pumuki 6.3.26 → 6.3.28

package/integrations/evidence/integrity.ts

@@ -0,0 +1,352 @@
+import { createHash, createHmac, timingSafeEqual } from 'node:crypto';
+import type { AiEvidenceV2_1, EvidenceIntegrity } from './schema';
+
+const SHA256_HEX_PATTERN = /^[A-Fa-f0-9]{64}$/;
+const INTEGRITY_SCHEMA = 'pumuki-evidence-integrity-v1' as const;
+const HASH_ALGORITHM = 'SHA256' as const;
+const SIGNATURE_ALGORITHM = 'HMAC-SHA256' as const;
+const CANONICALIZATION = 'json-stable-v1' as const;
+const GENESIS_PREVIOUS_CHAIN_HASH = 'GENESIS';
+
+export type EvidenceSigningConfig = {
+  key: string;
+  keyId: string;
+};
+
+export type EvidenceIntegrityVerification = {
+  ok: boolean;
+  status: 'valid' | 'missing' | 'invalid';
+  code: string | null;
+  message: string | null;
+  payloadHash: string | null;
+  previousChainHash: string | null;
+  chainHash: string | null;
+  signature: {
+    present: boolean;
+    keyId: string | null;
+    verified: boolean | null;
+  };
+};
+
+const toCanonicalJsonValue = (value: unknown): unknown => {
+  if (Array.isArray(value)) {
+    return value.map((item) => toCanonicalJsonValue(item));
+  }
+  if (value && typeof value === 'object') {
+    const record = value as Record<string, unknown>;
+    const ordered: Record<string, unknown> = {};
+    for (const key of Object.keys(record).sort((left, right) => left.localeCompare(right))) {
+      ordered[key] = toCanonicalJsonValue(record[key]);
+    }
+    return ordered;
+  }
+  return value;
+};
+
+const toCanonicalJsonString = (value: unknown): string =>
+  JSON.stringify(toCanonicalJsonValue(value));
+
+const toSha256Hex = (value: string): string =>
+  createHash('sha256').update(value).digest('hex');
+
+const toIntegritySignatureValue = (params: {
+  chainHash: string;
+  payloadHash: string;
+  timestamp: string;
+  key: string;
+}): string =>
+  createHmac('sha256', params.key)
+    .update(`${params.chainHash}:${params.payloadHash}:${params.timestamp}`)
+    .digest('hex');
+
+const cloneWithoutIntegrity = (evidence: AiEvidenceV2_1): Omit<AiEvidenceV2_1, 'integrity'> => {
+  const { integrity: _integrity, ...withoutIntegrity } = evidence;
+  return withoutIntegrity;
+};
+
+const toSignedIntegrity = (
+  base: Omit<EvidenceIntegrity, 'signature'>,
+  signatureConfig: EvidenceSigningConfig | null,
+  timestamp: string
+): EvidenceIntegrity => {
+  if (!signatureConfig) {
+    return base;
+  }
+  return {
+    ...base,
+    signature: {
+      algorithm: SIGNATURE_ALGORITHM,
+      key_id: signatureConfig.keyId,
+      value: toIntegritySignatureValue({
+        chainHash: base.chain_hash,
+        payloadHash: base.payload_hash,
+        timestamp,
+        key: signatureConfig.key,
+      }),
+    },
+  };
+};
+
+export const resolveEvidenceSigningConfig = (
+  env: NodeJS.ProcessEnv = process.env
+): EvidenceSigningConfig | null => {
+  const key = env.PUMUKI_EVIDENCE_SIGNING_KEY?.trim();
+  if (!key) {
+    return null;
+  }
+  const keyId = env.PUMUKI_EVIDENCE_SIGNING_KEY_ID?.trim() || 'local';
+  return {
+    key,
+    keyId,
+  };
+};
+
+export const applyEvidenceIntegrity = (params: {
+  evidence: AiEvidenceV2_1;
+  previousChainHash?: string | null;
+  signatureConfig?: EvidenceSigningConfig | null;
+}): AiEvidenceV2_1 => {
+  const withoutIntegrity = cloneWithoutIntegrity(params.evidence);
+  const payloadHash = toSha256Hex(toCanonicalJsonString(withoutIntegrity));
+  const previousChainHash = params.previousChainHash ?? null;
+  const chainHash = toSha256Hex(`${previousChainHash ?? GENESIS_PREVIOUS_CHAIN_HASH}:${payloadHash}`);
+  const integrity: Omit<EvidenceIntegrity, 'signature'> = {
+    schema: INTEGRITY_SCHEMA,
+    hash_algorithm: HASH_ALGORITHM,
+    canonicalization: CANONICALIZATION,
+    payload_hash: payloadHash,
+    previous_chain_hash: previousChainHash,
+    chain_hash: chainHash,
+    generated_at: withoutIntegrity.timestamp,
+  };
+
+  return {
+    ...withoutIntegrity,
+    integrity: toSignedIntegrity(integrity, params.signatureConfig ?? null, withoutIntegrity.timestamp),
+  };
+};
+
+const buildIntegrityInvalidResult = (params: {
+  code: string;
+  message: string;
+  integrity?: EvidenceIntegrity;
+  signaturePresent?: boolean;
+  signatureKeyId?: string | null;
+  signatureVerified?: boolean | null;
+}): EvidenceIntegrityVerification => ({
+  ok: false,
+  status: 'invalid',
+  code: params.code,
+  message: params.message,
+  payloadHash: params.integrity?.payload_hash ?? null,
+  previousChainHash: params.integrity?.previous_chain_hash ?? null,
+  chainHash: params.integrity?.chain_hash ?? null,
+  signature: {
+    present: params.signaturePresent ?? false,
+    keyId: params.signatureKeyId ?? null,
+    verified: params.signatureVerified ?? null,
+  },
+});
+
+export const verifyEvidenceIntegrity = (
+  evidence: AiEvidenceV2_1,
+  options?: {
+    signatureConfig?: EvidenceSigningConfig | null;
+    enforceSignature?: boolean;
+  }
+): EvidenceIntegrityVerification => {
+  const integrity = evidence.integrity;
+  if (!integrity) {
+    return {
+      ok: false,
+      status: 'missing',
+      code: 'EVIDENCE_INTEGRITY_MISSING',
+      message: 'Evidence integrity metadata is missing.',
+      payloadHash: null,
+      previousChainHash: null,
+      chainHash: null,
+      signature: {
+        present: false,
+        keyId: null,
+        verified: null,
+      },
+    };
+  }
+
+  if (
+    integrity.schema !== INTEGRITY_SCHEMA ||
+    integrity.hash_algorithm !== HASH_ALGORITHM ||
+    integrity.canonicalization !== CANONICALIZATION
+  ) {
+    return buildIntegrityInvalidResult({
+      code: 'EVIDENCE_INTEGRITY_SCHEMA_INVALID',
+      message: 'Evidence integrity schema metadata is invalid.',
+      integrity,
+    });
+  }
+
+  if (
+    !SHA256_HEX_PATTERN.test(integrity.payload_hash) ||
+    !SHA256_HEX_PATTERN.test(integrity.chain_hash)
+  ) {
+    return buildIntegrityInvalidResult({
+      code: 'EVIDENCE_INTEGRITY_HASH_FORMAT_INVALID',
+      message: 'Evidence integrity hash format is invalid.',
+      integrity,
+    });
+  }
+
+  if (
+    integrity.previous_chain_hash !== null &&
+    !SHA256_HEX_PATTERN.test(integrity.previous_chain_hash)
+  ) {
+    return buildIntegrityInvalidResult({
+      code: 'EVIDENCE_INTEGRITY_PREVIOUS_CHAIN_HASH_INVALID',
+      message: 'Evidence integrity previous chain hash format is invalid.',
+      integrity,
+    });
+  }
+
+  if (integrity.generated_at !== evidence.timestamp) {
+    return buildIntegrityInvalidResult({
+      code: 'EVIDENCE_INTEGRITY_TIMESTAMP_MISMATCH',
+      message: 'Evidence integrity timestamp does not match evidence timestamp.',
+      integrity,
+    });
+  }
+
+  const withoutIntegrity = cloneWithoutIntegrity(evidence);
+  const expectedPayloadHash = toSha256Hex(toCanonicalJsonString(withoutIntegrity));
+  if (integrity.payload_hash !== expectedPayloadHash) {
+    return buildIntegrityInvalidResult({
+      code: 'EVIDENCE_INTEGRITY_PAYLOAD_HASH_MISMATCH',
+      message: 'Evidence integrity payload hash mismatch.',
+      integrity,
+    });
+  }
+
+  const expectedChainHash = toSha256Hex(
+    `${integrity.previous_chain_hash ?? GENESIS_PREVIOUS_CHAIN_HASH}:${expectedPayloadHash}`
+  );
+  if (integrity.chain_hash !== expectedChainHash) {
+    return buildIntegrityInvalidResult({
+      code: 'EVIDENCE_INTEGRITY_CHAIN_HASH_MISMATCH',
+      message: 'Evidence integrity chain hash mismatch.',
+      integrity,
+    });
+  }
+
+  const signature = integrity.signature;
+  const signatureConfig = options?.signatureConfig ?? null;
+  if (!signature) {
+    if (options?.enforceSignature && signatureConfig) {
+      return buildIntegrityInvalidResult({
+        code: 'EVIDENCE_INTEGRITY_SIGNATURE_REQUIRED',
+        message: 'Evidence integrity signature is required but missing.',
+        integrity,
+      });
+    }
+    return {
+      ok: true,
+      status: 'valid',
+      code: null,
+      message: null,
+      payloadHash: integrity.payload_hash,
+      previousChainHash: integrity.previous_chain_hash,
+      chainHash: integrity.chain_hash,
+      signature: {
+        present: false,
+        keyId: null,
+        verified: null,
+      },
+    };
+  }
+
+  if (
+    signature.algorithm !== SIGNATURE_ALGORITHM ||
+    !SHA256_HEX_PATTERN.test(signature.value) ||
+    typeof signature.key_id !== 'string' ||
+    signature.key_id.trim().length === 0
+  ) {
+    return buildIntegrityInvalidResult({
+      code: 'EVIDENCE_INTEGRITY_SIGNATURE_FORMAT_INVALID',
+      message: 'Evidence integrity signature metadata is invalid.',
+      integrity,
+      signaturePresent: true,
+      signatureKeyId: signature.key_id ?? null,
+      signatureVerified: false,
+    });
+  }
+
+  if (!signatureConfig) {
+    if (options?.enforceSignature) {
+      return buildIntegrityInvalidResult({
+        code: 'EVIDENCE_INTEGRITY_SIGNATURE_KEY_MISSING',
+        message: 'Evidence signature present but signing key is missing locally.',
+        integrity,
+        signaturePresent: true,
+        signatureKeyId: signature.key_id,
+        signatureVerified: null,
+      });
+    }
+    return {
+      ok: true,
+      status: 'valid',
+      code: null,
+      message: null,
+      payloadHash: integrity.payload_hash,
+      previousChainHash: integrity.previous_chain_hash,
+      chainHash: integrity.chain_hash,
+      signature: {
+        present: true,
+        keyId: signature.key_id,
+        verified: null,
+      },
+    };
+  }
+
+  if (signature.key_id !== signatureConfig.keyId) {
+    return buildIntegrityInvalidResult({
+      code: 'EVIDENCE_INTEGRITY_SIGNATURE_KEY_MISMATCH',
+      message: `Evidence signature key_id mismatch (${signature.key_id} != ${signatureConfig.keyId}).`,
+      integrity,
+      signaturePresent: true,
+      signatureKeyId: signature.key_id,
+      signatureVerified: false,
+    });
+  }
+
+  const expectedSignature = toIntegritySignatureValue({
+    chainHash: integrity.chain_hash,
+    payloadHash: integrity.payload_hash,
+    timestamp: evidence.timestamp,
+    key: signatureConfig.key,
+  });
+  const provided = Buffer.from(signature.value, 'hex');
+  const expected = Buffer.from(expectedSignature, 'hex');
+  if (provided.length !== expected.length || !timingSafeEqual(provided, expected)) {
+    return buildIntegrityInvalidResult({
+      code: 'EVIDENCE_INTEGRITY_SIGNATURE_INVALID',
+      message: 'Evidence integrity signature mismatch.',
+      integrity,
+      signaturePresent: true,
+      signatureKeyId: signature.key_id,
+      signatureVerified: false,
+    });
+  }
+
+  return {
+    ok: true,
+    status: 'valid',
+    code: null,
+    message: null,
+    payloadHash: integrity.payload_hash,
+    previousChainHash: integrity.previous_chain_hash,
+    chainHash: integrity.chain_hash,
+    signature: {
+      present: true,
+      keyId: signature.key_id,
+      verified: true,
+    },
+  };
+};

package/integrations/evidence/rulesCoverage.ts

@@ -30,6 +30,95 @@ const createCoverageRatio = (active: number, evaluated: number): number => {
   return normalizeCoverageRatio(evaluated / active);
 };
 
+const normalizeSkillsCompliance = (
+  value: SnapshotRulesCoverage['skills_compliance']
+): SnapshotRulesCoverage['skills_compliance'] => {
+  if (!value) {
+    return undefined;
+  }
+
+  const normalizedByFile = value.by_file
+    .map((item) => {
+      const requiredRuleIds = normalizeStringArray(item.required_rule_ids ?? []);
+      const appliedRuleIds = normalizeStringArray(item.applied_rule_ids ?? []);
+      const evidenceRuleIds = normalizeStringArray(item.evidence_rule_ids ?? []);
+      const missingRuleIds = normalizeStringArray(item.missing_rule_ids ?? []);
+      if (requiredRuleIds.length === 0) {
+        return undefined;
+      }
+      return {
+        file_path: item.file_path,
+        platform: item.platform,
+        required_rule_ids: requiredRuleIds,
+        applied_rule_ids: appliedRuleIds,
+        evidence_rule_ids: evidenceRuleIds,
+        missing_rule_ids: missingRuleIds,
+        status: missingRuleIds.length > 0 ? 'INCOMPLETE' : 'OK',
+      };
+    })
+    .filter(
+      (
+        item
+      ): item is {
+        file_path: string;
+        platform: 'ios' | 'android' | 'backend' | 'frontend';
+        required_rule_ids: string[];
+        applied_rule_ids: string[];
+        evidence_rule_ids: string[];
+        missing_rule_ids: string[];
+        status: 'OK' | 'INCOMPLETE';
+      } => item !== undefined
+    )
+    .sort((left, right) => left.file_path.localeCompare(right.file_path));
+
+  if (normalizedByFile.length === 0) {
+    return undefined;
+  }
+
+  const requiredRuleIds = normalizeStringArray(
+    value.required_rule_ids?.length > 0
+      ? value.required_rule_ids
+      : normalizedByFile.flatMap((item) => item.required_rule_ids)
+  );
+  const appliedRuleIds = normalizeStringArray(
+    value.applied_rule_ids?.length > 0
+      ? value.applied_rule_ids
+      : normalizedByFile.flatMap((item) => item.applied_rule_ids)
+  );
+  const evidenceRuleIds = normalizeStringArray(
+    value.evidence_rule_ids?.length > 0
+      ? value.evidence_rule_ids
+      : normalizedByFile.flatMap((item) => item.evidence_rule_ids)
+  );
+  const missingRuleIds = normalizeStringArray(
+    value.missing_rule_ids?.length > 0
+      ? value.missing_rule_ids
+      : normalizedByFile.flatMap((item) => item.missing_rule_ids)
+  );
+
+  return {
+    required_rule_ids: requiredRuleIds,
+    applied_rule_ids: appliedRuleIds,
+    evidence_rule_ids: evidenceRuleIds,
+    missing_rule_ids: missingRuleIds,
+    counts: {
+      files_in_scope: Math.max(
+        normalizedByFile.length,
+        normalizeCount(value.counts?.files_in_scope ?? 0)
+      ),
+      files_with_missing: Math.max(
+        normalizedByFile.filter((item) => item.missing_rule_ids.length > 0).length,
+        normalizeCount(value.counts?.files_with_missing ?? 0)
+      ),
+      required: Math.max(requiredRuleIds.length, normalizeCount(value.counts?.required ?? 0)),
+      applied: Math.max(appliedRuleIds.length, normalizeCount(value.counts?.applied ?? 0)),
+      evidence: Math.max(evidenceRuleIds.length, normalizeCount(value.counts?.evidence ?? 0)),
+      missing: Math.max(missingRuleIds.length, normalizeCount(value.counts?.missing ?? 0)),
+    },
+    by_file: normalizedByFile,
+  };
+};
+
 export const createEmptySnapshotRulesCoverage = (
   stage: GateStage
 ): SnapshotRulesCoverage => ({
@@ -106,5 +195,10 @@ export const normalizeSnapshotRulesCoverage = (
     normalized.unsupported_auto_rule_ids = unsupportedAutoRuleIds;
   }
 
+  const skillsCompliance = normalizeSkillsCompliance(value.skills_compliance);
+  if (skillsCompliance) {
+    normalized.skills_compliance = skillsCompliance;
+  }
+
   return normalized;
 };

package/integrations/evidence/schema.test.ts

@@ -39,6 +39,20 @@ test('AiEvidenceV2_1 soporta snapshot/ledger/platforms/rulesets con contrato 2.1
   const evidence: AiEvidenceV2_1 = {
     version: '2.1',
     timestamp: '2026-02-17T09:00:00.000Z',
+    integrity: {
+      schema: 'pumuki-evidence-integrity-v1',
+      hash_algorithm: 'SHA256',
+      canonicalization: 'json-stable-v1',
+      payload_hash: 'a'.repeat(64),
+      previous_chain_hash: null,
+      chain_hash: 'b'.repeat(64),
+      generated_at: '2026-02-17T09:00:00.000Z',
+      signature: {
+        algorithm: 'HMAC-SHA256',
+        key_id: 'local',
+        value: 'c'.repeat(64),
+      },
+    },
     snapshot: {
       stage: 'PRE_PUSH',
       outcome: 'BLOCK',
@@ -133,6 +147,8 @@ test('AiEvidenceV2_1 soporta snapshot/ledger/platforms/rulesets con contrato 2.1
   };
 
   assert.equal(evidence.version, '2.1');
+  assert.equal(evidence.integrity?.schema, 'pumuki-evidence-integrity-v1');
+  assert.equal(evidence.integrity?.signature?.algorithm, 'HMAC-SHA256');
   assert.equal(evidence.snapshot.stage, 'PRE_PUSH');
   assert.equal(evidence.snapshot.files_scanned, 911);
   assert.equal(evidence.snapshot.files_affected, 1);

package/integrations/evidence/schema.ts

@@ -40,6 +40,29 @@ export type SnapshotRulesCoverage = {
   matched_rule_ids: string[];
   unevaluated_rule_ids: string[];
   unsupported_auto_rule_ids?: string[];
+  skills_compliance?: {
+    required_rule_ids: string[];
+    applied_rule_ids: string[];
+    evidence_rule_ids: string[];
+    missing_rule_ids: string[];
+    counts: {
+      files_in_scope: number;
+      files_with_missing: number;
+      required: number;
+      applied: number;
+      evidence: number;
+      missing: number;
+    };
+    by_file: Array<{
+      file_path: string;
+      platform: 'ios' | 'android' | 'backend' | 'frontend';
+      required_rule_ids: string[];
+      applied_rule_ids: string[];
+      evidence_rule_ids: string[];
+      missing_rule_ids: string[];
+      status: 'OK' | 'INCOMPLETE';
+    }>;
+  };
   counts: {
     active: number;
     evaluated: number;
@@ -88,6 +111,23 @@ export type RulesetState = {
   hash: string;
 };
 
+export type EvidenceIntegritySignature = {
+  algorithm: 'HMAC-SHA256';
+  key_id: string;
+  value: string;
+};
+
+export type EvidenceIntegrity = {
+  schema: 'pumuki-evidence-integrity-v1';
+  hash_algorithm: 'SHA256';
+  canonicalization: 'json-stable-v1';
+  payload_hash: string;
+  previous_chain_hash: string | null;
+  chain_hash: string;
+  generated_at: string;
+  signature?: EvidenceIntegritySignature;
+};
+
 export type HumanIntentConfidence = 'high' | 'medium' | 'low' | 'unset';
 
 export type HumanIntentState = {
@@ -170,6 +210,7 @@ export type RepoState = {
 export type AiEvidenceV2_1 = {
   version: '2.1';
   timestamp: string;
+  integrity?: EvidenceIntegrity;
   snapshot: Snapshot;
   ledger: LedgerEntry[];
   platforms: Record<string, PlatformState>;

package/integrations/evidence/writeEvidence.test.ts

@@ -5,6 +5,7 @@ import { join } from 'node:path';
 import test from 'node:test';
 import { withTempDir } from '../__tests__/helpers/tempDir';
 import type { AiEvidenceV2_1 } from './schema';
+import { verifyEvidenceIntegrity } from './integrity';
 import { writeEvidence } from './writeEvidence';
 
 const withCwd = async <T>(cwd: string, callback: () => Promise<T> | T): Promise<T> => {
@@ -242,6 +243,12 @@ test('writeEvidence escribe archivo estable y normaliza paths/orden/lineas', asy
       });
       assert.equal(written.repo_state?.git.branch, 'feature/write-evidence');
       assert.equal(written.repo_state?.lifecycle.hooks.pre_commit, 'managed');
+      assert.equal(typeof written.integrity?.schema, 'string');
+      assert.match(written.integrity?.payload_hash ?? '', /^[A-Fa-f0-9]{64}$/);
+      assert.match(written.integrity?.chain_hash ?? '', /^[A-Fa-f0-9]{64}$/);
+      assert.equal(written.integrity?.previous_chain_hash, null);
+      const integrityCheck = verifyEvidenceIntegrity(written);
+      assert.equal(integrityCheck.ok, true);
     });
   });
 });
@@ -315,6 +322,67 @@ test('writeEvidence conserva paths externos y elimina lines no finitas', async (
   });
 });
 
+test('writeEvidence encadena previous_chain_hash entre escrituras consecutivas', async () => {
+  await withTempDir('pumuki-write-evidence-chain-', async (tempRoot) => {
+    initGitRepo(tempRoot);
+    await withCwd(tempRoot, async () => {
+      const firstEvidence = sampleEvidence(tempRoot);
+      const firstWrite = writeEvidence(firstEvidence);
+      assert.equal(firstWrite.ok, true);
+      const firstWritten = JSON.parse(readFileSync(firstWrite.path, 'utf8')) as AiEvidenceV2_1;
+      const firstChainHash = firstWritten.integrity?.chain_hash ?? null;
+      assert.match(firstChainHash ?? '', /^[A-Fa-f0-9]{64}$/);
+
+      const secondEvidence = sampleEvidence(tempRoot);
+      secondEvidence.timestamp = '2026-02-17T00:10:00.000Z';
+      secondEvidence.snapshot.findings.push({
+        ruleId: 'b.rule',
+        severity: 'WARN',
+        code: 'B_RULE',
+        message: 'b finding',
+        file: 'apps/backend/B.ts',
+      });
+      secondEvidence.severity_metrics.total_violations = 3;
+      secondEvidence.severity_metrics.by_severity.WARN = 2;
+
+      const secondWrite = writeEvidence(secondEvidence);
+      assert.equal(secondWrite.ok, true);
+      const secondWritten = JSON.parse(readFileSync(secondWrite.path, 'utf8')) as AiEvidenceV2_1;
+      assert.equal(secondWritten.integrity?.previous_chain_hash, firstChainHash);
+      const secondIntegrityCheck = verifyEvidenceIntegrity(secondWritten);
+      assert.equal(secondIntegrityCheck.ok, true);
+    });
+  });
+});
+
+test('writeEvidence añade firma opcional cuando hay key de firmado en entorno', async () => {
+  await withTempDir('pumuki-write-evidence-signature-', async (tempRoot) => {
+    initGitRepo(tempRoot);
+    await withCwd(tempRoot, async () => {
+      const result = writeEvidence(sampleEvidence(tempRoot), {
+        env: {
+          ...process.env,
+          PUMUKI_EVIDENCE_SIGNING_KEY: 'secret-test-key',
+          PUMUKI_EVIDENCE_SIGNING_KEY_ID: 'test-key-id',
+        },
+      });
+      assert.equal(result.ok, true);
+      const written = JSON.parse(readFileSync(result.path, 'utf8')) as AiEvidenceV2_1;
+      assert.equal(written.integrity?.signature?.key_id, 'test-key-id');
+      assert.match(written.integrity?.signature?.value ?? '', /^[A-Fa-f0-9]{64}$/);
+      const integrityCheck = verifyEvidenceIntegrity(written, {
+        signatureConfig: {
+          key: 'secret-test-key',
+          keyId: 'test-key-id',
+        },
+        enforceSignature: false,
+      });
+      assert.equal(integrityCheck.ok, true);
+      assert.equal(integrityCheck.signature.verified, true);
+    });
+  });
+});
+
 test('writeEvidence preserva snapshot.tdd_bdd cuando viene en evidencia', async () => {
   await withTempDir('pumuki-write-evidence-tdd-bdd-', async (tempRoot) => {
     initGitRepo(tempRoot);

package/integrations/evidence/writeEvidence.ts

@@ -14,6 +14,12 @@ import { buildSnapshotPlatformSummaries } from './platformSummary';
 import { normalizeHumanIntent } from './humanIntent';
 import { normalizeSnapshotEvaluationMetrics } from './evaluationMetrics';
 import { normalizeSnapshotRulesCoverage } from './rulesCoverage';
+import { readEvidenceResult } from './readEvidence';
+import {
+  applyEvidenceIntegrity,
+  resolveEvidenceSigningConfig,
+  verifyEvidenceIntegrity,
+} from './integrity';
 
 export type WriteEvidenceResult = {
   ok: boolean;
@@ -343,14 +349,29 @@ const resolveRepoRoot = (): string => {
 
 export function writeEvidence(
   evidence: AiEvidenceV2_1,
-  options?: { repoRoot?: string }
+  options?: { repoRoot?: string; env?: NodeJS.ProcessEnv }
 ): WriteEvidenceResult {
   const repoRoot = options?.repoRoot ?? resolveRepoRoot();
   const outputPath = join(repoRoot, EVIDENCE_FILE_NAME);
 
   try {
     const stableEvidence = toStableEvidence(evidence, repoRoot);
-    writeFileSync(outputPath, `${JSON.stringify(stableEvidence, null, 2)}\n`, 'utf8');
+    const previousResult = readEvidenceResult(repoRoot);
+    const previousChainHash =
+      previousResult.kind === 'valid'
+        ? (() => {
+          const verification = verifyEvidenceIntegrity(previousResult.evidence, {
+            enforceSignature: false,
+          });
+          return verification.ok ? verification.chainHash : null;
+        })()
+        : null;
+    const signedEvidence = applyEvidenceIntegrity({
+      evidence: stableEvidence,
+      previousChainHash,
+      signatureConfig: resolveEvidenceSigningConfig(options?.env ?? process.env),
+    });
+    writeFileSync(outputPath, `${JSON.stringify(signedEvidence, null, 2)}\n`, 'utf8');
     return {
       ok: true,
       path: outputPath,