pumuki 6.3.204 → 6.3.205

package/integrations/lifecycle/audit.ts

@@ -23,7 +23,14 @@ export type LifecycleAuditResult = {
   command: 'pumuki audit';
   repo_root: string;
   stage: LifecycleAuditStage;
-  scope: { kind: 'repo' | 'staged'; staged_matching_extensions_count: number };
+  scope: {
+    kind: 'repo' | 'staged' | 'range';
+    staged_matching_extensions_count: number;
+    range_matching_extensions_count?: number;
+    base_ref?: string;
+    from_ref?: string;
+    to_ref?: string;
+  };
   audit_mode: 'gate' | 'engine';
   gate_exit_code: number;
   files_scanned: number | null;
@@ -54,7 +61,16 @@ type LifecycleAuditDependencies = {
   runPlatformGate: typeof runPlatformGate;
 };
 
-type LifecycleAuditScope = { kind: 'repo' } | { kind: 'staged' };
+type LifecycleAuditScope =
+  | { kind: 'repo' }
+  | { kind: 'staged' }
+  | {
+      kind: 'range';
+      baseRef: string;
+      fromRef: string;
+      toRef: string;
+      matchingExtensions: ReadonlyArray<string>;
+    };
 
 const POLICY_RECONCILE_HINT =
   'If .pumuki/policy-as-code.json signatures drift after a pumuki upgrade, run: pumuki policy reconcile --apply';
@@ -84,16 +100,161 @@ const collectStagedMatchingExtensions = (
     .filter((path) => hasAllowedExtension(path, extensions));
 };
 
+const runGitOrNull = (
+  git: Pick<IGitService, 'runGit'>,
+  args: ReadonlyArray<string>,
+  cwd: string
+): string | null => {
+  try {
+    const output = git.runGit([...args], cwd).trim();
+    return output.length > 0 ? output : null;
+  } catch {
+    return null;
+  }
+};
+
+const isResolvableRef = (
+  git: Pick<IGitService, 'runGit'>,
+  repoRoot: string,
+  ref: string
+): boolean => runGitOrNull(git, ['rev-parse', '--verify', ref], repoRoot) !== null;
+
+const branchPrefersDevelopBase = (branch: string): boolean =>
+  /^(feature|bugfix|chore|refactor|docs)\//.test(branch);
+
+const branchPrefersMainBase = (branch: string): boolean => /^hotfix\//.test(branch);
+
+const collectRangeMatchingExtensions = (params: {
+  git: Pick<IGitService, 'runGit'>;
+  repoRoot: string;
+  fromRef: string;
+  toRef: string;
+  extensions: ReadonlyArray<string>;
+}): string[] => {
+  const raw = runGitOrNull(
+    params.git,
+    ['diff', '--name-only', `${params.fromRef}..${params.toRef}`],
+    params.repoRoot
+  );
+  return (raw ?? '')
+    .split('\n')
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0)
+    .filter((path) => hasAllowedExtension(path, params.extensions));
+};
+
+const resolvePrePushRangeScope = (params: {
+  git: Pick<IGitService, 'runGit'>;
+  repoRoot: string;
+  extensions: ReadonlyArray<string>;
+}): LifecycleAuditScope | null => {
+  const branch =
+    runGitOrNull(params.git, ['rev-parse', '--abbrev-ref', 'HEAD'], params.repoRoot) ?? '';
+  if (branch === 'HEAD' || branch.length === 0) {
+    return null;
+  }
+
+  const explicitBase =
+    process.env.PUMUKI_AUDIT_PRE_PUSH_BASE_REF?.trim() ??
+    process.env.PUMUKI_PRE_PUSH_BASE_REF?.trim() ??
+    '';
+  const upstreamTracking = runGitOrNull(
+    params.git,
+    ['rev-parse', '--abbrev-ref', '--symbolic-full-name', '@{upstream}'],
+    params.repoRoot
+  );
+  const preferredBaseRefs = [
+    explicitBase,
+    ...(branchPrefersDevelopBase(branch) ? ['origin/develop'] : []),
+    ...(branchPrefersMainBase(branch) ? ['origin/main', 'origin/master'] : []),
+    upstreamTracking ?? '',
+    'origin/develop',
+    'origin/main',
+    'origin/master',
+  ].filter((ref, index, refs) => ref.length > 0 && refs.indexOf(ref) === index);
+
+  const baseRef = preferredBaseRefs.find((ref) =>
+    isResolvableRef(params.git, params.repoRoot, ref)
+  );
+  if (typeof baseRef === 'undefined') {
+    return null;
+  }
+
+  const mergeBase = runGitOrNull(params.git, ['merge-base', baseRef, 'HEAD'], params.repoRoot);
+  if (mergeBase === null) {
+    return null;
+  }
+
+  return {
+    kind: 'range',
+    baseRef,
+    fromRef: mergeBase,
+    toRef: 'HEAD',
+    matchingExtensions: collectRangeMatchingExtensions({
+      git: params.git,
+      repoRoot: params.repoRoot,
+      fromRef: mergeBase,
+      toRef: 'HEAD',
+      extensions: params.extensions,
+    }),
+  };
+};
+
 const resolveLifecycleAuditScope = (params: {
   stage: LifecycleAuditStage;
+  git: Pick<IGitService, 'runGit'>;
+  repoRoot: string;
+  extensions: ReadonlyArray<string>;
   stagedMatchingExtensions: ReadonlyArray<string>;
 }): LifecycleAuditScope => {
   if (params.stage === 'PRE_WRITE' && params.stagedMatchingExtensions.length > 0) {
     return { kind: 'staged' };
   }
+  if (params.stage === 'PRE_PUSH') {
+    const rangeScope = resolvePrePushRangeScope({
+      git: params.git,
+      repoRoot: params.repoRoot,
+      extensions: params.extensions,
+    });
+    if (rangeScope !== null) {
+      return rangeScope;
+    }
+  }
   return { kind: 'repo' };
 };
 
+const toGateScope = (scope: LifecycleAuditScope) => {
+  if (scope.kind === 'range') {
+    return {
+      kind: 'range' as const,
+      fromRef: scope.fromRef,
+      toRef: scope.toRef,
+      extensions: [...DEFAULT_FACT_FILE_EXTENSIONS],
+    };
+  }
+  return { kind: scope.kind };
+};
+
+const toResultScope = (params: {
+  scope: LifecycleAuditScope;
+  stagedMatchingExtensions: ReadonlyArray<string>;
+}): LifecycleAuditResult['scope'] => {
+  const base = {
+    kind: params.scope.kind,
+    staged_matching_extensions_count: params.stagedMatchingExtensions.length,
+  };
+  if (params.scope.kind !== 'range') {
+    return base;
+  }
+  return {
+    ...base,
+    range_matching_extensions_count: params.scope.matchingExtensions.length,
+    base_ref: params.scope.baseRef,
+    from_ref: params.scope.fromRef,
+    to_ref: params.scope.toRef,
+  };
+};
+
 const isFindingBlocking = (finding: SnapshotFinding): boolean => {
   if (typeof finding.blocking === 'boolean') {
     return finding.blocking;
@@ -246,15 +407,19 @@ export const runLifecycleAudit = async (params: {
   const stagedMatchingExtensions = collectStagedMatchingExtensions(git, extensions);
   const scope = resolveLifecycleAuditScope({
     stage: params.stage,
+    git,
+    repoRoot,
+    extensions,
     stagedMatchingExtensions,
   });
+  const gateScope = toGateScope(scope);
 
   const gateParams =
     params.auditMode === 'engine'
       ? {
           policy: resolved.policy,
           policyTrace: resolved.trace,
-          scope,
+          scope: gateScope,
           silent: true,
           auditMode: 'engine' as const,
           dependencies: {
@@ -273,7 +438,7 @@ export const runLifecycleAudit = async (params: {
       : {
           policy: resolved.policy,
           policyTrace: resolved.trace,
-          scope,
+          scope: gateScope,
           silent: true,
           auditMode: 'gate' as const,
         };
@@ -312,10 +477,7 @@ export const runLifecycleAudit = async (params: {
     command: 'pumuki audit',
     repo_root: repoRoot,
     stage: params.stage,
-    scope: {
-      kind: scope.kind,
-      staged_matching_extensions_count: stagedMatchingExtensions.length,
-    },
+    scope: toResultScope({ scope, stagedMatchingExtensions }),
     audit_mode: params.auditMode,
     gate_exit_code: gateExitCode,
     files_scanned: filesScanned,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.204",
+  "version": "6.3.205",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {