pumuki 6.3.26 → 6.3.28

package/scripts/check-p9-ruralgo-runtime-ready.ts

@@ -0,0 +1,188 @@
+import { execFileSync } from 'node:child_process';
+import { existsSync, readFileSync } from 'node:fs';
+import { join } from 'node:path';
+import process from 'node:process';
+import {
+  evaluateP9RuralgoRuntimeReadiness,
+  normalizeSemverToken,
+  type P9RuralgoRuntimePolicy,
+} from './p9-ruralgo-runtime-ready-lib';
+
+type CliOptions = {
+  repoPath: string;
+  json: boolean;
+  policy: P9RuralgoRuntimePolicy;
+};
+
+type PackageJsonEngines = {
+  engines?: {
+    node?: string;
+    npm?: string;
+  };
+};
+
+const DEFAULT_REPO_PATH =
+  '/Users/juancarlosmerlosalbarracin/Developer/Projects/ruralgo-fork';
+
+const printHelp = (): void => {
+  process.stdout.write(
+    [
+      'Uso:',
+      '  node --import tsx scripts/check-p9-ruralgo-runtime-ready.ts [opciones]',
+      '',
+      'Opciones:',
+      '  --repo=<path>                 Ruta del repo ruralgo-fork (default: ~/Developer/Projects/ruralgo-fork)',
+      '  --allow-missing-node-engine   No falla si falta engines.node',
+      '  --allow-missing-npm-engine    No falla si falta engines.npm',
+      '  --json                        Salida JSON',
+      '  --help                        Muestra ayuda',
+      '',
+      'Exit code:',
+      '  0 => runtime listo para F1.T1',
+      '  1 => runtime no listo',
+      '',
+    ].join('\n'),
+  );
+};
+
+const parseArgs = (argv: ReadonlyArray<string>): CliOptions => {
+  const options: CliOptions = {
+    repoPath: DEFAULT_REPO_PATH,
+    json: false,
+    policy: {
+      requireNodeEngine: true,
+      requireNpmEngine: true,
+    },
+  };
+
+  for (const arg of argv) {
+    if (arg === '--json') {
+      options.json = true;
+      continue;
+    }
+    if (arg === '--allow-missing-node-engine') {
+      options.policy.requireNodeEngine = false;
+      continue;
+    }
+    if (arg === '--allow-missing-npm-engine') {
+      options.policy.requireNpmEngine = false;
+      continue;
+    }
+    if (arg.startsWith('--repo=')) {
+      options.repoPath = arg.slice('--repo='.length);
+      continue;
+    }
+    throw new Error(`Argumento no soportado: ${arg}`);
+  }
+
+  return options;
+};
+
+const resolveCurrentNpmVersion = (repoPath: string): string | null => {
+  try {
+    const version = execFileSync('npm', ['-v'], {
+      cwd: repoPath,
+      encoding: 'utf8',
+      stdio: ['ignore', 'pipe', 'pipe'],
+    }).trim();
+    return version.length > 0 ? version : null;
+  } catch {
+    const userAgent = process.env.npm_config_user_agent ?? '';
+    const match = userAgent.match(/npm\/(\d+\.\d+\.\d+)/);
+    return match ? match[1] : null;
+  }
+};
+
+const main = (): number => {
+  const argv = process.argv.slice(2);
+  if (argv.includes('--help')) {
+    printHelp();
+    return 0;
+  }
+
+  let options: CliOptions;
+  try {
+    options = parseArgs(argv);
+  } catch (error) {
+    process.stderr.write(`[p9][runtime-ready] ${(error as Error).message}\n`);
+    process.stderr.write('Usa --help para ver opciones.\n');
+    return 1;
+  }
+
+  const packageJsonPath = join(options.repoPath, 'package.json');
+  const packageJsonAvailable = existsSync(packageJsonPath);
+  let packageJsonValid = false;
+  let requiredNode: string | null = null;
+  let requiredNpm: string | null = null;
+
+  if (packageJsonAvailable) {
+    try {
+      const packageJson = JSON.parse(
+        readFileSync(packageJsonPath, 'utf8'),
+      ) as PackageJsonEngines;
+      packageJsonValid = true;
+      requiredNode = packageJson.engines?.node ?? null;
+      requiredNpm = packageJson.engines?.npm ?? null;
+    } catch {
+      packageJsonValid = false;
+    }
+  }
+
+  const result = evaluateP9RuralgoRuntimeReadiness(
+    {
+      packageJsonAvailable,
+      packageJsonValid,
+      requiredNode,
+      requiredNpm,
+      currentNode: normalizeSemverToken(process.versions.node),
+      currentNpm: resolveCurrentNpmVersion(options.repoPath),
+    },
+    options.policy,
+  );
+
+  const payload = {
+    ready: result.ready,
+    repoPath: options.repoPath,
+    required: {
+      node: requiredNode,
+      npm: requiredNpm,
+    },
+    current: {
+      node: normalizeSemverToken(process.versions.node),
+      npm: resolveCurrentNpmVersion(options.repoPath),
+    },
+    policy: options.policy,
+    issues: result.issues,
+  };
+
+  if (options.json) {
+    process.stdout.write(`${JSON.stringify(payload, null, 2)}\n`);
+  } else {
+    process.stdout.write('[p9][runtime-ready] PRECHECK\n');
+    process.stdout.write(`[p9][runtime-ready] repo=${payload.repoPath}\n`);
+    process.stdout.write(
+      `[p9][runtime-ready] required.node=${payload.required.node ?? 'n/a'} required.npm=${
+        payload.required.npm ?? 'n/a'
+      }\n`,
+    );
+    process.stdout.write(
+      `[p9][runtime-ready] current.node=${payload.current.node ?? 'n/a'} current.npm=${
+        payload.current.npm ?? 'n/a'
+      }\n`,
+    );
+    process.stdout.write(
+      `[p9][runtime-ready] status=${payload.ready ? 'READY' : 'NOT_READY'} issues=${
+        payload.issues.length
+      }\n`,
+    );
+    for (const issue of payload.issues) {
+      process.stdout.write(
+        `[p9][runtime-ready][${issue.severity}] ${issue.code}: ${issue.message}\n`,
+      );
+    }
+  }
+
+  return payload.ready ? 0 : 1;
+};
+
+process.exitCode = main();

