npm - pumuki - Versions diffs - 6.3.329 → 6.3.331 - Mend

pumuki 6.3.329 → 6.3.331

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (6) hide show

package/core/facts/detectors/text/ios.test.ts +3 -0
package/core/facts/detectors/text/ios.ts +8 -3
package/core/facts/extractHeuristicFacts.ts +1 -1
package/core/facts/index.test.ts +35 -0
package/integrations/notifications/emitAuditSummaryNotification.ts +58 -14
package/package.json +1 -1

package/core/facts/detectors/text/ios.test.ts CHANGED Viewed

@@ -19,6 +19,7 @@ import {
   collectSwiftAnyViewLines,
   collectSwiftAnyTypeErasureLines,
   collectSwiftCallbackStyleSignatureLines,
+  collectSwiftCombineSinkWithoutStoreLines,
   collectSwiftDispatchGroupLines,
   collectSwiftDispatchSemaphoreLines,
   collectSwiftDummyAwaitLines,
@@ -528,7 +529,9 @@ let ignoredAssign = ".assign(to: \\\\Model.title, on: model)"
 `;
   assert.equal(hasSwiftCombineSinkWithoutStoreUsage(source), true);
+  assert.deepEqual(collectSwiftCombineSinkWithoutStoreLines(source), [3, 8]);
   assert.equal(hasSwiftCombineSinkWithoutStoreUsage(safe), false);
+  assert.deepEqual(collectSwiftCombineSinkWithoutStoreLines(safe), []);
 });
 test('hasSwiftProductionTestDoubleUsage detecta mocks/spies productivos y preserva strings', () => {

package/core/facts/detectors/text/ios.ts CHANGED Viewed

@@ -129,8 +129,9 @@ export const hasSwiftWarningSuppressionUsage = (source: string): boolean => {
   return collectSwiftWarningSuppressionLines(source).length > 0;
 };
-export const hasSwiftCombineSinkWithoutStoreUsage = (source: string): boolean => {
+export const collectSwiftCombineSinkWithoutStoreLines = (source: string): readonly number[] => {
   const lines = source.split(/\r?\n/);
+  const matches: number[] = [];
   for (let index = 0; index < lines.length; index += 1) {
     const line = stripSwiftLineForSemanticScan(lines[index] ?? '');
@@ -144,11 +145,15 @@ export const hasSwiftCombineSinkWithoutStoreUsage = (source: string): boolean =>
       .join('\n');
     if (!/\.store\s*\(\s*in\s*:\s*&[A-Za-z_][A-Za-z0-9_]*\s*\)/.test(chain)) {
-      return true;
+      matches.push(index + 1);
     }
   }
-  return false;
+  return sortedUniqueLines(matches);
+};
+export const hasSwiftCombineSinkWithoutStoreUsage = (source: string): boolean => {
+  return collectSwiftCombineSinkWithoutStoreLines(source).length > 0;
 };
 export const hasSwiftProductionTestDoubleUsage = (source: string): boolean => {

package/core/facts/extractHeuristicFacts.ts CHANGED Viewed

@@ -774,7 +774,7 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftForceTryUsage, locateLines: TextIOS.collectSwiftForceTryLines, primaryNode: (lines) => ({ kind: 'call', name: 'force try expression try!', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: do/catch or throwing boundary', lines }], why: 'Force try converts a throwable operation into an unconditional runtime crash instead of preserving the typed error boundary.', impact: 'A recoverable domain, network, persistence or decoding error can terminate the app and bypass user-facing recovery, telemetry and tests.', expected_fix: 'Replace try! with do/catch, try await propagation, throws on the current boundary, or a guarded fallback that handles the error explicitly.', ruleId: 'heuristics.ios.force-try.ast', code: 'HEURISTICS_IOS_FORCE_TRY_AST', message: 'AST heuristic detected force try usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftForceCastUsage, locateLines: TextIOS.collectSwiftForceCastLines, primaryNode: (lines) => ({ kind: 'call', name: 'force cast expression as!', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: conditional cast or typed boundary', lines }], why: 'Force cast converts a type mismatch into an unconditional runtime crash instead of preserving a checked domain or presentation boundary.', impact: 'Unexpected payloads, dependency substitutions or navigation models can terminate the app instead of producing a recoverable validation path.', expected_fix: 'Replace as! with as?, guard let, pattern matching, generic constraints, protocol boundaries, or a typed mapper that validates the runtime value explicitly.', ruleId: 'heuristics.ios.force-cast.ast', code: 'HEURISTICS_IOS_FORCE_CAST_AST', message: 'AST heuristic detected force cast usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath, isApprovedIOSBridgePath], detect: TextIOS.hasSwiftCallbackStyleSignature, locateLines: TextIOS.collectSwiftCallbackStyleSignatureLines, primaryNode: (lines) => ({ kind: 'call', name: 'escaping callback-style API signature', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: async/await API or explicit bridge adapter', lines }], why: 'Callback-style completion APIs outside bridge layers bypass Swift structured concurrency and make cancellation, isolation and error flow implicit.', impact: 'Consumers must reason about escaping lifetime, actor hops and callback ordering manually, which increases race, leak and flaky-test risk in production iOS flows.', expected_fix: 'Expose async/await or AsyncSequence APIs in production boundaries. Keep callbacks only inside approved bridge/adapters that wrap legacy SDKs and document the conversion point explicitly.', ruleId: 'heuristics.ios.callback-style.ast', code: 'HEURISTICS_IOS_CALLBACK_STYLE_AST', message: 'AST heuristic detected callback-style API signature outside bridge layers.' },
-  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftCombineSinkWithoutStoreUsage, ruleId: 'heuristics.ios.combine.sink-without-store.ast', code: 'HEURISTICS_IOS_COMBINE_SINK_WITHOUT_STORE_AST', message: 'AST heuristic detected Combine sink without store(in:); keep cancellables retained explicitly.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftCombineSinkWithoutStoreUsage, locateLines: TextIOS.collectSwiftCombineSinkWithoutStoreLines, primaryNode: (lines) => ({ kind: 'call', name: 'Combine sink/assign subscription without store(in:)', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: .store(in: &cancellables)', lines }], why: 'Combine subscriptions returned by sink/assign are cancelled immediately unless the AnyCancellable is retained explicitly.', impact: 'Reactive flows can silently stop receiving values, leak intent across view model lifetimes, or behave differently after navigation if subscription ownership is not clear.', expected_fix: 'Store the returned AnyCancellable with .store(in: &cancellables) or assign it to an explicit cancellable property owned by the view model/service lifetime.', ruleId: 'heuristics.ios.combine.sink-without-store.ast', code: 'HEURISTICS_IOS_COMBINE_SINK_WITHOUT_STORE_AST', message: 'AST heuristic detected Combine sink without store(in:); keep cancellables retained explicitly.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftProductionTestDoubleUsage, ruleId: 'heuristics.ios.testing.production-test-double.ast', code: 'HEURISTICS_IOS_TESTING_PRODUCTION_TEST_DOUBLE_AST', message: 'AST heuristic detected Mock/Fake/Spy/Stub usage in iOS production code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftDispatchQueueUsage, locateLines: TextIOS.collectSwiftDispatchQueueLines, primaryNode: (lines) => ({ kind: 'call', name: 'GCD DispatchQueue call', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: structured concurrency Task/actor/MainActor boundary', lines }], why: 'DispatchQueue introduces unstructured GCD scheduling in production Swift code instead of preserving Swift concurrency cancellation, priority and actor isolation semantics.', impact: 'Manual queue hops make ordering, cancellation and main-actor safety harder to reason about, increasing race and flaky UI update risk.', expected_fix: 'Use async/await, Task, TaskGroup, actors, MainActor.run or isolated async APIs. Keep GCD only inside explicitly approved legacy bridge layers with documented ownership.', ruleId: 'heuristics.ios.dispatchqueue.ast', code: 'HEURISTICS_IOS_DISPATCHQUEUE_AST', message: 'AST heuristic detected DispatchQueue usage.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftDispatchGroupUsage, locateLines: TextIOS.collectSwiftDispatchGroupLines, primaryNode: (lines) => ({ kind: 'call', name: 'GCD DispatchGroup call', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: structured concurrency TaskGroup or async aggregation boundary', lines }], why: 'DispatchGroup is an unstructured coordination primitive that makes asynchronous control flow and cancellation implicit instead of modeled by Swift concurrency.', impact: 'Group coordination is harder to reason about and can hide waiting or deadlock risks in production code paths that should be expressed through TaskGroup or async aggregation.', expected_fix: 'Use TaskGroup, async let, await aggregation, actors or explicit async APIs. Keep DispatchGroup only inside approved legacy bridge layers with documented ownership and migration scope.', ruleId: 'heuristics.ios.dispatchgroup.ast', code: 'HEURISTICS_IOS_DISPATCHGROUP_AST', message: 'AST heuristic detected DispatchGroup usage.' },

package/core/facts/index.test.ts CHANGED Viewed

@@ -177,3 +177,38 @@ final class BuyerAPIClient {
   assert.deepEqual(jsonSerialization.primary_node?.lines, [7]);
   assert.match(jsonSerialization.expected_fix ?? '', /Codable/i);
 });
+test('extractHeuristicFacts emite Combine sink iOS con linea y remediation accionable', () => {
+  const params: HeuristicExtractionParams = {
+    facts: [
+      {
+        kind: 'FileContent',
+        source: 'repo',
+        path: 'apps/ios/Presentation/Features/Orders/OrdersViewModel.swift',
+        content: `
+final class OrdersViewModel {
+  func bind() {
+    publisher
+      .sink { value in
+        self.render(value)
+      }
+  }
+}
+`,
+      },
+    ],
+    detectedPlatforms: {
+      ios: { detected: true, confidence: 'HIGH' },
+    },
+  };
+  const extractedFacts = extractHeuristicFacts(params);
+  const match = extractedFacts.find(
+    (fact) => fact.ruleId === 'heuristics.ios.combine.sink-without-store.ast'
+  );
+  assert.ok(match);
+  assert.deepEqual(match.lines, [5]);
+  assert.deepEqual(match.primary_node?.lines, [5]);
+  assert.match(match.expected_fix ?? '', /\.store\(in:/i);
+});

package/integrations/notifications/emitAuditSummaryNotification.ts CHANGED Viewed

@@ -25,6 +25,14 @@ type AuditSummaryNotificationDependencies = {
   env: NodeJS.ProcessEnv;
 };
+type NotificationBlockingCause = {
+  code: string;
+  message: string;
+  ruleId?: string;
+  file?: string;
+  remediation?: string;
+};
 const defaultDependencies: AuditSummaryNotificationDependencies = {
   readEvidence,
   emitSystemNotification,
@@ -62,6 +70,38 @@ const normalizeNotificationStage = (stage: string): PumukiNotificationStage => {
   return 'PRE_COMMIT';
 };
+const normalizeRuleCode = (ruleId: string): string =>
+  ruleId
+    .replace(/^skills\./u, 'SKILLS_')
+    .replace(/[.-]/gu, '_')
+    .toUpperCase();
+const extractNestedSkillCauseFromWrapper = (cause: NotificationBlockingCause): NotificationBlockingCause => {
+  if (cause.ruleId?.startsWith('skills.') || cause.code.startsWith('SKILLS_')) {
+    return cause;
+  }
+  const nested = cause.message.match(/\bBlocking causes:\s*1\)\s*(skills\.[a-z0-9_.-]+)\s+(.+?)$/iu);
+  if (!nested?.[1]) {
+    return cause;
+  }
+  const ruleId = nested[1];
+  const nestedMessage = nested[2]?.trim() || 'Skill violada.';
+  return {
+    ...cause,
+    code: normalizeRuleCode(ruleId),
+    ruleId,
+    message: `rule=${ruleId} message=${nestedMessage}`,
+    remediation:
+      cause.remediation && !/corrige la violaci[oó]n indicada/i.test(cause.remediation)
+        ? cause.remediation
+        : 'Corrige la violación de la skill indicada en el fichero afectado y vuelve a intentar el commit.',
+  };
+};
+const normalizeNotificationBlockingCause = (
+  cause: NotificationBlockingCause
+): NotificationBlockingCause => extractNestedSkillCauseFromWrapper(cause);
 export const shouldEmitAuditSummaryNotificationForStage = (
   stage: AuditSummaryNotificationStage,
   env: NodeJS.ProcessEnv = process.env
@@ -87,13 +127,15 @@ export const toAuditSummaryEventFromEvidence = (
       causeCode: primaryCause.code,
       causeMessage: formatEvidenceBlockingCause(primaryCause),
       remediation: primaryCause.remediation ?? 'Corrige la violación indicada y vuelve a intentar el commit.',
-      blockingCauses: blockingCauses.map((cause) => ({
-        code: cause.code,
-        ruleId: cause.ruleId,
-        file: cause.file,
-        message: formatEvidenceBlockingCause(cause),
-        remediation: cause.remediation,
-      })),
+      blockingCauses: blockingCauses.map((cause) =>
+        normalizeNotificationBlockingCause({
+          code: cause.code,
+          ruleId: cause.ruleId,
+          file: cause.file,
+          message: formatEvidenceBlockingCause(cause),
+          remediation: cause.remediation,
+        })
+      ),
     };
   }
   return {
@@ -125,12 +167,14 @@ export const toAuditSummaryEventFromAiGate = (params: {
       causeCode: primaryViolation.code,
       causeMessage: primaryViolation.message,
       remediation: 'Corrige la violación indicada y vuelve a intentar el commit.',
-      blockingCauses: params.aiGateResult.violations.map((violation) => ({
-        code: violation.code,
-        ruleId: violation.code,
-        message: violation.message,
-        remediation: 'Corrige la violación indicada y vuelve a intentar el commit.',
-      })),
+      blockingCauses: params.aiGateResult.violations.map((violation) =>
+        normalizeNotificationBlockingCause({
+          code: violation.code,
+          ruleId: violation.code.startsWith('skills.') ? violation.code : undefined,
+          message: violation.message,
+          remediation: 'Corrige la violación indicada y vuelve a intentar el commit.',
+        })
+      ),
     };
   }
   return {
@@ -233,7 +277,7 @@ export const emitGateBlockedNotification = (
         causeMessage: params.causeMessage,
       }),
       remediation: params.remediation,
-      blockingCauses: params.blockingCauses,
+      blockingCauses: params.blockingCauses?.map(normalizeNotificationBlockingCause),
     },
     repoRoot: params.repoRoot,
   });

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.329",
+  "version": "6.3.331",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {