pumuki 6.3.248 → 6.3.250
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
package/CHANGELOG.md
CHANGED
|
@@ -6,6 +6,14 @@ This project follows [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
|
6
6
|
|
|
7
7
|
## [Unreleased]
|
|
8
8
|
|
|
9
|
+
## [6.3.250] - 2026-05-14
|
|
10
|
+
|
|
11
|
+
### Fixed
|
|
12
|
+
|
|
13
|
+
- **Zero-violation gate contract:** runtime findings are blocking regardless of severity; `pumuki audit` no longer degrades findings to non-blocking warnings just because the runner returned exit 0.
|
|
14
|
+
- **AST-actionable findings contract:** scoped `skills.*` and `heuristics.*` matches without line, range or semantic node attribution are no longer emitted as advisory findings. A runtime finding must be actionable by AST/location evidence or it is not a gate finding.
|
|
15
|
+
- **Synthetic coverage findings removed from runtime gates:** cross-platform critical coverage gaps are no longer emitted as `.ai_evidence.json` findings. Coverage remains diagnostic metadata; runtime findings must be source-actionable.
|
|
16
|
+
|
|
9
17
|
## [6.3.248] - 2026-05-14
|
|
10
18
|
|
|
11
19
|
### Fixed
|
|
@@ -6,12 +6,14 @@ This file keeps only the operational highlights and rollout notes that matter wh
|
|
|
6
6
|
|
|
7
7
|
## 2026-04 (CLI stability and macOS notifications)
|
|
8
8
|
|
|
9
|
-
### 2026-05-14 (v6.3.
|
|
9
|
+
### 2026-05-14 (v6.3.250)
|
|
10
10
|
|
|
11
11
|
- **Normalización iOS mode-aware:** la línea activa conserva reglas iOS automatizables con evidencia concreta y deja como declarativas las reglas greenfield/brownfield que requieren contexto de adopción, baseline o migración.
|
|
12
12
|
- **Package smoke estable para fixtures Git:** los commits y pushes internos de preparación del consumer smoke no disparan hooks del paquete bajo prueba; el gate real sigue validándose en los pasos explícitos del smoke.
|
|
13
13
|
- **Smokes no interactivos sin diálogos macOS:** `PUMUKI_SYSTEM_NOTIFICATIONS=0` y `PUMUKI_NOTIFICATIONS=0` vuelven a apagar el canal de sistema, evitando bloqueos por Swift dialog en validaciones de release.
|
|
14
|
-
- **
|
|
14
|
+
- **Zero-violation real:** cualquier finding runtime emitido por regla activa bloquea; los matches scoped sin línea/rango/nodo AST dejan de publicarse como findings advisory.
|
|
15
|
+
- **AST accionable obligatorio:** los gaps sintéticos de cobertura cross-platform dejan de emitirse como findings sobre `.ai_evidence.json`; la cobertura queda como metadato diagnóstico y las findings runtime deben apuntar a código accionable.
|
|
16
|
+
- **Rollout recomendado:** publicar `pumuki@6.3.250` tras el test suite global verde; `validation:package-smoke`, metadata local y `PRE_WRITE` strict/advisory quedan alineados para esta versión.
|
|
15
17
|
|
|
16
18
|
### 2026-04-25 (v6.3.116)
|
|
17
19
|
|
|
@@ -693,13 +693,7 @@ const collectPreWriteCrossPlatformCriticalViolations = (params: {
|
|
|
693
693
|
return [];
|
|
694
694
|
}
|
|
695
695
|
|
|
696
|
-
return [
|
|
697
|
-
toSkillsViolation(
|
|
698
|
-
params.skillsEnforcement,
|
|
699
|
-
'EVIDENCE_CROSS_PLATFORM_CRITICAL_ENFORCEMENT_INCOMPLETE',
|
|
700
|
-
`Cross-platform critical enforcement incomplete in PRE_WRITE: ${missingCriticalCoverage.join(' | ')}.`
|
|
701
|
-
),
|
|
702
|
-
];
|
|
696
|
+
return [];
|
|
703
697
|
};
|
|
704
698
|
|
|
705
699
|
const toSkillsContractAssessment = (params: {
|
|
@@ -945,15 +939,6 @@ const toSkillsContractAssessment = (params: {
|
|
|
945
939
|
)
|
|
946
940
|
);
|
|
947
941
|
}
|
|
948
|
-
if (!transversalCriticalCovered && requiredAnyTransversalCriticalRuleIds.length > 0) {
|
|
949
|
-
violations.push(
|
|
950
|
-
toSkillsViolation(
|
|
951
|
-
params.skillsEnforcement,
|
|
952
|
-
'EVIDENCE_CROSS_PLATFORM_CRITICAL_ENFORCEMENT_INCOMPLETE',
|
|
953
|
-
`Skills contract missing transversal critical coverage for ${platform}: required_any=[${requiredAnyTransversalCriticalRuleIds.join(', ')}].`
|
|
954
|
-
)
|
|
955
|
-
);
|
|
956
|
-
}
|
|
957
942
|
}
|
|
958
943
|
|
|
959
944
|
return {
|
|
@@ -101,20 +101,6 @@ const hasActionableFindingLocation = (finding: Finding): boolean => {
|
|
|
101
101
|
);
|
|
102
102
|
};
|
|
103
103
|
|
|
104
|
-
const toNonActionableScopedAdvisoryFinding = (finding: Finding): Finding => ({
|
|
105
|
-
...finding,
|
|
106
|
-
blocking: false,
|
|
107
|
-
message:
|
|
108
|
-
`${finding.message} ` +
|
|
109
|
-
'(Advisory: Pumuki no pudo atribuir este hallazgo a una linea, rango o nodo accionable en el scope actual.)',
|
|
110
|
-
why:
|
|
111
|
-
finding.why ??
|
|
112
|
-
'El gate esta limitado a un scope acotado y este finding solo pudo atribuirse al archivo completo.',
|
|
113
|
-
expected_fix:
|
|
114
|
-
finding.expected_fix ??
|
|
115
|
-
'Reintentar cuando el detector aporte lineas, rango, simbolo o nodo; mientras tanto no bloquea el slice acotado.',
|
|
116
|
-
});
|
|
117
|
-
|
|
118
104
|
const normalizeScopedRuleEngineFindings = (params: {
|
|
119
105
|
findings: ReadonlyArray<Finding>;
|
|
120
106
|
scope: GateScope;
|
|
@@ -123,15 +109,15 @@ const normalizeScopedRuleEngineFindings = (params: {
|
|
|
123
109
|
return params.findings;
|
|
124
110
|
}
|
|
125
111
|
|
|
126
|
-
return params.findings.
|
|
112
|
+
return params.findings.filter((finding) => {
|
|
127
113
|
if (
|
|
128
114
|
!finding.filePath ||
|
|
129
115
|
hasActionableFindingLocation(finding) ||
|
|
130
116
|
(!finding.ruleId.startsWith('skills.') && !finding.ruleId.startsWith('heuristics.'))
|
|
131
117
|
) {
|
|
132
|
-
return
|
|
118
|
+
return true;
|
|
133
119
|
}
|
|
134
|
-
return
|
|
120
|
+
return false;
|
|
135
121
|
});
|
|
136
122
|
};
|
|
137
123
|
|
|
@@ -808,50 +794,7 @@ const toCrossPlatformCriticalEnforcementBlockingFinding = (params: {
|
|
|
808
794
|
return undefined;
|
|
809
795
|
}
|
|
810
796
|
|
|
811
|
-
|
|
812
|
-
const gaps: string[] = [];
|
|
813
|
-
|
|
814
|
-
for (const platform of detectedPlatformKeys) {
|
|
815
|
-
const rulePrefix = PLATFORM_SKILLS_RULE_PREFIXES[platform];
|
|
816
|
-
const criticalSkillRules = params.skillsRules
|
|
817
|
-
.filter(
|
|
818
|
-
(rule) =>
|
|
819
|
-
rule.id.startsWith(rulePrefix) &&
|
|
820
|
-
isCriticalProfileSeverity(rule.severity)
|
|
821
|
-
)
|
|
822
|
-
.map((rule) => rule.id)
|
|
823
|
-
.sort();
|
|
824
|
-
|
|
825
|
-
if (criticalSkillRules.length === 0) {
|
|
826
|
-
gaps.push(`${platform}{critical_profile_rules=missing}`);
|
|
827
|
-
continue;
|
|
828
|
-
}
|
|
829
|
-
|
|
830
|
-
const evaluatedCriticalSkillRules = criticalSkillRules.filter((ruleId) =>
|
|
831
|
-
evaluatedRuleIds.has(ruleId)
|
|
832
|
-
);
|
|
833
|
-
if (evaluatedCriticalSkillRules.length === 0) {
|
|
834
|
-
gaps.push(
|
|
835
|
-
`${platform}{critical_profile_rules=${criticalSkillRules.length}; evaluated=0}`
|
|
836
|
-
);
|
|
837
|
-
}
|
|
838
|
-
}
|
|
839
|
-
|
|
840
|
-
if (gaps.length === 0) {
|
|
841
|
-
return undefined;
|
|
842
|
-
}
|
|
843
|
-
|
|
844
|
-
return {
|
|
845
|
-
ruleId: 'governance.skills.cross-platform-critical.incomplete',
|
|
846
|
-
severity: 'ERROR',
|
|
847
|
-
code: 'SKILLS_CROSS_PLATFORM_CRITICAL_INCOMPLETE_S0',
|
|
848
|
-
message:
|
|
849
|
-
`Cross-platform critical enforcement incomplete at ${params.stage}: ${gaps.join(' | ')}. ` +
|
|
850
|
-
'Ensure each detected platform has critical-profile skill rules active and evaluated.',
|
|
851
|
-
filePath: '.ai_evidence.json',
|
|
852
|
-
matchedBy: 'SkillsCrossPlatformCriticalGuard',
|
|
853
|
-
source: 'skills-cross-platform-critical',
|
|
854
|
-
};
|
|
797
|
+
return undefined;
|
|
855
798
|
};
|
|
856
799
|
|
|
857
800
|
const shouldBlockFromFinding = (finding: Finding | undefined): boolean => {
|
|
@@ -283,22 +283,6 @@ const toLifecycleAuditFinding = (finding: SnapshotFinding): LifecycleAuditFindin
|
|
|
283
283
|
blocking: isFindingBlocking(finding),
|
|
284
284
|
});
|
|
285
285
|
|
|
286
|
-
const toGateAllowedAuditAdvisoryFinding = (
|
|
287
|
-
finding: LifecycleAuditFinding
|
|
288
|
-
): LifecycleAuditFinding => {
|
|
289
|
-
if (!finding.blocking) {
|
|
290
|
-
return finding;
|
|
291
|
-
}
|
|
292
|
-
return {
|
|
293
|
-
...finding,
|
|
294
|
-
severity: 'WARN',
|
|
295
|
-
blocking: false,
|
|
296
|
-
message:
|
|
297
|
-
`${finding.message} ` +
|
|
298
|
-
'(Advisory: current audit gate exited 0, so this finding is not blocking for this run.)',
|
|
299
|
-
};
|
|
300
|
-
};
|
|
301
|
-
|
|
302
286
|
const buildBlockedWithoutFindingsFallback = (params: {
|
|
303
287
|
stage: LifecycleAuditStage;
|
|
304
288
|
gateExitCode: number;
|
|
@@ -540,13 +524,14 @@ export const runLifecycleAudit = async (params: {
|
|
|
540
524
|
? findings.map(toRangeNoSupportedCodeAuditAdvisoryFinding)
|
|
541
525
|
: stagedWithoutSupportedCode
|
|
542
526
|
? findings.map(toStagedNoSupportedCodeAuditAdvisoryFinding)
|
|
543
|
-
: gateAllowed
|
|
544
|
-
? findings.map(toGateAllowedAuditAdvisoryFinding)
|
|
545
527
|
: findings;
|
|
528
|
+
const hasBlockingFinding = effectiveFindings.some((finding) => finding.blocking);
|
|
546
529
|
const gateExitCode =
|
|
547
530
|
scopedGlobalEnforcementOnly || rangePrePushWithoutSupportedCodeSddOnly || stagedWithoutSupportedCode
|
|
548
531
|
? 0
|
|
549
|
-
:
|
|
532
|
+
: hasBlockingFinding
|
|
533
|
+
? 1
|
|
534
|
+
: originalGateExitCode;
|
|
550
535
|
const effectiveSnapshotOutcome =
|
|
551
536
|
gateExitCode === 0 && snapshotOutcome === 'BLOCK' ? 'PASS' : snapshotOutcome;
|
|
552
537
|
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "pumuki",
|
|
3
|
-
"version": "6.3.
|
|
3
|
+
"version": "6.3.250",
|
|
4
4
|
"description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
|
|
5
5
|
"main": "index.js",
|
|
6
6
|
"bin": {
|