npm - pumuki - Versions diffs - 6.3.358 → 6.3.360 - Mend

pumuki 6.3.358 → 6.3.360

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (11) hide show

package/core/facts/detectors/text/android.test.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import {
   findKotlinOpenClosedWhenMatch,
   findKotlinPresentationSrpMatch,
   hasAndroidAsyncTaskUsage,
+  hasAndroidLegacyFingerprintApiUsage,
   hasKotlinCoroutineTryCatchUsage,
   hasKotlinDispatcherMainBoundaryLeakUsage,
   hasKotlinGlobalScopeUsage,
@@ -1243,3 +1244,37 @@ class PumukiLspAndroidCanaryPremiumDiscountPolicy : PumukiLspAndroidCanaryDiscou
   assert.match(match.impact, /sustituci|regresion|crash/i);
   assert.match(match.expected_fix, /contrato base|estrategia|subtipo/i);
 });
+test('hasAndroidLegacyFingerprintApiUsage detecta APIs biométricas legacy y preserva BiometricPrompt', () => {
+  const legacyManager = `
+import android.hardware.fingerprint.FingerprintManager
+class LegacyBiometricAuth(private val fingerprintManager: FingerprintManager) {
+  fun authenticate(callback: FingerprintManager.AuthenticationCallback) {
+    fingerprintManager.authenticate(null, null, 0, callback, null)
+  }
+}
+`;
+  const legacyCompat = `
+class LegacyCompatAuth(private val fingerprintManager: FingerprintManagerCompat) {
+  fun authenticate(callback: FingerprintManagerCompat.AuthenticationCallback) {
+    fingerprintManager.authenticate(null, 0, null, callback, null)
+  }
+}
+`;
+  const modern = `
+import androidx.biometric.BiometricPrompt
+class ModernBiometricAuth(private val biometricPrompt: BiometricPrompt) {
+  fun authenticate(promptInfo: BiometricPrompt.PromptInfo) {
+    biometricPrompt.authenticate(promptInfo)
+  }
+}
+// FingerprintManager should not match inside comments
+val sample = "FingerprintManagerCompat"
+`;
+  assert.equal(hasAndroidLegacyFingerprintApiUsage(legacyManager), true);
+  assert.equal(hasAndroidLegacyFingerprintApiUsage(legacyCompat), true);
+  assert.equal(hasAndroidLegacyFingerprintApiUsage(modern), false);
+});

package/core/facts/detectors/text/android.ts CHANGED Viewed

@@ -1407,3 +1407,25 @@ export const findKotlinLiskovSubstitutionMatch = (
   return undefined;
 };
+const legacyFingerprintApiPattern =
+  /\b(?:android\.hardware\.fingerprint\.)?FingerprintManager(?:Compat)?\b/;
+export const hasAndroidLegacyFingerprintApiUsage = (source: string): boolean =>
+  scanCodeLikeSource(source, ({ source: scannedSource, index }) => {
+    const match = scannedSource.slice(index).match(legacyFingerprintApiPattern);
+    return match?.index === 0;
+  });
+export const collectAndroidLegacyFingerprintApiLines = (
+  source: string
+): readonly number[] => {
+  const lines: number[] = [];
+  source.split(/\r?\n/).forEach((line, index) => {
+    const sanitized = stripKotlinLineForSemanticScan(line);
+    if (legacyFingerprintApiPattern.test(sanitized)) {
+      lines.push(index + 1);
+    }
+  });
+  return sortedUniqueLines(lines);
+};

package/core/facts/extractHeuristicFacts.ts CHANGED Viewed

@@ -893,6 +893,7 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinGlobalScopeUsage, ruleId: 'heuristics.android.globalscope.ast', code: 'HEURISTICS_ANDROID_GLOBAL_SCOPE_AST', message: 'AST heuristic detected GlobalScope coroutine usage in production Kotlin code.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinRunBlockingUsage, ruleId: 'heuristics.android.run-blocking.ast', code: 'HEURISTICS_ANDROID_RUN_BLOCKING_AST', message: 'AST heuristic detected runBlocking usage in production Kotlin code.' },
   { platform: 'android', pathCheck: isAndroidSourcePath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasAndroidAsyncTaskUsage, ruleId: 'heuristics.android.concurrency.asynctask.ast', code: 'HEURISTICS_ANDROID_CONCURRENCY_ASYNCTASK_AST', message: 'AST heuristic detected deprecated AsyncTask usage in Android production code; use coroutines.' },
+  { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasAndroidLegacyFingerprintApiUsage, locateLines: TextAndroid.collectAndroidLegacyFingerprintApiLines, ruleId: 'heuristics.android.security.legacy-fingerprint-api.ast', code: 'HEURISTICS_ANDROID_SECURITY_LEGACY_FINGERPRINT_API_AST', message: 'AST heuristic detected legacy FingerprintManager API usage; use androidx.biometric.BiometricPrompt.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinGodActivityUsage, ruleId: 'heuristics.android.architecture.god-activity.ast', code: 'HEURISTICS_ANDROID_ARCHITECTURE_GOD_ACTIVITY_AST', message: 'AST heuristic detected an Android Activity mixing UI entrypoint with product responsibilities; keep Activity thin and move features to composables/ViewModels/use cases.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinApplicationOnCreateHeavyInitializationUsage, ruleId: 'heuristics.android.startup.application-oncreate-heavy-init.ast', code: 'HEURISTICS_ANDROID_STARTUP_APPLICATION_ONCREATE_HEAVY_INIT_AST', message: 'AST heuristic detected heavy library initialization in Application.onCreate; move lazy startup work to AndroidX Startup Initializer or defer it behind the feature boundary.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinNonLazyScrollableCollectionUsage, ruleId: 'heuristics.android.compose.non-lazy-scrollable-collection.ast', code: 'HEURISTICS_ANDROID_COMPOSE_NON_LAZY_SCROLLABLE_COLLECTION_AST', message: 'AST heuristic detected a scrollable Column/Row rendering a collection; use LazyColumn/LazyRow for virtualized lists.' },

package/core/rules/presets/heuristics/android.test.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { androidRules } from './android';
 test('androidRules define reglas heurísticas locked para plataforma android', () => {
-  assert.equal(androidRules.length, 39);
+  assert.equal(androidRules.length, 40);
   const ids = androidRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -13,6 +13,7 @@ test('androidRules define reglas heurísticas locked para plataforma android', (
     'heuristics.android.flow.livedata-state-exposure.ast',
     'heuristics.android.flow.viewmodel-flow-without-statein.ast',
     'heuristics.android.flow.sharedflow-used-as-state.ast',
+    'heuristics.android.security.legacy-fingerprint-api.ast',
     'heuristics.android.concurrency.asynctask.ast',
     'heuristics.android.architecture.god-activity.ast',
     'heuristics.android.startup.application-oncreate-heavy-init.ast',
@@ -83,6 +84,10 @@ test('androidRules define reglas heurísticas locked para plataforma android', (
     byId.get('heuristics.android.flow.sharedflow-used-as-state.ast')?.then.code,
     'HEURISTICS_ANDROID_FLOW_SHAREDFLOW_USED_AS_STATE_AST'
   );
+  assert.equal(
+    byId.get('heuristics.android.security.legacy-fingerprint-api.ast')?.then.code,
+    'HEURISTICS_ANDROID_SECURITY_LEGACY_FINGERPRINT_API_AST'
+  );
   assert.equal(
     byId.get('heuristics.android.concurrency.asynctask.ast')?.then.code,
     'HEURISTICS_ANDROID_CONCURRENCY_ASYNCTASK_AST'

package/core/rules/presets/heuristics/android.ts CHANGED Viewed

@@ -115,6 +115,26 @@ export const androidRules: RuleSet = [
       code: 'HEURISTICS_ANDROID_FLOW_SHAREDFLOW_USED_AS_STATE_AST',
     },
   },
+  {
+    id: 'heuristics.android.security.legacy-fingerprint-api.ast',
+    description:
+      'Detects legacy FingerprintManager API usage where androidx.biometric.BiometricPrompt is the supported baseline.',
+    severity: 'WARN',
+    platform: 'android',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.android.security.legacy-fingerprint-api.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected legacy FingerprintManager API usage; use androidx.biometric.BiometricPrompt.',
+      code: 'HEURISTICS_ANDROID_SECURITY_LEGACY_FINGERPRINT_API_AST',
+    },
+  },
   {
     id: 'heuristics.android.concurrency.asynctask.ast',
     description:

package/integrations/config/skillsDetectorRegistry.ts CHANGED Viewed

@@ -1431,6 +1431,10 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'android.flow.state-exposure',
     ['heuristics.android.flow.livedata-state-exposure.ast']
   ),
+  'skills.android.guideline.android.biometric-auth-biometricprompt-api': heuristicDetector(
+    'android.security.biometric-prompt',
+    ['heuristics.android.security.legacy-fingerprint-api.ast']
+  ),
   'skills.android.guideline.android.statein-convertir-cold-flow-a-hot-stateflow': heuristicDetector(
     'android.flow.viewmodel-flow-without-statein',
     ['heuristics.android.flow.viewmodel-flow-without-statein.ast']

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.358",
+  "version": "6.3.360",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/scripts/framework-menu-system-notifications-cause.ts CHANGED Viewed

@@ -7,6 +7,7 @@ import {
   buildNotificationTrackingCauseSummary,
   extractNotificationTrackingContext,
 } from './framework-menu-system-notifications-tracking';
+import { buildLegacySkillCauseSummary } from './framework-menu-system-notifications-legacy-skill-cause';
 const BLOCKED_CAUSE_SUMMARY_BY_CODE: Readonly<Record<string, string>> = {
   EVIDENCE_GATE_BLOCKED: 'El gate de evidencia/gobernanza está bloqueado.',
@@ -170,6 +171,10 @@ export const resolveBlockedCauseSummary = (
   if (blockedCausesSummary) {
     return truncateNotificationText(blockedCausesSummary, 72);
   }
+  const legacySkillCauseSummary = buildLegacySkillCauseSummary(event.causeMessage);
+  if (legacySkillCauseSummary) {
+    return legacySkillCauseSummary;
+  }
   const trackingContext = extractNotificationTrackingContext(event.causeMessage);
   const priorityCode = resolvePriorityCauseFromMessage(event.causeMessage);
   if (priorityCode) {

package/scripts/framework-menu-system-notifications-legacy-skill-cause.ts ADDED Viewed

@@ -0,0 +1,107 @@
+import path from 'node:path';
+import { normalizeNotificationText } from './framework-menu-system-notifications-text';
+type LegacySkillCause = {
+  readonly ruleId: string;
+  readonly file?: string;
+  readonly line?: string;
+  readonly message?: string;
+  readonly remediation?: string;
+};
+const FIELD_NAMES = ['severity', 'file', 'line', 'lines', 'message', 'remediation'] as const;
+const RULE_LABELS: Readonly<Record<string, string>> = {
+  'skills.ios.prefer-swift-testing': 'Swift Testing',
+  'skills.ios.no-wait-for-expectations': 'Swift Testing async',
+  'skills.ios.no-xctassert': 'Swift Testing',
+  'skills.ios.no-xctunwrap': 'Swift Testing',
+  'skills.backend.no-empty-catch': 'Backend: no empty catch',
+};
+const extractLegacySkillSegment = (message?: string): string | null => {
+  if (!message) {
+    return null;
+  }
+  const markerIndex = message.indexOf('Blocking causes:');
+  if (markerIndex < 0) {
+    return null;
+  }
+  const afterMarker = message.slice(markerIndex);
+  const firstCause = afterMarker.replace(/^Blocking causes:\s*1\)\s*/i, '');
+  const nextCauseIndex = firstCause.search(/\s+\d+\)\s+skills\./);
+  return nextCauseIndex >= 0 ? firstCause.slice(0, nextCauseIndex) : firstCause;
+};
+const extractField = (segment: string, fieldName: string): string | undefined => {
+  const nextFields = FIELD_NAMES.filter((name) => name !== fieldName).join('|');
+  const pattern = new RegExp(`(?:^|\\s)${fieldName}=([\\s\\S]*?)(?=\\s(?:${nextFields})=|$)`);
+  const match = segment.match(pattern);
+  const value = match?.[1]?.trim();
+  return value && value.length > 0 ? value : undefined;
+};
+const humanizeRuleId = (ruleId: string): string =>
+  RULE_LABELS[ruleId] ??
+  ruleId
+    .replace(/^skills\./, '')
+    .split(/[._-]+/)
+    .filter(Boolean)
+    .map((part) => part.charAt(0).toUpperCase() + part.slice(1))
+    .join(' ');
+const formatLocation = (cause: LegacySkillCause): string | null => {
+  if (!cause.file) {
+    return null;
+  }
+  const basename = path.basename(cause.file);
+  return cause.line ? `${basename}:${cause.line}` : basename;
+};
+export const extractLegacySkillCauseFromMessage = (
+  message?: string
+): LegacySkillCause | null => {
+  const segment = extractLegacySkillSegment(message);
+  if (!segment) {
+    return null;
+  }
+  const ruleId = segment.match(/\bskills\.[a-z0-9_.-]+\b/i)?.[0];
+  if (!ruleId) {
+    return null;
+  }
+  return {
+    ruleId,
+    file: extractField(segment, 'file'),
+    line: extractField(segment, 'lines') ?? extractField(segment, 'line'),
+    message: extractField(segment, 'message'),
+    remediation: extractField(segment, 'remediation'),
+  };
+};
+export const buildLegacySkillCauseSummary = (message?: string): string | null => {
+  const cause = extractLegacySkillCauseFromMessage(message);
+  if (!cause) {
+    return null;
+  }
+  const rule = humanizeRuleId(cause.ruleId);
+  const location = formatLocation(cause);
+  return location ? `Skill violada: ${location} · ${rule}` : `Skill violada: ${rule}`;
+};
+export const buildLegacySkillCauseRemediation = (message?: string): string | null => {
+  const cause = extractLegacySkillCauseFromMessage(message);
+  if (!cause) {
+    return null;
+  }
+  const rule = humanizeRuleId(cause.ruleId);
+  const location = formatLocation(cause);
+  const failure = cause.message
+    ? ` Falla: ${normalizeNotificationText(cause.message)}.`
+    : '';
+  const remediation = cause.remediation
+    ? normalizeNotificationText(cause.remediation)
+    : 'Corrige esa regla en el fichero afectado y vuelve a intentar el commit.';
+  const file = location ? ` Fichero: ${location}.` : '';
+  return `Regla: ${rule}.${file}${failure} Solución: ${remediation}`;
+};

package/scripts/framework-menu-system-notifications-remediation.ts CHANGED Viewed

@@ -8,6 +8,7 @@ import {
   extractNotificationTrackingContext,
   TRACKING_BLOCKED_REMEDIATION,
 } from './framework-menu-system-notifications-tracking';
+import { buildLegacySkillCauseRemediation } from './framework-menu-system-notifications-legacy-skill-cause';
 type BlockedRemediationVariant = 'banner' | 'dialog';
@@ -224,6 +225,10 @@ export const resolveBlockedRemediation = (
   if (trackingContext) {
     return truncateNotificationText(buildNotificationTrackingRemediation(trackingContext), maxLength);
   }
+  const legacySkillCauseRemediation = buildLegacySkillCauseRemediation(event.causeMessage);
+  if (legacySkillCauseRemediation) {
+    return truncateNotificationText(legacySkillCauseRemediation, maxLength);
+  }
   if (fromEvent.length > 0) {
     if (
       causeCode === 'EVIDENCE_GATE_BLOCKED' &&

package/skills.lock.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": "1.0",
   "compilerVersion": "1.0.0",
-  "generatedAt": "2026-05-19T21:32:21.704Z",
+  "generatedAt": "2026-05-24T21:08:57.332Z",
   "bundles": [
     {
       "name": "android-guidelines",