pumuki 6.3.293 → 6.3.294

package/VERSION

@@ -1 +1 @@
-6.3.291
+6.3.294

package/core/facts/detectors/text/ios.test.ts

@@ -98,9 +98,11 @@ import {
   hasSwiftNonIBOutletImplicitlyUnwrappedOptionalUsage,
   hasSwiftObservableObjectUsage,
   hasSwiftOnChangeTaskUsage,
+  collectSwiftOnChangeTaskLines,
   collectSwiftOnChangeReadonlyVarLines,
   hasSwiftOnChangeReadonlyVarUsage,
   hasSwiftOnAppearTaskUsage,
+  collectSwiftOnAppearTaskLines,
   hasSwiftOnTapGestureUsage,
   hasSwiftOperationQueueUsage,
   hasSwiftContainsUserFilterUsage,
@@ -766,7 +768,9 @@ struct FeedView: View {
 `;
 
   assert.equal(hasSwiftOnAppearTaskUsage(source), true);
+  assert.deepEqual(collectSwiftOnAppearTaskLines(source), [8]);
   assert.equal(hasSwiftOnAppearTaskUsage(safe), false);
+  assert.deepEqual(collectSwiftOnAppearTaskLines(safe), []);
 });
 
 test('hasSwiftOnChangeTaskUsage detecta Task dentro de onChange y preserva task id', () => {
@@ -803,7 +807,9 @@ struct SearchView: View {
 `;
 
   assert.equal(hasSwiftOnChangeTaskUsage(source), true);
+  assert.deepEqual(collectSwiftOnChangeTaskLines(source), [8]);
   assert.equal(hasSwiftOnChangeTaskUsage(safe), false);
+  assert.deepEqual(collectSwiftOnChangeTaskLines(safe), []);
 });
 
 test('hasSwiftOnChangeReadonlyVarUsage detecta var local dentro de onChange y preserva let', () => {

package/core/facts/detectors/text/ios.ts

@@ -699,17 +699,52 @@ export const hasSwiftEmptyCatchUsage = (source: string): boolean => {
 };
 
 export const hasSwiftOnAppearTaskUsage = (source: string): boolean => {
-  const sanitized = sanitizeSwiftSourceForMultilineRegex(source);
-  return /\.onAppear\s*\{[\s\S]{0,500}?\bTask\s*(?:\([^)]*\))?\s*\{/.test(sanitized);
+  return collectSwiftOnAppearTaskLines(source).length > 0;
 };
 
 export const hasSwiftOnChangeTaskUsage = (source: string): boolean => {
-  const sanitized = sanitizeSwiftSourceForMultilineRegex(source);
-  return /\.onChange\s*\([^)]*\)\s*\{[\s\S]{0,500}?\bTask\s*(?:\([^)]*\))?\s*\{/.test(
-    sanitized
-  );
+  return collectSwiftOnChangeTaskLines(source).length > 0;
 };
 
+const collectSwiftLifecycleTaskLines = (
+  source: string,
+  lifecyclePattern: RegExp
+): readonly number[] => {
+  const lines: number[] = [];
+  let insideLifecycle = false;
+  let braceDepth = 0;
+
+  source.split(/\r?\n/).forEach((rawLine, index) => {
+    const line = stripSwiftLineForSemanticScan(rawLine);
+
+    if (!insideLifecycle && lifecyclePattern.test(line)) {
+      insideLifecycle = true;
+      braceDepth = 0;
+    }
+
+    if (insideLifecycle && /\bTask\s*(?:\([^)]*\))?\s*\{/.test(line)) {
+      lines.push(index + 1);
+    }
+
+    if (insideLifecycle) {
+      const opened = (line.match(/\{/g) ?? []).length;
+      const closed = (line.match(/\}/g) ?? []).length;
+      braceDepth += opened - closed;
+      if (braceDepth <= 0) {
+        insideLifecycle = false;
+      }
+    }
+  });
+
+  return sortedUniqueLines(lines);
+};
+
+export const collectSwiftOnAppearTaskLines = (source: string): readonly number[] =>
+  collectSwiftLifecycleTaskLines(source, /\.onAppear\s*\{/);
+
+export const collectSwiftOnChangeTaskLines = (source: string): readonly number[] =>
+  collectSwiftLifecycleTaskLines(source, /\.onChange\s*\([^)]*\)\s*\{/);
+
 export const collectSwiftOnChangeReadonlyVarLines = (source: string): readonly number[] => {
   const lines: number[] = [];
   let insideOnChange = false;

package/core/facts/detectors/typescript/index.test.ts

@@ -6,6 +6,7 @@ import {
   findDtoPropertyWithoutValidationMatch,
   findDtoNestedPropertyWithoutNestedValidationMatch,
   findBackendControllerRouteWithoutGuardLines,
+  findBackendControllerRouteWithoutRolesLines,
   findBackendPermissiveCorsConfigurationLines,
   findBackendStringLiteralUnionEnumCandidateLines,
   findBackendHardDeleteWithoutSoftDeleteLines,
@@ -13,7 +14,11 @@ import {
   findBackendInconsistentErrorResponseLines,
   findBackendErrorPayloadWithSuccessStatusLines,
   findBackendControllerEntityResponseLines,
+  findBackendControllerBusinessLogicMatch,
+  findBackendRepositoryBusinessLogicMatch,
   findBackendRawThrowExpressionLines,
+  findBackendMissingGlobalValidationPipeLines,
+  findBackendMissingHelmetSecurityHeadersLines,
   findFrameworkDependencyImportMatch,
   findMixedCommandQueryClassMatch,
   findMixedCommandQueryInterfaceMatch,
@@ -37,13 +42,18 @@ import {
   hasDtoPropertyWithoutValidation,
   hasDtoNestedPropertyWithoutNestedValidation,
   hasBackendControllerRouteWithoutGuard,
+  hasBackendControllerRouteWithoutRoles,
   hasBackendPermissiveCorsConfiguration,
   hasBackendStringLiteralUnionEnumCandidate,
   hasBackendHardDeleteWithoutSoftDelete,
   hasBackendInconsistentErrorResponse,
   hasBackendErrorPayloadWithSuccessStatus,
   hasBackendControllerEntityResponse,
+  hasBackendControllerBusinessLogic,
+  hasBackendRepositoryBusinessLogic,
   hasBackendRawThrowExpression,
+  hasBackendMissingGlobalValidationPipe,
+  hasBackendMissingHelmetSecurityHeaders,
   hasEmptyCatchClause,
   hasEvalCall,
   hasExplicitAnyType,
@@ -715,6 +725,199 @@ test('hasBackendControllerEntityResponse detecta entidades expuestas por control
   assert.equal(hasBackendControllerEntityResponse(dtoReturnTypeAst), false);
 });
 
+test('hasBackendControllerBusinessLogic detecta logica dentro de rutas controller NestJS', () => {
+  const controllerWithLogicAst = {
+    type: 'Program',
+    body: [
+      {
+        type: 'ClassDeclaration',
+        decorators: [
+          {
+            type: 'Decorator',
+            expression: {
+              type: 'CallExpression',
+              callee: { type: 'Identifier', name: 'Controller' },
+              arguments: [],
+            },
+          },
+        ],
+        body: {
+          type: 'ClassBody',
+          body: [
+            {
+              type: 'ClassMethod',
+              key: { type: 'Identifier', name: 'createOrder' },
+              loc: { start: { line: 18 }, end: { line: 30 } },
+              decorators: [
+                {
+                  type: 'Decorator',
+                  expression: {
+                    type: 'CallExpression',
+                    callee: { type: 'Identifier', name: 'Post' },
+                    arguments: [],
+                  },
+                },
+              ],
+              body: {
+                type: 'BlockStatement',
+                body: [
+                  {
+                    type: 'IfStatement',
+                    test: { type: 'Identifier', name: 'invalid' },
+                    consequent: { type: 'BlockStatement', body: [] },
+                  },
+                ],
+              },
+            },
+          ],
+        },
+      },
+    ],
+  };
+  const thinControllerAst = {
+    type: 'Program',
+    body: [
+      {
+        type: 'ClassDeclaration',
+        decorators: [
+          {
+            type: 'Decorator',
+            expression: {
+              type: 'CallExpression',
+              callee: { type: 'Identifier', name: 'Controller' },
+              arguments: [],
+            },
+          },
+        ],
+        body: {
+          type: 'ClassBody',
+          body: [
+            {
+              type: 'ClassMethod',
+              key: { type: 'Identifier', name: 'createOrder' },
+              decorators: [
+                {
+                  type: 'Decorator',
+                  expression: {
+                    type: 'CallExpression',
+                    callee: { type: 'Identifier', name: 'Post' },
+                    arguments: [],
+                  },
+                },
+              ],
+              body: {
+                type: 'BlockStatement',
+                body: [
+                  {
+                    type: 'ReturnStatement',
+                    argument: {
+                      type: 'CallExpression',
+                      callee: {
+                        type: 'MemberExpression',
+                        object: {
+                          type: 'MemberExpression',
+                          object: { type: 'ThisExpression' },
+                          property: { type: 'Identifier', name: 'ordersService' },
+                        },
+                        property: { type: 'Identifier', name: 'create' },
+                      },
+                      arguments: [],
+                    },
+                  },
+                ],
+              },
+            },
+          ],
+        },
+      },
+    ],
+  };
+
+  assert.equal(hasBackendControllerBusinessLogic(controllerWithLogicAst), true);
+  assert.equal(hasBackendControllerBusinessLogic(thinControllerAst), false);
+
+  const match = findBackendControllerBusinessLogicMatch(controllerWithLogicAst);
+  assert.ok(match);
+  assert.deepEqual(match.lines, [18]);
+  assert.equal(match.primary_node, 'createOrder');
+});
+
+test('hasBackendRepositoryBusinessLogic detecta decisiones de negocio dentro de repositories', () => {
+  const repositoryWithLogicAst = {
+    type: 'Program',
+    body: [
+      {
+        type: 'ClassDeclaration',
+        id: { type: 'Identifier', name: 'OrdersRepository' },
+        body: {
+          type: 'ClassBody',
+          body: [
+            {
+              type: 'ClassMethod',
+              key: { type: 'Identifier', name: 'saveOrder' },
+              loc: { start: { line: 27 }, end: { line: 35 } },
+              body: {
+                type: 'BlockStatement',
+                body: [
+                  {
+                    type: 'IfStatement',
+                    test: { type: 'Identifier', name: 'isPremium' },
+                    consequent: { type: 'BlockStatement', body: [] },
+                  },
+                ],
+              },
+            },
+          ],
+        },
+      },
+    ],
+  };
+  const thinRepositoryAst = {
+    type: 'Program',
+    body: [
+      {
+        type: 'ClassDeclaration',
+        id: { type: 'Identifier', name: 'OrdersRepository' },
+        body: {
+          type: 'ClassBody',
+          body: [
+            {
+              type: 'ClassMethod',
+              key: { type: 'Identifier', name: 'findActiveOrdersByUserId' },
+              body: {
+                type: 'BlockStatement',
+                body: [
+                  {
+                    type: 'ReturnStatement',
+                    argument: {
+                      type: 'CallExpression',
+                      callee: {
+                        type: 'MemberExpression',
+                        object: { type: 'Identifier', name: 'queryBuilder' },
+                        property: { type: 'Identifier', name: 'where' },
+                      },
+                      arguments: [],
+                    },
+                  },
+                ],
+              },
+            },
+          ],
+        },
+      },
+    ],
+  };
+
+  assert.equal(hasBackendRepositoryBusinessLogic(repositoryWithLogicAst), true);
+  assert.equal(hasBackendRepositoryBusinessLogic(thinRepositoryAst), false);
+
+  const match = findBackendRepositoryBusinessLogicMatch(repositoryWithLogicAst);
+  assert.ok(match);
+  assert.deepEqual(match.lines, [27]);
+  assert.equal(match.primary_node, 'OrdersRepository');
+  assert.deepEqual(match.related_nodes, ['saveOrder']);
+});
+
 test('hasBackendAnemicDomainModel detecta entidades de dominio anemicas', () => {
   const anemicEntityAst = {
     type: 'ClassDeclaration',
@@ -2758,6 +2961,164 @@ test('hasDtoNestedPropertyWithoutNestedValidation detecta DTOs anidados sin Vali
   assert.deepEqual(match.related_nodes, ['address']);
 });
 
+test('hasBackendMissingGlobalValidationPipe detecta bootstrap NestJS sin ValidationPipe estricto', () => {
+  const missingPipeAst = {
+    type: 'Program',
+    body: [
+      {
+        type: 'ExpressionStatement',
+        expression: {
+          type: 'CallExpression',
+          loc: { start: { line: 7 }, end: { line: 7 } },
+          callee: {
+            type: 'MemberExpression',
+            object: { type: 'Identifier', name: 'NestFactory' },
+            property: { type: 'Identifier', name: 'create' },
+          },
+          arguments: [],
+        },
+      },
+    ],
+  };
+  const unsafePipeAst = {
+    type: 'Program',
+    body: [
+      {
+        type: 'ExpressionStatement',
+        expression: {
+          type: 'CallExpression',
+          loc: { start: { line: 11 }, end: { line: 11 } },
+          callee: {
+            type: 'MemberExpression',
+            object: { type: 'Identifier', name: 'app' },
+            property: { type: 'Identifier', name: 'useGlobalPipes' },
+          },
+          arguments: [
+            {
+              type: 'NewExpression',
+              callee: { type: 'Identifier', name: 'ValidationPipe' },
+              arguments: [],
+            },
+          ],
+        },
+      },
+    ],
+  };
+  const strictPipeAst = {
+    type: 'Program',
+    body: [
+      {
+        type: 'ExpressionStatement',
+        expression: {
+          type: 'CallExpression',
+          callee: {
+            type: 'MemberExpression',
+            object: { type: 'Identifier', name: 'NestFactory' },
+            property: { type: 'Identifier', name: 'create' },
+          },
+          arguments: [],
+        },
+      },
+      {
+        type: 'ExpressionStatement',
+        expression: {
+          type: 'CallExpression',
+          callee: {
+            type: 'MemberExpression',
+            object: { type: 'Identifier', name: 'app' },
+            property: { type: 'Identifier', name: 'useGlobalPipes' },
+          },
+          arguments: [
+            {
+              type: 'NewExpression',
+              callee: { type: 'Identifier', name: 'ValidationPipe' },
+              arguments: [
+                {
+                  type: 'ObjectExpression',
+                  properties: [
+                    {
+                      type: 'ObjectProperty',
+                      key: { type: 'Identifier', name: 'whitelist' },
+                      value: { type: 'BooleanLiteral', value: true },
+                    },
+                  ],
+                },
+              ],
+            },
+          ],
+        },
+      },
+    ],
+  };
+
+  assert.equal(hasBackendMissingGlobalValidationPipe(missingPipeAst), true);
+  assert.deepEqual(findBackendMissingGlobalValidationPipeLines(missingPipeAst), [7]);
+  assert.equal(hasBackendMissingGlobalValidationPipe(unsafePipeAst), true);
+  assert.deepEqual(findBackendMissingGlobalValidationPipeLines(unsafePipeAst), [11]);
+  assert.equal(hasBackendMissingGlobalValidationPipe(strictPipeAst), false);
+});
+
+test('hasBackendMissingHelmetSecurityHeaders detecta bootstrap NestJS sin Helmet', () => {
+  const missingHelmetAst = {
+    type: 'Program',
+    body: [
+      {
+        type: 'ExpressionStatement',
+        expression: {
+          type: 'CallExpression',
+          loc: { start: { line: 9 }, end: { line: 9 } },
+          callee: {
+            type: 'MemberExpression',
+            object: { type: 'Identifier', name: 'NestFactory' },
+            property: { type: 'Identifier', name: 'create' },
+          },
+          arguments: [],
+        },
+      },
+    ],
+  };
+  const helmetAst = {
+    type: 'Program',
+    body: [
+      {
+        type: 'ExpressionStatement',
+        expression: {
+          type: 'CallExpression',
+          loc: { start: { line: 11 }, end: { line: 11 } },
+          callee: {
+            type: 'MemberExpression',
+            object: { type: 'Identifier', name: 'NestFactory' },
+            property: { type: 'Identifier', name: 'create' },
+          },
+          arguments: [],
+        },
+      },
+      {
+        type: 'ExpressionStatement',
+        expression: {
+          type: 'CallExpression',
+          callee: {
+            type: 'MemberExpression',
+            object: { type: 'Identifier', name: 'app' },
+            property: { type: 'Identifier', name: 'use' },
+          },
+          arguments: [
+            {
+              type: 'CallExpression',
+              callee: { type: 'Identifier', name: 'helmet' },
+              arguments: [],
+            },
+          ],
+        },
+      },
+    ],
+  };
+
+  assert.equal(hasBackendMissingHelmetSecurityHeaders(missingHelmetAst), true);
+  assert.deepEqual(findBackendMissingHelmetSecurityHeadersLines(missingHelmetAst), [9]);
+  assert.equal(hasBackendMissingHelmetSecurityHeaders(helmetAst), false);
+});
+
 test('hasBackendControllerRouteWithoutGuard detecta rutas NestJS sin UseGuards', () => {
   const unguardedRouteAst = {
     type: 'Program',
@@ -2828,3 +3189,94 @@ test('hasBackendControllerRouteWithoutGuard detecta rutas NestJS sin UseGuards',
   assert.equal(hasBackendControllerRouteWithoutGuard(classGuardedRouteAst), false);
   assert.deepEqual(findBackendControllerRouteWithoutGuardLines(unguardedRouteAst), [12]);
 });
+
+test('hasBackendControllerRouteWithoutRoles detecta rutas NestJS protegidas sin RBAC explicito', () => {
+  const guardedWithoutRolesAst = {
+    type: 'Program',
+    body: [
+      {
+        type: 'ClassDeclaration',
+        decorators: [
+          {
+            type: 'Decorator',
+            expression: { type: 'CallExpression', callee: { type: 'Identifier', name: 'Controller' }, arguments: [] },
+          },
+          {
+            type: 'Decorator',
+            expression: { type: 'CallExpression', callee: { type: 'Identifier', name: 'UseGuards' }, arguments: [] },
+          },
+        ],
+        body: {
+          type: 'ClassBody',
+          body: [
+            {
+              type: 'ClassMethod',
+              key: { type: 'Identifier', name: 'deleteOrder' },
+              loc: { start: { line: 31 }, end: { line: 33 } },
+              decorators: [
+                {
+                  type: 'Decorator',
+                  expression: { type: 'CallExpression', callee: { type: 'Identifier', name: 'Delete' }, arguments: [] },
+                },
+              ],
+            },
+          ],
+        },
+      },
+    ],
+  };
+  const methodRolesAst = {
+    type: 'Program',
+    body: [
+      {
+        type: 'ClassDeclaration',
+        decorators: [
+          {
+            type: 'Decorator',
+            expression: { type: 'CallExpression', callee: { type: 'Identifier', name: 'Controller' }, arguments: [] },
+          },
+          {
+            type: 'Decorator',
+            expression: { type: 'CallExpression', callee: { type: 'Identifier', name: 'UseGuards' }, arguments: [] },
+          },
+        ],
+        body: {
+          type: 'ClassBody',
+          body: [
+            {
+              type: 'ClassMethod',
+              key: { type: 'Identifier', name: 'deleteOrder' },
+              loc: { start: { line: 42 }, end: { line: 44 } },
+              decorators: [
+                {
+                  type: 'Decorator',
+                  expression: { type: 'CallExpression', callee: { type: 'Identifier', name: 'Roles' }, arguments: [] },
+                },
+                {
+                  type: 'Decorator',
+                  expression: { type: 'CallExpression', callee: { type: 'Identifier', name: 'Delete' }, arguments: [] },
+                },
+              ],
+            },
+          ],
+        },
+      },
+    ],
+  };
+  const unguardedRouteAst = {
+    type: 'ClassMethod',
+    key: { type: 'Identifier', name: 'publicHealth' },
+    loc: { start: { line: 51 }, end: { line: 53 } },
+    decorators: [
+      {
+        type: 'Decorator',
+        expression: { type: 'CallExpression', callee: { type: 'Identifier', name: 'Get' }, arguments: [] },
+      },
+    ],
+  };
+
+  assert.equal(hasBackendControllerRouteWithoutRoles(guardedWithoutRolesAst), true);
+  assert.deepEqual(findBackendControllerRouteWithoutRolesLines(guardedWithoutRolesAst), [31]);
+  assert.equal(hasBackendControllerRouteWithoutRoles(methodRolesAst), false);
+  assert.equal(hasBackendControllerRouteWithoutRoles(unguardedRouteAst), false);
+});

package/core/facts/detectors/typescript/index.ts

@@ -2155,7 +2155,7 @@ const isCorsPermissiveValue = (node: unknown): boolean => {
   );
 };
 
-const objectPropertyName = (node: unknown): string | undefined => {
+const validationPipeObjectPropertyName = (node: unknown): string | undefined => {
   if (!isObject(node) || (node.type !== 'ObjectProperty' && node.type !== 'Property')) {
     return undefined;
   }
@@ -2766,6 +2766,7 @@ const nestJsClassDecoratorNames = new Set([
 ]);
 const nestJsRouteDecoratorNames = new Set(['Delete', 'Get', 'Head', 'Options', 'Patch', 'Post', 'Put']);
 const nestJsUseGuardsDecoratorNames = new Set(['UseGuards']);
+const nestJsRolesDecoratorNames = new Set(['Roles']);
 
 const decoratorExpressionName = (node: unknown): string | undefined => {
   if (!isObject(node)) {
@@ -2801,12 +2802,42 @@ const hasDecoratorFrom = (node: AstNode, allowedNames: ReadonlySet<string>): boo
   });
 };
 
+const decoratorCallArguments = (decorator: AstNode): readonly unknown[] => {
+  const expression = decorator.expression;
+  if (!isObject(expression) || expression.type !== 'CallExpression') {
+    return [];
+  }
+  return Array.isArray(expression.arguments) ? expression.arguments : [];
+};
+
 const hasNestJsRouteDecorator = (node: AstNode): boolean =>
   hasDecoratorFrom(node, nestJsRouteDecoratorNames);
 
 const hasNestJsUseGuardsDecorator = (node: AstNode): boolean =>
   hasDecoratorFrom(node, nestJsUseGuardsDecoratorNames);
 
+const isRolesSetMetadataDecorator = (decorator: AstNode): boolean => {
+  const name = decoratorExpressionName(decorator.expression);
+  if (name !== 'SetMetadata') {
+    return false;
+  }
+  const [metadataKey] = decoratorCallArguments(decorator);
+  return isObject(metadataKey) && metadataKey.type === 'StringLiteral' && metadataKey.value === 'roles';
+};
+
+const hasNestJsRolesDecorator = (node: AstNode): boolean => {
+  if (!Array.isArray(node.decorators)) {
+    return false;
+  }
+  return node.decorators.some((decorator) => {
+    if (!isObject(decorator)) {
+      return false;
+    }
+    const name = decoratorExpressionName(decorator.expression);
+    return (name !== undefined && nestJsRolesDecoratorNames.has(name)) || isRolesSetMetadataDecorator(decorator);
+  });
+};
+
 const isClassLikeNode = (node: unknown): node is AstNode =>
   isObject(node) && (node.type === 'ClassDeclaration' || node.type === 'ClassExpression');
 
@@ -2926,6 +2957,23 @@ export const findBackendControllerRouteWithoutGuardLines = (ast: unknown): reado
 export const hasBackendControllerRouteWithoutGuard = (ast: unknown): boolean =>
   findBackendControllerRouteWithoutGuardLines(ast).length > 0;
 
+export const findBackendControllerRouteWithoutRolesLines = (ast: unknown): readonly number[] => {
+  return collectLineMatchesWithAncestors(ast, (node, ancestors) => {
+    if (!isClassMethodLikeNode(node) || !hasNestJsRouteDecorator(node)) {
+      return false;
+    }
+    const ownerClass = [...ancestors].reverse().find(isClassLikeNode);
+    const hasGuard = hasNestJsUseGuardsDecorator(node) || (ownerClass !== undefined && hasNestJsUseGuardsDecorator(ownerClass));
+    if (!hasGuard) {
+      return false;
+    }
+    return !hasNestJsRolesDecorator(node) && (ownerClass === undefined || !hasNestJsRolesDecorator(ownerClass));
+  });
+};
+
+export const hasBackendControllerRouteWithoutRoles = (ast: unknown): boolean =>
+  findBackendControllerRouteWithoutRolesLines(ast).length > 0;
+
 const persistenceMutationNames = new Set([
   'create',
   'delete',
@@ -3290,6 +3338,298 @@ export const findDtoNestedPropertyWithoutNestedValidationMatch = (
 export const hasDtoNestedPropertyWithoutNestedValidation = (ast: unknown): boolean =>
   findDtoNestedPropertyWithoutNestedValidationMatch(ast) !== undefined;
 
+const isValidationPipeCallee = (node: unknown): boolean => {
+  return isObject(node) && node.type === 'Identifier' && node.name === 'ValidationPipe';
+};
+
+const objectPropertyName = (node: unknown): string | undefined => {
+  if (!isObject(node)) {
+    return undefined;
+  }
+  if (isObject(node.key)) {
+    return methodNameFromNode(node.key);
+  }
+  return undefined;
+};
+
+const isBooleanTrueLiteral = (node: unknown): boolean => {
+  return isObject(node) && node.type === 'BooleanLiteral' && node.value === true;
+};
+
+const validationPipeOptionsEnableWhitelist = (node: unknown): boolean => {
+  if (!isObject(node) || node.type !== 'ObjectExpression' || !Array.isArray(node.properties)) {
+    return false;
+  }
+  return node.properties.some((property) => {
+    return (
+      isObject(property) &&
+      validationPipeObjectPropertyName(property) === 'whitelist' &&
+      isBooleanTrueLiteral(property.value)
+    );
+  });
+};
+
+const isStrictValidationPipeExpression = (node: unknown): boolean => {
+  if (!isObject(node)) {
+    return false;
+  }
+  if (node.type !== 'NewExpression' && node.type !== 'CallExpression') {
+    return false;
+  }
+  if (!isValidationPipeCallee(node.callee)) {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  return args.some(validationPipeOptionsEnableWhitelist);
+};
+
+const isUseGlobalPipesCall = (node: AstNode): boolean => {
+  return node.type === 'CallExpression' && callExpressionMemberName(node) === 'useGlobalPipes';
+};
+
+const isStrictUseGlobalPipesCall = (node: AstNode): boolean => {
+  if (!isUseGlobalPipesCall(node)) {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  return args.some(isStrictValidationPipeExpression);
+};
+
+const isBackendValidationNestFactoryCreateCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression') {
+    return false;
+  }
+  const memberName = callExpressionMemberName(node);
+  const objectName = callExpressionObjectName(node);
+  return memberName === 'create' && objectName === 'NestFactory';
+};
+
+export const findBackendMissingGlobalValidationPipeLines = (ast: unknown): readonly number[] => {
+  const unsafeUseGlobalPipesLines = collectLineMatchesWithAncestors(
+    ast,
+    (node) => isUseGlobalPipesCall(node) && !isStrictUseGlobalPipesCall(node)
+  );
+  if (unsafeUseGlobalPipesLines.length > 0) {
+    return unsafeUseGlobalPipesLines;
+  }
+
+  if (!hasNode(ast, isBackendValidationNestFactoryCreateCall)) {
+    return [];
+  }
+  if (hasNode(ast, isStrictUseGlobalPipesCall)) {
+    return [];
+  }
+  return collectLineMatchesWithAncestors(ast, isBackendValidationNestFactoryCreateCall, { max: 1 });
+};
+
+export const hasBackendMissingGlobalValidationPipe = (ast: unknown): boolean =>
+  findBackendMissingGlobalValidationPipeLines(ast).length > 0;
+
+const isHelmetCallee = (node: unknown): boolean => {
+  return isObject(node) && node.type === 'Identifier' && node.name === 'helmet';
+};
+
+const isHelmetCallExpression = (node: unknown): boolean => {
+  return isObject(node) && node.type === 'CallExpression' && isHelmetCallee(node.callee);
+};
+
+const isAppUseHelmetCall = (node: AstNode): boolean => {
+  if (node.type !== 'CallExpression' || callExpressionMemberName(node) !== 'use') {
+    return false;
+  }
+  const args = Array.isArray(node.arguments) ? node.arguments : [];
+  return args.some(isHelmetCallExpression);
+};
+
+export const findBackendMissingHelmetSecurityHeadersLines = (ast: unknown): readonly number[] => {
+  if (!hasNode(ast, isBackendValidationNestFactoryCreateCall)) {
+    return [];
+  }
+  if (hasNode(ast, isAppUseHelmetCall)) {
+    return [];
+  }
+  return collectLineMatchesWithAncestors(ast, isBackendValidationNestFactoryCreateCall, { max: 1 });
+};
+
+export const hasBackendMissingHelmetSecurityHeaders = (ast: unknown): boolean =>
+  findBackendMissingHelmetSecurityHeadersLines(ast).length > 0;
+
+const backendRouteDecoratorNames = new Set([
+  'All',
+  'Delete',
+  'Get',
+  'Head',
+  'Options',
+  'Patch',
+  'Post',
+  'Put',
+]);
+
+const backendControllerBusinessLogicNodeTypes = new Set([
+  'DoWhileStatement',
+  'ForInStatement',
+  'ForOfStatement',
+  'ForStatement',
+  'IfStatement',
+  'SwitchStatement',
+  'WhileStatement',
+]);
+
+const hasBackendRouteDecorator = (node: AstNode): boolean => {
+  if (!Array.isArray(node.decorators)) {
+    return false;
+  }
+  return node.decorators.some((decorator) => {
+    if (!isObject(decorator)) {
+      return false;
+    }
+    const name = decoratorExpressionName(decorator.expression);
+    return name !== undefined && backendRouteDecoratorNames.has(name);
+  });
+};
+
+const isBackendControllerRouteMethod = (node: AstNode): boolean => {
+  return (
+    (node.type === 'ClassMethod' ||
+      node.type === 'ClassPrivateMethod' ||
+      node.type === 'ObjectMethod') &&
+    hasBackendRouteDecorator(node)
+  );
+};
+
+const isBackendControllerBusinessLogicNode = (node: AstNode): boolean => {
+  if (typeof node.type === 'string' && backendControllerBusinessLogicNodeTypes.has(node.type)) {
+    return true;
+  }
+  if (isPersistenceMutationCall(node)) {
+    return true;
+  }
+  const objectName = callExpressionObjectName(node);
+  const rootObjectName =
+    node.type === 'CallExpression' && isObject(node.callee)
+      ? memberExpressionRootObjectName(node.callee)
+      : undefined;
+  return (
+    (objectName !== undefined && /(?:repository|repo|prisma|supabase|model|collection)$/i.test(objectName)) ||
+    (rootObjectName !== undefined && /(?:repository|repo|prisma|supabase|model|collection)$/i.test(rootObjectName))
+  );
+};
+
+export type TypeScriptBackendControllerBusinessLogicMatch = {
+  lines: readonly number[];
+  primary_node: string;
+  related_nodes: readonly string[];
+  why: string;
+  impact: string;
+  expected_fix: string;
+};
+
+export const findBackendControllerBusinessLogicMatch = (
+  ast: unknown
+): TypeScriptBackendControllerBusinessLogicMatch | undefined => {
+  const match = findFirstNodeWithAncestors(ast, (node) => {
+    if (!isBackendControllerRouteMethod(node)) {
+      return false;
+    }
+    return hasDescendantNode(
+      node,
+      (nested) => nested !== node && isBackendControllerBusinessLogicNode(nested)
+    );
+  });
+
+  if (match === undefined) {
+    return undefined;
+  }
+
+  const methodName = methodNameFromNode(match.node.key) ?? 'anonymous controller route';
+  const line = toPositiveLine(match.node);
+
+  return {
+    lines: line === null ? [] : sortedUniqueLines([line]),
+    primary_node: methodName,
+    related_nodes: ['NestJS route handler', 'business logic in controller'],
+    why: `El handler ${methodName} contiene logica de negocio o acceso a persistencia dentro del controller.`,
+    impact:
+      'El controller deja de ser una frontera HTTP delgada, mezcla routing con dominio/aplicacion y dificulta testabilidad y reutilizacion.',
+    expected_fix:
+      'Mueve la logica a un service/use case inyectado y deja el controller solo con routing, validacion de entrada y delegacion.',
+  };
+};
+
+export const findBackendControllerBusinessLogicLines = (ast: unknown): readonly number[] =>
+  findBackendControllerBusinessLogicMatch(ast)?.lines ?? [];
+
+export const hasBackendControllerBusinessLogic = (ast: unknown): boolean =>
+  findBackendControllerBusinessLogicMatch(ast) !== undefined;
+
+const isBackendRepositoryClassName = (name: string | undefined): boolean =>
+  name !== undefined && /(?:Repository|Repo)$/i.test(name);
+
+const isBackendRepositoryBusinessLogicMethod = (node: AstNode): boolean => {
+  if (
+    node.type !== 'ClassMethod' &&
+    node.type !== 'ClassPrivateMethod' &&
+    node.type !== 'ObjectMethod'
+  ) {
+    return false;
+  }
+  return hasDescendantNode(node, (nested) => {
+    return (
+      nested !== node &&
+      typeof nested.type === 'string' &&
+      backendControllerBusinessLogicNodeTypes.has(nested.type)
+    );
+  });
+};
+
+export type TypeScriptBackendRepositoryBusinessLogicMatch = {
+  lines: readonly number[];
+  primary_node: string;
+  related_nodes: readonly string[];
+  why: string;
+  impact: string;
+  expected_fix: string;
+};
+
+export const findBackendRepositoryBusinessLogicMatch = (
+  ast: unknown
+): TypeScriptBackendRepositoryBusinessLogicMatch | undefined => {
+  const match = findFirstNodeWithAncestors(ast, (node) => {
+    if (node.type !== 'ClassDeclaration' || !isBackendRepositoryClassName(classNameFromNode(node))) {
+      return false;
+    }
+    const body = isObject(node.body) && Array.isArray(node.body.body) ? node.body.body : [];
+    return body.some((member) => isObject(member) && isBackendRepositoryBusinessLogicMethod(member));
+  });
+
+  if (match === undefined) {
+    return undefined;
+  }
+
+  const className = classNameFromNode(match.node) ?? 'Repository';
+  const body = isObject(match.node.body) && Array.isArray(match.node.body.body) ? match.node.body.body : [];
+  const method = body.find((member) => isObject(member) && isBackendRepositoryBusinessLogicMethod(member));
+  const methodName = isObject(method) ? methodNameFromNode(method.key) : undefined;
+  const line = isObject(method) ? toPositiveLine(method) : toPositiveLine(match.node);
+
+  return {
+    lines: line === null ? [] : sortedUniqueLines([line]),
+    primary_node: className,
+    related_nodes: methodName === undefined ? ['repository method'] : [methodName],
+    why: `El repositorio ${className} contiene ramas de decision dentro de un metodo de persistencia.`,
+    impact:
+      'El repositorio mezcla reglas de negocio con acceso a datos, rompiendo Clean Architecture y dificultando pruebas de casos de uso.',
+    expected_fix:
+      'Mueve la decision de negocio a un use case/service y deja el repositorio limitado a CRUD, queries expresivas y mapeo de datos.',
+  };
+};
+
+export const findBackendRepositoryBusinessLogicLines = (ast: unknown): readonly number[] =>
+  findBackendRepositoryBusinessLogicMatch(ast)?.lines ?? [];
+
+export const hasBackendRepositoryBusinessLogic = (ast: unknown): boolean =>
+  findBackendRepositoryBusinessLogicMatch(ast) !== undefined;
+
 const isRecordTypeName = (node: unknown): boolean => {
   return (
     isObject(node) &&

package/core/facts/extractHeuristicFacts.ts

@@ -499,8 +499,12 @@ const astDetectorRegistry: ReadonlyArray<ASTDetectorRegistryEntry> = [
   { detect: TS.hasBackendInconsistentErrorResponse, locateLines: TS.findBackendInconsistentErrorResponseLines, ruleId: 'heuristics.ts.backend.inconsistent-error-response.ast', code: 'HEURISTICS_BACKEND_INCONSISTENT_ERROR_RESPONSE_AST', message: 'AST heuristic detected backend error response without statusCode, message, timestamp and path.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasBackendErrorPayloadWithSuccessStatus, locateLines: TS.findBackendErrorPayloadWithSuccessStatusLines, ruleId: 'heuristics.ts.backend.error-payload-success-status.ast', code: 'HEURISTICS_BACKEND_ERROR_PAYLOAD_SUCCESS_STATUS_AST', message: 'AST heuristic detected backend error payload sent with a success HTTP status.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasBackendControllerEntityResponse, locateLines: TS.findBackendControllerEntityResponseLines, ruleId: 'heuristics.ts.backend.controller-entity-response.ast', code: 'HEURISTICS_BACKEND_CONTROLLER_ENTITY_RESPONSE_AST', message: 'AST heuristic detected backend controller exposing domain entities directly; return DTOs instead.', pathCheck: isBackendControllerTypeScriptPath },
+  { detect: TS.hasBackendControllerBusinessLogic, locateLines: TS.findBackendControllerBusinessLogicLines, ruleId: 'heuristics.ts.backend.controller-business-logic.ast', code: 'HEURISTICS_BACKEND_CONTROLLER_BUSINESS_LOGIC_AST', message: 'AST heuristic detected business logic inside a NestJS controller route handler.', pathCheck: isBackendControllerTypeScriptPath },
+  { detect: TS.hasBackendRepositoryBusinessLogic, locateLines: TS.findBackendRepositoryBusinessLogicLines, ruleId: 'heuristics.ts.backend.repository-business-logic.ast', code: 'HEURISTICS_BACKEND_REPOSITORY_BUSINESS_LOGIC_AST', message: 'AST heuristic detected business decision logic inside a backend repository.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasBackendAnemicDomainModel, ruleId: 'heuristics.ts.backend.anemic-domain-model.ast', code: 'HEURISTICS_BACKEND_ANEMIC_DOMAIN_MODEL_AST', message: 'AST heuristic detected an anemic backend domain entity without business behavior.', pathCheck: isBackendDomainEntityPath },
   { detect: TS.hasBackendPermissiveCorsConfiguration, locateLines: TS.findBackendPermissiveCorsConfigurationLines, ruleId: 'heuristics.ts.backend.permissive-cors.ast', code: 'HEURISTICS_BACKEND_PERMISSIVE_CORS_AST', message: 'AST heuristic detected permissive backend CORS configuration; restrict allowed origins explicitly.', pathCheck: isBackendTypeScriptPath },
+  { detect: TS.hasBackendMissingHelmetSecurityHeaders, locateLines: TS.findBackendMissingHelmetSecurityHeadersLines, ruleId: 'heuristics.ts.backend.missing-helmet-security-headers.ast', code: 'HEURISTICS_BACKEND_MISSING_HELMET_SECURITY_HEADERS_AST', message: 'AST heuristic detected NestJS bootstrap without Helmet security headers middleware.', pathCheck: isBackendTypeScriptPath },
+  { detect: TS.hasBackendMissingGlobalValidationPipe, locateLines: TS.findBackendMissingGlobalValidationPipeLines, ruleId: 'heuristics.ts.backend.missing-global-validation-pipe.ast', code: 'HEURISTICS_BACKEND_MISSING_GLOBAL_VALIDATION_PIPE_AST', message: 'AST heuristic detected NestJS bootstrap without global ValidationPipe whitelist.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasBackendStringLiteralUnionEnumCandidate, locateLines: TS.findBackendStringLiteralUnionEnumCandidateLines, ruleId: 'heuristics.ts.backend.string-literal-union-enum.ast', code: 'HEURISTICS_BACKEND_STRING_LITERAL_UNION_ENUM_AST', message: 'AST heuristic detected fixed backend string literal union; use an enum or centralized typed constants.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasEvalCall, ruleId: 'heuristics.ts.eval.ast', code: 'HEURISTICS_EVAL_AST', message: 'AST heuristic detected eval usage.' },
   { detect: TS.hasFunctionConstructorUsage, ruleId: 'heuristics.ts.function-constructor.ast', code: 'HEURISTICS_FUNCTION_CONSTRUCTOR_AST', message: 'AST heuristic detected Function constructor usage.' },
@@ -527,6 +531,7 @@ const astDetectorRegistry: ReadonlyArray<ASTDetectorRegistryEntry> = [
   { detect: TS.hasConcreteDependencyInstantiation, ruleId: 'heuristics.ts.solid.dip.concrete-instantiation.ast', code: 'HEURISTICS_SOLID_DIP_CONCRETE_INSTANTIATION_AST', message: 'AST heuristic detected DIP risk: direct instantiation of concrete framework dependency.', pathCheck: isTypeScriptDomainOrApplicationPath },
   { detect: TS.hasNestJsConstructorDependencyWithoutDecorator, ruleId: 'heuristics.ts.nestjs.constructor-di-without-decorator.ast', code: 'HEURISTICS_NESTJS_CONSTRUCTOR_DI_WITHOUT_DECORATOR_AST', message: 'AST heuristic detected NestJS constructor dependency injection without an explicit class decorator.' },
   { detect: TS.hasBackendControllerRouteWithoutGuard, locateLines: TS.findBackendControllerRouteWithoutGuardLines, ruleId: 'heuristics.ts.backend.controller-route-without-guard.ast', code: 'HEURISTICS_BACKEND_CONTROLLER_ROUTE_WITHOUT_GUARD_AST', message: 'AST heuristic detected NestJS controller route without UseGuards at method or class level.', pathCheck: isBackendTypeScriptPath },
+  { detect: TS.hasBackendControllerRouteWithoutRoles, locateLines: TS.findBackendControllerRouteWithoutRolesLines, ruleId: 'heuristics.ts.backend.controller-route-without-roles.ast', code: 'HEURISTICS_BACKEND_CONTROLLER_ROUTE_WITHOUT_ROLES_AST', message: 'AST heuristic detected guarded NestJS controller route without Roles/SetMetadata roles authorization.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasPersistenceMutationWithoutAuditEvent, ruleId: 'heuristics.ts.backend.persistence-mutation-without-audit-event.ast', code: 'HEURISTICS_BACKEND_PERSISTENCE_MUTATION_WITHOUT_AUDIT_EVENT_AST', message: 'AST heuristic detected backend persistence mutation without audit log or domain event.' },
   { detect: TS.hasBackendHardDeleteWithoutSoftDelete, locateLines: TS.findBackendHardDeleteWithoutSoftDeleteLines, ruleId: 'heuristics.ts.backend.hard-delete-without-soft-delete.ast', code: 'HEURISTICS_BACKEND_HARD_DELETE_WITHOUT_SOFT_DELETE_AST', message: 'AST heuristic detected backend physical delete; use soft delete with deletedAt/deleted_at.', pathCheck: isBackendTypeScriptPath },
   { detect: TS.hasDtoPropertyWithoutValidation, ruleId: 'heuristics.ts.backend.dto-property-without-validation.ast', code: 'HEURISTICS_BACKEND_DTO_PROPERTY_WITHOUT_VALIDATION_AST', message: 'AST heuristic detected DTO property without class-validator/class-transformer decorator.' },
@@ -733,8 +738,8 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftTaskDetachedUsage, ruleId: 'heuristics.ios.task-detached.ast', code: 'HEURISTICS_IOS_TASK_DETACHED_AST', message: 'AST heuristic detected Task.detached usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftAsyncWithoutAwaitUsage, ruleId: 'heuristics.ios.concurrency.async-without-await.ast', code: 'HEURISTICS_IOS_CONCURRENCY_ASYNC_WITHOUT_AWAIT_AST', message: 'AST heuristic detected a private async function without await; remove async unless a protocol/override boundary requires it.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftEmptyCatchUsage, ruleId: 'heuristics.ios.error.empty-catch.ast', code: 'HEURISTICS_IOS_ERROR_EMPTY_CATCH_AST', message: 'AST heuristic detected an empty Swift catch block; handle, log, or propagate the error.' },
-  { platform: 'ios', pathCheck: isIOSPresentationPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftOnAppearTaskUsage, ruleId: 'heuristics.ios.swiftui.onappear-task.ast', code: 'HEURISTICS_IOS_SWIFTUI_ONAPPEAR_TASK_AST', message: 'AST heuristic detected Task launched from SwiftUI onAppear; .task/.task(id:) provides lifecycle-aware cancellation.' },
-  { platform: 'ios', pathCheck: isIOSPresentationPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftOnChangeTaskUsage, ruleId: 'heuristics.ios.swiftui.onchange-task.ast', code: 'HEURISTICS_IOS_SWIFTUI_ONCHANGE_TASK_AST', message: 'AST heuristic detected Task launched from SwiftUI onChange; .task(id:) provides lifecycle-aware cancellation for value-dependent async work.' },
+  { platform: 'ios', pathCheck: isIOSPresentationPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftOnAppearTaskUsage, locateLines: TextIOS.collectSwiftOnAppearTaskLines, primaryNode: (lines) => ({ kind: 'call', name: 'Task launched inside SwiftUI onAppear', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: .task { ... } on the view', lines }], why: 'A Task launched from onAppear is not owned by the SwiftUI view lifecycle in the same way as .task.', impact: 'Async work can outlive view disappearance or require manual cancellation, and the gate must point to the exact Task line instead of blocking the whole file.', expected_fix: 'Move the async work from .onAppear { Task { ... } } into .task { ... } so SwiftUI owns automatic cancellation. Keep onAppear only for synchronous side effects such as analytics.', ruleId: 'heuristics.ios.swiftui.onappear-task.ast', code: 'HEURISTICS_IOS_SWIFTUI_ONAPPEAR_TASK_AST', message: 'AST heuristic detected Task launched from SwiftUI onAppear; .task/.task(id:) provides lifecycle-aware cancellation.' },
+  { platform: 'ios', pathCheck: isIOSPresentationPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftOnChangeTaskUsage, locateLines: TextIOS.collectSwiftOnChangeTaskLines, primaryNode: (lines) => ({ kind: 'call', name: 'Task launched inside SwiftUI onChange', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: .task(id:) for value-dependent async work', lines }], why: 'A Task launched from onChange makes value-dependent async work manual instead of tying cancellation to the changing value.', impact: 'Search, load or refresh work can race after state changes because cancellation is not expressed through SwiftUI .task(id:).', expected_fix: 'Move value-dependent async work from .onChange { Task { ... } } into .task(id: value) { ... }. Keep onChange only for synchronous derivations or analytics.', ruleId: 'heuristics.ios.swiftui.onchange-task.ast', code: 'HEURISTICS_IOS_SWIFTUI_ONCHANGE_TASK_AST', message: 'AST heuristic detected Task launched from SwiftUI onChange; .task(id:) provides lifecycle-aware cancellation for value-dependent async work.' },
   { platform: 'ios', pathCheck: isIOSPresentationPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftOnChangeReadonlyVarUsage, locateLines: TextIOS.collectSwiftOnChangeReadonlyVarLines, primaryNode: (lines) => ({ kind: 'property', name: 'var declared inside SwiftUI onChange closure', lines }), relatedNodes: (lines) => [{ kind: 'property', name: 'replacement: let for read-only derived value inside onChange', lines }], why: 'A local var inside onChange hides whether the closure is deriving a read-only value or mutating state as part of a reactive update.', impact: 'Reactive closures become harder to audit because unnecessary mutability can mask accidental state changes and value-dependent side effects.', expected_fix: 'Use let for read-only derived values inside onChange. Keep var only when the local value is intentionally mutated and extract complex mutation out of the view closure.', ruleId: 'heuristics.ios.swiftui.onchange-readonly-var.ast', code: 'HEURISTICS_IOS_SWIFTUI_ONCHANGE_READONLY_VAR_AST', message: 'AST heuristic detected local var inside SwiftUI onChange; prefer let for read-only derived values.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftStrongDelegateReferenceUsage, ruleId: 'heuristics.ios.memory.strong-delegate.ast', code: 'HEURISTICS_IOS_MEMORY_STRONG_DELEGATE_AST', message: 'AST heuristic detected a strong delegate/dataSource reference; weak delegates remain the preferred baseline to avoid retain cycles.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftStrongSelfEscapingClosureUsage, ruleId: 'heuristics.ios.memory.strong-self-escaping-closure.ast', code: 'HEURISTICS_IOS_MEMORY_STRONG_SELF_ESCAPING_CLOSURE_AST', message: 'AST heuristic detected strong self capture in an escaping iOS closure; weak or unowned captures remain the preferred baseline when ownership is not explicit.' },

package/core/rules/presets/heuristics/typescript.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { typescriptRules } from './typescript';
 
 test('typescriptRules define reglas heurísticas locked para plataforma generic', () => {
-  assert.equal(typescriptRules.length, 47);
+  assert.equal(typescriptRules.length, 52);
 
   const ids = typescriptRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -49,10 +49,15 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
     'heuristics.ts.solid.dip.concrete-instantiation.ast',
     'heuristics.ts.nestjs.constructor-di-without-decorator.ast',
     'heuristics.ts.backend.controller-route-without-guard.ast',
+    'heuristics.ts.backend.controller-route-without-roles.ast',
     'heuristics.ts.backend.persistence-mutation-without-audit-event.ast',
     'heuristics.ts.backend.hard-delete-without-soft-delete.ast',
     'heuristics.ts.backend.dto-property-without-validation.ast',
     'heuristics.ts.backend.dto-nested-property-without-nested-validation.ast',
+    'heuristics.ts.backend.missing-global-validation-pipe.ast',
+    'heuristics.ts.backend.missing-helmet-security-headers.ast',
+    'heuristics.ts.backend.controller-business-logic.ast',
+    'heuristics.ts.backend.repository-business-logic.ast',
     'heuristics.ts.god-class-large-class.ast',
   ]);
 
@@ -169,6 +174,10 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
     byId.get('heuristics.ts.backend.controller-route-without-guard.ast')?.then.code,
     'HEURISTICS_BACKEND_CONTROLLER_ROUTE_WITHOUT_GUARD_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ts.backend.controller-route-without-roles.ast')?.then.code,
+    'HEURISTICS_BACKEND_CONTROLLER_ROUTE_WITHOUT_ROLES_AST'
+  );
   assert.equal(
     byId.get('heuristics.ts.backend.persistence-mutation-without-audit-event.ast')?.then.code,
     'HEURISTICS_BACKEND_PERSISTENCE_MUTATION_WITHOUT_AUDIT_EVENT_AST'
@@ -185,6 +194,10 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
     byId.get('heuristics.ts.backend.dto-nested-property-without-nested-validation.ast')?.then.code,
     'HEURISTICS_BACKEND_DTO_NESTED_PROPERTY_WITHOUT_NESTED_VALIDATION_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ts.backend.missing-helmet-security-headers.ast')?.then.code,
+    'HEURISTICS_BACKEND_MISSING_HELMET_SECURITY_HEADERS_AST'
+  );
   assert.equal(
     byId.get('heuristics.ts.god-class-large-class.ast')?.then.code,
     'HEURISTICS_GOD_CLASS_LARGE_CLASS_AST'
@@ -195,6 +208,7 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
     if (
       rule.id === 'heuristics.ts.god-class-large-class.ast' ||
       rule.id === 'heuristics.ts.backend.controller-route-without-guard.ast' ||
+      rule.id === 'heuristics.ts.backend.controller-route-without-roles.ast' ||
       rule.id === 'heuristics.ts.backend.persistence-mutation-without-audit-event.ast' ||
       rule.id === 'heuristics.ts.backend.hard-delete-without-soft-delete.ast' ||
       rule.id === 'heuristics.ts.backend.dto-property-without-validation.ast' ||
@@ -211,6 +225,10 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
       rule.id === 'heuristics.ts.backend.controller-entity-response.ast' ||
       rule.id === 'heuristics.ts.backend.anemic-domain-model.ast' ||
       rule.id === 'heuristics.ts.backend.permissive-cors.ast' ||
+      rule.id === 'heuristics.ts.backend.missing-global-validation-pipe.ast' ||
+      rule.id === 'heuristics.ts.backend.missing-helmet-security-headers.ast' ||
+      rule.id === 'heuristics.ts.backend.controller-business-logic.ast' ||
+      rule.id === 'heuristics.ts.backend.repository-business-logic.ast' ||
       rule.id === 'heuristics.ts.backend.string-literal-union-enum.ast' ||
       rule.id === 'heuristics.ts.sensitive-token-in-url.ast'
     ) {

package/core/rules/presets/heuristics/typescript.ts

@@ -764,6 +764,25 @@ export const typescriptRules: RuleSet = [
       code: 'HEURISTICS_BACKEND_CONTROLLER_ROUTE_WITHOUT_GUARD_AST',
     },
   },
+  {
+    id: 'heuristics.ts.backend.controller-route-without-roles.ast',
+    description:
+      'Detects guarded NestJS controller route handlers without an explicit Roles decorator or roles metadata.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.controller-route-without-roles.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected guarded NestJS controller route without role metadata.',
+      code: 'HEURISTICS_BACKEND_CONTROLLER_ROUTE_WITHOUT_ROLES_AST',
+    },
+  },
   {
     id: 'heuristics.ts.backend.persistence-mutation-without-audit-event.ast',
     description:
@@ -840,6 +859,86 @@ export const typescriptRules: RuleSet = [
       code: 'HEURISTICS_BACKEND_DTO_NESTED_PROPERTY_WITHOUT_NESTED_VALIDATION_AST',
     },
   },
+  {
+    id: 'heuristics.ts.backend.missing-global-validation-pipe.ast',
+    description:
+      'Detects NestJS bootstrap code without a strict global ValidationPipe configured with whitelist=true.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.missing-global-validation-pipe.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected NestJS bootstrap without global ValidationPipe whitelist.',
+      code: 'HEURISTICS_BACKEND_MISSING_GLOBAL_VALIDATION_PIPE_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.backend.missing-helmet-security-headers.ast',
+    description:
+      'Detects NestJS bootstrap code without Helmet middleware for security headers.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.missing-helmet-security-headers.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected NestJS bootstrap without Helmet security headers middleware.',
+      code: 'HEURISTICS_BACKEND_MISSING_HELMET_SECURITY_HEADERS_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.backend.controller-business-logic.ast',
+    description:
+      'Detects NestJS controller route handlers that contain business logic or direct persistence access instead of delegating to services/use cases.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.controller-business-logic.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected business logic inside a NestJS controller route handler.',
+      code: 'HEURISTICS_BACKEND_CONTROLLER_BUSINESS_LOGIC_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.backend.repository-business-logic.ast',
+    description:
+      'Detects backend repository methods that contain business decision branches instead of staying limited to CRUD, queries and data mapping.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.repository-business-logic.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected business decision logic inside a backend repository.',
+      code: 'HEURISTICS_BACKEND_REPOSITORY_BUSINESS_LOGIC_AST',
+    },
+  },
   {
     id: 'heuristics.ts.god-class-large-class.ast',
     description: 'Detects God Class candidates when one class mixes multiple responsibility nodes.',

package/integrations/config/skillsDetectorRegistry.ts

@@ -813,6 +813,18 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     heuristicDetector('typescript.backend.dto-nested-property-without-nested-validation', [
       'heuristics.ts.backend.dto-nested-property-without-nested-validation.ast',
     ]),
+  'skills.backend.guideline.backend.pipes-para-validacio-n-global-validationpipe-en-main-ts':
+    heuristicDetector('typescript.backend.missing-global-validation-pipe', [
+      'heuristics.ts.backend.missing-global-validation-pipe.ast',
+    ]),
+  'skills.backend.guideline.backend.validationpipe-global-en-main-ts-con-whitelist-true':
+    heuristicDetector('typescript.backend.missing-global-validation-pipe', [
+      'heuristics.ts.backend.missing-global-validation-pipe.ast',
+    ]),
+  'skills.backend.guideline.backend.helmet-security-headers':
+    heuristicDetector('typescript.backend.missing-helmet-security-headers', [
+      'heuristics.ts.backend.missing-helmet-security-headers.ast',
+    ]),
   'skills.backend.guideline.backend.guards-en-todas-las-rutas-protegidas-useguards-jwtauthguard':
     heuristicDetector('typescript.backend.controller-route-without-guard', [
       'heuristics.ts.backend.controller-route-without-guard.ast',
@@ -821,6 +833,10 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     heuristicDetector('typescript.backend.controller-route-without-guard', [
       'heuristics.ts.backend.controller-route-without-guard.ast',
     ]),
+  'skills.backend.guideline.backend.role-based-access-control-roles-admin-user':
+    heuristicDetector('typescript.backend.controller-route-without-roles', [
+      'heuristics.ts.backend.controller-route-without-roles.ast',
+    ]),
   'skills.backend.guideline.backend.callback-hell-usar-async-await': heuristicDetector(
     'typescript.callback-hell',
     ['heuristics.ts.callback-hell.ast']
@@ -898,6 +914,22 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     heuristicDetector('typescript.backend.controller-entity-response', [
       'heuristics.ts.backend.controller-entity-response.ast',
     ]),
+  'skills.backend.guideline.backend.controllers-delgados-solo-routing-y-validacio-n-lo-gica-en-servicios':
+    heuristicDetector('typescript.backend.controller-business-logic', [
+      'heuristics.ts.backend.controller-business-logic.ast',
+    ]),
+  'skills.backend.guideline.backend.lo-gica-en-controllers-mover-a-servicios-use-cases':
+    heuristicDetector('typescript.backend.controller-business-logic', [
+      'heuristics.ts.backend.controller-business-logic.ast',
+    ]),
+  'skills.backend.guideline.backend.no-lo-gica-de-negocio-en-repositorios-solo-crud-y-queries':
+    heuristicDetector('typescript.backend.repository-business-logic', [
+      'heuristics.ts.backend.repository-business-logic.ast',
+    ]),
+  'skills.backend.guideline.backend.repositories-para-datos-abstraer-acceso-a-bd-con-interfaces':
+    heuristicDetector('typescript.backend.repository-business-logic', [
+      'heuristics.ts.backend.repository-business-logic.ast',
+    ]),
   'skills.backend.guideline.backend.anemic-domain-models-entidades-solo-con-getters-setters':
     heuristicDetector('typescript.backend.anemic-domain-model', [
       'heuristics.ts.backend.anemic-domain-model.ast',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.293",
+  "version": "6.3.294",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {