sinapse-ai 7.7.4 → 7.7.6

package/.codex/scripts/resolve-codex-delegation-parity.js

@@ -0,0 +1,205 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const PROJECT_ROOT = path.resolve(__dirname, '..', '..');
+const MATRIX_PATH = path.join('.codex', 'delegation-parity.json');
+
+function loadDelegationMatrix(projectRoot = PROJECT_ROOT) {
+  const matrixPath = path.join(projectRoot, MATRIX_PATH);
+  const raw = fs.readFileSync(matrixPath, 'utf8');
+  return JSON.parse(raw);
+}
+
+function normalizeRouteInput(value) {
+  return String(value || '')
+    .trim()
+    .replace(/^[@*]/, '')
+    .toLowerCase();
+}
+
+function normalizeActorInput(value) {
+  return String(value || '')
+    .trim()
+    .replace(/^@/, '')
+    .toLowerCase();
+}
+
+function collectRouteAliases(routeId, routeSpec) {
+  return [routeId, ...(routeSpec.aliases || [])]
+    .map((alias) => normalizeRouteInput(alias))
+    .filter(Boolean);
+}
+
+function resolveDelegationRoute(routeInput, projectRoot = PROJECT_ROOT, matrix = loadDelegationMatrix(projectRoot)) {
+  const normalized = normalizeRouteInput(routeInput);
+  const matches = Object.entries(matrix.routes || {}).filter(([routeId, routeSpec]) =>
+    collectRouteAliases(routeId, routeSpec).includes(normalized),
+  );
+
+  if (matches.length > 1) {
+    throw new Error(`Ambiguous Codex delegation route "${routeInput}"`);
+  }
+
+  if (matches.length === 0) {
+    throw new Error(`Unknown Codex delegation route "${routeInput}"`);
+  }
+
+  const [routeId, routeSpec] = matches[0];
+  return { routeId, routeSpec };
+}
+
+function resolveRouteRecord(routeInput, projectRoot = PROJECT_ROOT, matrix = loadDelegationMatrix(projectRoot)) {
+  if (
+    routeInput &&
+    typeof routeInput === 'object' &&
+    typeof routeInput.routeId === 'string' &&
+    routeInput.routeSpec &&
+    typeof routeInput.routeSpec === 'object'
+  ) {
+    return routeInput;
+  }
+
+  return resolveDelegationRoute(routeInput, projectRoot, matrix);
+}
+
+function routeMentionsSource(routeSpec, sourceInput) {
+  const normalizedSource = normalizeActorInput(sourceInput);
+  if (!normalizedSource) {
+    return true;
+  }
+
+  if (normalizeActorInput(routeSpec.owner) === normalizedSource) {
+    return true;
+  }
+
+  return (routeSpec.delegationChain || []).some(
+    (step) =>
+      normalizeActorInput(step.from) === normalizedSource ||
+      normalizeActorInput(step.to) === normalizedSource,
+  );
+}
+
+function buildHandoffPacket(routeInput, projectRoot = PROJECT_ROOT, matrix = loadDelegationMatrix(projectRoot)) {
+  const { routeId, routeSpec } = resolveRouteRecord(routeInput, projectRoot, matrix);
+  const nextStep = routeSpec.delegationChain?.[0] || null;
+
+  return {
+    routeId,
+    mission: routeSpec.mission,
+    phase: matrix.phase || 'W5 / Delegation Matrix Parity',
+    owner: routeSpec.owner,
+    classification: routeSpec.classification,
+    summary: routeSpec.summary || '',
+    inputs: routeSpec.inputs || [],
+    outputs: routeSpec.outputs || [],
+    validators: routeSpec.validators || [],
+    sharedSurfaceRisk: routeSpec.sharedSurfaceRisk || 'low',
+    nextHandoff: {
+      to: nextStep?.to || routeSpec.owner,
+      artifact: routeSpec.outputs?.[0] || 'handoff-packet',
+    },
+    delegationChain: routeSpec.delegationChain || [],
+    resources: routeSpec.resources || [],
+    notes: routeSpec.notes || [],
+  };
+}
+
+function resolveCodexDelegation(routeInput, projectRoot = PROJECT_ROOT, options = {}) {
+  const matrix = options.matrix || loadDelegationMatrix(projectRoot);
+  const { routeId, routeSpec } = resolveDelegationRoute(routeInput, projectRoot, matrix);
+
+  if (options.source && !routeMentionsSource(routeSpec, options.source)) {
+    throw new Error(
+      `Codex delegation route "${routeId}" is not available from source "${options.source}"`,
+    );
+  }
+
+  return {
+    routeId,
+    owner: routeSpec.owner,
+    requestType: routeSpec.requestType,
+    classification: routeSpec.classification,
+    mission: routeSpec.mission,
+    summary: routeSpec.summary || '',
+    inputs: routeSpec.inputs || [],
+    outputs: routeSpec.outputs || [],
+    validators: routeSpec.validators || [],
+    sharedSurfaceRisk: routeSpec.sharedSurfaceRisk || 'low',
+    resources: routeSpec.resources || [],
+    delegationChain: routeSpec.delegationChain || [],
+    handoffPacket: buildHandoffPacket({ routeId, routeSpec }, projectRoot, matrix),
+  };
+}
+
+function parseArgs(argv = process.argv.slice(2)) {
+  const flags = new Set(argv.filter((arg) => arg.startsWith('--')));
+  const args = argv.filter((arg) => !arg.startsWith('--'));
+
+  return {
+    source: args.length > 1 ? args[0] : null,
+    route: args.length > 1 ? args[1] : args[0],
+    json: flags.has('--json'),
+    packet: flags.has('--packet'),
+  };
+}
+
+function formatHumanResult(result) {
+  const nextHandoff = result.handoffPacket?.nextHandoff?.to || 'n/a';
+  const delegationPath = (result.delegationChain || [])
+    .map((step) => `${step.from} -> ${step.to}`)
+    .join(' | ');
+
+  return [
+    `Route: ${result.routeId}`,
+    `Owner: ${result.owner}`,
+    `Request Type: ${result.requestType}`,
+    `Classification: ${result.classification}`,
+    `Next Handoff: ${nextHandoff}`,
+    `Delegation Chain: ${delegationPath || 'n/a'}`,
+  ].join('\n');
+}
+
+function main() {
+  const args = parseArgs();
+  if (!args.route) {
+    console.error(
+      'Usage: node .codex/scripts/resolve-codex-delegation-parity.js <route> [--json] [--packet]\n' +
+        '   or: node .codex/scripts/resolve-codex-delegation-parity.js <source-agent> <route> [--json] [--packet]',
+    );
+    process.exit(1);
+  }
+
+  try {
+    const result = resolveCodexDelegation(args.route, PROJECT_ROOT, {
+      source: args.source,
+    });
+    const payload = args.packet ? result.handoffPacket : result;
+
+    if (args.json || args.packet) {
+      console.log(JSON.stringify(payload, null, 2));
+    } else {
+      console.log(formatHumanResult(result));
+    }
+  } catch (error) {
+    console.error(error.message);
+    process.exit(1);
+  }
+}
+
+if (require.main === module) {
+  main();
+}
+
+module.exports = {
+  MATRIX_PATH,
+  loadDelegationMatrix,
+  normalizeRouteInput,
+  resolveDelegationRoute,
+  buildHandoffPacket,
+  resolveCodexDelegation,
+  parseArgs,
+  formatHumanResult,
+};

package/.codex/scripts/resolve-codex-delegation.js

@@ -0,0 +1,176 @@
+#!/usr/bin/env node
+'use strict';
+
+const fs = require('fs');
+const path = require('path');
+
+const PROJECT_ROOT = path.resolve(__dirname, '..', '..');
+
+function loadDelegationMatrix(projectRoot = PROJECT_ROOT) {
+  const matrixPath = path.join(projectRoot, '.codex', 'delegation-matrix.json');
+  const raw = fs.readFileSync(matrixPath, 'utf8');
+  return JSON.parse(raw);
+}
+
+function normalizeAgentInput(value) {
+  return String(value || '').trim().replace(/^@/, '').toLowerCase();
+}
+
+function normalizeRouteInput(value) {
+  return String(value || '').trim().replace(/^\*/, '').toLowerCase();
+}
+
+function collectAliases(routeId, routeSpec) {
+  return [routeId, ...(routeSpec.aliases || [])]
+    .map((alias) => normalizeRouteInput(alias))
+    .filter(Boolean);
+}
+
+function getSourceAgentConfig(matrix, agentInput) {
+  const normalized = normalizeAgentInput(agentInput);
+
+  if (['sinapse-orqx', 'imperator'].includes(normalized)) {
+    return {
+      sourceAgent: 'sinapse-orqx',
+      routes: {
+        ...(matrix.masterRoutes || {}),
+        ...(matrix.orqxRoutes || {}),
+      },
+    };
+  }
+
+  const matches = Object.entries(matrix.specialistRoutes || {})
+    .filter(([sourceAgentId, sourceSpec]) => {
+      const aliases = [sourceAgentId, ...(sourceSpec.aliases || [])]
+        .map((alias) => normalizeAgentInput(alias))
+        .filter(Boolean);
+      return aliases.includes(normalized);
+    });
+
+  if (matches.length > 1) {
+    throw new Error(`Ambiguous Codex delegation source "${agentInput}"`);
+  }
+
+  if (matches.length === 1) {
+    return {
+      sourceAgent: matches[0][0],
+      routes: matches[0][1].routes || {},
+    };
+  }
+
+  return null;
+}
+
+function resolveRoute(routes, routeInput) {
+  const normalized = normalizeRouteInput(routeInput);
+  const matches = Object.entries(routes || {})
+    .filter(([routeId, routeSpec]) => collectAliases(routeId, routeSpec).includes(normalized));
+
+  if (matches.length > 1) {
+    throw new Error(`Ambiguous Codex delegation route "${routeInput}"`);
+  }
+
+  if (matches.length === 0) {
+    return null;
+  }
+
+  return {
+    routeId: matches[0][0],
+    routeSpec: matches[0][1],
+  };
+}
+
+function resolveCodexDelegation(agentInput, routeInput, projectRoot = PROJECT_ROOT) {
+  const matrix = loadDelegationMatrix(projectRoot);
+  const source = getSourceAgentConfig(matrix, agentInput);
+  if (!source) {
+    throw new Error(`Unknown Codex delegation source "${agentInput}"`);
+  }
+
+  const route = resolveRoute(source.routes, routeInput);
+  if (!route) {
+    throw new Error(`Unknown Codex delegation route "${routeInput}" for source "${source.sourceAgent}"`);
+  }
+
+  return {
+    sourceAgent: source.sourceAgent,
+    routeId: route.routeId,
+    classification: route.routeSpec.classification,
+    target: route.routeSpec.target,
+    handoff: route.routeSpec.handoff || null,
+    sourceDocs: route.routeSpec.sourceDocs || [],
+    handoffSchemaPath: matrix.handoffSchemaPath,
+    handoffTemplatePath: matrix.handoffTemplatePath,
+  };
+}
+
+function parseArgs(argv = process.argv.slice(2)) {
+  const args = argv.filter((arg) => !arg.startsWith('--'));
+  const flags = new Set(argv.filter((arg) => arg.startsWith('--')));
+  return {
+    agent: args[0],
+    route: args[1],
+    json: flags.has('--json'),
+  };
+}
+
+function formatHumanResult(result) {
+  const lines = [
+    `Source: ${result.sourceAgent}`,
+    `Route: ${result.routeId}`,
+    `Classification: ${result.classification}`,
+    `Target Type: ${result.target.type}`,
+    `Target Agent: ${result.target.agentId}`,
+  ];
+
+  if (result.target.commandId) {
+    lines.push(`Target Command: ${result.target.commandId}`);
+  }
+  if (result.target.docPath) {
+    lines.push(`Target Doc: ${result.target.docPath}`);
+  }
+  if (result.target.taskPath) {
+    lines.push(`Target Task: ${result.target.taskPath}`);
+  }
+  if (result.handoff) {
+    lines.push(`Next Handoff: ${result.handoff.nextHandoff}`);
+  }
+
+  return lines.join('\n');
+}
+
+function main() {
+  const args = parseArgs();
+  if (!args.agent || !args.route) {
+    console.error('Usage: node .codex/scripts/resolve-codex-delegation.js <source-agent> <route> [--json]');
+    process.exit(1);
+  }
+
+  try {
+    const result = resolveCodexDelegation(args.agent, args.route);
+    if (args.json) {
+      console.log(JSON.stringify(result, null, 2));
+    } else {
+      console.log(formatHumanResult(result));
+    }
+  } catch (error) {
+    console.error(error.message);
+    process.exit(1);
+  }
+}
+
+if (require.main === module) {
+  main();
+}
+
+module.exports = {
+  loadDelegationMatrix,
+  normalizeAgentInput,
+  normalizeRouteInput,
+  collectAliases,
+  getSourceAgentConfig,
+  resolveRoute,
+  resolveCodexDelegation,
+  parseArgs,
+  formatHumanResult,
+};

package/.codex/tasks/route-sinapse-request.md

@@ -11,19 +11,21 @@ Diagnose a request and choose the smallest correct Codex routing path.
 ## Steps
 
 1. Read `.codex/catalog.json`.
-2. Classify the request as one of:
+2. Read `.codex/delegation-parity.json`.
+3. Classify the request as one of:
    - simple + single-domain
    - complex + single-domain
    - complex + multi-domain
    - framework/development workflow
-3. Prefer the smallest correct path:
+4. Prefer the smallest correct path:
    - simple + single-domain -> relevant `*-orqx` or validated framework agent
    - complex + single-domain -> relevant `*-orqx`
    - complex + multi-domain -> `sinapse-orqx` orchestration plan
    - framework/development workflow -> `sinapse-pm`, `sinapse-po`, `sinapse-sm`, `sinapse-dev`, or `sinapse-qa`
-4. If the request depends on a starred command, resolve it through `.codex/command-registry.json`.
-5. Only recommend direct specialist routing from `.codex/agents` when it is an exploratory fallback rather than a validator-backed path.
-6. Return the recommended route with rationale and next action.
+5. When the request matches an approved handoff route, resolve it through `.codex/delegation-parity.json`.
+6. If the request depends on a starred command, resolve it through `.codex/command-registry.json`.
+7. Only recommend direct specialist routing from `.codex/agents` when the delegation matrix marks it as `exploratory`.
+8. Return the recommended route with rationale, classification, and next action.
 
 ## Output Contract
 

package/.sinapse-ai/constitution.md

@@ -1,6 +1,6 @@
 # SINAPSE Constitution
 
-> **Version:** 2.1.0 | **Ratified:** 2025-01-30 | **Last Amended:** 2026-04-02
+> **Version:** 2.2.0 | **Ratified:** 2025-01-30 | **Last Amended:** 2026-04-03
 
 Este documento define os princípios fundamentais e inegociáveis do SINAPSE. Todos os agentes, tasks, e workflows DEVEM respeitar estes princípios. Violações são bloqueadas automaticamente via gates.
 
@@ -239,6 +239,72 @@ Usuários são product builders, não especialistas em git. Agentes DEVEM gerenc
 
 ---
 
+### X. Security & Data Protection (NON-NEGOTIABLE)
+
+Todo projeto que manipula dados de usuarios DEVE seguir praticas de seguranca rigorosas. Nenhum atalho e aceito — seguranca e inegociavel desde o primeiro commit.
+
+**Regras — Banco de Dados:**
+- MUST: TODA tabela com dados de usuario DEVE ter Row Level Security (RLS) ativado
+- MUST: Chave `service_role` NUNCA exposta no frontend — apenas no servidor
+- MUST: Queries DEVEM ser parametrizadas (`$1, $2`) — NUNCA string interpolation
+- MUST: Cada servico DEVE usar role com privilegios minimos (principio do menor privilegio)
+- MUST: Dados sensiveis (CPF, cartao, saude) DEVEM ser criptografados em repouso
+
+**Regras — APIs:**
+- MUST: TODA API publica DEVE ter rate limiting configurado
+- MUST: TODA API DEVE validar input (schema validation com Zod ou equivalente)
+- MUST: CORS DEVE restringir origens permitidas (NUNCA `origin: '*'` em producao)
+- MUST: Headers de seguranca DEVEM estar ativos (helmet ou equivalente)
+- MUST: Autenticacao DEVE usar OAuth 2.0 / OIDC ou Supabase Auth
+
+**Regras — Secrets & Keys:**
+- MUST: API keys, tokens e credenciais DEVEM estar em variaveis de ambiente (.env)
+- MUST: Arquivos .env NUNCA commitados no repositorio (gitignore obrigatorio)
+- MUST: .env.example DEVE existir com placeholders (sem valores reais)
+- MUST: Variaveis prefixadas com `NEXT_PUBLIC_` sao PUBLICAS — NUNCA colocar secrets nelas
+- MUST: Rotacao de chaves DEVE ser feita ao menor sinal de vazamento
+- MUST NOT: Nenhum agente pode commitar arquivos contendo credentials em plaintext
+
+**Regras — LGPD (Lei Geral de Protecao de Dados):**
+- MUST: Consentimento explicito DEVE ser coletado antes de processar dados pessoais (Art. 7)
+- MUST: Usuarios DEVEM poder acessar, corrigir e deletar seus dados (Art. 18)
+- MUST: DPO/Encarregado DEVE ser designado para projetos com dados pessoais (Art. 37)
+- MUST: Medidas de seguranca tecnica DEVEM proteger dados contra acesso nao autorizado (Art. 46)
+- MUST: Incidentes de seguranca DEVEM ser notificados a ANPD e titulares (Art. 48)
+- MUST: Dados pessoais DEVEM ter periodo de retencao definido e documentado
+- MUST: Audit logging DEVE registrar todo acesso a dados pessoais
+
+**Regras — Repositorio:**
+- MUST: Repositorios com codigo de producao DEVEM ser privados por padrao
+- MUST: Branch protection DEVE estar ativa em main (PR + approval)
+- MUST: GitHub Secret Scanning DEVE estar habilitado
+- MUST: Dependabot DEVE estar configurado para alertas de seguranca
+- MUST: CODEOWNERS DEVE proteger arquivos criticos
+
+**Delegacao:**
+
+| Dominio de Seguranca | Agente Responsavel |
+|----------------------|-------------------|
+| Threat modeling, MITRE ATT&CK | @cyber-orqx → Shield (threat-analyst) |
+| Penetration testing, OWASP | @cyber-orqx → Breach (penetration-tester) |
+| SOC, detection engineering | @cyber-orqx → Sentinel (soc-analyst) |
+| Incident response | @cyber-orqx → Rapid (incident-responder) |
+| Cloud security, IAM, encryption | @cyber-orqx → Nimbus (cloud-security-engineer) |
+| Network security, zero trust | @cyber-orqx → Wire (network-security-engineer) |
+| LGPD, GDPR, SOC 2, ISO 27001 | @cyber-orqx → Govern (compliance-officer) |
+| Database security, RLS | @data-engineer (Dara) |
+| Application security, hooks | @developer (Dex) + hooks automaticos |
+
+**Gates:**
+- Hook `sql-governance.py` — BLOCK DDL perigoso
+- Hook `secret-scanning.cjs` — BLOCK credentials em commits
+- Hook `staged-secret-scan.js` — BLOCK .env e tokens pre-commit
+- Checklist: `.claude/rules/security-data-protection.md`
+
+**Rule file:** `.claude/rules/security-data-protection.md`
+
+---
+
 ## Governance
 
 ### Amendment Process

package/.sinapse-ai/core/doctor/checks/constitution-consistency.js

@@ -29,6 +29,7 @@ const KEY_ARTICLES = [
   'Ecosystem Metrics Accuracy',
   'Mandatory Delegation',
   'Safe Collaboration',
+  'Security & Data Protection',
 ];
 
 /**

package/.sinapse-ai/core/health-check/checks/project/constitution-consistency.js

@@ -28,6 +28,7 @@ const EXPECTED_ARTICLES = [
   { number: 'VII', title: 'Ecosystem Metrics Accuracy', severity: 'NON-NEGOTIABLE' },
   { number: 'VIII', title: 'Mandatory Delegation', severity: 'NON-NEGOTIABLE' },
   { number: 'IX', title: 'Safe Collaboration', severity: 'NON-NEGOTIABLE' },
+  { number: 'X', title: 'Security & Data Protection', severity: 'NON-NEGOTIABLE' },
 ];
 
 /**