npm - pumuki - Versions diffs - 6.3.193 → 6.3.195 - Mend

pumuki 6.3.193 → 6.3.195

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/core/facts/detectors/text/ios.test.ts +17 -0
package/core/facts/detectors/text/ios.ts +17 -0
package/core/facts/extractHeuristicFacts.ts +19 -0
package/core/rules/presets/heuristics/ios.test.ts +16 -1
package/core/rules/presets/heuristics/ios.ts +54 -0
package/docs/codex-skills/ios-enterprise-rules.md +13 -0
package/integrations/config/skillsDetectorRegistry.ts +20 -0
package/package.json +1 -1

package/core/facts/detectors/text/ios.test.ts CHANGED Viewed

@@ -44,6 +44,7 @@ import {
   hasSwiftSheetIsPresentedUsage,
   hasSwiftScrollViewShowsIndicatorsUsage,
   hasSwiftSensitiveLoggingUsage,
+  hasSwiftSensitiveUserDefaultsStorageUsage,
   hasSwiftJSONSerializationUsage,
   hasSwiftStringFormatUsage,
   hasSwiftTabItemUsage,
@@ -223,6 +224,22 @@ final class APIClient {
   assert.equal(hasSwiftJSONSerializationUsage(ignored), false);
 });
+test('detector iOS de seguridad detecta secretos en UserDefaults y AppStorage', () => {
+  const source = `
+UserDefaults.standard.set(accessToken, forKey: "accessToken")
+@AppStorage("refreshToken") private var refreshToken = ""
+`;
+  const ignored = `
+UserDefaults.standard.set(theme, forKey: "selectedTheme")
+@AppStorage("preferredTab") private var preferredTab = "home"
+let text = "UserDefaults.standard.set(accessToken, forKey: \\"accessToken\\")"
+// UserDefaults.standard.set(accessToken, forKey: "accessToken")
+`;
+  assert.equal(hasSwiftSensitiveUserDefaultsStorageUsage(source), true);
+  assert.equal(hasSwiftSensitiveUserDefaultsStorageUsage(ignored), false);
+});
 test('hasSwiftUncheckedSendableUsage detecta @unchecked Sendable', () => {
   const source = `
 final class LegacyBox: @unchecked Sendable {}

package/core/facts/detectors/text/ios.ts CHANGED Viewed

@@ -475,6 +475,23 @@ export const hasSwiftJSONSerializationUsage = (source: string): boolean => {
   return collectSwiftRegexLines(source, /\bJSONSerialization\s*\./).length > 0;
 };
+export const hasSwiftSensitiveUserDefaultsStorageUsage = (source: string): boolean => {
+  return source.split(/\r?\n/).some((line) => {
+    const sanitized = stripSwiftLineForSemanticScan(line);
+    const lineWithoutComments = line.replace(/\/\/.*$/, '');
+    const hasUserDefaultsWrite = /\bUserDefaults\s*\.\s*standard\s*\.\s*set\s*\(/.test(sanitized);
+    const hasAppStorage = /@\s*AppStorage\s*\(/.test(sanitized);
+    if (!hasUserDefaultsWrite && !hasAppStorage) {
+      return false;
+    }
+    return /\b(?:accessToken|refreshToken|authToken|token|password|secret|credential|authorization|bearer|apiKey|sessionId)\b/i.test(
+      lineWithoutComments
+    );
+  });
+};
 export const hasSwiftUncheckedSendableUsage = (source: string): boolean => {
   return scanCodeLikeSource(source, ({ source: swiftSource, index, current }) => {
     if (current !== '@' || !swiftSource.startsWith('@unchecked', index)) {

package/core/facts/extractHeuristicFacts.ts CHANGED Viewed

@@ -76,6 +76,22 @@ const isIOSSwiftPath = (path: string): boolean => {
   return path.endsWith('.swift') && path.startsWith('apps/ios/');
 };
+const isIOSPodfilePath = (path: string): boolean => {
+  const normalized = path.replace(/\\/g, '/');
+  return (
+    normalized.startsWith('apps/ios/') &&
+    (normalized.endsWith('/Podfile') || normalized.endsWith('/Podfile.lock'))
+  );
+};
+const isIOSCartfilePath = (path: string): boolean => {
+  const normalized = path.replace(/\\/g, '/');
+  return (
+    normalized.startsWith('apps/ios/') &&
+    (normalized.endsWith('/Cartfile') || normalized.endsWith('/Cartfile.resolved'))
+  );
+};
 const isIOSApplicationOrPresentationPath = (path: string): boolean => {
   return (
     isIOSSwiftPath(path) &&
@@ -608,6 +624,8 @@ type TextDetectorRegistryEntry = {
 const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   // iOS
+  { platform: 'ios', pathCheck: isIOSPodfilePath, excludePaths: [], detect: detectsTrackedFilePresence, ruleId: 'heuristics.ios.dependencies.cocoapods.ast', code: 'HEURISTICS_IOS_DEPENDENCIES_COCOAPODS_AST', message: 'AST heuristic detected CocoaPods dependency files in an iOS project; Swift Package Manager remains the preferred baseline for new code.' },
+  { platform: 'ios', pathCheck: isIOSCartfilePath, excludePaths: [], detect: detectsTrackedFilePresence, ruleId: 'heuristics.ios.dependencies.carthage.ast', code: 'HEURISTICS_IOS_DEPENDENCIES_CARTHAGE_AST', message: 'AST heuristic detected Carthage dependency files in an iOS project; Swift Package Manager remains the preferred baseline for new code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftForceUnwrap, ruleId: 'heuristics.ios.force-unwrap.ast', code: 'HEURISTICS_IOS_FORCE_UNWRAP_AST', message: 'AST heuristic detected force unwrap usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAnyViewUsage, ruleId: 'heuristics.ios.anyview.ast', code: 'HEURISTICS_IOS_ANYVIEW_AST', message: 'AST heuristic detected AnyView usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftForceTryUsage, ruleId: 'heuristics.ios.force-try.ast', code: 'HEURISTICS_IOS_FORCE_TRY_AST', message: 'AST heuristic detected force try usage.' },
@@ -622,6 +640,7 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSensitiveLoggingUsage, ruleId: 'heuristics.ios.logging.sensitive-data.ast', code: 'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST', message: 'AST heuristic detected sensitive data in an iOS logging call.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAlamofireUsage, ruleId: 'heuristics.ios.networking.alamofire.ast', code: 'HEURISTICS_IOS_NETWORKING_ALAMOFIRE_AST', message: 'AST heuristic detected Alamofire usage in iOS production code; URLSession remains the preferred baseline for new code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftJSONSerializationUsage, ruleId: 'heuristics.ios.json.jsonserialization.ast', code: 'HEURISTICS_IOS_JSON_JSONSERIALIZATION_AST', message: 'AST heuristic detected JSONSerialization usage in iOS production code; Codable remains the preferred baseline for new code.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSensitiveUserDefaultsStorageUsage, ruleId: 'heuristics.ios.security.userdefaults-sensitive-data.ast', code: 'HEURISTICS_IOS_SECURITY_USERDEFAULTS_SENSITIVE_DATA_AST', message: 'AST heuristic detected sensitive data stored in UserDefaults/AppStorage; native Keychain remains the preferred baseline for secrets.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftUncheckedSendableUsage, ruleId: 'heuristics.ios.unchecked-sendable.ast', code: 'HEURISTICS_IOS_UNCHECKED_SENDABLE_AST', message: 'AST heuristic detected @unchecked Sendable usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftPreconcurrencyUsage, ruleId: 'heuristics.ios.preconcurrency.ast', code: 'HEURISTICS_IOS_PRECONCURRENCY_AST', message: 'AST heuristic detected @preconcurrency usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftNonisolatedUnsafeUsage, ruleId: 'heuristics.ios.nonisolated-unsafe.ast', code: 'HEURISTICS_IOS_NONISOLATED_UNSAFE_AST', message: 'AST heuristic detected nonisolated(unsafe) usage.' },

package/core/rules/presets/heuristics/ios.test.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { iosRules } from './ios';
 test('iosRules define reglas heurísticas locked para plataforma ios', () => {
-  assert.equal(iosRules.length, 47);
+  assert.equal(iosRules.length, 50);
   const ids = iosRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -21,6 +21,9 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     'heuristics.ios.logging.sensitive-data.ast',
     'heuristics.ios.networking.alamofire.ast',
     'heuristics.ios.json.jsonserialization.ast',
+    'heuristics.ios.dependencies.cocoapods.ast',
+    'heuristics.ios.dependencies.carthage.ast',
+    'heuristics.ios.security.userdefaults-sensitive-data.ast',
     'heuristics.ios.unchecked-sendable.ast',
     'heuristics.ios.preconcurrency.ast',
     'heuristics.ios.nonisolated-unsafe.ast',
@@ -81,6 +84,18 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     byId.get('heuristics.ios.json.jsonserialization.ast')?.then.code,
     'HEURISTICS_IOS_JSON_JSONSERIALIZATION_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ios.dependencies.cocoapods.ast')?.then.code,
+    'HEURISTICS_IOS_DEPENDENCIES_COCOAPODS_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ios.dependencies.carthage.ast')?.then.code,
+    'HEURISTICS_IOS_DEPENDENCIES_CARTHAGE_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ios.security.userdefaults-sensitive-data.ast')?.then.code,
+    'HEURISTICS_IOS_SECURITY_USERDEFAULTS_SENSITIVE_DATA_AST'
+  );
   assert.equal(
     byId.get('heuristics.ios.preconcurrency.ast')?.then.code,
     'HEURISTICS_IOS_PRECONCURRENCY_AST'

package/core/rules/presets/heuristics/ios.ts CHANGED Viewed

@@ -253,6 +253,60 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_JSON_JSONSERIALIZATION_AST',
     },
   },
+  {
+    id: 'heuristics.ios.dependencies.cocoapods.ast',
+    description: 'Detects CocoaPods dependency files in iOS projects; Swift Package Manager is the preferred baseline for new code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.dependencies.cocoapods.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected CocoaPods dependency files in an iOS project; Swift Package Manager remains the preferred baseline for new code.',
+      code: 'HEURISTICS_IOS_DEPENDENCIES_COCOAPODS_AST',
+    },
+  },
+  {
+    id: 'heuristics.ios.dependencies.carthage.ast',
+    description: 'Detects Carthage dependency files in iOS projects; Swift Package Manager is the preferred baseline for new code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.dependencies.carthage.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected Carthage dependency files in an iOS project; Swift Package Manager remains the preferred baseline for new code.',
+      code: 'HEURISTICS_IOS_DEPENDENCIES_CARTHAGE_AST',
+    },
+  },
+  {
+    id: 'heuristics.ios.security.userdefaults-sensitive-data.ast',
+    description: 'Detects sensitive data stored in UserDefaults/AppStorage; Keychain is the preferred baseline for secrets.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.security.userdefaults-sensitive-data.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected sensitive data stored in UserDefaults/AppStorage; native Keychain remains the preferred baseline for secrets.',
+      code: 'HEURISTICS_IOS_SECURITY_USERDEFAULTS_SENSITIVE_DATA_AST',
+    },
+  },
   {
     id: 'heuristics.ios.unchecked-sendable.ast',
     description: 'Detects @unchecked Sendable usage in iOS production code.',

package/docs/codex-skills/ios-enterprise-rules.md CHANGED Viewed

@@ -509,6 +509,12 @@ struct UseCaseFactory {
 - `skills.ios.guideline.ios.codable-para-serializacio-n-json-nunca-jsonserialization` se mapea a `heuristics.ios.json.jsonserialization.ast`.
 - En `PROJECT MODE: brownfield`, estos hallazgos son señal de baseline/adopción y deben evitar drift nuevo sin bloquear deuda histórica salvo promoción explícita de policy.
+### Enforcement AST inicial de dependencias iOS
+- `skills.ios.guideline.ios.cocoapods-prohibido` se mapea a `heuristics.ios.dependencies.cocoapods.ast`.
+- `skills.ios.guideline.ios.carthage-prohibido` se mapea a `heuristics.ios.dependencies.carthage.ast`.
+- En `PROJECT MODE: brownfield`, estos hallazgos son señal de baseline/adopción y deben evitar drift nuevo sin bloquear deuda histórica salvo promoción explícita de policy. Swift Package Manager permanece como baseline preferente para código nuevo.
 ```swift
 // ✅ Ejemplo: APIClient con URLSession y async/await
 protocol APIClientProtocol: Sendable {
@@ -589,6 +595,13 @@ struct APIEndpoint: Sendable {
 ✅ **FileManager** - Archivos, imágenes, documents
 ✅ **iCloud** - Sync entre dispositivos (NSUbiquitousKeyValueStore, CloudKit)
+### Enforcement AST inicial de secretos en preferencias iOS
+- `skills.ios.guideline.ios.keychain-passwords-tokens-no-userdefaults` se mapea a `heuristics.ios.security.userdefaults-sensitive-data.ast`.
+- `skills.ios.guideline.ios.keychainservices-nativo-passwords-tokens-datos-sensibles-no-wrappers-d` se mapea a `heuristics.ios.security.userdefaults-sensitive-data.ast`.
+- `skills.ios.guideline.ios.userdefaults-settings-simples-no-datos-sensibles` se mapea a `heuristics.ios.security.userdefaults-sensitive-data.ast`.
+- En `PROJECT MODE: brownfield`, este hallazgo es señal de baseline/adopción y debe evitar drift nuevo sin bloquear deuda histórica salvo promoción explícita de policy. Keychain nativo permanece como baseline preferente para secretos.
 ### Combine (Reactive):
 ✅ **Publishers** - AsyncSequence para async, Combine para streams complejos
 ✅ **@Published** - En ViewModels para binding con Views

package/integrations/config/skillsDetectorRegistry.ts CHANGED Viewed

@@ -67,6 +67,26 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'ios.json.jsonserialization',
     ['heuristics.ios.json.jsonserialization.ast']
   ),
+  'skills.ios.guideline.ios.cocoapods-prohibido': heuristicDetector(
+    'ios.dependencies.cocoapods',
+    ['heuristics.ios.dependencies.cocoapods.ast']
+  ),
+  'skills.ios.guideline.ios.carthage-prohibido': heuristicDetector(
+    'ios.dependencies.carthage',
+    ['heuristics.ios.dependencies.carthage.ast']
+  ),
+  'skills.ios.guideline.ios.keychain-passwords-tokens-no-userdefaults': heuristicDetector(
+    'ios.security.userdefaults-sensitive-data',
+    ['heuristics.ios.security.userdefaults-sensitive-data.ast']
+  ),
+  'skills.ios.guideline.ios.keychainservices-nativo-passwords-tokens-datos-sensibles-no-wrappers-d': heuristicDetector(
+    'ios.security.userdefaults-sensitive-data',
+    ['heuristics.ios.security.userdefaults-sensitive-data.ast']
+  ),
+  'skills.ios.guideline.ios.userdefaults-settings-simples-no-datos-sensibles': heuristicDetector(
+    'ios.security.userdefaults-sensitive-data',
+    ['heuristics.ios.security.userdefaults-sensitive-data.ast']
+  ),
   'skills.ios.no-unchecked-sendable': heuristicDetector('ios.unchecked-sendable', [
     'heuristics.ios.unchecked-sendable.ast',
   ]),

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.193",
+  "version": "6.3.195",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {