pumuki 6.3.115 → 6.3.117

package/CHANGELOG.md

@@ -6,6 +6,23 @@ This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [6.3.117] - 2026-04-28
+
+### Fixed
+
+- **`pumuki audit --json` queda accionable cuando bloquea:** la salida ahora expone `findings_count`, `blocking_findings_count` y `findings`; si el gate bloquea sin findings persistidos, emite un blocker sintético `AUDIT_BLOCKED_WITHOUT_FINDINGS` para evitar JSON no accionable.
+- **Auditoría previa a edición:** `pumuki audit --stage=PRE_WRITE --json` queda soportado para dar a consumers como RuralGo un contrato machine-friendly antes de continuar feature work.
+- **Tracking externo prioritario:** el reset interno queda alineado con el bloqueo vivo de RuralGo `PUMUKI-INC-109`/`PUMUKI-INC-110`.
+
+## [6.3.116] - 2026-04-25
+
+### Fixed
+
+- **Inventario real de dependencia local en `status` y `doctor`:** la línea publicada diferencia por fin la señal de seguridad Git (`trackedNodeModulesCount` / `trackedNodeModulesPaths`) del estado real de instalación local (`dependencyInventory`).
+- **Diagnóstico consumer-facing de `pumuki`:** `status --json` y `doctor --json` exponen si existe `package.json`, lockfile, `node_modules`, declaración de `pumuki`, versión instalada y binario local.
+- **Salida humana alineada:** `status` y `doctor` imprimen una línea compacta `dependency pumuki` para que el operador no confunda ausencia de `node_modules` trackeados con ausencia de instalación local.
+- **Cobertura de regresión de `PUMUKI-INC-088`:** nuevas pruebas fijan el inventario de dependencia en ambas superficies lifecycle sin arrastrar el delta amplio de `develop`.
+
 ## [6.3.115] - 2026-04-24
 
 ### Fixed

package/VERSION

@@ -1 +1 @@
-v6.3.115
+v6.3.117

package/docs/operations/RELEASE_NOTES.md

@@ -6,6 +6,12 @@ This file keeps only the operational highlights and rollout notes that matter wh
 
 ## 2026-04 (CLI stability and macOS notifications)
 
+### 2026-04-25 (v6.3.116)
+
+- **Inventario local real de dependencias:** `status` y `doctor` conservan `trackedNodeModules*` como señal estricta de seguridad Git y añaden `dependencyInventory` como fuente de verdad de instalación local.
+- **Cierre útil de `PUMUKI-INC-088`:** los consumers pueden ver si `pumuki` está declarado, instalado, con qué versión y si el binario local existe, sin inferirlo desde `git ls-files node_modules`.
+- **Rollout recomendado:** publicar `pumuki@6.3.116`, repin inmediato en `RuralGo` y revalidar `status --json` / `doctor --json` comprobando `dependencyInventory.pumuki.installedVersion`.
+
 ### 2026-04-24 (v6.3.115)
 
 - **`issues` canónicos también para `WARN`:** `status` y `doctor` ya no dejan `issues=[]` cuando la evidencia operativa real está en atención (`WARN`) pero aún no bloquea el gate.

package/integrations/lifecycle/audit.ts

@@ -1,12 +1,23 @@
 import { readEvidence } from '../evidence/readEvidence';
-import { GitService } from '../git/GitService';
+import type { AiEvidenceV2_1, SnapshotFinding } from '../evidence/schema';
+import { GitService, type IGitService } from '../git/GitService';
 import { hasAllowedExtension } from '../git/gitDiffUtils';
 import { runPlatformGate } from '../git/runPlatformGate';
 import { evaluatePlatformGateFindings } from '../git/runPlatformGateEvaluation';
 import { DEFAULT_FACT_FILE_EXTENSIONS } from '../git/runPlatformGateFacts';
-import { resolvePolicyForStage } from '../gate/stagePolicies';
+import { resolvePolicyForStage, type ResolvedStagePolicy } from '../gate/stagePolicies';
 
-export type LifecycleAuditStage = 'PRE_COMMIT' | 'PRE_PUSH' | 'CI';
+export type LifecycleAuditStage = 'PRE_WRITE' | 'PRE_COMMIT' | 'PRE_PUSH' | 'CI';
+
+export type LifecycleAuditFinding = {
+  ruleId: string;
+  severity: string;
+  code: string;
+  message: string;
+  file: string;
+  lines?: SnapshotFinding['lines'];
+  blocking: boolean;
+};
 
 export type LifecycleAuditResult = {
   command: 'pumuki audit';
@@ -18,14 +29,24 @@ export type LifecycleAuditResult = {
   files_scanned: number | null;
   untracked_matching_extensions_count: number;
   snapshot_outcome: string | null;
+  findings_count: number;
+  blocking_findings_count: number;
+  findings: ReadonlyArray<LifecycleAuditFinding>;
   policy_reconcile_hint: string;
 };
 
+type LifecycleAuditDependencies = {
+  git: IGitService;
+  readEvidence: typeof readEvidence;
+  resolvePolicyForStage: typeof resolvePolicyForStage;
+  runPlatformGate: typeof runPlatformGate;
+};
+
 const POLICY_RECONCILE_HINT =
   'If .pumuki/policy-as-code.json signatures drift after a pumuki upgrade, run: pumuki policy reconcile --apply';
 
 const countUntrackedMatchingExtensions = (
-  git: GitService,
+  git: Pick<IGitService, 'resolveRepoRoot' | 'runGit'>,
   extensions: ReadonlyArray<string>
 ): number => {
   const repoRoot = git.resolveRepoRoot();
@@ -37,13 +58,80 @@ const countUntrackedMatchingExtensions = (
     .filter((path) => hasAllowedExtension(path, extensions)).length;
 };
 
+const isFindingBlocking = (finding: SnapshotFinding): boolean => {
+  if (typeof finding.blocking === 'boolean') {
+    return finding.blocking;
+  }
+  return finding.severity === 'CRITICAL' || finding.severity === 'ERROR';
+};
+
+const toLifecycleAuditFinding = (finding: SnapshotFinding): LifecycleAuditFinding => ({
+  ruleId: finding.ruleId,
+  severity: finding.severity,
+  code: finding.code,
+  message: finding.message,
+  file: finding.file,
+  ...(typeof finding.lines !== 'undefined' ? { lines: finding.lines } : {}),
+  blocking: isFindingBlocking(finding),
+});
+
+const buildBlockedWithoutFindingsFallback = (params: {
+  stage: LifecycleAuditStage;
+  gateExitCode: number;
+  snapshotOutcome: string | null;
+}): LifecycleAuditFinding => ({
+  ruleId: 'audit.gate.blocked-without-findings',
+  severity: 'ERROR',
+  code: 'AUDIT_BLOCKED_WITHOUT_FINDINGS',
+  message:
+    `Audit ${params.stage} exited ${params.gateExitCode} with outcome=${params.snapshotOutcome ?? 'unknown'} ` +
+    'but produced no machine-readable findings. Re-run with this Pumuki version and inspect policy/SDD output; this fallback keeps JSON actionable.',
+  file: '.ai_evidence.json',
+  blocking: true,
+});
+
+const extractAuditFindings = (params: {
+  evidence: AiEvidenceV2_1 | undefined;
+  gateExitCode: number;
+  stage: LifecycleAuditStage;
+  snapshotOutcome: string | null;
+}): ReadonlyArray<LifecycleAuditFinding> => {
+  const findings = Array.isArray(params.evidence?.snapshot.findings)
+    ? params.evidence.snapshot.findings.map(toLifecycleAuditFinding)
+    : [];
+  if (findings.length > 0) {
+    return findings;
+  }
+  if (params.gateExitCode !== 0 || params.snapshotOutcome === 'BLOCK') {
+    return [
+      buildBlockedWithoutFindingsFallback({
+        stage: params.stage,
+        gateExitCode: params.gateExitCode,
+        snapshotOutcome: params.snapshotOutcome,
+      }),
+    ];
+  }
+  return [];
+};
+
 export const runLifecycleAudit = async (params: {
   stage: LifecycleAuditStage;
   auditMode: 'gate' | 'engine';
+  dependencies?: Partial<LifecycleAuditDependencies>;
 }): Promise<LifecycleAuditResult> => {
-  const git = new GitService();
+  const activeDependencies: LifecycleAuditDependencies = {
+    git: new GitService(),
+    readEvidence,
+    resolvePolicyForStage,
+    runPlatformGate,
+    ...params.dependencies,
+  };
+  const git = activeDependencies.git;
   const repoRoot = git.resolveRepoRoot();
-  const resolved = resolvePolicyForStage(params.stage, repoRoot);
+  const resolved: ResolvedStagePolicy = activeDependencies.resolvePolicyForStage(
+    params.stage,
+    repoRoot
+  );
   const extensions = DEFAULT_FACT_FILE_EXTENSIONS;
   const untrackedMatchingExtensionsCount = countUntrackedMatchingExtensions(git, extensions);
 
@@ -76,8 +164,8 @@ export const runLifecycleAudit = async (params: {
           auditMode: 'gate' as const,
         };
 
-  const gateExitCode = await runPlatformGate(gateParams);
-  const evidence = readEvidence(repoRoot);
+  const gateExitCode = await activeDependencies.runPlatformGate(gateParams);
+  const evidence = activeDependencies.readEvidence(repoRoot);
   const filesScanned =
     typeof evidence?.snapshot.files_scanned === 'number' &&
     Number.isFinite(evidence.snapshot.files_scanned)
@@ -85,6 +173,12 @@ export const runLifecycleAudit = async (params: {
       : null;
   const snapshotOutcome =
     typeof evidence?.snapshot.outcome === 'string' ? evidence.snapshot.outcome : null;
+  const findings = extractAuditFindings({
+    evidence,
+    gateExitCode,
+    stage: params.stage,
+    snapshotOutcome,
+  });
 
   return {
     command: 'pumuki audit',
@@ -96,6 +190,9 @@ export const runLifecycleAudit = async (params: {
     files_scanned: filesScanned,
     untracked_matching_extensions_count: untrackedMatchingExtensionsCount,
     snapshot_outcome: snapshotOutcome,
+    findings_count: findings.length,
+    blocking_findings_count: findings.filter((finding) => finding.blocking).length,
+    findings,
     policy_reconcile_hint: POLICY_RECONCILE_HINT,
   };
 };

package/integrations/lifecycle/cli.ts

@@ -188,7 +188,7 @@ Pumuki lifecycle commands:
   pumuki remove
   pumuki update [--latest|--spec=<package-spec>]
   pumuki doctor [--remote-checks] [--deep] [--parity] [--json]
-  pumuki audit [--stage=PRE_COMMIT|PRE_PUSH|CI] [--engine] [--json]
+  pumuki audit [--stage=PRE_WRITE|PRE_COMMIT|PRE_PUSH|CI] [--engine] [--json]
   pumuki status [--json] [--remote-checks]
   pumuki watch [--stage=PRE_COMMIT|PRE_PUSH|CI] [--scope=workingTree|staged|repoAndStaged|repo] [--severity=critical|high|medium|low] [--interval-ms=<n>] [--notify-cooldown-ms=<n>] [--no-notify] [--once|--iterations=<n>] [--json]
   pumuki loop run --objective=<text> [--max-attempts=<n>] [--json]
@@ -266,13 +266,7 @@ const parseSddStage = (value?: string): SddStage => {
 };
 
 const parseAuditStage = (value?: string): LifecycleAuditStage => {
-  const stage = parseSddStage(value);
-  if (stage === 'PRE_WRITE') {
-    throw new Error(
-      'PRE_WRITE is not supported for "pumuki audit". Use PRE_COMMIT, PRE_PUSH or CI (aliases GREEN, REFACTOR, CLOSE).'
-    );
-  }
-  return stage;
+  return parseSddStage(value);
 };
 
 const parseSddEvidencePath = (value: string): string => {
@@ -1555,6 +1549,9 @@ const printDoctorReport = (
   writeInfo(
     `[pumuki] tracked node_modules paths: ${report.trackedNodeModulesPaths.length}`
   );
+  writeInfo(
+    `[pumuki] dependency pumuki: declared=${report.dependencyInventory.pumuki.declared ? 'yes' : 'no'}, installed=${report.dependencyInventory.pumuki.installed ? 'yes' : 'no'}, version=${report.dependencyInventory.pumuki.installedVersion ?? 'unknown'}, bin=${report.dependencyInventory.pumuki.binPresent ? 'present' : 'missing'}`
+  );
   writeInfo(
     `[pumuki] hook pre-commit: ${report.hookStatus['pre-commit'].managedBlockPresent ? 'managed' : 'missing'}`
   );
@@ -2428,6 +2425,9 @@ export const runLifecycleCli = async (
           writeInfo(
             `[pumuki] tracked node_modules paths: ${status.trackedNodeModulesCount}`
           );
+          writeInfo(
+            `[pumuki] dependency pumuki: declared=${status.dependencyInventory.pumuki.declared ? 'yes' : 'no'}, installed=${status.dependencyInventory.pumuki.installed ? 'yes' : 'no'}, version=${status.dependencyInventory.pumuki.installedVersion ?? 'unknown'}, bin=${status.dependencyInventory.pumuki.binPresent ? 'present' : 'missing'}`
+          );
           writeInfo(
             `[pumuki] policy-as-code: PRE_COMMIT=${status.policyValidation.stages.PRE_COMMIT.validationCode ?? 'n/a'} strict=${status.policyValidation.stages.PRE_COMMIT.strict ? 'yes' : 'no'} ` +
             `PRE_PUSH=${status.policyValidation.stages.PRE_PUSH.validationCode ?? 'n/a'} strict=${status.policyValidation.stages.PRE_PUSH.strict ? 'yes' : 'no'} ` +

package/integrations/lifecycle/dependencyInventory.ts

@@ -0,0 +1,92 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import packageJson from '../../package.json';
+
+export type LifecycleDependencyInventory = {
+  nodeModulesPresent: boolean;
+  packageJsonPresent: boolean;
+  lockfilePresent: boolean;
+  pumuki: {
+    declared: boolean;
+    declaredRange: string | null;
+    installed: boolean;
+    installedVersion: string | null;
+    packageJsonPath: string | null;
+    binPath: string | null;
+    binPresent: boolean;
+  };
+};
+
+const readJsonRecord = (path: string): Record<string, unknown> | null => {
+  if (!existsSync(path)) {
+    return null;
+  }
+
+  try {
+    const parsed = JSON.parse(readFileSync(path, 'utf8')) as unknown;
+    return typeof parsed === 'object' && parsed !== null && !Array.isArray(parsed)
+      ? (parsed as Record<string, unknown>)
+      : null;
+  } catch {
+    return null;
+  }
+};
+
+const readDependencyRange = (
+  manifest: Record<string, unknown> | null,
+  dependencyName: string
+): string | null => {
+  if (!manifest) {
+    return null;
+  }
+
+  for (const section of ['dependencies', 'devDependencies', 'optionalDependencies'] as const) {
+    const dependencies = manifest[section];
+    if (typeof dependencies !== 'object' || dependencies === null || Array.isArray(dependencies)) {
+      continue;
+    }
+
+    const value = (dependencies as Record<string, unknown>)[dependencyName];
+    if (typeof value === 'string' && value.trim().length > 0) {
+      return value.trim();
+    }
+  }
+
+  return null;
+};
+
+const readInstalledVersion = (installedManifest: Record<string, unknown> | null): string | null => {
+  const version = installedManifest?.version;
+  return typeof version === 'string' && version.trim().length > 0 ? version.trim() : null;
+};
+
+export const readLifecycleDependencyInventory = (
+  repoRoot: string
+): LifecycleDependencyInventory => {
+  const manifestPath = join(repoRoot, 'package.json');
+  const nodeModulesPath = join(repoRoot, 'node_modules');
+  const lockfilePath = join(repoRoot, 'package-lock.json');
+  const installedPackageJsonPath = join(nodeModulesPath, packageJson.name, 'package.json');
+  const binName = process.platform === 'win32' ? `${packageJson.name}.cmd` : packageJson.name;
+  const binPath = join(nodeModulesPath, '.bin', binName);
+  const manifest = readJsonRecord(manifestPath);
+  const installedManifest = readJsonRecord(installedPackageJsonPath);
+  const declaredRange = readDependencyRange(manifest, packageJson.name);
+  const installedVersion = readInstalledVersion(installedManifest);
+  const binPresent = existsSync(binPath);
+
+  return {
+    nodeModulesPresent: existsSync(nodeModulesPath),
+    packageJsonPresent: existsSync(manifestPath),
+    lockfilePresent: existsSync(lockfilePath),
+    pumuki: {
+      declared: declaredRange !== null,
+      declaredRange,
+      installed: installedVersion !== null,
+      installedVersion,
+      packageJsonPath: installedVersion !== null ? `node_modules/${packageJson.name}/package.json` : null,
+      binPath: binPresent ? `node_modules/.bin/${binName}` : null,
+      binPresent,
+    },
+  };
+};

package/integrations/lifecycle/doctor.ts

@@ -16,6 +16,10 @@ import {
   evaluateOpenSpecCompatibility,
   isOpenSpecProjectInitialized,
 } from '../sdd/openSpecCli';
+import {
+  readLifecycleDependencyInventory,
+  type LifecycleDependencyInventory,
+} from './dependencyInventory';
 
 export type DoctorIssueSeverity = 'warning' | 'error';
 
@@ -91,6 +95,7 @@ export type LifecycleDoctorReport = {
   packageVersion: string;
   version: ReturnType<typeof buildLifecycleVersionReport>;
   lifecycleState: LifecycleState;
+  dependencyInventory: LifecycleDependencyInventory;
   trackedNodeModulesPaths: ReadonlyArray<string>;
   hookStatus: ReturnType<typeof getPumukiHooksStatus>;
   hooksDirectory: string;
@@ -842,6 +847,7 @@ export const runLifecycleDoctor = (params?: {
   const cwd = params?.cwd ?? process.cwd();
   const repoRoot = git.resolveRepoRoot(cwd);
   const trackedNodeModulesPaths = git.trackedNodeModulesPaths(repoRoot);
+  const dependencyInventory = readLifecycleDependencyInventory(repoRoot);
   const hooksDirectory = resolvePumukiHooksDirectory(repoRoot);
   const hookStatus = getPumukiHooksStatus(repoRoot);
   const lifecycleState = readLifecycleState(git, repoRoot);
@@ -886,6 +892,7 @@ export const runLifecycleDoctor = (params?: {
     packageVersion: version.effective,
     version,
     lifecycleState,
+    dependencyInventory,
     trackedNodeModulesPaths,
     hookStatus,
     hooksDirectory: hooksDirectory.path,

package/integrations/lifecycle/status.ts

@@ -13,6 +13,10 @@ import {
 } from './policyValidationSnapshot';
 import { readLifecycleState, type LifecycleState } from './state';
 import type { DoctorIssue } from './doctor';
+import {
+  readLifecycleDependencyInventory,
+  type LifecycleDependencyInventory,
+} from './dependencyInventory';
 
 export type LifecycleStatus = {
   repoRoot: string;
@@ -23,6 +27,7 @@ export type LifecycleStatus = {
   hooksDirectory: string;
   hooksDirectoryResolution: 'git-rev-parse' | 'git-config' | 'default';
   trackedNodeModulesCount: number;
+  dependencyInventory: LifecycleDependencyInventory;
   policyValidation: LifecyclePolicyValidationSnapshot;
   experimentalFeatures: LifecycleExperimentalFeaturesSnapshot;
   issues: ReadonlyArray<DoctorIssue>;
@@ -79,6 +84,7 @@ export const readLifecycleStatus = (params?: {
   const repoRoot = git.resolveRepoRoot(cwd);
   const hooksDirectory = resolvePumukiHooksDirectory(repoRoot);
   const trackedNodeModulesCount = git.trackedNodeModulesPaths(repoRoot).length;
+  const dependencyInventory = readLifecycleDependencyInventory(repoRoot);
   const lifecycleState = readLifecycleState(git, repoRoot);
   const version = buildLifecycleVersionReport({
     repoRoot,
@@ -97,6 +103,7 @@ export const readLifecycleStatus = (params?: {
     hooksDirectory: hooksDirectory.path,
     hooksDirectoryResolution: hooksDirectory.source,
     trackedNodeModulesCount,
+    dependencyInventory,
     policyValidation,
     experimentalFeatures,
     issues,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.115",
+  "version": "6.3.117",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {