sinapse-ai 9.4.0 → 9.5.0

package/.claude/hooks/write-path-validation.py

@@ -1,195 +1,195 @@
-#!/usr/bin/env python3
-"""
-Hook: Write Path Validation
-
-REGRA: Documentos devem ir para os paths corretos conforme convenções.
-
-Este hook intercepta Write/Edit e AVISA (não bloqueia) quando o path
-parece violar as convenções de organização de documentos.
-
-Exit Codes:
-- 0: Sempre (apenas avisa, nunca bloqueia)
-"""
-
-import json
-import sys
-import os
-import re
-from datetime import datetime
-
-# =============================================================================
-# CONFIGURAÇÃO: Regras de organização de documentos
-# =============================================================================
-
-PATH_RULES = [
-    # (pattern no nome/conteúdo, path esperado, descrição)
-    {
-        "name_patterns": [r"session", r"handoff", r"^2\d{3}-\d{2}-\d{2}"],
-        "expected_path": "docs/sessions/",
-        "description": "Session logs e handoffs → docs/sessions/YYYY-MM/",
-    },
-    {
-        "name_patterns": [r"architecture", r"system-design", r"infra"],
-        "expected_path": "docs/architecture/",
-        "description": "Docs de arquitetura → docs/architecture/",
-        "exclude_patterns": [r"ARCHITECTURE_RULES"],  # Exceção para MMOS
-    },
-    {
-        "name_patterns": [r"guide", r"tutorial", r"how-to"],
-        "expected_path": "docs/guides/",
-        "description": "Guias e tutoriais → docs/guides/",
-    },
-    {
-        "name_patterns": [r"prd\.md$", r"epic.*\.md$", r"story.*\.md$"],
-        "expected_path": "docs/projects/",
-        "description": "PRDs, Epics, Stories → docs/projects/{project}/",
-    },
-    {
-        "name_patterns": [r"mind.*specific", r"mind.*validation"],
-        "expected_path": "outputs/minds/",
-        "description": "Docs específicos de mind → outputs/minds/{slug}/docs/",
-    },
-]
-
-# Paths que são sempre válidos (não avisar)
-ALWAYS_VALID_PATHS = [
-    ".claude/",
-    ".sinapse-ai/",
-    ".sinapse-upstream/",
-    "squads/",
-    "node_modules/",
-    ".git/",
-    "app/",
-    "supabase/",
-    "outputs/",
-]
-
-# =============================================================================
-# LÓGICA DO HOOK
-# =============================================================================
-
-def get_project_root():
-    """Obtém o root do projeto."""
-    return os.environ.get("CLAUDE_PROJECT_DIR", os.getcwd())
-
-def normalize_path(file_path: str, project_root: str) -> str:
-    """Normaliza path para relativo."""
-    if file_path.startswith(project_root):
-        return file_path[len(project_root):].lstrip("/")
-    return file_path
-
-def is_always_valid(relative_path: str) -> bool:
-    """Verifica se o path está em área sempre válida."""
-    for valid in ALWAYS_VALID_PATHS:
-        if relative_path.startswith(valid):
-            return True
-    return False
-
-def is_documentation_file(relative_path: str) -> bool:
-    """Verifica se é um arquivo de documentação."""
-    doc_extensions = [".md", ".mdx", ".txt", ".rst"]
-    return any(relative_path.endswith(ext) for ext in doc_extensions)
-
-def check_path_rules(relative_path: str) -> list[dict]:
-    """
-    Verifica se o path viola alguma regra.
-
-    Returns:
-        Lista de violações com sugestões
-    """
-    violations = []
-    filename = os.path.basename(relative_path)
-
-    for rule in PATH_RULES:
-        # Verificar se o nome do arquivo corresponde ao pattern
-        matches_name = False
-        for pattern in rule["name_patterns"]:
-            if re.search(pattern, filename, re.IGNORECASE):
-                matches_name = True
-                break
-
-        if not matches_name:
-            continue
-
-        # Verificar exceções
-        if "exclude_patterns" in rule:
-            is_excluded = False
-            for exc_pattern in rule["exclude_patterns"]:
-                if re.search(exc_pattern, filename, re.IGNORECASE):
-                    is_excluded = True
-                    break
-            if is_excluded:
-                continue
-
-        # Verificar se está no path esperado
-        expected = rule["expected_path"]
-        if not relative_path.startswith(expected):
-            violations.append({
-                "current_path": relative_path,
-                "expected_path": expected,
