pumuki 6.3.191 → 6.3.193

package/core/facts/detectors/text/ios.test.ts

@@ -13,6 +13,7 @@ import {
   hasSwiftDispatchQueueUsage,
   hasSwiftDispatchSemaphoreUsage,
   hasSwiftAdHocLoggingUsage,
+  hasSwiftAlamofireUsage,
   hasSwiftForEachIndicesUsage,
   hasSwiftForceCastUsage,
   hasSwiftFontWeightBoldUsage,
@@ -43,6 +44,7 @@ import {
   hasSwiftSheetIsPresentedUsage,
   hasSwiftScrollViewShowsIndicatorsUsage,
   hasSwiftSensitiveLoggingUsage,
+  hasSwiftJSONSerializationUsage,
   hasSwiftStringFormatUsage,
   hasSwiftTabItemUsage,
   hasSwiftTaskDetachedUsage,
@@ -191,6 +193,36 @@ logger.error("Refresh failed \\(refreshToken)")
   assert.equal(hasSwiftSensitiveLoggingUsage(structuredSafe), false);
 });
 
+test('detectores iOS de networking y JSON detectan Alamofire y JSONSerialization sin leer comentarios ni strings', () => {
+  const source = `
+import Alamofire
+
+final class APIClient {
+  func load() {
+    AF.request("https://example.com")
+    let object = try? JSONSerialization.jsonObject(with: Data())
+  }
+}
+`;
+  const ignored = `
+import Foundation
+
+final class APIClient {
+  func load() async throws {
+    let url = URL(string: "https://example.com")
+    let dto = try JSONDecoder().decode(UserDTO.self, from: Data())
+    let text = "JSONSerialization.jsonObject"
+    // AF.request("debug")
+  }
+}
+`;
+
+  assert.equal(hasSwiftAlamofireUsage(source), true);
+  assert.equal(hasSwiftJSONSerializationUsage(source), true);
+  assert.equal(hasSwiftAlamofireUsage(ignored), false);
+  assert.equal(hasSwiftJSONSerializationUsage(ignored), false);
+});
+
 test('hasSwiftUncheckedSendableUsage detecta @unchecked Sendable', () => {
   const source = `
 final class LegacyBox: @unchecked Sendable {}

package/core/facts/detectors/text/ios.ts

@@ -464,6 +464,17 @@ export const hasSwiftSensitiveLoggingUsage = (source: string): boolean => {
   });
 };
 
+export const hasSwiftAlamofireUsage = (source: string): boolean => {
+  return (
+    collectSwiftRegexLines(source, /^\s*import\s+Alamofire\b/).length > 0 ||
+    collectSwiftRegexLines(source, /\b(?:AF|Alamofire)\s*\.\s*request\b/).length > 0
+  );
+};
+
+export const hasSwiftJSONSerializationUsage = (source: string): boolean => {
+  return collectSwiftRegexLines(source, /\bJSONSerialization\s*\./).length > 0;
+};
+
 export const hasSwiftUncheckedSendableUsage = (source: string): boolean => {
   return scanCodeLikeSource(source, ({ source: swiftSource, index, current }) => {
     if (current !== '@' || !swiftSource.startsWith('@unchecked', index)) {

package/core/facts/extractHeuristicFacts.ts

@@ -620,6 +620,8 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftTaskDetachedUsage, ruleId: 'heuristics.ios.task-detached.ast', code: 'HEURISTICS_IOS_TASK_DETACHED_AST', message: 'AST heuristic detected Task.detached usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAdHocLoggingUsage, ruleId: 'heuristics.ios.logging.adhoc-print.ast', code: 'HEURISTICS_IOS_LOGGING_ADHOC_PRINT_AST', message: 'AST heuristic detected print/debugPrint/dump/NSLog/os_log usage in iOS production code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSensitiveLoggingUsage, ruleId: 'heuristics.ios.logging.sensitive-data.ast', code: 'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST', message: 'AST heuristic detected sensitive data in an iOS logging call.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAlamofireUsage, ruleId: 'heuristics.ios.networking.alamofire.ast', code: 'HEURISTICS_IOS_NETWORKING_ALAMOFIRE_AST', message: 'AST heuristic detected Alamofire usage in iOS production code; URLSession remains the preferred baseline for new code.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftJSONSerializationUsage, ruleId: 'heuristics.ios.json.jsonserialization.ast', code: 'HEURISTICS_IOS_JSON_JSONSERIALIZATION_AST', message: 'AST heuristic detected JSONSerialization usage in iOS production code; Codable remains the preferred baseline for new code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftUncheckedSendableUsage, ruleId: 'heuristics.ios.unchecked-sendable.ast', code: 'HEURISTICS_IOS_UNCHECKED_SENDABLE_AST', message: 'AST heuristic detected @unchecked Sendable usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftPreconcurrencyUsage, ruleId: 'heuristics.ios.preconcurrency.ast', code: 'HEURISTICS_IOS_PRECONCURRENCY_AST', message: 'AST heuristic detected @preconcurrency usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftNonisolatedUnsafeUsage, ruleId: 'heuristics.ios.nonisolated-unsafe.ast', code: 'HEURISTICS_IOS_NONISOLATED_UNSAFE_AST', message: 'AST heuristic detected nonisolated(unsafe) usage.' },

package/core/rules/presets/heuristics/ios.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { iosRules } from './ios';
 
 test('iosRules define reglas heurísticas locked para plataforma ios', () => {
-  assert.equal(iosRules.length, 45);
+  assert.equal(iosRules.length, 47);
 
   const ids = iosRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -19,6 +19,8 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     'heuristics.ios.task-detached.ast',
     'heuristics.ios.logging.adhoc-print.ast',
     'heuristics.ios.logging.sensitive-data.ast',
+    'heuristics.ios.networking.alamofire.ast',
+    'heuristics.ios.json.jsonserialization.ast',
     'heuristics.ios.unchecked-sendable.ast',
     'heuristics.ios.preconcurrency.ast',
     'heuristics.ios.nonisolated-unsafe.ast',
@@ -71,6 +73,14 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     byId.get('heuristics.ios.logging.sensitive-data.ast')?.then.code,
     'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ios.networking.alamofire.ast')?.then.code,
+    'HEURISTICS_IOS_NETWORKING_ALAMOFIRE_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ios.json.jsonserialization.ast')?.then.code,
+    'HEURISTICS_IOS_JSON_JSONSERIALIZATION_AST'
+  );
   assert.equal(
     byId.get('heuristics.ios.preconcurrency.ast')?.then.code,
     'HEURISTICS_IOS_PRECONCURRENCY_AST'

package/core/rules/presets/heuristics/ios.ts

@@ -217,6 +217,42 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST',
     },
   },
+  {
+    id: 'heuristics.ios.networking.alamofire.ast',
+    description: 'Detects Alamofire usage in iOS production code; URLSession is the preferred baseline for new code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.networking.alamofire.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected Alamofire usage in iOS production code; URLSession remains the preferred baseline for new code.',
+      code: 'HEURISTICS_IOS_NETWORKING_ALAMOFIRE_AST',
+    },
+  },
+  {
+    id: 'heuristics.ios.json.jsonserialization.ast',
+    description: 'Detects JSONSerialization usage in iOS production code; Codable is the preferred baseline for new code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.json.jsonserialization.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected JSONSerialization usage in iOS production code; Codable remains the preferred baseline for new code.',
+      code: 'HEURISTICS_IOS_JSON_JSONSERIALIZATION_AST',
+    },
+  },
   {
     id: 'heuristics.ios.unchecked-sendable.ast',
     description: 'Detects @unchecked Sendable usage in iOS production code.',

package/docs/codex-skills/ios-enterprise-rules.md

@@ -499,8 +499,15 @@ struct UseCaseFactory {
 ✅ **Request/Response interceptors** - Logging, auth tokens
 ✅ **SSL pinning** - Para apps con alta seguridad
 ✅ **Network reachability** - Detectar conectividad
-❌ **Alamofire** - Prohibido, usar URLSession nativo
-❌ **JSONSerialization** - Prohibido, usar Codable
+⚠️ **Alamofire** - No introducir en código nuevo; en brownfield existente se trata como señal de migración gradual. URLSession nativo es la línea base preferente.
+⚠️ **JSONSerialization** - No introducir en código nuevo; en brownfield existente se trata como señal de migración gradual. Codable es la línea base preferente.
+
+### Enforcement AST inicial de networking y JSON iOS
+
+- `skills.ios.guideline.ios.alamofire-prohibido-usar-urlsession-nativo` se mapea a `heuristics.ios.networking.alamofire.ast`.
+- `skills.ios.guideline.ios.codable-decodificacio-n-automa-tica-de-json-nunca-jsonserialization` se mapea a `heuristics.ios.json.jsonserialization.ast`.
+- `skills.ios.guideline.ios.codable-para-serializacio-n-json-nunca-jsonserialization` se mapea a `heuristics.ios.json.jsonserialization.ast`.
+- En `PROJECT MODE: brownfield`, estos hallazgos son señal de baseline/adopción y deben evitar drift nuevo sin bloquear deuda histórica salvo promoción explícita de policy.
 
 ```swift
 // ✅ Ejemplo: APIClient con URLSession y async/await

package/integrations/config/skillsDetectorRegistry.ts

@@ -55,6 +55,18 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'ios.logging.sensitive-data',
     ['heuristics.ios.logging.sensitive-data.ast']
   ),
+  'skills.ios.guideline.ios.alamofire-prohibido-usar-urlsession-nativo': heuristicDetector(
+    'ios.networking.alamofire',
+    ['heuristics.ios.networking.alamofire.ast']
+  ),
+  'skills.ios.guideline.ios.codable-decodificacio-n-automa-tica-de-json-nunca-jsonserialization': heuristicDetector(
+    'ios.json.jsonserialization',
+    ['heuristics.ios.json.jsonserialization.ast']
+  ),
+  'skills.ios.guideline.ios.codable-para-serializacio-n-json-nunca-jsonserialization': heuristicDetector(
+    'ios.json.jsonserialization',
+    ['heuristics.ios.json.jsonserialization.ast']
+  ),
   'skills.ios.no-unchecked-sendable': heuristicDetector('ios.unchecked-sendable', [
     'heuristics.ios.unchecked-sendable.ast',
   ]),

package/integrations/config/skillsRuleSet.ts

@@ -366,11 +366,15 @@ const resolveRuleSeverity = (params: {
   stage: Exclude<GateStage, 'STAGED'>;
 }): Severity => {
   const promotedRuleIds = params.bundlePolicy?.promoteToErrorRuleIds ?? [];
-  const shouldPromoteBySolidContract =
+  const shouldPromote = promotedRuleIds.includes(params.rule.id);
+
+  if (
     params.rule.id.endsWith('.no-solid-violations') &&
-    (params.stage === 'PRE_PUSH' || params.stage === 'CI');
-  const shouldPromote =
-    shouldPromoteBySolidContract || promotedRuleIds.includes(params.rule.id);
+    (params.stage === 'PRE_PUSH' || params.stage === 'CI') &&
+    !shouldPromote
+  ) {
+    return 'WARN';
+  }
 
   if (!shouldPromote) {
     return params.rule.severity;

package/integrations/lifecycle/audit.ts

@@ -111,6 +111,22 @@ const toLifecycleAuditFinding = (finding: SnapshotFinding): LifecycleAuditFindin
   blocking: isFindingBlocking(finding),
 });
 
+const toGateAllowedAuditAdvisoryFinding = (
+  finding: LifecycleAuditFinding
+): LifecycleAuditFinding => {
+  if (!finding.blocking) {
+    return finding;
+  }
+  return {
+    ...finding,
+    severity: 'WARN',
+    blocking: false,
+    message:
+      `${finding.message} ` +
+      '(Advisory: current audit gate exited 0, so this finding is not blocking for this run.)',
+  };
+};
+
 const buildBlockedWithoutFindingsFallback = (params: {
   stage: LifecycleAuditStage;
   gateExitCode: number;
@@ -282,10 +298,15 @@ export const runLifecycleAudit = async (params: {
     scope,
     findings,
   });
+  const gateAllowed = originalGateExitCode === 0;
   const effectiveFindings = scopedGlobalEnforcementOnly
     ? findings.map(toScopedAuditAdvisoryFinding)
-    : findings;
+    : gateAllowed
+      ? findings.map(toGateAllowedAuditAdvisoryFinding)
+      : findings;
   const gateExitCode = scopedGlobalEnforcementOnly ? 0 : originalGateExitCode;
+  const effectiveSnapshotOutcome =
+    gateExitCode === 0 && snapshotOutcome === 'BLOCK' ? 'PASS' : snapshotOutcome;
 
   return {
     command: 'pumuki audit',
@@ -299,7 +320,7 @@ export const runLifecycleAudit = async (params: {
     gate_exit_code: gateExitCode,
     files_scanned: filesScanned,
     untracked_matching_extensions_count: untrackedMatchingExtensionsCount,
-    snapshot_outcome: snapshotOutcome,
+    snapshot_outcome: effectiveSnapshotOutcome,
     findings_count: effectiveFindings.length,
     blocking_findings_count: effectiveFindings.filter((finding) => finding.blocking).length,
     rules_coverage: evidence?.snapshot.rules_coverage ?? null,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.191",
+  "version": "6.3.193",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {