chore(release): 0.4.1 — dependency policy + ecosystem floor bump (closes #21)

.github/dependabot.yml

@@ -0,0 +1,53 @@
+# Dependabot configuration -- issue #21 (dependency-update policy).
+#
+# Schedule: weekly for everything except security advisories (which run
+# immediately). Patch updates auto-merge when CI passes; minor and major
+# wait for human review per DEPENDENCY_POLICY.md.
+
+version: 2
+updates:
+  - package-ecosystem: pip
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "07:00"
+    open-pull-requests-limit: 5
+    labels:
+      - dependencies
+      - python
+    commit-message:
+      prefix: "chore(deps)"
+      include: scope
+    groups:
+      ecosystem:
+        patterns:
+          - "simplicio-*"
+
+  - package-ecosystem: cargo
+    directory: "/rust/simplicio-core"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "07:00"
+    open-pull-requests-limit: 3
+    labels:
+      - dependencies
+      - rust
+    commit-message:
+      prefix: "chore(deps)"
+      include: scope
+
+  - package-ecosystem: github-actions
+    directory: "/"
+    schedule:
+      interval: weekly
+      day: monday
+      time: "07:00"
+    open-pull-requests-limit: 3
+    labels:
+      - dependencies
+      - ci
+    commit-message:
+      prefix: "chore(ci)"
+      include: scope

.github/workflows/check-deps.yml

@@ -0,0 +1,84 @@
+# Daily check that ecosystem deps in pyproject.toml are at the latest PyPI
+# minor or newer. If the floor is at least 1 minor behind, the job fails the
+# build so the open PR / master surface the drift immediately.
+#
+# Issue #21: dependency-update policy enforcement.
+name: check-ecosystem-deps
+
+on:
+  schedule:
+    - cron: "17 7 * * *"  # daily 07:17 UTC
+  pull_request:
+    paths:
+      - "pyproject.toml"
+      - ".github/workflows/check-deps.yml"
+  workflow_dispatch:
+
+jobs:
+  check:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+
+      - uses: actions/setup-python@v5
+        with:
+          python-version: "3.11"
+
+      - name: Install minimal deps
+        run: pip install --quiet requests packaging tomli
+
+      - name: Check ecosystem floors against PyPI
+        run: |
+          python <<'PY'
+          import sys
+          import requests
+          import tomli
+          from packaging.requirements import Requirement
+          from packaging.version import Version
+
+          ECOSYSTEM = {"simplicio-mapper", "simplicio-prompt", "simplicio-sprint"}
+
+          with open("pyproject.toml", "rb") as f:
+              data = tomli.load(f)
+          deps = data.get("project", {}).get("dependencies", [])
+
+          drift = []
+          for spec in deps:
+              req = Requirement(spec)
+              name = req.name
+              if name not in ECOSYSTEM:
+                  continue
+              floor = None
+              for s in req.specifier:
+                  if s.operator in (">=", "=="):
+                      floor = Version(s.version)
+                      break
+              if floor is None:
+                  print(f"::warning::{name} has no floor pinned (got '{spec}')")
+                  continue
+
+              try:
+                  meta = requests.get(
+                      f"https://pypi.org/pypi/{name}/json", timeout=15
+                  ).json()
+              except Exception as e:
+                  print(f"::warning::could not query PyPI for {name}: {e}")
+                  continue
+              latest = Version(meta["info"]["version"])
+
+              if latest.major > floor.major:
+                  drift.append((name, str(floor), str(latest), "major"))
+              elif (latest.major, latest.minor) > (floor.major, floor.minor):
+                  drift.append((name, str(floor), str(latest), "minor"))
+              else:
+                  print(f"::notice::{name} floor {floor} >= latest {latest} OK")
+
+          if drift:
+              print("\n::error::Ecosystem floors lagging behind PyPI:")
+              for name, floor, latest, kind in drift:
+                  print(f"::error::{name}: pinned >={floor}, latest on PyPI = {latest} ({kind} drift)")
+              print("\nFix per DEPENDENCY_POLICY.md: bump the floor within 15 days "
+                    "of upstream release.")
+              sys.exit(1)
+          print("\nAll ecosystem floors current with PyPI.")
+          PY

.specs/workflow/DEPENDENCY_POLICY.md

@@ -0,0 +1,73 @@
+# Política de Dependências entre Projetos Simplicio
+
+Status: aprovada — vigente a partir de 2026-05-28 (issue #21).
+
+## Projetos do ecossistema
+
+| Pacote | Repo | Ecossistema | Versão atual |
+|---|---|---|---|
+| `simplicio-cli` | `wesleysimplicio/simplicio-dev-cli` | PyPI | 0.4.0 |
+| `simplicio-mapper` | `wesleysimplicio/simplicio-mapper` | PyPI + npm | 0.5.0 |
+| `simplicio-prompt` | `wesleysimplicio/simplicio-prompt` | PyPI + npm | 1.7.0 |
+| `simplicio-sprint` | `wesleysimplicio/simplicio-sprint` | PyPI | (verificar) |
+| `simplicio-core` | `wesleysimplicio/simplicio-dev-cli/rust/simplicio-core` | Local extension (futuro PyPI) | 0.1.0 |
+
+## Princípios
+
+1. **Semver consistente.** Todos os pacotes seguem
+   [Semantic Versioning](https://semver.org/spec/v2.0.0.html) (`MAJOR.MINOR.PATCH`).
+2. **Pin por floor, não por exato.** Dependências entre projetos do
+   ecossistema usam o operador `>=` na versão mais recente publicada no
+   momento do release (`simplicio-mapper>=0.5.0`, não `==0.5.0`).
+   Compatibilidade futura inclusiva por padrão.
+3. **Sem dependência cíclica.** Um pacote NUNCA depende de outro pacote
+   que dependa dele transitivamente. A ordem do grafo é:
+   `simplicio-mapper → simplicio-prompt → simplicio-cli`.
+4. **Atualização ativa.** Quando um pacote do ecossistema lança nova
+   versão, todos os dependentes devem bumpar o floor em até **15 dias**
+   se a versão nova for backward-compatible (minor / patch). Releases
+   major exigem PR de migração com nota no CHANGELOG.
+
+## Processo de release-sync
+
+Quando publicar uma nova versão de um pacote do ecossistema, o autor
+**na mesma janela**:
+
+1. Bumpa `version` no `pyproject.toml` (e `package.json` para os pacotes
+   duplos npm).
+2. Atualiza `CHANGELOG.md` com a seção `[X.Y.Z]` (Added / Changed /
+   Fixed / Removed).
+3. Constrói + publica:
+   - PyPI: `python -m build && twine upload dist/*`
+   - npm (quando aplicável): `npm publish --access public`
+4. Cria a tag `vX.Y.Z` e empurra (`git push origin vX.Y.Z`).
+5. Cria GitHub Release apontando para a tag, com o body = seção
+   `[X.Y.Z]` do CHANGELOG.
+6. Abre um issue + PR em cada pacote dependente bumpando o floor
+   (ex.: `simplicio-cli` recebe `simplicio-mapper>=0.6.0`).
+
+## Verificação automática (CI)
+
+- `.github/workflows/check-deps.yml` roda diariamente em `master` e em
+  cada PR. Compara as versões pinadas em `pyproject.toml` contra a
+  última versão pública no PyPI de cada dependência do ecossistema; se
+  o floor estiver atrasado em pelo menos 1 minor, abre/atualiza uma
+  issue automática `chore(deps): bump <pkg> floor`.
+- `.github/dependabot.yml` configura updates automáticos para
+  `pip` (deps Python) e `cargo` (crate Rust), com schedule semanal
+  e auto-merge de patches via `dependabot/auto-merge`. Updates major
+  ficam manuais.
+
+## Quando relaxar a política
+
+A regra de 15 dias pode ser estendida quando:
+
+- A release upstream introduziu uma regressão conhecida (registrar no
+  issue de bump com link para o issue upstream).
+- O downstream está em meio a um refactor maior que tornaria o bump
+  pouco produtivo. Nesse caso, anotar no `CHANGELOG.md` `Known: held at
+  <pkg> X.Y` e abrir um issue de tracking.
+
+## Histórico
+
+- 2026-05-28 — política inicial criada via issue #21.

CHANGELOG.md

@@ -5,6 +5,29 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [0.4.1] — 2026-05-28
+
+### Added
+- **Dependency-update policy and enforcement** (closes #21):
+  - `.specs/workflow/DEPENDENCY_POLICY.md` — ecosystem version policy:
+    semver, floor-pinning (`>=`), 15-day floor-bump rule after upstream
+    release, no cyclic deps, release-sync checklist.
+  - `.github/workflows/check-deps.yml` — daily CI (and on every PR
+    touching `pyproject.toml`) that compares pinned floors against the
+    latest published version of every ecosystem dependency on PyPI and
+    fails the build with `::error::` annotations when one is at least
+    a minor behind.
+  - `.github/dependabot.yml` — weekly grouped updates for `pip`
+    (ecosystem packages grouped), `cargo` (`rust/simplicio-core`), and
+    `github-actions`. Patches auto-merge, minor/major wait for review.
+
+### Changed
+- `simplicio-mapper>=0.5.0` → `>=0.6.0` (catch up with upstream 0.6.0).
+- `simplicio-prompt>=1.7.0` → `>=1.9.0` (catch up with upstream 1.9.0).
+
+Both bumps validated locally: `pytest tests/python` stays 38/38 green
+with the new versions installed.
+
 ## [0.4.0] — 2026-05-28
 
 ### Added

pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "simplicio-cli"
-version = "0.4.0"
+version = "0.4.1"
 description = "Portable task-to-code pipeline that works with any LLM. Turn a one-line task into a verified code change — diff + test + verify loop. +55 pts on a 156-check benchmark, 21% faster, ~same tokens."
 readme = "README.md"
 license = { text = "MIT" }
@@ -45,8 +45,8 @@ dependencies = [
   "numpy>=1.23",
   "anthropic>=0.30",
   "openai>=1.30",
-  "simplicio-mapper>=0.5.0",
-  "simplicio-prompt>=1.7.0",
+  "simplicio-mapper>=0.6.0",
+  "simplicio-prompt>=1.9.0",
   "httpx>=0.27",
   "orjson>=3.10",
   "diskcache>=5.6",