pumuki 6.3.270 → 6.3.271

package/integrations/config/skillsRuleClassification.ts

@@ -3,7 +3,7 @@ import { resolveMappedHeuristicRuleIdsForCompiledRule } from './skillsDetectorRe
 
 export type SkillsRuleClassificationStatus =
   | 'AST_IMPLEMENTED'
-  | 'IMPLEMENTABLE_AHORA'
+  | 'IMPLEMENTAR_DETECTOR'
   | 'REQUIERE_ESTUDIO'
   | 'NO_ES_REGLA_DE_CODIGO';
 
@@ -28,7 +28,7 @@ export type SkillsRuleClassificationSummary = {
 
 const emptyStatusCounts = (): Record<SkillsRuleClassificationStatus, number> => ({
   AST_IMPLEMENTED: 0,
-  IMPLEMENTABLE_AHORA: 0,
+  IMPLEMENTAR_DETECTOR: 0,
   REQUIERE_ESTUDIO: 0,
   NO_ES_REGLA_DE_CODIGO: 0,
 });
@@ -55,11 +55,106 @@ const NON_CODE_RULE_PATTERNS: ReadonlyArray<RegExp> = [
   /\bci\/cd\b/,
 ];
 
+const CODE_RULE_WITH_DIRECT_DETECTOR_PATTERNS: ReadonlyArray<RegExp> = [
+  /\baccessibility\b/,
+  /\bcontentdescription\b/,
+  /\bsemantic\b/,
+  /\btest tag\b/,
+  /\basynctask\b/,
+  /\bcallback\b/,
+  /\bglobal ?scope\b/,
+  /\brunblocking\b/,
+  /\bthread\.?sleep\b/,
+  /\bdispatch(queue|group|semaphore)\b/,
+  /\bforce\b.*\b(unwrap|try|cast)\b/,
+  /\btry!\b/,
+  /\bas!\b/,
+  /\bany\b/,
+  /\bconsole\b/,
+  /\blog\b/,
+  /\bprint\b/,
+  /\bsecret\b/,
+  /\btoken\b/,
+  /\bpassword\b/,
+  /\bapi key\b/,
+  /\bhardcoded\b/,
+  /\bmagic number\b/,
+  /\bcolor\b/,
+  /\bdimension\b/,
+  /\bgod\b/,
+  /\blarge\b.*\b(class|component|view|service|function|file)\b/,
+  /\bsolid\b/,
+  /\bsrp\b/,
+  /\bdependency\b.*\binjection\b/,
+  /\bconstructor\b.*\b(param|dependency)/,
+  /\bsharedpreferences\b/,
+  /\buserdefaults\b/,
+  /\bappstorage\b/,
+  /\bkeychain\b/,
+  /\braw sql\b/,
+  /\bsql\b.*\b(template|injection)\b/,
+  /\bempty catch\b/,
+  /\bcatch\b.*\b(empty|silenc)/,
+  /\bmock\b/,
+  /\bspy\b/,
+  /\bjunit4\b/,
+  /\bxctassert\b/,
+  /\bxctunwrap\b/,
+  /\bxctest\b/,
+  /\bquick\b/,
+  /\bnimble\b/,
+  /\bwaitforexpectations\b/,
+  /\bexpectation\(description\b/,
+  /\bnavigationview\b/,
+  /\bgeometryreader\b/,
+  /\banyview\b/,
+  /\bforegroundcolor\b/,
+  /\bcornerradius\b/,
+  /\bsheet\b.*\bispresented\b/,
+  /\bscrollview\b.*\bshowsindicators\b/,
+  /\bforeach\b.*\b(indices|index)\b/,
+  /\bonchange\b/,
+  /\bontapgesture\b/,
+  /\buiscreen\.main\.bounds\b/,
+  /\bstring\(format\b/,
+  /\bobservableobject\b/,
+  /\bstateobject\b/,
+  /\bobservable\b/,
+  /\blivedata\b/,
+  /\bstateflow\b/,
+  /\bsharedflow\b/,
+  /\bremember\b/,
+  /\blaunched(effect)?\b/,
+  /\blazy(column|row|vstack|hstack)\b/,
+  /\bwindow ?size ?class\b/,
+  /\bpadding\b/,
+  /\bframe\b/,
+  /\bfont\b/,
+  /\broute\b/,
+  /\bnavigation\b/,
+];
+
+const STUDY_BEFORE_DETECTOR_RULE_IDS = new Set<string>([
+  'skills.android.guideline.android.adaptive-layouts-responsive-design-windowsizeclass',
+  'skills.android.guideline.android.color-contrast-wcag-aa-mi-nimo',
+  'skills.android.guideline.android.play-console-production-deployment',
+  'skills.backend.guideline.backend.dependency-injection-injectable-inject-providers-array',
+  'skills.backend.guideline.backend.event-store-log-de-eventos-para-auditori-a',
+]);
+
+const requiresStudyBeforeDetector = (rule: SkillsCompiledRule): boolean =>
+  STUDY_BEFORE_DETECTOR_RULE_IDS.has(rule.id);
+
 const isNonCodeRule = (rule: SkillsCompiledRule): boolean => {
   const haystack = normalizeText(`${rule.id} ${rule.description} ${rule.sourceSkill}`);
   return NON_CODE_RULE_PATTERNS.some((pattern) => pattern.test(haystack));
 };
 
+const hasDirectCodeDetectorCandidate = (rule: SkillsCompiledRule): boolean => {
+  const haystack = normalizeText(`${rule.id} ${rule.description} ${rule.sourceSkill}`);
+  return CODE_RULE_WITH_DIRECT_DETECTOR_PATTERNS.some((pattern) => pattern.test(haystack));
+};
+
 const classifyRule = (rule: SkillsCompiledRule): ClassifiedSkillsRule => {
   const evaluationMode = rule.evaluationMode ?? 'AUTO';
   const astNodeIds = resolveMappedHeuristicRuleIdsForCompiledRule(rule);
@@ -86,12 +181,27 @@ const classifyRule = (rule: SkillsCompiledRule): ClassifiedSkillsRule => {
       sourcePath: rule.sourcePath,
       evaluationMode,
       severity: rule.severity,
-      status: 'IMPLEMENTABLE_AHORA',
+      status: 'IMPLEMENTAR_DETECTOR',
       reason: 'AUTO rule without AST/nodal detector binding; implement detector mapping.',
       astNodeIds,
     };
   }
 
+  if (requiresStudyBeforeDetector(rule)) {
+    return {
+      ruleId: rule.id,
+      platform: rule.platform,
+      sourceSkill: rule.sourceSkill,
+      sourcePath: rule.sourcePath,
+      evaluationMode,
+      severity: rule.severity,
+      status: 'REQUIERE_ESTUDIO',
+      reason:
+        'Rule has code relevance, but the AST/nodal signal needs explicit design before implementation to avoid poor umbrella detectors.',
+      astNodeIds,
+    };
+  }
+
   if (isNonCodeRule(rule)) {
     return {
       ruleId: rule.id,
@@ -106,6 +216,20 @@ const classifyRule = (rule: SkillsCompiledRule): ClassifiedSkillsRule => {
     };
   }
 
+  if (hasDirectCodeDetectorCandidate(rule)) {
+    return {
+      ruleId: rule.id,
+      platform: rule.platform,
+      sourceSkill: rule.sourceSkill,
+      sourcePath: rule.sourcePath,
+      evaluationMode,
+      severity: rule.severity,
+      status: 'IMPLEMENTAR_DETECTOR',
+      reason: 'Code rule has a direct AST/nodal detection surface; implement detector and blocking evidence.',
+      astNodeIds,
+    };
+  }
+
   return {
     ruleId: rule.id,
     platform: rule.platform,

package/integrations/git/runPlatformGate.ts

@@ -286,6 +286,9 @@ const toSkillsDeclarativeRulesClassificationFinding = (params: {
   declarativeRuleIds: ReadonlyArray<string>;
   facts: ReadonlyArray<Fact>;
 }): Finding | undefined => {
+  if (process.env.PUMUKI_ENFORCE_DECLARATIVE_RULE_CLASSIFICATION !== '1') {
+    return undefined;
+  }
   if (params.declarativeRuleIds.length === 0) {
     return undefined;
   }
@@ -302,7 +305,7 @@ const toSkillsDeclarativeRulesClassificationFinding = (params: {
     message:
       `Skills declarative rules require AST/nodal classification at ${params.stage}: ` +
       `total=${params.declarativeRuleIds.length} sample_rule_ids=[${sampleRuleIds}]. ` +
-      'Classify every rule as IMPLEMENTABLE_AHORA, REQUIERE_ESTUDIO, or NO_ES_REGLA_DE_CODIGO; code skills cannot remain as hidden declarative/advisory rules.',
+      'Classify every rule as IMPLEMENTAR_DETECTOR, REQUIERE_ESTUDIO, or NO_ES_REGLA_DE_CODIGO; code skills cannot remain as hidden declarative/advisory rules.',
     filePath: 'skills.lock.json',
     matchedBy: 'SkillsDeclarativeRulesClassificationGuard',
     source: 'skills-declarative-rules-classification',

package/integrations/lifecycle/preWriteAutomation.ts

@@ -250,6 +250,7 @@ export const buildPreWriteAutomationTrace = async (params: {
       const leaseResult = activeDependencies.writePreWriteLease({
         repoRoot: params.repoRoot,
         git,
+        allowExistingCodeChanges: true,
       });
       trace.actions.push({
         action: 'write_prewrite_lease',

package/integrations/lifecycle/preWriteLease.ts

@@ -8,6 +8,7 @@ import { DEFAULT_FACT_FILE_EXTENSIONS } from '../git/runPlatformGateFacts';
 export type PreWriteLease = {
   version: '1';
   kind: 'pumuki-pre-write-lease';
+  validation_mode?: 'clean-prewrite' | 'validated-diff';
   repo_root: string;
   head: string;
   branch: string | null;
@@ -119,6 +120,10 @@ const parseLease = (raw: string): PreWriteLease | undefined => {
       return {
         version: '1',
         kind: 'pumuki-pre-write-lease',
+        validation_mode:
+          value.validation_mode === 'validated-diff' || value.validation_mode === 'clean-prewrite'
+            ? value.validation_mode
+            : undefined,
         repo_root: value.repo_root,
         head: value.head,
         branch: typeof value.branch === 'string' ? value.branch : null,
@@ -186,6 +191,33 @@ export const readPreWriteLeaseStatus = (params: {
     };
   }
 
+  if (lease.validation_mode === 'validated-diff') {
+    const expectedPaths = [...lease.pre_change_code_paths].sort((left, right) => left.localeCompare(right));
+    const currentPaths = [...changedCodePaths].sort((left, right) => left.localeCompare(right));
+    if (
+      lease.pre_change_code_changes_count !== expectedPaths.length ||
+      expectedPaths.length !== currentPaths.length ||
+      expectedPaths.some((path, index) => path !== currentPaths[index])
+    ) {
+      return {
+        valid: false,
+        code: 'PRE_WRITE_LEASE_DIRTY_AT_ISSUE',
+        path,
+        lease,
+        changedCodePaths,
+        message: 'PRE_WRITE lease was issued for a different validated code diff.',
+      };
+    }
+
+    return {
+      valid: true,
+      code: 'PRE_WRITE_LEASE_VALID',
+      path,
+      lease,
+      changedCodePaths,
+    };
+  }
+
   if (lease.pre_change_code_changes_count !== 0 || lease.pre_change_code_paths.length !== 0) {
     return {
       valid: false,
@@ -210,10 +242,11 @@ export const writePreWriteLease = (params: {
   repoRoot: string;
   git: Pick<IGitService, 'runGit'>;
   now?: Date;
+  allowExistingCodeChanges?: boolean;
 }): PreWriteLeaseWriteResult => {
   const path = resolvePreWriteLeasePath(params.repoRoot);
   const changedCodePaths = collectPreWriteCodeChangePaths(params);
-  if (changedCodePaths.length > 0) {
+  if (changedCodePaths.length > 0 && !params.allowExistingCodeChanges) {
     return {
       path,
       written: false,
@@ -229,13 +262,14 @@ export const writePreWriteLease = (params: {
   const lease: PreWriteLease = {
     version: '1',
     kind: 'pumuki-pre-write-lease',
+    validation_mode: changedCodePaths.length > 0 ? 'validated-diff' : 'clean-prewrite',
     repo_root: params.repoRoot,
     head: resolveHead(params),
     branch: resolveBranch(params),
     issued_at: issuedAt.toISOString(),
     expires_at: new Date(issuedAt.getTime() + PRE_WRITE_LEASE_TTL_MS).toISOString(),
-    pre_change_code_changes_count: 0,
-    pre_change_code_paths: [],
+    pre_change_code_changes_count: changedCodePaths.length,
+    pre_change_code_paths: changedCodePaths,
   };
   mkdirSync(dirname(path), { recursive: true });
   writeFileSync(path, `${JSON.stringify(lease, null, 2)}\n`, 'utf8');
@@ -245,7 +279,10 @@ export const writePreWriteLease = (params: {
     valid: true,
     code: 'PRE_WRITE_LEASE_WRITTEN',
     changedCodePaths,
-    message: 'PRE_WRITE lease written for clean code state.',
+    message:
+      changedCodePaths.length > 0
+        ? 'PRE_WRITE lease written for validated code diff.'
+        : 'PRE_WRITE lease written for clean code state.',
     lease,
   };
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.270",
+  "version": "6.3.271",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/scripts/classify-skills-rules.ts

@@ -19,8 +19,8 @@ process.stdout.write(`${JSON.stringify({
     AST_IMPLEMENTED: summary.rules
       .filter((rule) => rule.status === 'AST_IMPLEMENTED')
       .slice(0, 12),
-    IMPLEMENTABLE_AHORA: summary.rules
-      .filter((rule) => rule.status === 'IMPLEMENTABLE_AHORA')
+    IMPLEMENTAR_DETECTOR: summary.rules
+      .filter((rule) => rule.status === 'IMPLEMENTAR_DETECTOR')
       .slice(0, 12),
     REQUIERE_ESTUDIO: summary.rules
       .filter((rule) => rule.status === 'REQUIERE_ESTUDIO')

package/scripts/framework-menu-consumer-actions-lib.ts

@@ -26,22 +26,22 @@ export const createConsumerLegacyMenuActions = (
   return [
     {
       id: '1',
-      label: 'Consumer preflight + gate: ALL tracked files (PRE_COMMIT · writes evidence)',
+      label: 'Full audit (repo analysis)',
       execute: params.runFullAudit,
     },
     {
       id: '2',
-      label: 'Consumer preflight + gate: REPO+index contract (PRE_PUSH · disk skip risk if evidence tracked)',
+      label: 'Strict REPO+STAGING (CI/CD)',
       execute: params.runStrictRepoAndStaged,
     },
     {
       id: '3',
-      label: 'Consumer preflight + gate: STAGED only (PRE_COMMIT)',
+      label: 'Strict STAGING only (dev)',
       execute: params.runStrictStagedOnly,
     },
     {
       id: '4',
-      label: 'Consumer preflight + gate: working tree (PRE_PUSH policy · disk skip risk if evidence tracked)',
+      label: 'Standard CRITICAL/HIGH',
       execute: params.runStandardCriticalHigh,
     },
     {
@@ -66,27 +66,27 @@ export const createConsumerLegacyMenuActions = (
     },
     {
       id: '5',
-      label: 'Legacy read-only pattern checks snapshot',
+      label: 'Pattern checks',
       execute: params.runPatternChecks,
     },
     {
       id: '6',
-      label: 'Legacy read-only ESLint evidence snapshot',
+      label: 'ESLint Admin+Web',
       execute: params.runEslintAudit,
     },
     {
       id: '7',
-      label: 'Legacy read-only AST snapshot',
+      label: 'AST Intelligence',
       execute: params.runAstIntelligence,
     },
     {
       id: '8',
-      label: 'Export legacy read-only evidence snapshot',
+      label: 'Export Markdown',
       execute: params.runExportMarkdown,
     },
     {
       id: '9',
-      label: 'Legacy read-only file diagnostics snapshot',
+      label: 'File diagnostics',
       execute: params.runFileDiagnostics,
     },
     {

package/scripts/framework-menu-consumer-runtime-actions.ts

@@ -12,7 +12,12 @@ import {
   renderConsumerRuntimePatternChecks,
   renderConsumerRuntimeSummary,
 } from './framework-menu-consumer-runtime-audit';
-import type { ConsumerAction, ConsumerRuntimeEmitNotification, ConsumerRuntimeWrite } from './framework-menu-consumer-runtime-types';
+import type {
+  ConsumerAction,
+  ConsumerRuntimeEmitNotification,
+  ConsumerRuntimeGateResult,
+  ConsumerRuntimeWrite,
+} from './framework-menu-consumer-runtime-types';
 
 type ConsumerRuntimeActionDependencies = {
   repoRoot: string;
@@ -61,49 +66,54 @@ const runConsumerRuntimePreflight = async (
   );
 };
 
+const renderSummaryAfterGate = (
+  dependencies: Pick<
+    ConsumerRuntimeActionDependencies,
+    | 'clearSummaryOverride'
+    | 'emitNotification'
+    | 'getSummaryOverride'
+    | 'repoRoot'
+    | 'setSummaryOverride'
+    | 'useColor'
+    | 'write'
+  >,
+  gateResult: ConsumerRuntimeGateResult | void
+) => {
+  if (gateResult?.blocked) {
+    dependencies.setSummaryOverride(
+      buildConsumerRuntimeBlockedSummary(gateResult.blocked)
+    );
+  } else {
+    dependencies.clearSummaryOverride();
+  }
+  const summary = renderConsumerRuntimeSummary({
+    repoRoot: dependencies.repoRoot,
+    write: dependencies.write,
+    useColor: dependencies.useColor,
+    summaryOverride: dependencies.getSummaryOverride(),
+  });
+  notifyConsumerRuntimeAuditSummary(
+    {
+      emitNotification: dependencies.emitNotification,
+      repoRoot: dependencies.repoRoot,
+    },
+    summary
+  );
+  return summary;
+};
+
 export const createConsumerRuntimeActions = (
   dependencies: ConsumerRuntimeActionDependencies
 ): ReadonlyArray<ConsumerAction> =>
   createConsumerLegacyMenuActions({
     runFullAudit: async () => {
       await runConsumerRuntimePreflight(dependencies, 'PRE_COMMIT');
-      await dependencies.runRepoGate();
-      dependencies.clearSummaryOverride();
-      notifyConsumerRuntimeAuditSummary(
-        {
-          emitNotification: dependencies.emitNotification,
-          repoRoot: dependencies.repoRoot,
-        },
-        renderConsumerRuntimeSummary({
-          repoRoot: dependencies.repoRoot,
-          write: dependencies.write,
-          useColor: dependencies.useColor,
-        })
-      );
+      renderSummaryAfterGate(dependencies, await dependencies.runRepoGate());
     },
     runStrictRepoAndStaged: async () => {
       await runConsumerRuntimePreflight(dependencies, 'PRE_PUSH');
       const gateResult = await dependencies.runRepoAndStagedGate();
-      if (gateResult?.blocked) {
-        dependencies.setSummaryOverride(
-          buildConsumerRuntimeBlockedSummary(gateResult.blocked)
-        );
-      } else {
-        dependencies.clearSummaryOverride();
-      }
-      const summary = renderConsumerRuntimeSummary({
-        repoRoot: dependencies.repoRoot,
-        write: dependencies.write,
-        useColor: dependencies.useColor,
-        summaryOverride: dependencies.getSummaryOverride(),
-      });
-      notifyConsumerRuntimeAuditSummary(
-        {
-          emitNotification: dependencies.emitNotification,
-          repoRoot: dependencies.repoRoot,
-        },
-        summary
-      );
+      const summary = renderSummaryAfterGate(dependencies, gateResult);
       if (
         !gateResult?.blocked
         && (summary.outcome === 'PASS' || summary.outcome === 'WARN')
@@ -113,109 +123,35 @@ export const createConsumerRuntimeActions = (
     },
     runStrictStagedOnly: async () => {
       await runConsumerRuntimePreflight(dependencies, 'PRE_COMMIT');
-      await dependencies.runStagedGate();
-      dependencies.clearSummaryOverride();
-      const summary = renderConsumerRuntimeSummary({
-        repoRoot: dependencies.repoRoot,
-        write: dependencies.write,
-        useColor: dependencies.useColor,
-      });
-      notifyConsumerRuntimeAuditSummary(
-        {
-          emitNotification: dependencies.emitNotification,
-          repoRoot: dependencies.repoRoot,
-        },
-        summary
-      );
+      const summary = renderSummaryAfterGate(dependencies, await dependencies.runStagedGate());
       printConsumerRuntimeEmptyScopeHint({ write: dependencies.write }, summary, 'staged');
     },
     runStandardCriticalHigh: async () => {
       await runConsumerRuntimePreflight(dependencies, 'PRE_PUSH');
-      await dependencies.runWorkingTreeGate();
-      dependencies.clearSummaryOverride();
-      const summary = renderConsumerRuntimeSummary({
-        repoRoot: dependencies.repoRoot,
-        write: dependencies.write,
-        useColor: dependencies.useColor,
-      });
-      notifyConsumerRuntimeAuditSummary(
-        {
-          emitNotification: dependencies.emitNotification,
-          repoRoot: dependencies.repoRoot,
-        },
-        summary
-      );
+      const gateResult = await dependencies.runWorkingTreeGate();
+      const summary = renderSummaryAfterGate(dependencies, gateResult);
       if (summary.outcome === 'PASS' || summary.outcome === 'WARN') {
         printPrePushTrackedEvidenceDiskHint({ write: dependencies.write });
       }
       printConsumerRuntimeEmptyScopeHint({ write: dependencies.write }, summary, 'workingTree');
     },
     runEngineStagedNoPreflight: async () => {
-      await dependencies.runStagedGate();
-      dependencies.clearSummaryOverride();
-      const summary = renderConsumerRuntimeSummary({
-        repoRoot: dependencies.repoRoot,
-        write: dependencies.write,
-        useColor: dependencies.useColor,
-      });
-      notifyConsumerRuntimeAuditSummary(
-        {
-          emitNotification: dependencies.emitNotification,
-          repoRoot: dependencies.repoRoot,
-        },
-        summary
-      );
+      const summary = renderSummaryAfterGate(dependencies, await dependencies.runStagedGate());
       printConsumerRuntimeEmptyScopeHint({ write: dependencies.write }, summary, 'staged');
     },
     runEngineUnstagedNoPreflight: async () => {
-      await dependencies.runUnstagedGate();
-      dependencies.clearSummaryOverride();
-      const summary = renderConsumerRuntimeSummary({
-        repoRoot: dependencies.repoRoot,
-        write: dependencies.write,
-        useColor: dependencies.useColor,
-      });
-      notifyConsumerRuntimeAuditSummary(
-        {
-          emitNotification: dependencies.emitNotification,
-          repoRoot: dependencies.repoRoot,
-        },
-        summary
-      );
+      const summary = renderSummaryAfterGate(dependencies, await dependencies.runUnstagedGate());
       printConsumerRuntimeEmptyScopeHint({ write: dependencies.write }, summary, 'unstaged');
     },
     runEngineStagedAndUnstagedNoPreflight: async () => {
-      await dependencies.runWorkingTreePreCommitGate();
-      dependencies.clearSummaryOverride();
-      const summary = renderConsumerRuntimeSummary({
-        repoRoot: dependencies.repoRoot,
-        write: dependencies.write,
-        useColor: dependencies.useColor,
-      });
-      notifyConsumerRuntimeAuditSummary(
-        {
-          emitNotification: dependencies.emitNotification,
-          repoRoot: dependencies.repoRoot,
-        },
-        summary
+      const summary = renderSummaryAfterGate(
+        dependencies,
+        await dependencies.runWorkingTreePreCommitGate()
       );
       printConsumerRuntimeEmptyScopeHint({ write: dependencies.write }, summary, 'workingTree');
     },
     runEngineFullRepoNoPreflight: async () => {
-      await dependencies.runRepoGate();
-      dependencies.clearSummaryOverride();
-      const summary = renderConsumerRuntimeSummary({
-        repoRoot: dependencies.repoRoot,
-        write: dependencies.write,
-        useColor: dependencies.useColor,
-      });
-      notifyConsumerRuntimeAuditSummary(
-        {
-          emitNotification: dependencies.emitNotification,
-          repoRoot: dependencies.repoRoot,
-        },
-        summary
-      );
+      renderSummaryAfterGate(dependencies, await dependencies.runRepoGate());
     },
     runPatternChecks: async () => {
       dependencies.write(`\n${renderConsumerRuntimePatternChecks(dependencies.repoRoot)}\n`);

package/scripts/framework-menu-consumer-runtime-audit.ts

@@ -33,6 +33,9 @@ export const renderConsumerRuntimeSummary = (
   dependencies: ConsumerRuntimeSummaryDependencies
 ): FrameworkMenuEvidenceSummary => {
   const summary = dependencies.summaryOverride ?? readEvidenceSummaryForMenu(dependencies.repoRoot);
+  const canonicalSummary = dependencies.summaryOverride
+    ? readEvidenceSummaryForMenu(dependencies.repoRoot)
+    : null;
   const lines = [
     formatEvidenceSummaryForMenu(summary),
     '',
@@ -41,6 +44,13 @@ export const renderConsumerRuntimeSummary = (
     `Files affected: ${summary.filesAffected}`,
   ];
 
+  const driftLines = canonicalSummary
+    ? buildConsumerRuntimeEvidenceDriftLines(summary, canonicalSummary)
+    : [];
+  if (driftLines.length > 0) {
+    lines.push('', ...driftLines);
+  }
+
   if (summary.status === 'ok' && summary.topFindings.length > 0) {
     const primaryFinding = summary.topFindings[0];
     lines.push('', `Primary block: ${primaryFinding.ruleId}`);
@@ -74,6 +84,62 @@ export const renderConsumerRuntimeSummary = (
   return summary;
 };
 
+const toPlatformMap = (
+  summary: FrameworkMenuEvidenceSummary
+): Map<string, number> =>
+  new Map((summary.platformAuditRows ?? []).map((row) => [row.platform, row.violations]));
+
+const buildConsumerRuntimeEvidenceDriftLines = (
+  gateSummary: FrameworkMenuEvidenceSummary,
+  canonicalSummary: FrameworkMenuEvidenceSummary
+): string[] => {
+  const drifts: string[] = [];
+  if (canonicalSummary.status !== 'ok') {
+    return [
+      `⚠ Menu/gate evidence drift: canonical_evidence=${canonicalSummary.status}; using gate blocked summary`,
+    ];
+  }
+  if (gateSummary.stage !== canonicalSummary.stage) {
+    drifts.push(`stage gate=${gateSummary.stage ?? 'null'} evidence=${canonicalSummary.stage ?? 'null'}`);
+  }
+  if (gateSummary.outcome !== canonicalSummary.outcome) {
+    drifts.push(`outcome gate=${gateSummary.outcome ?? 'null'} evidence=${canonicalSummary.outcome ?? 'null'}`);
+  }
+  if (gateSummary.totalFindings !== canonicalSummary.totalFindings) {
+    drifts.push(`totalFindings gate=${gateSummary.totalFindings} evidence=${canonicalSummary.totalFindings}`);
+  }
+
+  const severityKeys = ['CRITICAL', 'HIGH', 'MEDIUM', 'LOW'] as const;
+  for (const key of severityKeys) {
+    const gateValue = gateSummary.byEnterpriseSeverity?.[key] ?? 0;
+    const evidenceValue = canonicalSummary.byEnterpriseSeverity?.[key] ?? 0;
+    if (gateValue !== evidenceValue) {
+      drifts.push(`severity.${key} gate=${gateValue} evidence=${evidenceValue}`);
+    }
+  }
+
+  const gatePlatforms = toPlatformMap(gateSummary);
+  const evidencePlatforms = toPlatformMap(canonicalSummary);
+  const platformNames = [...new Set([...gatePlatforms.keys(), ...evidencePlatforms.keys()])].sort();
+  for (const platform of platformNames) {
+    const gateValue = gatePlatforms.get(platform) ?? 0;
+    const evidenceValue = evidencePlatforms.get(platform) ?? 0;
+    if (gateValue !== evidenceValue) {
+      drifts.push(`platform.${platform} gate=${gateValue} evidence=${evidenceValue}`);
+    }
+  }
+
+  if (drifts.length === 0) {
+    return [];
+  }
+  return [
+    '⚠ Menu/gate evidence drift detected',
+    'Diagnostic code: MENU_GATE_EVIDENCE_DRIFT',
+    'Diagnostic severity: HIGH',
+    ...drifts.map((drift) => `- ${drift}`),
+  ];
+};
+
 export const printPrePushTrackedEvidenceDiskHint = (params: {
   write: ConsumerRuntimeSummaryDependencies['write'];
 }): void => {