-                "description": rule["description"],
-            })
-
-    return violations
-
-def main():
-    # Ler input do stdin
-    try:
-        input_data = json.load(sys.stdin)
-    except json.JSONDecodeError:
-        sys.exit(0)
-
-    tool_name = input_data.get("tool_name", "")
-    tool_input = input_data.get("tool_input", {})
-
-    # Só processar Write e Edit
-    if tool_name not in ["Write", "Edit"]:
-        sys.exit(0)
-
-    file_path = tool_input.get("file_path", "")
-    if not file_path:
-        sys.exit(0)
-
-    # Normalizar path
-    project_root = get_project_root()
-    relative_path = normalize_path(file_path, project_root)
-
-    # Verificar se é área sempre válida
-    if is_always_valid(relative_path):
-        sys.exit(0)
-
-    # Só verificar arquivos de documentação
-    if not is_documentation_file(relative_path):
-        sys.exit(0)
-
-    # Verificar regras
-    violations = check_path_rules(relative_path)
-
-    if not violations:
-        sys.exit(0)
-
-    # AVISAR (não bloquear)
-    violation = violations[0]  # Mostrar primeira violação
-
-    warning_message = f"""
-┌──────────────────────────────────────────────────────────────────────────────┐
-│  ⚠️  PATH WARNING: Documento pode estar no local errado                       │
-├──────────────────────────────────────────────────────────────────────────────┤
-│                                                                              │
-│  Arquivo: {relative_path[:60]:<60} │
-│                                                                              │
-│  Convenção: {violation['description'][:56]:<56} │
-│  Esperado:  {violation['expected_path']:<57} │
-│                                                                              │
-│  NOTA: Este é apenas um AVISO, a operação será executada.                    │
-│        Verifique se o path está correto antes de continuar.                  │
-│                                                                              │
-└──────────────────────────────────────────────────────────────────────────────┘
-"""
-    # Imprimir warning mas NÃO bloquear (exit 0)
-    print(warning_message, file=sys.stderr)
-    sys.exit(0)
-
-if __name__ == "__main__":
-    main()
-
+#!/usr/bin/env python3
+"""
+Hook: Write Path Validation
+
+REGRA: Documentos devem ir para os paths corretos conforme convenções.
+
+Este hook intercepta Write/Edit e AVISA (não bloqueia) quando o path
+parece violar as convenções de organização de documentos.
+
+Exit Codes:
+- 0: Sempre (apenas avisa, nunca bloqueia)
+"""
+
+import json
+import sys
+import os
+import re
+from datetime import datetime
+
+# =============================================================================
+# CONFIGURAÇÃO: Regras de organização de documentos
+# =============================================================================
+
+PATH_RULES = [
+    # (pattern no nome/conteúdo, path esperado, descrição)
+    {
+        "name_patterns": [r"session", r"handoff", r"^2\d{3}-\d{2}-\d{2}"],
+        "expected_path": "docs/sessions/",
+        "description": "Session logs e handoffs → docs/sessions/YYYY-MM/",
+    },
+    {
+        "name_patterns": [r"architecture", r"system-design", r"infra"],
+        "expected_path": "docs/architecture/",
+        "description": "Docs de arquitetura → docs/architecture/",
+        "exclude_patterns": [r"ARCHITECTURE_RULES"],  # Exceção para MMOS
+    },
+    {
+        "name_patterns": [r"guide", r"tutorial", r"how-to"],
+        "expected_path": "docs/guides/",
+        "description": "Guias e tutoriais → docs/guides/",
+    },
+    {
+        "name_patterns": [r"prd\.md$", r"epic.*\.md$", r"story.*\.md$"],
+        "expected_path": "docs/projects/",
+        "description": "PRDs, Epics, Stories → docs/projects/{project}/",
+    },
+    {
+        "name_patterns": [r"mind.*specific", r"mind.*validation"],
+        "expected_path": "outputs/minds/",
+        "description": "Docs específicos de mind → outputs/minds/{slug}/docs/",
+    },
+]
+
+# Paths que são sempre válidos (não avisar)
+ALWAYS_VALID_PATHS = [
+    ".claude/",
+    ".sinapse-ai/",
+    ".sinapse-upstream/",
+    "squads/",
+    "node_modules/",
+    ".git/",
+    "app/",
+    "supabase/",
+    "outputs/",
+]
+
+# =============================================================================
+# LÓGICA DO HOOK
+# =============================================================================
+
+def get_project_root():
+    """Obtém o root do projeto."""
+    return os.environ.get("CLAUDE_PROJECT_DIR", os.getcwd())
+
+def normalize_path(file_path: str, project_root: str) -> str:
+    """Normaliza path para relativo."""
+    if file_path.startswith(project_root):
+        return file_path[len(project_root):].lstrip("/")
+    return file_path
+
+def is_always_valid(relative_path: str) -> bool:
+    """Verifica se o path está em área sempre válida."""
+    for valid in ALWAYS_VALID_PATHS:
+        if relative_path.startswith(valid):
+            return True
+    return False
+
+def is_documentation_file(relative_path: str) -> bool:
+    """Verifica se é um arquivo de documentação."""
+    doc_extensions = [".md", ".mdx", ".txt", ".rst"]
+    return any(relative_path.endswith(ext) for ext in doc_extensions)
+
+def check_path_rules(relative_path: str) -> list[dict]:
+    """
+    Verifica se o path viola alguma regra.
+
+    Returns:
+        Lista de violações com sugestões
+    """
+    violations = []
+    filename = os.path.basename(relative_path)
+
+    for rule in PATH_RULES:
+        # Verificar se o nome do arquivo corresponde ao pattern
+        matches_name = False
+        for pattern in rule["name_patterns"]:
+            if re.search(pattern, filename, re.IGNORECASE):
+                matches_name = True
+                break
+
+        if not matches_name:
+            continue
+
+        # Verificar exceções
+        if "exclude_patterns" in rule:
+            is_excluded = False
+            for exc_pattern in rule["exclude_patterns"]:
+                if re.search(exc_pattern, filename, re.IGNORECASE):
+                    is_excluded = True
+                    break
+            if is_excluded:
+                continue
+
+        # Verificar se está no path esperado
+        expected = rule["expected_path"]
+        if not relative_path.startswith(expected):
+            violations.append({
+                "current_path": relative_path,
+                "expected_path": expected,
+                "description": rule["description"],
+            })
+
+    return violations
+
+def main():
+    # Ler input do stdin
+    try:
+        input_data = json.load(sys.stdin)
+    except json.JSONDecodeError:
+        sys.exit(0)
+
+    tool_name = input_data.get("tool_name", "")
+    tool_input = input_data.get("tool_input", {})
+
+    # Só processar Write e Edit
+    if tool_name not in ["Write", "Edit"]:
+        sys.exit(0)
+
+    file_path = tool_input.get("file_path", "")
+    if not file_path:
+        sys.exit(0)
+
+    # Normalizar path
+    project_root = get_project_root()
+    relative_path = normalize_path(file_path, project_root)
+
+    # Verificar se é área sempre válida
+    if is_always_valid(relative_path):
+        sys.exit(0)
+
+    # Só verificar arquivos de documentação
+    if not is_documentation_file(relative_path):
+        sys.exit(0)
+
+    # Verificar regras
+    violations = check_path_rules(relative_path)
+
+    if not violations:
+        sys.exit(0)
+
+    # AVISAR (não bloquear)
+    violation = violations[0]  # Mostrar primeira violação
+
+    warning_message = f"""
+┌──────────────────────────────────────────────────────────────────────────────┐
+│  ⚠️  PATH WARNING: Documento pode estar no local errado                       │
+├──────────────────────────────────────────────────────────────────────────────┤
+│                                                                              │
+│  Arquivo: {relative_path[:60]:<60} │
+│                                                                              │
+│  Convenção: {violation['description'][:56]:<56} │
+│  Esperado:  {violation['expected_path']:<57} │
+│                                                                              │
+│  NOTA: Este é apenas um AVISO, a operação será executada.                    │
+│        Verifique se o path está correto antes de continuar.                  │
+│                                                                              │
+└──────────────────────────────────────────────────────────────────────────────┘
+"""
+    # Imprimir warning mas NÃO bloquear (exit 0)
+    print(warning_message, file=sys.stderr)
+    sys.exit(0)
+
+if __name__ == "__main__":
+    main()
+

package/.claude/rules/hook-governance.md

@@ -14,6 +14,7 @@ paths:
 | Hook | Purpose | Behavior |
 |------|---------|----------|
 | `enforce-git-push-authority.sh` | Art. II — Only @devops can push | BLOCK (deny) |
+| `verify-packages.cjs` | Security — Block hallucinated npm packages (slopsquatting) | BLOCK (exit 2) |
 | `sql-governance.py` | Security — Block dangerous SQL | BLOCK (exit 2) |
 | `enforce-delegation.cjs` | Art. VIII — Orchestrators can't execute | BLOCK (exit 2) |
 

package/.claude/rules/mandatory-delegation.md

@@ -91,6 +91,30 @@ Everything OUTSIDE their orchestration domain MUST be delegated.
 - Saying "vou fazer isso eu mesmo" instead of delegating
 - Absorbing a request and executing it instead of routing
 
+## Universal Auto-Routing (users should NEVER call agents manually)
+
+Users are NOT AI experts. The system MUST understand natural language and route automatically.
+
+**On EVERY user message (not just orchestrator):**
+1. Detect the domain of the request
+2. If a specialist exists → delegate automatically (no confirmation needed)
+3. Brief acknowledgment: "Delegando para @specialist..."
+4. Return the result to the user
+
+**Auto-detect project state on first interaction:**
+- Check for `.sinapse-ai/` → SINAPSE-managed (continue SDC)
+- Check for `package.json` or `.git` → Brownfield (run quick tech scan first)
+- Empty directory → Greenfield (ask project type, scaffold)
+
+**Cross-agent handoff (automatic, never ask user):**
+- Agent needs git push → auto-delegate to @devops
+- Agent needs tests → auto-delegate to @quality-gate
+- Agent needs schema → auto-delegate to @data-engineer
+- Agent needs story → auto-create via fast-track or @sprint-lead
+- Agent needs architecture decision → auto-delegate to @architect
+
 ## Enforcement
 
 Any response from an orchestrator that contains direct domain work (code, schema, copy, etc.) without having first delegated to the appropriate specialist is a **constitutional violation** and must be corrected immediately.
+
+Any response that asks the user to manually invoke an agent (showing `@agent-name` or `/SINAPSE:agents:...` commands) instead of auto-routing is a **UX violation** — the system should just do it.

package/.claude/rules/project-intelligence.md

@@ -0,0 +1,63 @@
+# Project Intelligence — Auto-Detection (NON-NEGOTIABLE)
+
+> Applies to ALL agents, ALL sessions. Users NEVER configure project type manually.
+
+## Auto-Detect on First Interaction
+
+Before ANY work, silently detect project state:
+
+```
+1. Check: does .sinapse-ai/ exist?
+   YES → SINAPSE-managed project. Read core-config.yaml for context.
+   NO  → Continue to step 2.
+
+2. Check: is directory empty (or only has .git)?
+   YES → GREENFIELD. Ask project type, then scaffold.
+   NO  → Continue to step 3.
+
+3. Check: does package.json or .git exist?
+   YES → BROWNFIELD. Run quick tech scan, then proceed.
+   NO  → UNKNOWN. Ask user what they want to build.
+```
+
+## Quick Tech Scan (BROWNFIELD, < 5 seconds)
+
+When brownfield detected, silently check:
+
+| Check | How | Sets Context |
+|-------|-----|-------------|
+| Framework | package.json dependencies | next/react/vue/angular/express |
+| Language | tsconfig.json exists? | typescript/javascript |
+| Database | supabase/, prisma/, .env | supabase/prisma/drizzle/none |
+| Tests | jest.config, vitest.config | jest/vitest/none |
+| CI | .github/workflows/ | github-actions/none |
+
+Report to user in ONE line: "Projeto Next.js + TypeScript + Supabase detectado."
+
+## Behavior Adaptation by State
+
+### Greenfield Behavior
+- Prioritize: scaffolding, architecture decisions, project setup
+- Workflow: setup → story → implement (no brownfield discovery needed)
+- Auto-apply: infra templates (PR template, CI, .env.example, CODEOWNERS)
+- Ask: "Que tipo de projeto? (web app, API, SaaS, landing page)"
+
+### Brownfield Behavior
+- Prioritize: understanding existing code before changing anything
+- First action: read README, package.json, folder structure
+- Workflow: quick scan → understand → then proceed with user request
+- NEVER rewrite or refactor without understanding existing patterns
+- Respect existing conventions (naming, folder structure, testing framework)
+
+### SINAPSE-Managed Behavior
+- Check for active story in docs/stories/
+- Resume where last session left off
+- Follow SDC workflow (story → implement → QA → push)
+
+## Anti-Patterns (FORBIDDEN)
+
+- Asking user "is this a new or existing project?"
+- Asking user to set `projectType` in config
+- Starting implementation in brownfield without reading existing code first
+- Applying greenfield templates to a brownfield project (overwriting existing CI/configs)
+- Ignoring existing patterns and imposing SINAPSE conventions forcefully

package/.claude/rules/response-format.md

@@ -0,0 +1,4 @@
+# Response Format
+
+> **Consolidado em `~/.claude/rules/token-economy.md`** (seções 4, 6, 7).
+> Mantido como stub pra retro-compatibilidade de referências em agentes.

package/.claude/rules/safe-collaboration.md

@@ -91,8 +91,10 @@ Types: `feat`, `fix`, `refactor`, `docs`, `chore`, `test`
 After push, the agent MUST:
 ```
 1. gh pr create with clear title and description (uses PR template)
-2. Auto-assign the OTHER person as reviewer
-3. Inform the user: "PR criado, {outro} precisa aprovar"
+2. Auto-assign reviewer based on who is pushing:
+   - Caio's PR → Caio can merge directly (admin bypass)
+   - Matheus's PR → Assign @caioimori as reviewer (required approval)
+3. Inform the user: "PR criado"
 ```
 
 ### 6. After PR Merge — Cleanup

package/.claude/rules/security-data-protection.md

@@ -98,6 +98,24 @@ db.query('SELECT * FROM users WHERE name = $1', [input]);
 supabase.from('users').select('*').eq('name', input);
 ```
 
+### RLS Performance Optimization (research-backed, ~95% improvement)
+
+```sql
+-- SLOW: auth.uid() called per-row (function call overhead)
+CREATE POLICY "bad" ON items USING (auth.uid() = user_id);
+
+-- FAST: subselect evaluates once per query (~95% faster)
+CREATE POLICY "good" ON items USING ((SELECT auth.uid()) = user_id);
+```
+
+**Index strategy:** Create indexes on EVERY column used in RLS USING/WITH CHECK clauses:
+```sql
+CREATE INDEX idx_items_user ON items(user_id);
+CREATE INDEX idx_items_org ON items(org_id);
+```
+
+**Anti-patterns:** No `EXISTS` subqueries in RLS, no JOINs in policies, no RLS on tables accessed >1000 req/s without indexes.
+
 ### Least Privilege
 - Each service uses a dedicated role with minimal permissions
 - Read-only services get SELECT only