feat(reflexes): port 5 passive rules from fs-cortex + idempotent merger

[NestorPVsf]

Summary

Ports 5 non-duplicate passive rules (reflexes) from fermontero/fs-cortex (MIT) into the Sinapsis passive-rules tier. Adds an idempotent merger so fresh installs and upgrades both receive the new rules while preserving any user customizations.

Ported (5)

ID	Trigger	Purpose
read-before-edit	^(Edit|Write)\s	Reminder to Read a file before editing it
test-after-change	^(Edit|Write)\s.*(\.test\.|...)	Run tests after code edits
git-push-safety	git push|gh pr create	Fetch+rebase before push; --force-with-lease
git-merge-verify	gh pr merge|git merge	Verify CI + cleanup branch
instinct-downvote	/downvote|wrong instinct|...	Prompt /downvote on negative feedback (adapted from fs-cortex /cx-downvote to Sinapsis's native /downvote)

Skipped as duplicates (5)

env-never-commit, git-commit-quality, api-auth-check (→ api-auth-reminder), security-headers (→ security-headers-check), capture-decision (→ decision-capture). Sinapsis equivalents kept as-is.

Changes

• seeds/reflexes.json (new): 5 rules + _credit / _license header.
• core/_reflex-merge.mjs (new, ~100 LOC Node.js): idempotent merger, user id wins on conflict, atomic tmp → rename write that preserves 0600 file mode (install.sh hardens _passive-rules.json to 0600; the merger must not relax to umask). CLI flags: --seeds-path, --index-path, --dry-run.
• install.sh + install.bat: new Step 5c runs the merger after hook scripts.
• tests/test-reflexes.sh (new): 11 TDD tests including activator-integration (rules actually fire) and a regression guard that test-after-change does NOT fire on Read/Grep.

Codex review fixes applied pre-commit

/codex:review --base main flagged 3 issues, all addressed before this PR:

• P1 install.bat was missing the reflex step → Windows fresh installs would have stayed on the old rule set. Fixed.
• P2 atomic write replaced 0600-protected file with a new file at umask default (0644 typical) → relaxed permissions on a file documented as personal data. Fixed: merger stats existing file and chmods tmp to same mode (0600 fallback on fresh install).
• P2 test-after-change fired on Read/Grep because trigger only tested filename. Scoped to ^(Edit|Write)\s.*. Regression test added.

Test plan

• bash tests/test-reflexes.sh → 11/11 GREEN (including regression guard)
• Full suite → 127/127 GREEN, 0 regressions
• JSON validity on seeds/reflexes.json
• bash -n syntax on install.sh
• Manual: each new rule fires on its trigger (Edit, git push, gh pr merge, /downvote)
• Manual: test-after-change does NOT fire on Read/Grep
• /codex:review second-opinion applied

Independence

Branches from main (45949ed). No dependency on PR #7 (dashboard), PR #8 (seeds), or PR #9 (laws). Can merge in any order.

Credit

5 rules ported from fermontero/fs-cortex — MIT © 2026 Fernando Montero. Attribution preserved as origin: seed:fermontero-fs-cortex in each rule.