pumuki 6.3.267 → 6.3.268

package/core/gate/evaluateGate.test.ts

@@ -25,12 +25,14 @@ test('evaluateGate devuelve WARN cuando hay warnings sin bloqueantes', () => {
       severity: 'WARN',
       code: 'RULE_WARN',
       message: 'Warn finding',
+      blocking: false,
     },
     {
       ruleId: 'rule.info',
       severity: 'INFO',
       code: 'RULE_INFO',
       message: 'Info finding',
+      blocking: false,
     },
   ];
 
@@ -42,7 +44,7 @@ test('evaluateGate devuelve WARN cuando hay warnings sin bloqueantes', () => {
   assert.equal(result.warnings[0]?.ruleId, 'rule.warn');
 });
 
-test('evaluateGate devuelve BLOCK cuando existe al menos un finding bloqueante', () => {
+test('evaluateGate devuelve BLOCK para cualquier finding runtime salvo blocking=false', () => {
   const findings: Finding[] = [
     {
       ruleId: 'rule.error',
@@ -62,18 +64,24 @@ test('evaluateGate devuelve BLOCK cuando existe al menos un finding bloqueante',
       code: 'RULE_WARN',
       message: 'Warn finding',
     },
+    {
+      ruleId: 'rule.info.advisory',
+      severity: 'INFO',
+      code: 'RULE_INFO_ADVISORY',
+      message: 'Info advisory finding',
+      blocking: false,
+    },
   ];
 
   const result = evaluateGate(findings, defaultPolicy);
 
   assert.equal(result.outcome, 'BLOCK');
-  assert.equal(result.blocking.length, 2);
+  assert.equal(result.blocking.length, 3);
   assert.deepEqual(
     result.blocking.map((finding) => finding.ruleId),
-    ['rule.error', 'rule.critical']
+    ['rule.error', 'rule.critical', 'rule.warn']
   );
-  assert.equal(result.warnings.length, 1);
-  assert.equal(result.warnings[0]?.ruleId, 'rule.warn');
+  assert.deepEqual(result.warnings, []);
 });
 
 test('evaluateGate bloquea cualquier severidad cuando la policy zero-violations usa INFO', () => {

package/core/gate/evaluateGate.ts

@@ -3,16 +3,16 @@ import type { GateOutcome } from './GateOutcome';
 import type { GatePolicy } from './GatePolicy';
 import { isSeverityAtLeast } from '../rules/Severity';
 
+const isBlockingFinding = (finding: Finding): boolean => finding.blocking !== false;
+
 export function evaluateGate(
   findings: Finding[],
   policy: GatePolicy
 ): { outcome: GateOutcome; blocking: Finding[]; warnings: Finding[] } {
-  const blocking = findings.filter((finding) =>
-    isSeverityAtLeast(finding.severity, policy.blockOnOrAbove)
-  );
+  const blocking = findings.filter(isBlockingFinding);
   const warnings = findings.filter(
     (finding) =>
-      !isSeverityAtLeast(finding.severity, policy.blockOnOrAbove) &&
+      !isBlockingFinding(finding) &&
       isSeverityAtLeast(finding.severity, policy.warnOnOrAbove)
   );
 

package/integrations/git/astIntelligenceDualValidation.ts

@@ -188,6 +188,7 @@ const toDualValidationFinding = (params: {
   return {
     ruleId: 'governance.ast-intelligence.dual-validation.shadow',
     severity: 'INFO',
+    blocking: false,
     code: 'AST_INTELLIGENCE_DUAL_VALIDATION_SHADOW',
     message:
       `AST Intelligence dual validation shadow at ${params.stage}: ` +

package/integrations/git/runPlatformGate.ts

@@ -39,6 +39,10 @@ import {
   filterFactsByPathPrefixes,
   resolveGateScopePathPrefixesFromEnv,
 } from './filterFactsByPathPrefixes';
+import {
+  readPreWriteLeaseStatus,
+  toPreWriteEnforcementGapFinding,
+} from '../lifecycle/preWriteLease';
 
 export type OperationalMemoryShadowRecommendation = {
   recommendedOutcome: 'ALLOW' | 'WARN' | 'BLOCK';
@@ -801,7 +805,7 @@ const shouldBlockFromFinding = (finding: Finding | undefined): boolean => {
   if (!finding) {
     return false;
   }
-  return finding.severity === 'ERROR' || finding.severity === 'CRITICAL';
+  return finding.blocking !== false;
 };
 
 const applySkillsFindingEnforcement = (
@@ -817,6 +821,7 @@ const applySkillsFindingEnforcement = (
   return {
     ...finding,
     severity: 'WARN',
+    blocking: false,
   };
 };
 
@@ -834,6 +839,7 @@ const toSoftPreCommitSkillsFinding = (params: {
   return {
     ...params.finding,
     severity: 'WARN',
+    blocking: false,
     code: `${params.finding.code}_SOFT_PRECOMMIT`,
     message:
       `${params.finding.message} ` +
@@ -939,6 +945,18 @@ export async function runPlatformGate(params: {
     : facts;
   const filesScanned = countScannedFilesFromFacts(factsForPlatformEvaluation);
   const observedCodePaths = collectObservedCodePathsFromFacts(facts);
+  const preWriteLeaseFinding =
+    params.policy.stage === 'PRE_COMMIT' ||
+    params.policy.stage === 'PRE_PUSH' ||
+    params.policy.stage === 'CI'
+      ? toPreWriteEnforcementGapFinding({
+          stage: params.policy.stage,
+          status: readPreWriteLeaseStatus({
+            repoRoot,
+            git,
+          }),
+        })
+      : undefined;
 
   const platformEvaluation = dependencies.evaluatePlatformGateFindings({
     facts: factsForPlatformEvaluation,
@@ -1184,12 +1202,12 @@ export async function runPlatformGate(params: {
     ? tddBddEvaluation.snapshot
     : undefined;
   const hasTddBddBlockingFinding = tddBddEvaluation.findings.some(
-    (finding) => finding.severity === 'ERROR' || finding.severity === 'CRITICAL'
+    (finding) => shouldBlockFromFinding(finding)
   );
   const hasNativeBlockingFinding = findings.some(
-    (finding) => finding.severity === 'ERROR' || finding.severity === 'CRITICAL'
+    (finding) => shouldBlockFromFinding(finding)
   );
-  const preCommitSoftSkillsEnabled = process.env.PUMUKI_PRE_COMMIT_SOFT_SKILLS !== '0';
+  const preCommitSoftSkillsEnabled = process.env.PUMUKI_PRE_COMMIT_SOFT_SKILLS === '1';
   const lowRiskPreCommitWindow = observedCodePaths.length > 0 && observedCodePaths.length <= 3;
   const shouldSoftEnforceSkillsFindings =
     params.policy.stage === 'PRE_COMMIT'
@@ -1228,6 +1246,7 @@ export async function runPlatformGate(params: {
     ? [
       sddBlockingFinding,
       ...(degradedModeFinding ? [degradedModeFinding] : []),
+      ...(preWriteLeaseFinding ? [preWriteLeaseFinding] : []),
       ...(policyAsCodeBlockingFinding ? [policyAsCodeBlockingFinding] : []),
       ...(effectiveUnsupportedSkillsMappingFinding ? [effectiveUnsupportedSkillsMappingFinding] : []),
       ...(effectivePlatformSkillsCoverageFinding ? [effectivePlatformSkillsCoverageFinding] : []),
@@ -1245,6 +1264,7 @@ export async function runPlatformGate(params: {
       || effectivePlatformSkillsCoverageFinding
       || effectiveCrossPlatformCriticalFinding
       || effectiveSkillsScopeComplianceFinding
+      || preWriteLeaseFinding
       || activeRulesEmptyForCodeChangesFinding
       || effectiveIosTestsQualityFinding
       || astIntelligenceDualFinding
@@ -1255,6 +1275,7 @@ export async function runPlatformGate(params: {
       || tddBddEvaluation.findings.length > 0
       ? [
         ...(degradedModeFinding ? [degradedModeFinding] : []),
+        ...(preWriteLeaseFinding ? [preWriteLeaseFinding] : []),
         ...(policyAsCodeBlockingFinding ? [policyAsCodeBlockingFinding] : []),
         ...(effectiveUnsupportedSkillsMappingFinding ? [effectiveUnsupportedSkillsMappingFinding] : []),
         ...(effectivePlatformSkillsCoverageFinding ? [effectivePlatformSkillsCoverageFinding] : []),
@@ -1284,6 +1305,7 @@ export async function runPlatformGate(params: {
   const baseGateOutcome =
     sddBlockingFinding ||
     degradedModeBlocks ||
+    shouldBlockFromFinding(preWriteLeaseFinding) ||
     shouldBlockFromFinding(policyAsCodeBlockingFinding) ||
     shouldBlockFromFinding(effectiveUnsupportedSkillsMappingFinding) ||
     shouldBlockFromFinding(effectivePlatformSkillsCoverageFinding) ||

package/integrations/git/stageRunners.ts

@@ -818,7 +818,7 @@ export async function runPreCommitStage(
     repoRoot,
     stage: 'PRE_COMMIT',
     scope: {
-      kind: 'staged',
+      kind: 'workingTree',
     },
   });
   if (
@@ -898,9 +898,7 @@ export async function runPrePushStage(
         repoRoot,
         stage: 'PRE_PUSH',
         scope: {
-          kind: 'range',
-          fromRef: bootstrapBaseRef,
-          toRef: 'HEAD',
+          kind: 'repoAndStaged',
         },
       });
       if (
@@ -1006,9 +1004,7 @@ export async function runPrePushStage(
     repoRoot,
     stage: 'PRE_PUSH',
     scope: {
-      kind: 'range',
-      fromRef: prePushFromRef,
-      toRef: prePushToRef,
+      kind: 'repoAndStaged',
     },
     sddDecisionOverride: historicalPrePushSddOverride,
   });
@@ -1064,9 +1060,7 @@ export async function runCiStage(
     policy: resolved.policy,
     policyTrace: resolved.trace,
     scope: {
-      kind: 'range',
-      fromRef: ciBaseRef,
-      toRef: 'HEAD',
+      kind: 'repo',
     },
   });
   if (exitCode !== 0) {

package/integrations/lifecycle/cli.ts

@@ -2849,8 +2849,18 @@ export const runLifecycleCli = async (
   }
 };
 
-if (require.main === module) {
-  void runLifecycleCli(process.argv.slice(2)).then((code) => {
-    process.exitCode = code;
-  });
+if (
+  require.main === module &&
+  process.env.PUMUKI_RUNTIME_EXECUTION_SOURCE === 'source-bin'
+) {
+  void runLifecycleCli(process.argv.slice(2)).then(
+    (code) => {
+      process.exit(code);
+    },
+    (error) => {
+      const message = error instanceof Error ? error.message : 'Unexpected lifecycle CLI error.';
+      writeError(message);
+      process.exit(1);
+    }
+  );
 }

package/integrations/lifecycle/doctor.ts

@@ -20,6 +20,7 @@ import {
   readLifecycleDependencyInventory,
   type LifecycleDependencyInventory,
 } from './dependencyInventory';
+import { readPreWriteLeaseStatus } from './preWriteLease';
 
 export type DoctorIssueSeverity = 'warning' | 'error';
 
@@ -117,6 +118,19 @@ const buildDoctorIssues = (params: {
 }): ReadonlyArray<DoctorIssue> => {
   const issues: DoctorIssue[] = [];
   const evidenceResult = readEvidenceResult(params.repoRoot);
+  const preWriteLeaseStatus = readPreWriteLeaseStatus({
+    repoRoot: params.repoRoot,
+    git: new LifecycleGitService(),
+  });
+
+  if (!preWriteLeaseStatus.valid && preWriteLeaseStatus.changedCodePaths.length > 0) {
+    issues.push({
+      severity: 'error',
+      message:
+        `ENFORCEMENT_GAP: PRE_WRITE hard-stop lease is not valid (${preWriteLeaseStatus.code}) ` +
+        `for ${preWriteLeaseStatus.changedCodePaths.length} changed code file(s).`,
+    });
+  }
 
   if (params.trackedNodeModulesPaths.length > 0) {
     issues.push({

package/integrations/lifecycle/install.ts

@@ -2,7 +2,7 @@ import { existsSync } from 'node:fs';
 import { join } from 'node:path';
 import { installPumukiHooks } from './hookManager';
 import { LifecycleGitService, type ILifecycleGitService } from './gitService';
-import { doctorHasBlockingIssues, runLifecycleDoctor } from './doctor';
+import { runLifecycleDoctor } from './doctor';
 import { runOpenSpecBootstrap, type OpenSpecBootstrapResult } from './openSpecBootstrap';
 import { LifecycleNpmService, type ILifecycleNpmService } from './npmService';
 import { getCurrentPumukiVersion } from './packageInfo';
@@ -99,6 +99,9 @@ const materializeStrictPolicyAsCode = (repoRoot: string): void => {
   }
 };
 
+const isPreWriteEnforcementGapIssue = (message: string): boolean =>
+  message.startsWith('ENFORCEMENT_GAP: PRE_WRITE hard-stop lease is not valid');
+
 export const runLifecycleInstall = (params?: {
   cwd?: string;
   git?: ILifecycleGitService;
@@ -114,8 +117,13 @@ export const runLifecycleInstall = (params?: {
     cwd: params?.cwd,
     git,
   });
+  const installBlockingIssues = report.issues.filter(
+    (issue) => issue.severity === 'error' && !isPreWriteEnforcementGapIssue(issue.message)
+  );
+  const hasInstallBlockingIssues =
+    installBlockingIssues.length > 0 || report.deep?.blocking === true;
 
-  if (doctorHasBlockingIssues(report)) {
+  if (hasInstallBlockingIssues) {
     if (bestEffortAfterDoctorBlock) {
       const version = getCurrentPumukiVersion();
       const priorArtifacts = readOpenSpecManagedArtifacts(git, report.repoRoot);
@@ -135,8 +143,8 @@ export const runLifecycleInstall = (params?: {
         degradedDoctorBypass: true,
       };
     }
-    const renderedIssues = report.issues.map((issue) => `- [${issue.severity}] ${issue.message}`).join('\n');
-    const firstIssue = report.issues[0];
+    const renderedIssues = installBlockingIssues.map((issue) => `- [${issue.severity}] ${issue.message}`).join('\n');
+    const firstIssue = installBlockingIssues[0];
     const notificationResult = (params?.notifyGateBlocked ?? emitGateBlockedNotification)({
       repoRoot: report.repoRoot,
       stage: 'PRE_COMMIT',

package/integrations/lifecycle/preWriteAutomation.ts

@@ -1,8 +1,11 @@
+import { existsSync } from 'node:fs';
 import { evaluateAiGate } from '../gate/evaluateAiGate';
+import { GitService } from '../git/GitService';
 import { runPlatformGate } from '../git/runPlatformGate';
 import { runEnterpriseAiGateCheck } from '../mcp/aiGateCheck';
 import { writeMcpAiGateReceipt } from '../mcp/aiGateReceipt';
 import { evaluateSddPolicy } from '../sdd';
+import { writePreWriteLease } from './preWriteLease';
 
 const PRE_WRITE_AUTOMATION_RETRY_BACKOFF_MS = 200;
 
@@ -33,7 +36,7 @@ const PRE_WRITE_AUTOFIXABLE_MCP_RECEIPT_CODES = new Set<string>([
 ]);
 
 export type PreWriteAutomationAction = {
-  action: 'refresh_evidence' | 'refresh_mcp_receipt' | 'retry_backoff';
+  action: 'refresh_evidence' | 'refresh_mcp_receipt' | 'retry_backoff' | 'write_prewrite_lease';
   status: 'OK' | 'FAILED';
   details: string;
 };
@@ -47,6 +50,7 @@ type PreWriteAutomationDependencies = {
   evaluateAiGate: typeof evaluateAiGate;
   runEnterpriseAiGateCheck: typeof runEnterpriseAiGateCheck;
   writeMcpAiGateReceipt: typeof writeMcpAiGateReceipt;
+  writePreWriteLease: typeof writePreWriteLease;
   sleep: (ms: number) => Promise<void>;
   retryBackoffMs: number;
 };
@@ -55,6 +59,7 @@ const defaultDependencies: PreWriteAutomationDependencies = {
   evaluateAiGate,
   runEnterpriseAiGateCheck,
   writeMcpAiGateReceipt,
+  writePreWriteLease,
   sleep: (ms: number) =>
     new Promise((resolve) => {
       setTimeout(resolve, ms);
@@ -98,7 +103,7 @@ export const buildPreWriteAutomationTrace = async (params: {
     attempted: false,
     actions: [],
   };
-  if (params.sdd.stage !== 'PRE_WRITE' || params.aiGate.allowed) {
+  if (params.sdd.stage !== 'PRE_WRITE') {
     return {
       aiGate: params.aiGate,
       trace,
@@ -106,14 +111,17 @@ export const buildPreWriteAutomationTrace = async (params: {
   }
 
   let aiGate = params.aiGate;
-  if (hasAutoFixableEvidenceViolation(aiGate)) {
+  if (
+    process.env.PUMUKI_PRE_WRITE_REFRESH_GATE !== '0' ||
+    hasAutoFixableEvidenceViolation(aiGate)
+  ) {
     trace.attempted = true;
     try {
       const gateExitCode = await params.runPlatformGate({
         policy: {
           stage: 'PRE_COMMIT',
-          blockOnOrAbove: 'ERROR',
-          warnOnOrAbove: 'WARN',
+          blockOnOrAbove: 'INFO',
+          warnOnOrAbove: 'INFO',
         },
         scope: {
           kind: 'workingTree',
@@ -235,6 +243,28 @@ export const buildPreWriteAutomationTrace = async (params: {
     }
   }
 
+  if (params.sdd.decision.allowed && aiGate.allowed && existsSync(params.repoRoot)) {
+    trace.attempted = true;
+    try {
+      const git = new GitService();
+      const leaseResult = activeDependencies.writePreWriteLease({
+        repoRoot: params.repoRoot,
+        git,
+      });
+      trace.actions.push({
+        action: 'write_prewrite_lease',
+        status: leaseResult.valid ? 'OK' : 'FAILED',
+        details: `${leaseResult.code} path=${leaseResult.path}`,
+      });
+    } catch (error) {
+      trace.actions.push({
+        action: 'write_prewrite_lease',
+        status: 'FAILED',
+        details: error instanceof Error ? error.message : 'Unknown PRE_WRITE lease write error',
+      });
+    }
+  }
+
   return {
     aiGate,
     trace,

package/integrations/lifecycle/preWriteLease.ts

@@ -0,0 +1,271 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { dirname, join } from 'node:path';
+import type { Finding } from '../../core/gate/Finding';
+import type { IGitService } from '../git/GitService';
+import { hasAllowedExtension } from '../git/gitDiffUtils';
+import { DEFAULT_FACT_FILE_EXTENSIONS } from '../git/runPlatformGateFacts';
+
+export type PreWriteLease = {
+  version: '1';
+  kind: 'pumuki-pre-write-lease';
+  repo_root: string;
+  head: string;
+  branch: string | null;
+  issued_at: string;
+  expires_at: string;
+  pre_change_code_changes_count: number;
+  pre_change_code_paths: string[];
+};
+
+export type PreWriteLeaseStatus =
+  | {
+      valid: true;
+      code: 'PRE_WRITE_LEASE_VALID';
+      path: string;
+      lease: PreWriteLease;
+      changedCodePaths: string[];
+    }
+  | {
+      valid: false;
+      code:
+        | 'PRE_WRITE_LEASE_MISSING'
+        | 'PRE_WRITE_LEASE_INVALID'
+        | 'PRE_WRITE_LEASE_EXPIRED'
+        | 'PRE_WRITE_LEASE_HEAD_MISMATCH'
+        | 'PRE_WRITE_LEASE_DIRTY_AT_ISSUE';
+      path: string;
+      message: string;
+      changedCodePaths: string[];
+      lease?: PreWriteLease;
+    };
+
+export type PreWriteLeaseWriteResult = {
+  path: string;
+  written: boolean;
+  valid: boolean;
+  code: 'PRE_WRITE_LEASE_WRITTEN' | 'PRE_WRITE_LEASE_NOT_WRITTEN_DIRTY_CODE';
+  message: string;
+  lease?: PreWriteLease;
+  changedCodePaths: string[];
+};
+
+const PRE_WRITE_LEASE_TTL_MS = 4 * 60 * 60 * 1000;
+
+export const resolvePreWriteLeasePath = (repoRoot: string): string =>
+  join(repoRoot, '.pumuki', 'prewrite-lease.json');
+
+const runGitOrEmpty = (
+  git: Pick<IGitService, 'runGit'>,
+  repoRoot: string,
+  args: ReadonlyArray<string>
+): string => {
+  try {
+    return git.runGit([...args], repoRoot);
+  } catch {
+    return '';
+  }
+};
+
+const collectCodePathsFromOutput = (output: string): string[] =>
+  output
+    .split('\n')
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0)
+    .filter((line) => hasAllowedExtension(line, DEFAULT_FACT_FILE_EXTENSIONS));
+
+export const collectPreWriteCodeChangePaths = (params: {
+  repoRoot: string;
+  git: Pick<IGitService, 'runGit'>;
+}): string[] => {
+  const paths = new Set<string>();
+  for (const output of [
+    runGitOrEmpty(params.git, params.repoRoot, ['diff', '--name-only']),
+    runGitOrEmpty(params.git, params.repoRoot, ['diff', '--cached', '--name-only']),
+    runGitOrEmpty(params.git, params.repoRoot, ['ls-files', '--others', '--exclude-standard']),
+  ]) {
+    for (const path of collectCodePathsFromOutput(output)) {
+      paths.add(path);
+    }
+  }
+  return [...paths].sort((left, right) => left.localeCompare(right));
+};
+
+const resolveHead = (params: {
+  repoRoot: string;
+  git: Pick<IGitService, 'runGit'>;
+}): string => runGitOrEmpty(params.git, params.repoRoot, ['rev-parse', 'HEAD']).trim();
+
+const resolveBranch = (params: {
+  repoRoot: string;
+  git: Pick<IGitService, 'runGit'>;
+}): string | null => {
+  const branch = runGitOrEmpty(params.git, params.repoRoot, ['rev-parse', '--abbrev-ref', 'HEAD']).trim();
+  return branch.length === 0 || branch === 'HEAD' ? null : branch;
+};
+
+const parseLease = (raw: string): PreWriteLease | undefined => {
+  try {
+    const value = JSON.parse(raw) as Partial<PreWriteLease>;
+    if (
+      value.version === '1' &&
+      value.kind === 'pumuki-pre-write-lease' &&
+      typeof value.repo_root === 'string' &&
+      typeof value.head === 'string' &&
+      typeof value.issued_at === 'string' &&
+      typeof value.expires_at === 'string' &&
+      typeof value.pre_change_code_changes_count === 'number' &&
+      Array.isArray(value.pre_change_code_paths)
+    ) {
+      return {
+        version: '1',
+        kind: 'pumuki-pre-write-lease',
+        repo_root: value.repo_root,
+        head: value.head,
+        branch: typeof value.branch === 'string' ? value.branch : null,
+        issued_at: value.issued_at,
+        expires_at: value.expires_at,
+        pre_change_code_changes_count: value.pre_change_code_changes_count,
+        pre_change_code_paths: value.pre_change_code_paths.filter(
+          (item): item is string => typeof item === 'string'
+        ),
+      };
+    }
+  } catch {
+    return undefined;
+  }
+  return undefined;
+};
+
+export const readPreWriteLeaseStatus = (params: {
+  repoRoot: string;
+  git: Pick<IGitService, 'runGit'>;
+  now?: Date;
+}): PreWriteLeaseStatus => {
+  const path = resolvePreWriteLeasePath(params.repoRoot);
+  const changedCodePaths = collectPreWriteCodeChangePaths(params);
+  if (!existsSync(path)) {
+    return {
+      valid: false,
+      code: 'PRE_WRITE_LEASE_MISSING',
+      path,
+      changedCodePaths,
+      message: 'No valid PRE_WRITE lease exists for this code diff.',
+    };
+  }
+
+  const lease = parseLease(readFileSync(path, 'utf8'));
+  if (!lease) {
+    return {
+      valid: false,
+      code: 'PRE_WRITE_LEASE_INVALID',
+      path,
+      changedCodePaths,
+      message: 'PRE_WRITE lease is invalid or unreadable.',
+    };
+  }
+
+  if (lease.head !== resolveHead(params)) {
+    return {
+      valid: false,
+      code: 'PRE_WRITE_LEASE_HEAD_MISMATCH',
+      path,
+      lease,
+      changedCodePaths,
+      message: 'PRE_WRITE lease was issued for a different HEAD.',
+    };
+  }
+
+  if (Date.parse(lease.expires_at) <= (params.now ?? new Date()).getTime()) {
+    return {
+      valid: false,
+      code: 'PRE_WRITE_LEASE_EXPIRED',
+      path,
+      lease,
+      changedCodePaths,
+      message: 'PRE_WRITE lease has expired.',
+    };
+  }
+
+  if (lease.pre_change_code_changes_count !== 0 || lease.pre_change_code_paths.length !== 0) {
+    return {
+      valid: false,
+      code: 'PRE_WRITE_LEASE_DIRTY_AT_ISSUE',
+      path,
+      lease,
+      changedCodePaths,
+      message: 'PRE_WRITE lease was issued after code changes already existed.',
+    };
+  }
+
+  return {
+    valid: true,
+    code: 'PRE_WRITE_LEASE_VALID',
+    path,
+    lease,
+    changedCodePaths,
+  };
+};
+
+export const writePreWriteLease = (params: {
+  repoRoot: string;
+  git: Pick<IGitService, 'runGit'>;
+  now?: Date;
+}): PreWriteLeaseWriteResult => {
+  const path = resolvePreWriteLeasePath(params.repoRoot);
+  const changedCodePaths = collectPreWriteCodeChangePaths(params);
+  if (changedCodePaths.length > 0) {
+    return {
+      path,
+      written: false,
+      valid: false,
+      code: 'PRE_WRITE_LEASE_NOT_WRITTEN_DIRTY_CODE',
+      changedCodePaths,
+      message:
+        `PRE_WRITE lease not written because code changes already exist: ${changedCodePaths.join(', ')}`,
+    };
+  }
+
+  const issuedAt = params.now ?? new Date();
+  const lease: PreWriteLease = {
+    version: '1',
+    kind: 'pumuki-pre-write-lease',
+    repo_root: params.repoRoot,
+    head: resolveHead(params),
+    branch: resolveBranch(params),
+    issued_at: issuedAt.toISOString(),
+    expires_at: new Date(issuedAt.getTime() + PRE_WRITE_LEASE_TTL_MS).toISOString(),
+    pre_change_code_changes_count: 0,
+    pre_change_code_paths: [],
+  };
+  mkdirSync(dirname(path), { recursive: true });
+  writeFileSync(path, `${JSON.stringify(lease, null, 2)}\n`, 'utf8');
+  return {
+    path,
+    written: true,
+    valid: true,
+    code: 'PRE_WRITE_LEASE_WRITTEN',
+    changedCodePaths,
+    message: 'PRE_WRITE lease written for clean code state.',
+    lease,
+  };
+};
+
+export const toPreWriteEnforcementGapFinding = (params: {
+  stage: 'PRE_COMMIT' | 'PRE_PUSH' | 'CI';
+  status: PreWriteLeaseStatus;
+}): Finding | undefined => {
+  if (params.status.valid || params.status.changedCodePaths.length === 0) {
+    return undefined;
+  }
+  return {
+    ruleId: 'governance.prewrite.enforcement-gap',
+    severity: 'ERROR',
+    code: 'ENFORCEMENT_GAP_PRE_WRITE_LEASE_MISSING',
+    message:
+      `PRE_WRITE hard-stop lease is not valid at ${params.stage}: ${params.status.code}. ` +
+      'Run PRE_WRITE before editing code; hooks/audit cannot accept code diffs without a prior clean PRE_WRITE lease.',
+    filePath: '.pumuki/prewrite-lease.json',
+    matchedBy: 'PreWriteLeaseGuard',
+    source: 'prewrite-lease',
+  };
+};

package/integrations/lifecycle/status.ts

@@ -17,6 +17,7 @@ import {
   readLifecycleDependencyInventory,
   type LifecycleDependencyInventory,
 } from './dependencyInventory';
+import { readPreWriteLeaseStatus } from './preWriteLease';
 
 export type LifecycleStatus = {
   repoRoot: string;
@@ -35,8 +36,23 @@ export type LifecycleStatus = {
 
 const buildLifecycleIssues = (repoRoot: string): ReadonlyArray<DoctorIssue> => {
   const evidenceResult = readEvidenceResult(repoRoot);
+  const preWriteLeaseStatus = readPreWriteLeaseStatus({
+    repoRoot,
+    git: new LifecycleGitService(),
+  });
+  const leaseIssues: DoctorIssue[] =
+    !preWriteLeaseStatus.valid && preWriteLeaseStatus.changedCodePaths.length > 0
+      ? [
+          {
+            severity: 'error',
+            message:
+              `ENFORCEMENT_GAP: PRE_WRITE hard-stop lease is not valid (${preWriteLeaseStatus.code}) ` +
+              `for ${preWriteLeaseStatus.changedCodePaths.length} changed code file(s).`,
+          },
+        ]
+      : [];
   if (evidenceResult.kind !== 'valid') {
-    return [];
+    return leaseIssues;
   }
 
   const evidence = evidenceResult.evidence;
@@ -47,11 +63,12 @@ const buildLifecycleIssues = (repoRoot: string): ReadonlyArray<DoctorIssue> => {
 
   if (!blocked) {
     if (evidence.snapshot.outcome !== 'WARN') {
-      return [];
+      return leaseIssues;
     }
 
     const warnStage = evidence?.snapshot?.stage ?? 'PRE_WRITE';
     return [
+      ...leaseIssues,
       {
         severity: 'warning',
         message: appendTrackingActionableContext({
@@ -68,6 +85,7 @@ const buildLifecycleIssues = (repoRoot: string): ReadonlyArray<DoctorIssue> => {
     message: `Governance is blocked (${blockedStage}).`,
   });
   return [
+    ...leaseIssues,
     {
       severity: 'error',
       message,

package/integrations/policy/skillsEnforcement.ts

@@ -48,8 +48,8 @@ export const resolveSkillsEnforcement = (): SkillsEnforcementResolution => {
     };
   }
   return {
-    mode: 'advisory',
+    mode: 'strict',
     source: 'default',
-    blocking: false,
+    blocking: true,
   };
 };

package/integrations/policy/tddBddEnforcement.ts

@@ -52,9 +52,9 @@ export const resolveTddBddEnforcement = (): TddBddEnforcementResolution => {
     };
   }
   return {
-    mode: 'advisory',
+    mode: 'strict',
     source: 'default',
-    blocking: false,
+    blocking: true,
   };
 };
 
@@ -71,6 +71,7 @@ const applyTddBddFindingEnforcement = (
   return {
     ...finding,
     severity: 'WARN',
+    blocking: false,
   };
 };
 

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.267",
+  "version": "6.3.268",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/scripts/package-install-smoke-execution-lib.ts

@@ -4,6 +4,7 @@ import {
   assertLifecycleStatusMatchesSnapshot,
   captureLifecycleStatusSnapshot,
   runLifecycleInstallStep,
+  runLifecyclePreWriteStep,
   runLifecycleUninstallStep,
 } from './package-install-smoke-lifecycle-lib';
 import {
@@ -37,10 +38,11 @@ export const runPackageInstallSmoke = (mode: SmokeMode): void => {
     });
 
     setupConsumerRepository(workspace, mode);
+    runLifecycleInstallStep(workspace);
+    runLifecyclePreWriteStep(workspace);
     writeStagedPayload(workspace, mode);
 
     const lifecycleStatusSnapshot = captureLifecycleStatusSnapshot(workspace);
-    runLifecycleInstallStep(workspace);
 
     const results = runDefaultSmokeGateSteps({
       workspace,

package/scripts/package-install-smoke-gate-lib.ts

@@ -25,6 +25,9 @@ export const runGateStep = (
   expectation: SmokeExpectation
 ): { outcome: string; exitCode: number } => {
   const gateEnv: NodeJS.ProcessEnv = {
+    PUMUKI_DISABLE_SYSTEM_NOTIFICATIONS: '1',
+    PUMUKI_SYSTEM_NOTIFICATIONS: '0',
+    PUMUKI_NOTIFICATIONS: '0',
     PUMUKI_SDD_BYPASS: '1',
     ...(step.label === 'ci' ? { GITHUB_BASE_REF: 'main' } : {}),
   };

package/scripts/package-install-smoke-lifecycle-lib.ts

@@ -38,6 +38,9 @@ export const runLifecycleInstallStep = (workspace: SmokeWorkspace): void => {
     executable: command.executable,
     args: command.args,
     env: {
+      PUMUKI_DISABLE_SYSTEM_NOTIFICATIONS: '1',
+      PUMUKI_SYSTEM_NOTIFICATIONS: '0',
+      PUMUKI_NOTIFICATIONS: '0',
       PUMUKI_SKIP_OPENSPEC_BOOTSTRAP: '1',
     },
   });
@@ -46,6 +49,27 @@ export const runLifecycleInstallStep = (workspace: SmokeWorkspace): void => {
   assertSuccess(result, 'pumuki lifecycle install');
 };
 
+export const runLifecyclePreWriteStep = (workspace: SmokeWorkspace): void => {
+  const command = resolveConsumerPumukiCommand({
+    consumerRepo: workspace.consumerRepo,
+    binary: 'pumuki-pre-write',
+  });
+  const result = runCommand({
+    cwd: workspace.consumerRepo,
+    executable: command.executable,
+    args: command.args,
+    env: {
+      PUMUKI_DISABLE_SYSTEM_NOTIFICATIONS: '1',
+      PUMUKI_SYSTEM_NOTIFICATIONS: '0',
+      PUMUKI_NOTIFICATIONS: '0',
+      PUMUKI_SDD_BYPASS: '1',
+    },
+  });
+  pushCommandLog(workspace.commandLog, result);
+  assertNoFatalOutput(result, 'pumuki lifecycle pre-write');
+  assertSuccess(result, 'pumuki lifecycle pre-write');
+};
+
 export const runLifecycleUninstallStep = (workspace: SmokeWorkspace): void => {
   const command = resolveConsumerPumukiCommand({
     consumerRepo: workspace.consumerRepo,
@@ -56,6 +80,11 @@ export const runLifecycleUninstallStep = (workspace: SmokeWorkspace): void => {
     cwd: workspace.consumerRepo,
     executable: command.executable,
     args: command.args,
+    env: {
+      PUMUKI_DISABLE_SYSTEM_NOTIFICATIONS: '1',
+      PUMUKI_SYSTEM_NOTIFICATIONS: '0',
+      PUMUKI_NOTIFICATIONS: '0',
+    },
   });
   pushCommandLog(workspace.commandLog, result);
   assertNoFatalOutput(result, 'pumuki lifecycle uninstall');