pumuki-ast-hooks 5.6.5 → 5.6.6

package/scripts/hooks-system/bin/update-evidence.sh

@@ -26,3 +26,11 @@ fi
 
 AUTO_EVIDENCE_TRIGGER="$AUTO_TRIGGER" AUTO_EVIDENCE_REASON="$AUTO_REASON" AUTO_EVIDENCE_SUMMARY="$AUTO_SUMMARY" \
   node "$CLI" evidence:full-update
+
+EXIT_CODE=$?
+if [[ "$EXIT_CODE" -ne 0 ]]; then
+  echo " Evidence updated but gate reported violations (exit code: $EXIT_CODE)." >&2
+  exit 0
+fi
+
+exit 0

package/scripts/hooks-system/infrastructure/ast/android/analyzers/AndroidSOLIDAnalyzer.js

@@ -20,6 +20,34 @@ class AndroidSOLIDAnalyzer {
         this.findings = [];
     }
 
+    analyzeOCP(sf, findings, pushFinding) {
+        return analyzeOCP(sf, findings, pushFinding);
+    }
+
+    analyzeDIP(sf, findings, pushFinding) {
+        return analyzeDIP(sf, findings, pushFinding);
+    }
+
+    analyzeSRP(sf, findings, pushFinding) {
+        return analyzeSRP(sf, findings, pushFinding);
+    }
+
+    analyzeISP(sf, findings, pushFinding) {
+        return analyzeISP(sf, findings, pushFinding);
+    }
+
+    detectMethodConcern(methodName) {
+        const name = String(methodName || '').toLowerCase();
+
+        if (/^(get|fetch|load|read|find|query)/.test(name)) return 'data-access';
+        if (/^(set|update|save|create|delete|remove|insert)/.test(name)) return 'data-mutation';
+        if (/^(validate|verify|check|ensure)/.test(name)) return 'validation';
+        if (/^(format|map|transform|convert|parse)/.test(name)) return 'transformation';
+        if (/^(render|draw|display|show)/.test(name)) return 'rendering';
+
+        return 'unknown';
+    }
+
     /**
      * Analyze source file for SOLID violations
      * @param {SourceFile} sf - TypeScript morph source file
@@ -33,11 +61,11 @@ class AndroidSOLIDAnalyzer {
         this.findings = findings;
         this.pushFinding = pushFinding;
 
-        analyzeOCP(sf, findings, pushFinding);
-        analyzeDIP(sf, findings, pushFinding);
-        analyzeSRP(sf, findings, pushFinding);
-        analyzeISP(sf, findings, pushFinding);
+        this.analyzeOCP(sf, findings, pushFinding);
+        this.analyzeDIP(sf, findings, pushFinding);
+        this.analyzeSRP(sf, findings, pushFinding);
+        this.analyzeISP(sf, findings, pushFinding);
     }
 }
 
-module.exports = AndroidSOLIDAnalyzer;
+module.exports = { AndroidSOLIDAnalyzer };

package/scripts/hooks-system/infrastructure/ast/backend/ast-backend.js

@@ -236,6 +236,7 @@ function runBackendIntelligence(project, findings, platform) {
 
     for (const match of matches) {
       const fullMatch = match[0];
+      const secretField = String(match[1] || '').toLowerCase();
       const secretValue = match[2];
 
       const matchIndex = match.index || 0;
@@ -274,6 +275,11 @@ function runBackendIntelligence(project, findings, platform) {
 
       const matchesSecretEntropyPattern = secretEntropyPattern.test(secretValue);
 
+      const isGenericKeyField = secretField === 'key';
+      const isLikelyNonSecretKeyValue = isGenericKeyField &&
+        secretValue.length < 20 &&
+        !matchesSecretEntropyPattern;
+
       const isConstantKey = /(?:const|let|var)\s+\w*(?:KEY|TOKEN|STORAGE)\s*=/i.test(fullLine) &&
         secretValue.length < 30 &&
         !matchesSecretEntropyPattern;
@@ -281,7 +287,7 @@ function runBackendIntelligence(project, findings, platform) {
 
       const isTestData = isTestFilePath && secretValue.length < 50 && !matchesSecretEntropyPattern;
 
-      if (!isEnvVar && !isPlaceholder && !isKnownConfigValue && !isComment && !isRuleDefinition && !isTestContext && !isStorageKey && !isCacheKey && !isConstantKey && !isRolesDecorator && !isTestData && secretValue.length >= 8) {
+      if (!isEnvVar && !isPlaceholder && !isKnownConfigValue && !isComment && !isRuleDefinition && !isTestContext && !isStorageKey && !isCacheKey && !isLikelyNonSecretKeyValue && !isConstantKey && !isRolesDecorator && !isTestData && secretValue.length >= 8) {
         pushFinding("backend.config.secrets_in_code", "critical", sf, sf, "Hardcoded secret detected - replace with environment variable (process.env)", findings);
       }
     }

package/scripts/hooks-system/infrastructure/ast/common/__tests__/ast-common.spec.js

@@ -1,3 +1,8 @@
+jest.mock('../BDDTDDWorkflowRules', () => ({
+  BDDTDDWorkflowRules: jest.fn().mockImplementation(() => ({ analyze: jest.fn() }))
+}));
+
+const { Project } = require('../../ast-core');
 const { runCommonIntelligence } = require('../ast-common');
 
 describe('AST Common Module', () => {
@@ -9,6 +14,20 @@ describe('AST Common Module', () => {
     it('should be callable', () => {
       expect(runCommonIntelligence).toBeDefined();
     });
+
+    it('does not apply makeSUT/trackForMemoryLeaks rules to Jest spec files', () => {
+      const project = new Project({
+        useInMemoryFileSystem: true,
+        skipAddingFilesFromTsConfig: true,
+      });
+      project.createSourceFile('/tmp/foo.spec.js', "import XCTest\n\ndescribe('x', () => {})");
+
+      const findings = [];
+      runCommonIntelligence(project, findings);
+
+      expect(findings.some(f => f.ruleId === 'common.testing.missing_makesut')).toBe(false);
+      expect(findings.some(f => f.ruleId === 'common.testing.missing_track_for_memory_leaks')).toBe(false);
+    });
   });
 
   describe('exports', () => {

package/scripts/hooks-system/infrastructure/ast/common/ast-common.js

@@ -210,26 +210,31 @@ function runCommonIntelligence(project, findings) {
     if (isTestFilePath(filePath)) {
       const content = sf.getFullText();
 
-      if (!shouldSkipMakeSUTRule(filePath) && !hasMakeSUT(content)) {
-        pushFinding(
-          'common.testing.missing_makesut',
-          'high',
-          sf,
-          sf,
-          'Test file without makeSUT factory - use makeSUT pattern for consistent DI and teardown',
-          findings
-        );
-      }
+      const ext = path.extname(filePath).toLowerCase();
+      const isSwiftOrKotlinTest = ext === '.swift' || ext === '.kt' || ext === '.kts';
 
-      if (!shouldSkipTrackForMemoryLeaksRule(filePath) && !hasTrackForMemoryLeaksEvidence(content)) {
-        pushFinding(
-          'common.testing.missing_track_for_memory_leaks',
-          'critical',
-          sf,
-          sf,
-          'Test file without trackForMemoryLeaks - add memory leak tracking to prevent leaks and cross-test interference',
-          findings
-        );
+      if (isSwiftOrKotlinTest) {
+        if (!shouldSkipMakeSUTRule(filePath) && !hasMakeSUT(content)) {
+          pushFinding(
+            'common.testing.missing_makesut',
+            'high',
+            sf,
+            sf,
+            'Test file without makeSUT factory - use makeSUT pattern for consistent DI and teardown',
+            findings
+          );
+        }
+
+        if (!shouldSkipTrackForMemoryLeaksRule(filePath) && !hasTrackForMemoryLeaksEvidence(content)) {
+          pushFinding(
+            'common.testing.missing_track_for_memory_leaks',
+            'critical',
+            sf,
+            sf,
+            'Test file without trackForMemoryLeaks - add memory leak tracking to prevent leaks and cross-test interference',
+            findings
+          );
+        }
       }
 
       if (!shouldSkipSpyOverMockRule(filePath)) {

package/scripts/hooks-system/infrastructure/ast/ios/__tests__/forbidden-testable-import.spec.js

@@ -0,0 +1,21 @@
+const { detectForbiddenTestableImport } = require('../ast-ios');
+
+describe('ios.imports.forbidden_testable', () => {
+    it('returns a finding when @testable is present in XCTest test file', () => {
+        const filePath = '/SomeModule/Tests/FooTests.swift';
+        const content = 'import XCTest\n@testable import Foo\nfinal class FooTests: XCTestCase {}';
+
+        const finding = detectForbiddenTestableImport({ filePath, content });
+
+        expect(finding).not.toBeNull();
+        expect(finding.ruleId).toBe('ios.imports.forbidden_testable');
+        expect(finding.severity).toBe('high');
+    });
+
+    it('returns null when @testable is not present', () => {
+        const filePath = '/SomeModule/Tests/FooTests.swift';
+        const content = 'import XCTest\nimport Foo\nfinal class FooTests: XCTestCase {}';
+
+        expect(detectForbiddenTestableImport({ filePath, content })).toBeNull();
+    });
+});

package/scripts/hooks-system/infrastructure/ast/ios/__tests__/missing-makesut-leaks.spec.js

@@ -0,0 +1,64 @@
+const { detectMissingMakeSUT, detectMissingLeakTracking } = require('../ast-ios');
+
+describe('iOS testing rules - makeSUT / leak tracking', () => {
+    it('flags missing makeSUT as HIGH when tests exist', () => {
+        const filePath = '/SomeModule/Tests/FooTests.swift';
+        const content = [
+            'import XCTest',
+            'final class FooTests: XCTestCase {',
+            '  func test_one() { XCTAssertTrue(true) }',
+            '}'
+        ].join('\n');
+
+        const finding = detectMissingMakeSUT({ filePath, content });
+        expect(finding).not.toBeNull();
+        expect(finding.ruleId).toBe('ios.testing.missing_make_sut');
+        expect(finding.severity).toBe('high');
+    });
+
+    it('does not flag missing makeSUT when file defines makeSUT()', () => {
+        const filePath = '/SomeModule/Tests/FooTests.swift';
+        const content = [
+            'import XCTest',
+            'final class FooTests: XCTestCase {',
+            '  func makeSUT() -> Foo { Foo() }',
+            '  func test_one() { let _ = makeSUT() }',
+            '}'
+        ].join('\n');
+
+        expect(detectMissingMakeSUT({ filePath, content })).toBeNull();
+    });
+
+    it('flags missing leak tracking as HIGH when tests exist and no tracking is present', () => {
+        const filePath = '/SomeModule/Tests/FooTests.swift';
+        const content = [
+            'import XCTest',
+            'final class FooTests: XCTestCase {',
+            '  func makeSUT() -> Foo { Foo() }',
+            '  func test_one() { let _ = makeSUT() }',
+            '}'
+        ].join('\n');
+
+        const finding = detectMissingLeakTracking({ filePath, content });
+        expect(finding).not.toBeNull();
+        expect(finding.ruleId).toBe('ios.testing.missing_leak_tracking');
+        expect(finding.severity).toBe('high');
+    });
+
+    it('does not flag leak tracking when makeSUT includes trackForMemoryLeaks', () => {
+        const filePath = '/SomeModule/Tests/FooTests.swift';
+        const content = [
+            'import XCTest',
+            'final class FooTests: XCTestCase {',
+            '  func makeSUT() -> Foo {',
+            '    let sut = Foo()',
+            '    trackForMemoryLeaks(sut)',
+            '    return sut',
+            '  }',
+            '  func test_one() { _ = makeSUT() }',
+            '}'
+        ].join('\n');
+
+        expect(detectMissingLeakTracking({ filePath, content })).toBeNull();
+    });
+});

package/scripts/hooks-system/infrastructure/ast/ios/ast-ios.js

@@ -18,6 +18,48 @@ const { iOSForbiddenLiteralsAnalyzer } = require(path.join(__dirname, 'analyzers
 const { iOSASTIntelligentAnalyzer } = require(path.join(__dirname, 'analyzers/iOSASTIntelligentAnalyzer'));
 const { iOSModernPracticesRules } = require(path.join(__dirname, 'analyzers/iOSModernPracticesRules'));
 
+function detectForbiddenTestableImport({ filePath, content }) {
+  if (!filePath || !content) return null;
+  if (!filePath.includes('Tests')) return null;
+  if (!content.includes('XCTest')) return null;
+  if (!/@testable\s+import\b/.test(content)) return null;
+  return {
+    ruleId: 'ios.imports.forbidden_testable',
+    severity: 'high',
+    message: 'Forbidden @testable import in tests - expose required production APIs as public/open (or via a dedicated TestUtilities module) instead of using @testable'
+  };
+}
+
+function detectMissingMakeSUT({ filePath, content }) {
+  if (!filePath || !content) return null;
+  if (!filePath.includes('Test')) return null;
+  if (!content.includes('XCTest')) return null;
+  const hasTests = /func\s+test\w*\s*\(/.test(content);
+  if (!hasTests) return null;
+  const hasMakeSUT = /func\s+makeSUT\b/.test(content);
+  if (hasMakeSUT) return null;
+  return {
+    ruleId: 'ios.testing.missing_make_sut',
+    severity: 'high',
+    message: 'Test file missing makeSUT() factory - extract SUT creation for reuse and to enable consistent leak tracking.'
+  };
+}
+
+function detectMissingLeakTracking({ filePath, content }) {
+  if (!filePath || !content) return null;
+  if (!filePath.includes('Test')) return null;
+  if (!content.includes('XCTest')) return null;
+  const hasTests = /func\s+test\w*\s*\(/.test(content);
+  if (!hasTests) return null;
+  const hasLeakTracking = content.includes('trackForMemoryLeaks') || content.includes('addTeardownBlock');
+  if (hasLeakTracking) return null;
+  return {
+    ruleId: 'ios.testing.missing_leak_tracking',
+    severity: 'high',
+    message: 'Test file missing memory leak tracking (trackForMemoryLeaks/addTeardownBlock). Template:\n\nfunc makeSUT() -> SUT {\n    let sut = SUT()\n    trackForMemoryLeaks(sut)\n    return sut\n}\n\nfunc test_example() {\n    let sut = makeSUT()\n    // ...\n}'
+  };
+}
+
 /**
  * Run iOS-specific AST intelligence analysis
  * Uses both TypeScript AST (for .ts/.tsx) and SourceKitten (for .swift)
@@ -863,28 +905,28 @@ async function runIOSIntelligence(project, findings, platform) {
     }
 
 
-    if (filePath.includes('Test') && content.includes('XCTest')) {
-      if (!content.includes('makeSUT') && !content.includes('func make')) {
-        pushFinding(
-          "ios.testing.missing_make_sut",
-          "medium",
-          sf,
-          sf,
-          'Test file without makeSUT factory - extract SUT creation for reusability',
-          findings
-        );
-      }
+    const missingMakeSUT = detectMissingMakeSUT({ filePath, content });
+    if (missingMakeSUT) {
+      pushFinding(
+        missingMakeSUT.ruleId,
+        missingMakeSUT.severity,
+        sf,
+        sf,
+        missingMakeSUT.message,
+        findings
+      );
+    }
 
-      if (!content.includes('trackForMemoryLeaks') && !content.includes('addTeardownBlock')) {
-        pushFinding(
-          "ios.testing.missing_leak_tracking",
-          "medium",
-          sf,
-          sf,
-          'Test file without memory leak tracking - add trackForMemoryLeaks helper',
-          findings
-        );
-      }
+    const missingLeakTracking = detectMissingLeakTracking({ filePath, content });
+    if (missingLeakTracking) {
+      pushFinding(
+        missingLeakTracking.ruleId,
+        missingLeakTracking.severity,
+        sf,
+        sf,
+        missingLeakTracking.message,
+        findings
+      );
     }
 
     if (!filePath.includes('Test') && (content.includes('Mock') || content.includes('Spy') || content.includes('Stub'))) {
@@ -1704,17 +1746,16 @@ async function runIOSIntelligence(project, findings, platform) {
       }
     }
 
-    if (filePath.includes('Tests') && content.includes('import ') && !content.includes('@testable')) {
-      if (content.includes('XCTest')) {
-        pushFinding(
-          "ios.testing.missing_testable",
-          "low",
-          sf,
-          sf,
-          'Test file without @testable import - use @testable for accessing internal types',
-          findings
-        );
-      }
+    const forbiddenTestable = detectForbiddenTestableImport({ filePath, content });
+    if (forbiddenTestable) {
+      pushFinding(
+        forbiddenTestable.ruleId,
+        forbiddenTestable.severity,
+        sf,
+        sf,
+        forbiddenTestable.message,
+        findings
+      );
     }
 
     if (content.includes('protocol') && !content.includes('extension') && (content.match(/func\s+\w+/g) || []).length > 3) {
@@ -2224,4 +2265,4 @@ async function runIOSIntelligence(project, findings, platform) {
   });
 }
 
-module.exports = { runIOSIntelligence };
+module.exports = { runIOSIntelligence, detectForbiddenTestableImport, detectMissingMakeSUT, detectMissingLeakTracking };

package/scripts/hooks-system/infrastructure/ast/ios/detectors/__tests__/ios-encapsulation-public-mutable.spec.js

@@ -0,0 +1,63 @@
+const { analyzePropertyAST } = require('../ios-ast-intelligent-strategies');
+
+describe('ios.encapsulation.public_mutable', () => {
+    function makeAnalyzer() {
+        const findings = [];
+        return {
+            findings,
+            getAttributes: () => [],
+            pushFinding: (ruleId, severity, filePath, line, message) => {
+                findings.push({ ruleId, severity, filePath, line, message });
+            }
+        };
+    }
+
+    it('does not flag public computed get-only property', () => {
+        const analyzer = makeAnalyzer();
+        const node = {
+            'key.name': 'state',
+            'key.line': 10,
+            'key.kind': 'source.lang.swift.decl.var.instance',
+            'key.accessibility': 'source.lang.swift.accessibility.public',
+            'key.substructure': [
+                { 'key.kind': 'source.lang.swift.decl.function.accessor.get' }
+            ]
+        };
+
+        analyzePropertyAST(analyzer, node, '/tmp/Foo.swift');
+
+        expect(analyzer.findings.find(f => f.ruleId === 'ios.encapsulation.public_mutable')).toBeUndefined();
+    });
+
+    it('flags public stored property (mutable)', () => {
+        const analyzer = makeAnalyzer();
+        const node = {
+            'key.name': 'state',
+            'key.line': 10,
+            'key.kind': 'source.lang.swift.decl.var.instance',
+            'key.accessibility': 'source.lang.swift.accessibility.public'
+        };
+
+        analyzePropertyAST(analyzer, node, '/tmp/Foo.swift');
+
+        expect(analyzer.findings.find(f => f.ruleId === 'ios.encapsulation.public_mutable')).toBeDefined();
+    });
+
+    it('flags public computed property with setter', () => {
+        const analyzer = makeAnalyzer();
+        const node = {
+            'key.name': 'state',
+            'key.line': 10,
+            'key.kind': 'source.lang.swift.decl.var.instance',
+            'key.accessibility': 'source.lang.swift.accessibility.public',
+            'key.substructure': [
+                { 'key.kind': 'source.lang.swift.decl.function.accessor.get' },
+                { 'key.kind': 'source.lang.swift.decl.function.accessor.set' }
+            ]
+        };
+
+        analyzePropertyAST(analyzer, node, '/tmp/Foo.swift');
+
+        expect(analyzer.findings.find(f => f.ruleId === 'ios.encapsulation.public_mutable')).toBeDefined();
+    });
+});

package/scripts/hooks-system/infrastructure/ast/ios/detectors/__tests__/ios-unused-imports.spec.js

@@ -0,0 +1,34 @@
+const { analyzeImportsAST } = require('../ios-ast-intelligent-strategies');
+
+describe('ios.imports.unused', () => {
+    function makeAnalyzer({ fileContent, allNodes }) {
+        const findings = [];
+        return {
+            fileContent,
+            allNodes,
+            imports: [],
+            functions: [],
+            hasAttribute: () => false,
+            pushFinding: (ruleId, severity, filePath, line, message) => {
+                findings.push({ ruleId, severity, filePath, line, message });
+            },
+            findings,
+        };
+    }
+
+    it('does not report unused imports when types use the module name as a prefix', () => {
+        const filePath = '/tmp/Foo.swift';
+        const analyzer = makeAnalyzer({
+            fileContent: 'import Authentication\n\nstruct Foo { let s: AuthenticationState }',
+            allNodes: [
+                { 'key.typename': 'AuthenticationState' },
+            ]
+        });
+
+        analyzer.imports = [{ name: 'Authentication', line: 1 }];
+
+        analyzeImportsAST(analyzer, filePath);
+
+        expect(analyzer.findings.find(f => f.ruleId === 'ios.imports.unused')).toBeUndefined();
+    });
+});

package/scripts/hooks-system/infrastructure/ast/ios/detectors/ios-ast-intelligent-strategies.js

@@ -84,6 +84,9 @@ function extractImports(analyzer) {
 }
 
 function analyzeImportsAST(analyzer, filePath) {
+    if (filePath.includes('Tests')) {
+        return;
+    }
     const importNames = analyzer.imports.map((i) => i.name);
 
     const hasUIKit = importNames.includes('UIKit');
@@ -112,8 +115,10 @@ function analyzeImportsAST(analyzer, filePath) {
         );
     }
 
+    const unusedImportAllowlist = new Set(['Foundation', 'SwiftUI', 'UIKit', 'Combine']);
+
     for (const imp of analyzer.imports) {
-        if (['Foundation', 'SwiftUI', 'UIKit', 'Combine'].includes(imp.name)) continue;
+        if (!unusedImportAllowlist.has(imp.name)) continue;
 
         const isUsed = analyzer.allNodes.some((n) => {
             const typename = n['key.typename'] || '';
@@ -441,7 +446,13 @@ function analyzePropertyAST(analyzer, node, filePath) {
     const isPublic = (node['key.accessibility'] || '').includes('public');
     const isInstance = kind.includes('var.instance');
 
-    if (isPublic && isInstance && !attributes.includes('setter_access')) {
+    const sub = Array.isArray(node['key.substructure']) ? node['key.substructure'] : [];
+    const hasAccessorGet = sub.some(s => (s['key.kind'] || '').includes('accessor.get'));
+    const hasAccessorSet = sub.some(s => (s['key.kind'] || '').includes('accessor.set'));
+    const isComputed = hasAccessorGet || hasAccessorSet;
+    const isMutable = isComputed ? hasAccessorSet : true;
+
+    if (isPublic && isInstance && isMutable && !attributes.includes('setter_access')) {
         analyzer.pushFinding('ios.encapsulation.public_mutable', 'medium', filePath, line, `Public mutable property '${name}' - consider private(set)`);
     }
 }
@@ -801,5 +812,7 @@ module.exports = {
     resetCollections,
     collectAllNodes,
     analyzeCollectedNodes,
+    analyzeImportsAST,
+    analyzePropertyAST,
     finalizeGodClassDetection,
 };

package/scripts/hooks-system/infrastructure/mcp/__tests__/preflight-check-blocks-tests.spec.js

@@ -0,0 +1,14 @@
+const { preFlightCheck } = require('../ast-intelligence-automation');
+
+describe('pre_flight_check - tests are first-class', () => {
+    it('blocks test edits when AST analysis finds CRITICAL violations', () => {
+        const result = preFlightCheck({
+            action_type: 'edit',
+            target_file: '/SomeModule/Tests/FooTests.swift',
+            proposed_code: 'import XCTest\nfinal class FooTests: XCTestCase { func testX() { do { } catch { } } }'
+        });
+
+        expect(result.allowed).toBe(false);
+        expect(result.blocked).toBe(true);
+    });
+});