pumuki 6.3.269 → 6.3.271

package/integrations/config/skillsRuleClassification.ts

@@ -3,7 +3,7 @@ import { resolveMappedHeuristicRuleIdsForCompiledRule } from './skillsDetectorRe
 
 export type SkillsRuleClassificationStatus =
   | 'AST_IMPLEMENTED'
-  | 'IMPLEMENTABLE_AHORA'
+  | 'IMPLEMENTAR_DETECTOR'
   | 'REQUIERE_ESTUDIO'
   | 'NO_ES_REGLA_DE_CODIGO';
 
@@ -28,7 +28,7 @@ export type SkillsRuleClassificationSummary = {
 
 const emptyStatusCounts = (): Record<SkillsRuleClassificationStatus, number> => ({
   AST_IMPLEMENTED: 0,
-  IMPLEMENTABLE_AHORA: 0,
+  IMPLEMENTAR_DETECTOR: 0,
   REQUIERE_ESTUDIO: 0,
   NO_ES_REGLA_DE_CODIGO: 0,
 });
@@ -55,11 +55,106 @@ const NON_CODE_RULE_PATTERNS: ReadonlyArray<RegExp> = [
   /\bci\/cd\b/,
 ];
 
+const CODE_RULE_WITH_DIRECT_DETECTOR_PATTERNS: ReadonlyArray<RegExp> = [
+  /\baccessibility\b/,
+  /\bcontentdescription\b/,
+  /\bsemantic\b/,
+  /\btest tag\b/,
+  /\basynctask\b/,
+  /\bcallback\b/,
+  /\bglobal ?scope\b/,
+  /\brunblocking\b/,
+  /\bthread\.?sleep\b/,
+  /\bdispatch(queue|group|semaphore)\b/,
+  /\bforce\b.*\b(unwrap|try|cast)\b/,
+  /\btry!\b/,
+  /\bas!\b/,
+  /\bany\b/,
+  /\bconsole\b/,
+  /\blog\b/,
+  /\bprint\b/,
+  /\bsecret\b/,
+  /\btoken\b/,
+  /\bpassword\b/,
+  /\bapi key\b/,
+  /\bhardcoded\b/,
+  /\bmagic number\b/,
+  /\bcolor\b/,
+  /\bdimension\b/,
+  /\bgod\b/,
+  /\blarge\b.*\b(class|component|view|service|function|file)\b/,
+  /\bsolid\b/,
+  /\bsrp\b/,
+  /\bdependency\b.*\binjection\b/,
+  /\bconstructor\b.*\b(param|dependency)/,
+  /\bsharedpreferences\b/,
+  /\buserdefaults\b/,
+  /\bappstorage\b/,
+  /\bkeychain\b/,
+  /\braw sql\b/,
+  /\bsql\b.*\b(template|injection)\b/,
+  /\bempty catch\b/,
+  /\bcatch\b.*\b(empty|silenc)/,
+  /\bmock\b/,
+  /\bspy\b/,
+  /\bjunit4\b/,
+  /\bxctassert\b/,
+  /\bxctunwrap\b/,
+  /\bxctest\b/,
+  /\bquick\b/,
+  /\bnimble\b/,
+  /\bwaitforexpectations\b/,
+  /\bexpectation\(description\b/,
+  /\bnavigationview\b/,
+  /\bgeometryreader\b/,
+  /\banyview\b/,
+  /\bforegroundcolor\b/,
+  /\bcornerradius\b/,
+  /\bsheet\b.*\bispresented\b/,
+  /\bscrollview\b.*\bshowsindicators\b/,
+  /\bforeach\b.*\b(indices|index)\b/,
+  /\bonchange\b/,
+  /\bontapgesture\b/,
+  /\buiscreen\.main\.bounds\b/,
+  /\bstring\(format\b/,
+  /\bobservableobject\b/,
+  /\bstateobject\b/,
+  /\bobservable\b/,
+  /\blivedata\b/,
+  /\bstateflow\b/,
+  /\bsharedflow\b/,
+  /\bremember\b/,
+  /\blaunched(effect)?\b/,
+  /\blazy(column|row|vstack|hstack)\b/,
+  /\bwindow ?size ?class\b/,
+  /\bpadding\b/,
+  /\bframe\b/,
+  /\bfont\b/,
+  /\broute\b/,
+  /\bnavigation\b/,
+];
+
+const STUDY_BEFORE_DETECTOR_RULE_IDS = new Set<string>([
+  'skills.android.guideline.android.adaptive-layouts-responsive-design-windowsizeclass',
+  'skills.android.guideline.android.color-contrast-wcag-aa-mi-nimo',
+  'skills.android.guideline.android.play-console-production-deployment',
+  'skills.backend.guideline.backend.dependency-injection-injectable-inject-providers-array',
+  'skills.backend.guideline.backend.event-store-log-de-eventos-para-auditori-a',
+]);
+
+const requiresStudyBeforeDetector = (rule: SkillsCompiledRule): boolean =>
+  STUDY_BEFORE_DETECTOR_RULE_IDS.has(rule.id);
+
 const isNonCodeRule = (rule: SkillsCompiledRule): boolean => {
   const haystack = normalizeText(`${rule.id} ${rule.description} ${rule.sourceSkill}`);
   return NON_CODE_RULE_PATTERNS.some((pattern) => pattern.test(haystack));
 };
 
+const hasDirectCodeDetectorCandidate = (rule: SkillsCompiledRule): boolean => {
+  const haystack = normalizeText(`${rule.id} ${rule.description} ${rule.sourceSkill}`);
+  return CODE_RULE_WITH_DIRECT_DETECTOR_PATTERNS.some((pattern) => pattern.test(haystack));
+};
+
 const classifyRule = (rule: SkillsCompiledRule): ClassifiedSkillsRule => {
   const evaluationMode = rule.evaluationMode ?? 'AUTO';
   const astNodeIds = resolveMappedHeuristicRuleIdsForCompiledRule(rule);
@@ -86,12 +181,27 @@ const classifyRule = (rule: SkillsCompiledRule): ClassifiedSkillsRule => {
       sourcePath: rule.sourcePath,
       evaluationMode,
       severity: rule.severity,
-      status: 'IMPLEMENTABLE_AHORA',
+      status: 'IMPLEMENTAR_DETECTOR',
       reason: 'AUTO rule without AST/nodal detector binding; implement detector mapping.',
       astNodeIds,
     };
   }
 
+  if (requiresStudyBeforeDetector(rule)) {
+    return {
+      ruleId: rule.id,
+      platform: rule.platform,
+      sourceSkill: rule.sourceSkill,
+      sourcePath: rule.sourcePath,
+      evaluationMode,
+      severity: rule.severity,
+      status: 'REQUIERE_ESTUDIO',
+      reason:
+        'Rule has code relevance, but the AST/nodal signal needs explicit design before implementation to avoid poor umbrella detectors.',
+      astNodeIds,
+    };
+  }
+
   if (isNonCodeRule(rule)) {
     return {
       ruleId: rule.id,
@@ -106,6 +216,20 @@ const classifyRule = (rule: SkillsCompiledRule): ClassifiedSkillsRule => {
     };
   }
 
+  if (hasDirectCodeDetectorCandidate(rule)) {
+    return {
+      ruleId: rule.id,
+      platform: rule.platform,
+      sourceSkill: rule.sourceSkill,
+      sourcePath: rule.sourcePath,
+      evaluationMode,
+      severity: rule.severity,
+      status: 'IMPLEMENTAR_DETECTOR',
+      reason: 'Code rule has a direct AST/nodal detection surface; implement detector and blocking evidence.',
+      astNodeIds,
+    };
+  }
+
   return {
     ruleId: rule.id,
     platform: rule.platform,

package/integrations/context/contextGate.ts

@@ -0,0 +1,192 @@
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
+import type { Finding } from '../../core/gate/Finding';
+import type { GateStage } from '../../core/gate/GateStage';
+
+export type ContextGateStatus = 'applied' | 'blocked' | 'disabled';
+
+export type ContextGateResult = {
+  status: ContextGateStatus;
+  finding?: Finding;
+};
+
+export const CONTEXT_FILE = '.pumuki/context/context.json';
+const CONTEXT_GATE_ENV = 'PUMUKI_CONTEXT_GATE';
+const CONTEXT_SCHEMA_VERSION = 1;
+
+const isStrictContextGate = (): boolean => {
+  const normalized = process.env[CONTEXT_GATE_ENV]?.trim().toLowerCase();
+  return normalized !== 'off' && normalized !== '0' && normalized !== 'false' && normalized !== 'disabled';
+};
+
+type LocalContextDocument = {
+  schema_version: number;
+  repo_root: string;
+  generated_at: string;
+  contract: {
+    status: 'applied';
+    required_before_gate: true;
+    agent_instruction: string;
+    user_remediation: string;
+  };
+};
+
+export type ContextLifecycleResult = {
+  status: 'ok' | 'blocked';
+  path: string;
+  message: string;
+  document?: LocalContextDocument;
+};
+
+const buildContextDocument = (repoRoot: string): LocalContextDocument => ({
+  schema_version: CONTEXT_SCHEMA_VERSION,
+  repo_root: repoRoot,
+  generated_at: new Date().toISOString(),
+  contract: {
+    status: 'applied',
+    required_before_gate: true,
+    agent_instruction:
+      'STOP si este contexto no se puede leer o validar antes de editar, auditar, commitear o pushear.',
+    user_remediation:
+      'Ejecuta `npx pumuki context repair` y reejecuta el gate antes de continuar.',
+  },
+});
+
+const contextPathForRepo = (repoRoot: string): string => join(repoRoot, CONTEXT_FILE);
+
+const parseContextDocument = (repoRoot: string): LocalContextDocument => {
+  const contextPath = contextPathForRepo(repoRoot);
+  const parsed: unknown = JSON.parse(readFileSync(contextPath, 'utf8'));
+  if (!parsed || typeof parsed !== 'object') {
+    throw new Error(`${CONTEXT_FILE} no contiene un objeto JSON valido`);
+  }
+  const candidate = parsed as Partial<LocalContextDocument>;
+  if (candidate.schema_version !== CONTEXT_SCHEMA_VERSION) {
+    throw new Error(`${CONTEXT_FILE} tiene schema_version invalido`);
+  }
+  if (candidate.repo_root !== repoRoot) {
+    throw new Error(`${CONTEXT_FILE} pertenece a otro repo_root`);
+  }
+  if (
+    !candidate.contract ||
+    candidate.contract.status !== 'applied' ||
+    candidate.contract.required_before_gate !== true ||
+    typeof candidate.contract.agent_instruction !== 'string' ||
+    candidate.contract.agent_instruction.trim().length === 0 ||
+    typeof candidate.contract.user_remediation !== 'string' ||
+    candidate.contract.user_remediation.trim().length === 0
+  ) {
+    throw new Error(`${CONTEXT_FILE} no declara contrato aplicado para usuario y agente IA`);
+  }
+  return candidate as LocalContextDocument;
+};
+
+export const writeLocalContext = (repoRoot: string): ContextLifecycleResult => {
+  const contextPath = contextPathForRepo(repoRoot);
+  const document = buildContextDocument(repoRoot);
+  mkdirSync(join(repoRoot, '.pumuki/context'), { recursive: true });
+  writeFileSync(contextPath, `${JSON.stringify(document, null, 2)}\n`, 'utf8');
+  return {
+    status: 'ok',
+    path: contextPath,
+    message: 'Contexto local Pumuki inicializado y aplicado.',
+    document,
+  };
+};
+
+export const readLocalContextStatus = (repoRoot: string): ContextLifecycleResult => {
+  const contextPath = contextPathForRepo(repoRoot);
+  if (!existsSync(contextPath)) {
+    return {
+      status: 'blocked',
+      path: contextPath,
+      message:
+        `Pumuki bloqueado: falta ${CONTEXT_FILE}. Ejecuta ` +
+        '`npx pumuki context init` o `npx pumuki context repair`.',
+    };
+  }
+  try {
+    const document = parseContextDocument(repoRoot);
+    return {
+      status: 'ok',
+      path: contextPath,
+      message: 'Contexto local Pumuki leido, validado y aplicado.',
+      document,
+    };
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : 'context validation error';
+    return {
+      status: 'blocked',
+      path: contextPath,
+      message:
+        `Pumuki bloqueado: contexto local invalido. Causa: ${reason}. Ejecuta ` +
+        '`npx pumuki context repair`.',
+    };
+  }
+};
+
+export const repairLocalContext = (repoRoot: string): ContextLifecycleResult =>
+  writeLocalContext(repoRoot);
+
+const contextBlockedFinding = (params: {
+  stage: GateStage;
+  code: string;
+  cause: string;
+  evidence: string;
+}): Finding => ({
+  ruleId: 'governance.context.local-context-not-applied',
+  severity: 'ERROR',
+  code: params.code,
+  message:
+    `Pumuki bloqueado: contexto local obligatorio no aplicado en ${params.stage}. ` +
+    `Causa: ${params.cause}. ` +
+    `Evidencia: ${params.evidence}. ` +
+    'Usuario: ejecuta `npx pumuki context init` si el repo no tiene contexto, o `npx pumuki context repair` si existe pero no valida. ' +
+    'Agente IA: STOP. No edites archivos ni continues la tarea hasta leer, validar y aplicar el contexto local del repo.',
+  filePath: CONTEXT_FILE,
+  matchedBy: 'PumukiContextGate',
+  source: 'pumuki-context-store',
+  why: 'Pumuki no puede garantizar continuidad entre sesiones ni aplicar el contrato activo del repo sin contexto local validado.',
+  impact: 'El agente y el usuario podrian trabajar con task, contrato o evidencia stale.',
+  expected_fix:
+    'Inicializa o repara el contexto local: `npx pumuki context init` o `npx pumuki context repair`, y reejecuta el gate.',
+});
+
+export const evaluateContextGate = (params: {
+  repoRoot: string;
+  stage: GateStage;
+}): ContextGateResult => {
+  if (!isStrictContextGate()) {
+    return { status: 'disabled' };
+  }
+
+  const contextPath = contextPathForRepo(params.repoRoot);
+  if (!existsSync(contextPath)) {
+    return {
+      status: 'blocked',
+      finding: contextBlockedFinding({
+        stage: params.stage,
+        code: 'CONTEXT_NOT_APPLIED',
+        cause: `No existe ${CONTEXT_FILE}`,
+        evidence: contextPath,
+      }),
+    };
+  }
+
+  try {
+    parseContextDocument(params.repoRoot);
+  } catch (error) {
+    const reason = error instanceof Error ? error.message : 'JSON parse error';
+    return {
+      status: 'blocked',
+      finding: contextBlockedFinding({
+        stage: params.stage,
+        code: 'CONTEXT_INVALID',
+        cause: reason,
+        evidence: contextPath,
+      }),
+    };
+  }
+
+  return { status: 'applied' };
+};

package/integrations/git/runPlatformGate.ts

@@ -286,6 +286,9 @@ const toSkillsDeclarativeRulesClassificationFinding = (params: {
   declarativeRuleIds: ReadonlyArray<string>;
   facts: ReadonlyArray<Fact>;
 }): Finding | undefined => {
+  if (process.env.PUMUKI_ENFORCE_DECLARATIVE_RULE_CLASSIFICATION !== '1') {
+    return undefined;
+  }
   if (params.declarativeRuleIds.length === 0) {
     return undefined;
   }
@@ -302,7 +305,7 @@ const toSkillsDeclarativeRulesClassificationFinding = (params: {
     message:
       `Skills declarative rules require AST/nodal classification at ${params.stage}: ` +
       `total=${params.declarativeRuleIds.length} sample_rule_ids=[${sampleRuleIds}]. ` +
-      'Classify every rule as IMPLEMENTABLE_AHORA, REQUIERE_ESTUDIO, or NO_ES_REGLA_DE_CODIGO; code skills cannot remain as hidden declarative/advisory rules.',
+      'Classify every rule as IMPLEMENTAR_DETECTOR, REQUIERE_ESTUDIO, or NO_ES_REGLA_DE_CODIGO; code skills cannot remain as hidden declarative/advisory rules.',
     filePath: 'skills.lock.json',
     matchedBy: 'SkillsDeclarativeRulesClassificationGuard',
     source: 'skills-declarative-rules-classification',

package/integrations/lifecycle/preWriteAutomation.ts

@@ -250,6 +250,7 @@ export const buildPreWriteAutomationTrace = async (params: {
       const leaseResult = activeDependencies.writePreWriteLease({
         repoRoot: params.repoRoot,
         git,
+        allowExistingCodeChanges: true,
       });
       trace.actions.push({
         action: 'write_prewrite_lease',

package/integrations/lifecycle/preWriteLease.ts

@@ -8,6 +8,7 @@ import { DEFAULT_FACT_FILE_EXTENSIONS } from '../git/runPlatformGateFacts';
 export type PreWriteLease = {
   version: '1';
   kind: 'pumuki-pre-write-lease';
+  validation_mode?: 'clean-prewrite' | 'validated-diff';
   repo_root: string;
   head: string;
   branch: string | null;
@@ -119,6 +120,10 @@ const parseLease = (raw: string): PreWriteLease | undefined => {
       return {
         version: '1',
         kind: 'pumuki-pre-write-lease',
+        validation_mode:
+          value.validation_mode === 'validated-diff' || value.validation_mode === 'clean-prewrite'
+            ? value.validation_mode
+            : undefined,
         repo_root: value.repo_root,
         head: value.head,
         branch: typeof value.branch === 'string' ? value.branch : null,
@@ -186,6 +191,33 @@ export const readPreWriteLeaseStatus = (params: {
     };
   }
 
+  if (lease.validation_mode === 'validated-diff') {
+    const expectedPaths = [...lease.pre_change_code_paths].sort((left, right) => left.localeCompare(right));
+    const currentPaths = [...changedCodePaths].sort((left, right) => left.localeCompare(right));
+    if (
+      lease.pre_change_code_changes_count !== expectedPaths.length ||
+      expectedPaths.length !== currentPaths.length ||
+      expectedPaths.some((path, index) => path !== currentPaths[index])
+    ) {
+      return {
+        valid: false,
+        code: 'PRE_WRITE_LEASE_DIRTY_AT_ISSUE',
+        path,
+        lease,
+        changedCodePaths,
+        message: 'PRE_WRITE lease was issued for a different validated code diff.',
+      };
+    }
+
+    return {
+      valid: true,
+      code: 'PRE_WRITE_LEASE_VALID',
+      path,
+      lease,
+      changedCodePaths,
+    };
+  }
+
   if (lease.pre_change_code_changes_count !== 0 || lease.pre_change_code_paths.length !== 0) {
     return {
       valid: false,
@@ -210,10 +242,11 @@ export const writePreWriteLease = (params: {
   repoRoot: string;
   git: Pick<IGitService, 'runGit'>;
   now?: Date;
+  allowExistingCodeChanges?: boolean;
 }): PreWriteLeaseWriteResult => {
   const path = resolvePreWriteLeasePath(params.repoRoot);
   const changedCodePaths = collectPreWriteCodeChangePaths(params);
-  if (changedCodePaths.length > 0) {
+  if (changedCodePaths.length > 0 && !params.allowExistingCodeChanges) {
     return {
       path,
       written: false,
@@ -229,13 +262,14 @@ export const writePreWriteLease = (params: {
   const lease: PreWriteLease = {
     version: '1',
     kind: 'pumuki-pre-write-lease',
+    validation_mode: changedCodePaths.length > 0 ? 'validated-diff' : 'clean-prewrite',
     repo_root: params.repoRoot,
     head: resolveHead(params),
     branch: resolveBranch(params),
     issued_at: issuedAt.toISOString(),
     expires_at: new Date(issuedAt.getTime() + PRE_WRITE_LEASE_TTL_MS).toISOString(),
-    pre_change_code_changes_count: 0,
-    pre_change_code_paths: [],
+    pre_change_code_changes_count: changedCodePaths.length,
+    pre_change_code_paths: changedCodePaths,
   };
   mkdirSync(dirname(path), { recursive: true });
   writeFileSync(path, `${JSON.stringify(lease, null, 2)}\n`, 'utf8');
@@ -245,7 +279,10 @@ export const writePreWriteLease = (params: {
     valid: true,
     code: 'PRE_WRITE_LEASE_WRITTEN',
     changedCodePaths,
-    message: 'PRE_WRITE lease written for clean code state.',
+    message:
+      changedCodePaths.length > 0
+        ? 'PRE_WRITE lease written for validated code diff.'
+        : 'PRE_WRITE lease written for clean code state.',
     lease,
   };
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.269",
+  "version": "6.3.271",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {
@@ -239,6 +239,7 @@
     "core/rules/presets/*.ts",
     "core/rules/presets/heuristics/*.ts",
     "integrations/config/*.ts",
+    "integrations/context/*.ts",
     "integrations/evidence/*.ts",
     "integrations/gate/*.ts",
     "integrations/git/*.ts",

package/scripts/classify-skills-rules.ts

@@ -19,8 +19,8 @@ process.stdout.write(`${JSON.stringify({
     AST_IMPLEMENTED: summary.rules
       .filter((rule) => rule.status === 'AST_IMPLEMENTED')
       .slice(0, 12),
-    IMPLEMENTABLE_AHORA: summary.rules
-      .filter((rule) => rule.status === 'IMPLEMENTABLE_AHORA')
+    IMPLEMENTAR_DETECTOR: summary.rules
+      .filter((rule) => rule.status === 'IMPLEMENTAR_DETECTOR')
       .slice(0, 12),
     REQUIERE_ESTUDIO: summary.rules
       .filter((rule) => rule.status === 'REQUIERE_ESTUDIO')

package/scripts/framework-menu-consumer-actions-lib.ts

@@ -26,22 +26,22 @@ export const createConsumerLegacyMenuActions = (
   return [
     {
       id: '1',
-      label: 'Consumer preflight + gate: ALL tracked files (PRE_COMMIT · writes evidence)',
+      label: 'Full audit (repo analysis)',
       execute: params.runFullAudit,
     },
     {
       id: '2',
-      label: 'Consumer preflight + gate: REPO+index contract (PRE_PUSH · disk skip risk if evidence tracked)',
+      label: 'Strict REPO+STAGING (CI/CD)',
       execute: params.runStrictRepoAndStaged,
     },
     {
       id: '3',
-      label: 'Consumer preflight + gate: STAGED only (PRE_COMMIT)',
+      label: 'Strict STAGING only (dev)',
       execute: params.runStrictStagedOnly,
     },
     {
       id: '4',
-      label: 'Consumer preflight + gate: working tree (PRE_PUSH policy · disk skip risk if evidence tracked)',
+      label: 'Standard CRITICAL/HIGH',
       execute: params.runStandardCriticalHigh,
     },
     {
@@ -66,27 +66,27 @@ export const createConsumerLegacyMenuActions = (
     },
     {
       id: '5',
-      label: 'Legacy read-only pattern checks snapshot',
+      label: 'Pattern checks',
       execute: params.runPatternChecks,
     },
     {
       id: '6',
-      label: 'Legacy read-only ESLint evidence snapshot',
+      label: 'ESLint Admin+Web',
       execute: params.runEslintAudit,
     },
     {
       id: '7',
-      label: 'Legacy read-only AST snapshot',
+      label: 'AST Intelligence',
       execute: params.runAstIntelligence,
     },
     {
       id: '8',
-      label: 'Export legacy read-only evidence snapshot',
+      label: 'Export Markdown',
       execute: params.runExportMarkdown,
     },
     {
       id: '9',
-      label: 'Legacy read-only file diagnostics snapshot',
+      label: 'File diagnostics',
       execute: params.runFileDiagnostics,
     },
     {