pumuki 6.3.194 → 6.3.196

package/core/facts/detectors/text/ios.test.ts

@@ -44,6 +44,7 @@ import {
   hasSwiftSheetIsPresentedUsage,
   hasSwiftScrollViewShowsIndicatorsUsage,
   hasSwiftSensitiveLoggingUsage,
+  hasSwiftSensitiveUserDefaultsStorageUsage,
   hasSwiftJSONSerializationUsage,
   hasSwiftStringFormatUsage,
   hasSwiftTabItemUsage,
@@ -223,6 +224,22 @@ final class APIClient {
   assert.equal(hasSwiftJSONSerializationUsage(ignored), false);
 });
 
+test('detector iOS de seguridad detecta secretos en UserDefaults y AppStorage', () => {
+  const source = `
+UserDefaults.standard.set(accessToken, forKey: "accessToken")
+@AppStorage("refreshToken") private var refreshToken = ""
+`;
+  const ignored = `
+UserDefaults.standard.set(theme, forKey: "selectedTheme")
+@AppStorage("preferredTab") private var preferredTab = "home"
+let text = "UserDefaults.standard.set(accessToken, forKey: \\"accessToken\\")"
+// UserDefaults.standard.set(accessToken, forKey: "accessToken")
+`;
+
+  assert.equal(hasSwiftSensitiveUserDefaultsStorageUsage(source), true);
+  assert.equal(hasSwiftSensitiveUserDefaultsStorageUsage(ignored), false);
+});
+
 test('hasSwiftUncheckedSendableUsage detecta @unchecked Sendable', () => {
   const source = `
 final class LegacyBox: @unchecked Sendable {}

package/core/facts/detectors/text/ios.ts

@@ -475,6 +475,23 @@ export const hasSwiftJSONSerializationUsage = (source: string): boolean => {
   return collectSwiftRegexLines(source, /\bJSONSerialization\s*\./).length > 0;
 };
 
+export const hasSwiftSensitiveUserDefaultsStorageUsage = (source: string): boolean => {
+  return source.split(/\r?\n/).some((line) => {
+    const sanitized = stripSwiftLineForSemanticScan(line);
+    const lineWithoutComments = line.replace(/\/\/.*$/, '');
+    const hasUserDefaultsWrite = /\bUserDefaults\s*\.\s*standard\s*\.\s*set\s*\(/.test(sanitized);
+    const hasAppStorage = /@\s*AppStorage\s*\(/.test(sanitized);
+
+    if (!hasUserDefaultsWrite && !hasAppStorage) {
+      return false;
+    }
+
+    return /\b(?:accessToken|refreshToken|authToken|token|password|secret|credential|authorization|bearer|apiKey|sessionId)\b/i.test(
+      lineWithoutComments
+    );
+  });
+};
+
 export const hasSwiftUncheckedSendableUsage = (source: string): boolean => {
   return scanCodeLikeSource(source, ({ source: swiftSource, index, current }) => {
     if (current !== '@' || !swiftSource.startsWith('@unchecked', index)) {

package/core/facts/extractHeuristicFacts.ts

@@ -640,6 +640,7 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSensitiveLoggingUsage, ruleId: 'heuristics.ios.logging.sensitive-data.ast', code: 'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST', message: 'AST heuristic detected sensitive data in an iOS logging call.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAlamofireUsage, ruleId: 'heuristics.ios.networking.alamofire.ast', code: 'HEURISTICS_IOS_NETWORKING_ALAMOFIRE_AST', message: 'AST heuristic detected Alamofire usage in iOS production code; URLSession remains the preferred baseline for new code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftJSONSerializationUsage, ruleId: 'heuristics.ios.json.jsonserialization.ast', code: 'HEURISTICS_IOS_JSON_JSONSERIALIZATION_AST', message: 'AST heuristic detected JSONSerialization usage in iOS production code; Codable remains the preferred baseline for new code.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSensitiveUserDefaultsStorageUsage, ruleId: 'heuristics.ios.security.userdefaults-sensitive-data.ast', code: 'HEURISTICS_IOS_SECURITY_USERDEFAULTS_SENSITIVE_DATA_AST', message: 'AST heuristic detected sensitive data stored in UserDefaults/AppStorage; native Keychain remains the preferred baseline for secrets.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftUncheckedSendableUsage, ruleId: 'heuristics.ios.unchecked-sendable.ast', code: 'HEURISTICS_IOS_UNCHECKED_SENDABLE_AST', message: 'AST heuristic detected @unchecked Sendable usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftPreconcurrencyUsage, ruleId: 'heuristics.ios.preconcurrency.ast', code: 'HEURISTICS_IOS_PRECONCURRENCY_AST', message: 'AST heuristic detected @preconcurrency usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftNonisolatedUnsafeUsage, ruleId: 'heuristics.ios.nonisolated-unsafe.ast', code: 'HEURISTICS_IOS_NONISOLATED_UNSAFE_AST', message: 'AST heuristic detected nonisolated(unsafe) usage.' },

package/core/rules/presets/heuristics/ios.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { iosRules } from './ios';
 
 test('iosRules define reglas heurísticas locked para plataforma ios', () => {
-  assert.equal(iosRules.length, 49);
+  assert.equal(iosRules.length, 50);
 
   const ids = iosRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -23,6 +23,7 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     'heuristics.ios.json.jsonserialization.ast',
     'heuristics.ios.dependencies.cocoapods.ast',
     'heuristics.ios.dependencies.carthage.ast',
+    'heuristics.ios.security.userdefaults-sensitive-data.ast',
     'heuristics.ios.unchecked-sendable.ast',
     'heuristics.ios.preconcurrency.ast',
     'heuristics.ios.nonisolated-unsafe.ast',
@@ -91,6 +92,10 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     byId.get('heuristics.ios.dependencies.carthage.ast')?.then.code,
     'HEURISTICS_IOS_DEPENDENCIES_CARTHAGE_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ios.security.userdefaults-sensitive-data.ast')?.then.code,
+    'HEURISTICS_IOS_SECURITY_USERDEFAULTS_SENSITIVE_DATA_AST'
+  );
   assert.equal(
     byId.get('heuristics.ios.preconcurrency.ast')?.then.code,
     'HEURISTICS_IOS_PRECONCURRENCY_AST'

package/core/rules/presets/heuristics/ios.ts

@@ -289,6 +289,24 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_DEPENDENCIES_CARTHAGE_AST',
     },
   },
+  {
+    id: 'heuristics.ios.security.userdefaults-sensitive-data.ast',
+    description: 'Detects sensitive data stored in UserDefaults/AppStorage; Keychain is the preferred baseline for secrets.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.security.userdefaults-sensitive-data.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected sensitive data stored in UserDefaults/AppStorage; native Keychain remains the preferred baseline for secrets.',
+      code: 'HEURISTICS_IOS_SECURITY_USERDEFAULTS_SENSITIVE_DATA_AST',
+    },
+  },
   {
     id: 'heuristics.ios.unchecked-sendable.ast',
     description: 'Detects @unchecked Sendable usage in iOS production code.',

package/docs/codex-skills/ios-enterprise-rules.md

@@ -595,6 +595,13 @@ struct APIEndpoint: Sendable {
 ✅ **FileManager** - Archivos, imágenes, documents
 ✅ **iCloud** - Sync entre dispositivos (NSUbiquitousKeyValueStore, CloudKit)
 
+### Enforcement AST inicial de secretos en preferencias iOS
+
+- `skills.ios.guideline.ios.keychain-passwords-tokens-no-userdefaults` se mapea a `heuristics.ios.security.userdefaults-sensitive-data.ast`.
+- `skills.ios.guideline.ios.keychainservices-nativo-passwords-tokens-datos-sensibles-no-wrappers-d` se mapea a `heuristics.ios.security.userdefaults-sensitive-data.ast`.
+- `skills.ios.guideline.ios.userdefaults-settings-simples-no-datos-sensibles` se mapea a `heuristics.ios.security.userdefaults-sensitive-data.ast`.
+- En `PROJECT MODE: brownfield`, este hallazgo es señal de baseline/adopción y debe evitar drift nuevo sin bloquear deuda histórica salvo promoción explícita de policy. Keychain nativo permanece como baseline preferente para secretos.
+
 ### Combine (Reactive):
 ✅ **Publishers** - AsyncSequence para async, Combine para streams complejos
 ✅ **@Published** - En ViewModels para binding con Views

package/integrations/config/skillsDetectorRegistry.ts

@@ -75,6 +75,18 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'ios.dependencies.carthage',
     ['heuristics.ios.dependencies.carthage.ast']
   ),
+  'skills.ios.guideline.ios.keychain-passwords-tokens-no-userdefaults': heuristicDetector(
+    'ios.security.userdefaults-sensitive-data',
+    ['heuristics.ios.security.userdefaults-sensitive-data.ast']
+  ),
+  'skills.ios.guideline.ios.keychainservices-nativo-passwords-tokens-datos-sensibles-no-wrappers-d': heuristicDetector(
+    'ios.security.userdefaults-sensitive-data',
+    ['heuristics.ios.security.userdefaults-sensitive-data.ast']
+  ),
+  'skills.ios.guideline.ios.userdefaults-settings-simples-no-datos-sensibles': heuristicDetector(
+    'ios.security.userdefaults-sensitive-data',
+    ['heuristics.ios.security.userdefaults-sensitive-data.ast']
+  ),
   'skills.ios.no-unchecked-sendable': heuristicDetector('ios.unchecked-sendable', [
     'heuristics.ios.unchecked-sendable.ast',
   ]),

package/integrations/config/skillsMarkdownRules.ts

@@ -403,6 +403,15 @@ const normalizeKnownRuleTarget = (
     ) {
       return 'skills.ios.no-nsmanagedobject-async-boundary';
     }
+    if (
+      includes('keep swiftdata orchestration') ||
+      includes('swiftdata contexts containers queries or persistence models') ||
+      includes('modelcontext') ||
+      includes('modelcontainer') ||
+      includes('query model')
+    ) {
+      return 'skills.ios.no-swiftdata-layer-leak';
+    }
     if (
       includes('core data orchestration inside infrastructure') ||
       includes('instead of presentation code') ||

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.194",
+  "version": "6.3.196",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/skills.lock.json

@@ -1,7 +1,7 @@
 {
   "version": "1.0",
   "compilerVersion": "1.0.0",
-  "generatedAt": "2026-05-12T21:28:07.507Z",
+  "generatedAt": "2026-05-13T11:03:09.894Z",
   "bundles": [
     {
       "name": "android-guidelines",
@@ -5644,20 +5644,8 @@
       "name": "ios-core-data-guidelines",
       "version": "1.0.0",
       "source": "file:vendor/skills/core-data-expert/SKILL.md",
-      "hash": "d91f2cad6499310a4299b39593d47f40a507299a0562c21bc64aad9b5d27c66f",
+      "hash": "be63caab019ec200e0248cc670f431b27d4fa8023c3267d0577785e50ba14db4",
       "rules": [
-        {
-          "id": "skills.ios.guideline.ios-core-data.keep-swiftdata-orchestration-modelcontext-modelcontainer-query-model-i",
-          "description": "Keep SwiftData orchestration (ModelContext, ModelContainer, @Query, @Model) inside infrastructure or repository layers instead of application or presentation code in enterprise Clean Architecture.",
-          "severity": "WARN",
-          "platform": "ios",
-          "sourceSkill": "ios-core-data-guidelines",
-          "sourcePath": "vendor/skills/core-data-expert/SKILL.md",
-          "confidence": "MEDIUM",
-          "locked": true,
-          "evaluationMode": "DECLARATIVE",
-          "origin": "core"
-        },
         {
           "id": "skills.ios.guideline.ios-core-data.make-context-ownership-explicit-and-keep-merge-boundaries-controlled",
           "description": "Make context ownership explicit and keep merge boundaries controlled.",
@@ -5706,18 +5694,6 @@
           "evaluationMode": "DECLARATIVE",
           "origin": "core"
         },
-        {
-          "id": "skills.ios.guideline.ios-core-data.using-swiftdata-contexts-containers-queries-or-persistence-models-dire",
-          "description": "Using SwiftData contexts, containers, queries, or persistence models directly in application or presentation code when the repo requires Clean Architecture boundaries.",
-          "severity": "ERROR",
-          "platform": "ios",
-          "sourceSkill": "ios-core-data-guidelines",
-          "sourcePath": "vendor/skills/core-data-expert/SKILL.md",
-          "confidence": "HIGH",
-          "locked": true,
-          "evaluationMode": "DECLARATIVE",
-          "origin": "core"
-        },
         {
           "id": "skills.ios.no-core-data-layer-leak",
           "description": "Keep Core Data orchestration inside infrastructure or repository layers; avoid Core Data APIs in application or presentation code.",
@@ -5769,6 +5745,18 @@
           "sourcePath": "vendor/skills/core-data-expert/SKILL.md",
           "evaluationMode": "AUTO",
           "origin": "core"
+        },
+        {
+          "id": "skills.ios.no-swiftdata-layer-leak",
+          "description": "Keep SwiftData orchestration (ModelContext, ModelContainer, @Query, @Model) inside infrastructure or repository layers instead of application or presentation code in enterprise Clean Architecture.",
+          "severity": "WARN",
+          "platform": "ios",
+          "sourceSkill": "ios-core-data-guidelines",
+          "sourcePath": "vendor/skills/core-data-expert/SKILL.md",
+          "confidence": "MEDIUM",
+          "locked": true,
+          "evaluationMode": "AUTO",
+          "origin": "core"
         }
       ]
     },