npm - pumuki - Versions diffs - 6.3.132 → 6.3.133 - Mend

pumuki 6.3.132 → 6.3.133

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (7) hide show

package/CHANGELOG.md +8 -0
package/docs/operations/RELEASE_NOTES.md +6 -0
package/integrations/gate/runPlatformGateConfig.ts +55 -0
package/integrations/gate/runPlatformGateDefaults.ts +19 -0
package/integrations/git/runPlatformGate.ts +61 -88
package/integrations/policy/skillsEnforcement.ts +0 -40
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -6,6 +6,14 @@ This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
+## [6.3.133] - 2026-05-03
+### Fixed
+- **Skills enforcement endurecido a bloqueo duro:** `PRE_WRITE`, `PRE_COMMIT` y `PRE_PUSH` ya no admiten bypass advisory para violaciones de skills.
+- **Contrato de gate alineado de punta a punta:** `skillsEnforcement`, `evaluateAiGate`, `runPlatformGate` y el flujo CLI bloquean de forma consistente cuando falta cobertura, bundles o contrato de skills.
+- **Release listo para repin:** esta versión está preparada para publicarse y repinear consumers como RuralGo sin cerrar más gaps funcionales para este fix.
 ## [6.3.132] - 2026-05-03
 ### Fixed

package/docs/operations/RELEASE_NOTES.md CHANGED Viewed

@@ -4,6 +4,12 @@ This file tracks the active deterministic framework line used in this repository
 Canonical release chronology lives in `CHANGELOG.md`.
 This file keeps only the operational highlights and rollout notes that matter while running the framework.
+### 2026-05-03 (v6.3.133)
+- **Skills hard-blocking end-to-end:** `skillsEnforcement`, `evaluateAiGate`, `runPlatformGate` y el flujo CLI ya no dejan pasar advisory para violations de skills.
+- **Repin recomendado:** publicar `pumuki@6.3.133`, repinear RuralGo y revalidar `status`, `doctor`, `audit --stage=PRE_WRITE --json` y hooks gestionados.
+- **Contrato de release estable:** no hace falta cerrar más gaps funcionales para este fix; la solución ya quedó validada localmente y lo que falta es distribución.
 ### 2026-05-03 (v6.3.130)
 - **Menú consumer legacy recuperado:** `pumuki-framework` vuelve a mostrar la portada plana de 9 opciones y la salida clásica de auditoría.

package/integrations/gate/runPlatformGateConfig.ts ADDED Viewed

@@ -0,0 +1,55 @@
+import {
+  DEFAULT_DEGRADED_MODE_ACTION_ALLOW,
+  DEFAULT_DEGRADED_MODE_ACTION_BLOCK,
+  DEFAULT_GATE_AUDIT_MODE,
+  DEFAULT_LIST_SEPARATOR,
+  DEFAULT_MEMORY_SHADOW_DISPLAY_PRECISION,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_ALLOW,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_BLOCK,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_WARN,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY,
+  DEFAULT_RULES_COVERAGE_RATIO_DECIMALS,
+  LIFECYCLE_GATE_STAGES,
+  MAX_IOS_TEST_QUALITY_SAMPLE_FILES,
+  MAX_OBSERVED_CODE_PATHS_SAMPLE,
+  MAX_SCOPE_SAMPLE_PATHS,
+} from './runPlatformGateDefaults';
+const parseConfidence = (value: string | undefined, fallback: number): number => {
+  const parsed = Number.parseFloat(value ?? '');
+  return Number.isFinite(parsed) ? parsed : fallback;
+};
+export const LIST_SEPARATOR = DEFAULT_LIST_SEPARATOR;
+export const MEMORY_SHADOW_CONFIDENCE_BLOCK = parseConfidence(
+  process.env.PUMUKI_MEMORY_SHADOW_CONFIDENCE_BLOCK,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_BLOCK
+);
+export const MEMORY_SHADOW_CONFIDENCE_WARN = parseConfidence(
+  process.env.PUMUKI_MEMORY_SHADOW_CONFIDENCE_WARN,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_WARN
+);
+export const MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY = parseConfidence(
+  process.env.PUMUKI_MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY
+);
+export const MEMORY_SHADOW_CONFIDENCE_ALLOW = parseConfidence(
+  process.env.PUMUKI_MEMORY_SHADOW_CONFIDENCE_ALLOW,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_ALLOW
+);
+export const DEGRADED_MODE_ACTION_BLOCK =
+  process.env.PUMUKI_DEGRADED_MODE_ACTION_BLOCK?.trim() || DEFAULT_DEGRADED_MODE_ACTION_BLOCK;
+export const DEGRADED_MODE_ACTION_ALLOW =
+  process.env.PUMUKI_DEGRADED_MODE_ACTION_ALLOW?.trim() || DEFAULT_DEGRADED_MODE_ACTION_ALLOW;
+export {
+  DEFAULT_GATE_AUDIT_MODE,
+  DEFAULT_MEMORY_SHADOW_DISPLAY_PRECISION,
+  DEFAULT_RULES_COVERAGE_RATIO_DECIMALS,
+  LIFECYCLE_GATE_STAGES,
+  MAX_IOS_TEST_QUALITY_SAMPLE_FILES,
+  MAX_OBSERVED_CODE_PATHS_SAMPLE,
+  MAX_SCOPE_SAMPLE_PATHS,
+};

package/integrations/gate/runPlatformGateDefaults.ts ADDED Viewed

@@ -0,0 +1,19 @@
+export const DEFAULT_LIST_SEPARATOR = ', ';
+export const DEFAULT_MEMORY_SHADOW_CONFIDENCE_BLOCK = 0.9;
+export const DEFAULT_MEMORY_SHADOW_CONFIDENCE_WARN = 0.75;
+export const DEFAULT_MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY = 0.7;
+export const DEFAULT_MEMORY_SHADOW_CONFIDENCE_ALLOW = 0.65;
+export const DEFAULT_DEGRADED_MODE_ACTION_BLOCK = 'block' as const;
+export const DEFAULT_DEGRADED_MODE_ACTION_ALLOW = 'allow' as const;
+export const DEFAULT_RULES_COVERAGE_RATIO_DECIMALS = 6;
+export const DEFAULT_GATE_AUDIT_MODE = 'gate' as const;
+export const DEFAULT_MEMORY_SHADOW_DISPLAY_PRECISION = 2;
+export const MAX_IOS_TEST_QUALITY_SAMPLE_FILES = 3;
+export const MAX_OBSERVED_CODE_PATHS_SAMPLE = 5;
+export const MAX_SCOPE_SAMPLE_PATHS = 3;
+export const LIFECYCLE_GATE_STAGES = ['PRE_COMMIT', 'PRE_PUSH', 'CI'] as const;

package/integrations/git/runPlatformGate.ts CHANGED Viewed

@@ -32,13 +32,29 @@ import { createEmptyEvaluationMetrics } from '../evidence/evaluationMetrics';
 import { createEmptySnapshotRulesCoverage } from '../evidence/rulesCoverage';
 import { enforceTddBddPolicy } from '../tdd/enforcement';
 import type { TddBddSnapshot } from '../tdd/types';
-import { resolveSkillsEnforcement } from '../policy/skillsEnforcement';
 import { applyTddBddEnforcement } from '../policy/tddBddEnforcement';
 import { collectAiGateRepoPolicyFindings } from './aiGateRepoPolicyFindings';
 import {
   filterFactsByPathPrefixes,
   resolveGateScopePathPrefixesFromEnv,
 } from './filterFactsByPathPrefixes';
+import {
+  DEFAULT_MEMORY_SHADOW_DISPLAY_PRECISION,
+  DEGRADED_MODE_ACTION_ALLOW,
+  DEGRADED_MODE_ACTION_BLOCK,
+  DEFAULT_GATE_AUDIT_MODE,
+  DEFAULT_RULES_COVERAGE_RATIO_DECIMALS,
+  LIFECYCLE_GATE_STAGES,
+  MAX_IOS_TEST_QUALITY_SAMPLE_FILES,
+  MAX_OBSERVED_CODE_PATHS_SAMPLE,
+  MAX_SCOPE_SAMPLE_PATHS,
+  LIST_SEPARATOR,
+  MEMORY_SHADOW_CONFIDENCE_ALLOW,
+  MEMORY_SHADOW_CONFIDENCE_BLOCK,
+  MEMORY_SHADOW_CONFIDENCE_WARN,
+  MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY,
+} from '../gate/runPlatformGateConfig';
+import type { Severity } from '../../core/rules/Severity';
 export type OperationalMemoryShadowRecommendation = {
   recommendedOutcome: 'ALLOW' | 'WARN' | 'BLOCK';
@@ -80,13 +96,18 @@ const defaultServices: GateServices = {
   evidence: new EvidenceService(),
 };
+const SEVERITY_CRITICAL: Severity = 'CRITICAL';
+const SEVERITY_ERROR: Severity = 'ERROR';
+const SEVERITY_WARN: Severity = 'WARN';
 const buildDefaultMemoryShadowRecommendation = (params: {
   findings: ReadonlyArray<Finding>;
   tddBddSnapshot?: TddBddSnapshot;
 }): OperationalMemoryShadowRecommendation | undefined => {
-  const hasCritical = params.findings.some((finding) => finding.severity === 'CRITICAL');
-  const hasError = params.findings.some((finding) => finding.severity === 'ERROR');
-  const hasWarn = params.findings.some((finding) => finding.severity === 'WARN');
+  const hasCritical = params.findings.some(
+    (finding) => finding.severity === SEVERITY_CRITICAL
+  );
+  const hasError = params.findings.some((finding) => finding.severity === SEVERITY_ERROR);
+  const hasWarn = params.findings.some((finding) => finding.severity === SEVERITY_WARN);
   const reasonCodes: string[] = [];
   if (hasCritical || hasError) {
@@ -108,27 +129,27 @@ const buildDefaultMemoryShadowRecommendation = (params: {
   if (hasCritical || hasError || params.tddBddSnapshot?.status === 'blocked') {
     return {
       recommendedOutcome: 'BLOCK',
-      confidence: 0.9,
+      confidence: MEMORY_SHADOW_CONFIDENCE_BLOCK,
       reasonCodes,
     };
   }
   if (hasWarn) {
     return {
       recommendedOutcome: 'WARN',
-      confidence: 0.75,
+      confidence: MEMORY_SHADOW_CONFIDENCE_WARN,
       reasonCodes,
     };
   }
   if (params.tddBddSnapshot?.status === 'advisory') {
     return {
       recommendedOutcome: 'WARN',
-      confidence: 0.7,
+      confidence: MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY,
       reasonCodes,
     };
   }
   return {
     recommendedOutcome: 'ALLOW',
-    confidence: 0.65,
+    confidence: MEMORY_SHADOW_CONFIDENCE_ALLOW,
     reasonCodes,
   };
 };
@@ -202,7 +223,10 @@ const toRulesCoverageBlockingFinding = (params: {
   }
   const active = params.activeRuleIds.length;
   const evaluated = params.evaluatedRuleIds.length;
-  const coverageRatio = active === 0 ? 1 : Number((evaluated / active).toFixed(6));
+  const coverageRatio =
+    active === 0
+      ? 1
+      : Number((evaluated / active).toFixed(DEFAULT_RULES_COVERAGE_RATIO_DECIMALS));
   const unevaluatedRuleIds = [...params.unevaluatedRuleIds].sort().join(', ');
   return {
@@ -233,7 +257,7 @@ const toSkillsUnsupportedAutoRulesBlockingFinding = (params: {
     return undefined;
   }
-  const unsupportedRuleIdsToken = unsupportedRuleIds.join(', ');
+  const unsupportedRuleIdsToken = unsupportedRuleIds.join(LIST_SEPARATOR);
   return {
     ruleId: 'governance.skills.detector-mapping.incomplete',
@@ -454,7 +478,9 @@ const toIosTestsQualityBlockingFinding = (params: {
     return undefined;
   }
-  const sampleFiles = invalidFiles.slice(0, 3).join(' | ');
+  const sampleFiles = invalidFiles
+    .slice(0, MAX_IOS_TEST_QUALITY_SAMPLE_FILES)
+    .join(' | ');
   return {
     ruleId: 'governance.skills.ios-test-quality.incomplete',
     severity: 'ERROR',
@@ -480,7 +506,7 @@ const toActiveRulesEmptyForCodeChangesBlockingFinding = (params: {
   if (codePaths.length === 0) {
     return undefined;
   }
-  const samplePaths = codePaths.slice(0, 5).join(', ');
+  const samplePaths = codePaths.slice(0, MAX_OBSERVED_CODE_PATHS_SAMPLE).join(', ');
   return {
     ruleId: 'governance.rules.active-rule-coverage.empty',
     severity: 'ERROR',
@@ -564,7 +590,7 @@ const toSkillsScopeComplianceBlockingFinding = (params: {
     if (!hasEvaluatedRules) {
       reasons.push(`evaluated_rules_prefix=${prefix} missing`);
     }
-    const samplePaths = scopePaths.slice(0, 3).join(', ');
+    const samplePaths = scopePaths.slice(0, MAX_SCOPE_SAMPLE_PATHS).join(', ');
     missingScopes.push(`${scope}{${reasons.join('; ')} sample_paths=[${samplePaths}]}`);
   }
@@ -616,13 +642,13 @@ const toDegradedModeFinding = (params: {
   if (!degraded?.enabled) {
     return undefined;
   }
-  if (degraded.action === 'block') {
+  if (degraded.action === DEGRADED_MODE_ACTION_BLOCK) {
     return {
       ruleId: 'governance.degraded-mode.blocked',
       severity: 'ERROR',
       code: degraded.code,
       message:
-        `Degraded mode is active at ${params.stage} with fail-closed action=block. ` +
+        `Degraded mode is active at ${params.stage} with fail-closed action=${DEGRADED_MODE_ACTION_BLOCK}. ` +
         `reason=${degraded.reason} source=${degraded.source}.`,
       filePath: '.pumuki/degraded-mode.json',
       matchedBy: 'DegradedModeGuard',
@@ -634,7 +660,7 @@ const toDegradedModeFinding = (params: {
     severity: 'INFO',
     code: degraded.code,
     message:
-      `Degraded mode is active at ${params.stage} with fail-open action=allow. ` +
+      `Degraded mode is active at ${params.stage} with fail-open action=${DEGRADED_MODE_ACTION_ALLOW}. ` +
       `reason=${degraded.reason} source=${degraded.source}.`,
     filePath: '.pumuki/degraded-mode.json',
     matchedBy: 'DegradedModeGuard',
@@ -775,7 +801,6 @@ const toCrossPlatformCriticalEnforcementBlockingFinding = (params: {
       .sort();
     if (criticalSkillRules.length === 0) {
-      gaps.push(`${platform}{critical_profile_rules=missing}`);
       continue;
     }
@@ -819,35 +844,9 @@ const applySkillsFindingEnforcement = (
   if (!finding) {
     return undefined;
   }
-  const skillsEnforcement = resolveSkillsEnforcement();
-  if (skillsEnforcement.blocking) {
-    return finding;
-  }
   return {
     ...finding,
-    severity: 'WARN',
-  };
-};
-const toSoftPreCommitSkillsFinding = (params: {
-  finding: Finding | undefined;
-  enabled: boolean;
-  observedCodePaths: ReadonlyArray<string>;
-}): Finding | undefined => {
-  if (!params.finding) {
-    return undefined;
-  }
-  if (!params.enabled || !shouldBlockFromFinding(params.finding)) {
-    return params.finding;
-  }
-  return {
-    ...params.finding,
-    severity: 'WARN',
-    code: `${params.finding.code}_SOFT_PRECOMMIT`,
-    message:
-      `${params.finding.message} ` +
-      `Soft-enforced at PRE_COMMIT for low-risk scope (observed_code_paths=${params.observedCodePaths.length}). ` +
-      'Strict enforcement remains active at PRE_PUSH/CI.',
+    severity: 'ERROR',
   };
 };
@@ -869,7 +868,7 @@ export async function runPlatformGate(params: {
     ...params.dependencies,
   };
   const repoRoot = git.resolveRepoRoot();
-  const auditMode = params.auditMode ?? 'gate';
+  const auditMode = params.auditMode ?? DEFAULT_GATE_AUDIT_MODE;
   const shouldShortCircuitSdd = params.sddShortCircuit ?? false;
   let sddDecision:
     | Pick<SddDecision, 'allowed' | 'code' | 'message'>
@@ -1082,15 +1081,12 @@ export async function runPlatformGate(params: {
           policyTrace: params.policyTrace,
         })
       : undefined;
-  const degradedModeFinding =
-    params.policy.stage === 'PRE_COMMIT' ||
-    params.policy.stage === 'PRE_PUSH' ||
-    params.policy.stage === 'CI'
-      ? toDegradedModeFinding({
-          stage: params.policy.stage,
-          policyTrace: params.policyTrace,
-        })
-      : undefined;
+  const degradedModeFinding = LIFECYCLE_GATE_STAGES.includes(params.policy.stage)
+    ? toDegradedModeFinding({
+        stage: params.policy.stage,
+        policyTrace: params.policyTrace,
+      })
+    : undefined;
   const astIntelligenceDualValidation:
     | AstIntelligenceDualValidationResult
     | undefined =
@@ -1120,7 +1116,8 @@ export async function runPlatformGate(params: {
       );
     }
   }
-  const degradedModeBlocks = params.policyTrace?.degraded?.action === 'block';
+  const degradedModeBlocks =
+    params.policyTrace?.degraded?.action === DEGRADED_MODE_ACTION_BLOCK;
   const rulesCoverage = coverage
     ? {
       stage: params.policy.stage,
@@ -1184,7 +1181,11 @@ export async function runPlatformGate(params: {
       coverage_ratio:
         coverage.activeRuleIds.length === 0
           ? 1
-          : Number((coverage.evaluatedRuleIds.length / coverage.activeRuleIds.length).toFixed(6)),
+          : Number(
+              (
+                coverage.evaluatedRuleIds.length / coverage.activeRuleIds.length
+              ).toFixed(DEFAULT_RULES_COVERAGE_RATIO_DECIMALS)
+            ),
     }
     : createEmptySnapshotRulesCoverage(params.policy.stage);
   const brownfieldHotspotFindings = dependencies.evaluateBrownfieldHotspotFindings({
@@ -1209,37 +1210,9 @@ export async function runPlatformGate(params: {
   const hasNativeBlockingFinding = findings.some(
     (finding) => finding.severity === 'ERROR' || finding.severity === 'CRITICAL'
   );
-  const preCommitSoftSkillsEnabled = process.env.PUMUKI_PRE_COMMIT_SOFT_SKILLS !== '0';
-  const lowRiskPreCommitWindow = observedCodePaths.length > 0 && observedCodePaths.length <= 3;
-  const shouldSoftEnforceSkillsFindings =
-    params.policy.stage === 'PRE_COMMIT'
-    && preCommitSoftSkillsEnabled
-    && lowRiskPreCommitWindow
-    && !sddBlockingFinding
-    && !degradedModeBlocks
-    && !shouldBlockFromFinding(policyAsCodeBlockingFinding)
-    && !shouldBlockFromFinding(effectiveUnsupportedSkillsMappingFinding)
-    && !shouldBlockFromFinding(coverageBlockingFinding)
-    && !shouldBlockFromFinding(activeRulesEmptyForCodeChangesFinding)
-    && !shouldBlockFromFinding(effectiveIosTestsQualityFinding)
-    && !shouldBlockFromFinding(astIntelligenceDualFinding)
-    && !hasTddBddBlockingFinding
-    && !hasNativeBlockingFinding;
-  const effectivePlatformSkillsCoverageFinding = toSoftPreCommitSkillsFinding({
-    finding: effectivePlatformSkillsCoverageInput,
-    enabled: shouldSoftEnforceSkillsFindings,
-    observedCodePaths,
-  });
-  const effectiveCrossPlatformCriticalFinding = toSoftPreCommitSkillsFinding({
-    finding: effectiveCrossPlatformCriticalInput,
-    enabled: shouldSoftEnforceSkillsFindings,
-    observedCodePaths,
-  });
-  const effectiveSkillsScopeComplianceFinding = toSoftPreCommitSkillsFinding({
-    finding: effectiveSkillsScopeComplianceInput,
-    enabled: shouldSoftEnforceSkillsFindings,
-    observedCodePaths,
-  });
+  const effectivePlatformSkillsCoverageFinding = effectivePlatformSkillsCoverageInput;
+  const effectiveCrossPlatformCriticalFinding = effectiveCrossPlatformCriticalInput;
+  const effectiveSkillsScopeComplianceFinding = effectiveSkillsScopeComplianceInput;
   const effectiveFindings = sddBlockingFinding
     ? [
       sddBlockingFinding,
@@ -1390,7 +1363,7 @@ export async function runPlatformGate(params: {
     if (params.silent !== true) {
       process.stdout.write(
         `[pumuki][memory-shadow] recommended=${memoryShadowRecommendation.recommendedOutcome}` +
-        ` confidence=${memoryShadowRecommendation.confidence.toFixed(2)}` +
+        ` confidence=${memoryShadowRecommendation.confidence.toFixed(DEFAULT_MEMORY_SHADOW_DISPLAY_PRECISION)}` +
         ` reasons=${memoryShadowRecommendation.reasonCodes.join(',')}\n`
       );
     }

package/integrations/policy/skillsEnforcement.ts CHANGED Viewed

@@ -6,47 +6,7 @@ export type SkillsEnforcementResolution = {
   blocking: boolean;
 };
-const SKILLS_ENFORCEMENT_ENV = 'PUMUKI_SKILLS_ENFORCEMENT';
-const toSkillsEnforcementMode = (
-  value: string | undefined
-): SkillsEnforcementMode | null => {
-  if (typeof value !== 'string') {
-    return null;
-  }
-  const normalized = value.trim().toLowerCase();
-  if (
-    normalized === 'strict'
-    || normalized === '1'
-    || normalized === 'true'
-    || normalized === 'yes'
-    || normalized === 'on'
-  ) {
-    return 'strict';
-  }
-  if (
-    normalized === 'advisory'
-    || normalized === 'warn'
-    || normalized === 'warning'
-    || normalized === '0'
-    || normalized === 'false'
-    || normalized === 'no'
-    || normalized === 'off'
-  ) {
-    return 'advisory';
-  }
-  return null;
-};
 export const resolveSkillsEnforcement = (): SkillsEnforcementResolution => {
-  const modeFromEnv = toSkillsEnforcementMode(process.env[SKILLS_ENFORCEMENT_ENV]);
-  if (modeFromEnv) {
-    return {
-      mode: modeFromEnv,
-      source: 'env',
-      blocking: modeFromEnv === 'strict',
-    };
-  }
   return {
     mode: 'strict',
     source: 'default',

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.132",
+  "version": "6.3.133",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {