pumuki 6.3.270 → 6.3.272

package/core/rules/presets/heuristics/ios.ts

@@ -37,6 +37,24 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_ANYVIEW_AST',
     },
   },
+  {
+    id: 'heuristics.ios.type-erasure.any.ast',
+    description: 'Detects Swift Any/AnyObject/AnyHashable type erasure in production code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.type-erasure.any.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected Swift Any/AnyObject/AnyHashable type erasure in production code.',
+      code: 'HEURISTICS_IOS_TYPE_ERASURE_ANY_AST',
+    },
+  },
   {
     id: 'heuristics.ios.force-try.ast',
     description: 'Detects Swift force try usage in production code.',
@@ -91,6 +109,25 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_CALLBACK_STYLE_AST',
     },
   },
+  {
+    id: 'heuristics.ios.combine.sink-without-store.ast',
+    description: 'Detects Combine sink subscriptions that are not retained with store(in:).',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.combine.sink-without-store.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected Combine sink without store(in:); keep cancellables retained explicitly.',
+      code: 'HEURISTICS_IOS_COMBINE_SINK_WITHOUT_STORE_AST',
+    },
+  },
   {
     id: 'heuristics.ios.dispatchqueue.ast',
     description: 'Detects DispatchQueue usage in iOS production code.',
@@ -257,6 +294,24 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_SWIFTUI_ONCHANGE_TASK_AST',
     },
   },
+  {
+    id: 'heuristics.ios.swiftui.onchange-readonly-var.ast',
+    description: 'Detects local var declarations inside SwiftUI onChange closures where let should be used for read-only derived values.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.swiftui.onchange-readonly-var.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected local var inside SwiftUI onChange; prefer let for read-only derived values.',
+      code: 'HEURISTICS_IOS_SWIFTUI_ONCHANGE_READONLY_VAR_AST',
+    },
+  },
   {
     id: 'heuristics.ios.memory.strong-delegate.ast',
     description: 'Detects strong delegate/dataSource references in iOS production code.',
@@ -295,6 +350,63 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_MEMORY_STRONG_SELF_ESCAPING_CLOSURE_AST',
     },
   },
+  {
+    id: 'heuristics.ios.memory.unowned-self-capture.ast',
+    description: 'Detects unowned captures in iOS closures.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.memory.unowned-self-capture.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected unowned capture in an iOS closure; use weak capture unless lifetime is explicitly guaranteed.',
+      code: 'HEURISTICS_IOS_MEMORY_UNOWNED_SELF_CAPTURE_AST',
+    },
+  },
+  {
+    id: 'heuristics.ios.maintainability.nested-if-pyramid.ast',
+    description: 'Detects deeply nested if pyramids in iOS production code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.maintainability.nested-if-pyramid.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected nested if pyramid in iOS code; prefer guard clauses and early returns.',
+      code: 'HEURISTICS_IOS_MAINTAINABILITY_NESTED_IF_PYRAMID_AST',
+    },
+  },
+  {
+    id: 'heuristics.ios.maintainability.comment-trivia.ast',
+    description: 'Detects source comments in iOS production Swift code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.maintainability.comment-trivia.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected source comments in iOS production code; prefer self-documenting names and extracted concepts.',
+      code: 'HEURISTICS_IOS_MAINTAINABILITY_COMMENT_TRIVIA_AST',
+    },
+  },
   {
     id: 'heuristics.ios.architecture.custom-singleton.ast',
     description: 'Detects custom static shared singletons in iOS production code.',
@@ -590,6 +702,25 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_LOCALIZATION_LOCALIZABLE_STRINGS_AST',
     },
   },
+  {
+    id: 'heuristics.ios.interface-builder.storyboard-xib.ast',
+    description: 'Detects Storyboard/XIB usage where programmatic UI should be used.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.interface-builder.storyboard-xib.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected Storyboard/XIB usage; programmatic SwiftUI/UIKit UI remains the preferred baseline.',
+      code: 'HEURISTICS_IOS_INTERFACE_BUILDER_STORYBOARD_XIB_AST',
+    },
+  },
   {
     id: 'heuristics.ios.localization.hardcoded-ui-string.ast',
     description: 'Detects hardcoded user-facing SwiftUI text where String(localized:) and String Catalogs are preferred.',
@@ -698,6 +829,43 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_ACCESSIBILITY_ICON_ONLY_CONTROL_LABEL_AST',
     },
   },
+  {
+    id: 'heuristics.ios.accessibility.missing-accessibility-identifier.ast',
+    description: 'Detects interactive SwiftUI controls without accessibilityIdentifier.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.accessibility.missing-accessibility-identifier.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected an interactive SwiftUI control without accessibilityIdentifier; stable identifiers are required for UI automation and traceability.',
+      code: 'HEURISTICS_IOS_ACCESSIBILITY_MISSING_ACCESSIBILITY_IDENTIFIER_AST',
+    },
+  },
+  {
+    id: 'heuristics.ios.swiftui.missing-bindable-observable-binding.ast',
+    description: 'Detects injected @Observable values used as bindings without @Bindable.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.swiftui.missing-bindable-observable-binding.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected an injected @Observable used as a binding without @Bindable.',
+      code: 'HEURISTICS_IOS_SWIFTUI_MISSING_BINDABLE_OBSERVABLE_BINDING_AST',
+    },
+  },
   {
     id: 'heuristics.ios.unchecked-sendable.ast',
     description: 'Detects @unchecked Sendable usage in iOS production code.',
@@ -788,6 +956,24 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_OBSERVABLE_OBJECT_AST',
     },
   },
+  {
+    id: 'heuristics.ios.swiftui.legacy-preview-provider.ast',
+    description: 'Detects PreviewProvider usage where modern SwiftUI #Preview macros should be used.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.swiftui.legacy-preview-provider.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected PreviewProvider usage; use #Preview macros for modern SwiftUI previews.',
+      code: 'HEURISTICS_IOS_SWIFTUI_LEGACY_PREVIEW_PROVIDER_AST',
+    },
+  },
   {
     id: 'heuristics.ios.legacy-swiftui-observable-wrapper.ast',
     description: 'Detects @StateObject and @ObservedObject usage in modern SwiftUI production code.',
@@ -806,6 +992,61 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_LEGACY_SWIFTUI_OBSERVABLE_WRAPPER_AST',
     },
   },
+  {
+    id: 'heuristics.ios.testing.test-double-without-protocol.ast',
+    description: 'Detects Swift Mock/Fake/Spy/Stub classes without protocol conformance.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.testing.test-double-without-protocol.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected a Swift test double class without protocol conformance.',
+      code: 'HEURISTICS_IOS_TESTING_TEST_DOUBLE_WITHOUT_PROTOCOL_AST',
+    },
+  },
+  {
+    id: 'heuristics.ios.testing.production-test-double.ast',
+    description: 'Detects Mock/Fake/Spy/Stub usage in iOS production code.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.testing.production-test-double.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected Mock/Fake/Spy/Stub usage in iOS production code.',
+      code: 'HEURISTICS_IOS_TESTING_PRODUCTION_TEST_DOUBLE_AST',
+    },
+  },
+  {
+    id: 'heuristics.ios.accessibility.low-contrast-static-color-pair.ast',
+    description: 'Detects static SwiftUI foreground/background color pairs with insufficient contrast.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.accessibility.low-contrast-static-color-pair.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected a static SwiftUI foreground/background color pair with insufficient contrast.',
+      code: 'HEURISTICS_IOS_ACCESSIBILITY_LOW_CONTRAST_STATIC_COLOR_PAIR_AST',
+    },
+  },
   {
     id: 'heuristics.ios.swiftui.non-private-state-ownership.ast',
     description: 'Detects @State/@StateObject declarations without private visibility in SwiftUI presentation code.',
@@ -1454,7 +1695,7 @@ export const iosRules: RuleSet = [
   },
   {
     id: 'heuristics.ios.testing.wait-for-expectations.ast',
-    description: 'Detects wait(for:) and waitForExpectations(timeout:) usage in async iOS tests.',
+    description: 'Detects wait(for:), waitForExpectations(timeout:) and waitForExistence(timeout:) usage in async iOS tests.',
     severity: 'WARN',
     platform: 'ios',
     locked: true,
@@ -1466,7 +1707,7 @@ export const iosRules: RuleSet = [
     },
     then: {
       kind: 'Finding',
-      message: 'AST heuristic detected wait(for:)/waitForExpectations usage where await fulfillment(of:) may be preferred.',
+      message: 'AST heuristic detected wait(for:)/waitForExpectations/waitForExistence usage where an explicit async wait contract may be preferred.',
       code: 'HEURISTICS_IOS_TESTING_WAIT_FOR_EXPECTATIONS_AST',
     },
   },

package/core/rules/presets/heuristics/typescript.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { typescriptRules } from './typescript';
 
 test('typescriptRules define reglas heurísticas locked para plataforma generic', () => {
-  assert.equal(typescriptRules.length, 19);
+  assert.equal(typescriptRules.length, 28);
 
   const ids = typescriptRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -16,6 +16,15 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
     'heuristics.ts.set-timeout-string.ast',
     'heuristics.ts.set-interval-string.ast',
     'heuristics.ts.new-promise-async.ast',
+    'heuristics.ts.bcrypt-weak-salt-rounds.ast',
+    'heuristics.ts.sql-interpolated-unsafe-call.ast',
+    'heuristics.ts.sensitive-token-in-url.ast',
+    'heuristics.tsx.non-semantic-clickable.ast',
+    'heuristics.tsx.redundant-aria-role.ast',
+    'heuristics.ts.frontend-test-direct-network-call.ast',
+    'heuristics.ts.callback-hell.ast',
+    'heuristics.ts.nested-if-else.ast',
+    'heuristics.ts.next-pages-api-route.ast',
     'heuristics.ts.with-statement.ast',
     'heuristics.ts.delete-operator.ast',
     'heuristics.ts.debugger.ast',
@@ -37,6 +46,42 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
     byId.get('heuristics.ts.debugger.ast')?.then.code,
     'HEURISTICS_DEBUGGER_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ts.callback-hell.ast')?.then.code,
+    'HEURISTICS_CALLBACK_HELL_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ts.nested-if-else.ast')?.then.code,
+    'HEURISTICS_NESTED_IF_ELSE_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ts.next-pages-api-route.ast')?.then.code,
+    'HEURISTICS_NEXT_PAGES_API_ROUTE_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ts.bcrypt-weak-salt-rounds.ast')?.then.code,
+    'HEURISTICS_BCRYPT_WEAK_SALT_ROUNDS_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ts.sql-interpolated-unsafe-call.ast')?.then.code,
+    'HEURISTICS_SQL_INTERPOLATED_UNSAFE_CALL_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ts.sensitive-token-in-url.ast')?.then.code,
+    'HEURISTICS_SENSITIVE_TOKEN_IN_URL_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ts.frontend-test-direct-network-call.ast')?.then.code,
+    'HEURISTICS_FRONTEND_TEST_DIRECT_NETWORK_CALL_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.tsx.non-semantic-clickable.ast')?.then.code,
+    'HEURISTICS_TSX_NON_SEMANTIC_CLICKABLE_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.tsx.redundant-aria-role.ast')?.then.code,
+    'HEURISTICS_TSX_REDUNDANT_ARIA_ROLE_AST'
+  );
   assert.equal(
     byId.get('heuristics.ts.solid.dip.framework-import.ast')?.then.code,
     'HEURISTICS_SOLID_DIP_FRAMEWORK_IMPORT_AST'
@@ -52,7 +97,10 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
 
   for (const rule of typescriptRules) {
     assert.equal(rule.platform, 'generic');
-    if (rule.id === 'heuristics.ts.god-class-large-class.ast') {
+    if (
+      rule.id === 'heuristics.ts.god-class-large-class.ast' ||
+      rule.id === 'heuristics.ts.sensitive-token-in-url.ast'
+    ) {
       assert.equal(rule.severity, 'ERROR');
     } else {
       assert.equal(rule.severity, 'WARN');

package/core/rules/presets/heuristics/typescript.ts

@@ -163,6 +163,168 @@ export const typescriptRules: RuleSet = [
       code: 'HEURISTICS_NEW_PROMISE_ASYNC_AST',
     },
   },
+  {
+    id: 'heuristics.ts.bcrypt-weak-salt-rounds.ast',
+    description: 'Detects bcrypt hashing calls with numeric salt rounds below 10.',
+    severity: 'WARN',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.bcrypt-weak-salt-rounds.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected bcrypt salt rounds below 10.',
+      code: 'HEURISTICS_BCRYPT_WEAK_SALT_ROUNDS_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.sql-interpolated-unsafe-call.ast',
+    description: 'Detects interpolated template SQL passed to unsafe query/raw calls.',
+    severity: 'WARN',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.sql-interpolated-unsafe-call.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected interpolated SQL passed to an unsafe query/raw call.',
+      code: 'HEURISTICS_SQL_INTERPOLATED_UNSAFE_CALL_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.sensitive-token-in-url.ast',
+    description: 'Detects sensitive credential query parameters in network call URLs.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.sensitive-token-in-url.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected sensitive token or credential in a network URL.',
+      code: 'HEURISTICS_SENSITIVE_TOKEN_IN_URL_AST',
+    },
+  },
+  {
+    id: 'heuristics.tsx.non-semantic-clickable.ast',
+    description: 'Detects non-semantic JSX elements with click handlers and no keyboard accessibility evidence.',
+    severity: 'WARN',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.tsx.non-semantic-clickable.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected non-semantic clickable JSX without keyboard accessibility.',
+      code: 'HEURISTICS_TSX_NON_SEMANTIC_CLICKABLE_AST',
+    },
+  },
+  {
+    id: 'heuristics.tsx.redundant-aria-role.ast',
+    description: 'Detects redundant ARIA roles on semantic JSX elements where native semantics should be used.',
+    severity: 'WARN',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.tsx.redundant-aria-role.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected redundant ARIA role on semantic JSX.',
+      code: 'HEURISTICS_TSX_REDUNDANT_ARIA_ROLE_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.frontend-test-direct-network-call.ast',
+    description: 'Detects direct fetch/axios/request calls in frontend test files where MSW should own API mocking.',
+    severity: 'WARN',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.frontend-test-direct-network-call.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected direct network call usage in a frontend test; use MSW handlers instead.',
+      code: 'HEURISTICS_FRONTEND_TEST_DIRECT_NETWORK_CALL_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.callback-hell.ast',
+    description: 'Detects nested callback functions passed to calls in TypeScript production files.',
+    severity: 'WARN',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.callback-hell.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected nested callback usage.',
+      code: 'HEURISTICS_CALLBACK_HELL_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.nested-if-else.ast',
+    description: 'Detects nested if/else control flow where early returns should be preferred.',
+    severity: 'WARN',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.nested-if-else.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected nested if/else control flow; prefer early returns.',
+      code: 'HEURISTICS_NESTED_IF_ELSE_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.next-pages-api-route.ast',
+    description: 'Detects legacy Next.js pages/api route handlers where app/api route handlers should be used.',
+    severity: 'WARN',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.next-pages-api-route.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected a legacy Next.js pages/api default route handler; use app/api route handlers.',
+      code: 'HEURISTICS_NEXT_PAGES_API_ROUTE_AST',
+    },
+  },
   {
     id: 'heuristics.ts.with-statement.ast',
     description: 'Detects with-statement usage in TypeScript/TSX production files.',

package/docs/operations/RELEASE_NOTES.md

@@ -4,6 +4,14 @@ This file tracks the active deterministic framework line used in this repository
 Canonical release chronology lives in `CHANGELOG.md`.
 This file keeps only the operational highlights and rollout notes that matter while running the framework.
 
+### 2026-05-18 (v6.3.272)
+
+- `PUMUKI-INC-142`: `sdd validate --stage=PRE_WRITE` refreshes evidence with PRE_WRITE semantics before writing the validated-diff lease, avoiding the PRE_COMMIT/PRE_PUSH bootstrap loop that still produced `ENFORCEMENT_GAP_PRE_WRITE_LEASE_MISSING` in real RuralGo commits.
+
+### 2026-05-18 (v6.3.271)
+
+- Published `pumuki@6.3.271` with `PUMUKI-INC-142` lease parity: PRE_WRITE validated staged slices now create a `validated-diff` lease consumed by PRE_COMMIT/PRE_PUSH when the diff is unchanged, while changed slices still fail closed.
+
 ## 2026-04 (CLI stability and macOS notifications)
 
 ### 2026-05-14 (v6.3.267)