pumuki 6.3.362 → 6.3.364

package/core/facts/detectors/text/ios.test.ts

@@ -180,9 +180,11 @@ import {
   hasSwiftSensitiveLoggingUsage,
   hasSwiftSelfPrintChangesUsage,
   collectSwiftInsecureTransportLines,
+  collectSwiftUrlSessionTrustBypassLines,
   collectSwiftSensitiveUserDefaultsStorageLines,
   hasSwiftSensitiveUserDefaultsStorageUsage,
   hasSwiftInsecureTransportUsage,
+  hasSwiftUrlSessionTrustBypassUsage,
   hasSwiftJSONSerializationUsage,
   collectSwiftJSONSerializationLines,
   hasSwiftExplicitColorStaticMemberUsage,
@@ -229,6 +231,41 @@ let value = loadUser()!
   assert.deepEqual(collectSwiftForceUnwrapLines(source), [2, 3]);
 });
 
+test('hasSwiftUrlSessionTrustBypassUsage detecta delegate que acepta cualquier certificado', () => {
+  const source = `
+final class InsecureDelegate: NSObject, URLSessionDelegate {
+  func urlSession(
+    _ session: URLSession,
+    didReceive challenge: URLAuthenticationChallenge,
+    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+  ) {
+    completionHandler(.useCredential, URLCredential(trust: challenge.protectionSpace.serverTrust!))
+  }
+}
+`;
+
+  assert.equal(hasSwiftUrlSessionTrustBypassUsage(source), true);
+  assert.deepEqual(collectSwiftUrlSessionTrustBypassLines(source), [8]);
+});
+
+test('hasSwiftUrlSessionTrustBypassUsage preserva cancelacion o manejo por defecto del challenge TLS', () => {
+  const source = `
+final class SecureDelegate: NSObject, URLSessionDelegate {
+  func urlSession(
+    _ session: URLSession,
+    didReceive challenge: URLAuthenticationChallenge,
+    completionHandler: @escaping (URLSession.AuthChallengeDisposition, URLCredential?) -> Void
+  ) {
+    completionHandler(.performDefaultHandling, nil)
+    completionHandler(.cancelAuthenticationChallenge, nil)
+  }
+}
+`;
+
+  assert.equal(hasSwiftUrlSessionTrustBypassUsage(source), false);
+  assert.deepEqual(collectSwiftUrlSessionTrustBypassLines(source), []);
+});
+
 test('hasSwiftForceUnwrap excluye type annotations, force cast y operadores', () => {
   const source = `
 let name: String!

package/core/facts/detectors/text/ios.ts

@@ -1940,6 +1940,27 @@ export const collectSwiftInsecureTransportLines = (source: string): readonly num
   return sortedUniqueLines(result);
 };
 
+export const collectSwiftUrlSessionTrustBypassLines = (source: string): readonly number[] => {
+  const result: number[] = [];
+
+  source.split(/\r?\n/).forEach((line, index) => {
+    const sanitized = stripSwiftLineForSemanticScan(line);
+    if (
+      /completionHandler\s*\(\s*\.useCredential\s*,\s*URLCredential\s*\(\s*trust\s*:/.test(
+        sanitized
+      )
+    ) {
+      result.push(index + 1);
+    }
+  });
+
+  return sortedUniqueLines(result);
+};
+
+export const hasSwiftUrlSessionTrustBypassUsage = (source: string): boolean => {
+  return collectSwiftUrlSessionTrustBypassLines(source).length > 0;
+};
+
 const swiftUiLiteralTextPatterns = [
   /\b(?:Text|Button|Label|TextField|SecureField)\s*\(\s*"((?:\\.|[^"\\])*)"/,
   /\.navigationTitle\s*\(\s*"((?:\\.|[^"\\])*)"/,

package/core/facts/extractHeuristicFacts.ts

@@ -812,6 +812,7 @@ const textDetectorRegistry: ReadonlyArray<TextDetectorRegistryEntry> = [
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftJSONSerializationUsage, locateLines: TextIOS.collectSwiftJSONSerializationLines, primaryNode: (lines) => ({ kind: 'call', name: 'JSONSerialization call', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: Codable decoder or encoder', lines }], why: 'JSONSerialization bypasses typed decoding and makes payload contracts harder to validate than Codable models.', impact: 'Runtime casts and dictionary traversal can hide API drift until production and make the gate report vague file-level serialization debt.', expected_fix: 'Replace JSONSerialization calls with Codable DTOs using JSONDecoder or JSONEncoder at the repository networking boundary.', ruleId: 'heuristics.ios.json.jsonserialization.ast', code: 'HEURISTICS_IOS_JSON_JSONSERIALIZATION_AST', message: 'AST heuristic detected JSONSerialization usage in iOS production code; Codable remains the preferred baseline for new code.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftSensitiveUserDefaultsStorageUsage, locateLines: TextIOS.collectSwiftSensitiveUserDefaultsStorageLines, primaryNode: (lines) => ({ kind: 'call', name: 'sensitive UserDefaults/AppStorage storage', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: native Keychain or secure secret store', lines }], why: 'Tokens, passwords, credentials and session identifiers must not be stored in UserDefaults or AppStorage because those stores are not the approved secret boundary.', impact: 'Secrets persisted in UserDefaults/AppStorage can leak through backups, diagnostics or simple local inspection, and the gate needs the exact storage node to avoid whole-file remediation.', expected_fix: 'Move tokens, passwords, credentials and session identifiers to native Keychain or the repository-approved secure storage adapter. Keep UserDefaults/AppStorage only for non-sensitive preferences.', ruleId: 'heuristics.ios.security.userdefaults-sensitive-data.ast', code: 'HEURISTICS_IOS_SECURITY_USERDEFAULTS_SENSITIVE_DATA_AST', message: 'AST heuristic detected sensitive data stored in UserDefaults/AppStorage; native Keychain remains the preferred baseline for secrets.' },
   { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftInsecureTransportUsage, locateLines: TextIOS.collectSwiftInsecureTransportLines, primaryNode: (lines) => ({ kind: 'call', name: 'insecure HTTP URL literal', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: HTTPS URLSession endpoint with ATS enabled', lines }], why: 'Production iOS networking must use HTTPS and keep App Transport Security enabled by default.', impact: 'HTTP endpoints can expose credentials, session data or payloads in transit and create release-blocking transport exceptions.', expected_fix: 'Replace http:// endpoints with https:// endpoints and keep ATS enabled. If a temporary exception is unavoidable, isolate it to a documented debug-only configuration, not production code.', ruleId: 'heuristics.ios.security.insecure-transport.ast', code: 'HEURISTICS_IOS_SECURITY_INSECURE_TRANSPORT_AST', message: 'AST heuristic detected insecure HTTP transport in iOS production code.' },
+  { platform: 'ios', pathCheck: isIOSSwiftPath, excludePaths: [isSwiftTestPath], detect: TextIOS.hasSwiftUrlSessionTrustBypassUsage, locateLines: TextIOS.collectSwiftUrlSessionTrustBypassLines, primaryNode: (lines) => ({ kind: 'call', name: 'URLSession trust challenge accepted without validation', lines }), relatedNodes: (lines) => [{ kind: 'call', name: 'replacement: validate server trust or use default URLSession trust handling', lines }], why: 'Production iOS networking must not accept arbitrary TLS server trust in URLSessionDelegate callbacks.', impact: 'Accepting URLCredential(trust:) directly for the server trust challenge disables effective certificate validation and can expose sessions to man-in-the-middle attacks.', expected_fix: 'Remove unconditional .useCredential handling. Use default trust handling, cancel invalid challenges, or implement explicit certificate/public-key pinning with a documented trust evaluator.', ruleId: 'heuristics.ios.security.urlsession-trust-bypass.ast', code: 'HEURISTICS_IOS_SECURITY_URLSESSION_TRUST_BYPASS_AST', message: 'AST heuristic detected URLSession trust challenge bypass in iOS production code.' },
   { platform: 'ios', pathCheck: isIOSInfoPlistPath, excludePaths: [], detect: TextIOS.hasSwiftInsecureTransportUsage, locateLines: TextIOS.collectSwiftInsecureTransportLines, primaryNode: (lines) => ({ kind: 'property', name: 'ATS NSAllowsArbitraryLoads enabled', lines }), relatedNodes: (lines) => [{ kind: 'property', name: 'replacement: ATS enabled with explicit HTTPS-only exceptions', lines }], why: 'NSAllowsArbitraryLoads disables the default iOS App Transport Security protection and should not be enabled for production builds.', impact: 'Permissive ATS configuration allows insecure transport globally, making networking violations harder to audit per endpoint.', expected_fix: 'Remove NSAllowsArbitraryLoads=true. Keep ATS enabled by default and add the narrowest documented domain exception only when the production requirement is approved.', ruleId: 'heuristics.ios.security.insecure-transport.ast', code: 'HEURISTICS_IOS_SECURITY_INSECURE_TRANSPORT_AST', message: 'AST heuristic detected permissive App Transport Security configuration.' },
   { platform: 'ios', pathCheck: isIOSLocalizableStringsPath, excludePaths: [], detect: detectsTrackedFilePresence, ruleId: 'heuristics.ios.localization.localizable-strings.ast', code: 'HEURISTICS_IOS_LOCALIZATION_LOCALIZABLE_STRINGS_AST', message: 'AST heuristic detected Localizable.strings usage; String Catalogs (.xcstrings) remain the preferred baseline for new localization work.' },
   { platform: 'ios', pathCheck: isIOSInterfaceBuilderPath, excludePaths: [], detect: detectsTrackedFilePresence, ruleId: 'heuristics.ios.interface-builder.storyboard-xib.ast', code: 'HEURISTICS_IOS_INTERFACE_BUILDER_STORYBOARD_XIB_AST', message: 'AST heuristic detected Storyboard/XIB usage; programmatic SwiftUI/UIKit UI remains the preferred baseline for versionable iOS code.' },

package/core/rules/presets/heuristics/ios.test.ts

@@ -3,7 +3,7 @@ import test from 'node:test';
 import { iosRules } from './ios';
 
 test('iosRules define reglas heurísticas locked para plataforma ios', () => {
-  assert.equal(iosRules.length, 136);
+  assert.equal(iosRules.length, 137);
 
   const ids = iosRules.map((rule) => rule.id);
   assert.deepEqual(ids, [
@@ -69,6 +69,7 @@ test('iosRules define reglas heurísticas locked para plataforma ios', () => {
     'heuristics.ios.uikit.cell-without-reuse.ast',
     'heuristics.ios.security.userdefaults-sensitive-data.ast',
     'heuristics.ios.security.insecure-transport.ast',
+    'heuristics.ios.security.urlsession-trust-bypass.ast',
     'heuristics.ios.localization.localizable-strings.ast',
     'heuristics.ios.interface-builder.storyboard-xib.ast',
     'heuristics.ios.localization.hardcoded-ui-string.ast',

package/core/rules/presets/heuristics/ios.ts

@@ -1145,6 +1145,24 @@ export const iosRules: RuleSet = [
       code: 'HEURISTICS_IOS_SECURITY_INSECURE_TRANSPORT_AST',
     },
   },
+  {
+    id: 'heuristics.ios.security.urlsession-trust-bypass.ast',
+    description: 'Detects URLSessionDelegate trust challenge handlers that accept server trust without validation.',
+    severity: 'WARN',
+    platform: 'ios',
+    locked: true,
+    when: {
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.security.urlsession-trust-bypass.ast',
+      },
+    },
+    then: {
+      kind: 'Finding',
+      message: 'AST heuristic detected URLSession trust challenge bypass in iOS production code.',
+      code: 'HEURISTICS_IOS_SECURITY_URLSESSION_TRUST_BYPASS_AST',
+    },
+  },
   {
     id: 'heuristics.ios.localization.localizable-strings.ast',
     description: 'Detects legacy Localizable.strings files where String Catalogs are the preferred iOS baseline.',

package/integrations/config/skillsDetectorRegistry.ts

@@ -236,6 +236,10 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'ios.logging.sensitive-data',
     ['heuristics.ios.logging.sensitive-data.ast']
   ),
+  'skills.ios.guideline.ios.request-response-interceptors-logging-auth-tokens': heuristicDetector(
+    'ios.logging.sensitive-data',
+    ['heuristics.ios.logging.sensitive-data.ast']
+  ),
   'skills.ios.guideline.ios.obfuscation-strings-sensibles-en-co-digo': heuristicDetector(
     'ios.security.hardcoded-sensitive-string',
     ['heuristics.ios.security.hardcoded-sensitive-string.ast']
@@ -304,6 +308,14 @@ const registryByRuleId: Record<string, SkillsDetectorBinding> = {
     'ios.security.insecure-transport',
     ['heuristics.ios.security.insecure-transport.ast']
   ),
+  'skills.ios.guideline.ios.ssl-pinning-para-apps-con-alta-seguridad': heuristicDetector(
+    'ios.security.urlsession-trust-bypass',
+    ['heuristics.ios.security.urlsession-trust-bypass.ast']
+  ),
+  'skills.ios.guideline.ios.ssl-pinning-prevenir-man-in-the-middle': heuristicDetector(
+    'ios.security.urlsession-trust-bypass',
+    ['heuristics.ios.security.urlsession-trust-bypass.ast']
+  ),
   'skills.ios.guideline.ios.localizable-strings-deprecado-usar-string-catalogs':
     heuristicDetector('ios.localization.localizable-strings', [
       'heuristics.ios.localization.localizable-strings.ast',

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.362",
+  "version": "6.3.364",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/skills.lock.json

@@ -1,7 +1,7 @@
 {
   "version": "1.0",
   "compilerVersion": "1.0.0",
-  "generatedAt": "2026-05-24T21:20:37.941Z",
+  "generatedAt": "2026-05-25T04:24:35.613Z",
   "bundles": [
     {
       "name": "android-guidelines",