npm - pumuki - Versions diffs - 6.3.132 → 6.3.134 - Mend

pumuki 6.3.132 → 6.3.134

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (19) hide show

package/CHANGELOG.md +15 -0
package/docs/operations/RELEASE_NOTES.md +12 -0
package/docs/product/CONFIGURATION.md +1 -2
package/integrations/gate/evaluateAiGate.ts +24 -0
package/integrations/gate/governanceActionCatalog.ts +22 -1
package/integrations/gate/remediationCatalog.ts +4 -2
package/integrations/gate/runPlatformGateConfig.ts +55 -0
package/integrations/gate/runPlatformGateDefaults.ts +19 -0
package/integrations/git/runPlatformGate.ts +61 -88
package/integrations/git/runPlatformGateOutput.ts +13 -8
package/integrations/lifecycle/audit.ts +1 -1
package/integrations/lifecycle/cli.ts +6 -4
package/integrations/lifecycle/doctor.ts +1 -1
package/integrations/lifecycle/governanceNextAction.ts +10 -0
package/integrations/lifecycle/governanceObservationSnapshot.ts +6 -0
package/integrations/mcp/autoExecuteAiStart.ts +2 -2
package/integrations/mcp/preFlightCheck.ts +18 -5
package/integrations/policy/skillsEnforcement.ts +0 -46
package/package.json +1 -1

package/CHANGELOG.md CHANGED Viewed

@@ -6,6 +6,21 @@ This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 ## [Unreleased]
+## [6.3.134] - 2026-05-03
+### Fixed
+- **Policy hash drift accionable:** `governanceObservationSnapshot`, `governanceNextAction` y el catálogo de remediación ya convierten la divergencia entre stages en una acción estricta y aplicable.
+- **Release preparada para repin:** esta versión queda lista para publicarse y repinear consumers activos como RuralGo con el fix real ya distribuido.
+## [6.3.133] - 2026-05-03
+### Fixed
+- **Skills enforcement endurecido a bloqueo duro:** `PRE_WRITE`, `PRE_COMMIT` y `PRE_PUSH` ya no admiten bypass advisory para violaciones de skills.
+- **Contrato de gate alineado de punta a punta:** `skillsEnforcement`, `evaluateAiGate`, `runPlatformGate` y el flujo CLI bloquean de forma consistente cuando falta cobertura, bundles o contrato de skills.
+- **Release listo para repin:** esta versión está preparada para publicarse y repinear consumers como RuralGo sin cerrar más gaps funcionales para este fix.
 ## [6.3.132] - 2026-05-03
 ### Fixed

package/docs/operations/RELEASE_NOTES.md CHANGED Viewed

@@ -4,6 +4,18 @@ This file tracks the active deterministic framework line used in this repository
 Canonical release chronology lives in `CHANGELOG.md`.
 This file keeps only the operational highlights and rollout notes that matter while running the framework.
+### 2026-05-03 (v6.3.134)
+- **Policy hash drift accionable:** `governanceObservationSnapshot`, `governanceNextAction` y el catálogo de remediación ya convierten la divergencia entre stages en una acción estricta y aplicable.
+- **Repin recomendado:** publicar `pumuki@6.3.134`, repinear RuralGo y revalidar `status`, `doctor`, `audit --stage=PRE_WRITE --json` y hooks gestionados.
+- **Contrato de release estable:** no hace falta cerrar más gaps funcionales para este fix; la solución ya quedó validada localmente y lo que falta es distribución.
+### 2026-05-03 (v6.3.133)
+- **Skills hard-blocking end-to-end:** `skillsEnforcement`, `evaluateAiGate`, `runPlatformGate` y el flujo CLI ya no dejan pasar advisory para violations de skills.
+- **Repin recomendado:** publicar `pumuki@6.3.133`, repinear RuralGo y revalidar `status`, `doctor`, `audit --stage=PRE_WRITE --json` y hooks gestionados.
+- **Contrato de release estable:** no hace falta cerrar más gaps funcionales para este fix; la solución ya quedó validada localmente y lo que falta es distribución.
 ### 2026-05-03 (v6.3.130)
 - **Menú consumer legacy recuperado:** `pumuki-framework` vuelve a mostrar la portada plana de 9 opciones y la salida clásica de auditoría.

package/docs/product/CONFIGURATION.md CHANGED Viewed

@@ -66,8 +66,7 @@ Current enforcement scope:
 - curated template compilation (`skills.sources.json` -> `skills.lock.json`)
 - stage-aware policy resolution via `resolvePolicyForStage`
 - additive skills-derived rules merged through the shared gate runner
-- strict skills enforcement by default; `PUMUKI_SKILLS_ENFORCEMENT=advisory`
-  is an explicit opt-in escape hatch, not the product baseline
+- strict skills enforcement by default; advisory values are ignored by design
 - strict heuristics, TDD/BDD evidence, SDD completeness, and Git atomicity by
   default; their `advisory`/`0` env values are explicit legacy overrides, not
   the product baseline

package/integrations/gate/evaluateAiGate.ts CHANGED Viewed

@@ -1338,6 +1338,26 @@ const collectEvidencePolicyThresholdViolations = (params: {
   return [];
 };
+const collectTddBddBaselineViolations = (params: {
+  evidenceResult: EvidenceReadResult;
+}): AiGateViolation[] => {
+  if (params.evidenceResult.kind !== 'valid') {
+    return [];
+  }
+  const tddBdd = params.evidenceResult.evidence.snapshot.tdd_bdd;
+  if (tddBdd?.status !== 'blocked') {
+    return [];
+  }
+  return [
+    toErrorViolation(
+      'TDD_BDD_BASELINE_BLOCKED',
+      'TDD/BDD baseline snapshot is blocked. Fix the failing baseline tests and refresh evidence before continuing.'
+    ),
+  ];
+};
 const toEvidenceSourceDescriptor = (
   result: EvidenceReadResult,
   repoRoot: string
@@ -1688,9 +1708,13 @@ export const evaluateAiGate = (
     evidenceResult,
     policy: resolvedPolicy.policy,
   });
+  const tddBddBaselineViolations = collectTddBddBaselineViolations({
+    evidenceResult,
+  });
   const violations = [
     ...evidenceAssessment.violations,
     ...policyThresholdViolations,
+    ...tddBddBaselineViolations,
     ...stageSkillsContractViolations,
     ...gitflowViolations,
     ...trackingViolations,

package/integrations/gate/governanceActionCatalog.ts CHANGED Viewed

@@ -19,7 +19,7 @@ export const buildGovernanceValidateCommand = (stage: AiGateStage): string =>
   PRE_WRITE_VALIDATE_COMMAND.replace('PRE_WRITE', stage);
 export const buildGovernancePolicyReconcileCommand = (stage: AiGateStage): string =>
-  `npx --yes --package pumuki@latest pumuki policy reconcile --strict --json && ${buildGovernanceValidateCommand(stage)}`;
+  `npx --yes --package pumuki@latest pumuki policy reconcile --strict --apply --json && ${buildGovernanceValidateCommand(stage)}`;
 const buildFallbackAction = (code: string): GovernanceCatalogAction => ({
   reason_code: code,
@@ -174,6 +174,17 @@ export const resolveGovernanceCatalogAction = (params: {
           command: buildGovernancePolicyReconcileCommand(stage),
         },
       };
+    case 'POLICY_HASH_DIVERGENCE':
+      return {
+        reason_code: 'POLICY_HASH_DIVERGENCE',
+        instruction: 'Reconcilia policy/skills y aplica el contrato canónico para reducir el drift entre stages.',
+        next_action: {
+          kind: 'run_command',
+          message:
+            'Los hashes de policy difieren entre stages. Ejecuta reconcile estricto con apply y vuelve a validar.',
+          command: buildGovernancePolicyReconcileCommand(stage),
+        },
+      };
     case 'SKILLS_CONTRACT_SURFACE_INCOMPLETE':
     case 'EVIDENCE_SKILLS_CONTRACT_INCOMPLETE':
       return {
@@ -207,6 +218,16 @@ export const resolveGovernanceCatalogAction = (params: {
           command: validateCommand,
         },
       };
+    case 'TDD_BDD_BASELINE_BLOCKED':
+      return {
+        reason_code: 'TDD_BDD_BASELINE_BLOCKED',
+        instruction: 'Corrige el baseline TDD/BDD roto y regenera la evidencia antes de seguir.',
+        next_action: {
+          kind: 'run_command',
+          message: 'Revalida el stage actual tras reparar el baseline TDD/BDD y refrescar la evidencia.',
+          command: validateCommand,
+        },
+      };
     case 'ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES_HIGH':
     case 'EVIDENCE_ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES':
       return {

package/integrations/gate/remediationCatalog.ts CHANGED Viewed

@@ -10,12 +10,14 @@ export const REMEDIATION_HINT_BY_CODE: Readonly<Record<string, string>> = {
   EVIDENCE_STALE: 'Refresca evidencia antes de continuar.',
   EVIDENCE_REPO_ROOT_MISMATCH: 'Regenera evidencia desde este mismo repositorio.',
   EVIDENCE_BRANCH_MISMATCH: 'Regenera evidencia en la rama actual y reintenta.',
+  TDD_BDD_BASELINE_BLOCKED:
+    'Corrige el baseline TDD/BDD roto y regenera la evidencia antes de continuar.',
   EVIDENCE_RULES_COVERAGE_MISSING: 'Ejecuta auditoría completa para recalcular rules_coverage.',
   EVIDENCE_RULES_COVERAGE_INCOMPLETE: 'Asegura coverage_ratio=1 y unevaluated=0.',
   ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES_HIGH:
-    'Reconcilia policy/skills y reintenta PRE_COMMIT: npx --yes --package pumuki@latest pumuki policy reconcile --strict --json && npx --yes --package pumuki@latest pumuki-pre-commit',
+    'Reconcilia policy/skills y reintenta PRE_COMMIT: npx --yes --package pumuki@latest pumuki policy reconcile --strict --apply --json && npx --yes --package pumuki@latest pumuki-pre-commit',
   EVIDENCE_ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES:
-    'Reconcilia policy/skills y revalida PRE_WRITE: npx --yes --package pumuki@latest pumuki policy reconcile --strict --json && npx --yes --package pumuki@latest pumuki sdd validate --stage=PRE_WRITE --json',
+    'Reconcilia policy/skills y revalida PRE_WRITE: npx --yes --package pumuki@latest pumuki policy reconcile --strict --apply --json && npx --yes --package pumuki@latest pumuki sdd validate --stage=PRE_WRITE --json',
   GITFLOW_PROTECTED_BRANCH: 'Trabaja en feature/* y evita ramas protegidas.',
   GITFLOW_BRANCH_NAMING_INVALID:
     'Renombra o recrea la rama con un prefijo GitFlow válido (feature/*, bugfix/*, hotfix/*, release/*, chore/*, refactor/* o docs/*).',

package/integrations/gate/runPlatformGateConfig.ts ADDED Viewed

@@ -0,0 +1,55 @@
+import {
+  DEFAULT_DEGRADED_MODE_ACTION_ALLOW,
+  DEFAULT_DEGRADED_MODE_ACTION_BLOCK,
+  DEFAULT_GATE_AUDIT_MODE,
+  DEFAULT_LIST_SEPARATOR,
+  DEFAULT_MEMORY_SHADOW_DISPLAY_PRECISION,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_ALLOW,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_BLOCK,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_WARN,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY,
+  DEFAULT_RULES_COVERAGE_RATIO_DECIMALS,
+  LIFECYCLE_GATE_STAGES,
+  MAX_IOS_TEST_QUALITY_SAMPLE_FILES,
+  MAX_OBSERVED_CODE_PATHS_SAMPLE,
+  MAX_SCOPE_SAMPLE_PATHS,
+} from './runPlatformGateDefaults';
+const parseConfidence = (value: string | undefined, fallback: number): number => {
+  const parsed = Number.parseFloat(value ?? '');
+  return Number.isFinite(parsed) ? parsed : fallback;
+};
+export const LIST_SEPARATOR = DEFAULT_LIST_SEPARATOR;
+export const MEMORY_SHADOW_CONFIDENCE_BLOCK = parseConfidence(
+  process.env.PUMUKI_MEMORY_SHADOW_CONFIDENCE_BLOCK,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_BLOCK
+);
+export const MEMORY_SHADOW_CONFIDENCE_WARN = parseConfidence(
+  process.env.PUMUKI_MEMORY_SHADOW_CONFIDENCE_WARN,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_WARN
+);
+export const MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY = parseConfidence(
+  process.env.PUMUKI_MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY
+);
+export const MEMORY_SHADOW_CONFIDENCE_ALLOW = parseConfidence(
+  process.env.PUMUKI_MEMORY_SHADOW_CONFIDENCE_ALLOW,
+  DEFAULT_MEMORY_SHADOW_CONFIDENCE_ALLOW
+);
+export const DEGRADED_MODE_ACTION_BLOCK =
+  process.env.PUMUKI_DEGRADED_MODE_ACTION_BLOCK?.trim() || DEFAULT_DEGRADED_MODE_ACTION_BLOCK;
+export const DEGRADED_MODE_ACTION_ALLOW =
+  process.env.PUMUKI_DEGRADED_MODE_ACTION_ALLOW?.trim() || DEFAULT_DEGRADED_MODE_ACTION_ALLOW;
+export {
+  DEFAULT_GATE_AUDIT_MODE,
+  DEFAULT_MEMORY_SHADOW_DISPLAY_PRECISION,
+  DEFAULT_RULES_COVERAGE_RATIO_DECIMALS,
+  LIFECYCLE_GATE_STAGES,
+  MAX_IOS_TEST_QUALITY_SAMPLE_FILES,
+  MAX_OBSERVED_CODE_PATHS_SAMPLE,
+  MAX_SCOPE_SAMPLE_PATHS,
+};

package/integrations/gate/runPlatformGateDefaults.ts ADDED Viewed

@@ -0,0 +1,19 @@
+export const DEFAULT_LIST_SEPARATOR = ', ';
+export const DEFAULT_MEMORY_SHADOW_CONFIDENCE_BLOCK = 0.9;
+export const DEFAULT_MEMORY_SHADOW_CONFIDENCE_WARN = 0.75;
+export const DEFAULT_MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY = 0.7;
+export const DEFAULT_MEMORY_SHADOW_CONFIDENCE_ALLOW = 0.65;
+export const DEFAULT_DEGRADED_MODE_ACTION_BLOCK = 'block' as const;
+export const DEFAULT_DEGRADED_MODE_ACTION_ALLOW = 'allow' as const;
+export const DEFAULT_RULES_COVERAGE_RATIO_DECIMALS = 6;
+export const DEFAULT_GATE_AUDIT_MODE = 'gate' as const;
+export const DEFAULT_MEMORY_SHADOW_DISPLAY_PRECISION = 2;
+export const MAX_IOS_TEST_QUALITY_SAMPLE_FILES = 3;
+export const MAX_OBSERVED_CODE_PATHS_SAMPLE = 5;
+export const MAX_SCOPE_SAMPLE_PATHS = 3;
+export const LIFECYCLE_GATE_STAGES = ['PRE_COMMIT', 'PRE_PUSH', 'CI'] as const;

package/integrations/git/runPlatformGate.ts CHANGED Viewed

@@ -32,13 +32,29 @@ import { createEmptyEvaluationMetrics } from '../evidence/evaluationMetrics';
 import { createEmptySnapshotRulesCoverage } from '../evidence/rulesCoverage';
 import { enforceTddBddPolicy } from '../tdd/enforcement';
 import type { TddBddSnapshot } from '../tdd/types';
-import { resolveSkillsEnforcement } from '../policy/skillsEnforcement';
 import { applyTddBddEnforcement } from '../policy/tddBddEnforcement';
 import { collectAiGateRepoPolicyFindings } from './aiGateRepoPolicyFindings';
 import {
   filterFactsByPathPrefixes,
   resolveGateScopePathPrefixesFromEnv,
 } from './filterFactsByPathPrefixes';
+import {
+  DEFAULT_MEMORY_SHADOW_DISPLAY_PRECISION,
+  DEGRADED_MODE_ACTION_ALLOW,
+  DEGRADED_MODE_ACTION_BLOCK,
+  DEFAULT_GATE_AUDIT_MODE,
+  DEFAULT_RULES_COVERAGE_RATIO_DECIMALS,
+  LIFECYCLE_GATE_STAGES,
+  MAX_IOS_TEST_QUALITY_SAMPLE_FILES,
+  MAX_OBSERVED_CODE_PATHS_SAMPLE,
+  MAX_SCOPE_SAMPLE_PATHS,
+  LIST_SEPARATOR,
+  MEMORY_SHADOW_CONFIDENCE_ALLOW,
+  MEMORY_SHADOW_CONFIDENCE_BLOCK,
+  MEMORY_SHADOW_CONFIDENCE_WARN,
+  MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY,
+} from '../gate/runPlatformGateConfig';
+import type { Severity } from '../../core/rules/Severity';
 export type OperationalMemoryShadowRecommendation = {
   recommendedOutcome: 'ALLOW' | 'WARN' | 'BLOCK';
@@ -80,13 +96,18 @@ const defaultServices: GateServices = {
   evidence: new EvidenceService(),
 };
+const SEVERITY_CRITICAL: Severity = 'CRITICAL';
+const SEVERITY_ERROR: Severity = 'ERROR';
+const SEVERITY_WARN: Severity = 'WARN';
 const buildDefaultMemoryShadowRecommendation = (params: {
   findings: ReadonlyArray<Finding>;
   tddBddSnapshot?: TddBddSnapshot;
 }): OperationalMemoryShadowRecommendation | undefined => {
-  const hasCritical = params.findings.some((finding) => finding.severity === 'CRITICAL');
-  const hasError = params.findings.some((finding) => finding.severity === 'ERROR');
-  const hasWarn = params.findings.some((finding) => finding.severity === 'WARN');
+  const hasCritical = params.findings.some(
+    (finding) => finding.severity === SEVERITY_CRITICAL
+  );
+  const hasError = params.findings.some((finding) => finding.severity === SEVERITY_ERROR);
+  const hasWarn = params.findings.some((finding) => finding.severity === SEVERITY_WARN);
   const reasonCodes: string[] = [];
   if (hasCritical || hasError) {
@@ -108,27 +129,27 @@ const buildDefaultMemoryShadowRecommendation = (params: {
   if (hasCritical || hasError || params.tddBddSnapshot?.status === 'blocked') {
     return {
       recommendedOutcome: 'BLOCK',
-      confidence: 0.9,
+      confidence: MEMORY_SHADOW_CONFIDENCE_BLOCK,
       reasonCodes,
     };
   }
   if (hasWarn) {
     return {
       recommendedOutcome: 'WARN',
-      confidence: 0.75,
+      confidence: MEMORY_SHADOW_CONFIDENCE_WARN,
       reasonCodes,
     };
   }
   if (params.tddBddSnapshot?.status === 'advisory') {
     return {
       recommendedOutcome: 'WARN',
-      confidence: 0.7,
+      confidence: MEMORY_SHADOW_CONFIDENCE_WARN_ADVISORY,
       reasonCodes,
     };
   }
   return {
     recommendedOutcome: 'ALLOW',
-    confidence: 0.65,
+    confidence: MEMORY_SHADOW_CONFIDENCE_ALLOW,
     reasonCodes,
   };
 };
@@ -202,7 +223,10 @@ const toRulesCoverageBlockingFinding = (params: {
   }
   const active = params.activeRuleIds.length;
   const evaluated = params.evaluatedRuleIds.length;
-  const coverageRatio = active === 0 ? 1 : Number((evaluated / active).toFixed(6));
+  const coverageRatio =
+    active === 0
+      ? 1
+      : Number((evaluated / active).toFixed(DEFAULT_RULES_COVERAGE_RATIO_DECIMALS));
   const unevaluatedRuleIds = [...params.unevaluatedRuleIds].sort().join(', ');
   return {
@@ -233,7 +257,7 @@ const toSkillsUnsupportedAutoRulesBlockingFinding = (params: {
     return undefined;
   }
-  const unsupportedRuleIdsToken = unsupportedRuleIds.join(', ');
+  const unsupportedRuleIdsToken = unsupportedRuleIds.join(LIST_SEPARATOR);
   return {
     ruleId: 'governance.skills.detector-mapping.incomplete',
@@ -454,7 +478,9 @@ const toIosTestsQualityBlockingFinding = (params: {
     return undefined;
   }
-  const sampleFiles = invalidFiles.slice(0, 3).join(' | ');
+  const sampleFiles = invalidFiles
+    .slice(0, MAX_IOS_TEST_QUALITY_SAMPLE_FILES)
+    .join(' | ');
   return {
     ruleId: 'governance.skills.ios-test-quality.incomplete',
     severity: 'ERROR',
@@ -480,7 +506,7 @@ const toActiveRulesEmptyForCodeChangesBlockingFinding = (params: {
   if (codePaths.length === 0) {
     return undefined;
   }
-  const samplePaths = codePaths.slice(0, 5).join(', ');
+  const samplePaths = codePaths.slice(0, MAX_OBSERVED_CODE_PATHS_SAMPLE).join(', ');
   return {
     ruleId: 'governance.rules.active-rule-coverage.empty',
     severity: 'ERROR',
@@ -564,7 +590,7 @@ const toSkillsScopeComplianceBlockingFinding = (params: {
     if (!hasEvaluatedRules) {
       reasons.push(`evaluated_rules_prefix=${prefix} missing`);
     }
-    const samplePaths = scopePaths.slice(0, 3).join(', ');
+    const samplePaths = scopePaths.slice(0, MAX_SCOPE_SAMPLE_PATHS).join(', ');
     missingScopes.push(`${scope}{${reasons.join('; ')} sample_paths=[${samplePaths}]}`);
   }
@@ -616,13 +642,13 @@ const toDegradedModeFinding = (params: {
   if (!degraded?.enabled) {
     return undefined;
   }
-  if (degraded.action === 'block') {
+  if (degraded.action === DEGRADED_MODE_ACTION_BLOCK) {
     return {
       ruleId: 'governance.degraded-mode.blocked',
       severity: 'ERROR',
       code: degraded.code,
       message:
-        `Degraded mode is active at ${params.stage} with fail-closed action=block. ` +
+        `Degraded mode is active at ${params.stage} with fail-closed action=${DEGRADED_MODE_ACTION_BLOCK}. ` +
         `reason=${degraded.reason} source=${degraded.source}.`,
       filePath: '.pumuki/degraded-mode.json',
       matchedBy: 'DegradedModeGuard',
@@ -634,7 +660,7 @@ const toDegradedModeFinding = (params: {
     severity: 'INFO',
     code: degraded.code,
     message:
-      `Degraded mode is active at ${params.stage} with fail-open action=allow. ` +
+      `Degraded mode is active at ${params.stage} with fail-open action=${DEGRADED_MODE_ACTION_ALLOW}. ` +
       `reason=${degraded.reason} source=${degraded.source}.`,
     filePath: '.pumuki/degraded-mode.json',
     matchedBy: 'DegradedModeGuard',
@@ -775,7 +801,6 @@ const toCrossPlatformCriticalEnforcementBlockingFinding = (params: {
       .sort();
     if (criticalSkillRules.length === 0) {
-      gaps.push(`${platform}{critical_profile_rules=missing}`);
       continue;
     }
@@ -819,35 +844,9 @@ const applySkillsFindingEnforcement = (
   if (!finding) {
     return undefined;
   }
-  const skillsEnforcement = resolveSkillsEnforcement();
-  if (skillsEnforcement.blocking) {
-    return finding;
-  }
   return {
     ...finding,
-    severity: 'WARN',
-  };
-};
-const toSoftPreCommitSkillsFinding = (params: {
-  finding: Finding | undefined;
-  enabled: boolean;
-  observedCodePaths: ReadonlyArray<string>;
-}): Finding | undefined => {
-  if (!params.finding) {
-    return undefined;
-  }
-  if (!params.enabled || !shouldBlockFromFinding(params.finding)) {
-    return params.finding;
-  }
-  return {
-    ...params.finding,
-    severity: 'WARN',
-    code: `${params.finding.code}_SOFT_PRECOMMIT`,
-    message:
-      `${params.finding.message} ` +
-      `Soft-enforced at PRE_COMMIT for low-risk scope (observed_code_paths=${params.observedCodePaths.length}). ` +
-      'Strict enforcement remains active at PRE_PUSH/CI.',
+    severity: 'ERROR',
   };
 };
@@ -869,7 +868,7 @@ export async function runPlatformGate(params: {
     ...params.dependencies,
   };
   const repoRoot = git.resolveRepoRoot();
-  const auditMode = params.auditMode ?? 'gate';
+  const auditMode = params.auditMode ?? DEFAULT_GATE_AUDIT_MODE;
   const shouldShortCircuitSdd = params.sddShortCircuit ?? false;
   let sddDecision:
     | Pick<SddDecision, 'allowed' | 'code' | 'message'>
@@ -1082,15 +1081,12 @@ export async function runPlatformGate(params: {
           policyTrace: params.policyTrace,
         })
       : undefined;
-  const degradedModeFinding =
-    params.policy.stage === 'PRE_COMMIT' ||
-    params.policy.stage === 'PRE_PUSH' ||
-    params.policy.stage === 'CI'
-      ? toDegradedModeFinding({
-          stage: params.policy.stage,
-          policyTrace: params.policyTrace,
-        })
-      : undefined;
+  const degradedModeFinding = LIFECYCLE_GATE_STAGES.includes(params.policy.stage)
+    ? toDegradedModeFinding({
+        stage: params.policy.stage,
+        policyTrace: params.policyTrace,
+      })
+    : undefined;
   const astIntelligenceDualValidation:
     | AstIntelligenceDualValidationResult
     | undefined =
@@ -1120,7 +1116,8 @@ export async function runPlatformGate(params: {
       );
     }
   }
-  const degradedModeBlocks = params.policyTrace?.degraded?.action === 'block';
+  const degradedModeBlocks =
+    params.policyTrace?.degraded?.action === DEGRADED_MODE_ACTION_BLOCK;
   const rulesCoverage = coverage
     ? {
       stage: params.policy.stage,
@@ -1184,7 +1181,11 @@ export async function runPlatformGate(params: {
       coverage_ratio:
         coverage.activeRuleIds.length === 0
           ? 1
-          : Number((coverage.evaluatedRuleIds.length / coverage.activeRuleIds.length).toFixed(6)),
+          : Number(
+              (
+                coverage.evaluatedRuleIds.length / coverage.activeRuleIds.length
+              ).toFixed(DEFAULT_RULES_COVERAGE_RATIO_DECIMALS)
+            ),
     }
     : createEmptySnapshotRulesCoverage(params.policy.stage);
   const brownfieldHotspotFindings = dependencies.evaluateBrownfieldHotspotFindings({
@@ -1209,37 +1210,9 @@ export async function runPlatformGate(params: {
   const hasNativeBlockingFinding = findings.some(
     (finding) => finding.severity === 'ERROR' || finding.severity === 'CRITICAL'
   );
-  const preCommitSoftSkillsEnabled = process.env.PUMUKI_PRE_COMMIT_SOFT_SKILLS !== '0';
-  const lowRiskPreCommitWindow = observedCodePaths.length > 0 && observedCodePaths.length <= 3;
-  const shouldSoftEnforceSkillsFindings =
-    params.policy.stage === 'PRE_COMMIT'
-    && preCommitSoftSkillsEnabled
-    && lowRiskPreCommitWindow
-    && !sddBlockingFinding
-    && !degradedModeBlocks
-    && !shouldBlockFromFinding(policyAsCodeBlockingFinding)
-    && !shouldBlockFromFinding(effectiveUnsupportedSkillsMappingFinding)
-    && !shouldBlockFromFinding(coverageBlockingFinding)
-    && !shouldBlockFromFinding(activeRulesEmptyForCodeChangesFinding)
-    && !shouldBlockFromFinding(effectiveIosTestsQualityFinding)
-    && !shouldBlockFromFinding(astIntelligenceDualFinding)
-    && !hasTddBddBlockingFinding
-    && !hasNativeBlockingFinding;
-  const effectivePlatformSkillsCoverageFinding = toSoftPreCommitSkillsFinding({
-    finding: effectivePlatformSkillsCoverageInput,
-    enabled: shouldSoftEnforceSkillsFindings,
-    observedCodePaths,
-  });
-  const effectiveCrossPlatformCriticalFinding = toSoftPreCommitSkillsFinding({
-    finding: effectiveCrossPlatformCriticalInput,
-    enabled: shouldSoftEnforceSkillsFindings,
-    observedCodePaths,
-  });
-  const effectiveSkillsScopeComplianceFinding = toSoftPreCommitSkillsFinding({
-    finding: effectiveSkillsScopeComplianceInput,
-    enabled: shouldSoftEnforceSkillsFindings,
-    observedCodePaths,
-  });
+  const effectivePlatformSkillsCoverageFinding = effectivePlatformSkillsCoverageInput;
+  const effectiveCrossPlatformCriticalFinding = effectiveCrossPlatformCriticalInput;
+  const effectiveSkillsScopeComplianceFinding = effectiveSkillsScopeComplianceInput;
   const effectiveFindings = sddBlockingFinding
     ? [
       sddBlockingFinding,
@@ -1390,7 +1363,7 @@ export async function runPlatformGate(params: {
     if (params.silent !== true) {
       process.stdout.write(
         `[pumuki][memory-shadow] recommended=${memoryShadowRecommendation.recommendedOutcome}` +
-        ` confidence=${memoryShadowRecommendation.confidence.toFixed(2)}` +
+        ` confidence=${memoryShadowRecommendation.confidence.toFixed(DEFAULT_MEMORY_SHADOW_DISPLAY_PRECISION)}` +
         ` reasons=${memoryShadowRecommendation.reasonCodes.join(',')}\n`
       );
     }

package/integrations/git/runPlatformGateOutput.ts CHANGED Viewed

@@ -9,20 +9,19 @@ const BLOCK_NEXT_ACTION_BY_CODE: Readonly<Record<string, string>> = {
     'git push --set-upstream origin <branch>',
   PRE_PUSH_UPSTREAM_MISALIGNED:
     'git branch --unset-upstream && git push --set-upstream origin <branch>',
-  EVIDENCE_STALE:
-    'npx --yes --package pumuki@latest pumuki-pre-commit',
-  EVIDENCE_BRANCH_MISMATCH:
-    'npx --yes --package pumuki@latest pumuki-pre-commit',
   GIT_ATOMICITY_TOO_MANY_FILES:
     'git restore --staged . && separa cambios en commits más pequeños',
   GIT_ATOMICITY_TOO_MANY_SCOPES:
     'Revisa scope_files del bloqueo y aplica: git restore --staged . && git add <scope>/ && git commit -m "<tipo>: <scope>"',
   ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES_HIGH:
-    'Reconcilia policy/skills y reintenta PRE_COMMIT: npx --yes --package pumuki@latest pumuki policy reconcile --strict --json && npx --yes --package pumuki@latest pumuki-pre-commit',
+    'Reconcilia policy/skills y reintenta PRE_COMMIT: npx --yes --package pumuki@latest pumuki policy reconcile --strict --apply --json && npx --yes --package pumuki@latest pumuki-pre-commit',
   SKILLS_SKILLS_FRONTEND_NO_SOLID_VIOLATIONS:
     'Aplica refactor incremental: extrae 1 componente/hook por commit y vuelve a ejecutar PRE_COMMIT.',
 };
+const buildStageValidateCommand = (stage: 'PRE_COMMIT' | 'PRE_PUSH' | 'CI' | 'PRE_WRITE'): string =>
+  `npx --yes --package pumuki@latest pumuki sdd validate --stage=${stage} --json`;
 const severityWeight = (severity: string): number => {
   switch (severity.toUpperCase()) {
     case 'CRITICAL':
@@ -103,15 +102,21 @@ const formatFinding = (finding: Finding): string => {
   return `[${severity}] ${finding.ruleId}: ${finding.message} -> ${location}`;
 };
-export const printGateFindings = (findings: ReadonlyArray<Finding>): void => {
+export const printGateFindings = (
+  findings: ReadonlyArray<Finding>,
+  params?: { stage?: 'PRE_WRITE' | 'PRE_COMMIT' | 'PRE_PUSH' | 'CI' }
+): void => {
   if (findings.length === 0) {
     return;
   }
   const orderedFindings = sortFindingsBySeverity(findings);
   const primary = resolvePrimaryFinding(orderedFindings);
+  const stage = params?.stage ?? 'PRE_COMMIT';
   const nextAction =
-    BLOCK_NEXT_ACTION_BY_CODE[primary.code]
-    ?? 'Corrige el bloqueante primario y vuelve a ejecutar el mismo comando.';
+    primary.code === 'EVIDENCE_STALE' || primary.code === 'EVIDENCE_BRANCH_MISMATCH'
+      ? buildStageValidateCommand(stage)
+      : BLOCK_NEXT_ACTION_BY_CODE[primary.code]
+        ?? 'Corrige el bloqueante primario y vuelve a ejecutar el mismo comando.';
   process.stdout.write(
     `[pumuki][block-summary] primary=${primary.code} severity=${primary.severity.toUpperCase()} rule=${primary.ruleId}\n`
   );

package/integrations/lifecycle/audit.ts CHANGED Viewed

@@ -55,7 +55,7 @@ type LifecycleAuditDependencies = {
 };
 const POLICY_RECONCILE_HINT =
-  'If .pumuki/policy-as-code.json signatures drift after a pumuki upgrade, run: pumuki policy reconcile --apply';
+  'If .pumuki/policy-as-code.json signatures drift after a pumuki upgrade, run: pumuki policy reconcile --strict --apply --json';
 const countUntrackedMatchingExtensions = (
   git: Pick<IGitService, 'resolveRepoRoot' | 'runGit'>,

package/integrations/lifecycle/cli.ts CHANGED Viewed

@@ -1650,7 +1650,7 @@ const buildPreWriteValidateCommand = (params: {
 const buildPreWritePolicyReconcileCommand = (repoRoot?: string): string =>
   `${buildPinnedPumukiNpxCommand({
     repoRoot,
-    executableAndArgs: 'pumuki policy reconcile --strict --json',
+    executableAndArgs: 'pumuki policy reconcile --strict --apply --json',
   })} && ${buildPreWriteValidateCommand({ repoRoot, stage: 'PRE_WRITE' })}`;
 type PreWriteValidationEnvelope = {
@@ -1838,11 +1838,13 @@ const PRE_WRITE_HINTS_BY_CODE: Readonly<Record<string, string>> = {
   EVIDENCE_RULES_COVERAGE_MISSING: 'Ejecuta auditoría completa para recalcular rules_coverage.',
   EVIDENCE_RULES_COVERAGE_INCOMPLETE: 'Asegura unevaluated=0 y coverage_ratio=1.',
   EVIDENCE_ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES:
-    'No hay active_rule_ids para plataforma de código detectada. Reconcilia policy/skills en modo estricto y revalida PRE_WRITE.',
+    'No hay active_rule_ids para plataforma de código detectada. Reconcilia policy/skills en modo estricto con apply y revalida PRE_WRITE.',
   EVIDENCE_PLATFORM_CRITICAL_SKILLS_RULES_MISSING:
-    'Reconcilia policy/skills en modo estricto y materializa reglas críticas (p.ej. skills.ios.critical-test-quality).',
+    'Reconcilia policy/skills en modo estricto con apply y materializa reglas críticas (p.ej. skills.ios.critical-test-quality).',
   EVIDENCE_CROSS_PLATFORM_CRITICAL_ENFORCEMENT_INCOMPLETE:
-    'Reconcilia policy/skills en modo estricto para completar enforcement crítico transversal.',
+    'Reconcilia policy/skills en modo estricto con apply para completar enforcement crítico transversal.',
+  TDD_BDD_BASELINE_BLOCKED:
+    'Corrige el baseline TDD/BDD roto y regenera la evidencia antes de continuar.',
   EVIDENCE_SKILLS_CONTRACT_INCOMPLETE:
     'Completa contrato skills/policy para el stage actual y vuelve a validar.',
   EVIDENCE_PREWRITE_WORKTREE_OVER_LIMIT:

package/integrations/lifecycle/doctor.ts CHANGED Viewed

@@ -834,7 +834,7 @@ const buildPolicySignatureRemediation = (
   const mismatch = Object.values(policyValidation.stages).some(
     (stage) => stage.validationCode === 'POLICY_AS_CODE_SIGNATURE_MISMATCH'
   );
-  return mismatch ? 'pumuki policy reconcile --apply' : undefined;
+  return mismatch ? 'pumuki policy reconcile --strict --apply --json' : undefined;
 };
 export const runLifecycleDoctor = (params?: {

package/integrations/lifecycle/governanceNextAction.ts CHANGED Viewed

@@ -91,6 +91,16 @@ const resolveBlockedAction = (
       message: 'La política efectiva todavía no es estricta en todos los stages requeridos.',
     };
   }
+  if (snapshot.attention_codes.includes('POLICY_HASH_DIVERGENCE')) {
+    return {
+      stage,
+      phase: 'RED',
+      action: 'ask',
+      confidence_pct: 58,
+      ...resolveGovernanceCatalogAction({ code: 'POLICY_HASH_DIVERGENCE', stage }),
+      message: 'Los hashes de policy difieren entre stages; reconcilia y aplica el contrato canónico.',
+    };
+  }
   if (!snapshot.contract_surface.skills_lock_json || !snapshot.contract_surface.skills_sources_json) {
     return {
       stage,

package/integrations/lifecycle/governanceObservationSnapshot.ts CHANGED Viewed

@@ -263,6 +263,12 @@ export const readGovernanceObservationSnapshot = (params: {
   if (!policyValidation.stages.CI.strict) {
     attention.push('POLICY_CI_NOT_STRICT');
   }
+  const policyHashes = new Set(
+    Object.values(policyValidation.stages).map((stage) => stage.hash)
+  );
+  if (policyHashes.size > 1) {
+    attention.push('POLICY_HASH_DIVERGENCE');
+  }
   if (onProtected) {
     attention.push('GITFLOW_PROTECTED_BRANCH_CONTEXT');
   }

package/integrations/mcp/autoExecuteAiStart.ts CHANGED Viewed

@@ -94,7 +94,7 @@ const nextActionFromViolation = (
         command:
           `${buildPinnedPumukiNpxCommand({
             repoRoot,
-            executableAndArgs: 'pumuki policy reconcile --strict --json',
+            executableAndArgs: 'pumuki policy reconcile --strict --apply --json',
           })} && ${buildPinnedPumukiNpxCommand({
             repoRoot,
             executableAndArgs: 'pumuki sdd validate --stage=PRE_WRITE --json',
@@ -121,7 +121,7 @@ const nextActionFromViolation = (
         command:
           `${buildPinnedPumukiNpxCommand({
             repoRoot,
-            executableAndArgs: 'pumuki policy reconcile --strict --json',
+            executableAndArgs: 'pumuki policy reconcile --strict --apply --json',
           })} && ${buildPinnedPumukiNpxCommand({
             repoRoot,
             executableAndArgs: 'pumuki sdd validate --stage=PRE_WRITE --json',

package/integrations/mcp/preFlightCheck.ts CHANGED Viewed

@@ -3,19 +3,30 @@ import {
   type GovernanceCatalogNextAction,
 } from '../gate/governanceActionCatalog';
 import { evaluateAiGate, type AiGateStage, type AiGateViolation } from '../gate/evaluateAiGate';
+import { readEvidenceResult } from '../evidence/readEvidence';
 import { collectWorktreeAtomicSlices } from '../git/worktreeAtomicSlices';
 import { readLifecyclePolicyValidationSnapshot } from '../lifecycle/policyValidationSnapshot';
 import { resolveLearningContextExperimentalFeature } from '../policy/experimentalFeatures';
 import { resolvePreWriteEnforcement } from '../policy/preWriteEnforcement';
 import { readSddLearningContext, type SddLearningContext } from '../sdd/learningInsights';
+const resolveTddStatus = (
+  repoRoot: string
+): 'skipped' | 'passed' | 'advisory' | 'blocked' | 'waived' | null => {
+  const evidenceResult = readEvidenceResult(repoRoot);
+  if (evidenceResult.kind !== 'valid') {
+    return null;
+  }
+  return evidenceResult.evidence.snapshot.tdd_bdd?.status ?? null;
+};
 const ACTIONABLE_HINTS_BY_CODE: Readonly<Record<string, string>> = {
   EVIDENCE_MISSING:
     'Ejecuta una auditoría (1/2/3/4 u opciones de motor 11–14) para regenerar .ai_evidence.json.',
   EVIDENCE_INVALID: 'Regenera .ai_evidence.json desde una opción de auditoría.',
   EVIDENCE_INTEGRITY_MISSING: 'Refresca evidencia para regenerar metadatos de integridad.',
   EVIDENCE_ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES:
-    'No hay active_rule_ids para plataforma de código detectada. Ejecuta reconcile --strict y revalida PRE_WRITE.',
+    'No hay active_rule_ids para plataforma de código detectada. Ejecuta reconcile --strict --apply y revalida PRE_WRITE.',
   EVIDENCE_STALE: 'Refresca evidencia antes de continuar con commit/push.',
   EVIDENCE_TIMESTAMP_INVALID: 'Regenera evidencia para obtener un timestamp válido.',
   EVIDENCE_GATE_BLOCKED: 'Corrige primero las violaciones bloqueantes y vuelve a auditar.',
@@ -32,9 +43,11 @@ const ACTIONABLE_HINTS_BY_CODE: Readonly<Record<string, string>> = {
   EVIDENCE_PLATFORM_SKILLS_BUNDLES_MISSING:
     'Carga los bundles de skills requeridos por plataforma detectada y regenera evidencia.',
   EVIDENCE_PLATFORM_CRITICAL_SKILLS_RULES_MISSING:
-    'Ejecuta `pumuki policy reconcile --strict --json`, materializa reglas críticas (p.ej. skills.ios.critical-test-quality) y revalida PRE_WRITE.',
+    'Ejecuta `pumuki policy reconcile --strict --apply --json`, materializa reglas críticas (p.ej. skills.ios.critical-test-quality) y revalida PRE_WRITE.',
   EVIDENCE_CROSS_PLATFORM_CRITICAL_ENFORCEMENT_INCOMPLETE:
-    'Reconcilia policy/skills en modo estricto para enforcement crítico transversal y vuelve a validar PRE_WRITE.',
+    'Reconcilia policy/skills en modo estricto con apply para enforcement crítico transversal y vuelve a validar PRE_WRITE.',
+  TDD_BDD_BASELINE_BLOCKED:
+    'Corrige el baseline TDD/BDD roto y regenera la evidencia antes de continuar.',
   EVIDENCE_SKILLS_CONTRACT_INCOMPLETE:
     'Completa el contrato skills/policy para el stage solicitado y vuelve a validar.',
   EVIDENCE_PREWRITE_WORKTREE_OVER_LIMIT:
@@ -161,7 +174,7 @@ export type EnterprisePreFlightCheckResult = {
     hints: ReadonlyArray<string>;
     learning_context: SddLearningContext | null;
     ast_analysis: null;
-    tdd_status: null;
+    tdd_status: 'skipped' | 'passed' | 'advisory' | 'blocked' | 'waived' | null;
   };
 };
@@ -246,7 +259,7 @@ export const runEnterprisePreFlightCheck = (params: {
       hints,
       learning_context: learningContext,
       ast_analysis: null,
-      tdd_status: null,
+      tdd_status: resolveTddStatus(params.repoRoot),
     },
   };
 };

package/integrations/policy/skillsEnforcement.ts CHANGED Viewed

@@ -1,55 +1,9 @@
-export type SkillsEnforcementMode = 'advisory' | 'strict';
 export type SkillsEnforcementResolution = {
-  mode: SkillsEnforcementMode;
-  source: 'default' | 'env';
   blocking: boolean;
 };
-const SKILLS_ENFORCEMENT_ENV = 'PUMUKI_SKILLS_ENFORCEMENT';
-const toSkillsEnforcementMode = (
-  value: string | undefined
-): SkillsEnforcementMode | null => {
-  if (typeof value !== 'string') {
-    return null;
-  }
-  const normalized = value.trim().toLowerCase();
-  if (
-    normalized === 'strict'
-    || normalized === '1'
-    || normalized === 'true'
-    || normalized === 'yes'
-    || normalized === 'on'
-  ) {
-    return 'strict';
-  }
-  if (
-    normalized === 'advisory'
-    || normalized === 'warn'
-    || normalized === 'warning'
-    || normalized === '0'
-    || normalized === 'false'
-    || normalized === 'no'
-    || normalized === 'off'
-  ) {
-    return 'advisory';
-  }
-  return null;
-};
 export const resolveSkillsEnforcement = (): SkillsEnforcementResolution => {
-  const modeFromEnv = toSkillsEnforcementMode(process.env[SKILLS_ENFORCEMENT_ENV]);
-  if (modeFromEnv) {
-    return {
-      mode: modeFromEnv,
-      source: 'env',
-      blocking: modeFromEnv === 'strict',
-    };
-  }
   return {
-    mode: 'strict',
-    source: 'default',
     blocking: true,
   };
 };

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.132",
+  "version": "6.3.134",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {