pumuki 6.3.190 → 6.3.192

package/core/facts/detectors/text/ios.test.ts

@@ -12,6 +12,7 @@ import {
   hasSwiftDispatchGroupUsage,
   hasSwiftDispatchQueueUsage,
   hasSwiftDispatchSemaphoreUsage,
+  hasSwiftAdHocLoggingUsage,
   hasSwiftForEachIndicesUsage,
   hasSwiftForceCastUsage,
   hasSwiftFontWeightBoldUsage,
@@ -41,6 +42,7 @@ import {
   hasSwiftPreconcurrencyUsage,
   hasSwiftSheetIsPresentedUsage,
   hasSwiftScrollViewShowsIndicatorsUsage,
+  hasSwiftSensitiveLoggingUsage,
   hasSwiftStringFormatUsage,
   hasSwiftTabItemUsage,
   hasSwiftTaskDetachedUsage,
@@ -165,6 +167,30 @@ Task {
   assert.equal(hasSwiftTaskDetachedUsage(negative), false);
 });
 
+test('detectores de logging iOS detectan logs ad-hoc y PII en produccion', () => {
+  const adHoc = `
+print(user.id)
+debugPrint(response)
+dump(model)
+NSLog("legacy")
+os_log("legacy")
+`;
+  const structuredSafe = `
+logger.info("Screen loaded")
+let text = "print(accessToken)"
+// print(accessToken)
+`;
+  const sensitive = `
+print(accessToken)
+logger.error("Refresh failed \\(refreshToken)")
+`;
+
+  assert.equal(hasSwiftAdHocLoggingUsage(adHoc), true);
+  assert.equal(hasSwiftAdHocLoggingUsage(structuredSafe), false);
+  assert.equal(hasSwiftSensitiveLoggingUsage(sensitive), true);
+  assert.equal(hasSwiftSensitiveLoggingUsage(structuredSafe), false);
+});
+
 test('hasSwiftUncheckedSendableUsage detecta @unchecked Sendable', () => {
   const source = `
 final class LegacyBox: @unchecked Sendable {}

package/core/facts/detectors/text/ios.ts

@@ -437,6 +437,33 @@ export const hasSwiftTaskDetachedUsage = (source: string): boolean => {
   });
 };
 
+export const hasSwiftAdHocLoggingUsage = (source: string): boolean => {
+  return collectSwiftRegexLines(
+    source,
+    /\b(?:print|debugPrint|dump|NSLog|os_log)\s*\(/
+  ).length > 0;
+};
+
+export const hasSwiftSensitiveLoggingUsage = (source: string): boolean => {
+  return source.split(/\r?\n/).some((line) => {
+    const sanitized = stripSwiftLineForSemanticScan(line);
+    const lineWithoutComments = line.replace(/\/\/.*$/, '');
+    const hasLoggingCall =
+      /\b(?:print|debugPrint|dump|NSLog|os_log)\s*\(/.test(sanitized) ||
+      /\b(?:logger|log)\s*\.\s*(?:debug|info|notice|warning|error|critical|log)\s*\(/i.test(
+        sanitized
+      );
+
+    if (!hasLoggingCall) {
+      return false;
+    }
+
+    return /\b(?:accessToken|refreshToken|authToken|token|password|secret|credential|authorization|email|userId)\b/i.test(
+      lineWithoutComments
+    );
+  });
+};
+
 export const hasSwiftUncheckedSendableUsage = (source: string): boolean => {
   return scanCodeLikeSource(source, ({ source: swiftSource, index, current }) => {
     if (current !== '@' || !swiftSource.startsWith('@unchecked', index)) {

package/core/facts/extractHeuristicFacts.ts

@@ -618,6 +618,8 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftDispatchSemaphoreUsage, ruleId: 'heuristics.ios.dispatchsemaphore.ast', code: 'HEURISTICS_IOS_DISPATCHSEMAPHORE_AST', message: 'AST heuristic detected DispatchSemaphore usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftOperationQueueUsage, ruleId: 'heuristics.ios.operation-queue.ast', code: 'HEURISTICS_IOS_OPERATION_QUEUE_AST', message: 'AST heuristic detected OperationQueue usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftTaskDetachedUsage, ruleId: 'heuristics.ios.task-detached.ast', code: 'HEURISTICS_IOS_TASK_DETACHED_AST', message: 'AST heuristic detected Task.detached usage.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAdHocLoggingUsage, ruleId: 'heuristics.ios.logging.adhoc-print.ast', code: 'HEURISTICS_IOS_LOGGING_ADHOC_PRINT_AST', message: 'AST heuristic detected print/debugPrint/dump/NSLog/os_log usage in iOS production code.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSensitiveLoggingUsage, ruleId: 'heuristics.ios.logging.sensitive-data.ast', code: 'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST', message: 'AST heuristic detected sensitive data in an iOS logging call.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftUncheckedSendableUsage, ruleId: 'heuristics.ios.unchecked-sendable.ast', code: 'HEURISTICS_IOS_UNCHECKED_SENDABLE_AST', message: 'AST heuristic detected @unchecked Sendable usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftPreconcurrencyUsage, ruleId: 'heuristics.ios.preconcurrency.ast', code: 'HEURISTICS_IOS_PRECONCURRENCY_AST', message: 'AST heuristic detected @preconcurrency usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftNonisolatedUnsafeUsage, ruleId: 'heuristics.ios.nonisolated-unsafe.ast', code: 'HEURISTICS_IOS_NONISOLATED_UNSAFE_AST', message: 'AST heuristic detected nonisolated(unsafe) usage.' },

package/core/rules/presets/heuristics/ios.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { iosRules } from './ios';
 
 test('iosRules define reglas heurísticas locked para plataforma ios', () => {
-  assert.equal(iosRules.length, 43);
+  assert.equal(iosRules.length, 45);
 
   const ids = iosRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -17,6 +17,8 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     'heuristics.ios.dispatchsemaphore.ast',
     'heuristics.ios.operation-queue.ast',
     'heuristics.ios.task-detached.ast',
+    'heuristics.ios.logging.adhoc-print.ast',
+    'heuristics.ios.logging.sensitive-data.ast',
     'heuristics.ios.unchecked-sendable.ast',
     'heuristics.ios.preconcurrency.ast',
     'heuristics.ios.nonisolated-unsafe.ast',
@@ -61,6 +63,14 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     byId.get('heuristics.ios.task-detached.ast')?.then.code,
     'HEURISTICS_IOS_TASK_DETACHED_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ios.logging.adhoc-print.ast')?.then.code,
+    'HEURISTICS_IOS_LOGGING_ADHOC_PRINT_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ios.logging.sensitive-data.ast')?.then.code,
+    'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST'
+  );
   assert.equal(
     byId.get('heuristics.ios.preconcurrency.ast')?.then.code,
     'HEURISTICS_IOS_PRECONCURRENCY_AST'

package/core/rules/presets/heuristics/ios.ts

@@ -181,6 +181,42 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_TASK_DETACHED_AST',
     },
   },
+  {
+    id: 'heuristics.ios.logging.adhoc-print.ast',
+    description: 'Detects print/debugPrint/dump/NSLog/os_log usage in iOS production code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.logging.adhoc-print.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected print/debugPrint/dump/NSLog/os_log usage in iOS production code.',
+      code: 'HEURISTICS_IOS_LOGGING_ADHOC_PRINT_AST',
+    },
+  },
+  {
+    id: 'heuristics.ios.logging.sensitive-data.ast',
+    description: 'Detects sensitive data in iOS logging calls.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.logging.sensitive-data.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected sensitive data in an iOS logging call.',
+      code: 'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST',
+    },
+  },
   {
     id: 'heuristics.ios.unchecked-sendable.ast',
     description: 'Detects @unchecked Sendable usage in iOS production code.',

package/docs/codex-skills/ios-enterprise-rules.md

@@ -223,6 +223,11 @@ apps/ios/Presentation/
 ✅ **Prohibido print()** y logs ad-hoc
 ✅ **No loggear PII** (tokens, emails, IDs sensibles)
 
+### Enforcement AST inicial de logging iOS:
+✅ `skills.ios.guideline.ios.prohibido-print-y-logs-ad-hoc` se mapea a `heuristics.ios.logging.adhoc-print.ast` para detectar `print`, `debugPrint`, `dump`, `NSLog` y `os_log` en Swift production.
+✅ `skills.ios.guideline.ios.no-loggear-pii-tokens-emails-ids-sensibles` se mapea a `heuristics.ios.logging.sensitive-data.ast` para detectar tokens, credenciales, emails e IDs sensibles en llamadas de logging.
+✅ `os.Logger` sigue siendo la API preferida; esta slice detecta el riesgo prohibido, no fuerza todavía una arquitectura completa de observabilidad.
+
 ```swift
 // ✅ Ejemplo: ViewModel con @Observable (iOS 17+)
 @Observable

package/integrations/config/skillsDetectorRegistry.ts

@@ -47,6 +47,14 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
   'skills.ios.no-task-detached': heuristicDetector('ios.task-detached', [
     'heuristics.ios.task-detached.ast',
   ]),
+  'skills.ios.guideline.ios.prohibido-print-y-logs-ad-hoc': heuristicDetector(
+    'ios.logging.adhoc-print',
+    ['heuristics.ios.logging.adhoc-print.ast']
+  ),
+  'skills.ios.guideline.ios.no-loggear-pii-tokens-emails-ids-sensibles': heuristicDetector(
+    'ios.logging.sensitive-data',
+    ['heuristics.ios.logging.sensitive-data.ast']
+  ),
   'skills.ios.no-unchecked-sendable': heuristicDetector('ios.unchecked-sendable', [
     'heuristics.ios.unchecked-sendable.ast',
   ]),

package/integrations/config/skillsRuleSet.ts

@@ -366,11 +366,15 @@ const resolveRuleSeverity = (params: {
   stage: Exclude<GateStage, 'STAGED'>;
 }): Severity => {
   const promotedRuleIds = params.bundlePolicy?.promoteToErrorRuleIds ?? [];
-  const shouldPromoteBySolidContract =
+  const shouldPromote = promotedRuleIds.includes(params.rule.id);
+
+  if (
     params.rule.id.endsWith('.no-solid-violations') &&
-    (params.stage === 'PRE_PUSH' || params.stage === 'CI');
-  const shouldPromote =
-    shouldPromoteBySolidContract || promotedRuleIds.includes(params.rule.id);
+    (params.stage === 'PRE_PUSH' || params.stage === 'CI') &&
+    !shouldPromote
+  ) {
+    return 'WARN';
+  }
 
   if (!shouldPromote) {
     return params.rule.severity;

package/integrations/lifecycle/audit.ts

@@ -111,6 +111,22 @@ const toLifecycleAuditFinding = (finding: SnapshotFinding): LifecycleAuditFindin
   blocking: isFindingBlocking(finding),
 });
 
+const toGateAllowedAuditAdvisoryFinding = (
+  finding: LifecycleAuditFinding
+): LifecycleAuditFinding => {
+  if (!finding.blocking) {
+    return finding;
+  }
+  return {
+    ...finding,
+    severity: 'WARN',
+    blocking: false,
+    message:
+      `${finding.message} ` +
+      '(Advisory: current audit gate exited 0, so this finding is not blocking for this run.)',
+  };
+};
+
 const buildBlockedWithoutFindingsFallback = (params: {
   stage: LifecycleAuditStage;
   gateExitCode: number;
@@ -282,10 +298,15 @@ export const runLifecycleAudit = async (params: {
     scope,
     findings,
   });
+  const gateAllowed = originalGateExitCode === 0;
   const effectiveFindings = scopedGlobalEnforcementOnly
     ? findings.map(toScopedAuditAdvisoryFinding)
-    : findings;
+    : gateAllowed
+      ? findings.map(toGateAllowedAuditAdvisoryFinding)
+      : findings;
   const gateExitCode = scopedGlobalEnforcementOnly ? 0 : originalGateExitCode;
+  const effectiveSnapshotOutcome =
+    gateExitCode === 0 && snapshotOutcome === 'BLOCK' ? 'PASS' : snapshotOutcome;
 
   return {
     command: 'pumuki audit',
@@ -299,7 +320,7 @@ export const runLifecycleAudit = async (params: {
     gate_exit_code: gateExitCode,
     files_scanned: filesScanned,
     untracked_matching_extensions_count: untrackedMatchingExtensionsCount,
-    snapshot_outcome: snapshotOutcome,
+    snapshot_outcome: effectiveSnapshotOutcome,
     findings_count: effectiveFindings.length,
     blocking_findings_count: effectiveFindings.filter((finding) => finding.blocking).length,
     rules_coverage: evidence?.snapshot.rules_coverage ?? null,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.190",
+  "version": "6.3.192",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {