pumuki 6.3.179 → 6.3.181

package/VERSION

@@ -1 +1 @@
-v6.3.179
+v6.3.181

package/core/facts/detectors/text/android.test.ts

@@ -6,8 +6,10 @@ import {
   findKotlinLiskovSubstitutionMatch,
   findKotlinOpenClosedWhenMatch,
   findKotlinPresentationSrpMatch,
+  hasKotlinDispatcherMainBoundaryLeakUsage,
   hasKotlinGlobalScopeUsage,
   hasKotlinLiveDataStateExposureUsage,
+  hasKotlinManualCoroutineScopeInViewModelUsage,
   hasKotlinRunBlockingUsage,
   hasKotlinThreadSleepCall,
 } from './android';
@@ -114,6 +116,53 @@ class OrdersViewModel : ViewModel() {
   assert.equal(hasKotlinLiveDataStateExposureUsage(source), false);
 });
 
+test('hasKotlinManualCoroutineScopeInViewModelUsage detecta CoroutineScope manual dentro de ViewModel', () => {
+  const source = `
+class OrdersViewModel : ViewModel() {
+  private val scope = CoroutineScope(SupervisorJob() + Dispatchers.Main)
+}
+`;
+  assert.equal(hasKotlinManualCoroutineScopeInViewModelUsage(source), true);
+});
+
+test('hasKotlinManualCoroutineScopeInViewModelUsage ignora imports, comentarios y uso fuera de ViewModel', () => {
+  const source = `
+import kotlinx.coroutines.CoroutineScope
+// private val scope = CoroutineScope(SupervisorJob())
+val sample = "CoroutineScope(SupervisorJob())"
+class OrdersWorker {
+  private val scope = CoroutineScope(SupervisorJob())
+}
+class OrdersViewModel : ViewModel() {
+  fun load() {
+    viewModelScope.launch { }
+  }
+}
+`;
+  assert.equal(hasKotlinManualCoroutineScopeInViewModelUsage(source), false);
+});
+
+test('hasKotlinDispatcherMainBoundaryLeakUsage detecta Dispatchers.Main como dispatcher UI explícito', () => {
+  const source = `
+class SyncOrdersUseCase {
+  suspend fun execute() = withContext(Dispatchers.Main) { }
+}
+`;
+  assert.equal(hasKotlinDispatcherMainBoundaryLeakUsage(source), true);
+});
+
+test('hasKotlinDispatcherMainBoundaryLeakUsage ignora imports, comentarios y strings', () => {
+  const source = `
+import kotlinx.coroutines.Dispatchers
+// withContext(Dispatchers.Main) { }
+val sample = "Dispatchers.Main"
+class SyncOrdersUseCase {
+  suspend fun execute() = withContext(Dispatchers.IO) { }
+}
+`;
+  assert.equal(hasKotlinDispatcherMainBoundaryLeakUsage(source), false);
+});
+
 test('findKotlinPresentationSrpMatch devuelve payload semantico para SRP-Android en presentation', () => {
   const source = `
 import android.content.SharedPreferences

package/core/facts/detectors/text/android.ts

@@ -299,6 +299,42 @@ export const hasKotlinLiveDataStateExposureUsage = (source: string): boolean =>
   ).length > 0;
 };
 
+export const hasKotlinManualCoroutineScopeInViewModelUsage = (source: string): boolean => {
+  const lines = source.split(/\r?\n/);
+  let insideViewModel = false;
+  let braceDepth = 0;
+
+  for (const rawLine of lines) {
+    const sanitized = stripKotlinLineForSemanticScan(rawLine);
+    if (sanitized.trimStart().startsWith('import ')) {
+      continue;
+    }
+
+    if (!insideViewModel && /\bclass\s+\w*ViewModel\b/.test(sanitized)) {
+      insideViewModel = true;
+      braceDepth =
+        countTokenOccurrences(sanitized, '{') - countTokenOccurrences(sanitized, '}');
+    } else if (insideViewModel) {
+      braceDepth += countTokenOccurrences(sanitized, '{');
+      braceDepth -= countTokenOccurrences(sanitized, '}');
+    }
+
+    if (insideViewModel && /\bCoroutineScope\s*\(/.test(sanitized)) {
+      return true;
+    }
+
+    if (insideViewModel && braceDepth <= 0 && sanitized.includes('}')) {
+      insideViewModel = false;
+    }
+  }
+
+  return false;
+};
+
+export const hasKotlinDispatcherMainBoundaryLeakUsage = (source: string): boolean => {
+  return collectKotlinRegexLines(source, /\bDispatchers\s*\.\s*Main\b/).length > 0;
+};
+
 export const findKotlinPresentationSrpMatch = (
   source: string
 ): KotlinPresentationSrpMatch | undefined => {

package/core/facts/extractHeuristicFacts.ts

@@ -99,6 +99,10 @@ const isAndroidApplicationOrPresentationPath = (path: string): boolean => {
   return isAndroidKotlinPath(path) && (path.includes('/application/') || path.includes('/presentation/'));
 };
 
+const isAndroidNonPresentationKotlinPath = (path: string): boolean => {
+  return isAndroidKotlinPath(path) && !path.includes('/presentation/');
+};
+
 const isApprovedIOSBridgePath = (path: string): boolean => {
   const normalized = path.toLowerCase();
   return (
@@ -638,6 +642,8 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinGlobalScopeUsage, ruleId: 'heuristics.android.globalscope.ast', code: 'HEURISTICS_ANDROID_GLOBAL_SCOPE_AST', message: 'AST heuristic detected GlobalScope coroutine usage in production Kotlin code.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinRunBlockingUsage, ruleId: 'heuristics.android.run-blocking.ast', code: 'HEURISTICS_ANDROID_RUN_BLOCKING_AST', message: 'AST heuristic detected runBlocking usage in production Kotlin code.' },
   { platform: 'android', pathCheck: isAndroidPresentationPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinLiveDataStateExposureUsage, ruleId: 'heuristics.android.flow.livedata-state-exposure.ast', code: 'HEURISTICS_ANDROID_FLOW_LIVEDATA_STATE_EXPOSURE_AST', message: 'AST heuristic detected LiveData state exposure in Android presentation code where StateFlow or SharedFlow should be preferred.' },
+  { platform: 'android', pathCheck: isAndroidPresentationPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinManualCoroutineScopeInViewModelUsage, ruleId: 'heuristics.android.coroutines.manual-scope-in-viewmodel.ast', code: 'HEURISTICS_ANDROID_COROUTINES_MANUAL_SCOPE_IN_VIEWMODEL_AST', message: 'AST heuristic detected manual CoroutineScope inside an Android ViewModel where viewModelScope should be preferred.' },
+  { platform: 'android', pathCheck: isAndroidNonPresentationKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinDispatcherMainBoundaryLeakUsage, ruleId: 'heuristics.android.coroutines.dispatchers-main-boundary-leak.ast', code: 'HEURISTICS_ANDROID_COROUTINES_DISPATCHERS_MAIN_BOUNDARY_LEAK_AST', message: 'AST heuristic detected Dispatchers.Main outside Android presentation code.' },
 ];
 
 const extractWorkflowHeuristicFacts = (

package/core/rules/presets/heuristics/android.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { androidRules } from './android';
 
 test('androidRules define reglas heurísticas locked para plataforma android', () => {
-  assert.equal(androidRules.length, 9);
+  assert.equal(androidRules.length, 11);
 
   const ids = androidRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -11,6 +11,8 @@ test('androidRules define reglas heurísticas locked para plataforma android', (
     'heuristics.android.globalscope.ast',
     'heuristics.android.run-blocking.ast',
     'heuristics.android.flow.livedata-state-exposure.ast',
+    'heuristics.android.coroutines.manual-scope-in-viewmodel.ast',
+    'heuristics.android.coroutines.dispatchers-main-boundary-leak.ast',
     'heuristics.android.solid.srp.presentation-mixed-responsibilities.ast',
     'heuristics.android.solid.ocp.discriminator-branching.ast',
     'heuristics.android.solid.dip.concrete-framework-dependency.ast',
@@ -45,6 +47,14 @@ test('androidRules define reglas heurísticas locked para plataforma android', (
     byId.get('heuristics.android.flow.livedata-state-exposure.ast')?.then.code,
     'HEURISTICS_ANDROID_FLOW_LIVEDATA_STATE_EXPOSURE_AST'
   );
+  assert.equal(
+    byId.get('heuristics.android.coroutines.manual-scope-in-viewmodel.ast')?.then.code,
+    'HEURISTICS_ANDROID_COROUTINES_MANUAL_SCOPE_IN_VIEWMODEL_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.android.coroutines.dispatchers-main-boundary-leak.ast')?.then.code,
+    'HEURISTICS_ANDROID_COROUTINES_DISPATCHERS_MAIN_BOUNDARY_LEAK_AST'
+  );
   assert.equal(
     byId.get('heuristics.android.solid.srp.presentation-mixed-responsibilities.ast')?.then.code,
     'HEURISTICS_ANDROID_SOLID_SRP_PRESENTATION_MIXED_RESPONSIBILITIES_AST'

package/core/rules/presets/heuristics/android.ts

@@ -75,6 +75,46 @@ export const androidRules: RuleSet = [
       code: 'HEURISTICS_ANDROID_FLOW_LIVEDATA_STATE_EXPOSURE_AST',
     },
   },
+  {
+    id: 'heuristics.android.coroutines.manual-scope-in-viewmodel.ast',
+    description:
+      'Detects manual CoroutineScope construction inside Android ViewModel classes where viewModelScope should be preferred.',
+    severity: 'WARN',
+    platform: 'android',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.android.coroutines.manual-scope-in-viewmodel.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected manual CoroutineScope inside an Android ViewModel.',
+      code: 'HEURISTICS_ANDROID_COROUTINES_MANUAL_SCOPE_IN_VIEWMODEL_AST',
+    },
+  },
+  {
+    id: 'heuristics.android.coroutines.dispatchers-main-boundary-leak.ast',
+    description:
+      'Detects Dispatchers.Main usage outside Android presentation code.',
+    severity: 'WARN',
+    platform: 'android',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.android.coroutines.dispatchers-main-boundary-leak.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected Dispatchers.Main outside Android presentation code.',
+      code: 'HEURISTICS_ANDROID_COROUTINES_DISPATCHERS_MAIN_BOUNDARY_LEAK_AST',
+    },
+  },
   {
     id: 'heuristics.android.solid.srp.presentation-mixed-responsibilities.ast',
     description:

package/docs/codex-skills/android-enterprise-rules.md

@@ -124,7 +124,9 @@ app/
 
 ### Enforcement AST inicial de coroutines Android
 ✅ `skills.android.guideline.android.coroutines-async-await-no-callbacks` debe mapear a señales ejecutables existentes de uso inseguro de coroutines, empezando por `GlobalScope` y `runBlocking`.
-✅ El baseline inicial de coroutines es parcial: cubre APIs bloqueantes o scopes no estructurados, pero no declara todavía cobertura completa de `Flow`, `viewModelScope`, `supervisorScope`, dispatchers ni cancelación cooperativa.
+✅ `skills.android.guideline.android.viewmodelscope-scope-de-viewmodel-cancelado-automa-ticamente` debe mapear a señales ejecutables de scopes manuales dentro de `ViewModel`, empezando por `CoroutineScope(...)` construido en presentation.
+✅ `skills.android.guideline.android.dispatchers-main-ui-io-network-disk-default-cpu` debe mapear a señales ejecutables de dispatcher UI filtrado fuera de presentation, empezando por `Dispatchers.Main` en application/data.
+✅ El baseline inicial de coroutines es parcial: cubre APIs bloqueantes, scopes no estructurados, scopes manuales en `ViewModel` y filtraciones de `Dispatchers.Main`, pero no declara todavía cobertura completa de `Flow`, `supervisorScope`, dispatchers ni cancelación cooperativa.
 ✅ Si se amplía esta cobertura, cada nueva regla debe aterrizar como detector AST/textual semántico con test dirigido antes de declararse cubierta en el registry.
 
 ### Enforcement AST inicial de Flow/StateFlow Android

package/integrations/config/skillsDetectorRegistry.ts

@@ -220,6 +220,14 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
       'heuristics.android.run-blocking.ast',
     ]
   ),
+  'skills.android.guideline.android.viewmodelscope-scope-de-viewmodel-cancelado-automa-ticamente': heuristicDetector(
+    'android.coroutines.viewmodel-scope',
+    ['heuristics.android.coroutines.manual-scope-in-viewmodel.ast']
+  ),
+  'skills.android.guideline.android.dispatchers-main-ui-io-network-disk-default-cpu': heuristicDetector(
+    'android.coroutines.dispatchers',
+    ['heuristics.android.coroutines.dispatchers-main-boundary-leak.ast']
+  ),
   'skills.android.guideline.android.stateflow-estado-mutable-observable': heuristicDetector(
     'android.flow.state-exposure',
     ['heuristics.android.flow.livedata-state-exposure.ast']

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.179",
+  "version": "6.3.181",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {