pumuki 6.3.100 → 6.3.102

package/CHANGELOG.md

@@ -6,6 +6,21 @@ This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [6.3.102] - 2026-04-22
+
+### Fixed
+
+- **`strict` efectivo alineado con el contrato firmado:** `policyAsCode` y `stagePolicies` dejan de publicar `validation.strict` desde el entorno cuando el contrato persistido ya declara el valor por stage.
+- **`policy reconcile --strict --apply` materializa el contrato completo:** el archivo `.pumuki/policy-as-code.json` pasa a persistir el mapa `strict` por stage para que `status`, `doctor` y runtime converjan sobre la misma fuente.
+- **Wiring robusto de `pre-push` con hooks previos terminados en `exec`:** el bloque gestionado de Pumuki se recoloca antes del `exec` también en `pre-push`, evitando que el enforcement quede detrás de código muerto.
+
+## [6.3.101] - 2026-04-22
+
+### Fixed
+
+- **`gate.blocked` sin `ReferenceError` en consumers:** `resolveBlockedRemediation` recupera su contrato con variantes (`banner`/`dialog`) y deja de romper la ruta bloqueante de `PRE_WRITE` por un `options is not defined`.
+- **Cobertura de regresión del módulo de remediación:** la suite de `framework-menu-system-notifications-remediation` fija el caso de copy legacy en inglés y la compactación de banners sin truncados rotos.
+
 ## [6.3.100] - 2026-04-22
 
 ### Fixed

package/VERSION

@@ -1 +1 @@
-v6.3.100
+v6.3.102

package/docs/operations/RELEASE_NOTES.md

@@ -6,6 +6,18 @@ This file keeps only the operational highlights and rollout notes that matter wh
 
 ## 2026-04 (CLI stability and macOS notifications)
 
+### 2026-04-22 (v6.3.102)
+
+- **Convergencia de policy efectiva:** `strict` deja de depender solo de `PUMUKI_POLICY_STRICT` cuando el contrato firmado ya lo declara por stage; `status`, `doctor` y runtime vuelven a hablar el mismo idioma.
+- **Autofix persistente de contrato:** `policy reconcile --strict --apply` escribe el mapa `strict` completo en `.pumuki/policy-as-code.json`, cerrando la deriva entre reconcile y lectura posterior.
+- **Wiring fiable en `pre-push`:** el hook gestionado se antepone también cuando el hook previo termina en `exec`, evitando bloques inalcanzables.
+- **Rollout recomendado:** publicar `pumuki@6.3.102`, repin inmediato en `RuralGo` y revalidar `status` / `doctor` / `pre-push` para cerrar `PUMUKI-INC-080`.
+
+### 2026-04-22 (v6.3.101)
+
+- **Hotfix de ruta bloqueante:** `gate.blocked` deja de lanzar `ReferenceError: options is not defined` al construir la remediación visible en `PRE_WRITE`.
+- **Rollout recomendado:** publicar `pumuki@6.3.101`, repin inmediato en `RuralGo` y revalidar que el bloqueo de `PRE_WRITE` termina limpio, sin error residual tras el panel.
+
 ### 2026-04-22 (v6.3.100)
 
 - **Hotfix de activación efectiva:** la línea publicada deja de resolver `PRE_WRITE` a `off/default` en ausencia de override explícito; el default vuelve a ser coercitivo para el flujo real del agente/editor.

package/integrations/gate/stagePolicies.ts

@@ -234,6 +234,7 @@ type PolicyAsCodeContract = {
   source: 'default' | 'skills.policy' | 'hard-mode';
   signatures: Partial<Record<SkillsStage, string>> & Record<'PRE_COMMIT' | 'PRE_PUSH' | 'CI', string>;
   expires_at?: string;
+  strict?: Partial<Record<SkillsStage, boolean>>;
 };
 
 const resolveContractSignatureForStage = (
@@ -264,6 +265,23 @@ const isIsoDateString = (value: unknown): value is string => {
   return Number.isFinite(Date.parse(value));
 };
 
+const isPolicyStrictRecord = (
+  value: unknown
+): value is Partial<Record<SkillsStage, boolean>> => {
+  if (!isObject(value)) {
+    return false;
+  }
+  return Object.entries(value).every(([stage, strict]) => {
+    return (
+      (stage === 'PRE_WRITE' ||
+        stage === 'PRE_COMMIT' ||
+        stage === 'PRE_PUSH' ||
+        stage === 'CI') &&
+      typeof strict === 'boolean'
+    );
+  });
+};
+
 const policyStrictModeFromEnv = (): boolean => {
   const raw = process.env.PUMUKI_POLICY_STRICT?.trim().toLowerCase();
   if (!raw) {
@@ -292,6 +310,9 @@ const isPolicyAsCodeContract = (value: unknown): value is PolicyAsCodeContract =
   if (typeof value.expires_at !== 'undefined' && !isIsoDateString(value.expires_at)) {
     return false;
   }
+  if (typeof value.strict !== 'undefined' && !isPolicyStrictRecord(value.strict)) {
+    return false;
+  }
   return (
     (typeof value.signatures.PRE_WRITE === 'undefined' || isSha256Hex(value.signatures.PRE_WRITE)) &&
     isSha256Hex(value.signatures.PRE_COMMIT) &&
@@ -300,6 +321,17 @@ const isPolicyAsCodeContract = (value: unknown): value is PolicyAsCodeContract =
   );
 };
 
+const resolvePolicyAsCodeStrict = (params: {
+  contract?: PolicyAsCodeContract;
+  stage: SkillsStage;
+}): boolean => {
+  const declared = params.contract?.strict?.[params.stage];
+  if (typeof declared === 'boolean') {
+    return declared;
+  }
+  return policyStrictModeFromEnv();
+};
+
 const createPolicyAsCodeSignature = (params: {
   stage: SkillsStage;
   source: 'default' | 'skills.policy' | 'hard-mode';
@@ -332,7 +364,7 @@ const resolvePolicyAsCodeTraceMetadata = (params: {
   policySource: string;
   validation: NonNullable<ResolvedStagePolicy['trace']['validation']>;
 } => {
-  const strict = policyStrictModeFromEnv();
+  const envStrict = policyStrictModeFromEnv();
   const computedVersion = `policy-as-code/${params.source}@${POLICY_AS_CODE_VERSION}`;
   const computedSignature = createPolicyAsCodeSignature({
     stage: params.stage,
@@ -344,7 +376,7 @@ const resolvePolicyAsCodeTraceMetadata = (params: {
   const contractPath = join(params.repoRoot, POLICY_AS_CODE_CONTRACT_PATH);
 
   if (!existsSync(contractPath)) {
-    if (strict) {
+    if (envStrict) {
       return {
         version: computedVersion,
         signature: computedSignature,
@@ -354,7 +386,7 @@ const resolvePolicyAsCodeTraceMetadata = (params: {
           code: 'POLICY_AS_CODE_UNSIGNED',
           message:
             'Policy-as-code contract is missing; runtime policy metadata is unsigned.',
-          strict,
+          strict: envStrict,
         },
       };
     }
@@ -367,7 +399,7 @@ const resolvePolicyAsCodeTraceMetadata = (params: {
         status: 'valid',
         code: 'POLICY_AS_CODE_VALID',
         message: 'Policy-as-code metadata generated from active runtime policy.',
-        strict,
+        strict: envStrict,
       },
     };
   }
@@ -383,11 +415,16 @@ const resolvePolicyAsCodeTraceMetadata = (params: {
           status: 'invalid',
           code: 'POLICY_AS_CODE_CONTRACT_INVALID',
           message: 'Policy-as-code contract is malformed.',
-          strict,
+          strict: envStrict,
         },
       };
     }
 
+    const strict = resolvePolicyAsCodeStrict({
+      contract: raw,
+      stage: params.stage,
+    });
+
     if (raw.source !== params.source) {
       return {
         version: `policy-as-code/${raw.source}@${raw.version}`,
@@ -465,7 +502,7 @@ const resolvePolicyAsCodeTraceMetadata = (params: {
         status: 'invalid',
         code: 'POLICY_AS_CODE_CONTRACT_INVALID',
         message: 'Policy-as-code contract cannot be parsed as JSON.',
-        strict,
+        strict: envStrict,
       },
     };
   }

package/integrations/lifecycle/hookBlock.ts

@@ -104,7 +104,7 @@ const ensureExecutableHeader = (contents: string): string => {
   return contents;
 };
 
-const isPreCommitFrameworkWithExecTerminator = (contents: string): boolean => {
+const isFrameworkHookWithExecTerminator = (contents: string): boolean => {
   if (!contents.includes('pre-commit.com') && !contents.includes('pre_commit')) {
     return false;
   }
@@ -141,11 +141,7 @@ export const upsertPumukiManagedBlock = (params: {
     )
   );
 
-  if (
-    params.hook === 'pre-commit' &&
-    core.length > 0 &&
-    isPreCommitFrameworkWithExecTerminator(core)
-  ) {
+  if (core.length > 0 && isFrameworkHookWithExecTerminator(core)) {
     const merged = prependManagedBlockAfterShebang({ contents: core, block });
     return `${trimTrailingWhitespace(merged)}\n`;
   }

package/integrations/lifecycle/policyReconcile.ts

@@ -148,6 +148,12 @@ const tryApplyPolicyAutofix = (params: {
       PRE_PUSH: signatures.PRE_PUSH,
       CI: signatures.CI,
     },
+    strict: {
+      PRE_WRITE: params.report.stages.PRE_WRITE.strict,
+      PRE_COMMIT: params.report.stages.PRE_COMMIT.strict,
+      PRE_PUSH: params.report.stages.PRE_PUSH.strict,
+      CI: params.report.stages.CI.strict,
+    },
     expires_at: '2999-01-01T00:00:00.000Z',
   };
 

package/integrations/policy/policyAsCode.ts

@@ -32,6 +32,7 @@ type PolicyAsCodeContract = {
   source: PolicyProfileSource;
   signatures: Record<SkillsStage, string>;
   expires_at?: string;
+  strict?: Partial<Record<SkillsStage, boolean>>;
 };
 
 const isObject = (value: unknown): value is Record<string, unknown> => {
@@ -49,6 +50,23 @@ const isIsoDateString = (value: unknown): value is string => {
   return Number.isFinite(Date.parse(value));
 };
 
+const isPolicyStrictRecord = (
+  value: unknown
+): value is Partial<Record<SkillsStage, boolean>> => {
+  if (!isObject(value)) {
+    return false;
+  }
+  return Object.entries(value).every(([stage, strict]) => {
+    return (
+      (stage === 'PRE_WRITE' ||
+        stage === 'PRE_COMMIT' ||
+        stage === 'PRE_PUSH' ||
+        stage === 'CI') &&
+      typeof strict === 'boolean'
+    );
+  });
+};
+
 const policyStrictModeFromEnv = (): boolean => {
   const raw = process.env.PUMUKI_POLICY_STRICT?.trim().toLowerCase();
   if (!raw) {
@@ -77,6 +95,9 @@ const isPolicyAsCodeContract = (value: unknown): value is PolicyAsCodeContract =
   if (typeof value.expires_at !== 'undefined' && !isIsoDateString(value.expires_at)) {
     return false;
   }
+  if (typeof value.strict !== 'undefined' && !isPolicyStrictRecord(value.strict)) {
+    return false;
+  }
   return (
     isSha256Hex(value.signatures.PRE_COMMIT) &&
     isSha256Hex(value.signatures.PRE_PUSH) &&
@@ -84,6 +105,17 @@ const isPolicyAsCodeContract = (value: unknown): value is PolicyAsCodeContract =
   );
 };
 
+const resolvePolicyAsCodeStrict = (params: {
+  contract?: PolicyAsCodeContract;
+  stage: SkillsStage;
+}): boolean => {
+  const declared = params.contract?.strict?.[params.stage];
+  if (typeof declared === 'boolean') {
+    return declared;
+  }
+  return policyStrictModeFromEnv();
+};
+
 export const createPolicyAsCodeSignature = (params: {
   stage: SkillsStage;
   source: PolicyProfileSource;
@@ -111,7 +143,7 @@ export const resolvePolicyAsCodeTraceMetadata = (params: {
   hash: string;
   repoRoot: string;
 }): PolicyAsCodeTraceMetadata => {
-  const strict = policyStrictModeFromEnv();
+  const envStrict = policyStrictModeFromEnv();
   const computedVersion = `policy-as-code/${params.source}@${POLICY_AS_CODE_VERSION}`;
   const computedSignature = createPolicyAsCodeSignature({
     stage: params.stage,
@@ -123,7 +155,7 @@ export const resolvePolicyAsCodeTraceMetadata = (params: {
   const contractPath = join(params.repoRoot, POLICY_AS_CODE_CONTRACT_PATH);
 
   if (!existsSync(contractPath)) {
-    if (strict) {
+    if (envStrict) {
       return {
         version: computedVersion,
         signature: computedSignature,
@@ -133,7 +165,7 @@ export const resolvePolicyAsCodeTraceMetadata = (params: {
           code: 'POLICY_AS_CODE_UNSIGNED',
           message:
             'Policy-as-code contract is missing; runtime policy metadata is unsigned.',
-          strict,
+          strict: envStrict,
         },
       };
     }
@@ -146,7 +178,7 @@ export const resolvePolicyAsCodeTraceMetadata = (params: {
         status: 'valid',
         code: 'POLICY_AS_CODE_VALID',
         message: 'Policy-as-code metadata generated from active runtime policy.',
-        strict,
+        strict: envStrict,
       },
     };
   }
@@ -162,11 +194,16 @@ export const resolvePolicyAsCodeTraceMetadata = (params: {
           status: 'invalid',
           code: 'POLICY_AS_CODE_CONTRACT_INVALID',
           message: 'Policy-as-code contract is malformed.',
-          strict,
+          strict: envStrict,
         },
       };
     }
 
+    const strict = resolvePolicyAsCodeStrict({
+      contract: raw,
+      stage: params.stage,
+    });
+
     if (raw.source !== params.source) {
       return {
         version: `policy-as-code/${raw.source}@${raw.version}`,
@@ -243,7 +280,7 @@ export const resolvePolicyAsCodeTraceMetadata = (params: {
         status: 'invalid',
         code: 'POLICY_AS_CODE_CONTRACT_INVALID',
         message: 'Policy-as-code contract cannot be parsed as JSON.',
-        strict,
+        strict: envStrict,
       },
     };
   }

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.100",
+  "version": "6.3.102",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/scripts/framework-menu-system-notifications-remediation.ts

@@ -5,21 +5,26 @@ import {
 } from './framework-menu-system-notifications-text';
 
 const BLOCKED_REMEDIATION_BY_CODE: Readonly<Record<string, string>> = {
-  EVIDENCE_MISSING: 'Genera evidencia del slice actual y vuelve a validar el gate de esta fase.',
-  EVIDENCE_INVALID: 'Regenera la evidencia de la iteración y repite la validación en el mismo stage.',
+  EVIDENCE_MISSING: 'Genera la evidencia del slice actual y vuelve a validar esta fase.',
+  EVIDENCE_INVALID: 'Regenera la evidencia de esta iteración y repite la validación.',
   EVIDENCE_CHAIN_INVALID: 'Regenera la evidencia para restaurar la cadena de integridad y vuelve a validar.',
-  EVIDENCE_STALE: 'Ejecuta una auditoría completa de evidencia y vuelve a validar PRE_WRITE/PRE_PUSH. Si persiste, refresca la sesión SDD y reintenta.',
-  EVIDENCE_BRANCH_MISMATCH: 'Regenera evidencia en esta rama y vuelve a ejecutar la validación para sincronizar branch y snapshot.',
-  EVIDENCE_REPO_ROOT_MISMATCH: 'Regenera evidencia desde este repositorio y relanza la validación del gate.',
-  PRE_PUSH_UPSTREAM_MISSING: 'Configura upstream con `git push --set-upstream origin <branch>` y vuelve a ejecutar PRE_PUSH.',
-  SDD_SESSION_MISSING: 'Abre sesión SDD del change activo y repite la validación de la fase actual.',
-  SDD_SESSION_INVALID: 'Refresca la sesión SDD (open/refresh) y vuelve a validar en el mismo stage.',
-  OPENSPEC_MISSING: 'Instala OpenSpec en el repositorio y relanza la validación del gate.',
-  MCP_ENTERPRISE_RECEIPT_MISSING: 'Genera el receipt enterprise de MCP y vuelve a ejecutar la validación.',
-  BACKEND_AVOID_EXPLICIT_ANY: 'Reemplaza `any` por tipos concretos en backend y vuelve a lanzar el gate para confirmar el fix.',
+  EVIDENCE_STALE: 'Refresca la evidencia y vuelve a validar PRE_WRITE/PRE_PUSH.',
+  EVIDENCE_BRANCH_MISMATCH: 'La evidencia no corresponde a esta rama. Regenera el receipt/evidencia y vuelve a validar.',
+  EVIDENCE_REPO_ROOT_MISMATCH: 'Regenera la evidencia desde este repositorio y vuelve a validar.',
+  PRE_PUSH_UPSTREAM_MISSING: 'Configura upstream con `git push --set-upstream origin <branch>` y repite PRE_PUSH.',
+  SDD_SESSION_MISSING: 'Abre la sesión SDD del change activo y repite la validación.',
+  SDD_SESSION_INVALID: 'Refresca la sesión SDD activa y vuelve a validar esta fase.',
+  OPENSPEC_MISSING: 'Instala OpenSpec en este repositorio y vuelve a validar el gate.',
+  MCP_ENTERPRISE_RECEIPT_MISSING: 'Genera el receipt enterprise de MCP y vuelve a validar.',
+  BACKEND_AVOID_EXPLICIT_ANY: 'Sustituye `any` por tipos concretos en backend y relanza el gate.',
+  GIT_ATOMICITY_TOO_MANY_SCOPES: 'Divide el cambio por scope o en commits más pequeños y vuelve a ejecutar el gate.',
+  SOLID_HEURISTIC: 'Corrige la violación detectada y vuelve a ejecutar el gate.',
 };
 
-const BLOCKED_REMEDIATION_MAX_LENGTH = 220;
+const BLOCKED_REMEDIATION_MAX_LENGTH_BY_VARIANT: Readonly<Record<BlockedRemediationVariant, number>> = {
+  banner: 120,
+  dialog: 220,
+};
 
 const GENERIC_BLOCKED_REMEDIATION =
   'Corrige el bloqueo indicado y vuelve a ejecutar el comando.';
@@ -37,7 +42,6 @@ const resolveFallbackRemediation = (causeCode: string): string =>
 const hasEnglishHints = (message: string): boolean => {
   const normalized = message.toLowerCase();
   return [
-    'detected',
     'avoid explicit any',
     'set-upstream',
     'refresh evidence',
@@ -48,16 +52,6 @@ const hasEnglishHints = (message: string): boolean => {
     'rerun',
     'retry',
     'to continue',
-    'protected branch',
-    'open spec',
-    'openspec',
-    'session',
-    'missing',
-    'invalid',
-    'failed',
-    'worktree',
-    'callback usage',
-    'usage.',
     'run ',
   ].some((hint) => normalized.includes(hint));
 };
@@ -73,9 +67,6 @@ const toKnownSpanishRemediationFromMessage = (message: string, causeCode: string
   if (normalized.includes('refresh evidence') || normalized.includes('evidence is stale')) {
     return BLOCKED_REMEDIATION_BY_CODE.EVIDENCE_STALE;
   }
-  if (normalized.includes('evidence ai gate status is blocked')) {
-    return BLOCKED_REMEDIATION_BY_CODE.EVIDENCE_GATE_BLOCKED;
-  }
   if (normalized.includes('split the change')) {
     return BLOCKED_REMEDIATION_BY_CODE.GIT_ATOMICITY_TOO_MANY_SCOPES;
   }
@@ -87,7 +78,10 @@ const toKnownSpanishRemediationFromMessage = (message: string, causeCode: string
 
 export const resolveBlockedRemediation = (
   event: Extract<PumukiCriticalNotificationEvent, { kind: 'gate.blocked' }>,
-  causeCode: string
+  causeCode: string,
+  options?: {
+    variant?: BlockedRemediationVariant;
+  }
 ): string => {
   const variant = options?.variant ?? 'dialog';
   const maxLength = BLOCKED_REMEDIATION_MAX_LENGTH_BY_VARIANT[variant];