pumuki 6.3.166 → 6.3.168

package/CHANGELOG.md

@@ -6,6 +6,18 @@ This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [6.3.168] - 2026-05-06
+
+### Fixed
+
+- **Tracked evidence commit hygiene:** `pumuki-pre-commit` now respects tracked `.ai_evidence.json` when it was not staged by the developer before a successful code commit. Documentation-only commits still restore evidence drift, and `PUMUKI_PRE_COMMIT_ALWAYS_RESTAGE_TRACKED_EVIDENCE=1` preserves the previous forced restage behavior.
+
+## [6.3.167] - 2026-05-06
+
+### Fixed
+
+- **MCP evidence stdio strict backend gate:** the MCP bridge now uses explicit JSON-RPC constants and requires adapter-provided evidence env vars instead of production defaults, keeping `PRE_PUSH` fail-closed without false backend blockers.
+
 ## [6.3.166] - 2026-05-06
 
 ### Fixed

package/integrations/git/stageRunners.ts

@@ -77,6 +77,9 @@ const shouldSkipRestagingTrackedEvidenceForDocumentationOnlyScope = (params: {
   return paths.every(isDocumentationOnlyStagedPath);
 };
 
+const hasStagedEvidencePath = (paths: ReadonlyArray<string>): boolean =>
+  paths.some((path) => path === '.ai_evidence.json' || path === '.AI_EVIDENCE.json');
+
 const PRE_COMMIT_EVIDENCE_MAX_AGE_SECONDS = 900;
 const PRE_PUSH_EVIDENCE_MAX_AGE_SECONDS = 1800;
 const HOOK_GATE_PROGRESS_REMINDER_MS = 2000;
@@ -520,6 +523,7 @@ const syncTrackedEvidenceAfterSuccessfulPreCommit = (params: {
   dependencies: StageRunnerDependencies;
   repoRoot: string;
   gateBlocked: boolean;
+  evidenceWasStagedAtStart: boolean;
 }): boolean => {
   const evidenceAbsolutePath = join(params.repoRoot, EVIDENCE_FILE_PATH);
   if (!existsSync(evidenceAbsolutePath)) {
@@ -543,6 +547,19 @@ const syncTrackedEvidenceAfterSuccessfulPreCommit = (params: {
     params.dependencies.restorePathFromHead(params.repoRoot, EVIDENCE_FILE_PATH);
     return false;
   }
+  if (
+    !params.gateBlocked &&
+    !params.evidenceWasStagedAtStart &&
+    !isTruthyEnvFlag(process.env.PUMUKI_PRE_COMMIT_ALWAYS_RESTAGE_TRACKED_EVIDENCE)
+  ) {
+    if (!params.dependencies.isQuietMode()) {
+      process.stderr.write(
+        `[pumuki][evidence-sync] tracked ${EVIDENCE_FILE_PATH} left unstaged because it was not staged before PRE_COMMIT. ` +
+          `Force previous behavior: PUMUKI_PRE_COMMIT_ALWAYS_RESTAGE_TRACKED_EVIDENCE=1\n`
+      );
+    }
+    return false;
+  }
   try {
     params.dependencies.stagePath(params.repoRoot, EVIDENCE_FILE_PATH);
     return false;
@@ -787,6 +804,7 @@ export async function runPreCommitStage(
   const activeDependencies = getDependencies(dependencies);
   const repoRoot = activeDependencies.resolveRepoRoot();
   const manifestSnapshot = captureManifestGuardSnapshot(repoRoot);
+  const initiallyStagedPaths = activeDependencies.listStagedIndexPaths(repoRoot);
   activeDependencies.ensureRuntimeArtifactsIgnored(repoRoot);
   if (
     enforceGitAtomicityGate({
@@ -820,6 +838,7 @@ export async function runPreCommitStage(
       dependencies: activeDependencies,
       repoRoot,
       gateBlocked: result.exitCode !== 0,
+      evidenceWasStagedAtStart: hasStagedEvidencePath(initiallyStagedPaths),
     })
   ) {
     return 1;

package/integrations/mcp/evidenceStdioServer.cli.ts

@@ -22,11 +22,30 @@ type JsonRpcResponse = {
 
 const MCP_PROTOCOL_VERSION = '2024-11-05';
 const JSON_RPC_VERSION = '2.0';
-const DEFAULT_EVIDENCE_HOST = '127.0.0.1';
-const DEFAULT_EVIDENCE_ROUTE = '/ai-evidence';
-const DEFAULT_EVIDENCE_PORT = 7341;
+const EVIDENCE_HOST_ENV = 'PUMUKI_EVIDENCE_HOST';
+const EVIDENCE_ROUTE_ENV = 'PUMUKI_EVIDENCE_ROUTE';
+const EVIDENCE_PORT_ENV = 'PUMUKI_EVIDENCE_PORT';
 const PORT_PROBE_TIMEOUT_MS = 600;
+const EPHEMERAL_LISTENER_PORT = 0;
+const EMPTY_TEXT_LENGTH = 0;
+const DECIMAL_RADIX = 10;
+const PROCESS_FAILURE_EXIT_CODE = 1;
+const LINE_BREAK_WIDTH = 1;
+const TOOL_IMPLEMENTATION_VERSION = '1.0.0';
 const JSON_RPC_INVALID_REQUEST = -32600;
+const JSON_RPC_METHOD_NOT_FOUND = -32601;
+const JSON_RPC_INVALID_PARAMS = -32602;
+const JSON_RPC_INTERNAL_ERROR = -32603;
+const JSON_RPC_PARSE_ERROR = -32700;
+const LINE_BREAK_NOT_FOUND = -1;
+
+const readRequiredEnv = (name: string): string => {
+  const value = process.env[name];
+  if (typeof value === 'string' && value.trim().length > EMPTY_TEXT_LENGTH) {
+    return value;
+  }
+  throw new Error(`${name} is required for pumuki MCP evidence stdio bridge.`);
+};
 
 const toJsonRpcId = (value: unknown): JsonRpcId => {
   if (typeof value === 'string' || typeof value === 'number' || value === null) {
@@ -49,7 +68,7 @@ const sendResult = (id: JsonRpcId, result: unknown): void => {
 
 const sendError = (id: JsonRpcId, code: number, message: string): void => {
   sendMessage({
-    jsonrpc: '2.0',
+    jsonrpc: JSON_RPC_VERSION,
     id,
     error: {
       code,
@@ -81,9 +100,10 @@ const findAvailableListenerNumber = async (host: string): Promise<number> =>
   await new Promise((resolve, reject) => {
     const probe = createServer();
     probe.once('error', reject);
-    probe.listen(0, host, () => {
+    probe.listen(EPHEMERAL_LISTENER_PORT, host, () => {
       const address = probe.address();
-      const port = address && typeof address === 'object' ? address.port : 0;
+      const port =
+        address && typeof address === 'object' ? address.port : EPHEMERAL_LISTENER_PORT;
       probe.close(() => resolve(port));
     });
   });
@@ -91,7 +111,7 @@ const findAvailableListenerNumber = async (host: string): Promise<number> =>
 const fetchJson = async (url: string): Promise<unknown> => {
   const response = await fetch(url);
   const text = await response.text();
-  if (text.trim().length === 0) {
+  if (text.trim().length === EMPTY_TEXT_LENGTH) {
     return {};
   }
   return JSON.parse(text) as unknown;
@@ -111,14 +131,17 @@ const startOrReuseEvidenceHttp = async (): Promise<{
   port: number;
   route: string;
 }> => {
-  const host = process.env.PUMUKI_EVIDENCE_HOST ?? DEFAULT_EVIDENCE_HOST;
-  const route = process.env.PUMUKI_EVIDENCE_ROUTE ?? DEFAULT_EVIDENCE_ROUTE;
-  const parsedListener = Number.parseInt(process.env.PUMUKI_EVIDENCE_PORT ?? '', 10);
-  const preferredListener = Number.isFinite(parsedListener)
-    ? parsedListener
-    : DEFAULT_EVIDENCE_PORT;
+  const host = readRequiredEnv(EVIDENCE_HOST_ENV);
+  const route = readRequiredEnv(EVIDENCE_ROUTE_ENV);
+  const parsedListener = Number.parseInt(readRequiredEnv(EVIDENCE_PORT_ENV), DECIMAL_RADIX);
+  if (!Number.isFinite(parsedListener)) {
+    throw new Error(`${EVIDENCE_PORT_ENV} must be a valid listener number.`);
+  }
+  const preferredListener = parsedListener;
   const requestedListener =
-    preferredListener > 0 ? preferredListener : await findAvailableListenerNumber(host);
+    preferredListener > EPHEMERAL_LISTENER_PORT
+      ? preferredListener
+      : await findAvailableListenerNumber(host);
   const healthUrl = `http://${host}:${requestedListener}/health`;
 
   try {
@@ -228,7 +251,7 @@ const run = async (): Promise<void> => {
         protocolVersion: MCP_PROTOCOL_VERSION,
         serverInfo: {
           name: 'pumuki-evidence-stdio',
-          version: '1.0.0',
+          version: TOOL_IMPLEMENTATION_VERSION,
         },
         capabilities: {
           tools: {
@@ -269,7 +292,7 @@ const run = async (): Promise<void> => {
       const name = typeof params.name === 'string' ? params.name : '';
       const tool = toolsCatalog.find((entry) => entry.name === name);
       if (!tool) {
-        sendError(id, -32602, `Unknown tool: ${name}`);
+        sendError(id, JSON_RPC_INVALID_PARAMS, `Unknown tool: ${name}`);
         return;
       }
       const payload = await fetchJson(`${baseUrl}${tool.path}`);
@@ -304,7 +327,7 @@ const run = async (): Promise<void> => {
       const uri = typeof params.uri === 'string' ? params.uri : '';
       const resource = resourcesCatalog.find((entry) => entry.uri === uri);
       if (!resource) {
-        sendError(id, -32602, `Unknown resource URI: ${uri}`);
+        sendError(id, JSON_RPC_INVALID_PARAMS, `Unknown resource URI: ${uri}`);
         return;
       }
       const payload = await fetchJson(`${baseUrl}${resource.path}`);
@@ -320,31 +343,31 @@ const run = async (): Promise<void> => {
       return;
     }
 
-    sendError(id, -32601, `Method not found: ${method}`);
+    sendError(id, JSON_RPC_METHOD_NOT_FOUND, `Method not found: ${method}`);
   };
 
   const processBuffer = (): void => {
     while (true) {
       const lineEnd = textBuffer.indexOf('\n');
-      if (lineEnd === -1) {
+      if (lineEnd === LINE_BREAK_NOT_FOUND) {
         return;
       }
       const rawLine = textBuffer.slice(0, lineEnd).trim();
-      textBuffer = textBuffer.slice(lineEnd + 1);
-      if (rawLine.length === 0) {
+      textBuffer = textBuffer.slice(lineEnd + LINE_BREAK_WIDTH);
+      if (rawLine.length === EMPTY_TEXT_LENGTH) {
         continue;
       }
       let payload: JsonRpcRequest;
       try {
         payload = JSON.parse(rawLine) as JsonRpcRequest;
       } catch {
-        sendError(null, -32700, 'Parse error');
+        sendError(null, JSON_RPC_PARSE_ERROR, 'Parse error');
         continue;
       }
       void handleRequest(payload).catch((error) => {
         const id = toJsonRpcId(payload.id);
         const message = error instanceof Error ? error.message : 'Internal error';
-        sendError(id, -32603, message);
+        sendError(id, JSON_RPC_INTERNAL_ERROR, message);
       });
     }
   };
@@ -358,5 +381,5 @@ const run = async (): Promise<void> => {
 void run().catch((error) => {
   const message = error instanceof Error ? error.message : 'Unknown MCP stdio bridge error';
   process.stderr.write(`[pumuki-mcp-evidence-stdio] ${message}\n`);
-  process.exit(1);
+  process.exit(PROCESS_FAILURE_EXIT_CODE);
 });

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.166",
+  "version": "6.3.168",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {