npm - pumuki - Versions diffs - 6.3.47 → 6.3.49 - Mend

pumuki 6.3.47 → 6.3.49

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/docs/RELEASE_NOTES.md +33 -0
package/docs/seguimiento-activo-pumuki-saas-supermercados.md +73 -1
package/integrations/git/stageRunners.ts +6 -1
package/integrations/lifecycle/watch.ts +96 -5
package/package.json +1 -1

package/docs/RELEASE_NOTES.md CHANGED Viewed

@@ -5,6 +5,39 @@ Detailed commit history remains available through Git history (`git log` / `git
 ## 2026-03 (enterprise hardening updates)
+### 2026-03-05 (v6.3.49)
+- Watch JSON contract clarity for staged scope:
+  - `lastTick.changed` now reflects real scoped file delta, not merely tick execution.
+  - In `scope=staged` with no staged files:
+    - `changed=false`
+    - `changedFiles=[]`
+    - `evaluatedFiles=[]`
+- Operational impact:
+  - prevents false interpretation of activity in consumer diagnostics and backlog evidence.
+- Validation evidence:
+  - `npx --yes tsx@4.21.0 --test integrations/lifecycle/__tests__/watch.test.ts` (`6 pass / 0 fail`)
+  - `npm run -s typecheck` (`PASS`)
+  - consumer smoke (Flux, local core bin): `watch --once --stage=PRE_COMMIT --scope=staged --json` -> `changed=false` with empty arrays.
+### 2026-03-05 (v6.3.48)
+- Anti-drift hardening for consumer validation flows:
+  - `pumuki watch` now applies manifest integrity guard and restores unexpected mutations to:
+    - `package.json`
+    - `package-lock.json`
+    - `pnpm-lock.yaml`
+    - `yarn.lock`
+  - If mutation is detected, watch blocks with `MANIFEST_MUTATION_DETECTED`.
+- Hook hardening parity:
+  - `pre-commit` / `pre-push` manifest guard now covers npm + pnpm + yarn lockfiles (not only npm).
+- Operational impact:
+  - avoids silent manifest/lockfile drift in consumers during validation loops unless upgrade is explicitly requested.
+- Validation evidence:
+  - `npx --yes tsx@4.21.0 --test integrations/lifecycle/__tests__/watch.test.ts integrations/git/__tests__/stageRunners.test.ts` (`38 pass / 0 fail`)
+  - `npm run -s typecheck` (`PASS`)
+  - consumer smoke (Flux, local core bin): `watch --once --json` with hashes unchanged for `package.json` / `pnpm-lock.yaml`.
 ### 2026-03-05 (v6.3.47)
 - Manifest integrity hardening in hook stages (`PRE_COMMIT` / `PRE_PUSH`):

