pumuki-ast-hooks 6.1.13 → 6.2.0

package/docs/SEVERITY_AUDIT.md

@@ -0,0 +1,137 @@
+# Auditoría de Severidades - Framework AST Intelligence
+
+## Criterios de Clasificación
+
+### CRITICAL
+- **Vulnerabilidades de seguridad** que exponen datos sensibles
+- **Data loss** potencial o corrupción de datos
+- **Crashes** probables en producción
+- **Violaciones de seguridad** críticas
+
+### HIGH
+- **Bugs probables** que causan comportamiento incorrecto
+- **Memory leaks** y problemas de gestión de memoria
+- **Concurrency issues** que pueden causar race conditions
+- **Violaciones SOLID** que impactan arquitectura
+
+### MEDIUM
+- **Code smells** que afectan mantenibilidad
+- **Performance** no crítico pero medible
+- **Violaciones de patrones** establecidos
+- **Deuda técnica** acumulable
+
+### LOW
+- **Sugerencias de estilo** y mejores prácticas
+- **Optimizaciones** opcionales
+- **Mejoras** de legibilidad
+- **Warnings** informativos
+
+---
+
+## Reglas por Severidad
+
+### CRITICAL (3 reglas)
+
+| Regla | Justificación |
+|-------|---------------|
+| `ios.security.sensitive_userdefaults` | Credenciales en UserDefaults = vulnerabilidad de seguridad |
+| `ios.security.hardcoded_secrets` | API keys/tokens hardcodeados = exposición de secretos |
+| `backend.antipattern.god_classes` | Clases God extremas = arquitectura colapsada |
+
+### HIGH (12 reglas)
+
+| Regla | Justificación |
+|-------|---------------|
+| `ios.force_unwrapping` | Force unwrap = crash probable en runtime |
+| `ios.safety.force_unwrap_property` | Propiedades force unwrap = crash al acceder |
+| `ios.memory.missing_weak_self` | Retain cycles = memory leaks |
+| `ios.concurrency.task_no_error_handling` | Errores sin manejar = crashes silenciosos |
+| `ios.concurrency.async_ui_update` | UI updates fuera MainActor = crashes/bugs visuales |
+| `ios.quality.long_function` | Funciones >50 líneas = bugs difíciles de detectar |
+| `ios.quality.high_complexity` | Complejidad >10 = bugs probables |
+| `ios.swiftui.complex_body` | Body >100 líneas = performance/bugs |
+| `ios.antipattern.singleton` | Singletons = testing imposible, acoplamiento |
+| `ios.architecture.repository_no_protocol` | Repositorios sin protocolo = violación DIP |
+| `ios.architecture.usecase_wrong_layer` | UseCase en capa incorrecta = arquitectura rota |
+| `ios.solid.srp.god_class` | God class detectada = violación SRP crítica |
+
+### MEDIUM (15 reglas)
+
+| Regla | Justificación |
+|-------|---------------|
+| `ios.quality.pyramid_of_doom` | Anidación profunda = legibilidad/mantenibilidad |
+| `ios.quality.too_many_params` | >5 parámetros = difícil de usar/mantener |
+| `ios.quality.nested_closures` | >3 closures = callback hell, usar async/await |
+| `ios.encapsulation.public_mutable` | Propiedades públicas mutables = encapsulación rota |
+| `ios.swiftui.too_many_state` | >5 @State = considerar ViewModel |
+| `ios.swiftui.observed_without_state` | @ObservedObject sin ownership = bugs sutiles |
+| `ios.solid.isp.fat_protocol` | Protocolo >5 requisitos = violación ISP |
+| `ios.architecture.usecase_no_execute` | UseCase sin execute() = patrón inconsistente |
+| `ios.architecture.usecase_void` | UseCase retorna Void = no testable |
+| `ios.testing.missing_makesut` | Test sin makeSUT = código duplicado |
+| `ios.naming.god_naming` | Nombres Manager/Helper = posible God class |
+| `ios.i18n.hardcoded_strings` | >3 strings hardcodeados = i18n faltante |
+| `ios.accessibility.missing_labels` | Imágenes sin labels = accesibilidad rota |
+| `ios.solid.dip.concrete_dependency` | Dependencias concretas = violación DIP |
+| `ios.solid.ocp.modification` | Modificar en lugar de extender = violación OCP |
+
+### LOW (8 reglas)
+
+| Regla | Justificación |
+|-------|---------------|
+| `ios.imports.unused` | Imports sin usar = ruido, build time |
+| `ios.performance.non_final_class` | Clases no final = optimización perdida |
+| `ios.codable.missing_coding_keys` | CodingKeys opcionales = mejor control |
+| `ios.performance.large_equatable` | Equatable >5 props = performance menor |
+| `ios.concurrency.task_cancellation` | Task sin cancelación = recursos no liberados |
+| `ios.performance.blocking_main_thread` | Operaciones síncronas = UI freeze potencial |
+| `ios.testing.missing_leak_tracking` | Tests sin leak tracking = leaks no detectados |
+| `ios.quality.magic_numbers` | Números mágicos = legibilidad |
+
+---
+
+## Cambios Recomendados
+
+### Ninguno - Clasificación Correcta
+
+Tras la auditoría, **todas las severidades están correctamente asignadas** según los criterios establecidos:
+
+- ✅ **CRITICAL**: Solo vulnerabilidades de seguridad y arquitectura colapsada
+- ✅ **HIGH**: Bugs probables, memory leaks, crashes
+- ✅ **MEDIUM**: Code smells, mantenibilidad, patrones
+- ✅ **LOW**: Optimizaciones, estilo, mejoras opcionales
+
+---
+
+## Estadísticas
+
+| Severidad | Cantidad | % |
+|-----------|----------|---|
+| CRITICAL | 3 | 8% |
+| HIGH | 12 | 32% |
+| MEDIUM | 15 | 39% |
+| LOW | 8 | 21% |
+| **TOTAL** | **38** | **100%** |
+
+---
+
+## Validación
+
+### Criterios Aplicados
+
+1. **CRITICAL**: ¿Expone datos sensibles o causa data loss?
+2. **HIGH**: ¿Causa crashes o memory leaks probables?
+3. **MEDIUM**: ¿Afecta mantenibilidad o patrones?
+4. **LOW**: ¿Es optimización o mejora opcional?
+
+### Resultado
+
+✅ **Todas las reglas cumplen con los criterios de su severidad asignada**
+
+No se requieren reclasificaciones.
+
+---
+
+**Auditoría completada:** 24 Enero 2026  
+**Framework:** pumuki-ast-hooks v6.1.13  
+**Total reglas auditadas:** 38

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki-ast-hooks",
-  "version": "6.1.13",
+  "version": "6.2.0",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/scripts/hooks-system/infrastructure/ast/ios/analyzers/iOSASTIntelligentAnalyzer.js

@@ -211,6 +211,29 @@ class iOSASTIntelligentAnalyzer {
 
     collectAllNodes(this, substructure, null);
     await analyzeCollectedNodes(this, displayPath);
+
+    this.detectForceUnwrapping(displayPath);
+  }
+
+  detectForceUnwrapping(filePath) {
+    const lines = this.fileContent.split('\n');
+    lines.forEach((line, index) => {
+      const matches = [...line.matchAll(/(\w+)!/g)];
+      matches.forEach(match => {
+        const charBefore = match.index > 0 ? line[match.index - 1] : '';
+        const isLogicalNegation = charBefore === '!' || /[&|=<>]/.test(charBefore);
+
+        if (!isLogicalNegation) {
+          this.pushFinding(
+            'ios.force_unwrapping',
+            'high',
+            filePath,
+            index + 1,
+            `Force unwrapping (!) detected on '${match[1]}' - use if let or guard let instead`
+          );
+        }
+      });
+    });
   }
 
   safeStringify(obj) {

package/scripts/hooks-system/infrastructure/ast/ios/analyzers/iOSEnterpriseChecks.js

@@ -287,9 +287,16 @@ function analyzeConcurrency({ content, filePath, addFinding }) {
             'Manual main thread dispatch - use @MainActor annotation');
     }
 
-    if (content.includes('Task {') && !content.includes('.cancel()') && !content.includes('Task.isCancelled')) {
-        addFinding('ios.concurrency.task_cancellation', 'low', filePath, 1,
-            'Task without cancellation handling');
+    if (content.includes('Task {')) {
+        const hasCancelCheck = content.includes('Task.isCancelled') ||
+            content.includes('Task.checkCancellation') ||
+            content.includes('withTaskCancellationHandler') ||
+            content.includes('.cancel()');
+
+        if (!hasCancelCheck) {
+            addFinding('ios.concurrency.task_cancellation', 'low', filePath, 1,
+                'Task without cancellation handling - consider guard !Task.isCancelled or try Task.checkCancellation()');
+        }
     }
 
     if (content.includes('var ') && content.includes('queue') && !content.includes('actor')) {
@@ -304,9 +311,16 @@ function analyzeTesting({ content, filePath, addFinding }) {
             'Test file without XCTest or Quick import');
     }
 
-    if (filePath.includes('Test') && !content.includes('makeSUT') && content.includes('func test')) {
-        addFinding('ios.testing.missing_makesut', 'medium', filePath, 1,
-            'Test without makeSUT pattern - centralize system under test creation');
+    if (filePath.includes('Test') && content.includes('func test')) {
+        const hasMakeSUT = /func\s+(private\s+)?make[Ss][Uu][Tt]\b/.test(content) ||
+            /func\s+(private\s+)?make_sut\b/.test(content) ||
+            /func\s+(private\s+)?sut\b/.test(content);
+        const testCount = (content.match(/func\s+test/g) || []).length;
+
+        if (!hasMakeSUT && testCount >= 3) {
+            addFinding('ios.testing.missing_makesut', 'medium', filePath, 1,
+                'Test without makeSUT pattern - centralize system under test creation');
+        }
     }
 
     if (filePath.includes('Test') && !content.includes('trackForMemoryLeaks') && content.includes('class')) {

package/scripts/hooks-system/infrastructure/ast/ios/ast-ios.js

@@ -37,8 +37,16 @@ function detectMissingMakeSUT({ filePath, content }) {
   if (!content.includes('XCTest')) return null;
   const hasTests = /func\s+test\w*\s*\(/.test(content);
   if (!hasTests) return null;
-  const hasMakeSUT = /func\s+makeSUT\b/.test(content);
+
+  const hasMakeSUT = /func\s+(private\s+)?make[Ss][Uu][Tt]\b/.test(content) ||
+    /func\s+(private\s+)?make_sut\b/.test(content) ||
+    /func\s+(private\s+)?sut\b/.test(content);
+
   if (hasMakeSUT) return null;
+
+  const testCount = (content.match(/func\s+test/g) || []).length;
+  if (testCount < 3) return null;
+
   return {
     ruleId: 'ios.testing.missing_make_sut',
     severity: 'high',
@@ -129,10 +137,6 @@ async function runIOSIntelligence(project, findings, platform) {
 
     if (platformOf(filePath) !== "ios") return;
 
-    sf.getDescendantsOfKind(SyntaxKind.NonNullExpression).forEach((expr) => {
-      pushFinding("ios.force_unwrapping", "high", sf, expr, "Force unwrapping (!) detected - use if let or guard let instead", findings);
-    });
-
     const completionHandlerFilePath = sf.getFilePath();
     const isAnalyzer = /infrastructure\/ast\/|analyzers\/|detectors\/|scanner|analyzer|detector/i.test(completionHandlerFilePath);
     const isCompletionTestFile = /\.(spec|test)\.(js|ts|swift)$/i.test(completionHandlerFilePath);

package/scripts/hooks-system/infrastructure/ast/ios/detectors/ios-ast-intelligent-strategies.js

@@ -120,17 +120,33 @@ function analyzeImportsAST(analyzer, filePath) {
     const unusedImportAllowlist = new Set(['Foundation', 'SwiftUI', 'UIKit', 'Combine']);
 
     const foundationTypeUsage = /\b(Data|Date|URL|UUID|Decimal|NSNumber|NSDecimalNumber|NSSet|NSDictionary|NSArray|IndexPath|Notification|FileManager|Bundle|Locale|TimeZone|Calendar|DateComponents|URLRequest|URLSession)\b/;
+    const swiftUIUsage = /\b(View|some View|Text|VStack|HStack|ZStack|Button|Image|List|NavigationView|NavigationStack|\.font|\.padding|\.frame|\.background|\.foregroundColor|@State|@Binding|@ObservedObject|@StateObject|@Environment)\b/;
+    const uiKitUsage = /\b(UIViewController|UIView|UITableView|UICollectionView|UIButton|UILabel|UIImageView|UINavigationController|viewDidLoad|viewWillAppear)\b/;
+    const combineUsage = /\b(Publisher|AnyPublisher|PassthroughSubject|CurrentValueSubject|@Published|sink|subscribe|eraseToAnyPublisher)\b/;
+
     for (const imp of analyzer.imports) {
         if (!unusedImportAllowlist.has(imp.name)) continue;
 
         let isUsed = analyzer.allNodes.some((n) => {
             const typename = n['key.typename'] || '';
             const name = n['key.name'] || '';
-            return typename.includes(imp.name) || name.includes(imp.name);
+            const inheritedTypes = n['key.inheritedtypes'] || [];
+            const conformsToView = inheritedTypes.some(t => (t['key.name'] || '') === 'View');
+            return typename.includes(imp.name) || name.includes(imp.name) || (imp.name === 'SwiftUI' && conformsToView);
         });
+
         if (!isUsed && imp.name === 'Foundation') {
             isUsed = foundationTypeUsage.test(content);
         }
+        if (!isUsed && imp.name === 'SwiftUI') {
+            isUsed = swiftUIUsage.test(content);
+        }
+        if (!isUsed && imp.name === 'UIKit') {
+            isUsed = uiKitUsage.test(content);
+        }
+        if (!isUsed && imp.name === 'Combine') {
+            isUsed = combineUsage.test(content);
+        }
 
         if (!isUsed) {
             analyzer.pushFinding('ios.imports.unused', 'low', filePath, imp.line, `Unused import: ${imp.name}`);
@@ -298,8 +314,12 @@ async function analyzeClassAST(analyzer, node, filePath) {
     }
 
     if (filePath.includes('Test') && name.includes('Test')) {
-        const hasMakeSUT = methods.some((m) => (m['key.name'] || '').includes('makeSUT'));
-        if (!hasMakeSUT && methods.length > 2) {
+        const hasMakeSUT = methods.some((m) => {
+            const methodName = (m['key.name'] || '').toLowerCase();
+            return methodName.includes('makesut') || methodName.includes('make_sut') || methodName === 'sut';
+        });
+        const testMethods = methods.filter(m => (m['key.name'] || '').startsWith('test'));
+        if (!hasMakeSUT && testMethods.length >= 3) {
             analyzer.pushFinding('ios.testing.missing_makesut', 'medium', filePath, line, `Test class '${name}' missing makeSUT() factory`);
         }
     }
@@ -431,8 +451,11 @@ function analyzeFunctionAST(analyzer, node, filePath) {
     const ifStatements = countStatementsOfType(substructure, 'stmt.if');
     const guardStatements = countStatementsOfType(substructure, 'stmt.guard');
 
-    if (ifStatements > 3 && guardStatements === 0) {
-        analyzer.pushFinding('ios.quality.pyramid_of_doom', 'medium', filePath, line, `Function '${name}' has ${ifStatements} nested ifs - use guard clauses`);
+    const hasEarlyReturns = (analyzer.fileContent || '').includes('return') && guardStatements > 0;
+    const nestingLevel = calculateNestingDepth(substructure);
+
+    if (nestingLevel >= 3 && !hasEarlyReturns) {
+        analyzer.pushFinding('ios.quality.pyramid_of_doom', 'medium', filePath, line, `Function '${name}' has ${nestingLevel} levels of nesting - use guard clauses for early returns`);
     }
 
     const isAsync = attributes.includes('async');
@@ -465,12 +488,16 @@ function analyzePropertyAST(analyzer, node, filePath) {
     const isMutable = isComputed ? hasAccessorSet : true;
 
     const hasSetterAccessRestriction = attributes.some(a => String(a).startsWith('setter_access'));
-    if (isPublic && isInstance && isMutable && !hasSetterAccessRestriction) {
+    const isProtocolRequirement = name === 'body' || attributes.some(a => String(a).includes('protocol'));
+
+    if (isPublic && isInstance && isMutable && !hasSetterAccessRestriction && !isProtocolRequirement) {
         analyzer.pushFinding('ios.encapsulation.public_mutable', 'medium', filePath, line, `Public mutable property '${name}' - consider private(set)`);
     }
 }
 
 function analyzeClosuresAST(analyzer, filePath) {
+    const isStruct = analyzer.structs.length > 0;
+
     for (const closure of analyzer.closures) {
         const closureText = analyzer.safeStringify(closure);
         const hasSelfReference = closureText.includes('"self"') || closureText.includes('key.name":"self');
@@ -478,10 +505,16 @@ function analyzeClosuresAST(analyzer, filePath) {
         const parentFunc = closure._parent;
         const isEscaping = parentFunc && (parentFunc['key.typename'] || '').includes('@escaping');
 
-        if (hasSelfReference && isEscaping) {
-            const hasWeakCapture = closureText.includes('weak') || closureText.includes('unowned');
+        if (hasSelfReference && isEscaping && !isStruct) {
+            const offset = closure['key.offset'] || 0;
+            const length = closure['key.length'] || 100;
+            const closureCode = (analyzer.fileContent || '').substring(offset, offset + length);
 
-            if (!hasWeakCapture) {
+            const hasExplicitSelfInCode = /\bself\b/.test(closureCode);
+            const hasWeakCapture = /\[.*weak.*\]/.test(closureCode) || /\[.*unowned.*\]/.test(closureCode);
+            const hasCaptureListWithoutSelf = /\[[^\]]+\]/.test(closureCode) && !/\[.*self.*\]/.test(closureCode);
+
+            if (hasExplicitSelfInCode && !hasWeakCapture && !hasCaptureListWithoutSelf) {
                 const line = closure['key.line'] || 1;
                 analyzer.pushFinding('ios.memory.missing_weak_self', 'high', filePath, line, 'Escaping closure captures self without [weak self]');
             }
@@ -550,14 +583,27 @@ function analyzeAdditionalRules(analyzer, filePath) {
         analyzer.pushFinding('ios.concurrency.dispatch_queue', 'medium', filePath, line, 'DispatchQueue detected - use async/await in new code');
     }
 
-    if (/Task\s*\{/.test(analyzer.fileContent || '') && !/Task\s*\{[^}]*do\s*\{/.test(analyzer.fileContent || '')) {
-        const line = analyzer.findLineNumber('Task {');
-        analyzer.pushFinding('ios.concurrency.task_no_error_handling', 'high', filePath, line, 'Task without do-catch - handle errors');
-    }
+    const taskMatches = [...(analyzer.fileContent || '').matchAll(/Task\s*\{([^}]*(?:\{[^}]*\}[^}]*)*)\}/gs)];
+    taskMatches.forEach(match => {
+        const taskBody = match[1] || '';
+        const hasTryCall = /\btry\s+/.test(taskBody);
+        const hasDoBlock = /\bdo\s*\{/.test(taskBody);
+
+        if (hasTryCall && !hasDoBlock) {
+            const line = analyzer.findLineNumber(match[0].substring(0, 20));
+            analyzer.pushFinding('ios.concurrency.task_no_error_handling', 'high', filePath, line, 'Task with throwing calls (try) without do-catch - handle errors');
+        }
+    });
 
-    if ((analyzer.fileContent || '').includes('UserDefaults') && /password|token|secret|key/i.test(analyzer.fileContent || '')) {
-        const line = analyzer.findLineNumber('UserDefaults');
-        analyzer.pushFinding('ios.security.sensitive_userdefaults', 'critical', filePath, line, 'Sensitive data in UserDefaults - use Keychain');
+    if ((analyzer.fileContent || '').includes('UserDefaults')) {
+        const content = analyzer.fileContent || '';
+        const hasSensitiveData = /UserDefaults.*\.set.*\b(password|token|secret|apiKey|authToken|accessToken|refreshToken)\b/i.test(content) ||
+            /\.set.*\b(password|token|secret|apiKey|authToken|accessToken|refreshToken)\b.*UserDefaults/i.test(content);
+
+        if (hasSensitiveData) {
+            const line = analyzer.findLineNumber('UserDefaults');
+            analyzer.pushFinding('ios.security.sensitive_userdefaults', 'critical', filePath, line, 'Sensitive credentials in UserDefaults - use Keychain for passwords/tokens');
+        }
     }
 
     const hardcodedStrings = (analyzer.fileContent || '').match(/Text\s*\(\s*"[^"]{10,}"\s*\)/g) || [];
@@ -693,15 +739,35 @@ function countStatementsOfType(substructure, stmtType) {
     let count = 0;
     const traverse = (nodes) => {
         if (!Array.isArray(nodes)) return;
-        for (const node of nodes) {
-            if ((node['key.kind'] || '').includes(stmtType)) count++;
-            traverse(node['key.substructure'] || []);
+        for (const n of nodes) {
+            if ((n['key.kind'] || '').includes(stmtType)) count++;
+            traverse(n['key.substructure']);
         }
     };
     traverse(substructure);
     return count;
 }
 
+function calculateNestingDepth(substructure) {
+    let maxDepth = 0;
+    const traverse = (nodes, currentDepth) => {
+        if (!Array.isArray(nodes)) return;
+        for (const n of nodes) {
+            const kind = n['key.kind'] || '';
+            let depth = currentDepth;
+
+            if (kind.includes('stmt.if') || kind.includes('stmt.guard') || kind.includes('stmt.for') || kind.includes('stmt.while')) {
+                depth++;
+                maxDepth = Math.max(maxDepth, depth);
+            }
+
+            traverse(n['key.substructure'], depth);
+        }
+    };
+    traverse(substructure, 0);
+    return maxDepth;
+}
+
 async function checkDependencyInjectionAST(analyzer, properties, filePath, className, line) {
     await diValidationService.validateDependencyInjection(analyzer, properties, filePath, className, line);
 }
@@ -809,7 +875,10 @@ function finalizeGodClassDetection(analyzer) {
 
         const signalCount = [sizeOutlier, complexityOutlier].filter(Boolean).length;
 
-        if (extremeOutlier || signalCount >= 2) {
+        const isTestDouble = /Spy$|Mock$|Stub$|Fake$|Dummy$/i.test(c.name) ||
+            c.filePath.includes('Test') && /Double|Spy|Mock|Stub/i.test(c.name);
+
+        if ((extremeOutlier || signalCount >= 2) && !isTestDouble) {
             const severity = resolveSrpSeverity(c.filePath, {
                 coreSeverity: 'critical',
                 defaultSeverity: 'high',

package/scripts/hooks-system/infrastructure/ast/ios/parsers/SourceKittenExtractor.js

@@ -119,14 +119,19 @@ class SourceKittenExtractor {
         const forceUnwraps = [];
         const lines = (fileContent || '').split('\n');
         lines.forEach((line, index) => {
-            const matches = [...line.matchAll(/(\w+)\s*!/g)];
+            const matches = [...line.matchAll(/(\w+)!/g)];
             matches.forEach(match => {
-                forceUnwraps.push({
-                    line: index + 1,
-                    column: match.index + 1,
-                    variable: match[1],
-                    context: line.trim(),
-                });
+                const charBefore = match.index > 0 ? line[match.index - 1] : '';
+                const isLogicalNegation = charBefore === '!' || /[&|=<>]/.test(charBefore);
+
+                if (!isLogicalNegation) {
+                    forceUnwraps.push({
+                        line: index + 1,
+                        column: match.index + 1,
+                        variable: match[1],
+                        context: line.trim(),
+                    });
+                }
             });
         });
         return forceUnwraps;

package/scripts/hooks-system/infrastructure/severity/policies/gate-policies.js

@@ -27,8 +27,11 @@ class GatePolicies {
       LOW: this.checkLevel('LOW', grouped.LOW || [], effectivePolicies.LOW || effectivePolicies['LOW'])
     };
 
-    const passed = !results.CRITICAL.failed && !results.HIGH.failed;
-    const blockedBy = results.CRITICAL.failed ? 'CRITICAL' : (results.HIGH.failed ? 'HIGH' : null);
+    const passed = !results.CRITICAL.failed && !results.HIGH.failed && !results.MEDIUM.failed && !results.LOW.failed;
+    const blockedBy = results.CRITICAL.failed ? 'CRITICAL' :
+      (results.HIGH.failed ? 'HIGH' :
+        (results.MEDIUM.failed ? 'MEDIUM' :
+          (results.LOW.failed ? 'LOW' : null)));
 
     return {
       passed,

package/scripts/hooks-system/infrastructure/shell/gitflow/gitflow-enforcer.sh

@@ -62,6 +62,15 @@ evidence_age() {
 ensure_evidence_fresh() {
   local age
   age=$(evidence_age)
+  
+  # En modo check (pre-commit), SIEMPRE refrescar para analizar staged files
+  if [[ "${GITFLOW_STRICT_CHECK:-false}" == "true" ]]; then
+    printf "${CYAN}🔄 Refrescando evidencia para staged files...${NC}\n"
+    refresh_evidence "pre-commit"
+    return
+  fi
+  
+  # En otros modos, usar umbral de tiempo
   if [[ "$age" == "-1" ]]; then
     printf "${YELLOW}⚠️  Evidencia ausente o inválida. Refrescando...${NC}\n"
     refresh_evidence "missing"