pumuki 6.3.214 → 6.3.216

package/core/facts/detectors/text/ios.test.ts

@@ -23,6 +23,7 @@ import {
   hasSwiftForceUnwrap,
   hasSwiftGeometryReaderUsage,
   hasSwiftHardcodedUiStringUsage,
+  hasSwiftHardcodedSensitiveStringUsage,
   hasSwiftIconOnlyControlWithoutAccessibilityLabelUsage,
   hasSwiftLooseAssetResourceUsage,
   hasSwiftLegacyOnChangeUsage,
@@ -61,6 +62,7 @@ import {
   hasSwiftStringFormatUsage,
   hasSwiftStrongDelegateReferenceUsage,
   hasSwiftStrongSelfEscapingClosureUsage,
+  hasSwiftSwinjectUsage,
   hasSwiftTabItemUsage,
   hasSwiftTaskDetachedUsage,
   hasSwiftWaitForExpectationsUsage,
@@ -287,6 +289,34 @@ final class APIClient {
   assert.equal(hasSwiftCustomSingletonUsage(ignored), false);
 });
 
+test('hasSwiftSwinjectUsage detecta DI de terceros y preserva DI nativa', () => {
+  const source = `
+import Swinject
+
+final class AppAssembly {
+  private let container = Container()
+  private let assembler = Assembler([])
+}
+`;
+  const native = `
+struct AppDependencies {
+  let apiClient: APIClient
+}
+
+private struct DependenciesKey: EnvironmentKey {
+  static let defaultValue = AppDependencies(apiClient: URLSessionAPIClient())
+}
+`;
+  const ignored = `
+let text = "import Swinject"
+// let container = Container()
+`;
+
+  assert.equal(hasSwiftSwinjectUsage(source), true);
+  assert.equal(hasSwiftSwinjectUsage(native), false);
+  assert.equal(hasSwiftSwinjectUsage(ignored), false);
+});
+
 test('hasSwiftMassiveViewControllerResponsibilityUsage detecta ViewControllers con acceso directo a infraestructura', () => {
   const source = `
 final class CheckoutViewController: UIViewController {
@@ -397,6 +427,25 @@ logger.error("Refresh failed \\(refreshToken)")
   assert.equal(hasSwiftSensitiveLoggingUsage(structuredSafe), false);
 });
 
+test('hasSwiftHardcodedSensitiveStringUsage detecta secretos hardcodeados en Swift productivo', () => {
+  const source = `
+final class Credentials {
+  let apiKey = "sk_live_123456789"
+  private var refreshToken: String = "refresh-token-123456"
+}
+`;
+  const safe = `
+final class Credentials {
+  let apiKey = keychain.read("api_key")
+  let label = "public title"
+  // let apiKey = "sk_live_123456789"
+}
+`;
+
+  assert.equal(hasSwiftHardcodedSensitiveStringUsage(source), true);
+  assert.equal(hasSwiftHardcodedSensitiveStringUsage(safe), false);
+});
+
 test('detectores iOS de networking y JSON detectan Alamofire y JSONSerialization sin leer comentarios ni strings', () => {
   const source = `
 import Alamofire

package/core/facts/detectors/text/ios.ts

@@ -528,6 +528,13 @@ export const hasSwiftCustomSingletonUsage = (source: string): boolean => {
   });
 };
 
+export const hasSwiftSwinjectUsage = (source: string): boolean => {
+  return hasSwiftSanitizedRegexMatch(
+    source,
+    /\bimport\s+Swinject\b|\b(?:Container|Assembler)\s*\(/
+  );
+};
+
 export const hasSwiftMassiveViewControllerResponsibilityUsage = (source: string): boolean => {
   const sanitized = sanitizeSwiftSourceForMultilineRegex(source);
   const viewControllerPattern =
@@ -593,6 +600,13 @@ export const hasSwiftSensitiveLoggingUsage = (source: string): boolean => {
   });
 };
 
+export const hasSwiftHardcodedSensitiveStringUsage = (source: string): boolean => {
+  return collectSwiftRegexLines(
+    source,
+    /\b(?:(?:private|fileprivate|internal|public|open|static|class|final|lazy)\s+)*(?:let|var)\s+(?=[A-Za-z_])[A-Za-z0-9_]*(?:token|secret|password|apikey|clientsecret|privatekey|sessionid)[A-Za-z0-9_]*\s*(?::\s*String\s*)?=\s*""/i
+  ).length > 0;
+};
+
 export const hasSwiftAlamofireUsage = (source: string): boolean => {
   return (
     collectSwiftRegexLines(source, /^\s*import\s+Alamofire\b/).length > 0 ||

package/core/facts/extractHeuristicFacts.ts

@@ -649,11 +649,13 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftStrongDelegateReferenceUsage, ruleId: 'heuristics.ios.memory.strong-delegate.ast', code: 'HEURISTICS_IOS_MEMORY_STRONG_DELEGATE_AST', message: 'AST heuristic detected a strong delegate/dataSource reference; weak delegates remain the preferred baseline to avoid retain cycles.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftStrongSelfEscapingClosureUsage, ruleId: 'heuristics.ios.memory.strong-self-escaping-closure.ast', code: 'HEURISTICS_IOS_MEMORY_STRONG_SELF_ESCAPING_CLOSURE_AST', message: 'AST heuristic detected strong self capture in an escaping iOS closure; weak or unowned captures remain the preferred baseline when ownership is not explicit.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftCustomSingletonUsage, ruleId: 'heuristics.ios.architecture.custom-singleton.ast', code: 'HEURISTICS_IOS_ARCHITECTURE_CUSTOM_SINGLETON_AST', message: 'AST heuristic detected a custom static shared singleton in iOS production code; dependency injection remains the preferred baseline for app-owned services.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSwinjectUsage, ruleId: 'heuristics.ios.architecture.swinject.ast', code: 'HEURISTICS_IOS_ARCHITECTURE_SWINJECT_AST', message: 'AST heuristic detected Swinject usage; manual dependency injection or SwiftUI Environment remain the preferred native baseline.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftMassiveViewControllerResponsibilityUsage, ruleId: 'heuristics.ios.architecture.massive-view-controller.ast', code: 'HEURISTICS_IOS_ARCHITECTURE_MASSIVE_VIEW_CONTROLLER_AST', message: 'AST heuristic detected a UIViewController with direct infrastructure/data access; move data access behind application/domain boundaries.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftNonIBOutletImplicitlyUnwrappedOptionalUsage, ruleId: 'heuristics.ios.safety.non-iboutlet-iuo.ast', code: 'HEURISTICS_IOS_SAFETY_NON_IBOUTLET_IUO_AST', message: 'AST heuristic detected an implicitly unwrapped optional outside IBOutlet wiring; explicit optionals or initialization guarantees remain the preferred baseline.' },
   { platform: 'ios', pathCheck: isIOSPresentationPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftMagicNumberLayoutUsage, ruleId: 'heuristics.ios.maintainability.magic-number-layout.ast', code: 'HEURISTICS_IOS_MAINTAINABILITY_MAGIC_NUMBER_LAYOUT_AST', message: 'AST heuristic detected SwiftUI layout magic numbers; named constants or design tokens remain the preferred baseline.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAdHocLoggingUsage, ruleId: 'heuristics.ios.logging.adhoc-print.ast', code: 'HEURISTICS_IOS_LOGGING_ADHOC_PRINT_AST', message: 'AST heuristic detected print/debugPrint/dump/NSLog/os_log usage in iOS production code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSensitiveLoggingUsage, ruleId: 'heuristics.ios.logging.sensitive-data.ast', code: 'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST', message: 'AST heuristic detected sensitive data in an iOS logging call.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftHardcodedSensitiveStringUsage, ruleId: 'heuristics.ios.security.hardcoded-sensitive-string.ast', code: 'HEURISTICS_IOS_SECURITY_HARDCODED_SENSITIVE_STRING_AST', message: 'AST heuristic detected hardcoded sensitive Swift string; Keychain, secure config or environment-specific secrets remain the preferred baseline.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAlamofireUsage, ruleId: 'heuristics.ios.networking.alamofire.ast', code: 'HEURISTICS_IOS_NETWORKING_ALAMOFIRE_AST', message: 'AST heuristic detected Alamofire usage in iOS production code; URLSession remains the preferred baseline for new code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftJSONSerializationUsage, ruleId: 'heuristics.ios.json.jsonserialization.ast', code: 'HEURISTICS_IOS_JSON_JSONSERIALIZATION_AST', message: 'AST heuristic detected JSONSerialization usage in iOS production code; Codable remains the preferred baseline for new code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSensitiveUserDefaultsStorageUsage, ruleId: 'heuristics.ios.security.userdefaults-sensitive-data.ast', code: 'HEURISTICS_IOS_SECURITY_USERDEFAULTS_SENSITIVE_DATA_AST', message: 'AST heuristic detected sensitive data stored in UserDefaults/AppStorage; native Keychain remains the preferred baseline for secrets.' },

package/core/rules/presets/heuristics/ios.ts

@@ -238,6 +238,25 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_ARCHITECTURE_CUSTOM_SINGLETON_AST',
     },
   },
+  {
+    id: 'heuristics.ios.architecture.swinject.ast',
+    description: 'Detects Swinject usage in iOS production code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.architecture.swinject.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected Swinject usage; manual dependency injection or SwiftUI Environment remain the preferred native baseline.',
+      code: 'HEURISTICS_IOS_ARCHITECTURE_SWINJECT_AST',
+    },
+  },
   {
     id: 'heuristics.ios.architecture.massive-view-controller.ast',
     description: 'Detects UIViewController classes with direct infrastructure/data access.',
@@ -331,6 +350,25 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST',
     },
   },
+  {
+    id: 'heuristics.ios.security.hardcoded-sensitive-string.ast',
+    description: 'Detects hardcoded sensitive Swift string values in iOS production code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.security.hardcoded-sensitive-string.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected hardcoded sensitive Swift string; Keychain, secure config or environment-specific secrets remain the preferred baseline.',
+      code: 'HEURISTICS_IOS_SECURITY_HARDCODED_SENSITIVE_STRING_AST',
+    },
+  },
   {
     id: 'heuristics.ios.networking.alamofire.ast',
     description: 'Detects Alamofire usage in iOS production code; URLSession is the preferred baseline for new code.',

package/integrations/config/skillsDetectorRegistry.ts

@@ -82,6 +82,10 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'ios.architecture.custom-singleton',
     ['heuristics.ios.architecture.custom-singleton.ast']
   ),
+  'skills.ios.guideline.ios.swinject-prohibido-di-manual-o-environment': heuristicDetector(
+    'ios.architecture.swinject',
+    ['heuristics.ios.architecture.swinject.ast']
+  ),
   'skills.ios.guideline.ios.magic-numbers-usar-constantes-con-nombres': heuristicDetector(
     'ios.maintainability.magic-number-layout',
     ['heuristics.ios.maintainability.magic-number-layout.ast']
@@ -94,6 +98,10 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'ios.logging.sensitive-data',
     ['heuristics.ios.logging.sensitive-data.ast']
   ),
+  'skills.ios.guideline.ios.obfuscation-strings-sensibles-en-co-digo': heuristicDetector(
+    'ios.security.hardcoded-sensitive-string',
+    ['heuristics.ios.security.hardcoded-sensitive-string.ast']
+  ),
   'skills.ios.guideline.ios.alamofire-prohibido-usar-urlsession-nativo': heuristicDetector(
     'ios.networking.alamofire',
     ['heuristics.ios.networking.alamofire.ast']

package/integrations/config/skillsMarkdownRules.ts

@@ -480,6 +480,17 @@ const normalizeKnownRuleTarget = (
     ) {
       return 'skills.ios.guideline.ios.magic-numbers-usar-constantes-con-nombres';
     }
+    if (includes('swinject')) {
+      return 'skills.ios.guideline.ios.swinject-prohibido-di-manual-o-environment';
+    }
+    if (
+      includes('obfuscation') ||
+      includes('strings sensibles en codigo') ||
+      includes('strings sensibles en co digo') ||
+      includes('sensitive strings')
+    ) {
+      return 'skills.ios.guideline.ios.obfuscation-strings-sensibles-en-co-digo';
+    }
     if (
       includes('mixing legacy xctest style') ||
       includes('mixed xctest and swift testing') ||

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.214",
+  "version": "6.3.216",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/skills.lock.json

@@ -1,7 +1,7 @@
 {
   "version": "1.0",
   "compilerVersion": "1.0.0",
-  "generatedAt": "2026-05-13T13:13:49.119Z",
+  "generatedAt": "2026-05-13T13:25:12.010Z",
   "bundles": [
     {
       "name": "android-guidelines",
@@ -5764,7 +5764,7 @@
       "name": "ios-guidelines",
       "version": "1.0.0",
       "source": "file:vendor/skills/ios-enterprise-rules/SKILL.md",
-      "hash": "45fa3aefa9324032a7a0ce988d5546db63b0d64936bf81c4dbaa4906e5f4a544",
+      "hash": "c7b96d97cd02175dacf17b64cb8bdd1be7b5978dd2f74c7feb3bf3d462311467",
       "rules": [
         {
           "id": "skills.ios.guideline.ios.accessibility-identifiers-para-localizar-elementos",
@@ -7192,7 +7192,7 @@
           "sourcePath": "vendor/skills/ios-enterprise-rules/SKILL.md",
           "confidence": "MEDIUM",
           "locked": true,
-          "evaluationMode": "DECLARATIVE",
+          "evaluationMode": "AUTO",
           "origin": "core"
         },
         {
@@ -7912,7 +7912,7 @@
           "sourcePath": "vendor/skills/ios-enterprise-rules/SKILL.md",
           "confidence": "HIGH",
           "locked": true,
-          "evaluationMode": "DECLARATIVE",
+          "evaluationMode": "AUTO",
           "origin": "core"
         },
         {