pumuki 6.3.360 → 6.3.362

package/core/facts/detectors/text/android.test.ts

@@ -7,6 +7,8 @@ import {
   findKotlinOpenClosedWhenMatch,
   findKotlinPresentationSrpMatch,
   hasAndroidAsyncTaskUsage,
+  hasAndroidCustomSingletonObjectUsage,
+  hasAndroidHiltInjectionWithoutEntryPointUsage,
   hasAndroidLegacyFingerprintApiUsage,
   hasKotlinCoroutineTryCatchUsage,
   hasKotlinDispatcherMainBoundaryLeakUsage,
@@ -1278,3 +1280,55 @@ val sample = "FingerprintManagerCompat"
   assert.equal(hasAndroidLegacyFingerprintApiUsage(legacyCompat), true);
   assert.equal(hasAndroidLegacyFingerprintApiUsage(modern), false);
 });
+
+test('hasAndroidCustomSingletonObjectUsage detecta singletons Kotlin propios y preserva objetos seguros', () => {
+  const singletonSource = `
+object CheckoutRepository {
+  fun loadCheckout() = Unit
+}
+
+object SessionManager {
+  fun clear() = Unit
+}
+`;
+  const safeSource = `
+object CheckoutRoute {
+  const val PATH = "checkout"
+}
+
+@Module
+@InstallIn(SingletonComponent::class)
+object CheckoutModule {
+  @Provides
+  fun provideRepository(): CheckoutRepository = CheckoutRepository()
+}
+`;
+
+  assert.equal(hasAndroidCustomSingletonObjectUsage(singletonSource), true);
+  assert.equal(hasAndroidCustomSingletonObjectUsage(safeSource), false);
+});
+
+test('hasAndroidHiltInjectionWithoutEntryPointUsage detecta Activity o Fragment con inyección Hilt sin AndroidEntryPoint', () => {
+  const missingEntryPoint = `
+class CheckoutActivity : AppCompatActivity() {
+  @Inject lateinit var analytics: CheckoutAnalytics
+}
+
+class StoresFragment : Fragment() {
+  @Inject lateinit var repository: StoresRepository
+}
+`;
+  const validEntryPoint = `
+@AndroidEntryPoint
+class CheckoutActivity : AppCompatActivity() {
+  @Inject lateinit var analytics: CheckoutAnalytics
+}
+
+class CheckoutViewModel @Inject constructor(
+  private val repository: CheckoutRepository
+) : ViewModel()
+`;
+
+  assert.equal(hasAndroidHiltInjectionWithoutEntryPointUsage(missingEntryPoint), true);
+  assert.equal(hasAndroidHiltInjectionWithoutEntryPointUsage(validEntryPoint), false);
+});

package/core/facts/detectors/text/android.ts

@@ -130,6 +130,96 @@ const sortedUniqueLines = (lines: ReadonlyArray<number>): readonly number[] => {
     .sort((left, right) => left - right);
 };
 
+const androidCustomSingletonObjectNamePattern =
+  /(?:Repository|Service|Manager|Client|Store|DataSource|Gateway|Controller|Coordinator)$/;
+
+const androidSafeObjectNamePattern =
+  /(?:Route|Routes|Screen|Screens|Destination|Destinations|Module|Modules|Constants|Config|Keys|Theme|Colors|Typography)$/;
+
+const isAndroidHiltModuleObjectContext = (
+  lines: readonly string[],
+  index: number
+): boolean => {
+  const context = lines
+    .slice(Math.max(0, index - 4), index)
+    .map((line) => stripKotlinLineForSemanticScan(line))
+    .join('\n');
+  return /@(?:Module|InstallIn|Provides|Binds)\b/.test(context);
+};
+
+export const collectAndroidCustomSingletonObjectLines = (source: string): readonly number[] => {
+  const lines = source.split(/\r?\n/);
+  const matches: number[] = [];
+
+  lines.forEach((line, index) => {
+    const sanitized = stripKotlinLineForSemanticScan(line);
+    if (sanitized.trimStart().startsWith('import ')) {
+      return;
+    }
+    const objectMatch = sanitized.match(/^\s*object\s+([A-Za-z_][A-Za-z0-9_]*)\b/);
+    const objectName = objectMatch?.[1];
+    if (!objectName) {
+      return;
+    }
+    if (androidSafeObjectNamePattern.test(objectName) || isAndroidHiltModuleObjectContext(lines, index)) {
+      return;
+    }
+    if (androidCustomSingletonObjectNamePattern.test(objectName)) {
+      matches.push(index + 1);
+    }
+  });
+
+  return sortedUniqueLines(matches);
+};
+
+export const hasAndroidCustomSingletonObjectUsage = (source: string): boolean =>
+  collectAndroidCustomSingletonObjectLines(source).length > 0;
+
+export const collectAndroidHiltInjectionWithoutEntryPointLines = (
+  source: string
+): readonly number[] => {
+  const lines = source.split(/\r?\n/);
+  const matches: number[] = [];
+
+  for (let index = 0; index < lines.length; index += 1) {
+    const sanitized = stripKotlinLineForSemanticScan(lines[index] ?? '');
+    const classMatch = sanitized.match(
+      /^\s*(?:class|open\s+class)\s+([A-Za-z_][A-Za-z0-9_]*)\b[^{]*(?:Activity|Fragment)\s*\(/
+    );
+    if (!classMatch) {
+      continue;
+    }
+
+    const annotationContext = lines
+      .slice(Math.max(0, index - 4), index)
+      .map((line) => stripKotlinLineForSemanticScan(line))
+      .join('\n');
+    if (/@AndroidEntryPoint\b/.test(annotationContext)) {
+      continue;
+    }
+
+    const classStartLine = index + 1;
+    let braceDepth =
+      countTokenOccurrences(sanitized, '{') - countTokenOccurrences(sanitized, '}');
+    for (let cursor = index + 1; cursor < lines.length; cursor += 1) {
+      const candidate = stripKotlinLineForSemanticScan(lines[cursor] ?? '');
+      if (/@Inject\b\s+lateinit\s+var\b/.test(candidate)) {
+        matches.push(classStartLine, cursor + 1);
+      }
+      braceDepth += countTokenOccurrences(candidate, '{');
+      braceDepth -= countTokenOccurrences(candidate, '}');
+      if (braceDepth <= 0) {
+        break;
+      }
+    }
+  }
+
+  return sortedUniqueLines(matches);
+};
+
+export const hasAndroidHiltInjectionWithoutEntryPointUsage = (source: string): boolean =>
+  collectAndroidHiltInjectionWithoutEntryPointLines(source).length > 0;
+
 const countTokenOccurrences = (line: string, token: string): number => {
   return line.split(token).length - 1;
 };

package/core/facts/extractHeuristicFacts.ts

@@ -894,6 +894,8 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinRunBlockingUsage, ruleId: 'heuristics.android.run-blocking.ast', code: 'HEURISTICS_ANDROID_RUN_BLOCKING_AST', message: 'AST heuristic detected runBlocking usage in production Kotlin code.' },
   { platform: 'android', pathCheck: isAndroidSourcePath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasAndroidAsyncTaskUsage, ruleId: 'heuristics.android.concurrency.asynctask.ast', code: 'HEURISTICS_ANDROID_CONCURRENCY_ASYNCTASK_AST', message: 'AST heuristic detected deprecated AsyncTask usage in Android production code; use coroutines.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasAndroidLegacyFingerprintApiUsage, locateLines: TextAndroid.collectAndroidLegacyFingerprintApiLines, ruleId: 'heuristics.android.security.legacy-fingerprint-api.ast', code: 'HEURISTICS_ANDROID_SECURITY_LEGACY_FINGERPRINT_API_AST', message: 'AST heuristic detected legacy FingerprintManager API usage; use androidx.biometric.BiometricPrompt.' },
+  { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasAndroidCustomSingletonObjectUsage, locateLines: TextAndroid.collectAndroidCustomSingletonObjectLines, primaryNode: (lines) => ({ kind: 'class', name: 'Kotlin object singleton', lines }), relatedNodes: (lines) => [{ kind: 'member', name: 'replacement: Hilt/Dagger dependency injection boundary', lines }], why: 'Kotlin object singletons create global mutable architecture boundaries that bypass the Android DI graph.', impact: 'Global repositories, services or managers make feature slices harder to test, override and isolate in brownfield remediation.', expected_fix: 'Replace custom Kotlin object singletons with constructor-injected classes provided by Hilt/Dagger. Keep object declarations only for constants, routes, UI metadata or DI modules.', ruleId: 'heuristics.android.architecture.custom-singleton-object.ast', code: 'HEURISTICS_ANDROID_ARCHITECTURE_CUSTOM_SINGLETON_OBJECT_AST', message: 'AST heuristic detected a custom Kotlin object singleton in Android production code; use Hilt/Dagger dependency injection.' },
+  { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasAndroidHiltInjectionWithoutEntryPointUsage, locateLines: TextAndroid.collectAndroidHiltInjectionWithoutEntryPointLines, primaryNode: (lines) => ({ kind: 'class', name: 'Activity/Fragment using Hilt injection without @AndroidEntryPoint', lines }), relatedNodes: (lines) => [{ kind: 'member', name: 'replacement: annotate Activity/Fragment with @AndroidEntryPoint', lines }], why: 'Hilt field injection in Activity or Fragment requires the Android entry point annotation on the Android framework type.', impact: 'The app can compile but crash or fail injection at runtime because the generated Hilt component is not installed for that entry point.', expected_fix: 'Add @AndroidEntryPoint to the Activity or Fragment that declares @Inject fields, or remove field injection and use constructor/ViewModel boundaries where appropriate.', ruleId: 'heuristics.android.di.hilt-injection-without-entrypoint.ast', code: 'HEURISTICS_ANDROID_DI_HILT_INJECTION_WITHOUT_ENTRYPOINT_AST', message: 'AST heuristic detected Hilt field injection in Activity/Fragment without @AndroidEntryPoint.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinGodActivityUsage, ruleId: 'heuristics.android.architecture.god-activity.ast', code: 'HEURISTICS_ANDROID_ARCHITECTURE_GOD_ACTIVITY_AST', message: 'AST heuristic detected an Android Activity mixing UI entrypoint with product responsibilities; keep Activity thin and move features to composables/ViewModels/use cases.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinApplicationOnCreateHeavyInitializationUsage, ruleId: 'heuristics.android.startup.application-oncreate-heavy-init.ast', code: 'HEURISTICS_ANDROID_STARTUP_APPLICATION_ONCREATE_HEAVY_INIT_AST', message: 'AST heuristic detected heavy library initialization in Application.onCreate; move lazy startup work to AndroidX Startup Initializer or defer it behind the feature boundary.' },
   { platform: 'android', pathCheck: isAndroidKotlinPath, excludePaths: [isKotlinTestPath], detect: TextAndroid.hasKotlinNonLazyScrollableCollectionUsage, ruleId: 'heuristics.android.compose.non-lazy-scrollable-collection.ast', code: 'HEURISTICS_ANDROID_COMPOSE_NON_LAZY_SCROLLABLE_COLLECTION_AST', message: 'AST heuristic detected a scrollable Column/Row rendering a collection; use LazyColumn/LazyRow for virtualized lists.' },

package/core/rules/presets/heuristics/android.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { androidRules } from './android';
 
 test('androidRules define reglas heurísticas locked para plataforma android', () => {
-  assert.equal(androidRules.length, 40);
+  assert.equal(androidRules.length, 42);
 
   const ids = androidRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -14,6 +14,8 @@ test('androidRules define reglas heurísticas locked para plataforma android', (
     'heuristics.android.flow.viewmodel-flow-without-statein.ast',
     'heuristics.android.flow.sharedflow-used-as-state.ast',
     'heuristics.android.security.legacy-fingerprint-api.ast',
+    'heuristics.android.architecture.custom-singleton-object.ast',
+    'heuristics.android.di.hilt-injection-without-entrypoint.ast',
     'heuristics.android.concurrency.asynctask.ast',
     'heuristics.android.architecture.god-activity.ast',
     'heuristics.android.startup.application-oncreate-heavy-init.ast',
@@ -88,6 +90,14 @@ test('androidRules define reglas heurísticas locked para plataforma android', (
     byId.get('heuristics.android.security.legacy-fingerprint-api.ast')?.then.code,
     'HEURISTICS_ANDROID_SECURITY_LEGACY_FINGERPRINT_API_AST'
   );
+  assert.equal(
+    byId.get('heuristics.android.architecture.custom-singleton-object.ast')?.then.code,
+    'HEURISTICS_ANDROID_ARCHITECTURE_CUSTOM_SINGLETON_OBJECT_AST'
+  );
+  assert.equal(
+    byId.get('heuristics.android.di.hilt-injection-without-entrypoint.ast')?.then.code,
+    'HEURISTICS_ANDROID_DI_HILT_INJECTION_WITHOUT_ENTRYPOINT_AST'
+  );
   assert.equal(
     byId.get('heuristics.android.concurrency.asynctask.ast')?.then.code,
     'HEURISTICS_ANDROID_CONCURRENCY_ASYNCTASK_AST'

package/core/rules/presets/heuristics/android.ts

@@ -135,6 +135,46 @@ export const androidRules: RuleSet = [
       code: 'HEURISTICS_ANDROID_SECURITY_LEGACY_FINGERPRINT_API_AST',
     },
   },
+  {
+    id: 'heuristics.android.architecture.custom-singleton-object.ast',
+    description:
+      'Detects custom Kotlin object singletons in Android production code where Hilt/Dagger dependency injection is expected.',
+    severity: 'WARN',
+    platform: 'android',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.android.architecture.custom-singleton-object.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected a custom Kotlin object singleton in Android production code; use Hilt/Dagger dependency injection.',
+      code: 'HEURISTICS_ANDROID_ARCHITECTURE_CUSTOM_SINGLETON_OBJECT_AST',
+    },
+  },
+  {
+    id: 'heuristics.android.di.hilt-injection-without-entrypoint.ast',
+    description:
+      'Detects Activity or Fragment Hilt field injection without @AndroidEntryPoint.',
+    severity: 'WARN',
+    platform: 'android',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.android.di.hilt-injection-without-entrypoint.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message:
+        'AST heuristic detected Hilt field injection in Activity/Fragment without @AndroidEntryPoint.',
+      code: 'HEURISTICS_ANDROID_DI_HILT_INJECTION_WITHOUT_ENTRYPOINT_AST',
+    },
+  },
   {
     id: 'heuristics.android.concurrency.asynctask.ast',
     description:

package/integrations/config/skillsDetectorRegistry.ts

@@ -1435,6 +1435,18 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'android.security.biometric-prompt',
     ['heuristics.android.security.legacy-fingerprint-api.ast']
   ),
+  'skills.android.guideline.android.no-singleton-usar-inyeccio-n-de-dependencias-hilt-dagger':
+    heuristicDetector('android.architecture.custom-singleton-object', [
+      'heuristics.android.architecture.custom-singleton-object.ast',
+    ]),
+  'skills.android.guideline.android.singletons-everywhere-usar-hilt-di': heuristicDetector(
+    'android.architecture.custom-singleton-object',
+    ['heuristics.android.architecture.custom-singleton-object.ast']
+  ),
+  'skills.android.guideline.android.androidentrypoint-activity-fragment-viewmodel':
+    heuristicDetector('android.di.hilt-injection-without-entrypoint', [
+      'heuristics.android.di.hilt-injection-without-entrypoint.ast',
+    ]),
   'skills.android.guideline.android.statein-convertir-cold-flow-a-hot-stateflow': heuristicDetector(
     'android.flow.viewmodel-flow-without-statein',
     ['heuristics.android.flow.viewmodel-flow-without-statein.ast']

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.360",
+  "version": "6.3.362",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/skills.lock.json

@@ -1,7 +1,7 @@
 {
   "version": "1.0",
   "compilerVersion": "1.0.0",
-  "generatedAt": "2026-05-24T21:08:57.332Z",
+  "generatedAt": "2026-05-24T21:20:37.941Z",
   "bundles": [
     {
       "name": "android-guidelines",