pumuki 6.3.39 → 6.3.41

package/integrations/git/runPlatformGate.ts

@@ -13,7 +13,11 @@ import {
   resolveActiveGateWaiver,
   type GateWaiverResult,
 } from './gateWaiver';
-import { evaluatePlatformGateFindings } from './runPlatformGateEvaluation';
+import {
+  evaluateAstIntelligenceDualValidation,
+  evaluatePlatformGateFindings,
+  type AstIntelligenceDualValidationResult,
+} from './runPlatformGateEvaluation';
 import {
   countScannedFilesFromFacts,
   resolveFactsForGateScope,
@@ -46,6 +50,7 @@ export type GateDependencies = {
   emitPlatformGateEvidence: typeof emitPlatformGateEvidence;
   printGateFindings: typeof printGateFindings;
   enforceTddBddPolicy: typeof enforceTddBddPolicy;
+  evaluateAstIntelligenceDualValidation: typeof evaluateAstIntelligenceDualValidation;
   buildMemoryShadowRecommendation: (params: {
     findings: ReadonlyArray<Finding>;
     tddBddSnapshot?: TddBddSnapshot;
@@ -117,6 +122,7 @@ const defaultDependencies: GateDependencies = {
   emitPlatformGateEvidence,
   printGateFindings,
   enforceTddBddPolicy,
+  evaluateAstIntelligenceDualValidation,
   buildMemoryShadowRecommendation: buildDefaultMemoryShadowRecommendation,
   evaluateSddForStage: (stage, repoRoot) =>
     evaluateSddPolicy({
@@ -241,6 +247,41 @@ const isCriticalProfileSeverity = (severity: string): boolean => {
 
 const toNormalizedPath = (value: string): string => value.replace(/\\/g, '/').trim();
 
+const CODE_FILE_EXTENSIONS = new Set<string>([
+  '.js',
+  '.jsx',
+  '.ts',
+  '.tsx',
+  '.mjs',
+  '.cjs',
+  '.swift',
+  '.kt',
+  '.kts',
+]);
+
+const isObservedCodePath = (path: string): boolean => {
+  const normalized = toNormalizedPath(path).toLowerCase();
+  if (normalized.length === 0) {
+    return false;
+  }
+  if (
+    normalized.startsWith('apps/backend/')
+    || normalized.startsWith('apps/frontend/')
+    || normalized.startsWith('apps/web/')
+    || normalized.startsWith('apps/admin-dashboard/')
+    || normalized.startsWith('apps/ios/')
+    || normalized.startsWith('apps/android/')
+  ) {
+    return true;
+  }
+  for (const extension of CODE_FILE_EXTENSIONS) {
+    if (normalized.endsWith(extension)) {
+      return true;
+    }
+  }
+  return false;
+};
+
 const collectObservedPathsFromFacts = (
   facts: ReadonlyArray<Fact>
 ): ReadonlyArray<string> => {
@@ -263,6 +304,125 @@ const collectObservedPathsFromFacts = (
   return [...observedPaths].sort();
 };
 
+const collectObservedCodePathsFromFacts = (
+  facts: ReadonlyArray<Fact>
+): ReadonlyArray<string> => {
+  const codePaths = collectObservedPathsFromFacts(facts).filter((path) => isObservedCodePath(path));
+  return [...new Set(codePaths)].sort();
+};
+
+type IosTestFileContent = {
+  path: string;
+  content: string;
+};
+
+const isIosSwiftTestPath = (path: string): boolean => {
+  const normalized = toNormalizedPath(path).toLowerCase();
+  if (!normalized.endsWith('.swift')) {
+    return false;
+  }
+  return normalized.includes('/tests/') || normalized.includes('/uitests/');
+};
+
+const collectIosTestFileContents = (
+  facts: ReadonlyArray<Fact>
+): ReadonlyArray<IosTestFileContent> => {
+  const filesByPath = new Map<string, string>();
+  for (const fact of facts) {
+    if (fact.kind !== 'FileContent') {
+      continue;
+    }
+    if (!isIosSwiftTestPath(fact.path)) {
+      continue;
+    }
+    const normalizedPath = toNormalizedPath(fact.path);
+    filesByPath.set(normalizedPath, fact.content);
+  }
+  return [...filesByPath.entries()]
+    .sort(([leftPath], [rightPath]) => leftPath.localeCompare(rightPath))
+    .map(([path, content]) => ({ path, content }));
+};
+
+const isXCTestSource = (content: string): boolean => {
+  return /\bimport\s+XCTest\b/.test(content) || /\bXCTestCase\b/.test(content);
+};
+
+const hasMakeSUTPattern = (content: string): boolean => /\bmakeSUT\s*\(/.test(content);
+
+const hasTrackForMemoryLeaksPattern = (content: string): boolean =>
+  /\btrackForMemoryLeaks\s*\(/.test(content);
+
+const toIosTestsQualityBlockingFinding = (params: {
+  stage: 'PRE_COMMIT' | 'PRE_PUSH' | 'CI';
+  facts: ReadonlyArray<Fact>;
+}): Finding | undefined => {
+  const testFiles = collectIosTestFileContents(params.facts);
+  if (testFiles.length === 0) {
+    return undefined;
+  }
+
+  const invalidFiles: string[] = [];
+  for (const testFile of testFiles) {
+    if (!isXCTestSource(testFile.content)) {
+      continue;
+    }
+    const missingMarkers: string[] = [];
+    if (!hasMakeSUTPattern(testFile.content)) {
+      missingMarkers.push('makeSUT()');
+    }
+    if (!hasTrackForMemoryLeaksPattern(testFile.content)) {
+      missingMarkers.push('trackForMemoryLeaks()');
+    }
+    if (missingMarkers.length === 0) {
+      continue;
+    }
+    invalidFiles.push(`${testFile.path}{missing=[${missingMarkers.join(', ')}]}`);
+  }
+
+  if (invalidFiles.length === 0) {
+    return undefined;
+  }
+
+  const sampleFiles = invalidFiles.slice(0, 3).join(' | ');
+  return {
+    ruleId: 'governance.skills.ios-test-quality.incomplete',
+    severity: 'ERROR',
+    code: 'IOS_TEST_QUALITY_PATTERN_MISSING_HIGH',
+    message:
+      `iOS test quality enforcement incomplete at ${params.stage}: ${sampleFiles}. ` +
+      'Use makeSUT() factory pattern and trackForMemoryLeaks() in XCTest sources.',
+    filePath: '.ai_evidence.json',
+    matchedBy: 'IosTestsQualityGuard',
+    source: 'skills-ios-test-quality',
+  };
+};
+
+const toActiveRulesEmptyForCodeChangesBlockingFinding = (params: {
+  stage: 'PRE_COMMIT' | 'PRE_PUSH' | 'CI';
+  facts: ReadonlyArray<Fact>;
+  activeRuleIds: ReadonlyArray<string>;
+}): Finding | undefined => {
+  if (params.activeRuleIds.length > 0) {
+    return undefined;
+  }
+  const codePaths = collectObservedCodePathsFromFacts(params.facts);
+  if (codePaths.length === 0) {
+    return undefined;
+  }
+  const samplePaths = codePaths.slice(0, 5).join(', ');
+  return {
+    ruleId: 'governance.rules.active-rule-coverage.empty',
+    severity: 'ERROR',
+    code: 'ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES_HIGH',
+    message:
+      `Active rules coverage is empty at ${params.stage} while code changes were detected. ` +
+      `sample_paths=[${samplePaths}]. Ensure skill/project rules are active before allowing this stage.`,
+    filePath: '.ai_evidence.json',
+    matchedBy: 'ActiveRulesCoverageGuard',
+    source: 'rules-coverage',
+  };
+};
+
 const detectRequiredSkillsScopesFromPaths = (
   observedPaths: ReadonlyArray<string>
 ): Record<'ios' | 'android' | 'backend' | 'frontend', ReadonlyArray<string>> => {
@@ -575,6 +735,13 @@ const toCrossPlatformCriticalEnforcementBlockingFinding = (params: {
   };
 };
 
+const shouldBlockFromFinding = (finding: Finding | undefined): boolean => {
+  if (!finding) {
+    return false;
+  }
+  return finding.severity === 'ERROR' || finding.severity === 'CRITICAL';
+};
+
 export async function runPlatformGate(params: {
   policy: GatePolicy;
   auditMode?: 'gate' | 'engine';
@@ -653,6 +820,7 @@ export async function runPlatformGate(params: {
     projectRules,
     heuristicRules,
     coverage,
+    evaluationFacts = facts,
     findings,
   } = dependencies.evaluatePlatformGateFindings({
     facts,
@@ -728,6 +896,25 @@ export async function runPlatformGate(params: {
         evaluatedRuleIds: coverage?.evaluatedRuleIds ?? [],
       })
       : undefined;
+  const activeRulesEmptyForCodeChangesFinding =
+    params.policy.stage === 'PRE_COMMIT' ||
+    params.policy.stage === 'PRE_PUSH' ||
+    params.policy.stage === 'CI'
+      ? toActiveRulesEmptyForCodeChangesBlockingFinding({
+        stage: params.policy.stage,
+        facts,
+        activeRuleIds: coverage?.activeRuleIds ?? [],
+      })
+      : undefined;
+  const iosTestsQualityFinding =
+    params.policy.stage === 'PRE_COMMIT' ||
+    params.policy.stage === 'PRE_PUSH' ||
+    params.policy.stage === 'CI'
+      ? toIosTestsQualityBlockingFinding({
+          stage: params.policy.stage,
+          facts,
+        })
+      : undefined;
   const policyAsCodeBlockingFinding =
     params.policy.stage === 'PRE_COMMIT' ||
     params.policy.stage === 'PRE_PUSH' ||
@@ -746,6 +933,33 @@ export async function runPlatformGate(params: {
           policyTrace: params.policyTrace,
         })
       : undefined;
+  const astIntelligenceDualValidation:
+    | AstIntelligenceDualValidationResult
+    | undefined =
+    params.policy.stage === 'PRE_COMMIT'
+      || params.policy.stage === 'PRE_PUSH'
+      || params.policy.stage === 'CI'
+      ? dependencies.evaluateAstIntelligenceDualValidation({
+          stage: params.policy.stage,
+          skillsRules: skillsRuleSet.rules,
+          facts: evaluationFacts,
+          legacyFindings: findings,
+        })
+      : undefined;
+  const astIntelligenceDualFinding = astIntelligenceDualValidation?.finding;
+  if (astIntelligenceDualValidation && astIntelligenceDualValidation.mode !== 'off') {
+    const summary = astIntelligenceDualValidation.summary;
+    process.stdout.write(
+      `[pumuki][ast-intelligence] mode=${astIntelligenceDualValidation.mode}` +
+      ` mapped_rules=${summary.mapped_rules}` +
+      ` compared_rules=${summary.compared_rules}` +
+      ` divergences=${summary.divergences}` +
+      ` false_positives=${summary.false_positives}` +
+      ` false_negatives=${summary.false_negatives}` +
+      ` latency_ms=${summary.latency_ms}` +
+      ` languages=[${summary.languages.join(',') || 'none'}]\n`
+    );
+  }
   const degradedModeBlocks = params.policyTrace?.degraded?.action === 'block';
   const rulesCoverage = coverage
     ? {
@@ -797,6 +1011,9 @@ export async function runPlatformGate(params: {
       ...(platformSkillsCoverageFinding ? [platformSkillsCoverageFinding] : []),
       ...(crossPlatformCriticalFinding ? [crossPlatformCriticalFinding] : []),
       ...(skillsScopeComplianceFinding ? [skillsScopeComplianceFinding] : []),
+      ...(activeRulesEmptyForCodeChangesFinding ? [activeRulesEmptyForCodeChangesFinding] : []),
+      ...(iosTestsQualityFinding ? [iosTestsQualityFinding] : []),
+      ...(astIntelligenceDualFinding ? [astIntelligenceDualFinding] : []),
       ...(coverageBlockingFinding ? [coverageBlockingFinding] : []),
       ...tddBddEvaluation.findings,
       ...findings,
@@ -805,6 +1022,9 @@ export async function runPlatformGate(params: {
       || platformSkillsCoverageFinding
       || crossPlatformCriticalFinding
       || skillsScopeComplianceFinding
+      || activeRulesEmptyForCodeChangesFinding
+      || iosTestsQualityFinding
+      || astIntelligenceDualFinding
       || coverageBlockingFinding
       || policyAsCodeBlockingFinding
       || degradedModeFinding
@@ -816,11 +1036,15 @@ export async function runPlatformGate(params: {
         ...(platformSkillsCoverageFinding ? [platformSkillsCoverageFinding] : []),
         ...(crossPlatformCriticalFinding ? [crossPlatformCriticalFinding] : []),
         ...(skillsScopeComplianceFinding ? [skillsScopeComplianceFinding] : []),
+        ...(activeRulesEmptyForCodeChangesFinding ? [activeRulesEmptyForCodeChangesFinding] : []),
+        ...(iosTestsQualityFinding ? [iosTestsQualityFinding] : []),
+        ...(astIntelligenceDualFinding ? [astIntelligenceDualFinding] : []),
         ...(coverageBlockingFinding ? [coverageBlockingFinding] : []),
         ...tddBddEvaluation.findings,
         ...findings,
       ]
       : findings;
+  const hasAstIntelligenceBlockingFinding = shouldBlockFromFinding(astIntelligenceDualFinding);
   const decision = dependencies.evaluateGate([...effectiveFindings], params.policy);
   const baseGateOutcome =
     sddBlockingFinding ||
@@ -830,6 +1054,9 @@ export async function runPlatformGate(params: {
     platformSkillsCoverageFinding ||
     crossPlatformCriticalFinding ||
     skillsScopeComplianceFinding ||
+    activeRulesEmptyForCodeChangesFinding ||
+    iosTestsQualityFinding ||
+    hasAstIntelligenceBlockingFinding ||
     coverageBlockingFinding ||
     hasTddBddBlockingFinding
       ? 'BLOCK'

package/integrations/git/runPlatformGateEvaluation.ts

@@ -20,6 +20,10 @@ import {
 import { extractHeuristicFacts } from '../../core/facts/extractHeuristicFacts';
 import { buildCombinedBaselineRules } from './baselineRuleSets';
 import { attachFindingTraceability } from './findingTraceability';
+export {
+  evaluateAstIntelligenceDualValidation,
+  type AstIntelligenceDualValidationResult,
+} from './astIntelligenceDualValidation';
 
 type PlatformGateEvaluationResult = {
   detectedPlatforms: DetectedPlatforms;

package/integrations/git/stageRunners.ts

@@ -1,7 +1,10 @@
 import { resolvePolicyForStage } from '../gate/stagePolicies';
 import {
+  resolveAheadBehindFromRef,
+  resolveCurrentBranchRef,
   resolveCiBaseRef,
   resolvePrePushBootstrapBaseRef,
+  resolveUpstreamTrackingRef,
   resolveUpstreamRef,
 } from './resolveGitRefs';
 import { runPlatformGate } from './runPlatformGate';
@@ -21,6 +24,11 @@ import type { EvidenceReadResult } from '../evidence/readEvidence';
 
 const PRE_PUSH_UPSTREAM_REQUIRED_MESSAGE =
   'pumuki pre-push blocked: branch has no upstream tracking reference. Configure upstream first (for example: git push --set-upstream origin <branch>) and retry.';
+const PRE_PUSH_UPSTREAM_BOOTSTRAP_FALLBACK_MESSAGE =
+  '[pumuki][pre-push] branch has no upstream; using bootstrap range ';
+const PRE_PUSH_MANUAL_FALLBACK_MESSAGE =
+  '[pumuki][pre-push] branch has no upstream and stdin is empty; using working-tree fallback scope.';
+const PRE_PUSH_UPSTREAM_MISALIGNED_AHEAD_THRESHOLD = 5;
 
 const PRE_COMMIT_EVIDENCE_MAX_AGE_SECONDS = 900;
 const PRE_PUSH_EVIDENCE_MAX_AGE_SECONDS = 1800;
@@ -37,11 +45,16 @@ const BLOCKED_REMEDIATION_BY_CODE: Readonly<Record<string, string>> = {
   EVIDENCE_RULES_COVERAGE_INCOMPLETE: 'Asegura coverage_ratio=1 y unevaluated=0.',
   GITFLOW_PROTECTED_BRANCH: 'Trabaja en feature/* y evita ramas protegidas.',
   PRE_PUSH_UPSTREAM_MISSING: 'Ejecuta: git push --set-upstream origin <branch>',
+  PRE_PUSH_UPSTREAM_MISALIGNED:
+    'Alinea upstream con la rama actual: git branch --unset-upstream && git push --set-upstream origin <branch>',
 };
 
 type StageRunnerDependencies = {
   resolvePolicyForStage: typeof resolvePolicyForStage;
   resolveUpstreamRef: typeof resolveUpstreamRef;
+  resolveUpstreamTrackingRef: typeof resolveUpstreamTrackingRef;
+  resolveCurrentBranchRef: typeof resolveCurrentBranchRef;
+  resolveAheadBehindFromRef: typeof resolveAheadBehindFromRef;
   resolvePrePushBootstrapBaseRef: typeof resolvePrePushBootstrapBaseRef;
   resolveCiBaseRef: typeof resolveCiBaseRef;
   runPlatformGate: typeof runPlatformGate;
@@ -75,6 +88,9 @@ type StageRunnerDependencies = {
 const defaultDependencies: StageRunnerDependencies = {
   resolvePolicyForStage,
   resolveUpstreamRef,
+  resolveUpstreamTrackingRef,
+  resolveCurrentBranchRef,
+  resolveAheadBehindFromRef,
   resolvePrePushBootstrapBaseRef,
   resolveCiBaseRef,
   runPlatformGate,
@@ -233,6 +249,57 @@ const shouldAllowBootstrapPrePush = (rawInput: string): boolean => {
   return false;
 };
 
+const PRE_PUSH_TOPIC_BRANCH_PREFIXES = [
+  'feature/',
+  'bugfix/',
+  'refactor/',
+  'chore/',
+  'docs/',
+];
+
+const toShortRef = (value: string): string =>
+  value
+    .replace(/^refs\/heads\//, '')
+    .replace(/^refs\/remotes\/[^/]+\//, '')
+    .replace(/^[^/]+\//, '');
+
+const detectPrePushUpstreamMisalignment = (params: {
+  dependencies: StageRunnerDependencies;
+  upstreamRef: string;
+}): { message: string; remediation: string } | null => {
+  const currentBranch = params.dependencies.resolveCurrentBranchRef();
+  const upstreamTrackingRef = params.dependencies.resolveUpstreamTrackingRef();
+  if (!currentBranch || !upstreamTrackingRef) {
+    return null;
+  }
+
+  const isTopicBranch = PRE_PUSH_TOPIC_BRANCH_PREFIXES.some((prefix) =>
+    currentBranch.startsWith(prefix)
+  );
+  if (!isTopicBranch) {
+    return null;
+  }
+
+  const upstreamShort = toShortRef(upstreamTrackingRef);
+  if (upstreamShort !== 'main' && upstreamShort !== 'develop') {
+    return null;
+  }
+
+  const aheadBehind = params.dependencies.resolveAheadBehindFromRef(params.upstreamRef);
+  if (!aheadBehind || aheadBehind.ahead < PRE_PUSH_UPSTREAM_MISALIGNED_AHEAD_THRESHOLD) {
+    return null;
+  }
+
+  return {
+    message:
+      `pumuki pre-push blocked: upstream appears misaligned for ${currentBranch}. ` +
+      `tracking=${upstreamTrackingRef} ahead=${aheadBehind.ahead} behind=${aheadBehind.behind}.`,
+    remediation:
+      'Alinea upstream con la rama actual para evaluar solo el delta real: ' +
+      'git branch --unset-upstream && git push --set-upstream origin <branch>',
+  };
+};
+
 const enforceGitAtomicityGate = (params: {
   dependencies: StageRunnerDependencies;
   repoRoot: string;
@@ -315,8 +382,19 @@ export async function runPrePushStage(
   const upstreamRef = activeDependencies.resolveUpstreamRef();
   if (!upstreamRef) {
     const prePushInput = activeDependencies.readPrePushStdin();
-    if (shouldAllowBootstrapPrePush(prePushInput)) {
-      const bootstrapBaseRef = activeDependencies.resolvePrePushBootstrapBaseRef();
+    const bootstrapBaseRef = activeDependencies.resolvePrePushBootstrapBaseRef();
+    const bootstrapByPrePushStdIn = shouldAllowBootstrapPrePush(prePushInput);
+    const bootstrapByFallbackBase = !bootstrapByPrePushStdIn && bootstrapBaseRef !== 'HEAD';
+    const manualInvocationFallback =
+      !bootstrapByPrePushStdIn &&
+      !bootstrapByFallbackBase &&
+      prePushInput.trim().length === 0;
+    if (bootstrapByPrePushStdIn || bootstrapByFallbackBase) {
+      if (bootstrapByFallbackBase) {
+        process.stderr.write(
+          `${PRE_PUSH_UPSTREAM_BOOTSTRAP_FALLBACK_MESSAGE}${bootstrapBaseRef}..HEAD\n`
+        );
+      }
       if (
         enforceGitAtomicityGate({
           dependencies: activeDependencies,
@@ -347,6 +425,25 @@ export async function runPrePushStage(
       notifyAuditSummaryForStage(activeDependencies, 'PRE_PUSH');
       return exitCode;
     }
+    if (manualInvocationFallback) {
+      process.stderr.write(`${PRE_PUSH_MANUAL_FALLBACK_MESSAGE}\n`);
+      const resolved = activeDependencies.resolvePolicyForStage('PRE_PUSH');
+      const exitCode = await activeDependencies.runPlatformGate({
+        policy: resolved.policy,
+        policyTrace: resolved.trace,
+        scope: {
+          kind: 'workingTree',
+        },
+      });
+      emitSuccessfulHookGateSummary({
+        dependencies: activeDependencies,
+        stage: 'PRE_PUSH',
+        policyTrace: resolved.trace,
+        exitCode,
+      });
+      notifyAuditSummaryForStage(activeDependencies, 'PRE_PUSH');
+      return exitCode;
+    }
     process.stderr.write(`${PRE_PUSH_UPSTREAM_REQUIRED_MESSAGE}\n`);
     notifyGateBlockedForStage({
       dependencies: activeDependencies,
@@ -359,6 +456,23 @@ export async function runPrePushStage(
     return 1;
   }
 
+  const misalignedUpstream = detectPrePushUpstreamMisalignment({
+    dependencies: activeDependencies,
+    upstreamRef,
+  });
+  if (misalignedUpstream) {
+    process.stderr.write(`${misalignedUpstream.message}\n`);
+    notifyGateBlockedForStage({
+      dependencies: activeDependencies,
+      stage: 'PRE_PUSH',
+      fallbackCauseCode: 'PRE_PUSH_UPSTREAM_MISALIGNED',
+      fallbackCauseMessage: misalignedUpstream.message,
+      fallbackRemediation: misalignedUpstream.remediation,
+    });
+    notifyAuditSummaryForStage(activeDependencies, 'PRE_PUSH');
+    return 1;
+  }
+
   if (
     enforceGitAtomicityGate({
       dependencies: activeDependencies,