pumuki 6.3.35 → 6.3.37

package/VERSION

@@ -1 +1 @@
-v6.3.24
+v6.3.37

package/docs/CONFIGURATION.md

@@ -191,6 +191,7 @@ Behavior:
 - non dry-run: persists `learning.json` deterministically and reports digest/path in output.
 - `rule_updates`: deterministic recommendations derived from evidence/gate signals (`missing`, `invalid`, `blocked`, `allowed`).
 - dedicated command: `pumuki sdd learn --change=<id> [--stage=<stage>] [--task=<task>] [--dry-run] [--json]` generates/persists the same artifact without requiring `sync-docs`.
+- orchestration command: `pumuki sdd auto-sync --change=<id> [--stage=<stage>] [--task=<task>] [--dry-run] [--json]` executes deterministic docs sync plus learning generation in one step.
 
 ## Gate telemetry export (optional)
 
@@ -228,7 +229,7 @@ Expected JSONL keys for enterprise audit ingestion:
 - `schema=telemetry_event_v1` with `schema_version=1.0`
 - `stage`, `gate_outcome`, `severity_counts`
 - `policy.bundle`, `policy.hash`, `policy.version`, `policy.signature`, `policy.policy_source`
-- `policy.validation_status`, `policy.validation_code` (when policy-as-code validation is available)
+- `policy.validation_status`, `policy.validation_code` (when policy-as-code validation is available; status can be `valid|invalid|expired|unknown-source|unsigned`)
 
 ## Heuristic pilot flag
 

package/docs/RELEASE_NOTES.md

@@ -5,6 +5,40 @@ Detailed commit history remains available through Git history (`git log` / `git
 
 ## 2026-03 (enterprise hardening updates)
 
+### 2026-03-04 (v6.3.37)
+
+- Policy-as-code enterprise hardening shipped:
+  - strict mode now blocks unsigned runtime policy metadata with deterministic code `POLICY_AS_CODE_UNSIGNED`.
+  - lifecycle outputs now expose policy validation metadata in `status --json`, `doctor --json`, and `sdd validate --json`.
+  - telemetry/evidence contract now supports policy validation status `unsigned`.
+- Traceability:
+  - implementation issue: `#606`
+  - implementation PR: `#608`
+  - tracking sync PR: `#609`
+- Consumer quick verification:
+  - `npx --yes --package pumuki@latest pumuki status --json`
+  - `npx --yes --package pumuki@latest pumuki doctor --json`
+  - `PUMUKI_POLICY_STRICT=1 npx --yes --package pumuki@latest pumuki-pre-commit`
+  - expected signal:
+    - JSON includes `policyValidation.stages.*.validationCode`.
+    - strict mode blocks unsigned contracts with `POLICY_AS_CODE_UNSIGNED`.
+
+### 2026-03-04 (v6.3.36)
+
+- SDD orchestration hardening shipped:
+  - New enterprise command `pumuki sdd auto-sync` with `--change`, optional `--stage/--task`, `--dry-run`, and `--json`.
+  - `auto-sync` orchestrates deterministic docs sync plus learning generation in one step.
+  - Fail-safe behavior preserved through the existing transactional `sync-docs` path (no partial writes on conflict).
+- Traceability:
+  - implementation issue: `#600`
+  - implementation PR: `#602`
+  - tracking sync PR: `#604`
+- Consumer quick verification:
+  - `npx --yes --package pumuki@latest pumuki sdd auto-sync --change=rgo-quickstart-02 --stage=PRE_WRITE --task=P12.F2.T70 --dry-run --json`
+  - expected signal:
+    - `command=pumuki sdd auto-sync` available in CLI help.
+    - JSON payload includes `syncDocs.updated` and `learning.path`.
+
 ### 2026-03-04 (v6.3.35)
 
 - SDD enterprise incremental hardening shipped:

package/docs/registro-maestro-de-seguimiento.md

@@ -7,8 +7,8 @@
 ## Estado actual
 - Plan activo: `docs/seguimiento-completo-validacion-ruralgo-03-03-2026.md`
 - Estado del plan: EN CURSO
-- Última task cerrada (`✅`): `P12.F2.T68` (nuevo comando `pumuki sdd learn`, issue `#597`, PR `#599`).
-- Task activa (`🚧`): `P12.F2.T69` (publicar release `6.3.35` con cierre SDD incremental en npm).
+- Última task cerrada (`✅`): `P12.F2.T72` (hardening `policy-as-code` completado: issue `#606` cerrada con PR `#608`).
+- Task activa (`🚧`): `P12.F2.T73` (preparar/publicar release incremental con el hardening de `#606`).
 
 ## Historial resumido
 - No se mantienen MDs históricos de seguimiento en este repositorio.

package/docs/seguimiento-completo-validacion-ruralgo-03-03-2026.md

@@ -1942,11 +1942,62 @@ Criterio de salida F5:
     - `npx --yes tsx@4.21.0 --test integrations/sdd/__tests__/syncDocs.test.ts integrations/lifecycle/__tests__/cli.test.ts` => `38 passed, 0 failed`.
     - `npm run -s typecheck` => `exit 0`.
 
-- 🚧 `P12.F2.T69` Publicar release `6.3.35` con cierre SDD incremental.
+- ✅ `P12.F2.T69` Publicar release `6.3.35` con cierre SDD incremental.
+  - cierre ejecutado:
+    - versión incrementada a `6.3.35` en `package.json` y `package-lock.json`.
+    - release notes actualizadas con entrada `2026-03-04 (v6.3.35)` en `docs/RELEASE_NOTES.md`.
+    - publicación npm ejecutada con éxito (`npm publish --access public`).
+    - propagación validada:
+      - `npm view pumuki dist-tags --json` => `"latest": "6.3.35"`.
+      - smoke `@latest` en carpeta temporal mostrando `pumuki sdd learn ...` en `--help`.
+  - evidencia:
+    - `npx --yes tsx@4.21.0 --test integrations/sdd/__tests__/syncDocs.test.ts integrations/lifecycle/__tests__/cli.test.ts` => `38 passed, 0 failed`.
+    - `npm run -s typecheck` => `exit 0`.
+    - `npm publish --access public` => `+ pumuki@6.3.35`.
+    - `npm view pumuki@6.3.35 version` => `6.3.35`.
+
+- ✅ `P12.F2.T70` Siguiente SDD pendiente enterprise: comando orquestador `pumuki sdd auto-sync` (`#600`).
+  - cierre ejecutado:
+    - nuevo runtime `runSddAutoSync` en capa SDD para orquestar `sync-docs` + `learning` en un único paso determinista.
+    - CLI ampliada con:
+      - `pumuki sdd auto-sync --change=<id> --stage=<stage> --task=<task-id> [--dry-run] [--json]`.
+    - cobertura de regresión añadida en `syncDocs`/`index`/`cli` y documentación actualizada en `docs/CONFIGURATION.md`.
+    - issue cerrada: `#600`.
+    - PR mergeada: `#602` (`commit 2be34c5`).
+  - evidencia:
+    - `npx --yes tsx@4.21.0 --test integrations/sdd/__tests__/syncDocs.test.ts integrations/sdd/__tests__/index.test.ts integrations/lifecycle/__tests__/cli.test.ts` => `44 passed, 0 failed`.
+    - `npm run -s typecheck` => `exit 0`.
+
+- ✅ `P12.F2.T71` Publicar release `6.3.36` con `pumuki sdd auto-sync` (`#603`).
+  - cierre ejecutado:
+    - versionado a `6.3.36` en `package.json`, `package-lock.json` y `VERSION`.
+    - release notes actualizadas con entrada `2026-03-04 (v6.3.36)` en `docs/RELEASE_NOTES.md`.
+    - publicación npm ejecutada con éxito (`npm publish --access public`).
+    - propagación validada:
+      - `npm view pumuki dist-tags --json` => `"latest": "6.3.36"`.
+      - smoke `@latest` con `--help` mostrando `pumuki sdd auto-sync ...`.
+  - evidencia:
+    - `npx --yes tsx@4.21.0 --test integrations/sdd/__tests__/syncDocs.test.ts integrations/sdd/__tests__/index.test.ts integrations/lifecycle/__tests__/cli.test.ts` => `44 passed, 0 failed`.
+    - `npm run -s typecheck` => `exit 0`.
+    - `npm publish --access public` => `+ pumuki@6.3.36`.
+    - `npm view pumuki@6.3.36 version` => `6.3.36`.
+
+- ✅ `P12.F2.T72` Hardening enterprise policy-as-code firmada/versionada (`#606`).
+  - cierre ejecutado:
+    - modo estricto bloquea política no firmada con código determinista `POLICY_AS_CODE_UNSIGNED`.
+    - `status`, `doctor` y `sdd validate --json` exponen metadatos de validación de policy (`source/bundle/hash/version/signature/status/code/strict`).
+    - telemetría/evidence alineadas con estado adicional `unsigned`.
+    - cobertura de regresión añadida para strict unsigned + metadatos lifecycle.
+    - issue cerrada: `#606`.
+    - PR mergeada: `#608` (`commit 881eac8`).
+  - evidencia:
+    - `npx --yes tsx@4.21.0 --test integrations/gate/__tests__/stagePolicies.test.ts integrations/git/__tests__/runPlatformGate.test.ts integrations/lifecycle/__tests__/status.test.ts integrations/lifecycle/__tests__/doctor.test.ts integrations/lifecycle/__tests__/cli.test.ts` => `81 passed, 0 failed`.
+    - `npm run -s typecheck` => `exit 0`.
+
+- 🚧 `P12.F2.T73` Preparar y publicar release con el hardening de `#606`.
   - salida esperada:
-    - bump de versión (`package.json`, `package-lock.json`) + nota de release.
-    - publicación npm exitosa y verificación `npm view pumuki version`.
-    - smoke mínimo con `npx --yes --package pumuki@latest pumuki --help`.
+    - versionar release incremental y notas de publicación.
+    - publicar en npm y verificar propagación `dist-tags`.
 
 Criterio de salida F6:
 - veredicto final trazable y cierre administrativo completo.

package/integrations/evidence/schema.ts

@@ -89,7 +89,7 @@ export type RulesetState = {
   version?: string;
   signature?: string;
   source?: string;
-  validation_status?: 'valid' | 'invalid' | 'expired' | 'unknown-source';
+  validation_status?: 'valid' | 'invalid' | 'expired' | 'unknown-source' | 'unsigned';
   validation_code?: string;
   degraded_mode_enabled?: boolean;
   degraded_mode_action?: 'allow' | 'block';

package/integrations/gate/stagePolicies.ts

@@ -49,9 +49,10 @@ export type ResolvedStagePolicy = {
     signature?: string;
     policySource?: string;
     validation?: {
-      status: 'valid' | 'invalid' | 'expired' | 'unknown-source';
+      status: 'valid' | 'invalid' | 'expired' | 'unknown-source' | 'unsigned';
       code:
         | 'POLICY_AS_CODE_VALID'
+        | 'POLICY_AS_CODE_UNSIGNED'
         | 'POLICY_AS_CODE_CONTRACT_INVALID'
         | 'POLICY_AS_CODE_CONTRACT_EXPIRED'
         | 'POLICY_AS_CODE_SIGNATURE_MISMATCH'
@@ -307,6 +308,21 @@ const resolvePolicyAsCodeTraceMetadata = (params: {
   const contractPath = join(params.repoRoot, POLICY_AS_CODE_CONTRACT_PATH);
 
   if (!existsSync(contractPath)) {
+    if (strict) {
+      return {
+        version: computedVersion,
+        signature: computedSignature,
+        policySource: 'computed-local',
+        validation: {
+          status: 'unsigned',
+          code: 'POLICY_AS_CODE_UNSIGNED',
+          message:
+            'Policy-as-code contract is missing; runtime policy metadata is unsigned.',
+          strict,
+        },
+      };
+    }
+
     return {
       version: computedVersion,
       signature: computedSignature,

package/integrations/lifecycle/cli.ts

@@ -10,6 +10,10 @@ import {
 import { runLifecycleInstall } from './install';
 import { runLifecycleRemove } from './remove';
 import { readLifecycleStatus } from './status';
+import {
+  readLifecyclePolicyValidationSnapshot,
+  type LifecyclePolicyValidationSnapshot,
+} from './policyValidationSnapshot';
 import { runLifecycleUninstall } from './uninstall';
 import { runLifecycleUpdate } from './update';
 import { runOpenSpecBootstrap } from './openSpecBootstrap';
@@ -27,6 +31,7 @@ import {
   openSddSession,
   readSddStatus,
   refreshSddSession,
+  runSddAutoSync,
   runSddLearn,
   runSddSyncDocs,
   type SddStage,
@@ -63,7 +68,7 @@ type LifecycleCommand =
   | 'adapter'
   | 'analytics';
 
-type SddCommand = 'status' | 'validate' | 'session' | 'sync-docs' | 'learn';
+type SddCommand = 'status' | 'validate' | 'session' | 'sync-docs' | 'learn' | 'auto-sync';
 type LoopCommand = 'run' | 'status' | 'stop' | 'resume' | 'list' | 'export';
 type AnalyticsCommand = 'hotspots';
 type AnalyticsHotspotsCommand = 'report' | 'diagnose';
@@ -95,6 +100,10 @@ type ParsedArgs = {
   sddLearnChange?: string;
   sddLearnStage?: SddStage;
   sddLearnTask?: string;
+  sddAutoSyncDryRun?: boolean;
+  sddAutoSyncChange?: string;
+  sddAutoSyncStage?: SddStage;
+  sddAutoSyncTask?: string;
   adapterCommand?: 'install';
   adapterAgent?: AdapterAgent;
   adapterDryRun?: boolean;
@@ -130,6 +139,7 @@ Pumuki lifecycle commands:
   pumuki sdd session --close [--json]
   pumuki sdd sync-docs [--change=<change-id>] [--stage=PRE_WRITE|PRE_COMMIT|PRE_PUSH|CI] [--task=<task-id>] [--dry-run] [--json]
   pumuki sdd learn --change=<change-id> [--stage=PRE_WRITE|PRE_COMMIT|PRE_PUSH|CI] [--task=<task-id>] [--dry-run] [--json]
+  pumuki sdd auto-sync --change=<change-id> [--stage=PRE_WRITE|PRE_COMMIT|PRE_PUSH|CI] [--task=<task-id>] [--dry-run] [--json]
 `.trim();
 
 const LOOP_RUN_POLICY: GatePolicy = {
@@ -436,6 +446,10 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
   let sddLearnChange: ParsedArgs['sddLearnChange'];
   let sddLearnStage: ParsedArgs['sddLearnStage'];
   let sddLearnTask: ParsedArgs['sddLearnTask'];
+  let sddAutoSyncDryRun = false;
+  let sddAutoSyncChange: ParsedArgs['sddAutoSyncChange'];
+  let sddAutoSyncStage: ParsedArgs['sddAutoSyncStage'];
+  let sddAutoSyncTask: ParsedArgs['sddAutoSyncTask'];
   let adapterCommand: ParsedArgs['adapterCommand'];
   let adapterAgent: ParsedArgs['adapterAgent'];
   let adapterDryRun = false;
@@ -615,7 +629,8 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
       subcommandRaw !== 'validate' &&
       subcommandRaw !== 'session' &&
       subcommandRaw !== 'sync-docs' &&
-      subcommandRaw !== 'learn'
+      subcommandRaw !== 'learn' &&
+      subcommandRaw !== 'auto-sync'
     ) {
       throw new Error(`Unsupported SDD subcommand "${subcommandRaw}".\n\n${HELP_TEXT}`);
     }
@@ -635,7 +650,11 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
           sddLearnDryRun = true;
           continue;
         }
-        throw new Error(`--dry-run is only supported with "pumuki sdd sync-docs" or "pumuki sdd learn".\n\n${HELP_TEXT}`);
+        if (sddCommand === 'auto-sync') {
+          sddAutoSyncDryRun = true;
+          continue;
+        }
+        throw new Error(`--dry-run is only supported with "pumuki sdd sync-docs", "pumuki sdd learn" or "pumuki sdd auto-sync".\n\n${HELP_TEXT}`);
       }
       if (arg.startsWith('--stage=')) {
         if (sddCommand === 'validate') {
@@ -650,7 +669,11 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
           sddLearnStage = parseSddStage(arg.slice('--stage='.length));
           continue;
         }
-        throw new Error(`--stage is only supported with "pumuki sdd validate", "pumuki sdd sync-docs" or "pumuki sdd learn".\n\n${HELP_TEXT}`);
+        if (sddCommand === 'auto-sync') {
+          sddAutoSyncStage = parseSddStage(arg.slice('--stage='.length));
+          continue;
+        }
+        throw new Error(`--stage is only supported with "pumuki sdd validate", "pumuki sdd sync-docs", "pumuki sdd learn" or "pumuki sdd auto-sync".\n\n${HELP_TEXT}`);
       }
       if (arg === '--open') {
         if (sddCommand !== 'session') {
@@ -694,7 +717,15 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
           sddLearnChange = changeValue;
           continue;
         }
-        throw new Error(`--change is only supported with "pumuki sdd session", "pumuki sdd sync-docs" or "pumuki sdd learn".\n\n${HELP_TEXT}`);
+        if (sddCommand === 'auto-sync') {
+          const changeValue = arg.slice('--change='.length).trim();
+          if (changeValue.length === 0) {
+            throw new Error(`Invalid --change value "${arg}".`);
+          }
+          sddAutoSyncChange = changeValue;
+          continue;
+        }
+        throw new Error(`--change is only supported with "pumuki sdd session", "pumuki sdd sync-docs", "pumuki sdd learn" or "pumuki sdd auto-sync".\n\n${HELP_TEXT}`);
       }
       if (arg.startsWith('--task=')) {
         if (sddCommand === 'sync-docs') {
@@ -713,7 +744,15 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
           sddLearnTask = taskValue;
           continue;
         }
-        throw new Error(`--task is only supported with "pumuki sdd sync-docs" or "pumuki sdd learn".\n\n${HELP_TEXT}`);
+        if (sddCommand === 'auto-sync') {
+          const taskValue = arg.slice('--task='.length).trim();
+          if (taskValue.length === 0) {
+            throw new Error(`Invalid --task value "${arg}".`);
+          }
+          sddAutoSyncTask = taskValue;
+          continue;
+        }
+        throw new Error(`--task is only supported with "pumuki sdd sync-docs", "pumuki sdd learn" or "pumuki sdd auto-sync".\n\n${HELP_TEXT}`);
       }
       if (arg.startsWith('--ttl-minutes=')) {
         if (sddCommand !== 'session') {
@@ -783,6 +822,26 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
         ...(sddLearnTask ? { sddLearnTask } : {}),
       };
     }
+    if (sddCommand === 'auto-sync') {
+      if (sddSessionAction || sddChangeId || typeof sddTtlMinutes === 'number') {
+        throw new Error(
+          `"pumuki sdd auto-sync" only supports --change=<change-id> [--stage=PRE_WRITE|PRE_COMMIT|PRE_PUSH|CI] [--task=<task-id>] [--dry-run] [--json].\n\n${HELP_TEXT}`
+        );
+      }
+      if (!sddAutoSyncChange || sddAutoSyncChange.length === 0) {
+        throw new Error(`Missing --change=<change-id> for "pumuki sdd auto-sync".\n\n${HELP_TEXT}`);
+      }
+      return {
+        command: commandRaw,
+        purgeArtifacts: false,
+        json,
+        sddCommand,
+        sddAutoSyncDryRun,
+        sddAutoSyncChange,
+        ...(sddAutoSyncStage ? { sddAutoSyncStage } : {}),
+        ...(sddAutoSyncTask ? { sddAutoSyncTask } : {}),
+      };
+    }
 
     if (!sddSessionAction) {
       throw new Error(
@@ -922,6 +981,11 @@ const printDoctorReport = (
   writeInfo(
     `[pumuki] hook pre-push: ${report.hookStatus['pre-push'].managedBlockPresent ? 'managed' : 'missing'}`
   );
+  writeInfo(
+    `[pumuki] policy-as-code: PRE_COMMIT=${report.policyValidation.stages.PRE_COMMIT.validationCode ?? 'n/a'} strict=${report.policyValidation.stages.PRE_COMMIT.strict ? 'yes' : 'no'} ` +
+    `PRE_PUSH=${report.policyValidation.stages.PRE_PUSH.validationCode ?? 'n/a'} strict=${report.policyValidation.stages.PRE_PUSH.strict ? 'yes' : 'no'} ` +
+    `CI=${report.policyValidation.stages.CI.validationCode ?? 'n/a'} strict=${report.policyValidation.stages.CI.strict ? 'yes' : 'no'}`
+  );
 
   for (const issue of report.issues) {
     writeInfo(`[pumuki] ${issue.severity.toUpperCase()}: ${issue.message}`);
@@ -961,6 +1025,7 @@ const PRE_WRITE_INSTALL_REMEDIATION_COMMAND =
 type PreWriteValidationEnvelope = {
   sdd: ReturnType<typeof evaluateSddPolicy>;
   ai_gate: ReturnType<typeof evaluateAiGate>;
+  policy_validation: LifecyclePolicyValidationSnapshot;
   automation: PreWriteAutomationTrace;
   bootstrap: {
     enabled: boolean;
@@ -1174,12 +1239,14 @@ const resolveAiGateViolationLocation = (code: string) => {
 const buildPreWriteValidationEnvelope = (
   result: ReturnType<typeof evaluateSddPolicy>,
   aiGate: ReturnType<typeof evaluateAiGate>,
+  policyValidation: LifecyclePolicyValidationSnapshot,
   automation: PreWriteAutomationTrace,
   bootstrap: PreWriteOpenSpecBootstrapTrace,
   nextAction: PreWriteValidationEnvelope['next_action']
 ): PreWriteValidationEnvelope => ({
   sdd: result,
   ai_gate: aiGate,
+  policy_validation: policyValidation,
   automation: {
     attempted: automation.attempted,
     actions: [...automation.actions],
@@ -1343,6 +1410,11 @@ export const runLifecycleCli = async (
           writeInfo(
             `[pumuki] tracked node_modules paths: ${status.trackedNodeModulesCount}`
           );
+          writeInfo(
+            `[pumuki] policy-as-code: PRE_COMMIT=${status.policyValidation.stages.PRE_COMMIT.validationCode ?? 'n/a'} strict=${status.policyValidation.stages.PRE_COMMIT.strict ? 'yes' : 'no'} ` +
+            `PRE_PUSH=${status.policyValidation.stages.PRE_PUSH.validationCode ?? 'n/a'} strict=${status.policyValidation.stages.PRE_PUSH.strict ? 'yes' : 'no'} ` +
+            `CI=${status.policyValidation.stages.CI.validationCode ?? 'n/a'} strict=${status.policyValidation.stages.CI.strict ? 'yes' : 'no'}`
+          );
           if (remoteCiDiagnostics) {
             printRemoteCiDiagnostics(remoteCiDiagnostics);
           }
@@ -1601,6 +1673,7 @@ export const runLifecycleCli = async (
           let result = evaluateSddPolicy({
             stage: parsed.sddStage ?? 'PRE_COMMIT',
           });
+          const policyValidation = readLifecyclePolicyValidationSnapshot(process.cwd());
           const preWriteAutoBootstrapEnabled = process.env.PUMUKI_PREWRITE_AUTO_BOOTSTRAP !== '0';
           const preWriteBootstrapTrace: PreWriteOpenSpecBootstrapTrace = {
             enabled: preWriteAutoBootstrapEnabled,
@@ -1672,11 +1745,15 @@ export const runLifecycleCli = async (
                   ? buildPreWriteValidationEnvelope(
                     result,
                     aiGate,
+                    policyValidation,
                     automationTrace,
                     preWriteBootstrapTrace,
                     nextAction
                   )
-                  : result,
+                  : {
+                    ...result,
+                    policy_validation: policyValidation,
+                  },
                 null,
                 2
               )
@@ -1685,6 +1762,11 @@ export const runLifecycleCli = async (
             writeInfo(
               `[pumuki][sdd] stage=${result.stage} allowed=${result.decision.allowed ? 'yes' : 'no'} code=${result.decision.code}`
             );
+            writeInfo(
+              `[pumuki][sdd] policy-as-code: PRE_COMMIT=${policyValidation.stages.PRE_COMMIT.validationCode ?? 'n/a'} strict=${policyValidation.stages.PRE_COMMIT.strict ? 'yes' : 'no'} ` +
+              `PRE_PUSH=${policyValidation.stages.PRE_PUSH.validationCode ?? 'n/a'} strict=${policyValidation.stages.PRE_PUSH.strict ? 'yes' : 'no'} ` +
+              `CI=${policyValidation.stages.CI.validationCode ?? 'n/a'} strict=${policyValidation.stages.CI.strict ? 'yes' : 'no'}`
+            );
             writeInfo(
               withOptionalLocation(
                 `[pumuki][sdd] ${result.decision.message}`,
@@ -1824,6 +1906,31 @@ export const runLifecycleCli = async (
           }
           return 0;
         }
+        if (parsed.sddCommand === 'auto-sync') {
+          const autoSyncResult = runSddAutoSync({
+            repoRoot: process.cwd(),
+            dryRun: parsed.sddAutoSyncDryRun === true,
+            change: parsed.sddAutoSyncChange,
+            stage: parsed.sddAutoSyncStage,
+            task: parsed.sddAutoSyncTask,
+          });
+          if (parsed.json) {
+            writeInfo(JSON.stringify(autoSyncResult, null, 2));
+          } else {
+            writeInfo(
+              `[pumuki][sdd] auto-sync dry_run=${autoSyncResult.dryRun ? 'yes' : 'no'} change=${autoSyncResult.context.change} stage=${autoSyncResult.context.stage ?? 'none'} task=${autoSyncResult.context.task ?? 'none'} updated=${autoSyncResult.syncDocs.updated ? 'yes' : 'no'} files=${autoSyncResult.syncDocs.files.length} learning_written=${autoSyncResult.learning.written ? 'yes' : 'no'}`
+            );
+            writeInfo(
+              `[pumuki][sdd] learning_path=${autoSyncResult.learning.path} digest=${autoSyncResult.learning.digest}`
+            );
+            for (const file of autoSyncResult.syncDocs.files) {
+              writeInfo(
+                `[pumuki][sdd] file=${file.path} updated=${file.updated ? 'yes' : 'no'} before=${file.beforeDigest} after=${file.afterDigest}`
+              );
+            }
+          }
+          return 0;
+        }
         return 0;
       }
       case 'adapter': {

package/integrations/lifecycle/doctor.ts

@@ -5,6 +5,10 @@ import { resolvePolicyForStage } from '../gate/stagePolicies';
 import { getPumukiHooksStatus } from './hookManager';
 import { LifecycleGitService, type ILifecycleGitService } from './gitService';
 import { getCurrentPumukiVersion } from './packageInfo';
+import {
+  readLifecyclePolicyValidationSnapshot,
+  type LifecyclePolicyValidationSnapshot,
+} from './policyValidationSnapshot';
 import { readLifecycleState, type LifecycleState } from './state';
 import {
   detectOpenSpecInstallation,
@@ -71,6 +75,7 @@ export type LifecycleDoctorReport = {
   lifecycleState: LifecycleState;
   trackedNodeModulesPaths: ReadonlyArray<string>;
   hookStatus: ReturnType<typeof getPumukiHooksStatus>;
+  policyValidation: LifecyclePolicyValidationSnapshot;
   issues: ReadonlyArray<DoctorIssue>;
   deep?: DoctorDeepReport;
 };
@@ -653,6 +658,7 @@ export const runLifecycleDoctor = (params?: {
     lifecycleState,
     trackedNodeModulesPaths,
     hookStatus,
+    policyValidation: readLifecyclePolicyValidationSnapshot(repoRoot),
     issues,
     deep,
   };

package/integrations/lifecycle/policyValidationSnapshot.ts

@@ -0,0 +1,51 @@
+import type { SkillsStage } from '../config/skillsLock';
+import {
+  resolvePolicyForStage,
+  type ResolvedStagePolicy,
+} from '../gate/stagePolicies';
+
+export type LifecyclePolicyValidationStageSnapshot = {
+  source: ResolvedStagePolicy['trace']['source'];
+  bundle: string;
+  hash: string;
+  version: string | null;
+  signature: string | null;
+  policySource: string | null;
+  validationStatus: NonNullable<ResolvedStagePolicy['trace']['validation']>['status'] | null;
+  validationCode: NonNullable<ResolvedStagePolicy['trace']['validation']>['code'] | null;
+  strict: boolean;
+};
+
+export type LifecyclePolicyValidationSnapshot = {
+  stages: Record<SkillsStage, LifecyclePolicyValidationStageSnapshot>;
+};
+
+const POLICY_STAGES: ReadonlyArray<SkillsStage> = ['PRE_COMMIT', 'PRE_PUSH', 'CI'];
+
+const toStageSnapshot = (
+  resolved: ResolvedStagePolicy
+): LifecyclePolicyValidationStageSnapshot => {
+  return {
+    source: resolved.trace.source,
+    bundle: resolved.trace.bundle,
+    hash: resolved.trace.hash,
+    version: resolved.trace.version ?? null,
+    signature: resolved.trace.signature ?? null,
+    policySource: resolved.trace.policySource ?? null,
+    validationStatus: resolved.trace.validation?.status ?? null,
+    validationCode: resolved.trace.validation?.code ?? null,
+    strict: resolved.trace.validation?.strict ?? false,
+  };
+};
+
+export const readLifecyclePolicyValidationSnapshot = (
+  repoRoot: string
+): LifecyclePolicyValidationSnapshot => {
+  const resolvedByStage = Object.fromEntries(
+    POLICY_STAGES.map((stage) => [stage, toStageSnapshot(resolvePolicyForStage(stage, repoRoot))])
+  ) as Record<SkillsStage, LifecyclePolicyValidationStageSnapshot>;
+
+  return {
+    stages: resolvedByStage,
+  };
+};

package/integrations/lifecycle/status.ts

@@ -1,6 +1,10 @@
 import { getPumukiHooksStatus } from './hookManager';
 import { LifecycleGitService, type ILifecycleGitService } from './gitService';
 import { getCurrentPumukiVersion } from './packageInfo';
+import {
+  readLifecyclePolicyValidationSnapshot,
+  type LifecyclePolicyValidationSnapshot,
+} from './policyValidationSnapshot';
 import { readLifecycleState, type LifecycleState } from './state';
 
 export type LifecycleStatus = {
@@ -9,6 +13,7 @@ export type LifecycleStatus = {
   lifecycleState: LifecycleState;
   hookStatus: ReturnType<typeof getPumukiHooksStatus>;
   trackedNodeModulesCount: number;
+  policyValidation: LifecyclePolicyValidationSnapshot;
 };
 
 export const readLifecycleStatus = (params?: {
@@ -26,5 +31,6 @@ export const readLifecycleStatus = (params?: {
     lifecycleState: readLifecycleState(git, repoRoot),
     hookStatus: getPumukiHooksStatus(repoRoot),
     trackedNodeModulesCount,
+    policyValidation: readLifecyclePolicyValidationSnapshot(repoRoot),
   };
 };

package/integrations/sdd/index.ts

@@ -9,4 +9,4 @@ export type {
 } from './types';
 export { evaluateSddPolicy, readSddStatus } from './policy';
 export { closeSddSession, openSddSession, readSddSession, refreshSddSession } from './sessionStore';
-export { runSddLearn, runSddSyncDocs } from './syncDocs';
+export { runSddAutoSync, runSddLearn, runSddSyncDocs } from './syncDocs';

package/integrations/sdd/syncDocs.ts

@@ -85,6 +85,22 @@ export type SddLearnResult = {
   learning: NonNullable<SddSyncDocsResult['learning']>;
 };
 
+export type SddAutoSyncResult = {
+  command: 'pumuki sdd auto-sync';
+  dryRun: boolean;
+  repoRoot: string;
+  context: {
+    change: string;
+    stage: SddStage | null;
+    task: string | null;
+  };
+  syncDocs: {
+    updated: boolean;
+    files: ReadonlyArray<SddSyncDocsFileResult>;
+  };
+  learning: NonNullable<SddSyncDocsResult['learning']>;
+};
+
 const normalizeSectionBody = (value: string): string => value.trim().replace(/\r\n/g, '\n');
 
 const computeDigest = (value: string): string =>
@@ -433,3 +449,50 @@ export const runSddLearn = (params?: {
     learning: result.learning,
   };
 };
+
+export const runSddAutoSync = (params?: {
+  repoRoot?: string;
+  dryRun?: boolean;
+  change?: string;
+  stage?: SddStage;
+  task?: string;
+  now?: () => Date;
+  evidenceReader?: (repoRoot: string) => EvidenceReadResult;
+  targets?: ReadonlyArray<SddSyncDocsTarget>;
+}): SddAutoSyncResult => {
+  const change = params?.change?.trim();
+  if (!change) {
+    throw new Error('[pumuki][sdd] auto-sync requires --change=<change-id>.');
+  }
+
+  const syncResult = runSddSyncDocs({
+    repoRoot: params?.repoRoot,
+    dryRun: params?.dryRun,
+    change,
+    stage: params?.stage,
+    task: params?.task,
+    now: params?.now,
+    evidenceReader: params?.evidenceReader,
+    targets: params?.targets,
+  });
+
+  if (!syncResult.learning) {
+    throw new Error('[pumuki][sdd] auto-sync could not generate learning artifact.');
+  }
+
+  return {
+    command: 'pumuki sdd auto-sync',
+    dryRun: syncResult.dryRun,
+    repoRoot: syncResult.repoRoot,
+    context: {
+      change,
+      stage: syncResult.context.stage,
+      task: syncResult.context.task,
+    },
+    syncDocs: {
+      updated: syncResult.updated,
+      files: syncResult.files,
+    },
+    learning: syncResult.learning,
+  };
+};

package/integrations/telemetry/gateTelemetry.ts

@@ -25,7 +25,7 @@ type PolicyTrace = ResolvedStagePolicy['trace'] & {
   signature?: string;
   policySource?: string;
   validation?: {
-    status: 'valid' | 'invalid' | 'expired' | 'unknown-source';
+    status: 'valid' | 'invalid' | 'expired' | 'unknown-source' | 'unsigned';
     code: string;
   };
   degraded?: {
@@ -189,7 +189,7 @@ export type GateTelemetryEventV1 = {
     version?: string;
     signature?: string;
     policy_source?: string;
-    validation_status?: 'valid' | 'invalid' | 'expired' | 'unknown-source';
+    validation_status?: 'valid' | 'invalid' | 'expired' | 'unknown-source' | 'unsigned';
     validation_code?: string;
     degraded_mode_enabled?: boolean;
     degraded_mode_action?: 'allow' | 'block';

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.35",
+  "version": "6.3.37",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {