pumuki-ast-hooks 5.5.31 → 5.5.35

package/README.md

@@ -43,6 +43,7 @@
 - [Complete Architecture and Workflow](#complete-architecture-and-workflow)
 - [What is it?](#what-is-it)
 - [What problems does it solve?](#what-problems-does-it-solve)
+- [Git Flow Automation](#git-flow-automation)
 - [Features](#features)
 - [Use Cases](#use-cases)
 - [Installation](#installation)
@@ -510,6 +511,70 @@ See [HOW_IT_WORKS.md](./docs/HOW_IT_WORKS.md#architecture-detection-by-platform)
 - **MEDIUM/LOW**: Generate warnings in reports
 - **Configurable**: Adjust levels according to your project
 
+### 🔄 Git Flow Automation
+
+**Complete Git Flow workflow automation** with automatic enforcement:
+
+- **Protected Branch Blocking**: Automatically blocks commits and pushes to `main`, `master`, and `develop` branches
+- **Auto-Create Feature Branch**: Automatically creates feature branch when on `develop`/`main` based on changes
+- **Smart Branch Naming**: Generates branch names based on file types (feature/, fix/, chore/, docs/, etc.)
+- **Feature Cycle**: Execute complete Git Flow with `npm run ast:gitflow`
+- **Release Cycle**: Create release PR from develop to main with `npm run ast:release`
+- **Automatic PR Creation**: Creates Pull Requests using GitHub CLI (requires `gh`)
+- **Optional Auto-Merge**: Automatically merges PRs with `--auto-merge` flag
+- **Branch Cleanup**: Automatically deletes merged branches (local and remote)
+- **Branch Synchronization**: Syncs `develop` and `main` with remote
+
+**Feature Development Workflow:**
+```bash
+# Work on develop/main (changes detected)
+
+# Run complete cycle (auto-creates feature branch)
+npm run ast:gitflow -- --auto-merge
+```
+
+**Release Workflow:**
+```bash
+# Switch to develop branch
+git checkout develop
+
+# Create release PR (develop → main)
+npm run ast:release -- --auto-merge
+
+# Or with version tag
+npm run ast:release -- --tag 5.5.35 --auto-merge
+```
+
+**Branch Naming Logic:**
+- `fix/` - Files containing "fix", "bug", "error"
+- `test/` - Test files or "spec" files
+- `docs/` - Documentation files (README, CHANGELOG)
+- `refactor/` - Files containing "refactor", "cleanup"
+- `ci/` - CI/CD files (workflow, github actions)
+- `chore/` - Config files, package.json
+- `feature/` - Default for other changes
+
+**Feature Cycle Options:**
+```bash
+npm run ast:gitflow                              # Basic cycle (auto-creates branch if needed)
+npm run ast:gitflow -- -m "feat: new feature"    # Custom commit message
+npm run ast:gitflow -- --auto-merge              # Auto-merge PR
+npm run ast:gitflow -- --skip-cleanup            # Skip branch cleanup
+npm run ast:gitflow -- --skip-sync               # Skip branch sync
+```
+
+**Release Cycle Options:**
+```bash
+npm run ast:release                              # Create release PR
+npm run ast:release -- --auto-merge              # Auto-merge release PR
+npm run ast:release -- --tag 5.5.35              # Create and push git tag
+npm run ast:release -- --pr-title "Release v5.5.35"  # Custom PR title
+```
+
+**Hooks:**
+- `pre-commit`: Blocks commits on protected branches + AST analysis
+- `pre-push`: Blocks push to protected branches + validates naming
+
 ---
 
 ## Use Cases
@@ -568,6 +633,21 @@ hook-watch
 hook-status
 ```
 
+### 6. Git Flow Automation
+
+```bash
+# Complete Git Flow cycle
+npm run ast:gitflow
+
+# With options
+npm run ast:gitflow -- -m "feat: new feature" --auto-merge
+
+# Using MCP tools (from IDE)
+mcp0_auto_complete_gitflow
+mcp0_sync_branches
+mcp0_cleanup_stale_branches
+```
+
 ---
 
 ## Quick Start
@@ -1023,6 +1103,9 @@ hook-predict                   # Violation prediction
 hook-playbook                  # Execute playbook
 
 # Git Flow
+npm run ast:gitflow              # Complete Git Flow cycle
+npm run ast:gitflow -- -m "msg" # With commit message
+npm run ast:gitflow -- --auto-merge  # Auto-merge PR
 gitflow check                  # Verify Git Flow
 gitflow status                 # Current status
 gitflow workflow               # View full workflow
@@ -1033,6 +1116,7 @@ gitflow workflow               # View full workflow
 ```bash
 npm run audit                  # Full analysis
 npm run install-hooks          # Install hooks
+npm run ast:gitflow            # Complete Git Flow cycle
 npm test                       # Run tests
 npm run lint                   # Linter
 npm run typecheck              # Type checking
@@ -1065,6 +1149,83 @@ For coding standards, see [CODE_STANDARDS.md](./docs/CODE_STANDARDS.md).
 
 ## 📝 Recent Changes
 
+### Version 5.5.35 (2026-01-04)
+
+**✨ New Features:**
+- **Git Flow Release Cycle**: New `npm run ast:release` command for creating release PRs (develop → main)
+- **Release Automation**: Automatic PR creation from develop to main with optional auto-merge
+- **Git Tag Support**: Optional git tag creation with `--tag` flag
+
+**Technical Details:**
+- Separation of concerns: `ast:gitflow` for features, `ast:release` for releases
+- Release cycle steps:
+  1. Validates branch (must be develop)
+  2. Syncs develop with origin
+  3. Syncs main with origin
+  4. Creates PR: develop → main
+  5. Optionally auto-merges PR
+  6. Optionally creates git tag
+- Follows Git Flow best practices with clear separation between development and release workflows
+
+---
+
+### Version 5.5.34 (2026-01-04)
+
+**✨ New Features:**
+- **Git Flow Auto-Create Branch**: Automatically creates feature branch when on `develop`/`main` based on changes
+- **Smart Branch Naming**: Generates branch names based on file types (feature/, fix/, chore/, docs/, etc.)
+
+**Technical Details:**
+- When running `npm run ast:gitflow` on protected branch, script now:
+  - Analyzes changed files to infer branch type
+  - Generates descriptive branch name with timestamp
+  - Creates and switches to new feature branch automatically
+  - Continues with complete Git Flow cycle
+- Branch naming logic:
+  - `fix/` - Files containing "fix", "bug", "error"
+  - `test/` - Test files or "spec" files
+  - `docs/` - Documentation files (README, CHANGELOG)
+  - `refactor/` - Files containing "refactor", "cleanup"
+  - `ci/` - CI/CD files (workflow, github actions)
+  - `chore/` - Config files, package.json
+  - `feature/` - Default for other changes
+
+---
+
+### Version 5.5.33 (2026-01-04)
+
+**🐛 Bug Fixes:**
+- **iOS Security Analyzer**: Fixed false positive in `ios.security.missing_ssl_pinning` rule
+- Now recognizes SSL pinning implementations using `URLSessionDelegate` + `URLAuthenticationChallenge`
+- **iOS Enterprise Analyzer**: Fixed same false positive in `ios.networking.missing_ssl_pinning` rule
+
+**Technical Details:**
+- Previous implementation only checked for `ServerTrustPolicy` or `pinning` keywords
+- Files implementing SSL pinning with `URLSessionDelegate` were incorrectly flagged
+- Added detection for `URLSessionDelegate` + `URLAuthenticationChallenge` pattern
+- This fixes false positives on files like `SSLPinningDelegate.swift` that properly implement SSL pinning
+
+---
+
+### Version 5.5.32 (2026-01-04)
+
+**✨ New Features:**
+- **Git Flow Automation**: Complete Git Flow cycle with `npm run ast:gitflow`
+- **Protected Branch Blocking**: Pre-commit hook now blocks commits on `main`, `master`, and `develop`
+- **Pre-Push Hook**: Automatically installed, blocks push to protected branches and validates naming conventions
+- **Auto PR Creation**: Creates Pull Requests using GitHub CLI (`gh`)
+- **Auto-Merge Support**: Optional auto-merge with `--auto-merge` flag
+- **Branch Cleanup**: Automatically deletes merged branches (local + remote)
+- **Branch Synchronization**: Syncs `develop` and `main` with remote
+
+**🔧 Improvements:**
+- Added `ast-gitflow` binary to package.json
+- Added `ast:gitflow` npm script
+- Updated GitEnvironmentService to install pre-push hook
+- Updated pre-commit hook to validate protected branches
+
+---
+
 ### Version 5.5.25 (2026-01-04)
 
 **⚡ Performance Fix:**
@@ -1174,7 +1335,7 @@ Developed by **Pumuki Team®**
 
 - **Author**: Juan Carlos Merlos Albarracín (Senior Software Architect - AI-Driven Development)
 - **Contact**: freelancemerlos@gmail.com
-- **Version**: 5.5.16
+- **Version**: 5.5.35
 - **Repository**: [GitHub](https://github.com/SwiftEnProfundidad/ast-intelligence-hooks)
 
 ---

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki-ast-hooks",
-  "version": "5.5.31",
+  "version": "5.5.35",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {
@@ -10,6 +10,7 @@
     "ast-install": "./bin/install.js",
     "ast-violations": "./bin/violations-api.js",
     "ast-check-version": "./bin/check-version.js",
+    "ast-gitflow": "./scripts/hooks-system/bin/gitflow-cycle.js",
     "ai-commit": "./bin/ai-commit.sh",
     "hook-run-orchestrator": "./bin/run-orchestrator.js",
     "hook-watch": "./bin/watch-hooks.js",
@@ -29,6 +30,8 @@
     "gitflow:status": "bash bin/gitflow status",
     "gitflow:workflow": "bash bin/gitflow workflow",
     "gitflow:reset": "bash bin/gitflow reset",
+    "ast:gitflow": "node scripts/hooks-system/bin/gitflow-cycle.js",
+    "ast:release": "node scripts/hooks-system/bin/gitflow-release.js",
     "violations": "node bin/violations",
     "violations:list": "node bin/violations list",
     "violations:show": "node bin/violations show",
@@ -41,7 +44,13 @@
     "build:ts": "tsc --noEmit",
     "typecheck": "tsc --noEmit",
     "ast:refresh": "node scripts/hooks-system/bin/update-evidence.sh",
-    "ast:audit": "node scripts/hooks-system/infrastructure/ast/ast-intelligence.js"
+    "ast:audit": "node scripts/hooks-system/infrastructure/ast/ast-intelligence.js",
+    "ast:guard:start": "bash scripts/hooks-system/bin/evidence-guard start",
+    "ast:guard:stop": "bash scripts/hooks-system/bin/evidence-guard stop",
+    "ast:guard:restart": "bash scripts/hooks-system/bin/evidence-guard restart",
+    "ast:guard:status": "bash scripts/hooks-system/bin/evidence-guard status",
+    "ast:guard:logs": "bash scripts/hooks-system/bin/evidence-guard logs",
+    "ast:check-version": "node scripts/hooks-system/bin/check-version.js"
   },
   "keywords": [
     "ast",

package/scripts/hooks-system/application/services/installation/ConfigurationGeneratorService.js

@@ -116,6 +116,7 @@ class ConfigurationGeneratorService {
             packageJson.scripts['ast:guard:status'] = 'bash scripts/hooks-system/bin/evidence-guard status';
             packageJson.scripts['ast:guard:logs'] = 'bash scripts/hooks-system/bin/evidence-guard logs';
             packageJson.scripts['ast:check-version'] = 'node scripts/hooks-system/bin/check-version.js';
+            packageJson.scripts['ast:gitflow'] = 'node scripts/hooks-system/bin/gitflow-cycle.js';
 
             fs.writeFileSync(projectPackageJsonPath, JSON.stringify(packageJson, null, 2));
             this.logSuccess('npm scripts added');

package/scripts/hooks-system/application/services/installation/GitEnvironmentService.js

@@ -108,6 +108,26 @@ fi
 # Change to project root (where package.json is)
 cd "$(git rev-parse --show-toplevel)" || exit 1
 
+# ═══════════════════════════════════════════════════════════════
+# GIT FLOW ENFORCEMENT: Block commits on protected branches
+# ═══════════════════════════════════════════════════════════════
+CURRENT_BRANCH=$(git branch --show-current 2>/dev/null || echo "")
+
+if [[ "$CURRENT_BRANCH" == "main" ]] || [[ "$CURRENT_BRANCH" == "master" ]] || [[ "$CURRENT_BRANCH" == "develop" ]]; then
+  echo ""
+  echo "❌ COMMIT BLOCKED: Cannot commit directly to protected branch: $CURRENT_BRANCH"
+  echo ""
+  echo "🐈 Pumuki says: Create a feature branch first!"
+  echo ""
+  echo "   git checkout -b feature/my-feature"
+  echo "   git checkout -b fix/my-fix"
+  echo "   git checkout -b hotfix/urgent-fix"
+  echo ""
+  echo "Then run: npm run ast:gitflow"
+  echo ""
+  exit 1
+fi
+
 # Check if there are staged files
 STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null | grep -E '\\.(ts|tsx|js|jsx|swift|kt)$' || true)
 if [ -z "$STAGED_FILES" ]; then

package/scripts/hooks-system/application/services/installation/McpConfigurator.js

@@ -116,7 +116,6 @@ class McpConfigurator {
         const mcpConfig = {
             mcpServers: {
                 [serverId]: {
-                    type: 'stdio',
                     command: nodePath,
                     args: [
                         entrypoint

package/scripts/hooks-system/bin/gitflow-cycle.js

@@ -0,0 +1,496 @@
+#!/usr/bin/env node
+/**
+ * Git Flow Cycle - Complete automation
+ * 
+ * Executes the full Git Flow cycle:
+ * 1. Validates current branch (must be feature/fix/hotfix/chore)
+ * 2. Commits uncommitted changes (optional)
+ * 3. Pushes to origin
+ * 4. Creates PR (requires gh CLI)
+ * 5. Optionally merges PR
+ * 6. Cleans up merged branches
+ * 7. Syncs local branches with remote
+ */
+
+const { execSync } = require('child_process');
+const fs = require('fs');
+const path = require('path');
+
+const COLORS = {
+    reset: '\x1b[0m',
+    red: '\x1b[31m',
+    green: '\x1b[32m',
+    yellow: '\x1b[33m',
+    blue: '\x1b[34m',
+    cyan: '\x1b[36m',
+    magenta: '\x1b[35m'
+};
+
+function log(color, message) {
+    console.log(`${color}${message}${COLORS.reset}`);
+}
+
+function exec(cmd, options = {}) {
+    try {
+        return execSync(cmd, {
+            encoding: 'utf-8',
+            stdio: options.silent ? 'pipe' : 'inherit',
+            ...options
+        });
+    } catch (error) {
+        if (options.ignoreError) {
+            return null;
+        }
+        throw error;
+    }
+}
+
+function execSilent(cmd) {
+    try {
+        return execSync(cmd, { encoding: 'utf-8', stdio: 'pipe' }).trim();
+    } catch (error) {
+        return null;
+    }
+}
+
+function getCurrentBranch() {
+    return execSilent('git branch --show-current') || 'unknown';
+}
+
+function isProtectedBranch(branch) {
+    const protected = ['main', 'master', 'develop'];
+    return protected.includes(branch);
+}
+
+function isValidFeatureBranch(branch) {
+    return /^(feature|fix|hotfix|chore|docs|refactor|test|ci)\//.test(branch);
+}
+
+function hasUncommittedChanges() {
+    const status = execSilent('git status --porcelain');
+    return status && status.length > 0;
+}
+
+function hasStagedChanges() {
+    const staged = execSilent('git diff --cached --name-only');
+    return staged && staged.length > 0;
+}
+
+function getBaseBranch() {
+    // Check if develop exists
+    const hasDevelop = execSilent('git show-ref --verify --quiet refs/heads/develop');
+    return hasDevelop !== null ? 'develop' : 'main';
+}
+
+function getMergedBranches(baseBranch) {
+    const output = execSilent(`git branch --merged ${baseBranch}`);
+    if (!output) return [];
+    return output.split('\n')
+        .map(b => b.replace(/^\*?\s*/, '').trim())
+        .filter(b => b && !isProtectedBranch(b));
+}
+
+function isGitHubCliAvailable() {
+    return execSilent('gh auth status') !== null;
+}
+
+function prExists(branch) {
+    return execSilent(`gh pr view ${branch}`) !== null;
+}
+
+// ════════════════════════════════════════════════════════════════
+// MAIN CYCLE STEPS
+// ════════════════════════════════════════════════════════════════
+
+function getChangedFiles() {
+    try {
+        const output = execSilent('git status --porcelain');
+        if (!output) return [];
+        return output.split('\n')
+            .filter(line => line.trim())
+            .map(line => {
+                const parts = line.trim().split(/\s+/);
+                return parts[1] || parts[0];
+            });
+    } catch (error) {
+        return [];
+    }
+}
+
+function inferBranchType(changedFiles) {
+    const fileTypes = changedFiles.join(' ').toLowerCase();
+
+    if (fileTypes.includes('fix') || fileTypes.includes('bug') || fileTypes.includes('error')) {
+        return 'fix';
+    }
+    if (fileTypes.includes('test') || fileTypes.includes('spec')) {
+        return 'test';
+    }
+    if (fileTypes.includes('doc') || fileTypes.includes('readme') || fileTypes.includes('changelog')) {
+        return 'docs';
+    }
+    if (fileTypes.includes('refactor') || fileTypes.includes('cleanup')) {
+        return 'refactor';
+    }
+    if (fileTypes.includes('ci') || fileTypes.includes('workflow') || fileTypes.includes('github')) {
+        return 'ci';
+    }
+    if (fileTypes.includes('chore') || fileTypes.includes('config') || fileTypes.includes('package')) {
+        return 'chore';
+    }
+    return 'feature';
+}
+
+function generateBranchName(changedFiles) {
+    const type = inferBranchType(changedFiles);
+
+    // Extract keywords from file paths
+    const keywords = changedFiles
+        .map(f => f.replace(/.*\//, '').replace(/\.[^.]+$/, ''))
+        .filter(f => f.length > 2)
+        .slice(0, 3);
+
+    let suffix = keywords.join('-') || 'update';
+    suffix = suffix.toLowerCase().replace(/[^a-z0-9-]/g, '-').replace(/-+/g, '-').replace(/^-|-$/g, '');
+
+    // Add timestamp to ensure uniqueness
+    const timestamp = Date.now().toString(36);
+    return `${type}/${suffix}-${timestamp}`;
+}
+
+function step1_validateBranch() {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '📍 Step 1: Validate Branch');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    let branch = getCurrentBranch();
+    log(COLORS.blue, `Current branch: ${branch}`);
+
+    if (isProtectedBranch(branch)) {
+        log(COLORS.yellow, `\n⚠️  On protected branch: ${branch}`);
+        log(COLORS.cyan, '🔄 Automatically creating feature branch...');
+
+        const changedFiles = getChangedFiles();
+        if (changedFiles.length === 0) {
+            log(COLORS.red, '\n❌ No changes detected to create a feature branch');
+            process.exit(1);
+        }
+
+        const newBranch = generateBranchName(changedFiles);
+        log(COLORS.blue, `Creating branch: ${newBranch}`);
+
+        try {
+            exec(`git checkout -b ${newBranch}`);
+            branch = newBranch;
+            log(COLORS.green, `✅ Created and switched to: ${newBranch}`);
+        } catch (error) {
+            log(COLORS.red, `\n❌ Failed to create branch: ${error.message}`);
+            process.exit(1);
+        }
+    }
+
+    if (!isValidFeatureBranch(branch)) {
+        log(COLORS.yellow, `\n⚠️  Branch '${branch}' doesn't follow naming convention`);
+        log(COLORS.yellow, 'Expected: feature/, fix/, hotfix/, chore/, docs/, refactor/, test/, ci/');
+        log(COLORS.yellow, '\nContinuing anyway...');
+    }
+
+    log(COLORS.green, '✅ Branch validation passed');
+    return branch;
+}
+
+function step2_commitChanges(commitMessage) {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '📝 Step 2: Commit Changes');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    if (!hasUncommittedChanges()) {
+        log(COLORS.green, '✅ No uncommitted changes');
+        return;
+    }
+
+    log(COLORS.yellow, '⚠️  Uncommitted changes detected');
+
+    if (!hasStagedChanges()) {
+        log(COLORS.blue, 'Staging all changes...');
+        exec('git add -A');
+    }
+
+    const message = commitMessage || `chore: auto-commit changes on ${getCurrentBranch()}`;
+    log(COLORS.blue, `Committing: ${message}`);
+    exec(`git commit -m "${message}"`);
+    log(COLORS.green, '✅ Changes committed');
+}
+
+function step3_pushToOrigin(branch) {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '🚀 Step 3: Push to Origin');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    log(COLORS.blue, `Pushing ${branch} to origin...`);
+    exec(`git push -u origin ${branch}`);
+    log(COLORS.green, '✅ Pushed to origin');
+}
+
+function step4_createPR(branch, baseBranch, prTitle, prBody) {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '📋 Step 4: Create Pull Request');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    if (!isGitHubCliAvailable()) {
+        log(COLORS.yellow, '⚠️  GitHub CLI (gh) not available or not authenticated');
+        log(COLORS.yellow, '   Install: https://cli.github.com/');
+        log(COLORS.yellow, '   Auth: gh auth login');
+        log(COLORS.yellow, '\n   Create PR manually at GitHub.');
+        return null;
+    }
+
+    if (prExists(branch)) {
+        log(COLORS.green, '✅ PR already exists for this branch');
+        const prUrl = execSilent(`gh pr view ${branch} --json url --jq .url`);
+        return prUrl;
+    }
+
+    const title = prTitle || execSilent('git log -1 --pretty=%s') || `Merge ${branch}`;
+    const body = prBody || `## Summary\nAutomated PR for ${branch}\n\n## Changes\n${execSilent(`git log --oneline origin/${baseBranch}..${branch}`) || '- Updates'}`;
+
+    log(COLORS.blue, `Creating PR: ${title}`);
+    log(COLORS.blue, `Base: ${baseBranch} ← Head: ${branch}`);
+
+    try {
+        const output = execSilent(`gh pr create --base ${baseBranch} --head ${branch} --title "${title}" --body "${body.replace(/"/g, '\\"')}"`);
+        if (output) {
+            const urlMatch = output.match(/https:\/\/github\.com\/.*\/pull\/\d+/);
+            const prUrl = urlMatch ? urlMatch[0] : output;
+            log(COLORS.green, `✅ PR created: ${prUrl}`);
+            return prUrl;
+        }
+    } catch (error) {
+        log(COLORS.red, `❌ Failed to create PR: ${error.message}`);
+    }
+
+    return null;
+}
+
+function step5_mergePR(prUrl, autoMerge) {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '🔀 Step 5: Merge Pull Request');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    if (!prUrl) {
+        log(COLORS.yellow, '⚠️  No PR URL available, skipping merge');
+        return false;
+    }
+
+    if (!autoMerge) {
+        log(COLORS.yellow, '⚠️  Auto-merge disabled. Merge PR manually.');
+        log(COLORS.blue, `   PR: ${prUrl}`);
+        return false;
+    }
+
+    log(COLORS.blue, 'Enabling auto-merge (squash)...');
+    try {
+        exec(`gh pr merge --auto --squash "${prUrl}"`, { ignoreError: true });
+        log(COLORS.green, '✅ Auto-merge enabled');
+        return true;
+    } catch (error) {
+        log(COLORS.yellow, '⚠️  Could not enable auto-merge (may require admin approval)');
+        return false;
+    }
+}
+
+function step6_cleanupBranches(baseBranch) {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '🧹 Step 6: Cleanup Merged Branches');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    // Fetch latest
+    exec('git fetch --prune', { silent: true, ignoreError: true });
+
+    const mergedBranches = getMergedBranches(baseBranch);
+
+    if (mergedBranches.length === 0) {
+        log(COLORS.green, '✅ No merged branches to clean');
+        return;
+    }
+
+    log(COLORS.blue, `Found ${mergedBranches.length} merged branches:`);
+    mergedBranches.forEach(b => log(COLORS.yellow, `   - ${b}`));
+
+    // Delete local merged branches
+    for (const branch of mergedBranches) {
+        log(COLORS.blue, `Deleting local: ${branch}`);
+        exec(`git branch -d "${branch}"`, { ignoreError: true, silent: true });
+    }
+
+    // Delete remote merged branches (if gh available)
+    if (isGitHubCliAvailable()) {
+        for (const branch of mergedBranches) {
+            log(COLORS.blue, `Deleting remote: origin/${branch}`);
+            exec(`git push origin --delete "${branch}"`, { ignoreError: true, silent: true });
+        }
+    }
+
+    log(COLORS.green, `✅ Cleaned ${mergedBranches.length} merged branches`);
+}
+
+function step7_syncBranches(baseBranch) {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '🔄 Step 7: Sync Branches');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    const currentBranch = getCurrentBranch();
+
+    log(COLORS.blue, 'Fetching from origin...');
+    exec('git fetch origin', { ignoreError: true, silent: true });
+
+    // Sync develop
+    if (execSilent('git show-ref --verify --quiet refs/heads/develop') !== null) {
+        log(COLORS.blue, 'Syncing develop...');
+        exec('git checkout develop && git pull origin develop', { ignoreError: true, silent: true });
+    }
+
+    // Sync main
+    log(COLORS.blue, 'Syncing main...');
+    exec('git checkout main && git pull origin main', { ignoreError: true, silent: true });
+
+    // Return to original branch
+    log(COLORS.blue, `Returning to ${currentBranch}...`);
+    exec(`git checkout ${currentBranch}`, { ignoreError: true, silent: true });
+
+    log(COLORS.green, '✅ Branches synchronized');
+}
+
+// ════════════════════════════════════════════════════════════════
+// MAIN
+// ════════════════════════════════════════════════════════════════
+
+function printUsage() {
+    console.log(`
+${COLORS.cyan}═══════════════════════════════════════════════════════════════
+🐈 Pumuki Git Flow Cycle
+═══════════════════════════════════════════════════════════════${COLORS.reset}
+
+${COLORS.blue}Usage:${COLORS.reset} npm run ast:gitflow [options]
+
+${COLORS.blue}Options:${COLORS.reset}
+  --commit-message, -m <msg>   Custom commit message
+  --pr-title <title>           Custom PR title
+  --auto-merge                 Enable auto-merge after PR creation
+  --skip-cleanup               Skip branch cleanup step
+  --skip-sync                  Skip branch sync step
+  --help, -h                   Show this help
+
+${COLORS.blue}Examples:${COLORS.reset}
+  npm run ast:gitflow
+  npm run ast:gitflow -- -m "feat: add new feature"
+  npm run ast:gitflow -- --auto-merge
+  npm run ast:gitflow -- --pr-title "My PR Title" --auto-merge
+
+${COLORS.blue}What it does:${COLORS.reset}
+  1. Validates branch (must be feature/, fix/, etc.)
+  2. Commits uncommitted changes
+  3. Pushes to origin
+  4. Creates PR (requires gh CLI)
+  5. Optionally auto-merges PR
+  6. Cleans up merged branches
+  7. Syncs local branches with remote
+
+${COLORS.yellow}⚠️  Requires:${COLORS.reset}
+  - Git repository
+  - GitHub CLI (gh) for PR operations: https://cli.github.com/
+`);
+}
+
+function parseArgs(args) {
+    const options = {
+        commitMessage: null,
+        prTitle: null,
+        prBody: null,
+        autoMerge: false,
+        skipCleanup: false,
+        skipSync: false,
+        help: false
+    };
+
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        switch (arg) {
+            case '--commit-message':
+            case '-m':
+                options.commitMessage = args[++i];
+                break;
+            case '--pr-title':
+                options.prTitle = args[++i];
+                break;
+            case '--pr-body':
+                options.prBody = args[++i];
+                break;
+            case '--auto-merge':
+                options.autoMerge = true;
+                break;
+            case '--skip-cleanup':
+                options.skipCleanup = true;
+                break;
+            case '--skip-sync':
+                options.skipSync = true;
+                break;
+            case '--help':
+            case '-h':
+                options.help = true;
+                break;
+        }
+    }
+
+    return options;
+}
+
+function main() {
+    const args = process.argv.slice(2);
+    const options = parseArgs(args);
+
+    if (options.help) {
+        printUsage();
+        process.exit(0);
+    }
+
+    log(COLORS.magenta, '\n🐈 Pumuki Git Flow Cycle - Starting...\n');
+
+    try {
+        // Step 1: Validate branch
+        const branch = step1_validateBranch();
+        const baseBranch = getBaseBranch();
+
+        // Step 2: Commit changes
+        step2_commitChanges(options.commitMessage);
+
+        // Step 3: Push to origin
+        step3_pushToOrigin(branch);
+
+        // Step 4: Create PR
+        const prUrl = step4_createPR(branch, baseBranch, options.prTitle, options.prBody);
+
+        // Step 5: Merge PR (optional)
+        step5_mergePR(prUrl, options.autoMerge);
+
+        // Step 6: Cleanup branches
+        if (!options.skipCleanup) {
+            step6_cleanupBranches(baseBranch);
+        }
+
+        // Step 7: Sync branches
+        if (!options.skipSync) {
+            step7_syncBranches(baseBranch);
+        }
+
+        log(COLORS.green, '\n═══════════════════════════════════════════════════════════════');
+        log(COLORS.green, '✅ Git Flow Cycle Complete!');
+        log(COLORS.green, '═══════════════════════════════════════════════════════════════\n');
+
+    } catch (error) {
+        log(COLORS.red, `\n❌ Git Flow Cycle failed: ${error.message}`);
+        process.exit(1);
+    }
+}
+
+main();

package/scripts/hooks-system/bin/gitflow-release.js

@@ -0,0 +1,343 @@
+#!/usr/bin/env node
+/**
+ * Git Flow Release Cycle - Release automation
+ * 
+ * Executes the release cycle (develop → main):
+ * 1. Validates current branch (must be develop)
+ * 2. Syncs develop with origin
+ * 3. Creates PR from develop to main
+ * 4. Optionally merges PR
+ * 5. Syncs main with origin
+ */
+
+const { execSync } = require('child_process');
+
+const COLORS = {
+    reset: '\x1b[0m',
+    red: '\x1b[31m',
+    green: '\x1b[32m',
+    yellow: '\x1b[33m',
+    blue: '\x1b[34m',
+    cyan: '\x1b[36m',
+    magenta: '\x1b[35m'
+};
+
+function log(color, message) {
+    console.log(`${color}${message}${COLORS.reset}`);
+}
+
+function exec(cmd, options = {}) {
+    try {
+        return execSync(cmd, {
+            encoding: 'utf-8',
+            stdio: options.silent ? 'pipe' : 'inherit',
+            ...options
+        });
+    } catch (error) {
+        if (options.ignoreError) {
+            return null;
+        }
+        throw error;
+    }
+}
+
+function execSilent(cmd) {
+    try {
+        return execSync(cmd, { encoding: 'utf-8', stdio: 'pipe' }).trim();
+    } catch (error) {
+        return null;
+    }
+}
+
+function getCurrentBranch() {
+    return execSilent('git branch --show-current') || 'unknown';
+}
+
+function isProtectedBranch(branch) {
+    const protected = ['main', 'master', 'develop'];
+    return protected.includes(branch);
+}
+
+function hasUncommittedChanges() {
+    const status = execSilent('git status --porcelain');
+    return status && status.length > 0;
+}
+
+function isGitHubCliAvailable() {
+    return execSilent('gh auth status') !== null;
+}
+
+function prExists(base, head) {
+    return execSilent(`gh pr list --base ${base} --head ${head} --json number --jq '. | length'`) !== '0';
+}
+
+function getPrUrl(base, head) {
+    const output = execSilent(`gh pr list --base ${base} --head ${head} --json url --jq '.[0].url'`);
+    return output || null;
+}
+
+// ════════════════════════════════════════════════════════════════
+// MAIN CYCLE STEPS
+// ════════════════════════════════════════════════════════════════
+
+function step1_validateBranch() {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '📍 Step 1: Validate Branch');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    const branch = getCurrentBranch();
+    log(COLORS.blue, `Current branch: ${branch}`);
+
+    if (branch !== 'develop') {
+        log(COLORS.red, `\n❌ Release cycle must be run from develop branch`);
+        log(COLORS.yellow, `\nCurrent branch: ${branch}`);
+        log(COLORS.yellow, 'Switch to develop first:');
+        log(COLORS.yellow, '  git checkout develop');
+        process.exit(1);
+    }
+
+    if (hasUncommittedChanges()) {
+        log(COLORS.red, '\n❌ Uncommitted changes detected');
+        log(COLORS.yellow, 'Commit or stash changes before creating release');
+        process.exit(1);
+    }
+
+    log(COLORS.green, '✅ Branch validation passed');
+    return branch;
+}
+
+function step2_syncDevelop() {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '🔄 Step 2: Sync Develop');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    log(COLORS.blue, 'Fetching from origin...');
+    exec('git fetch origin', { silent: true });
+
+    log(COLORS.blue, 'Pulling latest changes from develop...');
+    exec('git pull origin develop', { silent: true });
+
+    log(COLORS.green, '✅ Develop synced');
+}
+
+function step3_syncMain() {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '🔄 Step 3: Sync Main');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    log(COLORS.blue, 'Fetching from origin...');
+    exec('git fetch origin', { silent: true });
+
+    log(COLORS.blue, 'Pulling latest changes from main...');
+    exec('git pull origin main', { silent: true });
+
+    log(COLORS.green, '✅ Main synced');
+}
+
+function step4_createReleasePR(prTitle, prBody) {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '📋 Step 4: Create Release PR');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    if (!isGitHubCliAvailable()) {
+        log(COLORS.yellow, '⚠️  GitHub CLI (gh) not available or not authenticated');
+        log(COLORS.yellow, '   Install: https://cli.github.com/');
+        log(COLORS.yellow, '   Auth: gh auth login');
+        log(COLORS.yellow, '\n   Create PR manually at GitHub.');
+        return null;
+    }
+
+    const base = 'main';
+    const head = 'develop';
+
+    if (prExists(base, head)) {
+        const existingPrUrl = getPrUrl(base, head);
+        log(COLORS.green, '✅ Release PR already exists');
+        log(COLORS.blue, `   PR: ${existingPrUrl}`);
+        return existingPrUrl;
+    }
+
+    const title = prTitle || `Release: ${new Date().toISOString().split('T')[0]}`;
+    const body = prBody || `## Release Summary\n\nAutomated release from develop to main\n\n## Changes\n${execSilent('git log --oneline origin/main..develop') || '- See commit history'}`;
+
+    log(COLORS.blue, `Creating release PR: ${title}`);
+    log(COLORS.blue, `Base: ${base} ← Head: ${head}`);
+
+    try {
+        const output = execSilent(`gh pr create --base ${base} --head ${head} --title "${title}" --body "${body.replace(/"/g, '\\"')}"`);
+        if (output) {
+            const urlMatch = output.match(/https:\/\/github\.com\/.*\/pull\/\d+/);
+            const prUrl = urlMatch ? urlMatch[0] : output;
+            log(COLORS.green, `✅ Release PR created: ${prUrl}`);
+            return prUrl;
+        }
+    } catch (error) {
+        log(COLORS.red, `❌ Failed to create PR: ${error.message}`);
+    }
+
+    return null;
+}
+
+function step5_mergeReleasePR(prUrl, autoMerge) {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '🔀 Step 5: Merge Release PR');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    if (!prUrl) {
+        log(COLORS.yellow, '⚠️  No PR URL available, skipping merge');
+        return false;
+    }
+
+    if (!autoMerge) {
+        log(COLORS.yellow, '⚠️  Auto-merge disabled. Merge PR manually.');
+        log(COLORS.blue, `   PR: ${prUrl}`);
+        return false;
+    }
+
+    log(COLORS.blue, 'Enabling auto-merge (squash)...');
+    try {
+        exec(`gh pr merge --auto --squash "${prUrl}"`, { ignoreError: true });
+        log(COLORS.green, '✅ Auto-merge enabled');
+        return true;
+    } catch (error) {
+        log(COLORS.yellow, '⚠️  Could not enable auto-merge (may require admin approval)');
+        return false;
+    }
+}
+
+function step6_tagRelease(version) {
+    log(COLORS.cyan, '\n═══════════════════════════════════════════════════════════════');
+    log(COLORS.cyan, '🏷️  Step 6: Tag Release');
+    log(COLORS.cyan, '═══════════════════════════════════════════════════════════════\n');
+
+    if (!version) {
+        log(COLORS.yellow, '⚠️  No version specified, skipping tag');
+        return;
+    }
+
+    log(COLORS.blue, `Creating tag: v${version}`);
+    try {
+        exec(`git tag -a v${version} -m "Release v${version}"`);
+        exec(`git push origin v${version}`);
+        log(COLORS.green, `✅ Tag v${version} created and pushed`);
+    } catch (error) {
+        log(COLORS.red, `❌ Failed to create tag: ${error.message}`);
+    }
+}
+
+// ════════════════════════════════════════════════════════════════
+// MAIN
+// ════════════════════════════════════════════════════════════════
+
+function printUsage() {
+    console.log(`
+${COLORS.cyan}═══════════════════════════════════════════════════════════════
+🐈 Pumuki Git Flow Release Cycle
+═══════════════════════════════════════════════════════════════${COLORS.reset}
+
+${COLORS.blue}Usage:${COLORS.reset} npm run ast:release [options]
+
+${COLORS.blue}Options:${COLORS.reset}
+  --pr-title <title>           Custom PR title
+  --pr-body <body>             Custom PR body
+  --auto-merge                 Enable auto-merge after PR creation
+  --tag <version>              Create and push git tag
+  --help, -h                   Show this help
+
+${COLORS.blue}Examples:${COLORS.reset}
+  npm run ast:release
+  npm run ast:release -- --auto-merge
+  npm run ast:release -- --tag 5.5.35 --auto-merge
+  npm run ast:release -- --pr-title "Release v5.5.35" --auto-merge
+
+${COLORS.blue}What it does:${COLORS.reset}
+  1. Validates branch (must be develop)
+  2. Syncs develop with origin
+  3. Syncs main with origin
+  4. Creates PR: develop → main
+  5. Optionally auto-merges PR
+  6. Optionally creates git tag
+
+${COLORS.yellow}⚠️  Requires:${COLORS.reset}
+  - Git repository
+  - GitHub CLI (gh) for PR operations: https://cli.github.com/
+  - Must be on develop branch
+  - No uncommitted changes
+`);
+}
+
+function parseArgs(args) {
+    const options = {
+        prTitle: null,
+        prBody: null,
+        autoMerge: false,
+        tag: null,
+        help: false
+    };
+
+    for (let i = 0; i < args.length; i++) {
+        const arg = args[i];
+        switch (arg) {
+            case '--pr-title':
+                options.prTitle = args[++i];
+                break;
+            case '--pr-body':
+                options.prBody = args[++i];
+                break;
+            case '--auto-merge':
+                options.autoMerge = true;
+                break;
+            case '--tag':
+                options.tag = args[++i];
+                break;
+            case '--help':
+            case '-h':
+                options.help = true;
+                break;
+        }
+    }
+
+    return options;
+}
+
+function main() {
+    const args = process.argv.slice(2);
+    const options = parseArgs(args);
+
+    if (options.help) {
+        printUsage();
+        process.exit(0);
+    }
+
+    log(COLORS.magenta, '\n🐈 Pumuki Git Flow Release Cycle - Starting...\n');
+
+    try {
+        // Step 1: Validate branch
+        step1_validateBranch();
+
+        // Step 2: Sync develop
+        step2_syncDevelop();
+
+        // Step 3: Sync main
+        step3_syncMain();
+
+        // Step 4: Create release PR
+        const prUrl = step4_createReleasePR(options.prTitle, options.prBody);
+
+        // Step 5: Merge PR (optional)
+        step5_mergeReleasePR(prUrl, options.autoMerge);
+
+        // Step 6: Tag release (optional)
+        step6_tagRelease(options.tag);
+
+        log(COLORS.green, '\n═══════════════════════════════════════════════════════════════');
+        log(COLORS.green, '✅ Git Flow Release Cycle Complete!');
+        log(COLORS.green, '═══════════════════════════════════════════════════════════════\n');
+
+    } catch (error) {
+        log(COLORS.red, `\n❌ Git Flow Release Cycle failed: ${error.message}`);
+        process.exit(1);
+    }
+}
+
+main();

package/scripts/hooks-system/config/project.config.json

@@ -5,7 +5,7 @@
     "platforms": [
       "backend"
     ],
-    "created": "2025-12-31T11:37:15.219Z"
+    "created": "2026-01-04T19:10:44.947Z"
   },
   "architecture": {
     "pattern": "FEATURE_FIRST_CLEAN_DDD",

package/scripts/hooks-system/infrastructure/ast/ios/analyzers/iOSEnterpriseAnalyzer.js

@@ -294,7 +294,13 @@ class iOSEnterpriseAnalyzer {
         'Network code without custom NetworkError enum');
     }
 
-    if (content.includes('URLSession') && !content.includes('serverTrustPolicy') && !content.includes('pinning')) {
+    // Check for SSL pinning implementation
+    const hasSSLPinningImplementation =
+      content.includes('serverTrustPolicy') ||
+      content.includes('pinning') ||
+      (content.includes('URLSessionDelegate') && content.includes('URLAuthenticationChallenge'));
+
+    if (content.includes('URLSession') && !hasSSLPinningImplementation) {
       this.addFinding('ios.networking.missing_ssl_pinning', 'medium', filePath, 1,
         'Consider SSL pinning for high-security apps');
     }

package/scripts/hooks-system/infrastructure/ast/ios/ast-ios.js

@@ -1544,7 +1544,13 @@ async function runIOSIntelligence(project, findings, platform) {
       );
     }
 
-    if (content.includes('URLSession') && content.includes('https') && !content.includes('ServerTrustPolicy') && !content.includes('pinning')) {
+    // Check for SSL pinning implementation
+    const hasSSLPinningImplementation =
+      content.includes('ServerTrustPolicy') ||
+      content.includes('pinning') ||
+      (content.includes('URLSessionDelegate') && content.includes('URLAuthenticationChallenge'));
+
+    if (content.includes('URLSession') && content.includes('https') && !hasSSLPinningImplementation) {
       if (content.includes('production') || content.includes('release')) {
         pushFinding(
           "ios.security.missing_ssl_pinning",