pumuki 6.3.189 → 6.3.191

package/VERSION

@@ -1 +1 @@
-v6.3.189
+v6.3.190

package/core/facts/detectors/text/android.test.ts

@@ -13,6 +13,7 @@ import {
   hasKotlinJUnit4Usage,
   hasKotlinLiveDataStateExposureUsage,
   hasKotlinLifecycleScopeUsage,
+  hasKotlinProductionMockUsage,
   hasKotlinSharedPreferencesUsage,
   hasKotlinWithContextUsage,
   hasKotlinManualCoroutineScopeInViewModelUsage,
@@ -315,6 +316,42 @@ class OrdersViewModelTest {
   assert.equal(hasKotlinJUnit4Usage(source), false);
 });
 
+test('hasKotlinProductionMockUsage detecta mocks y spies en Kotlin Android production', () => {
+  const mockkSource = `
+class OrdersRepositoryFactory {
+  fun create(): OrdersRepository = mockk(relaxed = true)
+}
+`;
+  const mockitoSource = `
+class OrdersRepositoryFactory {
+  private val api = Mockito.mock(OrdersApi::class.java)
+}
+`;
+  const annotationSource = `
+class OrdersRepositoryFactory {
+  @Spy
+  lateinit var repository: OrdersRepository
+}
+`;
+
+  assert.equal(hasKotlinProductionMockUsage(mockkSource), true);
+  assert.equal(hasKotlinProductionMockUsage(mockitoSource), true);
+  assert.equal(hasKotlinProductionMockUsage(annotationSource), true);
+});
+
+test('hasKotlinProductionMockUsage ignora imports, comentarios, strings y nombres parciales', () => {
+  const source = `
+import io.mockk.mockk
+import org.mockito.Mockito
+// val api = mockk<OrdersApi>()
+val sample = "Mockito.mock(OrdersApi::class.java)"
+class OrdersRepositoryFactory {
+  fun create() = mockkitoFactory()
+}
+`;
+  assert.equal(hasKotlinProductionMockUsage(source), false);
+});
+
 test('hasKotlinSupervisorScopeUsage detecta supervisorScope con parentesis y llaves', () => {
   const parenthesesSource = `
 class SyncOrdersUseCase {

package/core/facts/detectors/text/android.ts

@@ -282,6 +282,13 @@ export const hasKotlinJUnit4Usage = (source: string): boolean => {
   });
 };
 
+export const hasKotlinProductionMockUsage = (source: string): boolean => {
+  return collectKotlinRegexLines(
+    source,
+    /(?:\b(?:mockk|spyk|mockkObject|mockkStatic|mockkConstructor|mockito|mockitoSession|mockitoRule)\s*(?:<[^>\n]+>\s*)?\(|\bMockito\s*\.\s*(?:mock|spy)\s*\(|@(?:Mock|Spy|MockK|RelaxedMockK)\b)/
+  ).length > 0;
+};
+
 export const hasKotlinSupervisorScopeUsage = (source: string): boolean => {
   return collectKotlinRegexLines(source, /\bsupervisorScope\s*(?:<[^>\n]+>\s*)?(?:\(|\{)/).length > 0;
 };

package/core/facts/detectors/text/ios.test.ts

@@ -12,6 +12,7 @@ import {
   hasSwiftDispatchGroupUsage,
   hasSwiftDispatchQueueUsage,
   hasSwiftDispatchSemaphoreUsage,
+  hasSwiftAdHocLoggingUsage,
   hasSwiftForEachIndicesUsage,
   hasSwiftForceCastUsage,
   hasSwiftFontWeightBoldUsage,
@@ -41,6 +42,7 @@ import {
   hasSwiftPreconcurrencyUsage,
   hasSwiftSheetIsPresentedUsage,
   hasSwiftScrollViewShowsIndicatorsUsage,
+  hasSwiftSensitiveLoggingUsage,
   hasSwiftStringFormatUsage,
   hasSwiftTabItemUsage,
   hasSwiftTaskDetachedUsage,
@@ -165,6 +167,30 @@ Task {
   assert.equal(hasSwiftTaskDetachedUsage(negative), false);
 });
 
+test('detectores de logging iOS detectan logs ad-hoc y PII en produccion', () => {
+  const adHoc = `
+print(user.id)
+debugPrint(response)
+dump(model)
+NSLog("legacy")
+os_log("legacy")
+`;
+  const structuredSafe = `
+logger.info("Screen loaded")
+let text = "print(accessToken)"
+// print(accessToken)
+`;
+  const sensitive = `
+print(accessToken)
+logger.error("Refresh failed \\(refreshToken)")
+`;
+
+  assert.equal(hasSwiftAdHocLoggingUsage(adHoc), true);
+  assert.equal(hasSwiftAdHocLoggingUsage(structuredSafe), false);
+  assert.equal(hasSwiftSensitiveLoggingUsage(sensitive), true);
+  assert.equal(hasSwiftSensitiveLoggingUsage(structuredSafe), false);
+});
+
 test('hasSwiftUncheckedSendableUsage detecta @unchecked Sendable', () => {
   const source = `
 final class LegacyBox: @unchecked Sendable {}

package/core/facts/detectors/text/ios.ts

@@ -437,6 +437,33 @@ export const hasSwiftTaskDetachedUsage = (source: string): boolean => {
   });
 };
 
+export const hasSwiftAdHocLoggingUsage = (source: string): boolean => {
+  return collectSwiftRegexLines(
+    source,
+    /\b(?:print|debugPrint|dump|NSLog|os_log)\s*\(/
+  ).length > 0;
+};
+
+export const hasSwiftSensitiveLoggingUsage = (source: string): boolean => {
+  return source.split(/\r?\n/).some((line) => {
+    const sanitized = stripSwiftLineForSemanticScan(line);
+    const lineWithoutComments = line.replace(/\/\/.*$/, '');
+    const hasLoggingCall =
+      /\b(?:print|debugPrint|dump|NSLog|os_log)\s*\(/.test(sanitized) ||
+      /\b(?:logger|log)\s*\.\s*(?:debug|info|notice|warning|error|critical|log)\s*\(/i.test(
+        sanitized
+      );
+
+    if (!hasLoggingCall) {
+      return false;
+    }
+
+    return /\b(?:accessToken|refreshToken|authToken|token|password|secret|credential|authorization|email|userId)\b/i.test(
+      lineWithoutComments
+    );
+  });
+};
+
 export const hasSwiftUncheckedSendableUsage = (source: string): boolean => {
   return scanCodeLikeSource(source, ({ source: swiftSource, index, current }) => {
     if (current !== '@' || !swiftSource.startsWith('@unchecked', index)) {

package/core/facts/extractHeuristicFacts.ts

@@ -618,6 +618,8 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftDispatchSemaphoreUsage, ruleId: 'heuristics.ios.dispatchsemaphore.ast', code: 'HEURISTICS_IOS_DISPATCHSEMAPHORE_AST', message: 'AST heuristic detected DispatchSemaphore usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftOperationQueueUsage, ruleId: 'heuristics.ios.operation-queue.ast', code: 'HEURISTICS_IOS_OPERATION_QUEUE_AST', message: 'AST heuristic detected OperationQueue usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftTaskDetachedUsage, ruleId: 'heuristics.ios.task-detached.ast', code: 'HEURISTICS_IOS_TASK_DETACHED_AST', message: 'AST heuristic detected Task.detached usage.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAdHocLoggingUsage, ruleId: 'heuristics.ios.logging.adhoc-print.ast', code: 'HEURISTICS_IOS_LOGGING_ADHOC_PRINT_AST', message: 'AST heuristic detected print/debugPrint/dump/NSLog/os_log usage in iOS production code.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSensitiveLoggingUsage, ruleId: 'heuristics.ios.logging.sensitive-data.ast', code: 'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST', message: 'AST heuristic detected sensitive data in an iOS logging call.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftUncheckedSendableUsage, ruleId: 'heuristics.ios.unchecked-sendable.ast', code: 'HEURISTICS_IOS_UNCHECKED_SENDABLE_AST', message: 'AST heuristic detected @unchecked Sendable usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftPreconcurrencyUsage, ruleId: 'heuristics.ios.preconcurrency.ast', code: 'HEURISTICS_IOS_PRECONCURRENCY_AST', message: 'AST heuristic detected @preconcurrency usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftNonisolatedUnsafeUsage, ruleId: 'heuristics.ios.nonisolated-unsafe.ast', code: 'HEURISTICS_IOS_NONISOLATED_UNSAFE_AST', message: 'AST heuristic detected nonisolated(unsafe) usage.' },
@@ -658,6 +660,7 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinRunBlockingUsage, ruleId: 'heuristics.android.run-blocking.ast', code: 'HEURISTICS_ANDROID_RUN_BLOCKING_AST', message: 'AST heuristic detected runBlocking usage in production Kotlin code.' },
   { platform: 'android', pathCheck: isAndroidLocalPropertiesPath, excludePaths: [], detect: detectsTrackedFilePresence, ruleId: 'heuristics.android.security.local-properties-tracked.ast', code: 'HEURISTICS_ANDROID_SECURITY_LOCAL_PROPERTIES_TRACKED_AST', message: 'AST heuristic detected tracked Android local.properties file.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinSharedPreferencesUsage, ruleId: 'heuristics.android.persistence.shared-preferences-usage.ast', code: 'HEURISTICS_ANDROID_PERSISTENCE_SHARED_PREFERENCES_USAGE_AST', message: 'AST heuristic detected SharedPreferences usage in Android production Kotlin code.' },
+  { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinProductionMockUsage, ruleId: 'heuristics.android.testing.production-mock-usage.ast', code: 'HEURISTICS_ANDROID_TESTING_PRODUCTION_MOCK_USAGE_AST', message: 'AST heuristic detected mock or spy usage in Android production Kotlin code.' },
   { platform: 'android', pathCheck: isAndroidKotlinTestPath, excludePaths: [], detect: TextAndroid.hasKotlinJUnit4Usage, ruleId: 'heuristics.android.testing.junit4-usage.ast', code: 'HEURISTICS_ANDROID_TESTING_JUNIT4_USAGE_AST', message: 'AST heuristic detected JUnit4 usage in Android Kotlin tests where JUnit5 is preferred.' },
   { platform: 'android', pathCheck: isAndroidPresentationPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinLiveDataStateExposureUsage, ruleId: 'heuristics.android.flow.livedata-state-exposure.ast', code: 'HEURISTICS_ANDROID_FLOW_LIVEDATA_STATE_EXPOSURE_AST', message: 'AST heuristic detected LiveData state exposure in Android presentation code where StateFlow or SharedFlow should be preferred.' },
   { platform: 'android', pathCheck: isAndroidPresentationPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinManualCoroutineScopeInViewModelUsage, ruleId: 'heuristics.android.coroutines.manual-scope-in-viewmodel.ast', code: 'HEURISTICS_ANDROID_COROUTINES_MANUAL_SCOPE_IN_VIEWMODEL_AST', message: 'AST heuristic detected manual CoroutineScope inside an Android ViewModel where viewModelScope should be preferred.' },

package/core/rules/presets/heuristics/android.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { androidRules } from './android';
 
 test('androidRules define reglas heurísticas locked para plataforma android', () => {
-  assert.equal(androidRules.length, 19);
+  assert.equal(androidRules.length, 20);
 
   const ids = androidRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -14,6 +14,7 @@ test('androidRules define reglas heurísticas locked para plataforma android', (
     'heuristics.android.security.local-properties-tracked.ast',
     'heuristics.android.persistence.shared-preferences-usage.ast',
     'heuristics.android.testing.junit4-usage.ast',
+    'heuristics.android.testing.production-mock-usage.ast',
     'heuristics.android.coroutines.manual-scope-in-viewmodel.ast',
     'heuristics.android.coroutines.dispatchers-main-boundary-leak.ast',
     'heuristics.android.coroutines.hardcoded-background-dispatcher.ast',
@@ -67,6 +68,10 @@ test('androidRules define reglas heurísticas locked para plataforma android', (
     byId.get('heuristics.android.testing.junit4-usage.ast')?.then.code,
     'HEURISTICS_ANDROID_TESTING_JUNIT4_USAGE_AST'
   );
+  assert.equal(
+    byId.get('heuristics.android.testing.production-mock-usage.ast')?.then.code,
+    'HEURISTICS_ANDROID_TESTING_PRODUCTION_MOCK_USAGE_AST'
+  );
   assert.equal(
     byId.get('heuristics.android.coroutines.manual-scope-in-viewmodel.ast')?.then.code,
     'HEURISTICS_ANDROID_COROUTINES_MANUAL_SCOPE_IN_VIEWMODEL_AST'

package/core/rules/presets/heuristics/android.ts

@@ -135,6 +135,26 @@ export const androidRules: RuleSet = [
       code: 'HEURISTICS_ANDROID_TESTING_JUNIT4_USAGE_AST',
     },
   },
+  {
+    id: 'heuristics.android.testing.production-mock-usage.ast',
+    description:
+      'Detects mock or spy usage in Android production Kotlin code.',
+    severity: 'WARN',
+    platform: 'android',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.android.testing.production-mock-usage.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected mock or spy usage in Android production Kotlin code.',
+      code: 'HEURISTICS_ANDROID_TESTING_PRODUCTION_MOCK_USAGE_AST',
+    },
+  },
   {
     id: 'heuristics.android.coroutines.manual-scope-in-viewmodel.ast',
     description:

package/core/rules/presets/heuristics/ios.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { iosRules } from './ios';
 
 test('iosRules define reglas heurísticas locked para plataforma ios', () => {
-  assert.equal(iosRules.length, 43);
+  assert.equal(iosRules.length, 45);
 
   const ids = iosRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -17,6 +17,8 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     'heuristics.ios.dispatchsemaphore.ast',
     'heuristics.ios.operation-queue.ast',
     'heuristics.ios.task-detached.ast',
+    'heuristics.ios.logging.adhoc-print.ast',
+    'heuristics.ios.logging.sensitive-data.ast',
     'heuristics.ios.unchecked-sendable.ast',
     'heuristics.ios.preconcurrency.ast',
     'heuristics.ios.nonisolated-unsafe.ast',
@@ -61,6 +63,14 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     byId.get('heuristics.ios.task-detached.ast')?.then.code,
     'HEURISTICS_IOS_TASK_DETACHED_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ios.logging.adhoc-print.ast')?.then.code,
+    'HEURISTICS_IOS_LOGGING_ADHOC_PRINT_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ios.logging.sensitive-data.ast')?.then.code,
+    'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST'
+  );
   assert.equal(
     byId.get('heuristics.ios.preconcurrency.ast')?.then.code,
     'HEURISTICS_IOS_PRECONCURRENCY_AST'

package/core/rules/presets/heuristics/ios.ts

@@ -181,6 +181,42 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_TASK_DETACHED_AST',
     },
   },
+  {
+    id: 'heuristics.ios.logging.adhoc-print.ast',
+    description: 'Detects print/debugPrint/dump/NSLog/os_log usage in iOS production code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.logging.adhoc-print.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected print/debugPrint/dump/NSLog/os_log usage in iOS production code.',
+      code: 'HEURISTICS_IOS_LOGGING_ADHOC_PRINT_AST',
+    },
+  },
+  {
+    id: 'heuristics.ios.logging.sensitive-data.ast',
+    description: 'Detects sensitive data in iOS logging calls.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.logging.sensitive-data.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected sensitive data in an iOS logging call.',
+      code: 'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST',
+    },
+  },
   {
     id: 'heuristics.ios.unchecked-sendable.ast',
     description: 'Detects @unchecked Sendable usage in iOS production code.',

package/docs/codex-skills/android-enterprise-rules.md

@@ -150,6 +150,9 @@ app/
 ✅ `skills.android.guideline.android.junit5-framework-de-testing-preferido-sobre-junit4` debe mapear a señal ejecutable de uso JUnit4 en tests Kotlin Android.
 ✅ Este baseline detecta imports/anotaciones JUnit4 (`org.junit.Test`, `org.junit.Assert`, `@RunWith`, reglas JUnit4) bajo `apps/android/**/test/**` y `apps/android/**/androidTest/**`.
 ✅ JUnit5/Jupiter queda preservado como caso limpio; migración completa de runner, Gradle y APIs de assertions queda fuera hasta tener detectores propios.
+✅ `skills.android.guideline.android.en-produccio-n-ni-un-mocks-ni-un-spies-todo-real-de-apis-y-persistenci` debe mapear a señal ejecutable de mocks/spies en Kotlin Android production.
+✅ Este baseline detecta usos explícitos de MockK/Mockito y anotaciones `@Mock`/`@Spy` fuera de `test` y `androidTest`; los dobles en tests siguen permitidos.
+✅ La regla no prohíbe clases fake de test doubles en suites de test ni analiza wiring Gradle todavía.
 
 ### Dependency Injection (Hilt):
 ✅ **Hilt** - DI framework (NO manual factories)

package/docs/codex-skills/ios-enterprise-rules.md

@@ -223,6 +223,11 @@ apps/ios/Presentation/
 ✅ **Prohibido print()** y logs ad-hoc
 ✅ **No loggear PII** (tokens, emails, IDs sensibles)
 
+### Enforcement AST inicial de logging iOS:
+✅ `skills.ios.guideline.ios.prohibido-print-y-logs-ad-hoc` se mapea a `heuristics.ios.logging.adhoc-print.ast` para detectar `print`, `debugPrint`, `dump`, `NSLog` y `os_log` en Swift production.
+✅ `skills.ios.guideline.ios.no-loggear-pii-tokens-emails-ids-sensibles` se mapea a `heuristics.ios.logging.sensitive-data.ast` para detectar tokens, credenciales, emails e IDs sensibles en llamadas de logging.
+✅ `os.Logger` sigue siendo la API preferida; esta slice detecta el riesgo prohibido, no fuerza todavía una arquitectura completa de observabilidad.
+
 ```swift
 // ✅ Ejemplo: ViewModel con @Observable (iOS 17+)
 @Observable

package/integrations/config/skillsDetectorRegistry.ts

@@ -47,6 +47,14 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
   'skills.ios.no-task-detached': heuristicDetector('ios.task-detached', [
     'heuristics.ios.task-detached.ast',
   ]),
+  'skills.ios.guideline.ios.prohibido-print-y-logs-ad-hoc': heuristicDetector(
+    'ios.logging.adhoc-print',
+    ['heuristics.ios.logging.adhoc-print.ast']
+  ),
+  'skills.ios.guideline.ios.no-loggear-pii-tokens-emails-ids-sensibles': heuristicDetector(
+    'ios.logging.sensitive-data',
+    ['heuristics.ios.logging.sensitive-data.ast']
+  ),
   'skills.ios.no-unchecked-sendable': heuristicDetector('ios.unchecked-sendable', [
     'heuristics.ios.unchecked-sendable.ast',
   ]),
@@ -259,6 +267,10 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'android.testing.junit4-usage',
     ['heuristics.android.testing.junit4-usage.ast']
   ),
+  'skills.android.guideline.android.en-produccio-n-ni-un-mocks-ni-un-spies-todo-real-de-apis-y-persistenci': heuristicDetector(
+    'android.testing.production-mock-usage',
+    ['heuristics.android.testing.production-mock-usage.ast']
+  ),
   'skills.android.guideline.android.stateflow-estado-mutable-observable': heuristicDetector(
     'android.flow.state-exposure',
     ['heuristics.android.flow.livedata-state-exposure.ast']

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.189",
+  "version": "6.3.191",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/skills.lock.json

@@ -1,7 +1,7 @@
 {
   "version": "1.0",
   "compilerVersion": "1.0.0",
-  "generatedAt": "2026-05-12T21:22:02.797Z",
+  "generatedAt": "2026-05-12T21:28:07.507Z",
   "bundles": [
     {
       "name": "android-guidelines",