoints
+5. **Set up security headers** using helmet or equivalent middleware
+
+---
 
-*No reports yet - be the first!*
+## Constitutional Enforcement
+
+SINAPSE-AI's Constitution (Article X -- Security and Data Protection) defines 25 mandatory pre-deploy blockers:
+
+### Tier 1: Absolute Blockers (10 items)
+
+These make deployment impossible if violated:
+- Tables without RLS enabled
+- Hardcoded API keys in source code
+- `service_role` exposed in frontend
+- Missing MFA on admin accounts
+- APIs without authentication
+- SQL with string concatenation
+- Critical/high dependency vulnerabilities
+- Secrets detected in codebase
+- Default credentials in production
+- Missing TLS encryption
+
+### Tier 2: Compliance Blockers (7 items)
+
+These make deployment illegal in Brazil (LGPD):
+- Missing DPO/Data Protection Officer
+- No breach notification capability
+- Missing consent mechanism
+- No data subject rights portal
+- International transfer without SCCs
+- Children's data without parental consent
+- Missing published privacy policy
+
+### Tier 3: Operational Blockers (8 items)
+
+These make deployment irresponsible:
+- No asset inventory
+- No centralized logging
+- No incident response plan
+- No backup verification
+- No vulnerability scanning
+- No network segmentation
+- No vendor security assessment
+- No SSL enforcement on database
+
+For the complete checklist and implementation details, see the Constitution at `.sinapse-ai/constitution.md`.
 
 ---
 
-*This security policy is effective as of December 2024.*
-*Last updated: 2025-12-11*
+*Last updated: 2026-04-03*

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "sinapse-ai",
-  "version": "7.7.11",
+  "version": "8.0.1",
   "description": "SINAPSE AI: Framework de orquestracao de IA — 18 squads, 175 agentes especializados",
   "bin": {
     "sinapse": "bin/sinapse.js",

package/packages/installer/src/manifest-signature.js

@@ -0,0 +1,194 @@
+'use strict';
+
+const crypto = require('crypto');
+const fs = require('fs');
+const path = require('path');
+const yaml = require('js-yaml');
+
+// Maximum limits to prevent DoS
+const MAX_MANIFEST_SIZE = 10 * 1024 * 1024; // 10MB
+const MAX_FILE_COUNT = 50000;
+const MAX_DIR_DEPTH = 50;
+
+/**
+ * Validates manifest content for security before YAML parsing.
+ * @param {string} rawContent - Raw file content
+ * @returns {{ valid: boolean, reason?: string }}
+ */
+function validateManifestSecurity(rawContent) {
+  // Size check
+  if (Buffer.byteLength(rawContent, 'utf8') > MAX_MANIFEST_SIZE) {
+    return { valid: false, reason: `Manifest exceeds ${MAX_MANIFEST_SIZE} bytes` };
+  }
+
+  // Null byte check
+  if (rawContent.includes('\x00')) {
+    return { valid: false, reason: 'Manifest contains null bytes' };
+  }
+
+  return { valid: true };
+}
+
+/**
+ * Validates paths in parsed manifest for traversal attacks.
+ * @param {object} manifest - Parsed YAML manifest
+ * @returns {{ valid: boolean, issues: string[] }}
+ */
+function validateManifestPaths(manifest) {
+  const issues = [];
+  let fileCount = 0;
+
+  function checkPath(filePath, context) {
+    fileCount++;
+    if (fileCount > MAX_FILE_COUNT) {
+      issues.push(`File count exceeds ${MAX_FILE_COUNT}`);
+      return;
+    }
+
+    // Path traversal
+    if (filePath.includes('..')) {
+      issues.push(`Path traversal detected in ${context}: ${filePath}`);
+    }
+
+    // Absolute paths
+    if (path.isAbsolute(filePath)) {
+      issues.push(`Absolute path in ${context}: ${filePath}`);
+    }
+
+    // Windows ADS
+    if (filePath.includes(':') && !filePath.match(/^[a-zA-Z]:/)) {
+      issues.push(`Possible ADS in ${context}: ${filePath}`);
+    }
+
+    // Depth check
+    const depth = filePath.split(/[/\\]/).length;
+    if (depth > MAX_DIR_DEPTH) {
+      issues.push(`Path depth ${depth} exceeds ${MAX_DIR_DEPTH} in ${context}`);
+    }
+  }
+
+  // Walk manifest structure looking for file paths
+  function walk(obj, prefix) {
+    if (!obj || typeof obj !== 'object') return;
+    for (const [key, value] of Object.entries(obj)) {
+      const ctx = prefix ? `${prefix}.${key}` : key;
+      if (typeof value === 'string' && (value.includes('/') || value.includes('\\'))) {
+        checkPath(value, ctx);
+      } else if (typeof value === 'object') {
+        walk(value, ctx);
+      }
+    }
+  }
+
+  walk(manifest, '');
+  return { valid: issues.length === 0, issues };
+}
+
+/**
+ * Generates Ed25519 keypair for signing.
+ * @returns {{ publicKey: string, privateKey: string }} Base64-encoded keys
+ */
+function generateKeyPair() {
+  const { publicKey, privateKey } = crypto.generateKeyPairSync('ed25519', {
+    publicKeyEncoding: { type: 'spki', format: 'der' },
+    privateKeyEncoding: { type: 'pkcs8', format: 'der' },
+  });
+  return {
+    publicKey: publicKey.toString('base64'),
+    privateKey: privateKey.toString('base64'),
+  };
+}
+
+/**
+ * Signs manifest content with Ed25519 private key.
+ * @param {string} content - Raw manifest content
+ * @param {string} privateKeyBase64 - Base64-encoded private key (DER PKCS8)
+ * @returns {string} Base64-encoded signature
+ */
+function signManifest(content, privateKeyBase64) {
+  const privateKey = crypto.createPrivateKey({
+    key: Buffer.from(privateKeyBase64, 'base64'),
+    format: 'der',
+    type: 'pkcs8',
+  });
+  const signature = crypto.sign(null, Buffer.from(content, 'utf8'), privateKey);
+  return signature.toString('base64');
+}
+
+/**
+ * Verifies manifest signature with Ed25519 public key.
+ * @param {string} content - Raw manifest content
+ * @param {string} signatureBase64 - Base64-encoded signature
+ * @param {string} publicKeyBase64 - Base64-encoded public key (DER SPKI)
+ * @returns {boolean}
+ */
+function verifyManifest(content, signatureBase64, publicKeyBase64) {
+  try {
+    const publicKey = crypto.createPublicKey({
+      key: Buffer.from(publicKeyBase64, 'base64'),
+      format: 'der',
+      type: 'spki',
+    });
+    return crypto.verify(
+      null,
+      Buffer.from(content, 'utf8'),
+      publicKey,
+      Buffer.from(signatureBase64, 'base64'),
+    );
+  } catch {
+    return false;
+  }
+}
+
+/**
+ * Loads and validates a manifest file securely.
+ * @param {string} manifestPath - Path to manifest YAML
+ * @param {string} [signatureBase64] - Optional signature to verify
+ * @param {string} [publicKeyBase64] - Optional public key for verification
+ * @returns {{ manifest: object, security: object }}
+ */
+function loadManifestSecure(manifestPath, signatureBase64, publicKeyBase64) {
+  const rawContent = fs.readFileSync(manifestPath, 'utf8');
+
+  // Step 1: Pre-parse security validation
+  const preCheck = validateManifestSecurity(rawContent);
+  if (!preCheck.valid) {
+    throw new Error(`Manifest security check failed: ${preCheck.reason}`);
+  }
+
+  // Step 2: Verify signature BEFORE parsing YAML (if provided)
+  let signatureValid = null;
+  if (signatureBase64 && publicKeyBase64) {
+    signatureValid = verifyManifest(rawContent, signatureBase64, publicKeyBase64);
+    if (!signatureValid) {
+      throw new Error('Manifest signature verification FAILED — possible tampering');
+    }
+  }
+
+  // Step 3: Parse YAML with FAILSAFE schema (no code execution)
+  const manifest = yaml.load(rawContent, { schema: yaml.FAILSAFE_SCHEMA });
+
+  // Step 4: Validate paths in parsed manifest
+  const pathCheck = validateManifestPaths(manifest);
+
+  return {
+    manifest,
+    security: {
+      sizeBytes: Buffer.byteLength(rawContent, 'utf8'),
+      signatureVerified: signatureValid,
+      pathValidation: pathCheck,
+    },
+  };
+}
+
+module.exports = {
+  generateKeyPair,
+  signManifest,
+  verifyManifest,
+  validateManifestSecurity,
+  validateManifestPaths,
+  loadManifestSecure,
+  MAX_MANIFEST_SIZE,
+  MAX_FILE_COUNT,
+  MAX_DIR_DEPTH,
+};

package/sinapse/agents/sinapse-orqx.md

@@ -1,6 +1,6 @@
 # Agent: Imperator — Sinapse Master
 
-> ACTIVATION-NOTICE: You are now Imperator — the supreme orchestrator of the SINAPSE ecosystem. You have authority over all 18 specialized squads (175 agents total). You do not execute domain work yourself — you diagnose, route, coordinate, and synthesize across the entire ecosystem. Every request passes through you first. You are the CEO of this AI workforce.
+> ACTIVATION-NOTICE: You are now Imperator — the supreme orchestrator of the SINAPSE ecosystem. You have authority over all 18 specialized squads (186 agents total). You do not execute domain work yourself — you diagnose, route, coordinate, and synthesize across the entire ecosystem. Every request passes through you first. You are the CEO of this AI workforce.
 
 ## ACTIVATION INSTRUCTIONS — MANDATORY ON LOAD
 
@@ -25,7 +25,7 @@ Then display:
 
 ```
  AI Agent Squads for Claude Code
- 18 squads · 175 agents · 1,370 tasks
+ 18 squads · 186 agents · 1,430 tasks
 
  👑 Imperator — Sinapse Master activated
 
@@ -111,7 +111,7 @@ agent:
   whenToUse: "ALWAYS as the default agent. Imperator is the first point of contact for EVERY request. Routes directly to @specialist when clear, or to @{domain}-orqx when complex."
 
 persona:
-  role: "Supreme Orchestrator of all 18 SINAPSE Squads (175 agents)"
+  role: "Supreme Orchestrator of all 18 SINAPSE Squads (186 agents)"
   identity: >
     The strategic mind at the top of the SINAPSE hierarchy. Imperator
     sees across all domains — branding, commerce, content, copy, animations,
@@ -664,7 +664,7 @@ Imperator can provide ecosystem-wide insights by combining capabilities across s
 | 17 | courses | courses | Syllabus | Course creation, workshops, ebooks |
 | 18 | claude-code-mastery | claude | Nucleus | Claude Code mastery, prompt engineering |
 
-**Total ecosystem:** 18 squads, 175 agents, 1,370 tasks
+**Total ecosystem:** 18 squads, 186 agents, 1,430 tasks
 
 ## Cross-Squad Handoffs
 - **Receives from:** Every squad (escalations, cross-squad requests)

package/squads/claude-code-mastery/agents/config-engineer.md

@@ -705,13 +705,13 @@ Type `*help` to see all commands, or `*guide` for comprehensive usage instructio
 
 **I collaborate with:**
 
-- **@devops (Gage):** For MCP server management and CI/CD pipeline configuration
-- **@architect (Aria):** For system architecture decisions that inform configuration boundaries
-- **@developer (Dex):** Receives optimized settings for development workflow efficiency
+- **@devops (Pipeline):** For MCP server management and CI/CD pipeline configuration
+- **@architect (Stratum):** For system architecture decisions that inform configuration boundaries
+- **@developer (Pixel):** Receives optimized settings for development workflow efficiency
 
 **I delegate to:**
 
-- **@devops (Gage):** For applying managed-settings.json to infrastructure and MCP administration
+- **@devops (Pipeline):** For applying managed-settings.json to infrastructure and MCP administration
 
 **When to use others:**
 
@@ -856,9 +856,9 @@ Path-scoped rules load when Claude reads matching files.
 
 ### Related Agents
 
-- **@devops (Gage)** - Applies infrastructure configuration and manages MCP servers
-- **@architect (Aria)** - Defines architecture boundaries that inform settings design
-- **@developer (Dex)** - Primary consumer of optimized configuration
+- **@devops (Pipeline)** - Applies infrastructure configuration and manages MCP servers
+- **@architect (Stratum)** - Defines architecture boundaries that inform settings design
+- **@developer (Pixel)** - Primary consumer of optimized configuration
 
 ---
 ---

package/squads/claude-code-mastery/agents/hooks-architect.md

@@ -920,10 +920,10 @@ Type `*help` to see all commands, or `*guide` for detailed usage.
 
 **I collaborate with:**
 
-- **@devops (Gage):** Handles hook deployment, git push, CI/CD integration
-- **@developer (Dex):** Implements complex hook logic or application integrations
-- **@quality-gate (Quinn):** Reviews hook test coverage and quality gate integration
-- **@architect (Aria):** Consults on hook architecture affecting system design
+- **@devops (Pipeline):** Handles hook deployment, git push, CI/CD integration
+- **@developer (Pixel):** Implements complex hook logic or application integrations
+- **@quality-gate (Litmus):** Reviews hook test coverage and quality gate integration
+- **@architect (Stratum):** Consults on hook architecture affecting system design
 
 **When to use others:**
 

package/squads/claude-code-mastery/agents/mcp-integrator.md

@@ -686,9 +686,9 @@ Type `*help` to see all commands.
 
 **I collaborate with:**
 
-- **@devops (Gage):** For Docker MCP infrastructure, git push, CI/CD changes
-- **@architect (Aria):** For system-level tool composition decisions
-- **@developer (Dex):** For custom MCP server implementation beyond scaffold
+- **@devops (Pipeline):** For Docker MCP infrastructure, git push, CI/CD changes
+- **@architect (Stratum):** For system-level tool composition decisions
+- **@developer (Pixel):** For custom MCP server implementation beyond scaffold
 
 **I consume:**
 
@@ -782,9 +782,9 @@ Need a capability?
 
 ### Related Agents
 
-- **@devops (Gage)** - Docker MCP infrastructure, git push, CI/CD
-- **@architect (Aria)** - System architecture impacted by tool choices
-- **@developer (Dex)** - Custom MCP server implementation
+- **@devops (Pipeline)** - Docker MCP infrastructure, git push, CI/CD
+- **@architect (Stratum)** - System architecture impacted by tool choices
+- **@developer (Pixel)** - Custom MCP server implementation
 
 ---
 ---