package/scripts/check-package-manifest.ts

@@ -15,6 +15,7 @@ export type PackPayload = {
 type PackageJson = {
   name?: string;
   version?: string;
+  exports?: unknown;
 };
 
 type ReadTextFile = (path: string, encoding: BufferEncoding) => string;
@@ -35,6 +36,43 @@ type NpmPackDryRunPayload = {
   files?: NpmPackDryRunFile[];
 };
 
+export type InvalidRuntimeExportTarget = {
+  subpath: string;
+  target: string;
+};
+
+const RUNTIME_EXPORT_TARGET_PATTERN = /\.(?:[cm]?js|json|node)$/;
+
+const collectExportTargets = (
+  value: unknown,
+  subpath: string,
+  acc: InvalidRuntimeExportTarget[]
+): void => {
+  if (typeof value === 'string') {
+    if (!RUNTIME_EXPORT_TARGET_PATTERN.test(value)) {
+      acc.push({ subpath, target: value });
+    }
+    return;
+  }
+
+  if (value && typeof value === 'object') {
+    for (const [key, nestedValue] of Object.entries(value)) {
+      const nestedSubpath = key.startsWith('.') || subpath === '(root)'
+        ? key
+        : `${subpath}.${key}`;
+      collectExportTargets(nestedValue, nestedSubpath, acc);
+    }
+  }
+};
+
+export const findInvalidRuntimeExportTargets = (
+  exportsField: unknown
+): ReadonlyArray<InvalidRuntimeExportTarget> => {
+  const invalid: InvalidRuntimeExportTarget[] = [];
+  collectExportTargets(exportsField, '(root)', invalid);
+  return invalid.sort((a, b) => a.subpath.localeCompare(b.subpath) || a.target.localeCompare(b.target));
+};
+
 const parseNpmPackDryRunFiles = (stdout: string): ReadonlyArray<string> => {
   let parsed: unknown;
   try {
@@ -138,6 +176,17 @@ export const runPackageManifestCheck = async (
     );
   }
 
+  const packageJsonPath = resolve(deps.cwd, 'package.json');
+  const packageJsonRaw = deps.readTextFile(packageJsonPath, 'utf8');
+  const packageJson = JSON.parse(packageJsonRaw) as PackageJson;
+  const invalidExportTargets = findInvalidRuntimeExportTargets(packageJson.exports);
+  if (invalidExportTargets.length > 0) {
+    const details = invalidExportTargets.map((entry) => `${entry.subpath} -> ${entry.target}`).join('\n- ');
+    throw new Error(
+      `Package exports must target runtime-loadable files (.js/.cjs/.mjs/.json/.node):\n- ${details}`
+    );
+  }
+
   deps.writeStdout(`package manifest check passed for ${payload.id}\n`);
   deps.writeStdout(`files scanned: ${filePaths.length}\n`);
 };

package/scripts/check-tracking-single-active.sh

@@ -0,0 +1,40 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+if [[ "$#" -gt 0 ]]; then
+  FILES=("$@")
+else
+  FILES=(
+    "docs/REFRACTOR_PROGRESS.md"
+    "docs/EXECUTION_BOARD.md"
+    "docs/validation/p9-ruralgo-fork-validation-tracking.md"
+  )
+fi
+
+ACTIVE_PATTERN="^- 🚧 \`[A-Za-z0-9.-]+\` "
+HAS_ERROR=0
+
+for FILE in "${FILES[@]}"; do
+  if [[ ! -f "${FILE}" ]]; then
+    echo "[tracking-single-active] missing file: ${FILE}" >&2
+    HAS_ERROR=1
+    continue
+  fi
+
+  ACTIVE_COUNT="$(rg -n "${ACTIVE_PATTERN}" "${FILE}" | wc -l | tr -d ' ')"
+  echo "[tracking-single-active] file=${FILE}"
+  echo "[tracking-single-active] in_progress_count=${ACTIVE_COUNT}"
+
+  if [[ "${ACTIVE_COUNT}" -ne 1 ]]; then
+    echo "[tracking-single-active] ERROR: expected exactly 1 in-progress task (🚧), found ${ACTIVE_COUNT}." >&2
+    echo "[tracking-single-active] current in-progress entries:" >&2
+    rg -n "${ACTIVE_PATTERN}" "${FILE}" >&2 || true
+    HAS_ERROR=1
+  fi
+done
+
+if [[ "${HAS_ERROR}" -ne 0 ]]; then
+  exit 1
+fi
+
+echo "[tracking-single-active] OK: exactly one in-progress task in each tracking file."

package/scripts/framework-menu-consumer-preflight-lib.ts

@@ -49,6 +49,29 @@ const hasViolationCode = (
 const ACTIONABLE_HINTS_BY_CODE: Readonly<Record<string, string>> = {
   EVIDENCE_MISSING: 'ejecuta una auditoría (1/2/3/4) para regenerar .ai_evidence.json.',
   EVIDENCE_INVALID: 'regenera .ai_evidence.json desde una opción de auditoría.',
+  EVIDENCE_INTEGRITY_MISSING: 'regenera evidencia para crear metadata criptográfica de integridad.',
+  EVIDENCE_INTEGRITY_UNAVAILABLE: 'regenera evidencia válida para restaurar integridad.',
+  EVIDENCE_INTEGRITY_SCHEMA_INVALID: 'regenera evidencia; el bloque de integridad es inválido.',
+  EVIDENCE_INTEGRITY_HASH_FORMAT_INVALID:
+    'regenera evidencia; hash de integridad con formato inválido.',
+  EVIDENCE_INTEGRITY_PREVIOUS_CHAIN_HASH_INVALID:
+    'regenera evidencia para reparar previous_chain_hash.',
+  EVIDENCE_INTEGRITY_TIMESTAMP_MISMATCH:
+    'regenera evidencia para alinear generated_at y timestamp.',
+  EVIDENCE_INTEGRITY_PAYLOAD_HASH_MISMATCH:
+    'regenera evidencia; payload_hash no coincide con el payload.',
+  EVIDENCE_INTEGRITY_CHAIN_HASH_MISMATCH:
+    'regenera evidencia; chain_hash no coincide con la cadena esperada.',
+  EVIDENCE_INTEGRITY_SIGNATURE_REQUIRED:
+    'configura firma de evidencia o ajusta la política de firma.',
+  EVIDENCE_INTEGRITY_SIGNATURE_FORMAT_INVALID:
+    'regenera evidencia firmada; metadatos de firma inválidos.',
+  EVIDENCE_INTEGRITY_SIGNATURE_KEY_MISSING:
+    'configura PUMUKI_EVIDENCE_SIGNING_KEY para verificar firma.',
+  EVIDENCE_INTEGRITY_SIGNATURE_KEY_MISMATCH:
+    'alinea PUMUKI_EVIDENCE_SIGNING_KEY_ID con key_id de evidencia.',
+  EVIDENCE_INTEGRITY_SIGNATURE_INVALID:
+    'regenera evidencia firmada; la firma actual no verifica.',
   EVIDENCE_STALE: 'refresca evidencia antes de continuar con commit/push.',
   EVIDENCE_TIMESTAMP_INVALID: 'regenera evidencia para obtener un timestamp válido.',
   EVIDENCE_GATE_BLOCKED: 'corrige primero las violaciones bloqueantes y vuelve a auditar.',
@@ -65,6 +88,7 @@ const ACTIONABLE_HINTS_BY_CODE: Readonly<Record<string, string>> = {
   EVIDENCE_TIMESTAMP_FUTURE: 'corrige la hora del sistema y regenera evidencia.',
   GITFLOW_PROTECTED_BRANCH:
     'evita trabajo directo en ramas protegidas (usa feature/*).',
+  WAIVER_POLICY_INVALID: 'corrige el archivo de waivers antes de continuar.',
 };
 
 const buildHints = (
@@ -206,12 +230,19 @@ export const formatConsumerPreflight = (
 ): string => {
   const git = preflight.result.repo_state.git;
   const evidence = preflight.result.evidence;
+  const policyTrace = preflight.result.policy.trace;
   const lines = [
     'PRE-FLIGHT CHECK',
     `Stage: ${preflight.stage}`,
     `Branch: ${git.branch ?? 'unknown'} · Upstream: ${git.upstream ?? 'none'}`,
     `Worktree: dirty=${git.dirty ? 'yes' : 'no'} staged=${git.staged} unstaged=${git.unstaged} ahead=${git.ahead} behind=${git.behind}`,
+    `Policy: source=${policyTrace.source} bundle=${policyTrace.bundle} hash=${policyTrace.hash}`,
+    `Policy signature: version=${policyTrace.version ?? 'n/a'} signature=${policyTrace.signature ?? 'n/a'}`,
     `Evidence: kind=${evidence.kind} age=${evidence.age_seconds ?? 'n/a'}s max=${evidence.max_age_seconds}s`,
+    `Evidence source: ${evidence.source} path=${evidence.path}`,
+    `Evidence digest: ${evidence.digest ?? 'n/a'} generated_at=${evidence.generated_at ?? 'n/a'}`,
+    `Evidence integrity: status=${evidence.integrity.status} chain_hash=${evidence.integrity.chain_hash ?? 'n/a'} prev=${evidence.integrity.previous_chain_hash ?? 'n/a'} signature=${evidence.integrity.signature_present ? 'present' : 'absent'} verified=${evidence.integrity.signature_verified === null ? 'n/a' : evidence.integrity.signature_verified ? 'yes' : 'no'}`,
+    `Waivers: status=${preflight.result.waivers.status} applied=${preflight.result.waivers.applied.length} path=${preflight.result.waivers.path}`,
     `Gate: ${preflight.status} (${preflight.result.violations.length} violations)`,
   ];
   lines.push(...buildBlockingCauseLines(preflight));

package/scripts/framework-menu-consumer-runtime-lib.ts

@@ -73,17 +73,17 @@ export const createConsumerMenuRuntime = (params: {
   };
 
   const printEmptyScopeHint = (summary: LegacyAuditSummary, scope: 'staged' | 'workingTree'): void => {
-    if (summary.status !== 'ok' || summary.filesScanned > 0) {
+    if (summary.status !== 'ok' || summary.filesScanned > 0 || summary.totalViolations > 0) {
       return;
     }
     if (scope === 'staged') {
       params.write(
-        '\nℹ Scope vacío (staged): no hay archivos staged para auditar. Resultado PASS por alcance vacío; usa 1 o 2 para validar repo completo.\n'
+        '\nℹ Scope vacío (staged): no hay archivos staged para auditar. Resultado PASS parcial por alcance vacío; usa 1 o 2 para validar repo completo.\n'
       );
       return;
     }
     params.write(
-      '\nℹ Scope vacío (working tree): no hay cambios sin commitear para auditar. Resultado PASS por alcance vacío; usa 1 o 2 para validar repo completo.\n'
+      '\nℹ Scope vacío (working tree): no hay cambios sin commitear para auditar. Resultado PASS parcial por alcance vacío; usa 1 o 2 para validar repo completo.\n'
     );
   };
 

package/scripts/framework-menu-legacy-audit-lib.ts

@@ -417,6 +417,11 @@ const inferRulesetBundle = (
   };
 
   const normalized = ruleId.toLowerCase();
+  const inferPolicyBundle = (): string =>
+    findBundle((bundle) => bundle.startsWith('gate-policy.default.'))
+    ?? findBundle((bundle) => bundle.startsWith('policyRuleSet@'))
+    ?? findBundle((bundle) => bundle === 'project-rules')
+    ?? 'policyRuleSet (inferred)';
   if (normalized.startsWith('heuristics.')) {
     return findBundle((bundle) => bundle.startsWith('astHeuristicsRuleSet@'))
       ?? 'astHeuristicsRuleSet (inferred)';
@@ -437,6 +442,10 @@ const inferRulesetBundle = (
     return findBundle((bundle) => bundle.startsWith('frontendRuleSet@'))
       ?? 'frontendRuleSet (inferred)';
   }
+  if (normalized.startsWith('common.')) {
+    return findBundle((bundle) => bundle.startsWith('commonRuleSet@'))
+      ?? 'commonRuleSet (inferred)';
+  }
   if (normalized.startsWith('skills.ios.')) {
     return findBundle((bundle) => bundle.startsWith('ios-') && bundle.includes('guidelines@'))
       ?? 'ios-guidelines (inferred)';
@@ -454,7 +463,14 @@ const inferRulesetBundle = (
       ?? 'frontend-guidelines (inferred)';
   }
   if (normalized.startsWith('methodology.') || normalized.startsWith('project.')) {
-    return findBundle((bundle) => bundle === 'project-rules') ?? 'project-rules (inferred)';
+    return inferPolicyBundle();
+  }
+  if (
+    normalized.startsWith('workflow.')
+    || normalized.startsWith('sdd.')
+    || normalized.startsWith('generic_')
+  ) {
+    return inferPolicyBundle();
   }
   return 'unknown-ruleset';
 };
@@ -576,6 +592,9 @@ const computeLegacySeverity = (
 };
 
 const formatStatusLine = (summary: LegacyAuditSummary): string => {
+  if (summary.filesScanned <= 0 && summary.totalViolations === 0) {
+    return 'ℹ STATUS: SCOPE EMPTY\nNo auditable files detected in current scope';
+  }
   if (summary.bySeverity.CRITICAL > 0 || summary.bySeverity.HIGH > 0) {
     return '⚠ STATUS: ACTION REQUIRED\nCritical or high-severity issues detected';
   }
@@ -1037,6 +1056,7 @@ export const formatLegacyAuditReport = (
     return '.ai_evidence.json is invalid. Regenerate evidence and retry.';
   }
 
+  const scopeEmpty = summary.filesScanned <= 0 && summary.totalViolations === 0;
   const topViolations = summary.topViolations.length === 0
     ? ['• none']
     : summary.topViolations.flatMap((violation) => [
@@ -1052,7 +1072,9 @@ export const formatLegacyAuditReport = (
 
   const commitStatus = summary.bySeverity.CRITICAL > 0 || summary.bySeverity.HIGH > 0
     ? 'COMMIT BLOCKED — STRICT REPO+STAGING'
-    : 'COMMIT ALLOWED';
+    : scopeEmpty
+      ? 'COMMIT ALLOWED — SCOPE EMPTY (PARTIAL PASS)'
+      : 'COMMIT ALLOWED';
 
   const overviewPanel = renderPanel([
     OVERVIEW_TITLE,
@@ -1117,18 +1139,24 @@ export const formatLegacyAuditReport = (
 
   const blockedMessage = summary.bySeverity.CRITICAL > 0 || summary.bySeverity.HIGH > 0
     ? 'ACTION REQUIRED: Critical or high-severity issues detected. Please review and fix before proceeding.'
-    : 'No blocking violations detected.';
+    : scopeEmpty
+      ? 'PASS parcial por alcance vacío: no hay archivos auditables en el scope actual.'
+      : 'No blocking violations detected.';
   const actionLine = commitStatus.includes('BLOCKED')
     ? 'Action: clean entire repository before committing.'
-    : 'Action: proceed with commit flow.';
+    : scopeEmpty
+      ? 'Action: run option 1 or 2 to validate full-scope before relying on this pass.'
+      : 'Action: proceed with commit flow.';
   const affectedRatio = summary.filesScanned > 0
     ? Math.round((summary.filesAffected / Math.max(1, summary.filesScanned)) * 100)
     : 0;
   const nextAction = commitStatus.includes('BLOCKED')
     ? 'Next action: fix CRITICAL/HIGH findings and rerun full audit.'
-    : summary.bySeverity.MEDIUM > 0 || summary.bySeverity.LOW > 0
-      ? 'Next action: schedule MEDIUM/LOW cleanup without blocking delivery.'
-      : 'Next action: maintain baseline and continue with regular checks.';
+    : scopeEmpty
+      ? 'Next action: run option 1 or 2 to obtain full-scope audit signal.'
+      : summary.bySeverity.MEDIUM > 0 || summary.bySeverity.LOW > 0
+        ? 'Next action: schedule MEDIUM/LOW cleanup without blocking delivery.'
+        : 'Next action: maintain baseline and continue with regular checks.';
 
   const metricsPanel = renderPanel([
     'METRICS',

package/scripts/framework-menu-matrix-evidence-lib.ts

@@ -50,12 +50,16 @@ export const toMatrixOptionReport = (
   if (summary.status !== 'ok') {
     return EMPTY_OPTION_REPORT;
   }
+  const diagnosis = resolveMatrixOptionDiagnosis(summary);
+  const normalizedOutcome = diagnosis === 'scope-empty' && summary.outcome.toUpperCase() === 'PASS'
+    ? 'PASS_SCOPE_EMPTY'
+    : summary.outcome;
   return {
     stage: summary.stage,
-    outcome: summary.outcome,
+    outcome: normalizedOutcome,
     filesScanned: summary.filesScanned,
     totalViolations: summary.totalViolations,
-    diagnosis: resolveMatrixOptionDiagnosis(summary),
+    diagnosis,
   };
 };
 

package/scripts/manage-library.sh

@@ -10,7 +10,7 @@
 
 set -e
 
-PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+PROJECT_ROOT="$(cd "$(dirname "${BASH_SOURCE[0]}")/.." && pwd)"
 cd "$PROJECT_ROOT"
 
 GREEN='\033[0;32m'

package/scripts/p9-ruralgo-baseline-clean-lib.ts

@@ -0,0 +1,117 @@
+export type P9RuralgoBaselineIssueCode =
+  | 'NOT_GIT_REPO'
+  | 'PRE_COMMIT_MANAGED_HOOK_PRESENT'
+  | 'PRE_PUSH_MANAGED_HOOK_PRESENT'
+  | 'AI_EVIDENCE_PRESENT'
+  | 'ARTIFACTS_PRESENT'
+  | 'PUMUKI_DIR_PRESENT'
+  | 'NODE_MODULES_PRESENT'
+  | 'PACKAGE_LOCK_PRESENT';
+
+export type P9RuralgoBaselineIssue = {
+  code: P9RuralgoBaselineIssueCode;
+  severity: 'error' | 'warning';
+  message: string;
+};
+
+export type P9RuralgoBaselineSnapshot = {
+  isGitRepo: boolean;
+  hasManagedPreCommitHook: boolean;
+  hasManagedPrePushHook: boolean;
+  hasAiEvidenceFile: boolean;
+  hasArtifactsDir: boolean;
+  hasPumukiDir: boolean;
+  hasNodeModulesDir: boolean;
+  hasPackageLockFile: boolean;
+};
+
+export type P9RuralgoBaselinePolicy = {
+  requireNoManagedHooks: boolean;
+  requireNoAiEvidence: boolean;
+  requireNoArtifacts: boolean;
+  requireNoPumukiDir: boolean;
+  requireNoNodeModules: boolean;
+  requireNoPackageLock: boolean;
+};
+
+export type P9RuralgoBaselineResult = {
+  ready: boolean;
+  issues: ReadonlyArray<P9RuralgoBaselineIssue>;
+};
+
+export const DEFAULT_P9_RURALGO_BASELINE_POLICY: P9RuralgoBaselinePolicy = {
+  requireNoManagedHooks: true,
+  requireNoAiEvidence: true,
+  requireNoArtifacts: true,
+  requireNoPumukiDir: true,
+  requireNoNodeModules: true,
+  requireNoPackageLock: true,
+};
+
+const pushIssue = (
+  issues: P9RuralgoBaselineIssue[],
+  code: P9RuralgoBaselineIssueCode,
+  message: string,
+  severity: 'error' | 'warning' = 'error',
+): void => {
+  issues.push({ code, severity, message });
+};
+
+export const evaluateP9RuralgoBaselineClean = (
+  snapshot: P9RuralgoBaselineSnapshot,
+  policyOverrides?: Partial<P9RuralgoBaselinePolicy>,
+): P9RuralgoBaselineResult => {
+  const policy: P9RuralgoBaselinePolicy = {
+    ...DEFAULT_P9_RURALGO_BASELINE_POLICY,
+    ...(policyOverrides ?? {}),
+  };
+  const issues: P9RuralgoBaselineIssue[] = [];
+
+  if (!snapshot.isGitRepo) {
+    pushIssue(issues, 'NOT_GIT_REPO', 'La ruta objetivo no es un repositorio git válido.');
+    return { ready: false, issues };
+  }
+
+  if (policy.requireNoManagedHooks && snapshot.hasManagedPreCommitHook) {
+    pushIssue(
+      issues,
+      'PRE_COMMIT_MANAGED_HOOK_PRESENT',
+      'Existe bloque gestionado de Pumuki en .git/hooks/pre-commit.',
+    );
+  }
+  if (policy.requireNoManagedHooks && snapshot.hasManagedPrePushHook) {
+    pushIssue(
+      issues,
+      'PRE_PUSH_MANAGED_HOOK_PRESENT',
+      'Existe bloque gestionado de Pumuki en .git/hooks/pre-push.',
+    );
+  }
+  if (policy.requireNoAiEvidence && snapshot.hasAiEvidenceFile) {
+    pushIssue(issues, 'AI_EVIDENCE_PRESENT', 'Existe .ai_evidence.json en baseline limpio.');
+  }
+  if (policy.requireNoArtifacts && snapshot.hasArtifactsDir) {
+    pushIssue(issues, 'ARTIFACTS_PRESENT', 'Existe directorio artifacts/ en baseline limpio.');
+  }
+  if (policy.requireNoPumukiDir && snapshot.hasPumukiDir) {
+    pushIssue(issues, 'PUMUKI_DIR_PRESENT', 'Existe directorio .pumuki/ en baseline limpio.');
+  }
+  if (policy.requireNoNodeModules && snapshot.hasNodeModulesDir) {
+    pushIssue(
+      issues,
+      'NODE_MODULES_PRESENT',
+      'Existe directorio node_modules/ en baseline limpio.',
+    );
+  }
+  if (policy.requireNoPackageLock && snapshot.hasPackageLockFile) {
+    pushIssue(
+      issues,
+      'PACKAGE_LOCK_PRESENT',
+      'Existe package-lock.json en baseline limpio.',
+    );
+  }
+
+  return {
+    ready: !issues.some((issue) => issue.severity === 'error'),
+    issues,
+  };
+};