pumuki 6.3.248 → 6.3.249

package/CHANGELOG.md

@@ -6,6 +6,13 @@ This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
 ## [Unreleased]
 
+## [6.3.249] - 2026-05-14
+
+### Fixed
+
+- **Zero-violation gate contract:** runtime findings are blocking regardless of severity; `pumuki audit` no longer degrades findings to non-blocking warnings just because the runner returned exit 0.
+- **AST-actionable findings contract:** scoped `skills.*` and `heuristics.*` matches without line, range or semantic node attribution are no longer emitted as advisory findings. A runtime finding must be actionable by AST/location evidence or it is not a gate finding.
+
 ## [6.3.248] - 2026-05-14
 
 ### Fixed

package/docs/operations/RELEASE_NOTES.md

@@ -6,12 +6,13 @@ This file keeps only the operational highlights and rollout notes that matter wh
 
 ## 2026-04 (CLI stability and macOS notifications)
 
-### 2026-05-14 (v6.3.248)
+### 2026-05-14 (v6.3.249)
 
 - **Normalización iOS mode-aware:** la línea activa conserva reglas iOS automatizables con evidencia concreta y deja como declarativas las reglas greenfield/brownfield que requieren contexto de adopción, baseline o migración.
 - **Package smoke estable para fixtures Git:** los commits y pushes internos de preparación del consumer smoke no disparan hooks del paquete bajo prueba; el gate real sigue validándose en los pasos explícitos del smoke.
 - **Smokes no interactivos sin diálogos macOS:** `PUMUKI_SYSTEM_NOTIFICATIONS=0` y `PUMUKI_NOTIFICATIONS=0` vuelven a apagar el canal de sistema, evitando bloqueos por Swift dialog en validaciones de release.
-- **Rollout recomendado:** publicar `pumuki@6.3.248` tras el test suite global verde; `validation:package-smoke`, metadata local y `PRE_WRITE` strict/advisory quedan alineados para esta versión.
+- **Zero-violation real:** cualquier finding runtime emitido por regla activa bloquea; los matches scoped sin línea/rango/nodo AST dejan de publicarse como findings advisory.
+- **Rollout recomendado:** publicar `pumuki@6.3.249` tras el test suite global verde; `validation:package-smoke`, metadata local y `PRE_WRITE` strict/advisory quedan alineados para esta versión.
 
 ### 2026-04-25 (v6.3.116)
 

package/integrations/git/runPlatformGate.ts

@@ -101,20 +101,6 @@ const hasActionableFindingLocation = (finding: Finding): boolean => {
   );
 };
 
-const toNonActionableScopedAdvisoryFinding = (finding: Finding): Finding => ({
-  ...finding,
-  blocking: false,
-  message:
-    `${finding.message} ` +
-    '(Advisory: Pumuki no pudo atribuir este hallazgo a una linea, rango o nodo accionable en el scope actual.)',
-  why:
-    finding.why ??
-    'El gate esta limitado a un scope acotado y este finding solo pudo atribuirse al archivo completo.',
-  expected_fix:
-    finding.expected_fix ??
-    'Reintentar cuando el detector aporte lineas, rango, simbolo o nodo; mientras tanto no bloquea el slice acotado.',
-});
-
 const normalizeScopedRuleEngineFindings = (params: {
   findings: ReadonlyArray<Finding>;
   scope: GateScope;
@@ -123,15 +109,15 @@ const normalizeScopedRuleEngineFindings = (params: {
     return params.findings;
   }
 
-  return params.findings.map((finding) => {
+  return params.findings.filter((finding) => {
     if (
       !finding.filePath ||
       hasActionableFindingLocation(finding) ||
       (!finding.ruleId.startsWith('skills.') && !finding.ruleId.startsWith('heuristics.'))
     ) {
-      return finding;
+      return true;
     }
-    return toNonActionableScopedAdvisoryFinding(finding);
+    return false;
   });
 };
 

package/integrations/lifecycle/audit.ts

@@ -283,22 +283,6 @@ const toLifecycleAuditFinding = (finding: SnapshotFinding): LifecycleAuditFindin
   blocking: isFindingBlocking(finding),
 });
 
-const toGateAllowedAuditAdvisoryFinding = (
-  finding: LifecycleAuditFinding
-): LifecycleAuditFinding => {
-  if (!finding.blocking) {
-    return finding;
-  }
-  return {
-    ...finding,
-    severity: 'WARN',
-    blocking: false,
-    message:
-      `${finding.message} ` +
-      '(Advisory: current audit gate exited 0, so this finding is not blocking for this run.)',
-  };
-};
-
 const buildBlockedWithoutFindingsFallback = (params: {
   stage: LifecycleAuditStage;
   gateExitCode: number;
@@ -540,13 +524,14 @@ export const runLifecycleAudit = async (params: {
       ? findings.map(toRangeNoSupportedCodeAuditAdvisoryFinding)
     : stagedWithoutSupportedCode
       ? findings.map(toStagedNoSupportedCodeAuditAdvisoryFinding)
-    : gateAllowed
-      ? findings.map(toGateAllowedAuditAdvisoryFinding)
       : findings;
+  const hasBlockingFinding = effectiveFindings.some((finding) => finding.blocking);
   const gateExitCode =
     scopedGlobalEnforcementOnly || rangePrePushWithoutSupportedCodeSddOnly || stagedWithoutSupportedCode
       ? 0
-      : originalGateExitCode;
+      : hasBlockingFinding
+        ? 1
+        : originalGateExitCode;
   const effectiveSnapshotOutcome =
     gateExitCode === 0 && snapshotOutcome === 'BLOCK' ? 'PASS' : snapshotOutcome;
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.248",
+  "version": "6.3.249",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {