pumuki 6.3.186 → 6.3.188

package/VERSION

@@ -1 +1 @@
-v6.3.186
+v6.3.188

package/core/facts/detectors/text/android.test.ts

@@ -12,6 +12,7 @@ import {
   hasKotlinHardcodedBackgroundDispatcherUsage,
   hasKotlinLiveDataStateExposureUsage,
   hasKotlinLifecycleScopeUsage,
+  hasKotlinSharedPreferencesUsage,
   hasKotlinWithContextUsage,
   hasKotlinManualCoroutineScopeInViewModelUsage,
   hasKotlinRunBlockingUsage,
@@ -247,6 +248,33 @@ class SyncOrdersUseCase {
   assert.equal(hasKotlinLifecycleScopeUsage(source), false);
 });
 
+test('hasKotlinSharedPreferencesUsage detecta SharedPreferences y getSharedPreferences', () => {
+  const typeSource = `
+class PreferencesStore(private val preferences: SharedPreferences) {
+  fun read() = preferences.getString("token", null)
+}
+`;
+  const callSource = `
+class PreferencesStore(private val context: Context) {
+  fun read() = context.getSharedPreferences("user", Context.MODE_PRIVATE)
+}
+`;
+  assert.equal(hasKotlinSharedPreferencesUsage(typeSource), true);
+  assert.equal(hasKotlinSharedPreferencesUsage(callSource), true);
+});
+
+test('hasKotlinSharedPreferencesUsage ignora imports, comentarios, strings y nombres parciales', () => {
+  const source = `
+import android.content.SharedPreferences
+// val preferences: SharedPreferences = legacy()
+val sample = "getSharedPreferences(\"user\")"
+class PreferencesStore {
+  fun read() = customSharedPreferencesProvider()
+}
+`;
+  assert.equal(hasKotlinSharedPreferencesUsage(source), false);
+});
+
 test('hasKotlinSupervisorScopeUsage detecta supervisorScope con parentesis y llaves', () => {
   const parenthesesSource = `
 class SyncOrdersUseCase {

package/core/facts/detectors/text/android.ts

@@ -267,6 +267,10 @@ export const hasKotlinLifecycleScopeUsage = (source: string): boolean => {
   return collectKotlinRegexLines(source, /\blifecycleScope\s*\./).length > 0;
 };
 
+export const hasKotlinSharedPreferencesUsage = (source: string): boolean => {
+  return collectKotlinRegexLines(source, /\b(?:SharedPreferences|PreferenceManager\s*\.|getSharedPreferences\s*\()/).length > 0;
+};
+
 export const hasKotlinSupervisorScopeUsage = (source: string): boolean => {
   return collectKotlinRegexLines(source, /\bsupervisorScope\s*(?:<[^>\n]+>\s*)?(?:\(|\{)/).length > 0;
 };

package/core/facts/extractHeuristicFacts.ts

@@ -91,6 +91,13 @@ const isAndroidKotlinPath = (path: string): boolean => {
   return (path.endsWith('.kt') || path.endsWith('.kts')) && path.startsWith('apps/android/');
 };
 
+const isAndroidLocalPropertiesPath = (path: string): boolean => {
+  const normalized = path.replace(/\\/g, '/').toLowerCase();
+  return normalized.startsWith('apps/android/') && normalized.endsWith('/local.properties');
+};
+
+const detectsTrackedFilePresence = (_source: string): boolean => true;
+
 const isAndroidPresentationPath = (path: string): boolean => {
   return isAndroidKotlinPath(path) && path.includes('/presentation/');
 };
@@ -645,6 +652,8 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinThreadSleepCall, ruleId: 'heuristics.android.thread-sleep.ast', code: 'HEURISTICS_ANDROID_THREAD_SLEEP_AST', message: 'AST heuristic detected Thread.sleep usage in production Kotlin code.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinGlobalScopeUsage, ruleId: 'heuristics.android.globalscope.ast', code: 'HEURISTICS_ANDROID_GLOBAL_SCOPE_AST', message: 'AST heuristic detected GlobalScope coroutine usage in production Kotlin code.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinRunBlockingUsage, ruleId: 'heuristics.android.run-blocking.ast', code: 'HEURISTICS_ANDROID_RUN_BLOCKING_AST', message: 'AST heuristic detected runBlocking usage in production Kotlin code.' },
+  { platform: 'android', pathCheck: isAndroidLocalPropertiesPath, excludePaths: [], detect: detectsTrackedFilePresence, ruleId: 'heuristics.android.security.local-properties-tracked.ast', code: 'HEURISTICS_ANDROID_SECURITY_LOCAL_PROPERTIES_TRACKED_AST', message: 'AST heuristic detected tracked Android local.properties file.' },
+  { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinSharedPreferencesUsage, ruleId: 'heuristics.android.persistence.shared-preferences-usage.ast', code: 'HEURISTICS_ANDROID_PERSISTENCE_SHARED_PREFERENCES_USAGE_AST', message: 'AST heuristic detected SharedPreferences usage in Android production Kotlin code.' },
   { platform: 'android', pathCheck: isAndroidPresentationPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinLiveDataStateExposureUsage, ruleId: 'heuristics.android.flow.livedata-state-exposure.ast', code: 'HEURISTICS_ANDROID_FLOW_LIVEDATA_STATE_EXPOSURE_AST', message: 'AST heuristic detected LiveData state exposure in Android presentation code where StateFlow or SharedFlow should be preferred.' },
   { platform: 'android', pathCheck: isAndroidPresentationPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinManualCoroutineScopeInViewModelUsage, ruleId: 'heuristics.android.coroutines.manual-scope-in-viewmodel.ast', code: 'HEURISTICS_ANDROID_COROUTINES_MANUAL_SCOPE_IN_VIEWMODEL_AST', message: 'AST heuristic detected manual CoroutineScope inside an Android ViewModel where viewModelScope should be preferred.' },
   { platform: 'android', pathCheck: isAndroidNonPresentationKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinDispatcherMainBoundaryLeakUsage, ruleId: 'heuristics.android.coroutines.dispatchers-main-boundary-leak.ast', code: 'HEURISTICS_ANDROID_COROUTINES_DISPATCHERS_MAIN_BOUNDARY_LEAK_AST', message: 'AST heuristic detected Dispatchers.Main outside Android presentation code.' },

package/core/rules/presets/heuristics/android.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { androidRules } from './android';
 
 test('androidRules define reglas heurísticas locked para plataforma android', () => {
-  assert.equal(androidRules.length, 16);
+  assert.equal(androidRules.length, 18);
 
   const ids = androidRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -11,6 +11,8 @@ test('androidRules define reglas heurísticas locked para plataforma android', (
     'heuristics.android.globalscope.ast',
     'heuristics.android.run-blocking.ast',
     'heuristics.android.flow.livedata-state-exposure.ast',
+    'heuristics.android.security.local-properties-tracked.ast',
+    'heuristics.android.persistence.shared-preferences-usage.ast',
     'heuristics.android.coroutines.manual-scope-in-viewmodel.ast',
     'heuristics.android.coroutines.dispatchers-main-boundary-leak.ast',
     'heuristics.android.coroutines.hardcoded-background-dispatcher.ast',
@@ -52,6 +54,14 @@ test('androidRules define reglas heurísticas locked para plataforma android', (
     byId.get('heuristics.android.flow.livedata-state-exposure.ast')?.then.code,
     'HEURISTICS_ANDROID_FLOW_LIVEDATA_STATE_EXPOSURE_AST'
   );
+  assert.equal(
+    byId.get('heuristics.android.security.local-properties-tracked.ast')?.then.code,
+    'HEURISTICS_ANDROID_SECURITY_LOCAL_PROPERTIES_TRACKED_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.android.persistence.shared-preferences-usage.ast')?.then.code,
+    'HEURISTICS_ANDROID_PERSISTENCE_SHARED_PREFERENCES_USAGE_AST'
+  );
   assert.equal(
     byId.get('heuristics.android.coroutines.manual-scope-in-viewmodel.ast')?.then.code,
     'HEURISTICS_ANDROID_COROUTINES_MANUAL_SCOPE_IN_VIEWMODEL_AST'

package/core/rules/presets/heuristics/android.ts

@@ -75,6 +75,46 @@ export const androidRules: RuleSet = [
       code: 'HEURISTICS_ANDROID_FLOW_LIVEDATA_STATE_EXPOSURE_AST',
     },
   },
+  {
+    id: 'heuristics.android.security.local-properties-tracked.ast',
+    description:
+      'Detects tracked Android local.properties files that may expose machine-local SDK paths or secrets.',
+    severity: 'WARN',
+    platform: 'android',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.android.security.local-properties-tracked.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected tracked Android local.properties file.',
+      code: 'HEURISTICS_ANDROID_SECURITY_LOCAL_PROPERTIES_TRACKED_AST',
+    },
+  },
+  {
+    id: 'heuristics.android.persistence.shared-preferences-usage.ast',
+    description:
+      'Detects SharedPreferences usage in Android production Kotlin code where DataStore may be preferred.',
+    severity: 'WARN',
+    platform: 'android',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.android.persistence.shared-preferences-usage.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected SharedPreferences usage in Android production Kotlin code.',
+      code: 'HEURISTICS_ANDROID_PERSISTENCE_SHARED_PREFERENCES_USAGE_AST',
+    },
+  },
   {
     id: 'heuristics.android.coroutines.manual-scope-in-viewmodel.ast',
     description:

package/docs/codex-skills/android-enterprise-rules.md

@@ -133,6 +133,14 @@ app/
 ✅ El baseline inicial de coroutines es parcial: cubre APIs bloqueantes, scopes no estructurados, scopes manuales en `ViewModel`, filtraciones de `Dispatchers.Main`, hardcode de dispatchers de background en dominio/aplicación, `withContext`, fuga de `lifecycleScope`, `supervisorScope` y `try/catch` en coroutines, pero no declara todavía cobertura completa de `Flow`, dispatchers ni cancelación cooperativa.
 ✅ Si se amplía esta cobertura, cada nueva regla debe aterrizar como detector AST/textual semántico con test dirigido antes de declararse cubierta en el registry.
 
+### Enforcement AST inicial de seguridad Android
+✅ `skills.android.guideline.android.local-properties-api-keys-no-subir-a-git` debe mapear a señal ejecutable de `local.properties` versionado bajo `apps/android/`.
+✅ Este baseline no imprime ni analiza valores secretos; solo reporta la presencia del archivo versionado y exige retirarlo del control de versiones.
+
+### Enforcement AST inicial de persistencia Android
+✅ `skills.android.guideline.android.datastore-androidx-datastore-datastore-preferences-reemplazo-de-shared` debe mapear a señal ejecutable de uso legacy de `SharedPreferences` en Kotlin Android production.
+✅ Este baseline no prohíbe `EncryptedSharedPreferences` todavía ni declara cobertura completa de migración a DataStore; solo detecta el uso legacy explícito de `SharedPreferences` / `getSharedPreferences(...)`.
+
 ### Enforcement AST inicial de Flow/StateFlow Android
 ✅ Las reglas de `StateFlow` / `StateFlow-SharedFlow` deben mapear a señales ejecutables de estado observable legacy, empezando por exposición de `LiveData` / `MutableLiveData` en presentation.
 ✅ Este baseline no obliga a que todo ViewModel use Flow; solo detecta una alternativa legacy concreta cuando aparece en código de presentación Android.

package/integrations/config/skillsDetectorRegistry.ts

@@ -247,6 +247,14 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'android.coroutines.try-catch',
     ['heuristics.android.coroutines.try-catch.ast']
   ),
+  'skills.android.guideline.android.local-properties-api-keys-no-subir-a-git': heuristicDetector(
+    'android.security.local-properties',
+    ['heuristics.android.security.local-properties-tracked.ast']
+  ),
+  'skills.android.guideline.android.datastore-androidx-datastore-datastore-preferences-reemplazo-de-shared': heuristicDetector(
+    'android.persistence.shared-preferences',
+    ['heuristics.android.persistence.shared-preferences-usage.ast']
+  ),
   'skills.android.guideline.android.stateflow-estado-mutable-observable': heuristicDetector(
     'android.flow.state-exposure',
     ['heuristics.android.flow.livedata-state-exposure.ast']

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.186",
+  "version": "6.3.188",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/skills.lock.json

@@ -1,7 +1,7 @@
 {
   "version": "1.0",
   "compilerVersion": "1.0.0",
-  "generatedAt": "2026-05-12T21:00:49.435Z",
+  "generatedAt": "2026-05-12T21:13:45.516Z",
   "bundles": [
     {
       "name": "android-guidelines",