pumuki 6.3.198 → 6.3.199

package/core/facts/detectors/text/ios.test.ts

@@ -21,6 +21,7 @@ import {
   hasSwiftForceTryUsage,
   hasSwiftForceUnwrap,
   hasSwiftGeometryReaderUsage,
+  hasSwiftHardcodedUiStringUsage,
   hasSwiftLegacyOnChangeUsage,
   hasSwiftLegacyExpectationDescriptionUsage,
   hasSwiftLegacySwiftUiObservableWrapperUsage,
@@ -268,6 +269,36 @@ let text = "https://example.com/catalog.json"
   assert.equal(hasSwiftInsecureTransportUsage(ignored), false);
 });
 
+test('detector iOS de localización detecta strings UI hardcodeadas sin confundir keys ni comentarios', () => {
+  const source = `
+struct PaywallView: View {
+  var body: some View {
+    VStack {
+      Text("Start premium trial")
+      Button("Continue") {}
+      Label("Your orders", systemImage: "cart")
+      TextField("Search products", text: $query)
+      EmptyView().navigationTitle("Account details")
+    }
+  }
+}
+`;
+  const ignored = `
+struct OrdersView: View {
+  var body: some View {
+    Text(String(localized: "orders.title"))
+    Text("orders.title")
+    Button(String(localized: "orders.checkout")) {}
+    let sample = "Text(\\"Start premium trial\\")"
+    // Text("Debug")
+  }
+}
+`;
+
+  assert.equal(hasSwiftHardcodedUiStringUsage(source), true);
+  assert.equal(hasSwiftHardcodedUiStringUsage(ignored), false);
+});
+
 test('hasSwiftUncheckedSendableUsage detecta @unchecked Sendable', () => {
   const source = `
 final class LegacyBox: @unchecked Sendable {}

package/core/facts/detectors/text/ios.ts

@@ -511,6 +511,38 @@ export const hasSwiftInsecureTransportUsage = (source: string): boolean => {
   );
 };
 
+const swiftUiLiteralTextPatterns = [
+  /\b(?:Text|Button|Label|TextField|SecureField)\s*\(\s*"((?:\\.|[^"\\])*)"/,
+  /\.navigationTitle\s*\(\s*"((?:\\.|[^"\\])*)"/,
+  /\.navigationSubtitle\s*\(\s*"((?:\\.|[^"\\])*)"/,
+  /\.accessibilityLabel\s*\(\s*"((?:\\.|[^"\\])*)"/,
+];
+
+const looksLikeLocalizationKey = (value: string): boolean => {
+  return /^[A-Za-z0-9_]+(?:[.-][A-Za-z0-9_]+)+$/.test(value);
+};
+
+export const hasSwiftHardcodedUiStringUsage = (source: string): boolean => {
+  const withoutBlockComments = source.replace(/\/\*[\s\S]*?\*\//g, '\n');
+  return withoutBlockComments.split(/\r?\n/).some((line) => {
+    if (/^\s*\/\//.test(line)) {
+      return false;
+    }
+    const withoutInlineComment = line.replace(/\/\/.*$/, '');
+    return swiftUiLiteralTextPatterns.some((pattern) => {
+      const match = withoutInlineComment.match(pattern);
+      if (!match) {
+        return false;
+      }
+      const literal = match[1]?.trim() ?? '';
+      if (literal.length === 0) {
+        return false;
+      }
+      return !looksLikeLocalizationKey(literal);
+    });
+  });
+};
+
 export const hasSwiftUncheckedSendableUsage = (source: string): boolean => {
   return scanCodeLikeSource(source, ({ source: swiftSource, index, current }) => {
     if (current !== '@' || !swiftSource.startsWith('@unchecked', index)) {

package/core/facts/extractHeuristicFacts.ts

@@ -654,6 +654,7 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftInsecureTransportUsage, ruleId: 'heuristics.ios.security.insecure-transport.ast', code: 'HEURISTICS_IOS_SECURITY_INSECURE_TRANSPORT_AST', message: 'AST heuristic detected insecure HTTP transport in iOS production code; HTTPS and ATS remain the preferred baseline.' },
   { platform: 'ios', pathCheck: isIOSInfoPlistPath, excludePaths: [], detect: TextIOS.hasSwiftInsecureTransportUsage, ruleId: 'heuristics.ios.security.insecure-transport.ast', code: 'HEURISTICS_IOS_SECURITY_INSECURE_TRANSPORT_AST', message: 'AST heuristic detected permissive App Transport Security configuration; HTTPS and ATS remain the preferred baseline.' },
   { platform: 'ios', pathCheck: isIOSLocalizableStringsPath, excludePaths: [], detect: detectsTrackedFilePresence, ruleId: 'heuristics.ios.localization.localizable-strings.ast', code: 'HEURISTICS_IOS_LOCALIZATION_LOCALIZABLE_STRINGS_AST', message: 'AST heuristic detected Localizable.strings usage; String Catalogs (.xcstrings) remain the preferred baseline for new localization work.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftHardcodedUiStringUsage, ruleId: 'heuristics.ios.localization.hardcoded-ui-string.ast', code: 'HEURISTICS_IOS_LOCALIZATION_HARDCODED_UI_STRING_AST', message: 'AST heuristic detected hardcoded user-facing SwiftUI text; String(localized:) and String Catalogs remain the preferred baseline.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftUncheckedSendableUsage, ruleId: 'heuristics.ios.unchecked-sendable.ast', code: 'HEURISTICS_IOS_UNCHECKED_SENDABLE_AST', message: 'AST heuristic detected @unchecked Sendable usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftPreconcurrencyUsage, ruleId: 'heuristics.ios.preconcurrency.ast', code: 'HEURISTICS_IOS_PRECONCURRENCY_AST', message: 'AST heuristic detected @preconcurrency usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftNonisolatedUnsafeUsage, ruleId: 'heuristics.ios.nonisolated-unsafe.ast', code: 'HEURISTICS_IOS_NONISOLATED_UNSAFE_AST', message: 'AST heuristic detected nonisolated(unsafe) usage.' },

package/core/rules/presets/heuristics/ios.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { iosRules } from './ios';
 
 test('iosRules define reglas heurísticas locked para plataforma ios', () => {
-  assert.equal(iosRules.length, 52);
+  assert.equal(iosRules.length, 53);
 
   const ids = iosRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -26,6 +26,7 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     'heuristics.ios.security.userdefaults-sensitive-data.ast',
     'heuristics.ios.security.insecure-transport.ast',
     'heuristics.ios.localization.localizable-strings.ast',
+    'heuristics.ios.localization.hardcoded-ui-string.ast',
     'heuristics.ios.unchecked-sendable.ast',
     'heuristics.ios.preconcurrency.ast',
     'heuristics.ios.nonisolated-unsafe.ast',
@@ -106,6 +107,10 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     byId.get('heuristics.ios.localization.localizable-strings.ast')?.then.code,
     'HEURISTICS_IOS_LOCALIZATION_LOCALIZABLE_STRINGS_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ios.localization.hardcoded-ui-string.ast')?.then.code,
+    'HEURISTICS_IOS_LOCALIZATION_HARDCODED_UI_STRING_AST'
+  );
   assert.equal(
     byId.get('heuristics.ios.preconcurrency.ast')?.then.code,
     'HEURISTICS_IOS_PRECONCURRENCY_AST'

package/core/rules/presets/heuristics/ios.ts

@@ -343,6 +343,24 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_LOCALIZATION_LOCALIZABLE_STRINGS_AST',
     },
   },
+  {
+    id: 'heuristics.ios.localization.hardcoded-ui-string.ast',
+    description: 'Detects hardcoded user-facing SwiftUI text where String(localized:) and String Catalogs are preferred.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.localization.hardcoded-ui-string.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected hardcoded user-facing SwiftUI text; String(localized:) and String Catalogs remain the preferred baseline.',
+      code: 'HEURISTICS_IOS_LOCALIZATION_HARDCODED_UI_STRING_AST',
+    },
+  },
   {
     id: 'heuristics.ios.unchecked-sendable.ast',
     description: 'Detects @unchecked Sendable usage in iOS production code.',

package/docs/codex-skills/ios-enterprise-rules.md

@@ -607,6 +607,16 @@ struct APIEndpoint: Sendable {
 - `skills.ios.guideline.ios.app-transport-security-ats-https-por-defecto` se mapea a `heuristics.ios.security.insecure-transport.ast`.
 - En `PROJECT MODE: brownfield`, este hallazgo detecta `http://` en Swift production y `NSAllowsArbitraryLoads=true` en `Info.plist` como señal de baseline/adopción sin bloquear deuda histórica salvo promoción explícita de policy. HTTPS y ATS permanecen como baseline preferente.
 
+### Enforcement AST inicial de localización iOS
+
+- `skills.ios.guideline.ios.localizable-strings-deprecado-usar-string-catalogs` se mapea a `heuristics.ios.localization.localizable-strings.ast`.
+- `skills.ios.guideline.ios.string-catalogs-xcstrings` se mapea a `heuristics.ios.localization.localizable-strings.ast`.
+- `skills.ios.guideline.ios.string-catalogs-xcstrings-sistema-moderno-de-localizacio-n-xcode-15` se mapea a `heuristics.ios.localization.localizable-strings.ast`.
+- `skills.ios.guideline.ios.cero-strings-hardcodeadas-en-ui` se mapea a `heuristics.ios.localization.hardcoded-ui-string.ast`.
+- `skills.ios.guideline.ios.string-localized-api-moderna-para-strings-traducibles` se mapea a `heuristics.ios.localization.hardcoded-ui-string.ast`.
+- En `PROJECT MODE: brownfield`, este hallazgo detecta `Localizable.strings` bajo `apps/ios/**` como señal de baseline/adopción sin bloquear deuda histórica salvo promoción explícita de policy. String Catalogs (`.xcstrings`) permanece como baseline preferente.
+- También detecta literales de texto visibles en SwiftUI (`Text`, `Button`, `Label`, `TextField`, `SecureField`, `navigationTitle`, `accessibilityLabel`) como señal de adopción hacia `String(localized:)` y String Catalogs, ignorando keys como `orders.title`.
+
 ### Combine (Reactive):
 ✅ **Publishers** - AsyncSequence para async, Combine para streams complejos
 ✅ **@Published** - En ViewModels para binding con Views

package/integrations/config/skillsDetectorRegistry.ts

@@ -103,6 +103,14 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'ios.localization.localizable-strings',
     ['heuristics.ios.localization.localizable-strings.ast']
   ),
+  'skills.ios.guideline.ios.cero-strings-hardcodeadas-en-ui': heuristicDetector(
+    'ios.localization.hardcoded-ui-string',
+    ['heuristics.ios.localization.hardcoded-ui-string.ast']
+  ),
+  'skills.ios.guideline.ios.string-localized-api-moderna-para-strings-traducibles': heuristicDetector(
+    'ios.localization.hardcoded-ui-string',
+    ['heuristics.ios.localization.hardcoded-ui-string.ast']
+  ),
   'skills.ios.no-unchecked-sendable': heuristicDetector('ios.unchecked-sendable', [
     'heuristics.ios.unchecked-sendable.ast',
   ]),

package/integrations/config/skillsMarkdownRules.ts

@@ -395,6 +395,9 @@ const normalizeKnownRuleTarget = (
     ) {
       return 'skills.ios.guideline.ios.localizable-strings-deprecado-usar-string-catalogs';
     }
+    if (includes('strings hardcodeadas') || includes('string localized')) {
+      return 'skills.ios.guideline.ios.cero-strings-hardcodeadas-en-ui';
+    }
     if (
       includes('mixing legacy xctest style') ||
       includes('mixed xctest and swift testing') ||

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.198",
+  "version": "6.3.199",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/skills.lock.json

@@ -1,7 +1,7 @@
 {
   "version": "1.0",
   "compilerVersion": "1.0.0",
-  "generatedAt": "2026-05-13T11:18:53.521Z",
+  "generatedAt": "2026-05-13T11:29:26.365Z",
   "bundles": [
     {
       "name": "android-guidelines",
@@ -5764,7 +5764,7 @@
       "name": "ios-guidelines",
       "version": "1.0.0",
       "source": "file:vendor/skills/ios-enterprise-rules/SKILL.md",
-      "hash": "30c5afdca8ca553960a3063adf318d314f3d60489bf88465b670e82e6e157d51",
+      "hash": "6b68665f29f3894ce007abafdd6a766e63ec02f576fc7299e9d7cf17430786d4",
       "rules": [
         {
           "id": "skills.ios.guideline.ios.accessibility-identifiers-para-localizar-elementos",
@@ -6092,14 +6092,14 @@
         },
         {
           "id": "skills.ios.guideline.ios.cero-strings-hardcodeadas-en-ui",
-          "description": "Cero strings hardcodeadas en UI",
+          "description": "String(localized:) y formateadores (Date/Number)",
           "severity": "WARN",
           "platform": "ios",
           "sourceSkill": "ios-guidelines",
           "sourcePath": "vendor/skills/ios-enterprise-rules/SKILL.md",
           "confidence": "MEDIUM",
           "locked": true,
-          "evaluationMode": "DECLARATIVE",
+          "evaluationMode": "AUTO",
           "origin": "core"
         },
         {
@@ -7879,30 +7879,6 @@
           "evaluationMode": "DECLARATIVE",
           "origin": "core"
         },
-        {
-          "id": "skills.ios.guideline.ios.string-localized-api-moderna-para-strings-traducibles",
-          "description": "String(localized:) - API moderna para strings traducibles",
-          "severity": "WARN",
-          "platform": "ios",
-          "sourceSkill": "ios-guidelines",
-          "sourcePath": "vendor/skills/ios-enterprise-rules/SKILL.md",
-          "confidence": "MEDIUM",
-          "locked": true,
-          "evaluationMode": "DECLARATIVE",
-          "origin": "core"
-        },
-        {
-          "id": "skills.ios.guideline.ios.string-localized-y-formateadores-date-number",
-          "description": "String(localized:) y formateadores (Date/Number)",
-          "severity": "WARN",
-          "platform": "ios",
-          "sourceSkill": "ios-guidelines",
-          "sourcePath": "vendor/skills/ios-enterprise-rules/SKILL.md",
-          "confidence": "MEDIUM",
-          "locked": true,
-          "evaluationMode": "DECLARATIVE",
-          "origin": "core"
-        },
         {
           "id": "skills.ios.guideline.ios.struct-por-defecto-class-solo-cuando-necesites-identity-o-herencia",
           "description": "struct por defecto - class solo cuando necesites identity o herencia",