pumuki 6.3.215 → 6.3.217

package/core/facts/detectors/text/ios.test.ts

@@ -23,6 +23,7 @@ import {
   hasSwiftForceUnwrap,
   hasSwiftGeometryReaderUsage,
   hasSwiftHardcodedUiStringUsage,
+  hasSwiftHardcodedSensitiveStringUsage,
   hasSwiftIconOnlyControlWithoutAccessibilityLabelUsage,
   hasSwiftLooseAssetResourceUsage,
   hasSwiftLegacyOnChangeUsage,
@@ -426,6 +427,25 @@ logger.error("Refresh failed \\(refreshToken)")
   assert.equal(hasSwiftSensitiveLoggingUsage(structuredSafe), false);
 });
 
+test('hasSwiftHardcodedSensitiveStringUsage detecta secretos hardcodeados en Swift productivo', () => {
+  const source = `
+final class Credentials {
+  let apiKey = "sk_live_123456789"
+  private var refreshToken: String = "refresh-token-123456"
+}
+`;
+  const safe = `
+final class Credentials {
+  let apiKey = keychain.read("api_key")
+  let label = "public title"
+  // let apiKey = "sk_live_123456789"
+}
+`;
+
+  assert.equal(hasSwiftHardcodedSensitiveStringUsage(source), true);
+  assert.equal(hasSwiftHardcodedSensitiveStringUsage(safe), false);
+});
+
 test('detectores iOS de networking y JSON detectan Alamofire y JSONSerialization sin leer comentarios ni strings', () => {
   const source = `
 import Alamofire

package/core/facts/detectors/text/ios.ts

@@ -600,6 +600,13 @@ export const hasSwiftSensitiveLoggingUsage = (source: string): boolean => {
   });
 };
 
+export const hasSwiftHardcodedSensitiveStringUsage = (source: string): boolean => {
+  return collectSwiftRegexLines(
+    source,
+    /\b(?:(?:private|fileprivate|internal|public|open|static|class|final|lazy)\s+)*(?:let|var)\s+(?=[A-Za-z_])[A-Za-z0-9_]*(?:token|secret|password|apikey|clientsecret|privatekey|sessionid)[A-Za-z0-9_]*\s*(?::\s*String\s*)?=\s*""/i
+  ).length > 0;
+};
+
 export const hasSwiftAlamofireUsage = (source: string): boolean => {
   return (
     collectSwiftRegexLines(source, /^\s*import\s+Alamofire\b/).length > 0 ||

package/core/facts/extractHeuristicFacts.ts

@@ -655,6 +655,7 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'ios', pathCheck: isIOSPresentationPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftMagicNumberLayoutUsage, ruleId: 'heuristics.ios.maintainability.magic-number-layout.ast', code: 'HEURISTICS_IOS_MAINTAINABILITY_MAGIC_NUMBER_LAYOUT_AST', message: 'AST heuristic detected SwiftUI layout magic numbers; named constants or design tokens remain the preferred baseline.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAdHocLoggingUsage, ruleId: 'heuristics.ios.logging.adhoc-print.ast', code: 'HEURISTICS_IOS_LOGGING_ADHOC_PRINT_AST', message: 'AST heuristic detected print/debugPrint/dump/NSLog/os_log usage in iOS production code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSensitiveLoggingUsage, ruleId: 'heuristics.ios.logging.sensitive-data.ast', code: 'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST', message: 'AST heuristic detected sensitive data in an iOS logging call.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftHardcodedSensitiveStringUsage, ruleId: 'heuristics.ios.security.hardcoded-sensitive-string.ast', code: 'HEURISTICS_IOS_SECURITY_HARDCODED_SENSITIVE_STRING_AST', message: 'AST heuristic detected hardcoded sensitive Swift string; Keychain, secure config or environment-specific secrets remain the preferred baseline.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAlamofireUsage, ruleId: 'heuristics.ios.networking.alamofire.ast', code: 'HEURISTICS_IOS_NETWORKING_ALAMOFIRE_AST', message: 'AST heuristic detected Alamofire usage in iOS production code; URLSession remains the preferred baseline for new code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftJSONSerializationUsage, ruleId: 'heuristics.ios.json.jsonserialization.ast', code: 'HEURISTICS_IOS_JSON_JSONSERIALIZATION_AST', message: 'AST heuristic detected JSONSerialization usage in iOS production code; Codable remains the preferred baseline for new code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSensitiveUserDefaultsStorageUsage, ruleId: 'heuristics.ios.security.userdefaults-sensitive-data.ast', code: 'HEURISTICS_IOS_SECURITY_USERDEFAULTS_SENSITIVE_DATA_AST', message: 'AST heuristic detected sensitive data stored in UserDefaults/AppStorage; native Keychain remains the preferred baseline for secrets.' },

package/core/rules/presets/heuristics/ios.ts

@@ -350,6 +350,25 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_LOGGING_SENSITIVE_DATA_AST',
     },
   },
+  {
+    id: 'heuristics.ios.security.hardcoded-sensitive-string.ast',
+    description: 'Detects hardcoded sensitive Swift string values in iOS production code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.security.hardcoded-sensitive-string.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected hardcoded sensitive Swift string; Keychain, secure config or environment-specific secrets remain the preferred baseline.',
+      code: 'HEURISTICS_IOS_SECURITY_HARDCODED_SENSITIVE_STRING_AST',
+    },
+  },
   {
     id: 'heuristics.ios.networking.alamofire.ast',
     description: 'Detects Alamofire usage in iOS production code; URLSession is the preferred baseline for new code.',

package/integrations/config/skillsDetectorRegistry.ts

@@ -98,6 +98,10 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'ios.logging.sensitive-data',
     ['heuristics.ios.logging.sensitive-data.ast']
   ),
+  'skills.ios.guideline.ios.obfuscation-strings-sensibles-en-co-digo': heuristicDetector(
+    'ios.security.hardcoded-sensitive-string',
+    ['heuristics.ios.security.hardcoded-sensitive-string.ast']
+  ),
   'skills.ios.guideline.ios.alamofire-prohibido-usar-urlsession-nativo': heuristicDetector(
     'ios.networking.alamofire',
     ['heuristics.ios.networking.alamofire.ast']

package/integrations/config/skillsMarkdownRules.ts

@@ -483,6 +483,14 @@ const normalizeKnownRuleTarget = (
     if (includes('swinject')) {
       return 'skills.ios.guideline.ios.swinject-prohibido-di-manual-o-environment';
     }
+    if (
+      includes('obfuscation') ||
+      includes('strings sensibles en codigo') ||
+      includes('strings sensibles en co digo') ||
+      includes('sensitive strings')
+    ) {
+      return 'skills.ios.guideline.ios.obfuscation-strings-sensibles-en-co-digo';
+    }
     if (
       includes('mixing legacy xctest style') ||
       includes('mixed xctest and swift testing') ||

package/integrations/gate/evaluateAiGate.ts

@@ -1144,7 +1144,15 @@ const collectEvidenceViolations = (
   }
 
   if (result.evidence.ai_gate.status === 'BLOCKED') {
-    violations.push(toErrorViolation('EVIDENCE_GATE_BLOCKED', 'Evidence AI gate status is BLOCKED.'));
+    const gateBlockedMessage = 'Evidence AI gate status is BLOCKED.';
+    violations.push(
+      isAdvisoryDocumentationRenderSlice(repoRoot, ageSeconds, maxAgeSeconds)
+        ? toWarnViolation(
+            'EVIDENCE_GATE_BLOCKED',
+            `${gateBlockedMessage} Advisory because the current slice only contains documentation/render/tooling artifacts and evidence is fresh.`
+          )
+        : toErrorViolation('EVIDENCE_GATE_BLOCKED', gateBlockedMessage)
+    );
   }
 
   if (stage === 'PRE_WRITE') {
@@ -1164,6 +1172,107 @@ const collectEvidenceViolations = (
   return { violations, ageSeconds };
 };
 
+const SUPPORTED_FUNCTIONAL_EXTENSIONS = new Set([
+  '.swift',
+  '.ts',
+  '.tsx',
+  '.js',
+  '.jsx',
+  '.kt',
+  '.kts',
+]);
+
+const DOCUMENTATION_RENDER_TOOLING_EXTENSIONS = new Set([
+  '.css',
+  '.html',
+  '.json',
+  '.md',
+  '.mdx',
+  '.txt',
+]);
+
+const normalizeGitPath = (value: string): string => value.replace(/\\/g, '/').replace(/^"|"$/g, '');
+
+const extractGitStatusPath = (line: string): string | null => {
+  const payload = line.slice(3).trim();
+  if (payload.length === 0) {
+    return null;
+  }
+  const renameSeparator = ' -> ';
+  if (payload.includes(renameSeparator)) {
+    return normalizeGitPath(payload.slice(payload.lastIndexOf(renameSeparator) + renameSeparator.length));
+  }
+  return normalizeGitPath(payload);
+};
+
+const collectGitStatusPaths = (repoRoot: string): readonly string[] => {
+  if (!existsSync(resolve(repoRoot, '.git'))) {
+    return [];
+  }
+  try {
+    return execFileSync('git', ['status', '--porcelain', '--untracked-files=all'], {
+      cwd: repoRoot,
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'ignore'],
+    })
+      .split(/\r?\n/)
+      .map(extractGitStatusPath)
+      .filter((path): path is string => path !== null);
+  } catch {
+    return [];
+  }
+};
+
+const pathExtension = (path: string): string => {
+  const basename = path.split('/').pop() ?? '';
+  const dotIndex = basename.lastIndexOf('.');
+  return dotIndex >= 0 ? basename.slice(dotIndex).toLowerCase() : '';
+};
+
+const isSupportedFunctionalPath = (path: string): boolean =>
+  SUPPORTED_FUNCTIONAL_EXTENSIONS.has(pathExtension(path));
+
+const isDocumentationRenderToolingPath = (path: string): boolean => {
+  const normalized = path.toLowerCase();
+  if (normalized.startsWith('docs/') && DOCUMENTATION_RENDER_TOOLING_EXTENSIONS.has(pathExtension(normalized))) {
+    return true;
+  }
+  if (normalized.endsWith('.md') || normalized.endsWith('.mdx')) {
+    return true;
+  }
+  if (
+    normalized.startsWith('stack-my-architecture-pumuki/dist/') ||
+    normalized.startsWith('stack-my-architecture-hub/pumuki/')
+  ) {
+    return DOCUMENTATION_RENDER_TOOLING_EXTENSIONS.has(pathExtension(normalized));
+  }
+  if (normalized === 'stack-my-architecture-pumuki/scripts/build-html.py') {
+    return true;
+  }
+  if (normalized === 'package.json' || normalized === 'package-lock.json') {
+    return true;
+  }
+  return false;
+};
+
+const isAdvisoryDocumentationRenderSlice = (
+  repoRoot: string,
+  ageSeconds: number,
+  maxAgeSeconds: number
+): boolean => {
+  if (ageSeconds > maxAgeSeconds) {
+    return false;
+  }
+  const paths = collectGitStatusPaths(repoRoot);
+  if (paths.length === 0) {
+    return false;
+  }
+  return (
+    paths.every(isDocumentationRenderToolingPath) &&
+    !paths.some(isSupportedFunctionalPath)
+  );
+};
+
 const toEvidenceSourceDescriptor = (
   result: EvidenceReadResult,
   repoRoot: string

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.215",
+  "version": "6.3.217",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/skills.lock.json

@@ -1,7 +1,7 @@
 {
   "version": "1.0",
   "compilerVersion": "1.0.0",
-  "generatedAt": "2026-05-13T13:18:11.822Z",
+  "generatedAt": "2026-05-13T13:30:09.135Z",
   "bundles": [
     {
       "name": "android-guidelines",
@@ -5764,7 +5764,7 @@
       "name": "ios-guidelines",
       "version": "1.0.0",
       "source": "file:vendor/skills/ios-enterprise-rules/SKILL.md",
-      "hash": "45d9315671888e71b9f038d52026b4d1da3e3ac41312749be77c5ed44b52958b",
+      "hash": "c7b96d97cd02175dacf17b64cb8bdd1be7b5978dd2f74c7feb3bf3d462311467",
       "rules": [
         {
           "id": "skills.ios.guideline.ios.accessibility-identifiers-para-localizar-elementos",
@@ -7192,7 +7192,7 @@
           "sourcePath": "vendor/skills/ios-enterprise-rules/SKILL.md",
           "confidence": "MEDIUM",
           "locked": true,
-          "evaluationMode": "DECLARATIVE",
+          "evaluationMode": "AUTO",
           "origin": "core"
         },
         {