sinapse-ai 9.4.0 → 9.5.0

package/.sinapse-ai/development/skills/deploy-readiness.md

@@ -0,0 +1,93 @@
+---
+name: deploy-readiness
+description: Automated deployment readiness check against 25 blockers
+trigger: Before any production deployment
+agents: [devops, quality-gate, developer]
+---
+
+# Deploy Readiness Skill
+
+## Usage
+
+Invoke with `*deploy-readiness` or `/deploy-readiness` before any production deploy.
+
+## Protocol
+
+Run all 25 deployment blockers from Constitution Article X. For each item, execute the automated check where possible or mark as MANUAL.
+
+### Tier 1: Absolute Blockers (10 items — deploy = impossible)
+
+| # | Blocker | Automated Check |
+|---|---------|-----------------|
+| 1 | Tables without RLS | `SELECT tablename FROM pg_tables WHERE schemaname='public' AND NOT rowsecurity` |
+| 2 | Hardcoded API keys | `grep -rn "sk-\|sk_live\|AKIA\|password\s*=" src/ app/ --include="*.{ts,js,tsx}"` |
+| 3 | service_role in frontend | `grep -rn "service_role" src/ app/ pages/ --include="*.{ts,js,tsx}"` |
+| 4 | No MFA on admin accounts | MANUAL — verify in cloud dashboard |
+| 5 | APIs without auth | MANUAL — review endpoint middleware |
+| 6 | SQL string concatenation | `grep -rn "query(\`.*\${" src/ --include="*.{ts,js}"` |
+| 7 | Critical/high vulns in deps | `npm audit --audit-level=high` |
+| 8 | Secrets in codebase | `git log --all -p -- "*.env" \| head -5` + grep patterns |
+| 9 | Default credentials | MANUAL — check for admin/admin, test/test |
+| 10 | No TLS | MANUAL — verify HTTPS enforcement |
+
+### Tier 2: Compliance Blockers (7 items — deploy = illegal in Brazil)
+
+| # | Blocker | Check |
+|---|---------|-------|
+| 11 | No DPO designated | MANUAL — organizational check |
+| 12 | No breach notification capability | MANUAL — process check |
+| 13 | No consent mechanism | Search for consent UI: `grep -rn "consent\|consentimento" src/` |
+| 14 | No data subject rights portal | Search for deletion endpoint: `grep -rn "delete.*account\|excluir" src/` |
+| 15 | International transfer without SCCs | MANUAL — review data flows |
+| 16 | Children's data without parental consent | MANUAL — if applicable |
+| 17 | No published privacy policy | Check for privacy route: `grep -rn "privacidade\|privacy" src/` |
+
+### Tier 3: Operational Blockers (8 items — deploy = irresponsible)
+
+| # | Blocker | Check |
+|---|---------|-------|
+| 18 | No asset inventory | MANUAL — documentation check |
+| 19 | No centralized logging | Search for logger: `grep -rn "winston\|pino\|logger" src/` |
+| 20 | No incident response plan | MANUAL — documentation check |
+| 21 | No backup verification (90 days) | MANUAL — ops check |
+| 22 | No vulnerability scanning | Check CI for scan step: `grep -rn "audit\|snyk\|trivy" .github/` |
+| 23 | No network segmentation | MANUAL — infra review |
+| 24 | No vendor security assessment | MANUAL — procurement check |
+| 25 | No SSL on database | MANUAL — verify DB connection string |
+
+## Execution
+
+1. Run all automated checks in parallel where possible
+2. Collect results into score card
+3. For MANUAL items: mark as UNCHECKED (requires human verification)
+
+## Output
+
+```
+## Deploy Readiness Report — {project} — {date}
+
+### Score: {passed}/{total_auto} automated | {manual_count} manual checks pending
+
+### Tier 1 — Absolute Blockers
+| # | Check | Status | Details |
+|---|-------|--------|---------|
+| 1 | RLS | PASS | All 12 tables have RLS |
+| 2 | API Keys | FAIL | Found sk- in config.ts:42 |
+
+### Tier 2 — Compliance (LGPD)
+...
+
+### Tier 3 — Operational
+...
+
+### Verdict: READY | BLOCKED | NEEDS_MANUAL_REVIEW
+- Blocking items: {list}
+- Manual items pending: {list}
+```
+
+## Rules
+- Any Tier 1 FAIL = BLOCKED, no override
+- Tier 2 FAIL = BLOCKED (legal requirement)
+- Tier 3 FAIL = WARN, deploy with documented risk acceptance
+- MANUAL items do NOT block but must be reviewed before launch
+- Reference: `.claude/rules/security-data-protection.md`

package/.sinapse-ai/development/skills/model-router.md

@@ -0,0 +1,92 @@
+---
+name: model-router
+description: Decide which model to use for sub-agent tasks
+trigger: When spawning sub-agents or deciding task complexity
+agents: [developer, quality-gate, architect, analyst]
+---
+
+# Model Router Skill
+
+## Usage
+
+Invoke with `*model-router` or `/model-router` to determine the optimal model for a sub-agent task. Can also be used as internal guidance when orchestrating multi-agent workflows.
+
+## Decision Tree
+
+```
+Task received
+├── Can be done WITHOUT sub-agent? (file read, grep, simple command)
+│   └── YES → Do it directly. No sub-agent needed.
+│       Cost: $0 additional. Fastest path.
+│
+└── Needs sub-agent?
+    ├── Routine / mechanical work?
+    │   └── YES → model: "haiku"
+    │
+    ├── Standard implementation / analysis?
+    │   └── YES → model: "sonnet"
+    │
+    └── Complex reasoning / architecture?
+        └── YES → model: "opus" (default)
+```
+
+## Model Selection Matrix
+
+### No Sub-Agent (direct execution)
+| Task | Why |
+|------|-----|
+| Read a file | Native tool, instant |
+| Grep for pattern | Native tool, instant |
+| Run a test | Single bash command |
+| Check git status | Single bash command |
+| Simple file edit | Native tool, instant |
+
+### Haiku (fast, cheap — routine work)
+| Task | Why |
+|------|-----|
+| Lint check on file list | Mechanical, no judgment |
+| Format code | Pattern-based, deterministic |
+| Generate boilerplate | Template-driven |
+| Parse and extract data | Structural, low ambiguity |
+| Rename variables | Find-and-replace logic |
+| Validate JSON/YAML syntax | Structural validation |
+| Run checklist items | Binary pass/fail |
+
+### Sonnet (balanced — standard work)
+| Task | Why |
+|------|-----|
+| Implement a function from spec | Needs understanding but well-scoped |
+| Write unit tests | Requires code comprehension |
+| Code review (non-architectural) | Pattern recognition + judgment |
+| Bug fix with known root cause | Targeted reasoning |
+| Documentation from code | Comprehension + writing |
+| Refactor within a file | Understanding + transformation |
+| Story creation from brief | Structured writing |
+
+### Opus (full power — complex reasoning)
+| Task | Why |
+|------|-----|
+| Architecture decisions | Multi-dimensional tradeoffs |
+| Complex debugging (unknown cause) | Deep reasoning required |
+| Cross-system integration | Multiple context domains |
+| Security audit | Nuanced threat modeling |
+| Spec critique / validation | Judgment under uncertainty |
+| Multi-file refactoring | System-wide understanding |
+| Novel problem solving | No established pattern to follow |
+
+## Rules
+- Default to direct execution when possible (cost: $0, speed: instant)
+- When in doubt between tiers, pick the LOWER one first — escalate if poor results
+- Never use Opus for tasks Haiku can handle
+- Log model selection rationale for cost tracking
+- Sub-agent model is set via `model:` parameter in Task tool
+
+## Output
+
+```
+## Model Router Decision
+- Task: {description}
+- Classification: {routine|standard|complex|direct}
+- Model: {haiku|sonnet|opus|none}
+- Rationale: {one-line reason}
+```

package/.sinapse-ai/development/skills/sinapse-methodology.md

@@ -0,0 +1,175 @@
+---
+name: sinapse-methodology
+description: Complete SINAPSE AI development methodology in one self-contained skill
+trigger: When teaching SINAPSE methodology to any AI tool or new team member
+agents: [analyst, architect, developer, sprint-lead, product-lead]
+---
+
+# SINAPSE Methodology
+
+A complete AI-orchestrated development methodology. Self-contained — works in any project, any AI tool.
+
+## 1. Core Philosophy
+
+**CLI First. Observability Second. UI Third.**
+
+All intelligence lives in the CLI. Dashboards observe, never control. UI is optional. Every feature must work 100% via CLI before any UI exists.
+
+## 2. Constitution (10 Articles)
+
+Non-negotiable principles that govern all work:
+
+| # | Article | Severity | Summary |
+|---|---------|----------|---------|
+| I | CLI First | NON-NEGOTIABLE | CLI is the source of truth |
+| II | Agent Authority | NON-NEGOTIABLE | Each agent has exclusive operations |
+| III | Documentation-First | NON-NEGOTIABLE | Story before code, always |
+| IV | No Invention | MUST | Every spec traces to a requirement |
+| V | Quality First | MUST | Quality gates cannot be bypassed |
+| VI | Absolute Imports | SHOULD | No relative imports in codebase |
+| VII | Ecosystem Metrics | NON-NEGOTIABLE | Metrics must reflect reality |
+| VIII | Mandatory Delegation | NON-NEGOTIABLE | Orchestrators never do domain work |
+| IX | Safe Collaboration | NON-NEGOTIABLE | Git safety net for non-git-experts |
+| X | Security & Data | NON-NEGOTIABLE | 25 deployment blockers enforced |
+
+## 3. Agent System
+
+Specialized agents with exclusive authority domains:
+
+### Development Agents
+
+| Agent | Role | Exclusive Operations |
+|-------|------|---------------------|
+| Sprint Lead | Scrum Master | Story creation |
+| Product Lead | Product Owner | Story validation |
+| Developer | Implementation | Code, local git |
+| Quality Gate | QA | Quality checks, verdicts |
+| Architect | Design authority | Architecture decisions |
+| Data Engineer | Database | Schema, RLS, migrations |
+| DevOps | Deployment | git push, PR, CI/CD (EXCLUSIVE) |
+| Analyst | Research | Research, analysis |
+| Project Lead | PM | Epic orchestration |
+
+### Key Rule: Mandatory Delegation
+Orchestrators NEVER execute domain work. They absorb, diagnose, delegate, coordinate. Even if explicitly asked to "just do it," they delegate to the specialist.
+
+## 4. Story Development Cycle (SDC)
+
+The primary workflow for all development:
+
+```
+Phase 1: CREATE (Sprint Lead)
+  Input: Epic/PRD
+  Output: Story file with AC, scope, dependencies
+  Status: Draft
+
+Phase 2: VALIDATE (Product Lead)
+  10-point checklist (title, AC, scope, deps, complexity, value, risks, DoD, alignment)
+  Decision: GO (>=7/10) or NO-GO
+  Status: Draft -> Ready
+
+Phase 3: IMPLEMENT (Developer)
+  Modes: YOLO (autonomous) | Interactive | Pre-Flight (plan-first)
+  Self-healing code review (max 2 iterations)
+  Status: Ready -> InProgress
+
+Phase 4: QA GATE (Quality Gate)
+  7 checks: code review, tests, AC met, no regressions, perf, security, docs
+  Verdict: PASS | CONCERNS | FAIL | WAIVED
+  Status: InProgress -> InReview -> Done
+```
+
+**Golden Rule:** No code without a validated story. No exceptions.
+
+## 5. Quality Gates
+
+### Pre-Commit
+- Secrets scan (API keys, tokens, passwords)
+- Lint + typecheck
+- Fast review (unused imports, console.logs, patterns)
+
+### Pre-Merge (QA Loop)
+- Automated review with self-healing (max 5 iterations)
+- Verdicts: APPROVE, REJECT (fix + re-review), BLOCKED (escalate)
+
+### Pre-Deploy (25 Blockers)
+- Tier 1: 10 absolute blockers (RLS, secrets, auth, SQL injection, deps)
+- Tier 2: 7 compliance blockers (LGPD/Brazil)
+- Tier 3: 8 operational blockers (logging, backups, incident response)
+
+## 6. Safe Collaboration Protocol
+
+For teams where members are product builders, not git experts:
+
+1. **Auto-branch** — Never work on main. Create feature branch automatically.
+2. **Auto-sync** — git fetch + pull at session start. Always.
+3. **Auto-resolve** — Simple conflicts resolved by agent, complex ones shown to user.
+4. **Auto-PR** — PR created with reviewer assignment after push.
+5. **Secret scan** — Every commit checked for secrets. Blocked if found.
+
+Users never touch git. They focus on WHAT to build. Agents handle HOW to save it.
+
+## 7. Incremental Development (IDS)
+
+Decision hierarchy for every new artifact:
+
+```
+REUSE (>=90% match) > ADAPT (60-89% match, <30% changes) > CREATE (justify)
+```
+
+Creating something new requires: evaluated patterns, rejection reasons, unique capability justification, and registry entry within 24 hours.
+
+## 8. Security by Default
+
+Security is not a feature — it is the foundation. From day one:
+
+- RLS on every table with user data
+- Parameterized queries only (no SQL concatenation)
+- service_role never in frontend
+- Rate limiting on all public APIs
+- Input validation with schema (Zod)
+- CORS restricted to known origins
+- MFA on all admin accounts
+
+## 9. Framework Boundary Model
+
+4 layers with clear mutability rules:
+
+| Layer | Mutability | Example |
+|-------|-----------|---------|
+| L1 Core | NEVER | Constitution, orchestration engine |
+| L2 Templates | NEVER (extend only) | Tasks, templates, checklists |
+| L3 Config | Mutable (guarded) | Knowledge base, agent memory |
+| L4 Runtime | ALWAYS | Stories, packages, tests |
+
+## 10. Workflow Selection
+
+| Situation | Workflow |
+|-----------|---------|
+| New feature from epic | Story Development Cycle |
+| QA found issues | QA Loop (max 5 iterations) |
+| Complex feature needs spec | Spec Pipeline then SDC |
+| Joining existing project | Brownfield Discovery (10-phase) |
+| Trivial bug fix | SDC with fast-track |
+
+## 11. Communication Principles
+
+- Explain simply. "Saved your work" not "committed to HEAD."
+- Never assume git knowledge from users.
+- Always confirm before destructive operations.
+- Document every decision for future context.
+- Every finding references its source.
+
+## 12. Applying to Any Project
+
+To use SINAPSE methodology in a new project:
+
+1. Define agents and their exclusive authorities
+2. Enforce documentation-first (story before code)
+3. Set up quality gates (pre-commit, pre-merge, pre-deploy)
+4. Use the SDC workflow for all development
+5. Apply REUSE > ADAPT > CREATE for every artifact
+6. Implement safe collaboration for non-git-expert teams
+7. Security from commit one, not "later"
+
+This methodology scales from solo developers to multi-agent AI orchestration systems. The principles remain the same regardless of team size or tooling.

package/.sinapse-ai/development/skills/story-fast-track.md

@@ -0,0 +1,71 @@
+---
+name: story-fast-track
+description: Auto-create and validate story for trivial fixes
+trigger: Bug fix or docs change under 50 lines affecting 3 or fewer files
+agents: [developer, sprint-lead]
+---
+
+# Story Fast-Track Skill
+
+## Usage
+
+Invoke with `*fast-track` or `/fast-track` for trivial changes that need a story but not full validation.
+
+## Eligibility Criteria (ALL must be true)
+
+| Criterion | Threshold |
+|-----------|-----------|
+| Change type | Bug fix, docs, typo, config |
+| Lines changed | <= 50 |
+| Files affected | <= 3 |
+| Architecture impact | None |
+| New dependencies | None |
+| Database changes | None |
+| API surface changes | None |
+
+If ANY criterion fails, fall back to the standard SDC workflow (full story + @product-lead validation).
+
+## Protocol
+
+### 1. Verify Eligibility
+```bash
+git diff --stat          # files and lines
+git diff --name-only     # file list
+```
+
+Reject if: files in `.sinapse-ai/core/` or `bin/`, new deps, migrations, or API route changes.
+
+### 2. Auto-Generate Story
+
+Create at `docs/stories/active/fast-track-{YYYYMMDD}-{slug}.story.md` with:
+- Frontmatter: `id: FT-{YYYYMMDD}-{seq}`, `status: Ready`, `fast-tracked: true`, `complexity: XS`
+- Auto-generated description from git diff summary
+- 3 acceptance criteria: change applied, no regressions, tests pass
+- Scope IN (affected files) and OUT (everything else)
+- Change log with auto-creation entry
+
+### 3. Auto-Validate
+
+Fast-track stories skip manual @product-lead validation (trivially small scope, no architectural decisions, minimal risk). Status set directly to `Ready`.
+
+### 4. Proceed
+
+Developer proceeds immediately after story creation.
+
+## Output
+
+```
+## Fast-Track — {story_id}
+- Eligibility: PASSED (type={type}, lines={n}, files={n})
+- Story: docs/stories/active/{filename}
+- Status: Ready (auto-validated)
+- Proceed: YES
+```
+
+## Rules
+- Fast-track is a CONVENIENCE, not an escape hatch — abuse is a process violation
+- If in doubt about eligibility, use standard SDC
+- Fast-tracked stories still require QA gate after implementation
+- Maximum 3 fast-track stories per day per developer (prevents abuse)
+- Reference: `.sinapse-ai/development/workflows/fast-track.yaml`
+- Constitution Article III exception: trivial scope justifies bypassing manual validation

package/.sinapse-ai/development/tasks/dev-develop-story.md

@@ -15,6 +15,16 @@ Execute story development with selectable automation modes to accommodate differ
 - Minimal user interaction
 - **Best for:** Simple, deterministic tasks
 
+**Auto-Activation Conditions (no additional check-ins required):**
+
+YOLO / auto mode activates WITHOUT additional check-ins when **ALL** of the following are true:
+
+1. Story status is `Ready` (upgraded by `@product-lead` via `*validate-story-draft`)
+2. Story has been validated by `@product-lead` (validation entry present in Change Log)
+3. Story scope is clear (IN/OUT sections populated, AC numbered and testable, no ambiguous dependencies)
+
+When these three conditions hold, the developer proceeds autonomously through all tasks/subtasks, logging decisions to `.ai/decision-log-{story-id}.md` instead of prompting the user. If ANY condition is unmet (e.g., status still `Draft`, missing validation, scope contains open questions), fall back to **Interactive** or **Pre-Flight** mode.
+
 ### 2. Interactive Mode - Balanced, Educational (5-10 prompts) **[DEFAULT]**
 - Explicit decision checkpoints
 - Educational explanations