package/docs/seguimiento-activo-pumuki-saas-supermercados.md CHANGED Viewed

@@ -2516,4 +2516,76 @@
     - vigilancia:
       - `npm run -s validation:backlog-watch:tick`.
-- 🚧 PUMUKI-187: Publicar corte con fix `#720`, actualizar consumers a la versión publicada y mover `PUMUKI-INC-063` de `🚧 REPORTED` a `✅ FIXED` con referencia de issue/commit/release.
+- ✅ PUMUKI-187: Publicar corte con fix `#720`, actualizar consumers a la versión publicada y mover `PUMUKI-INC-063` de `🚧 REPORTED` a `✅ FIXED` con referencia de issue/commit/release.
+  - Resultado (2026-03-05):
+    - release publicada: `pumuki@6.3.47`.
+    - rollout en consumers:
+      - `R_GO`: upgrade a `pumuki@6.3.47` (con `npm_config_engine_strict=false` por restricción de engines del consumer), `PRE_WRITE/PRE_COMMIT/PRE_PUSH` en `RC=0`.
+      - `SAAS`: upgrade a `pumuki@6.3.47`, validación local con binarios `node node_modules/pumuki/bin/*` (bloqueos existentes del repo por reglas/gate, no regresión de manifests).
+      - `Flux_training`: upgrade a `pumuki@6.3.47`, `PRE_WRITE/PRE_COMMIT` en `RC=0` y `PRE_PUSH` bloqueado por atomicidad del propio worktree (`changed_files=720`), sin mutación de manifests.
+    - verificación de no mutación de manifests:
+      - `R_GO`: `package.json` y `package-lock.json` sin cambios de hash antes/después de `validate + pre-commit + pre-push`.
+      - `SAAS`: `package.json` y `package-lock.json` sin cambios de hash antes/después de `validate + pre-commit + pre-push`.
+      - `Flux_training`: `package.json` y `pnpm-lock.yaml` sin cambios de hash antes/después de `validate + pre-commit + pre-push`.
+    - MD canónico RuralGo actualizado:
+      - `PUMUKI-INC-063` -> `✅ FIXED (#720, release 6.3.47)`.
+      - activos High reducidos a `PUMUKI-INC-064` como único foco.
+  - Evidencia:
+    - `npm publish --access public` -> `+ pumuki@6.3.47`.
+    - `npm ls pumuki --depth=0` (`R_GO`/`SAAS`) y `pnpm list -D pumuki --depth 0` (`Flux_training`) -> `6.3.47`.
+    - hashes before/after de manifests en los tres consumers.
+- ✅ PUMUKI-188: Cerrar trazabilidad de RuralGo tras validación de `PUMUKI-INC-064` y ajustar foco activo al siguiente hallazgo neto real.
+  - Resultado (2026-03-05):
+    - MD canónico RuralGo quedó 100% cerrado:
+      - `✅ Cerrados: 100`
+      - `🚧/⏳/⛔: 0`.
+    - `PUMUKI-INC-064` se consolidó en `✅ FIXED` con referencia de release `6.3.47` y evidencia de `PRE_PUSH=ALLOW` sin workaround manual de `skills.sources.json`/`skills.lock.json`.
+    - `issue #720` cerrada tras validación del fix de mutación de manifests.
+  - Evidencia:
+    - `sed -n '1,60p' /Users/.../R_GO/docs/.../pumuki-integration-feedback.md` (estado cerrado 100/0).
+    - `gh issue close 720 --repo SwiftEnProfundidad/ast-intelligence-hooks ...`.
+- ✅ PUMUKI-189: Ejecutar siguiente bug prioritaria activa de Flux (`PUM-013`) sobre drift de dependencia en manifests durante validación y cerrar con fix + release + validación consumer.
+  - Resultado (2026-03-05):
+    - issue upstream `#722` cerrada tras validación real en consumer.
+    - `PUM-013` actualizado a `✅ Cerrado` en el MD externo de Flux.
+    - verificación de no-mutación confirmada:
+      - `package.json` hash before/after sin cambios,
+      - `pnpm-lock.yaml` hash before/after sin cambios,
+      - `watch --once --json` en `ALLOW` (`gateExitCode=0`).
+  - Evidencia:
+    - `npx --yes --package pumuki@latest pumuki watch --once --stage=PRE_COMMIT --scope=staged --json`
+    - `gh issue close 722 --repo SwiftEnProfundidad/ast-intelligence-hooks ...`
+    - `/Users/juancarlosmerlosalbarracin/Developer/Projects/Flux_training/docs/BUGS_Y_MEJORAS_PUMUKI.md` (`PUM-013` -> `✅ Cerrado`).
+- ✅ PUMUKI-190: Ejecutar vigilancia activa del backlog canónico de RuralGo y abrir/cerrar loop solo ante nuevos hallazgos netos reproducibles (`OPEN/REPORTED`), manteniendo SAAS/Flux en validación de no-regresión sin tocar código consumidor.
+  - Resultado (2026-03-05):
+    - tick fleet ejecutado sobre los 3 backlogs externos (`SAAS`, `RuralGo`, `Flux`) sin hallazgos netos.
+    - `non_closed_total=0`, `action_required_targets=0`, `has_action_required=false`.
+    - no se abren issues nuevas ni se requiere fix técnico en este ciclo.
+  - Evidencia:
+    - `npm run -s validation:backlog-watch:tick`
+    - salida JSON: `targets=3`, `entries_scanned_total=142`, `non_closed_total=0`.
+- ✅ PUMUKI-191: Mantener monitorización continua multi-consumer (tick periódico) y abrir ejecución técnica inmediata solo cuando `has_action_required=true`, actualizando en el mismo ciclo el MD externo afectado + este MD interno.
+  - Resultado (2026-03-05):
+    - tick fleet detectó hallazgo neto nuevo en Flux (`PUM-014`) con `has_action_required=true`.
+    - issue upstream creada: `#723`.
+    - MD externo Flux actualizado a estado activo (`PUM-014` -> `🚧 En construccion (#723)`).
+  - Evidencia:
+    - `npm run -s validation:backlog-watch:tick` (run_id `819f019e-36ce-405f-ba24-3cb1372a2021`)
+    - `gh issue create --repo SwiftEnProfundidad/ast-intelligence-hooks ...` -> `#723`
+    - `/Users/juancarlosmerlosalbarracin/Developer/Projects/Flux_training/docs/BUGS_Y_MEJORAS_PUMUKI.md` actualizado.
+- 🚧 PUMUKI-192: Ejecutar fix de `PUM-014/#723` en `watch --json` para alinear `lastTick.changed` con delta real de archivos del scope, validar en tests y preparar cierre de leyenda externa.
+  - Avance (2026-03-05):
+    - fix aplicado en `integrations/lifecycle/watch.ts` (`changed` ahora depende del delta real del scope).
+    - regresión añadida/actualizada en `integrations/lifecycle/__tests__/watch.test.ts`.
+    - smoke en Flux con binario local del core:
+      - `changed=false`, `changedFiles=[]`, `evaluatedFiles=[]`, `gateOutcome=ALLOW`.
+    - issue `#723` actualizada con evidencia técnica.
+  - Pendiente para cierre:
+    - publicar corte con este fix,
+    - validar en Flux con `npx --yes --package pumuki@latest ...`,
+    - mover `PUM-014` de `🚧` a `✅` y cerrar `#723`.

package/integrations/git/stageRunners.ts CHANGED Viewed

@@ -241,7 +241,12 @@ const shouldRetryAfterPolicyReconcile = (params: {
 type HookStage = 'PRE_COMMIT' | 'PRE_PUSH';
 type HookPolicyTrace = NonNullable<ReturnType<typeof resolvePolicyForStage>['trace']>;
-const MANIFEST_GUARD_FILES = ['package.json', 'package-lock.json'] as const;
+const MANIFEST_GUARD_FILES = [
+  'package.json',
+  'package-lock.json',
+  'pnpm-lock.yaml',
+  'yarn.lock',
+] as const;
 type ManifestGuardEntry = {
   relativePath: (typeof MANIFEST_GUARD_FILES)[number];

package/integrations/lifecycle/watch.ts CHANGED Viewed

@@ -1,4 +1,6 @@
 import { createHash } from 'node:crypto';
+import { existsSync, readFileSync, unlinkSync, writeFileSync } from 'node:fs';
+import { join } from 'node:path';
 import { setTimeout as sleepTimer } from 'node:timers/promises';
 import { isSeverityAtLeast, type Severity } from '../../core/rules/Severity';
 import type { GateScope } from '../git/runPlatformGateFacts';
@@ -125,6 +127,8 @@ const BLOCKED_REMEDIATION_BY_CODE: Readonly<Record<string, string>> = {
   SDD_SESSION_INVALID: 'Refresca la sesión SDD y vuelve a intentar.',
   OPENSPEC_MISSING: 'Instala OpenSpec y reintenta la validación.',
   MCP_ENTERPRISE_RECEIPT_MISSING: 'Genera el receipt enterprise de MCP antes de continuar.',
+  MANIFEST_MUTATION_DETECTED:
+    'Validación no debe mutar package.json/lockfiles. Revisa wiring y realiza upgrades solo con comando explícito.',
 };
 const WATCH_POLICY_RECONCILE_CODES = new Set<string>([
@@ -142,6 +146,61 @@ const THRESHOLD_TO_SEVERITY: Record<LifecycleWatchSeverityThreshold, Severity> =
   low: 'INFO',
 };
+const WATCH_MANIFEST_GUARD_FILES = [
+  'package.json',
+  'package-lock.json',
+  'pnpm-lock.yaml',
+  'yarn.lock',
+] as const;
+type WatchManifestGuardEntry = {
+  relativePath: (typeof WATCH_MANIFEST_GUARD_FILES)[number];
+  absolutePath: string;
+  existed: boolean;
+  contents: string;
+};
+const captureWatchManifestGuardSnapshot = (
+  repoRoot: string
+): Array<WatchManifestGuardEntry> =>
+  WATCH_MANIFEST_GUARD_FILES.map((relativePath) => {
+    const absolutePath = join(repoRoot, relativePath);
+    const existed = existsSync(absolutePath);
+    return {
+      relativePath,
+      absolutePath,
+      existed,
+      contents: existed ? readFileSync(absolutePath, 'utf8') : '',
+    };
+  });
+const restoreWatchManifestGuardSnapshot = (
+  snapshot: ReadonlyArray<WatchManifestGuardEntry>
+): Array<string> => {
+  const mutated: Array<string> = [];
+  for (const entry of snapshot) {
+    const existsNow = existsSync(entry.absolutePath);
+    if (entry.existed) {
+      if (!existsNow) {
+        writeFileSync(entry.absolutePath, entry.contents, 'utf8');
+        mutated.push(entry.relativePath);
+        continue;
+      }
+      const current = readFileSync(entry.absolutePath, 'utf8');
+      if (current !== entry.contents) {
+        writeFileSync(entry.absolutePath, entry.contents, 'utf8');
+        mutated.push(entry.relativePath);
+      }
+      continue;
+    }
+    if (existsNow) {
+      unlinkSync(entry.absolutePath);
+      mutated.push(entry.relativePath);
+    }
+  }
+  return Array.from(new Set(mutated));
+};
 const toGateScope = (scope: LifecycleWatchScope): GateScope => {
   if (scope === 'staged') {
     return { kind: 'staged' };
@@ -314,6 +373,7 @@ export const runLifecycleWatch = async (
       });
       const changedFiles = collectChangedFilesFromFacts(facts);
       const evaluatedFiles = collectEvaluatedFilesFromFacts(facts);
+      const scopeHasFileDelta = changedFiles.length > 0 || evaluatedFiles.length > 0;
       const runEvaluation = async (): Promise<{
         gateExitCode: number;
         evidence: AiEvidenceV2_1 | undefined;
@@ -322,21 +382,52 @@ export const runLifecycleWatch = async (
         gateOutcome: 'BLOCK' | 'WARN' | 'ALLOW' | 'NO_EVIDENCE';
         topCodes: ReadonlyArray<string>;
       }> => {
-        const gateExitCode = await activeDependencies.runPlatformGate({
+        const manifestSnapshot = captureWatchManifestGuardSnapshot(repoRoot);
+        let gateExitCode = await activeDependencies.runPlatformGate({
           policy: resolvedPolicy.policy,
           policyTrace: resolvedPolicy.trace,
           scope: gateScope,
           silent: true,
         });
         const evidence = activeDependencies.readEvidence(repoRoot);
-        const allFindings = evidence?.snapshot.findings ?? [];
-        const matchedFindings = allFindings.filter((finding) =>
+        const allFindingsBase = evidence?.snapshot.findings ?? [];
+        const matchedFindingsBase = allFindingsBase.filter((finding) =>
           isSeverityAtLeast(finding.severity, thresholdSeverity)
         );
+        const manifestMutations = restoreWatchManifestGuardSnapshot(manifestSnapshot);
+        const manifestMutationFinding: SnapshotFinding | null =
+          manifestMutations.length > 0
+            ? {
+                ruleId: 'governance.manifest.no-silent-mutation',
+                severity: 'ERROR',
+                code: 'MANIFEST_MUTATION_DETECTED',
+                message:
+                  `Unexpected manifest mutation detected during watch and reverted: ${manifestMutations.join(', ')}.`,
+                file: manifestMutations[0] ?? 'package.json',
+                matchedBy: 'LifecycleWatch',
+                source: 'skills.backend.runtime-hygiene',
+              }
+            : null;
+        const allFindings = manifestMutationFinding
+          ? [...allFindingsBase, manifestMutationFinding]
+          : allFindingsBase;
+        const matchedFindings = manifestMutationFinding
+          ? [...matchedFindingsBase, manifestMutationFinding]
+          : matchedFindingsBase;
         const rawGateOutcome =
           evidence?.snapshot.outcome ??
           (gateExitCode !== 0 ? 'BLOCK' : 'NO_EVIDENCE');
-        const gateOutcome = rawGateOutcome === 'PASS' ? 'ALLOW' : rawGateOutcome;
+        const gateOutcome = manifestMutationFinding
+          ? 'BLOCK'
+          : rawGateOutcome === 'PASS'
+            ? 'ALLOW'
+            : rawGateOutcome;
+        if (manifestMutationFinding) {
+          gateExitCode = 1;
+          process.stderr.write(
+            `[pumuki][watch-manifest-guard] unexpected manifest mutation detected and reverted: ${manifestMutations.join(', ')}\n`
+          );
+        }
         const topCodes = toTopCodes(matchedFindings);
         return {
           gateExitCode,
@@ -440,7 +531,7 @@ export const runLifecycleWatch = async (
       lastTick = {
         tick: ticks,
-        changed,
+        changed: scopeHasFileDelta,
         evaluated: true,
         stage,
         scope,

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.47",
+  "version": "6.3.49",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {