pumuki 6.3.139 → 6.3.141

package/CHANGELOG.md

@@ -6,6 +6,19 @@ This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [6.3.141] - 2026-05-05
+
+### Fixed
+
+- **PRE_PUSH en ramas actualizadas desde base:** el guard de atomicidad ignora commits heredados de `main`/`develop` y commits merge al validar trazabilidad y límites por commit, evitando bloqueos falsos en rollouts que solo resolvieron conflictos con la rama base.
+
+## [6.3.140] - 2026-05-05
+
+### Fixed
+
+- **PRE_PUSH atomicity por commit:** el guard de atomicidad evalúa cada commit del rango de push de forma independiente, evitando que una rama formada por commits atómicos quede bloqueada por el diff agregado.
+- **Falsos positivos de metadata:** `hardcoded-values` y `magic-numbers` dejan de bloquear literales internos de policy/evidence/analytics y constantes estándar, manteniendo la detección real de configuración hardcoded.
+
 ## [6.3.139] - 2026-05-05
 
 ### Fixed

package/core/facts/detectors/typescript/index.ts

@@ -4588,6 +4588,58 @@ const buildMagicNumberPatternMatch = (
   node: unknown
 ): TypeScriptMagicNumberMatch | undefined => {
   const neutralNumericLiterals = new Set([0, 1]);
+  const isNamedConstantInitializer = (ancestors: ReadonlyArray<AstNode>): boolean => {
+    for (let index = ancestors.length - 1; index >= 0; index -= 1) {
+      const ancestor = ancestors[index];
+      if (ancestor.type === 'CallExpression' || ancestor.type === 'NewExpression') {
+        return false;
+      }
+      if (ancestor.type === 'VariableDeclarator') {
+        return true;
+      }
+    }
+    return false;
+  };
+  const isStandardLibraryNumericArgument = (
+    value: AstNode,
+    ancestors: ReadonlyArray<AstNode>
+  ): boolean => {
+    let callExpression: AstNode | undefined;
+    for (let index = ancestors.length - 1; index >= 0; index -= 1) {
+      if (ancestors[index].type === 'CallExpression') {
+        callExpression = ancestors[index];
+        break;
+      }
+    }
+    if (!isObject(callExpression) || !Array.isArray(callExpression.arguments)) {
+      return false;
+    }
+    const argumentIndex = callExpression.arguments.indexOf(value);
+    const calleeName =
+      methodNameFromNode(callExpression.callee) ?? memberExpressionPropertyName(callExpression.callee);
+    const memberName = memberExpressionPropertyName(callExpression.callee);
+
+    if ((calleeName === 'parseInt' || memberName === 'parseInt') && argumentIndex === 1) {
+      return true;
+    }
+    if ((memberName === 'slice' || memberName === 'substring') && argumentIndex >= 0) {
+      return true;
+    }
+    if (memberName === 'toFixed' && argumentIndex === 0) {
+      return true;
+    }
+    if (memberName === 'toString' && argumentIndex === 0) {
+      return true;
+    }
+    if ((memberName === 'min' || memberName === 'max') && argumentIndex >= 0) {
+      return true;
+    }
+    if (value.value === 1000 && memberExpressionPropertyName(callExpression.callee) === 'floor') {
+      return true;
+    }
+    return false;
+  };
+
   const match = findFirstNodeWithAncestors(node, (value, ancestors) => {
     if (value.type !== 'NumericLiteral' || typeof value.value !== 'number') {
       return false;
@@ -4595,6 +4647,12 @@ const buildMagicNumberPatternMatch = (
     if (neutralNumericLiterals.has(value.value)) {
       return false;
     }
+    if (isNamedConstantInitializer(ancestors)) {
+      return false;
+    }
+    if (isStandardLibraryNumericArgument(value, ancestors)) {
+      return false;
+    }
 
     return !ancestors.some((ancestor) => {
       return (
@@ -4790,6 +4848,80 @@ const isNeutralHardcodedNumericLiteral = (node: AstNode): boolean => {
   return node.type === 'NumericLiteral' && (node.value === 0 || node.value === 1);
 };
 
+const isBenignHardcodedConfigLiteral = (node: AstNode): boolean => {
+  if (node.type !== 'StringLiteral') {
+    return false;
+  }
+  const value = String(node.value).trim();
+  if (value.length === 0) {
+    return true;
+  }
+  if (/^(?:0|1|true|false|yes|no|on|off)$/i.test(value)) {
+    return true;
+  }
+  if (
+    [
+      'all-severities',
+      'critical-high',
+      'default',
+      'detected',
+      'engine',
+      'gate',
+      'hard-mode',
+      'inferred',
+      'skills.policy',
+    ].includes(value)
+  ) {
+    return true;
+  }
+  if (/^\d+(?:\.\d+)+$/.test(value)) {
+    return true;
+  }
+  if (
+    value.startsWith('skills.') ||
+    value.startsWith('heuristics.') ||
+    value.startsWith('common.') ||
+    value.startsWith('workflow.')
+  ) {
+    return true;
+  }
+  if (value.startsWith('.pumuki/') || value.startsWith('openspec/')) {
+    return true;
+  }
+  if (/^\.[a-z0-9]+$/i.test(value)) {
+    return true;
+  }
+  if (/^[A-Z][A-Z0-9_]+$/.test(value)) {
+    return true;
+  }
+  if (/^--[a-z0-9-]+$/i.test(value)) {
+    return true;
+  }
+  if (/^[()[\]{}.,:;!/\-\\]+$/.test(value)) {
+    return true;
+  }
+  return false;
+};
+
+const isBenignConfigMetadataName = (value: string): boolean => {
+  const normalized = value.trim();
+  if (normalized.length === 0) {
+    return true;
+  }
+  if (
+    normalized.startsWith('skills.') ||
+    normalized.startsWith('heuristics.') ||
+    normalized.startsWith('common.') ||
+    normalized.startsWith('workflow.')
+  ) {
+    return true;
+  }
+  if (/^[A-Z][A-Z0-9_]+$/.test(normalized)) {
+    return true;
+  }
+  return false;
+};
+
 const isTypeOnlyAstNode = (node: AstNode): boolean => {
   return typeof node.type === 'string' && node.type.startsWith('TS');
 };
@@ -4803,6 +4935,9 @@ const hardcodedValueAssignmentContextFromAncestors = (
     if (ancestor.type === 'VariableDeclarator') {
       const ownerName = hardcodedValueNameFromNode(ancestor.id);
       if (typeof ownerName === 'string' && ownerName.length > 0) {
+        if (isBenignConfigMetadataName(ownerName)) {
+          return undefined;
+        }
         return {
           ownerName,
           ownerKind: 'member',
@@ -4814,6 +4949,9 @@ const hardcodedValueAssignmentContextFromAncestors = (
     if (ancestor.type === 'ObjectProperty' || ancestor.type === 'ClassProperty') {
       const ownerName = hardcodedValueNameFromNode(ancestor.key);
       if (typeof ownerName === 'string' && ownerName.length > 0) {
+        if (isBenignConfigMetadataName(ownerName)) {
+          return undefined;
+        }
         return {
           ownerName,
           ownerKind: 'member',
@@ -4825,6 +4963,9 @@ const hardcodedValueAssignmentContextFromAncestors = (
     if (ancestor.type === 'AssignmentExpression') {
       const ownerName = hardcodedValueNameFromNode(ancestor.left);
       if (typeof ownerName === 'string' && ownerName.length > 0) {
+        if (isBenignConfigMetadataName(ownerName)) {
+          return undefined;
+        }
         return {
           ownerName,
           ownerKind: 'member',
@@ -4981,6 +5122,7 @@ const buildHardcodedValuePatternMatch = (
       isAstNodeTypeLiteral(value) ||
       isPrimitiveTypeGuardLiteral(value) ||
       isRuntimeApiLiteral(value) ||
+      isBenignHardcodedConfigLiteral(value) ||
       isNeutralHardcodedNumericLiteral(value)
     ) {
       return false;

package/docs/operations/RELEASE_NOTES.md

@@ -4,6 +4,18 @@ This file tracks the active deterministic framework line used in this repository
 Canonical release chronology lives in `CHANGELOG.md`.
 This file keeps only the operational highlights and rollout notes that matter while running the framework.
 
+### 2026-05-05 (v6.3.141)
+
+- **PRE_PUSH sin falso bloqueo por historial base:** ramas de rollout que integran `main`/`develop` dejan de fallar por commits merge heredados como `Merge pull request ...`.
+- **Flux/SAAS follow-up:** esta patch desbloquea el push de las resoluciones de conflicto de los PRs de repin abiertos tras `6.3.140`.
+- **Rollout:** publicar `pumuki@6.3.141`, repinear primero RuralGo y repetir Flux/SAAS sin bypass.
+
+### 2026-05-05 (v6.3.140)
+
+- **PRE_PUSH compatible con ramas largas:** la atomicidad se valida por commit individual, no por diff agregado de rama.
+- **Skills sin falsos positivos de metadata:** el diff de release queda con `hardcoded-values`/`magic-numbers` a `0` para ficheros cambiados.
+- **Rollout:** publicar `pumuki@6.3.140`, repinear primero RuralGo y repetir validaciones `status`, `doctor` y hooks gestionados.
+
 ### 2026-05-05 (v6.3.139)
 
 - **Baseline tests antes de editar:** Pumuki bloquea cambios TDD/BDD in-scope si cada slice no registra un baseline test pasado antes de RED.

package/integrations/evidence/writeEvidence.ts

@@ -27,6 +27,9 @@ export type WriteEvidenceResult = {
 
 const EVIDENCE_FILE_NAME = '.ai_evidence.json';
 const TEMP_EVIDENCE_PREFIX = '.ai_evidence.json.tmp-';
+const RANDOM_SUFFIX_RADIX = 16;
+const RANDOM_SUFFIX_START_INDEX = 2;
+const RANDOM_SUFFIX_END_INDEX = 10;
 
 const normalizeLines = (lines?: EvidenceLines): EvidenceLines | undefined => {
   if (typeof lines === 'undefined') {
@@ -435,7 +438,9 @@ const resolveRepoRoot = (): string => {
 };
 
 const buildTempEvidencePath = (repoRoot: string): string => {
-  const uniqueSuffix = `${process.pid}-${Date.now()}-${Math.random().toString(16).slice(2, 10)}`;
+  const uniqueSuffix = `${process.pid}-${Date.now()}-${Math.random()
+    .toString(RANDOM_SUFFIX_RADIX)
+    .slice(RANDOM_SUFFIX_START_INDEX, RANDOM_SUFFIX_END_INDEX)}`;
   return join(repoRoot, `${TEMP_EVIDENCE_PREFIX}${uniqueSuffix}`);
 };
 

package/integrations/git/gitAtomicity.ts

@@ -32,6 +32,14 @@ const ATOMICITY_CONFIG_FILE = '.pumuki/git-atomicity.json';
 const DEFAULT_COMMIT_PATTERN =
   '^(feat|fix|chore|refactor|docs|test|perf|build|ci|revert)(\\([^)]+\\))?:\\s.+$';
 const MANAGED_EVIDENCE_PATHS = new Set(['.ai_evidence.json', '.AI_EVIDENCE.json']);
+const BASELINE_BRANCH_REFS = [
+  'origin/main',
+  'origin/develop',
+  'upstream/main',
+  'upstream/develop',
+  'main',
+  'develop',
+];
 
 const defaultConfig: GitAtomicityConfig = {
   enabled: true,
@@ -252,12 +260,110 @@ const collectCommitSubjects = (params: {
   fromRef?: string;
   toRef?: string;
 }): ReadonlyArray<string> => {
+  return collectCommitRecords(params)
+    .filter((record) => shouldEvaluateCommitRecord({ git: params.git, repoRoot: params.repoRoot, record }))
+    .map((record) => record.subject);
+};
+
+type CommitRecord = {
+  hash: string;
+  parents: ReadonlyArray<string>;
+  subject: string;
+};
+
+const parseCommitRecords = (value: string): ReadonlyArray<CommitRecord> =>
+  value
+    .split('\n')
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0)
+    .map((line) => {
+      const [hash = '', parents = '', subject = ''] = line.split('\u0001');
+      return {
+        hash: hash.trim(),
+        parents: parents.split(' ').map((parent) => parent.trim()).filter((parent) => parent.length > 0),
+        subject: subject.trim(),
+      };
+    })
+    .filter((record) => record.hash.length > 0);
+
+const isCommitReachableFromRef = (params: {
+  git: IGitService;
+  repoRoot: string;
+  commitHash: string;
+  ref: string;
+}): boolean => {
+  try {
+    params.git.runGit(['merge-base', '--is-ancestor', params.commitHash, params.ref], params.repoRoot);
+    return true;
+  } catch {
+    return false;
+  }
+};
+
+const isInheritedBaselineCommit = (params: {
+  git: IGitService;
+  repoRoot: string;
+  commitHash: string;
+}): boolean =>
+  BASELINE_BRANCH_REFS.some((ref) =>
+    isCommitReachableFromRef({
+      git: params.git,
+      repoRoot: params.repoRoot,
+      commitHash: params.commitHash,
+      ref,
+    })
+  );
+
+const shouldEvaluateCommitRecord = (params: {
+  git: IGitService;
+  repoRoot: string;
+  record: CommitRecord;
+}): boolean => {
+  if (params.record.parents.length > 1) {
+    return false;
+  }
+  return !isInheritedBaselineCommit({
+    git: params.git,
+    repoRoot: params.repoRoot,
+    commitHash: params.record.hash,
+  });
+};
+
+const collectCommitRecords = (params: {
+  git: IGitService;
+  repoRoot: string;
+  fromRef?: string;
+  toRef?: string;
+}): ReadonlyArray<CommitRecord> => {
   if (!params.fromRef || !params.toRef) {
     return [];
   }
+  try {
+    return parseCommitRecords(
+      params.git.runGit(
+        ['log', '--format=%H%x01%P%x01%s', '--reverse', `${params.fromRef}..${params.toRef}`],
+        params.repoRoot
+      )
+    );
+  } catch (error) {
+    if (isUnresolvableRevisionError(error)) {
+      return [];
+    }
+    throw error;
+  }
+};
+
+const collectCommitChangedPaths = (params: {
+  git: IGitService;
+  repoRoot: string;
+  commitHash: string;
+}): ReadonlyArray<string> => {
   try {
     return parseLines(
-      params.git.runGit(['log', '--format=%s', `${params.fromRef}..${params.toRef}`], params.repoRoot)
+      params.git.runGit(
+        ['diff-tree', '--no-commit-id', '--name-only', '-r', '--diff-filter=ACMR', params.commitHash],
+        params.repoRoot
+      )
     );
   } catch (error) {
     if (isUnresolvableRevisionError(error)) {
@@ -267,6 +373,95 @@ const collectCommitSubjects = (params: {
   }
 };
 
+const buildPathLimitViolations = (params: {
+  changedPaths: ReadonlyArray<string>;
+  config: GitAtomicityConfig;
+  stage: GitAtomicityStage;
+  atomicSlicesRemediation?: string;
+  label?: string;
+}): GitAtomicityViolation[] => {
+  const violations: GitAtomicityViolation[] = [];
+  const labelSuffix = params.label ? ` (${params.label})` : '';
+
+  if (params.changedPaths.length > params.config.maxFiles) {
+    violations.push({
+      code: 'GIT_ATOMICITY_TOO_MANY_FILES',
+      message:
+        `Git atomicity guard blocked at ${params.stage}${labelSuffix}: changed_files=${params.changedPaths.length} exceeds max_files=${params.config.maxFiles}.`,
+      remediation:
+        `Divide los cambios en commits más pequeños (máximo ${params.config.maxFiles} archivos por commit).`
+        + (params.atomicSlicesRemediation ? ` ${params.atomicSlicesRemediation}` : ''),
+    });
+  }
+
+  const scopePaths = collectScopePaths(params.changedPaths);
+  const scopeKeys = new Set(scopePaths.keys());
+  if (scopeKeys.size > params.config.maxScopes) {
+    const sortedScopes = [...scopeKeys].sort();
+    const suggestedScopeAdds = sortedScopes
+      .slice(0, Math.max(1, Math.min(params.config.maxScopes + 1, 3)))
+      .map((scope) => `git add ${scope}/`)
+      .join(' && ');
+    const scopeBreakdown = sortedScopes
+      .map((scope) => {
+        const paths = scopePaths.get(scope) ?? [];
+        const sample = paths.slice(0, 3);
+        return `${scope}{count=${paths.length}; sample=[${sample.join(', ')}]}`;
+      })
+      .join(' | ');
+    violations.push({
+      code: 'GIT_ATOMICITY_TOO_MANY_SCOPES',
+      message:
+        `Git atomicity guard blocked at ${params.stage}${labelSuffix}: changed_scopes=${scopeKeys.size} exceeds max_scopes=${params.config.maxScopes}. ` +
+        `scope_files=${scopeBreakdown}.`,
+      remediation:
+        `Agrupa cambios por ámbito funcional (máximo ${params.config.maxScopes} scopes por commit). ` +
+        `scopes_detectados=[${sortedScopes.join(', ')}]. ` +
+        `Sugerencia split: git restore --staged . && ${suggestedScopeAdds} && git commit -m "<tipo>: <scope>".`
+        + (params.atomicSlicesRemediation ? ` ${params.atomicSlicesRemediation}` : ''),
+    });
+  }
+
+  return violations;
+};
+
+const buildPrePushCommitPathLimitViolations = (params: {
+  git: IGitService;
+  repoRoot: string;
+  config: GitAtomicityConfig;
+  fromRef?: string;
+  toRef?: string;
+}): GitAtomicityViolation[] | undefined => {
+  const commitRecords = collectCommitRecords({
+    git: params.git,
+    repoRoot: params.repoRoot,
+    fromRef: params.fromRef,
+    toRef: params.toRef,
+  }).filter((record) => shouldEvaluateCommitRecord({ git: params.git, repoRoot: params.repoRoot, record }));
+  if (commitRecords.length === 0) {
+    return undefined;
+  }
+
+  const violations: GitAtomicityViolation[] = [];
+  for (const commitRecord of commitRecords) {
+    const changedPaths = collectCommitChangedPaths({
+      git: params.git,
+      repoRoot: params.repoRoot,
+      commitHash: commitRecord.hash,
+    }).filter((path) => !isManagedEvidencePath(path));
+    violations.push(
+      ...buildPathLimitViolations({
+        changedPaths,
+        config: params.config,
+        stage: 'PRE_PUSH',
+        label: `commit=${commitRecord.hash.slice(0, 12)}`,
+      })
+    );
+  }
+
+  return violations;
+};
+
 export const evaluateGitAtomicity = (params: {
   git?: IGitService;
   repoRoot?: string;
@@ -299,44 +494,26 @@ export const evaluateGitAtomicity = (params: {
     stage: params.stage,
   });
 
-  if (changedPaths.length > config.maxFiles) {
-    violations.push({
-      code: 'GIT_ATOMICITY_TOO_MANY_FILES',
-      message:
-        `Git atomicity guard blocked at ${params.stage}: changed_files=${changedPaths.length} exceeds max_files=${config.maxFiles}.`,
-      remediation:
-        `Divide los cambios en commits más pequeños (máximo ${config.maxFiles} archivos por commit).`
-        + (atomicSlicesRemediation ? ` ${atomicSlicesRemediation}` : ''),
-    });
-  }
+  const prePushCommitViolations =
+    params.stage === 'PRE_PUSH'
+      ? buildPrePushCommitPathLimitViolations({
+          git,
+          repoRoot,
+          config,
+          fromRef: params.fromRef,
+          toRef: params.toRef,
+        })
+      : undefined;
 
-  const scopePaths = collectScopePaths(changedPaths);
-  const scopeKeys = new Set(scopePaths.keys());
-  if (scopeKeys.size > config.maxScopes) {
-    const sortedScopes = [...scopeKeys].sort();
-    const suggestedScopeAdds = sortedScopes
-      .slice(0, Math.max(1, Math.min(config.maxScopes + 1, 3)))
-      .map((scope) => `git add ${scope}/`)
-      .join(' && ');
-    const scopeBreakdown = sortedScopes
-      .map((scope) => {
-        const paths = scopePaths.get(scope) ?? [];
-        const sample = paths.slice(0, 3);
-        return `${scope}{count=${paths.length}; sample=[${sample.join(', ')}]}`;
-      })
-      .join(' | ');
-    violations.push({
-      code: 'GIT_ATOMICITY_TOO_MANY_SCOPES',
-      message:
-        `Git atomicity guard blocked at ${params.stage}: changed_scopes=${scopeKeys.size} exceeds max_scopes=${config.maxScopes}. ` +
-        `scope_files=${scopeBreakdown}.`,
-      remediation:
-        `Agrupa cambios por ámbito funcional (máximo ${config.maxScopes} scopes por commit). ` +
-        `scopes_detectados=[${sortedScopes.join(', ')}]. ` +
-        `Sugerencia split: git restore --staged . && ${suggestedScopeAdds} && git commit -m "<tipo>: <scope>".`
-        + (atomicSlicesRemediation ? ` ${atomicSlicesRemediation}` : ''),
-    });
-  }
+  violations.push(
+    ...(prePushCommitViolations
+      ?? buildPathLimitViolations({
+        changedPaths,
+        config,
+        stage: params.stage,
+        atomicSlicesRemediation,
+      }))
+  );
 
   if (config.enforceCommitMessagePattern && params.stage !== 'PRE_COMMIT') {
     let pattern: RegExp;

package/integrations/lifecycle/cli.ts

@@ -77,6 +77,18 @@ import { runPolicyReconcile } from './policyReconcile';
 import { runLifecycleAudit, type LifecycleAuditStage } from './audit';
 import { resolvePreWriteEnforcement, type PreWriteEnforcementResolution } from '../policy/preWriteEnforcement';
 
+const POLICY_SUBCOMMAND_ARG_COUNT = 2;
+const PRE_WRITE_PANEL_MIN_COLUMNS = 86;
+const PRE_WRITE_PANEL_MAX_COLUMNS = 140;
+const PRE_WRITE_PANEL_BORDER_COLUMNS = 2;
+const PRE_WRITE_PANEL_PADDING_COLUMNS = 4;
+const WORKTREE_SLICE_PLAN_COUNT = 3;
+const WORKTREE_SLICE_FILE_COUNT = 4;
+const CLI_JSON_INDENT = 2;
+const ANALYTICS_TOOL_NAME = 'analytics';
+const ANALYTICS_FEATURE_NAME = 'analytics';
+const SAAS_INGESTION_FEATURE_NAME = 'saas_ingestion';
+
 type LifecycleCommand =
   | 'bootstrap'
   | 'install'
@@ -811,9 +823,9 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
     }
     let policyStrict = false;
     let policyApply = false;
-    const policyFlagsOffset =
-      typeof firstArg === 'string' && !firstArg.startsWith('--') ? 2 : 1;
-    for (const arg of argv.slice(policyFlagsOffset)) {
+    const policyArgStartIndex =
+      typeof firstArg === 'string' && !firstArg.startsWith('--') ? POLICY_SUBCOMMAND_ARG_COUNT : 1;
+    for (const arg of argv.slice(policyArgStartIndex)) {
       if (arg === '--json') {
         json = true;
         continue;
@@ -1748,7 +1760,7 @@ const buildAnalyticsExperimentalDisabledEnvelope = (
   feature: LifecycleExperimentalFeaturesSnapshot['features']['analytics'],
   action: AnalyticsHotspotsCommand
 ): AnalyticsExperimentalDisabledEnvelope => ({
-  tool: 'analytics',
+  tool: ANALYTICS_TOOL_NAME,
   dryRun: true,
   executed: false,
   success: true,
@@ -1756,7 +1768,7 @@ const buildAnalyticsExperimentalDisabledEnvelope = (
     code: 'ANALYTICS_EXPERIMENTAL_DISABLED',
     message:
       'Analytics hotspots está desactivado explícitamente. Usa PUMUKI_EXPERIMENTAL_ANALYTICS=advisory o strict si necesitas este flujo.',
-    experimental_feature: 'analytics',
+    experimental_feature: ANALYTICS_FEATURE_NAME,
     mode: feature.mode,
     source: feature.source,
     activation_variable: feature.activationVariable,
@@ -1770,7 +1782,7 @@ const buildAnalyticsExperimentalDisabledEnvelope = (
 const buildSaasIngestionExperimentalDisabledEnvelope = (
   feature: LifecycleExperimentalFeaturesSnapshot['features']['saas_ingestion']
 ): SaasIngestionExperimentalDisabledEnvelope => ({
-  tool: 'analytics',
+  tool: ANALYTICS_TOOL_NAME,
   dryRun: true,
   executed: false,
   success: true,
@@ -1778,7 +1790,7 @@ const buildSaasIngestionExperimentalDisabledEnvelope = (
     code: 'SAAS_INGESTION_EXPERIMENTAL_DISABLED',
     message:
       'SaaS ingestion/federation está desactivado explícitamente. Usa PUMUKI_EXPERIMENTAL_SAAS_INGESTION=advisory o strict si necesitas este flujo.',
-    experimental_feature: 'saas_ingestion',
+    experimental_feature: SAAS_INGESTION_FEATURE_NAME,
     mode: feature.mode,
     source: feature.source,
     activation_variable: feature.activationVariable,
@@ -1908,8 +1920,8 @@ export const resolvePreWriteNextAction = (params: {
   if (atomicSliceViolation) {
     const plan = collectWorktreeAtomicSlices({
       repoRoot: params.aiGate.repo_state.repo_root,
-      maxSlices: 3,
-      maxFilesPerSlice: 4,
+      maxSlices: WORKTREE_SLICE_PLAN_COUNT,
+      maxFilesPerSlice: WORKTREE_SLICE_FILE_COUNT,
     });
     const firstSliceCommand = plan.slices[0]?.staged_command ?? 'git add -p';
     return {
@@ -1975,11 +1987,14 @@ const renderPreWritePanel = (lines: ReadonlyArray<string>): string => {
   const terminalWidth = Number.isFinite(process.stdout.columns ?? NaN)
     ? Number(process.stdout.columns)
     : 110;
-  const width = Math.min(140, Math.max(86, terminalWidth - 2));
-  const innerWidth = width - 4;
+  const width = Math.min(
+    PRE_WRITE_PANEL_MAX_COLUMNS,
+    Math.max(PRE_WRITE_PANEL_MIN_COLUMNS, terminalWidth - PRE_WRITE_PANEL_BORDER_COLUMNS)
+  );
+  const innerWidth = width - PRE_WRITE_PANEL_PADDING_COLUMNS;
   const normalized = lines.flatMap((line) => wrapPreWritePanelLine(line, innerWidth));
-  const top = `╔${'═'.repeat(width - 2)}╗`;
-  const bottom = `╚${'═'.repeat(width - 2)}╝`;
+  const top = `╔${'═'.repeat(width - PRE_WRITE_PANEL_BORDER_COLUMNS)}╗`;
+  const bottom = `╚${'═'.repeat(width - PRE_WRITE_PANEL_BORDER_COLUMNS)}╝`;
   const body = normalized.map((line) => `║ ${line.padEnd(innerWidth, ' ')} ║`);
   return [top, ...body, bottom].join('\n');
 };
@@ -2121,7 +2136,7 @@ const writeLoopAttemptEvidence = (params: {
   const relativePath = `.pumuki/loop-sessions/${params.sessionId}.attempt-${params.attempt}.json`;
   const absolutePath = resolve(params.repoRoot, relativePath);
   mkdirSync(dirname(absolutePath), { recursive: true });
-  writeFileSync(absolutePath, `${JSON.stringify(params.payload, null, 2)}\n`, 'utf8');
+  writeFileSync(absolutePath, `${JSON.stringify(params.payload, null, CLI_JSON_INDENT)}\n`, 'utf8');
   return relativePath;
 };
 

package/integrations/lifecycle/governanceObservationSnapshot.ts

@@ -13,6 +13,7 @@ import { writeInfo } from './cliOutputs';
 import { formatTrackingActionableContext } from './trackingState';
 
 const DEFAULT_PROTECTED_BRANCHES = new Set(['main', 'master', 'develop', 'dev']);
+const STRICT_ENV_VALUE = 'strict';
 
 export type GovernanceEvidenceSummary = {
   path: string;
@@ -78,7 +79,7 @@ const truthyEnv = (value: string | undefined): boolean => {
     return false;
   }
   const normalized = value.trim().toLowerCase();
-  return normalized === '1' || normalized === 'true' || normalized === 'yes' || normalized === 'strict';
+  return normalized === '1' || normalized === 'true' || normalized === 'yes' || normalized === STRICT_ENV_VALUE;
 };
 
 const readCurrentBranch = (git: ILifecycleGitService, repoRoot: string): string | null => {

package/integrations/lifecycle/policyReconcile.ts

@@ -20,6 +20,8 @@ type PolicyReconcileDriftCode =
   | 'POLICY_HASH_DIVERGENCE'
   | 'POLICY_STAGE_NON_STRICT';
 
+const POLICY_CONTRACT_JSON_INDENT = 2;
+
 export type PolicyReconcileDrift = {
   code: PolicyReconcileDriftCode;
   severity: PolicyReconcileSeverity;
@@ -180,7 +182,7 @@ const tryApplyPolicyAutofix = (params: {
 
   try {
     mkdirSync(dirname(contractPath), { recursive: true });
-    writeFileSync(contractPath, `${JSON.stringify(contract, null, 2)}\n`, 'utf8');
+    writeFileSync(contractPath, `${JSON.stringify(contract, null, POLICY_CONTRACT_JSON_INDENT)}\n`, 'utf8');
     return {
       attempted: true,
       status: 'APPLIED',

package/integrations/mcp/autoExecuteAiStart.ts

@@ -7,6 +7,9 @@ import { readSddLearningContext, type SddLearningContext } from '../sdd/learning
 type AutoExecuteAction = 'proceed' | 'ask';
 type AutoExecutePhase = 'GREEN' | 'RED';
 
+const WORKTREE_SLICE_PLAN_COUNT = 3;
+const WORKTREE_SLICE_FILE_COUNT = 4;
+
 type AutoExecuteNextAction = {
   kind: 'info' | 'run_command';
   message: string;
@@ -132,8 +135,8 @@ const nextActionFromViolation = (
       {
         const plan = collectWorktreeAtomicSlices({
           repoRoot,
-          maxSlices: 3,
-          maxFilesPerSlice: 4,
+          maxSlices: WORKTREE_SLICE_PLAN_COUNT,
+          maxFilesPerSlice: WORKTREE_SLICE_FILE_COUNT,
         });
         if (plan.slices.length > 0) {
           const firstSlice = plan.slices[0];

package/integrations/mcp/preFlightCheck.ts

@@ -10,6 +10,9 @@ import { resolveLearningContextExperimentalFeature } from '../policy/experimenta
 import { resolvePreWriteEnforcement } from '../policy/preWriteEnforcement';
 import { readSddLearningContext, type SddLearningContext } from '../sdd/learningInsights';
 
+const WORKTREE_SLICE_PLAN_COUNT = 3;
+const WORKTREE_SLICE_FILE_COUNT = 4;
+
 const resolveTddStatus = (
   repoRoot: string
 ): 'skipped' | 'passed' | 'advisory' | 'blocked' | 'waived' | null => {
@@ -114,8 +117,8 @@ const buildPreFlightHints = (params: {
   if (params.stage === 'PRE_WRITE' && hasWorktreeViolation) {
     const plan = collectWorktreeAtomicSlices({
       repoRoot: params.repoRoot,
-      maxSlices: 3,
-      maxFilesPerSlice: 4,
+      maxSlices: WORKTREE_SLICE_PLAN_COUNT,
+      maxFilesPerSlice: WORKTREE_SLICE_FILE_COUNT,
     });
     if (plan.slices.length > 0) {
       hints.push('ATOMIC_SLICES: staging sugerido por scope.');

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.139",
+  "version": "6.3.141",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {