npm - pumuki - Versions diffs - 6.3.359 → 6.3.361 - Mend

pumuki 6.3.359 → 6.3.361

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (8) hide show

package/core/facts/detectors/text/android.test.ts +63 -0
package/core/facts/detectors/text/android.ts +67 -0
package/core/facts/extractHeuristicFacts.ts +2 -0
package/core/rules/presets/heuristics/android.test.ts +11 -1
package/core/rules/presets/heuristics/android.ts +40 -0
package/integrations/config/skillsDetectorRegistry.ts +12 -0
package/package.json +1 -1
package/skills.lock.json +1 -1

package/core/facts/detectors/text/android.test.ts CHANGED Viewed

@@ -7,6 +7,8 @@ import {
   findKotlinOpenClosedWhenMatch,
   findKotlinPresentationSrpMatch,
   hasAndroidAsyncTaskUsage,
+  hasAndroidCustomSingletonObjectUsage,
+  hasAndroidLegacyFingerprintApiUsage,
   hasKotlinCoroutineTryCatchUsage,
   hasKotlinDispatcherMainBoundaryLeakUsage,
   hasKotlinGlobalScopeUsage,
@@ -1243,3 +1245,64 @@ class PumukiLspAndroidCanaryPremiumDiscountPolicy : PumukiLspAndroidCanaryDiscou
   assert.match(match.impact, /sustituci|regresion|crash/i);
   assert.match(match.expected_fix, /contrato base|estrategia|subtipo/i);
 });
+test('hasAndroidLegacyFingerprintApiUsage detecta APIs biométricas legacy y preserva BiometricPrompt', () => {
+  const legacyManager = `
+import android.hardware.fingerprint.FingerprintManager
+class LegacyBiometricAuth(private val fingerprintManager: FingerprintManager) {
+  fun authenticate(callback: FingerprintManager.AuthenticationCallback) {
+    fingerprintManager.authenticate(null, null, 0, callback, null)
+  }
+}
+`;
+  const legacyCompat = `
+class LegacyCompatAuth(private val fingerprintManager: FingerprintManagerCompat) {
+  fun authenticate(callback: FingerprintManagerCompat.AuthenticationCallback) {
+    fingerprintManager.authenticate(null, 0, null, callback, null)
+  }
+}
+`;
+  const modern = `
+import androidx.biometric.BiometricPrompt
+class ModernBiometricAuth(private val biometricPrompt: BiometricPrompt) {
+  fun authenticate(promptInfo: BiometricPrompt.PromptInfo) {
+    biometricPrompt.authenticate(promptInfo)
+  }
+}
+// FingerprintManager should not match inside comments
+val sample = "FingerprintManagerCompat"
+`;
+  assert.equal(hasAndroidLegacyFingerprintApiUsage(legacyManager), true);
+  assert.equal(hasAndroidLegacyFingerprintApiUsage(legacyCompat), true);
+  assert.equal(hasAndroidLegacyFingerprintApiUsage(modern), false);
+});
+test('hasAndroidCustomSingletonObjectUsage detecta singletons Kotlin propios y preserva objetos seguros', () => {
+  const singletonSource = `
+object CheckoutRepository {
+  fun loadCheckout() = Unit
+}
+object SessionManager {
+  fun clear() = Unit
+}
+`;
+  const safeSource = `
+object CheckoutRoute {
+  const val PATH = "checkout"
+}
+@Module
+@InstallIn(SingletonComponent::class)
+object CheckoutModule {
+  @Provides
+  fun provideRepository(): CheckoutRepository = CheckoutRepository()
+}
+`;
+  assert.equal(hasAndroidCustomSingletonObjectUsage(singletonSource), true);
+  assert.equal(hasAndroidCustomSingletonObjectUsage(safeSource), false);
+});

package/core/facts/detectors/text/android.ts CHANGED Viewed

@@ -130,6 +130,51 @@ const sortedUniqueLines = (lines: ReadonlyArray<number>): readonly number[] => {
     .sort((left, right) => left - right);
 };
+const androidCustomSingletonObjectNamePattern =
+  /(?:Repository|Service|Manager|Client|Store|DataSource|Gateway|Controller|Coordinator)$/;
+const androidSafeObjectNamePattern =
+  /(?:Route|Routes|Screen|Screens|Destination|Destinations|Module|Modules|Constants|Config|Keys|Theme|Colors|Typography)$/;
+const isAndroidHiltModuleObjectContext = (
+  lines: readonly string[],
+  index: number
+): boolean => {
+  const context = lines
+    .slice(Math.max(0, index - 4), index)
+    .map((line) => stripKotlinLineForSemanticScan(line))
+    .join('\n');
+  return /@(?:Module|InstallIn|Provides|Binds)\b/.test(context);
+};
+export const collectAndroidCustomSingletonObjectLines = (source: string): readonly number[] => {
+  const lines = source.split(/\r?\n/);
+  const matches: number[] = [];
+  lines.forEach((line, index) => {
+    const sanitized = stripKotlinLineForSemanticScan(line);
+    if (sanitized.trimStart().startsWith('import ')) {
+      return;
+    }
+    const objectMatch = sanitized.match(/^\s*object\s+([A-Za-z_][A-Za-z0-9_]*)\b/);
+    const objectName = objectMatch?.[1];
+    if (!objectName) {
+      return;
+    }
+    if (androidSafeObjectNamePattern.test(objectName) || isAndroidHiltModuleObjectContext(lines, index)) {
+      return;
+    }
+    if (androidCustomSingletonObjectNamePattern.test(objectName)) {
+      matches.push(index + 1);
+    }
+  });
+  return sortedUniqueLines(matches);
+};
+export const hasAndroidCustomSingletonObjectUsage = (source: string): boolean =>
+  collectAndroidCustomSingletonObjectLines(source).length > 0;
 const countTokenOccurrences = (line: string, token: string): number => {
   return line.split(token).length - 1;
 };
@@ -1407,3 +1452,25 @@ export const findKotlinLiskovSubstitutionMatch = (
   return undefined;
 };
+const legacyFingerprintApiPattern =
+  /\b(?:android\.hardware\.fingerprint\.)?FingerprintManager(?:Compat)?\b/;
+export const hasAndroidLegacyFingerprintApiUsage = (source: string): boolean =>
+  scanCodeLikeSource(source, ({ source: scannedSource, index }) => {
+    const match = scannedSource.slice(index).match(legacyFingerprintApiPattern);
+    return match?.index === 0;
+  });
+export const collectAndroidLegacyFingerprintApiLines = (
+  source: string
+): readonly number[] => {
+  const lines: number[] = [];
+  source.split(/\r?\n/).forEach((line, index) => {
+    const sanitized = stripKotlinLineForSemanticScan(line);
+    if (legacyFingerprintApiPattern.test(sanitized)) {
+      lines.push(index + 1);
+    }
+  });
+  return sortedUniqueLines(lines);
+};

package/core/facts/extractHeuristicFacts.ts CHANGED Viewed

@@ -893,6 +893,8 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinGlobalScopeUsage, ruleId: 'heuristics.android.globalscope.ast', code: 'HEURISTICS_ANDROID_GLOBAL_SCOPE_AST', message: 'AST heuristic detected GlobalScope coroutine usage in production Kotlin code.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinRunBlockingUsage, ruleId: 'heuristics.android.run-blocking.ast', code: 'HEURISTICS_ANDROID_RUN_BLOCKING_AST', message: 'AST heuristic detected runBlocking usage in production Kotlin code.' },
   { platform: 'android', pathCheck: isAndroidSourcePath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasAndroidAsyncTaskUsage, ruleId: 'heuristics.android.concurrency.asynctask.ast', code: 'HEURISTICS_ANDROID_CONCURRENCY_ASYNCTASK_AST', message: 'AST heuristic detected deprecated AsyncTask usage in Android production code; use coroutines.' },
+  { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasAndroidLegacyFingerprintApiUsage, locateLines: TextAndroid.collectAndroidLegacyFingerprintApiLines, ruleId: 'heuristics.android.security.legacy-fingerprint-api.ast', code: 'HEURISTICS_ANDROID_SECURITY_LEGACY_FINGERPRINT_API_AST', message: 'AST heuristic detected legacy FingerprintManager API usage; use androidx.biometric.BiometricPrompt.' },
+  { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasAndroidCustomSingletonObjectUsage, locateLines: TextAndroid.collectAndroidCustomSingletonObjectLines, primaryNode: (lines) => ({ kind: 'class', name: 'Kotlin object singleton', lines }), relatedNodes: (lines) => [{ kind: 'member', name: 'replacement: Hilt/Dagger dependency injection boundary', lines }], why: 'Kotlin object singletons create global mutable architecture boundaries that bypass the Android DI graph.', impact: 'Global repositories, services or managers make feature slices harder to test, override and isolate in brownfield remediation.', expected_fix: 'Replace custom Kotlin object singletons with constructor-injected classes provided by Hilt/Dagger. Keep object declarations only for constants, routes, UI metadata or DI modules.', ruleId: 'heuristics.android.architecture.custom-singleton-object.ast', code: 'HEURISTICS_ANDROID_ARCHITECTURE_CUSTOM_SINGLETON_OBJECT_AST', message: 'AST heuristic detected a custom Kotlin object singleton in Android production code; use Hilt/Dagger dependency injection.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinGodActivityUsage, ruleId: 'heuristics.android.architecture.god-activity.ast', code: 'HEURISTICS_ANDROID_ARCHITECTURE_GOD_ACTIVITY_AST', message: 'AST heuristic detected an Android Activity mixing UI entrypoint with product responsibilities; keep Activity thin and move features to composables/ViewModels/use cases.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinApplicationOnCreateHeavyInitializationUsage, ruleId: 'heuristics.android.startup.application-oncreate-heavy-init.ast', code: 'HEURISTICS_ANDROID_STARTUP_APPLICATION_ONCREATE_HEAVY_INIT_AST', message: 'AST heuristic detected heavy library initialization in Application.onCreate; move lazy startup work to AndroidX Startup Initializer or defer it behind the feature boundary.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinNonLazyScrollableCollectionUsage, ruleId: 'heuristics.android.compose.non-lazy-scrollable-collection.ast', code: 'HEURISTICS_ANDROID_COMPOSE_NON_LAZY_SCROLLABLE_COLLECTION_AST', message: 'AST heuristic detected a scrollable Column/Row rendering a collection; use LazyColumn/LazyRow for virtualized lists.' },

package/core/rules/presets/heuristics/android.test.ts CHANGED Viewed

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { androidRules } from './android';
 test('androidRules define reglas heurísticas locked para plataforma android', () => {
-  assert.equal(androidRules.length, 39);
+  assert.equal(androidRules.length, 41);
   const ids = androidRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -13,6 +13,8 @@ test('androidRules define reglas heurísticas locked para plataforma android', (
     'heuristics.android.flow.livedata-state-exposure.ast',
     'heuristics.android.flow.viewmodel-flow-without-statein.ast',
     'heuristics.android.flow.sharedflow-used-as-state.ast',
+    'heuristics.android.security.legacy-fingerprint-api.ast',
+    'heuristics.android.architecture.custom-singleton-object.ast',
     'heuristics.android.concurrency.asynctask.ast',
     'heuristics.android.architecture.god-activity.ast',
     'heuristics.android.startup.application-oncreate-heavy-init.ast',
@@ -83,6 +85,14 @@ test('androidRules define reglas heurísticas locked para plataforma android', (
     byId.get('heuristics.android.flow.sharedflow-used-as-state.ast')?.then.code,
     'HEURISTICS_ANDROID_FLOW_SHAREDFLOW_USED_AS_STATE_AST'
   );
+  assert.equal(
+    byId.get('heuristics.android.security.legacy-fingerprint-api.ast')?.then.code,
+    'HEURISTICS_ANDROID_SECURITY_LEGACY_FINGERPRINT_API_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.android.architecture.custom-singleton-object.ast')?.then.code,
+    'HEURISTICS_ANDROID_ARCHITECTURE_CUSTOM_SINGLETON_OBJECT_AST'
+  );
   assert.equal(
     byId.get('heuristics.android.concurrency.asynctask.ast')?.then.code,
     'HEURISTICS_ANDROID_CONCURRENCY_ASYNCTASK_AST'

package/core/rules/presets/heuristics/android.ts CHANGED Viewed

@@ -115,6 +115,46 @@ export const androidRules: RuleSet = [
       code: 'HEURISTICS_ANDROID_FLOW_SHAREDFLOW_USED_AS_STATE_AST',
     },
   },
+  {
+    id: 'heuristics.android.security.legacy-fingerprint-api.ast',
+    description:
+      'Detects legacy FingerprintManager API usage where androidx.biometric.BiometricPrompt is the supported baseline.',
+    severity: 'WARN',
+    platform: 'android',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.android.security.legacy-fingerprint-api.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected legacy FingerprintManager API usage; use androidx.biometric.BiometricPrompt.',
+      code: 'HEURISTICS_ANDROID_SECURITY_LEGACY_FINGERPRINT_API_AST',
+    },
+  },
+  {
+    id: 'heuristics.android.architecture.custom-singleton-object.ast',
+    description:
+      'Detects custom Kotlin object singletons in Android production code where Hilt/Dagger dependency injection is expected.',
+    severity: 'WARN',
+    platform: 'android',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.android.architecture.custom-singleton-object.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected a custom Kotlin object singleton in Android production code; use Hilt/Dagger dependency injection.',
+      code: 'HEURISTICS_ANDROID_ARCHITECTURE_CUSTOM_SINGLETON_OBJECT_AST',
+    },
+  },
   {
     id: 'heuristics.android.concurrency.asynctask.ast',
     description:

package/integrations/config/skillsDetectorRegistry.ts CHANGED Viewed

@@ -1431,6 +1431,18 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'android.flow.state-exposure',
     ['heuristics.android.flow.livedata-state-exposure.ast']
   ),
+  'skills.android.guideline.android.biometric-auth-biometricprompt-api': heuristicDetector(
+    'android.security.biometric-prompt',
+    ['heuristics.android.security.legacy-fingerprint-api.ast']
+  ),
+  'skills.android.guideline.android.no-singleton-usar-inyeccio-n-de-dependencias-hilt-dagger':
+    heuristicDetector('android.architecture.custom-singleton-object', [
+      'heuristics.android.architecture.custom-singleton-object.ast',
+    ]),
+  'skills.android.guideline.android.singletons-everywhere-usar-hilt-di': heuristicDetector(
+    'android.architecture.custom-singleton-object',
+    ['heuristics.android.architecture.custom-singleton-object.ast']
+  ),
   'skills.android.guideline.android.statein-convertir-cold-flow-a-hot-stateflow': heuristicDetector(
     'android.flow.viewmodel-flow-without-statein',
     ['heuristics.android.flow.viewmodel-flow-without-statein.ast']

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.359",
+  "version": "6.3.361",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/skills.lock.json CHANGED Viewed

@@ -1,7 +1,7 @@
 {
   "version": "1.0",
   "compilerVersion": "1.0.0",
-  "generatedAt": "2026-05-19T21:32:21.704Z",
+  "generatedAt": "2026-05-24T21:16:11.060Z",
   "bundles": [
     {
       "name": "android-guidelines",