pumuki 6.3.294 → 6.3.296

package/core/rules/presets/heuristics/typescript.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { typescriptRules } from './typescript';
 
 test('typescriptRules define reglas heurísticas locked para plataforma generic', () => {
-  assert.equal(typescriptRules.length, 52);
+  assert.equal(typescriptRules.length, 61);
 
   const ids = typescriptRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -50,12 +50,21 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
     'heuristics.ts.nestjs.constructor-di-without-decorator.ast',
     'heuristics.ts.backend.controller-route-without-guard.ast',
     'heuristics.ts.backend.controller-route-without-roles.ast',
+    'heuristics.ts.backend.auth-route-without-throttle.ast',
+    'heuristics.ts.backend.event-handler-without-on-event.ast',
     'heuristics.ts.backend.persistence-mutation-without-audit-event.ast',
+    'heuristics.ts.backend.sensitive-cache-write.ast',
+    'heuristics.ts.backend.auth-response-without-refresh-token.ast',
+    'heuristics.ts.backend.process-env-default-fallback.ast',
+    'heuristics.ts.backend.direct-process-env-read.ast',
+    'heuristics.ts.backend.config-module-without-validation.ast',
     'heuristics.ts.backend.hard-delete-without-soft-delete.ast',
     'heuristics.ts.backend.dto-property-without-validation.ast',
+    'heuristics.ts.backend.dto-property-without-api-property.ast',
     'heuristics.ts.backend.dto-nested-property-without-nested-validation.ast',
     'heuristics.ts.backend.missing-global-validation-pipe.ast',
     'heuristics.ts.backend.missing-helmet-security-headers.ast',
+    'heuristics.ts.backend.missing-compression-middleware.ast',
     'heuristics.ts.backend.controller-business-logic.ast',
     'heuristics.ts.backend.repository-business-logic.ast',
     'heuristics.ts.god-class-large-class.ast',
@@ -178,10 +187,38 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
     byId.get('heuristics.ts.backend.controller-route-without-roles.ast')?.then.code,
     'HEURISTICS_BACKEND_CONTROLLER_ROUTE_WITHOUT_ROLES_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ts.backend.auth-route-without-throttle.ast')?.then.code,
+    'HEURISTICS_BACKEND_AUTH_ROUTE_WITHOUT_THROTTLE_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ts.backend.event-handler-without-on-event.ast')?.then.code,
+    'HEURISTICS_BACKEND_EVENT_HANDLER_WITHOUT_ON_EVENT_AST'
+  );
   assert.equal(
     byId.get('heuristics.ts.backend.persistence-mutation-without-audit-event.ast')?.then.code,
     'HEURISTICS_BACKEND_PERSISTENCE_MUTATION_WITHOUT_AUDIT_EVENT_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ts.backend.sensitive-cache-write.ast')?.then.code,
+    'HEURISTICS_BACKEND_SENSITIVE_CACHE_WRITE_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ts.backend.auth-response-without-refresh-token.ast')?.then.code,
+    'HEURISTICS_BACKEND_AUTH_RESPONSE_WITHOUT_REFRESH_TOKEN_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ts.backend.process-env-default-fallback.ast')?.then.code,
+    'HEURISTICS_BACKEND_PROCESS_ENV_DEFAULT_FALLBACK_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ts.backend.direct-process-env-read.ast')?.then.code,
+    'HEURISTICS_BACKEND_DIRECT_PROCESS_ENV_READ_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.ts.backend.config-module-without-validation.ast')?.then.code,
+    'HEURISTICS_BACKEND_CONFIG_MODULE_WITHOUT_VALIDATION_AST'
+  );
   assert.equal(
     byId.get('heuristics.ts.backend.hard-delete-without-soft-delete.ast')?.then.code,
     'HEURISTICS_BACKEND_HARD_DELETE_WITHOUT_SOFT_DELETE_AST'
@@ -190,6 +227,10 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
     byId.get('heuristics.ts.backend.dto-property-without-validation.ast')?.then.code,
     'HEURISTICS_BACKEND_DTO_PROPERTY_WITHOUT_VALIDATION_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ts.backend.dto-property-without-api-property.ast')?.then.code,
+    'HEURISTICS_BACKEND_DTO_PROPERTY_WITHOUT_API_PROPERTY_AST'
+  );
   assert.equal(
     byId.get('heuristics.ts.backend.dto-nested-property-without-nested-validation.ast')?.then.code,
     'HEURISTICS_BACKEND_DTO_NESTED_PROPERTY_WITHOUT_NESTED_VALIDATION_AST'
@@ -198,6 +239,10 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
     byId.get('heuristics.ts.backend.missing-helmet-security-headers.ast')?.then.code,
     'HEURISTICS_BACKEND_MISSING_HELMET_SECURITY_HEADERS_AST'
   );
+  assert.equal(
+    byId.get('heuristics.ts.backend.missing-compression-middleware.ast')?.then.code,
+    'HEURISTICS_BACKEND_MISSING_COMPRESSION_MIDDLEWARE_AST'
+  );
   assert.equal(
     byId.get('heuristics.ts.god-class-large-class.ast')?.then.code,
     'HEURISTICS_GOD_CLASS_LARGE_CLASS_AST'
@@ -209,9 +254,17 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
       rule.id === 'heuristics.ts.god-class-large-class.ast' ||
       rule.id === 'heuristics.ts.backend.controller-route-without-guard.ast' ||
       rule.id === 'heuristics.ts.backend.controller-route-without-roles.ast' ||
+      rule.id === 'heuristics.ts.backend.auth-route-without-throttle.ast' ||
+      rule.id === 'heuristics.ts.backend.event-handler-without-on-event.ast' ||
       rule.id === 'heuristics.ts.backend.persistence-mutation-without-audit-event.ast' ||
+      rule.id === 'heuristics.ts.backend.sensitive-cache-write.ast' ||
+      rule.id === 'heuristics.ts.backend.auth-response-without-refresh-token.ast' ||
+      rule.id === 'heuristics.ts.backend.process-env-default-fallback.ast' ||
+      rule.id === 'heuristics.ts.backend.direct-process-env-read.ast' ||
+      rule.id === 'heuristics.ts.backend.config-module-without-validation.ast' ||
       rule.id === 'heuristics.ts.backend.hard-delete-without-soft-delete.ast' ||
       rule.id === 'heuristics.ts.backend.dto-property-without-validation.ast' ||
+      rule.id === 'heuristics.ts.backend.dto-property-without-api-property.ast' ||
       rule.id === 'heuristics.ts.backend.dto-nested-property-without-nested-validation.ast' ||
       rule.id === 'heuristics.ts.backend.sensitive-data-logging.ast' ||
       rule.id === 'heuristics.ts.backend.log-without-context.ast' ||
@@ -226,6 +279,7 @@ test('typescriptRules define reglas heurísticas locked para plataforma generic'
       rule.id === 'heuristics.ts.backend.anemic-domain-model.ast' ||
       rule.id === 'heuristics.ts.backend.permissive-cors.ast' ||
       rule.id === 'heuristics.ts.backend.missing-global-validation-pipe.ast' ||
+      rule.id === 'heuristics.ts.backend.missing-compression-middleware.ast' ||
       rule.id === 'heuristics.ts.backend.missing-helmet-security-headers.ast' ||
       rule.id === 'heuristics.ts.backend.controller-business-logic.ast' ||
       rule.id === 'heuristics.ts.backend.repository-business-logic.ast' ||

package/core/rules/presets/heuristics/typescript.ts

@@ -783,6 +783,43 @@ export const typescriptRules: RuleSet = [
       code: 'HEURISTICS_BACKEND_CONTROLLER_ROUTE_WITHOUT_ROLES_AST',
     },
   },
+  {
+    id: 'heuristics.ts.backend.auth-route-without-throttle.ast',
+    description:
+      'Detects NestJS authentication routes such as login, register, refresh or password reset without @Throttle rate limiting.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.auth-route-without-throttle.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected authentication route without rate limiting.',
+      code: 'HEURISTICS_BACKEND_AUTH_ROUTE_WITHOUT_THROTTLE_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.backend.event-handler-without-on-event.ast',
+    description: 'Detects backend event handler classes or methods without an explicit @OnEvent subscription.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.event-handler-without-on-event.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected backend event handler without @OnEvent.',
+      code: 'HEURISTICS_BACKEND_EVENT_HANDLER_WITHOUT_ON_EVENT_AST',
+    },
+  },
   {
     id: 'heuristics.ts.backend.persistence-mutation-without-audit-event.ast',
     description:
@@ -803,6 +840,96 @@ export const typescriptRules: RuleSet = [
       code: 'HEURISTICS_BACKEND_PERSISTENCE_MUTATION_WITHOUT_AUDIT_EVENT_AST',
     },
   },
+  {
+    id: 'heuristics.ts.backend.sensitive-cache-write.ast',
+    description: 'Detects backend cache writes that store tokens, passwords, secrets, email or other sensitive data.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.sensitive-cache-write.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected sensitive data written to backend cache.',
+      code: 'HEURISTICS_BACKEND_SENSITIVE_CACHE_WRITE_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.backend.auth-response-without-refresh-token.ast',
+    description: 'Detects backend auth responses that return an access token without a refresh token.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.auth-response-without-refresh-token.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected auth response without refresh token.',
+      code: 'HEURISTICS_BACKEND_AUTH_RESPONSE_WITHOUT_REFRESH_TOKEN_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.backend.process-env-default-fallback.ast',
+    description: 'Detects backend process.env configuration reads with literal production fallbacks.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.process-env-default-fallback.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected process.env fallback; fail fast when critical backend configuration is missing.',
+      code: 'HEURISTICS_BACKEND_PROCESS_ENV_DEFAULT_FALLBACK_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.backend.direct-process-env-read.ast',
+    description: 'Detects direct backend process.env reads outside the configuration boundary.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.direct-process-env-read.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected direct process.env access; use NestJS ConfigModule/ConfigService.',
+      code: 'HEURISTICS_BACKEND_DIRECT_PROCESS_ENV_READ_AST',
+    },
+  },
+  {
+    id: 'heuristics.ts.backend.config-module-without-validation.ast',
+    description: 'Detects NestJS ConfigModule.forRoot calls without environment validation.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.config-module-without-validation.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected ConfigModule.forRoot without validationSchema or validate.',
+      code: 'HEURISTICS_BACKEND_CONFIG_MODULE_WITHOUT_VALIDATION_AST',
+    },
+  },
   {
     id: 'heuristics.ts.backend.hard-delete-without-soft-delete.ast',
     description: 'Detects backend physical delete calls where soft delete with deletedAt/deleted_at should be used.',
@@ -841,6 +968,25 @@ export const typescriptRules: RuleSet = [
       code: 'HEURISTICS_BACKEND_DTO_PROPERTY_WITHOUT_VALIDATION_AST',
     },
   },
+  {
+    id: 'heuristics.ts.backend.dto-property-without-api-property.ast',
+    description:
+      'Detects DTO properties without Swagger ApiProperty or ApiPropertyOptional decorators.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.dto-property-without-api-property.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected DTO property without Swagger ApiProperty decorator.',
+      code: 'HEURISTICS_BACKEND_DTO_PROPERTY_WITHOUT_API_PROPERTY_AST',
+    },
+  },
   {
     id: 'heuristics.ts.backend.dto-nested-property-without-nested-validation.ast',
     description: 'Detects nested DTO properties without ValidateNested/Type decorators.',
@@ -899,6 +1045,25 @@ export const typescriptRules: RuleSet = [
       code: 'HEURISTICS_BACKEND_MISSING_HELMET_SECURITY_HEADERS_AST',
     },
   },
+  {
+    id: 'heuristics.ts.backend.missing-compression-middleware.ast',
+    description:
+      'Detects NestJS bootstrap code without compression middleware for large responses.',
+    severity: 'ERROR',
+    platform: 'generic',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ts.backend.missing-compression-middleware.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected NestJS bootstrap without compression middleware.',
+      code: 'HEURISTICS_BACKEND_MISSING_COMPRESSION_MIDDLEWARE_AST',
+    },
+  },
   {
     id: 'heuristics.ts.backend.controller-business-logic.ast',
     description:

package/integrations/config/skillsDetectorRegistry.ts

@@ -175,6 +175,14 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'ios.error.empty-catch',
     ['heuristics.ios.error.empty-catch.ast']
   ),
+  'skills.ios.guideline.ios.error-handling-custom-networkerror-enum': heuristicDetector(
+    'ios.error.typed-error-enum',
+    ['heuristics.ios.error.nserror-throw.ast']
+  ),
+  'skills.ios.guideline.ios.error-handling-global-custom-error-enum': heuristicDetector(
+    'ios.error.typed-error-enum',
+    ['heuristics.ios.error.nserror-throw.ast']
+  ),
   'skills.ios.guideline.ios.no-loggear-pii-tokens-emails-ids-sensibles': heuristicDetector(
     'ios.logging.sensitive-data',
     ['heuristics.ios.logging.sensitive-data.ast']
@@ -364,6 +372,10 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     heuristicDetector('ios.swiftui.environment-system-values-no-swinject', [
       'heuristics.ios.architecture.swinject.ast',
     ]),
+  'skills.ios.guideline.ios.dependencies-en-package-swift-versiones-especi-ficas':
+    heuristicDetector('ios.dependencies.swiftpm-branch-dependency', [
+      'heuristics.ios.dependencies.swiftpm-branch-dependency.ast',
+    ]),
   'skills.ios.no-unchecked-sendable': heuristicDetector('ios.unchecked-sendable', [
     'heuristics.ios.unchecked-sendable.ast',
   ]),
@@ -397,6 +409,8 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
   'skills.ios.no-assume-isolated': heuristicDetector('ios.assume-isolated', [
     'heuristics.ios.assume-isolated.ast',
   ]),
+  'skills.ios.guideline.ios.no-usar-mainactor-como-parche-justificar-el-aislamiento':
+    heuristicDetector('ios.assume-isolated', ['heuristics.ios.assume-isolated.ast']),
   'skills.ios.no-observable-object': heuristicDetector('ios.observable-object', [
     'heuristics.ios.observable-object.ast',
   ]),
@@ -781,6 +795,38 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     heuristicDetector('typescript.backend.persistence-mutation-without-audit-event', [
       'heuristics.ts.backend.persistence-mutation-without-audit-event.ast',
     ]),
+  'skills.backend.guideline.backend.event-handlers-onevent-order-created': heuristicDetector(
+    'typescript.backend.event-handler-without-on-event',
+    ['heuristics.ts.backend.event-handler-without-on-event.ast']
+  ),
+  'skills.backend.guideline.backend.no-cachear-datos-sensibles-o-cifrar-antes-de-cachear':
+    heuristicDetector('typescript.backend.sensitive-cache-write', [
+      'heuristics.ts.backend.sensitive-cache-write.ast',
+    ]),
+  'skills.backend.guideline.backend.refresh-tokens-no-solo-access-tokens':
+    heuristicDetector('typescript.backend.auth-response-without-refresh-token', [
+      'heuristics.ts.backend.auth-response-without-refresh-token.ast',
+    ]),
+  'skills.backend.guideline.backend.no-defaults-en-produccio-n-fallar-si-falta-config-cri-tica':
+    heuristicDetector('typescript.backend.process-env-default-fallback', [
+      'heuristics.ts.backend.process-env-default-fallback.ast',
+    ]),
+  'skills.backend.guideline.backend.correlation-ids-para-tracing-distribuido':
+    heuristicDetector('typescript.backend.log-without-context', [
+      'heuristics.ts.backend.log-without-context.ast',
+    ]),
+  'skills.backend.guideline.backend.nestjs-config-configmodule-para-variables-de-entorno':
+    heuristicDetector('typescript.backend.direct-process-env-read', [
+      'heuristics.ts.backend.direct-process-env-read.ast',
+    ]),
+  'skills.backend.guideline.backend.validation-de-config-joi-o-class-validator-para-env':
+    heuristicDetector('typescript.backend.config-module-without-validation', [
+      'heuristics.ts.backend.config-module-without-validation.ast',
+    ]),
+  'skills.backend.guideline.backend.compression-gzip-para-responses-grandes':
+    heuristicDetector('typescript.backend.missing-compression-middleware', [
+      'heuristics.ts.backend.missing-compression-middleware.ast',
+    ]),
   'skills.backend.guideline.backend.soft-deletes-deletedat-en-lugar-de-delete-fi-sico':
     heuristicDetector('typescript.backend.hard-delete-without-soft-delete', [
       'heuristics.ts.backend.hard-delete-without-soft-delete.ast',
@@ -809,6 +855,10 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     heuristicDetector('typescript.backend.dto-property-without-validation', [
       'heuristics.ts.backend.dto-property-without-validation.ast',
     ]),
+  'skills.backend.guideline.backend.swagger-nestjs-swagger-decoradores-apiproperty':
+    heuristicDetector('typescript.backend.dto-property-without-api-property', [
+      'heuristics.ts.backend.dto-property-without-api-property.ast',
+    ]),
   'skills.backend.guideline.backend.nested-validation-validatenested-type':
     heuristicDetector('typescript.backend.dto-nested-property-without-nested-validation', [
       'heuristics.ts.backend.dto-nested-property-without-nested-validation.ast',
@@ -837,6 +887,14 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     heuristicDetector('typescript.backend.controller-route-without-roles', [
       'heuristics.ts.backend.controller-route-without-roles.ast',
     ]),
+  'skills.backend.guideline.backend.rate-limiting-nestjs-throttler-para-prevenir-brute-force':
+    heuristicDetector('typescript.backend.auth-route-without-throttle', [
+      'heuristics.ts.backend.auth-route-without-throttle.ast',
+    ]),
+  'skills.backend.guideline.backend.rate-limiting-throttler-para-prevenir-abuse':
+    heuristicDetector('typescript.backend.auth-route-without-throttle', [
+      'heuristics.ts.backend.auth-route-without-throttle.ast',
+    ]),
   'skills.backend.guideline.backend.callback-hell-usar-async-await': heuristicDetector(
     'typescript.callback-hell',
     ['heuristics.ts.callback-hell.ast']

package/integrations/git/runPlatformGate.ts

@@ -196,6 +196,33 @@ const isFindingOutsideChangedLines = (
   return findingLines.every((line) => !changedLines.has(line));
 };
 
+const BROAD_BROWNFIELD_FINDING_LINES_THRESHOLD = 20;
+
+const isBroadFileLevelFinding = (finding: Finding): boolean => {
+  const findingLines = normalizeFindingLines(finding.lines);
+  if (findingLines.length <= BROAD_BROWNFIELD_FINDING_LINES_THRESHOLD) {
+    return false;
+  }
+  const nodeLines = [
+    ...normalizeFindingLines(finding.primary_node?.lines),
+    ...(finding.related_nodes ?? []).flatMap((node) => normalizeFindingLines(node.lines)),
+  ];
+  const hasPreciseNode =
+    nodeLines.length > 0 && nodeLines.length <= BROAD_BROWNFIELD_FINDING_LINES_THRESHOLD;
+  return !hasPreciseNode;
+};
+
+const isFindingTooBroadForStagedDiffBlock = (
+  finding: Finding,
+  changedLinesByPath: ReadonlyMap<string, ReadonlySet<number>>
+): boolean => {
+  if (!finding.filePath || !isBroadFileLevelFinding(finding)) {
+    return false;
+  }
+  const changedLines = changedLinesByPath.get(toNormalizedPath(finding.filePath));
+  return typeof changedLines !== 'undefined' && changedLines.size > 0;
+};
+
 const normalizeScopedRuleEngineFindings = (params: {
   findings: ReadonlyArray<Finding>;
   scope: GateScope;
@@ -210,7 +237,18 @@ const normalizeScopedRuleEngineFindings = (params: {
   }
 
   return params.findings.map((finding) => {
-    if (!isAstRuleFinding(finding) || !isFindingOutsideChangedLines(finding, params.changedLinesByPath)) {
+    if (!isAstRuleFinding(finding)) {
+      return finding;
+    }
+    const outsideChangedLines = isFindingOutsideChangedLines(
+      finding,
+      params.changedLinesByPath
+    );
+    const tooBroadForDiffBlock = isFindingTooBroadForStagedDiffBlock(
+      finding,
+      params.changedLinesByPath
+    );
+    if (!outsideChangedLines && !tooBroadForDiffBlock) {
       return finding;
     }
     return {
@@ -219,10 +257,14 @@ const normalizeScopedRuleEngineFindings = (params: {
       severity: 'INFO',
       message:
         `${finding.message} ` +
-        'Baseline brownfield outside the staged diff; tracked as advisory for this atomic slice.',
+        (tooBroadForDiffBlock
+          ? 'Finding is file-level/broad and cannot prove the violation was introduced by the staged diff; tracked as advisory for this atomic slice.'
+          : 'Baseline brownfield outside the staged diff; tracked as advisory for this atomic slice.'),
       expected_fix:
         finding.expected_fix ??
-        'Plan a dedicated brownfield remediation slice for this pre-existing finding.',
+        (tooBroadForDiffBlock
+          ? 'Emit a precise AST/nodal finding with line-level evidence for the changed node, or plan a dedicated brownfield remediation slice for this file-level debt.'
+          : 'Plan a dedicated brownfield remediation slice for this pre-existing finding.'),
     };
   });
 };

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.294",
+  "version": "6.3.296",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {