pumuki 6.3.123 → 6.3.125

package/CHANGELOG.md

@@ -6,6 +6,14 @@ This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [6.3.125] - 2026-04-28
+
+### Fixed
+
+- **Mensajes coherentes para bloqueos `gate.blocked`:** las notificaciones y diálogos traducen `EVIDENCE_GATE_BLOCKED`, tracking canónico y atomicidad a causas humanas en vez de mostrar copy interno en inglés.
+- **Tracking como causa accionable:** cuando existe `active_entries` / `tracking_source`, la remediación prioriza corregir el MD de tracking y deja de sugerir `policy reconcile && sdd validate` como solución principal.
+- **Cierre de `PUMUKI-INC-118`:** el evento central de bloqueo enriquece la causa con contexto de tracking antes de construir banners, diálogos macOS y payloads de sistema.
+
 ## [6.3.123] - 2026-04-28
 
 ### Fixed

package/VERSION

@@ -1 +1 @@
-v6.3.123
+v6.3.125

package/core/facts/detectors/astRuleThresholdAudit.test.ts

@@ -0,0 +1,33 @@
+import assert from 'node:assert/strict';
+import { readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import test from 'node:test';
+
+const detectorFiles = [
+  'core/facts/detectors/text/ios.ts',
+  'core/facts/detectors/text/android.ts',
+  'core/facts/detectors/typescript/index.ts',
+  'core/facts/detectors/security/securityCredentials.ts',
+];
+
+const forbiddenDecisionThresholds = [
+  /typeDeclarations\.length\s*<\s*\d+/,
+  /conformingTypes\.length\s*<\s*\d+/,
+  /trim\(\)\.length\s*>=\s*\d+/,
+  /relatedNodes\.length\s*<\s*\d+/,
+  /typedCaseCount\s*>=\s*\d+/,
+  /caseNodes\.length\s*<\s*\d+/,
+  /branchNodes\.length\s*<\s*\d+/,
+  /slice\(0,\s*\d+\)/,
+];
+
+test('detectores AST estructurales no usan umbrales internos para decidir skills', () => {
+  const violations = detectorFiles.flatMap((filePath) => {
+    const content = readFileSync(join(process.cwd(), filePath), 'utf8');
+    return forbiddenDecisionThresholds
+      .filter((pattern) => pattern.test(content))
+      .map((pattern) => `${filePath}: ${pattern.source}`);
+  });
+
+  assert.deepEqual(violations, []);
+});

package/core/facts/detectors/security/index.test.ts

@@ -15,7 +15,7 @@ import {
   hasWeakTokenGenerationWithCryptoRandomUuid,
 } from './index';
 
-test('hasHardcodedSecretTokenLiteral detecta literales fuertes en identificadores sensibles', () => {
+test('hasHardcodedSecretTokenLiteral detecta literales reales en identificadores sensibles', () => {
   const ast = {
     type: 'VariableDeclarator',
     id: { type: 'Identifier', name: 'apiToken' },
@@ -24,11 +24,17 @@ test('hasHardcodedSecretTokenLiteral detecta literales fuertes en identificadore
   const safeAst = {
     type: 'VariableDeclarator',
     id: { type: 'Identifier', name: 'apiToken' },
-    init: { type: 'StringLiteral', value: 'short' },
+    init: { type: 'StringLiteral', value: 'example' },
+  };
+  const shortRealSecretAst = {
+    type: 'VariableDeclarator',
+    id: { type: 'Identifier', name: 'apiToken' },
+    init: { type: 'StringLiteral', value: 'prod' },
   };
 
   assert.equal(hasHardcodedSecretTokenLiteral(ast), true);
   assert.equal(hasHardcodedSecretTokenLiteral(safeAst), false);
+  assert.equal(hasHardcodedSecretTokenLiteral(shortRealSecretAst), true);
 });
 
 test('hasInsecureTokenGenerationWithMathRandom detecta Math.random en asignacion sensible', () => {

package/core/facts/detectors/security/securityCredentials.test.ts

@@ -11,16 +11,21 @@ import {
   hasWeakTokenGenerationWithCryptoRandomUuid,
 } from './securityCredentials';
 
-test('hasHardcodedSecretTokenLiteral detecta literal largo en identificador sensible', () => {
+test('hasHardcodedSecretTokenLiteral detecta literal real en identificador sensible', () => {
   const hardcodedSecretAst = {
     type: 'VariableDeclarator',
     id: { type: 'Identifier', name: 'apiKey' },
     init: { type: 'StringLiteral', value: 'super-secret-key-123' },
   };
-  const safeLengthAst = {
+  const placeholderAst = {
     type: 'VariableDeclarator',
     id: { type: 'Identifier', name: 'apiKey' },
-    init: { type: 'StringLiteral', value: 'short' },
+    init: { type: 'StringLiteral', value: 'replace-me' },
+  };
+  const shortRealSecretAst = {
+    type: 'VariableDeclarator',
+    id: { type: 'Identifier', name: 'apiKey' },
+    init: { type: 'StringLiteral', value: 'prod' },
   };
   const nonSensitiveIdentifierAst = {
     type: 'VariableDeclarator',
@@ -29,7 +34,8 @@ test('hasHardcodedSecretTokenLiteral detecta literal largo en identificador sens
   };
 
   assert.equal(hasHardcodedSecretTokenLiteral(hardcodedSecretAst), true);
-  assert.equal(hasHardcodedSecretTokenLiteral(safeLengthAst), false);
+  assert.equal(hasHardcodedSecretTokenLiteral(placeholderAst), false);
+  assert.equal(hasHardcodedSecretTokenLiteral(shortRealSecretAst), true);
   assert.equal(hasHardcodedSecretTokenLiteral(nonSensitiveIdentifierAst), false);
 });
 

package/core/facts/detectors/security/securityCredentials.ts

@@ -1,13 +1,15 @@
 import { collectNodeLineMatches, hasNode, isObject } from '../utils/astHelpers';
 
 const sensitiveIdentifierPattern = /(secret|token|password|api[_-]?key)/i;
+const placeholderSecretLiteralPattern =
+  /^(?:changeme|change-me|change_me|replace-me|replace_me|todo|tbd|example|sample|dummy|test|testing|placeholder|your[_-]?(?:secret|token|password|api[_-]?key)|xxx+)$/i;
 
-const hasStrongLiteralValue = (value: unknown): boolean => {
+const hasCredentialLiteralValue = (value: unknown): boolean => {
   if (!isObject(value)) {
     return false;
   }
   if (value.type === 'StringLiteral') {
-    return typeof value.value === 'string' && value.value.trim().length >= 12;
+    return typeof value.value === 'string' && isCredentialLiteral(value.value);
   }
   if (
     value.type === 'TemplateLiteral' &&
@@ -17,11 +19,16 @@ const hasStrongLiteralValue = (value: unknown): boolean => {
     value.quasis.length === 1
   ) {
     const cooked = value.quasis[0]?.value?.cooked;
-    return typeof cooked === 'string' && cooked.trim().length >= 12;
+    return typeof cooked === 'string' && isCredentialLiteral(cooked);
   }
   return false;
 };
 
+const isCredentialLiteral = (value: string): boolean => {
+  const normalized = value.trim();
+  return normalized.length > 0 && !placeholderSecretLiteralPattern.test(normalized);
+};
+
 const containsMathRandomCall = (candidate: unknown): boolean => {
   return hasNode(candidate, (value) => {
     if (value.type !== 'CallExpression') {
@@ -109,7 +116,7 @@ const isHardcodedSecretTokenLiteralNode = (value: Record<string, string | number
   if (!sensitiveIdentifierPattern.test(idNode.name as string)) {
     return false;
   }
-  return hasStrongLiteralValue(value.init);
+  return hasCredentialLiteralValue(value.init);
 };
 
 const isInsecureTokenGenerationWithMathRandomNode = (value: Record<string, string | number | boolean | bigint | symbol | null | Date | object>): boolean => {

package/core/facts/detectors/text/android.ts

@@ -699,9 +699,6 @@ export const findKotlinLiskovSubstitutionMatch = (
   }
 
   const typeDeclarations = parseKotlinTypeDeclarations(source);
-  if (typeDeclarations.length < 2) {
-    return undefined;
-  }
 
   const sourceLines = source.split(/\r?\n/);
 
@@ -714,9 +711,6 @@ export const findKotlinLiskovSubstitutionMatch = (
     const conformingTypes = typeDeclarations.filter((typeDeclaration) =>
       typeDeclaration.conformances.includes(interfaceDeclaration.name)
     );
-    if (conformingTypes.length < 2) {
-      continue;
-    }
 
     for (const memberName of memberNames) {
       let safeType: KotlinTypeDeclaration | undefined;

package/core/facts/detectors/text/ios.ts

@@ -1435,9 +1435,6 @@ export const findSwiftLiskovSubstitutionMatch = (
   }
 
   const typeDeclarations = parseSwiftTypeDeclarations(source);
-  if (typeDeclarations.length < 2) {
-    return undefined;
-  }
 
   const sourceLines = source.split(/\r?\n/);
 
@@ -1450,9 +1447,6 @@ export const findSwiftLiskovSubstitutionMatch = (
     const conformingTypes = typeDeclarations.filter((typeDeclaration) =>
       typeDeclaration.conformances.includes(protocolDeclaration.name)
     );
-    if (conformingTypes.length < 2) {
-      continue;
-    }
 
     for (const memberName of memberNames) {
       let safeType: SwiftTypeDeclaration | undefined;

package/integrations/git/aiGateRepoPolicyFindings.ts

@@ -54,7 +54,7 @@ export const collectTrackingActiveEntriesFromMarkdown = (
     const bulletMatch = line.match(/^- 🚧 (`?P[0-9A-Za-z.-]+`?)/u);
     if (bulletMatch) {
       entries.push({
-        taskId: bulletMatch[1]!.replaceAll('`', '').trim(),
+        taskId: bulletMatch[1]!.replace(/`/gu, '').trim(),
         lineNumber: index + 1,
       });
       continue;

package/integrations/lifecycle/cli.ts

@@ -1689,16 +1689,18 @@ export type PreWriteOpenSpecBootstrapTrace = {
 export const buildPreWriteExperimentalEnableAdvisoryCommand = (
   repoRoot: string = process.cwd()
 ): string =>
-  `PUMUKI_EXPERIMENTAL_PRE_WRITE=advisory ${buildPinnedPumukiNpxCommand(
-    getCurrentPumukiVersion({ repoRoot })
-  )} sdd validate --stage=PRE_WRITE --json`;
+  `PUMUKI_EXPERIMENTAL_PRE_WRITE=advisory ${buildPinnedPumukiNpxCommand({
+    repoRoot,
+    executableAndArgs: 'pumuki sdd validate --stage=PRE_WRITE --json',
+  })}`;
 export const buildSddExperimentalEnableAdvisoryCommand = (
   stage: SddStage,
   repoRoot: string = process.cwd()
 ): string =>
-  `PUMUKI_EXPERIMENTAL_SDD=advisory ${buildPinnedPumukiNpxCommand(
-    getCurrentPumukiVersion({ repoRoot })
-  )} sdd validate --stage=${stage} --json`;
+  `PUMUKI_EXPERIMENTAL_SDD=advisory ${buildPinnedPumukiNpxCommand({
+    repoRoot,
+    executableAndArgs: `pumuki sdd validate --stage=${stage} --json`,
+  })}`;
 const buildAnalyticsExperimentalEnableCommand = (action: AnalyticsHotspotsCommand): string =>
   `PUMUKI_EXPERIMENTAL_ANALYTICS=advisory npx --yes --package pumuki@latest pumuki analytics hotspots ${action} --json`;
 const SAAS_INGESTION_ENABLE_ADVISORY_COMMAND =
@@ -1804,7 +1806,7 @@ export const buildPreWriteExperimentalDisabledResult = (params: {
       layer: 'experimental',
       activation_env: 'PUMUKI_EXPERIMENTAL_PRE_WRITE',
       legacy_activation_env: 'PUMUKI_PREWRITE_ENFORCEMENT',
-      activation_command: PRE_WRITE_ENABLE_ADVISORY_COMMAND,
+      activation_command: buildPreWriteExperimentalEnableAdvisoryCommand(),
     },
   },
 });

package/integrations/mcp/enterpriseServer.ts

@@ -5,6 +5,7 @@ import { execFileSync as runBinarySync } from 'node:child_process';
 import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { readLifecycleStatus, runLifecycleAudit } from '../lifecycle';
+import { GitService } from '../git/GitService';
 import { resolveMcpEnterpriseExperimentalFeature } from '../policy/experimentalFeatures';
 import { evaluateSddPolicy, readSddStatus } from '../sdd';
 import type { SddStage } from '../sdd';
@@ -337,6 +338,20 @@ type EnterpriseToolExecution = {
   warnings?: ReadonlyArray<string>;
 };
 
+class EnterpriseRepoGitService extends GitService {
+  constructor(private readonly repoRoot: string) {
+    super();
+  }
+
+  override resolveRepoRoot(): string {
+    return this.repoRoot;
+  }
+
+  override runGit(args: ReadonlyArray<string>, cwd: string = this.repoRoot): string {
+    return super.runGit(args, cwd);
+  }
+}
+
 type CriticalToolGuardResult = {
   allowed: boolean;
   stage: SddStage;
@@ -398,9 +413,11 @@ const executeEnterpriseTool = async (
   switch (toolName) {
     case 'pre_write_guard': {
       const audit = await runLifecycleAudit({
-        repoRoot,
         stage: 'PRE_WRITE',
         auditMode: 'gate',
+        dependencies: {
+          git: new EnterpriseRepoGitService(repoRoot),
+        },
       });
       return {
         name: toolName,

package/integrations/notifications/emitAuditSummaryNotification.ts

@@ -1,6 +1,7 @@
 import type { AiEvidenceV2_1 } from '../evidence/schema';
 import { readEvidence } from '../evidence/readEvidence';
 import type { AiGateCheckResult } from '../gate/evaluateAiGate';
+import { appendTrackingActionableContext } from '../git/aiGateRepoPolicyFindings';
 import {
   emitSystemNotification,
   type PumukiCriticalNotificationEvent,
@@ -34,6 +35,22 @@ const isTruthyEnvValue = (value?: string): boolean => {
   return normalized === '1' || normalized === 'true' || normalized === 'yes';
 };
 
+const withTrackingContext = (params: {
+  repoRoot: string;
+  causeMessage: string;
+}): string => {
+  if (
+    params.causeMessage.includes('active_entries=') ||
+    params.causeMessage.includes('tracking_source=')
+  ) {
+    return params.causeMessage;
+  }
+  return appendTrackingActionableContext({
+    repoRoot: params.repoRoot,
+    message: params.causeMessage,
+  });
+};
+
 export const shouldEmitAuditSummaryNotificationForStage = (
   stage: AuditSummaryNotificationStage,
   env: NodeJS.ProcessEnv = process.env
@@ -155,7 +172,10 @@ export const emitGateBlockedNotification = (
       stage: params.stage,
       totalViolations: params.totalViolations,
       causeCode: params.causeCode,
-      causeMessage: params.causeMessage,
+      causeMessage: withTrackingContext({
+        repoRoot: params.repoRoot,
+        causeMessage: params.causeMessage,
+      }),
       remediation: params.remediation,
     },
     repoRoot: params.repoRoot,

package/integrations/sdd/policy.ts

@@ -167,6 +167,7 @@ const evaluateActiveChangeCompleteness = (params: {
 
 const evaluateSessionRequirements = (params: {
   status: SddStatusPayload;
+  repoRoot: string;
   autoRefreshEnabled: boolean;
   autoRefreshAttempted: boolean;
   autoRefreshError?: string;
@@ -335,7 +336,7 @@ export const evaluateSddPolicy = (params: {
           experimentalSource: sddExperimentalFeature.source,
           activation_env: sddExperimentalFeature.activationVariable,
           legacy_activation_env: sddExperimentalFeature.legacyActivationVariable,
-          activation_command: buildSddExperimentalEnableCommand(params.stage, params.repoRoot),
+          activation_command: buildSddExperimentalEnableCommand(params.stage, repoRoot),
         },
       },
     };
@@ -428,6 +429,7 @@ export const evaluateSddPolicy = (params: {
 
   const sessionDecision = evaluateSessionRequirements({
     status,
+    repoRoot,
     autoRefreshEnabled,
     autoRefreshAttempted,
     autoRefreshError,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.123",
+  "version": "6.3.125",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/scripts/framework-menu-system-notifications-cause.ts

@@ -3,8 +3,13 @@ import {
   normalizeNotificationText,
   truncateNotificationText,
 } from './framework-menu-system-notifications-text';
+import {
+  buildNotificationTrackingCauseSummary,
+  extractNotificationTrackingContext,
+} from './framework-menu-system-notifications-tracking';
 
 const BLOCKED_CAUSE_SUMMARY_BY_CODE: Readonly<Record<string, string>> = {
+  EVIDENCE_GATE_BLOCKED: 'El gate de evidencia/gobernanza está bloqueado.',
   EVIDENCE_MISSING: 'Falta evidencia para validar este paso.',
   EVIDENCE_INVALID: 'La evidencia actual es inválida.',
   EVIDENCE_CHAIN_INVALID: 'La cadena de evidencia no es válida.',
@@ -18,6 +23,13 @@ const BLOCKED_CAUSE_SUMMARY_BY_CODE: Readonly<Record<string, string>> = {
   OPENSPEC_MISSING: 'OpenSpec no está instalado en este repositorio.',
   MCP_ENTERPRISE_RECEIPT_MISSING: 'Falta el recibo enterprise de MCP.',
   BACKEND_AVOID_EXPLICIT_ANY: 'Se detectó uso de "any" explícito en backend.',
+  GIT_ATOMICITY_TOO_MANY_SCOPES: 'El cambio toca demasiados scopes para un commit atómico.',
+  TRACKING_CANONICAL_IN_PROGRESS_INVALID:
+    'El tracking canónico tiene una tarea activa inválida.',
+  TRACKING_CANONICAL_SOURCE_CONFLICT:
+    'Hay conflicto entre fuentes de tracking canónico.',
+  ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES_HIGH:
+    'No hay reglas activas para cambios de código.',
 };
 
 const ENGLISH_CAUSE_HINTS = [
@@ -53,9 +65,19 @@ const buildGenericSpanishBlockedCauseSummary = (
 
 const toKnownSpanishCauseFromMessage = (message: string): string | null => {
   const normalized = message.toLowerCase();
+  const trackingContext = extractNotificationTrackingContext(message);
+  if (trackingContext) {
+    return buildNotificationTrackingCauseSummary(trackingContext);
+  }
   if (normalized.includes('avoid explicit any')) {
     return BLOCKED_CAUSE_SUMMARY_BY_CODE.BACKEND_AVOID_EXPLICIT_ANY;
   }
+  if (normalized.includes('atomicity')) {
+    return BLOCKED_CAUSE_SUMMARY_BY_CODE.GIT_ATOMICITY_TOO_MANY_SCOPES;
+  }
+  if (normalized.includes('evidence ai gate status is blocked')) {
+    return BLOCKED_CAUSE_SUMMARY_BY_CODE.EVIDENCE_GATE_BLOCKED;
+  }
   if (normalized.includes('evidence is stale')) {
     return BLOCKED_CAUSE_SUMMARY_BY_CODE.EVIDENCE_STALE;
   }
@@ -74,6 +96,10 @@ export const resolveBlockedCauseSummary = (
   event: Extract<PumukiCriticalNotificationEvent, { kind: 'gate.blocked' }>,
   causeCode: string
 ): string => {
+  const trackingContext = extractNotificationTrackingContext(event.causeMessage);
+  if (trackingContext) {
+    return buildNotificationTrackingCauseSummary(trackingContext);
+  }
   const mapped = BLOCKED_CAUSE_SUMMARY_BY_CODE[causeCode];
   if (mapped) {
     return mapped;

package/scripts/framework-menu-system-notifications-remediation.ts

@@ -3,8 +3,16 @@ import {
   normalizeNotificationText,
   truncateNotificationText,
 } from './framework-menu-system-notifications-text';
+import {
+  extractNotificationTrackingContext,
+  TRACKING_BLOCKED_REMEDIATION,
+} from './framework-menu-system-notifications-tracking';
+
+type BlockedRemediationVariant = 'banner' | 'dialog';
 
 const BLOCKED_REMEDIATION_BY_CODE: Readonly<Record<string, string>> = {
+  EVIDENCE_GATE_BLOCKED:
+    'Revisa status/doctor para ver la causa exacta del gate, corrígela y revalida.',
   EVIDENCE_MISSING: 'Genera la evidencia del slice actual y vuelve a validar esta fase.',
   EVIDENCE_INVALID: 'Regenera la evidencia de esta iteración y repite la validación.',
   EVIDENCE_CHAIN_INVALID: 'Regenera la evidencia para restaurar la cadena de integridad y vuelve a validar.',
@@ -19,6 +27,10 @@ const BLOCKED_REMEDIATION_BY_CODE: Readonly<Record<string, string>> = {
   BACKEND_AVOID_EXPLICIT_ANY: 'Sustituye `any` por tipos concretos en backend y relanza el gate.',
   GIT_ATOMICITY_TOO_MANY_SCOPES: 'Divide el cambio por scope o en commits más pequeños y vuelve a ejecutar el gate.',
   SOLID_HEURISTIC: 'Corrige la violación detectada y vuelve a ejecutar el gate.',
+  TRACKING_CANONICAL_IN_PROGRESS_INVALID: TRACKING_BLOCKED_REMEDIATION,
+  TRACKING_CANONICAL_SOURCE_CONFLICT: TRACKING_BLOCKED_REMEDIATION,
+  ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES_HIGH:
+    'Ejecuta `pumuki policy reconcile --strict --json` y revalida antes de continuar.',
 };
 
 const BLOCKED_REMEDIATION_MAX_LENGTH_BY_VARIANT: Readonly<Record<BlockedRemediationVariant, number>> = {
@@ -39,6 +51,11 @@ const normalizeBlockedRemediation = (value: string): string =>
 const resolveFallbackRemediation = (causeCode: string): string =>
   BLOCKED_REMEDIATION_BY_CODE[causeCode] ?? GENERIC_BLOCKED_REMEDIATION;
 
+const isGenericPolicyReconcileRemediation = (message: string): boolean => {
+  const normalized = message.toLowerCase();
+  return normalized.includes('policy reconcile') && normalized.includes('sdd validate');
+};
+
 const hasEnglishHints = (message: string): boolean => {
   const normalized = message.toLowerCase();
   return [
@@ -88,7 +105,16 @@ export const resolveBlockedRemediation = (
   const fromEvent = event.remediation
     ? normalizeBlockedRemediation(event.remediation)
     : '';
+  if (extractNotificationTrackingContext(event.causeMessage)) {
+    return truncateNotificationText(TRACKING_BLOCKED_REMEDIATION, maxLength);
+  }
   if (fromEvent.length > 0) {
+    if (
+      causeCode === 'EVIDENCE_GATE_BLOCKED' &&
+      isGenericPolicyReconcileRemediation(fromEvent)
+    ) {
+      return truncateNotificationText(resolveFallbackRemediation(causeCode), maxLength);
+    }
     const translated = toKnownSpanishRemediationFromMessage(fromEvent, causeCode);
     if (translated) {
       return truncateNotificationText(translated, maxLength);

package/scripts/framework-menu-system-notifications-tracking.ts

@@ -0,0 +1,42 @@
+export type NotificationTrackingContext = {
+  activeEntry?: string;
+  trackingSource?: string;
+};
+
+const TRACKING_CONTEXT_PATTERN = /\b(active_entries=|tracking_source=|TRACKING_CANONICAL_)/u;
+
+export const extractNotificationTrackingContext = (
+  message?: string
+): NotificationTrackingContext | null => {
+  if (!message || !TRACKING_CONTEXT_PATTERN.test(message)) {
+    return null;
+  }
+  const activeEntry = message
+    .match(/\bactive_entries=([^,\s]+)/u)?.[1]
+    ?.replace(/@L\d+$/u, '')
+    .trim();
+  const trackingSource = message.match(/\btracking_source=([^\s]+)/u)?.[1]?.trim();
+  return {
+    activeEntry: activeEntry && activeEntry.length > 0 ? activeEntry : undefined,
+    trackingSource: trackingSource && trackingSource.length > 0 ? trackingSource : undefined,
+  };
+};
+
+export const buildNotificationTrackingCauseSummary = (
+  context: NotificationTrackingContext
+): string => {
+  if (context.activeEntry && context.trackingSource) {
+    return `Tracking bloqueado: ${context.activeEntry} en ${context.trackingSource}.`;
+  }
+  if (context.activeEntry) {
+    return `Tracking bloqueado: ${context.activeEntry}.`;
+  }
+  if (context.trackingSource) {
+    return `Tracking bloqueado en ${context.trackingSource}.`;
+  }
+  return 'El tracking canónico del repo bloquea la governance.';
+};
+
+export const TRACKING_BLOCKED_REMEDIATION =
+  'Corrige el MD de tracking: deja una única tarea activa válida y vuelve a ejecutar el gate.';
+