pumuki 6.3.57 → 6.3.59

package/VERSION

@@ -1 +1 @@
-v6.3.57
+v6.3.59

package/docs/operations/RELEASE_NOTES.md

@@ -6,6 +6,41 @@ This file keeps only the operational highlights and rollout notes that matter wh
 
 ## 2026-03 (enterprise hardening updates)
 
+### 2026-03-14 (v6.3.59)
+
+- PRE_WRITE tooling-only no-op:
+  - consumer deltas that only touch package/runtime alignment files no longer materialize a fake multi-platform skills contract,
+  - the result is now `skills_contract=NOT_APPLICABLE` even with `pending_changes > 0` when no code platform is active in the worktree delta.
+- Policy packaging alignment:
+  - the published tarball now includes the `integrations/policy/*.ts` helpers required by `evaluateAiGate`, `stageRunners`, `watch` and `cli`.
+- Operational impact:
+  - `SAAS · PUMUKI-021` can now be revalidated against the published package on a real tooling-only adoption slice.
+- Validation evidence:
+  - `npm run -s typecheck` (`PASS`)
+  - `node --import tsx --test integrations/gate/__tests__/evaluateAiGate.test.ts` (`41 pass / 0 fail`)
+  - `node --import tsx --test --test-name-pattern "autocura evidence y receipt stale aunque la sesión SDD esté inválida|blocks AI gate violations in strict enforcement mode|blocks missing OpenSpec in strict enforcement mode|expone next_action de reconcile cuando active_rule_ids está vacío para código|expone next_action con slice atómico" integrations/lifecycle/__tests__/cli.test.ts` (`4 pass / 0 fail`)
+  - `npm run -s validation:package-manifest` (`PASS`)
+  - `npm pack --json --dry-run` (`PASS`)
+
+### 2026-03-14 (v6.3.58)
+
+- PRE_WRITE no-op stability for consumer slices:
+  - clean slices with `pending_changes=0` no longer fail by undetected multi-platform skills contract noise,
+  - the resulting contract is now `NOT_APPLICABLE` when there is no materialized active platform scope.
+- PRE_WRITE freshness autocure:
+  - stale `ai_evidence` and stale MCP receipts are refreshed even if the SDD session itself is invalid,
+  - operational noise is removed before the final decision is reported.
+- Deep doctor de-escalation:
+  - missing/stale evidence is now treated as operational drift (`warning`) instead of a hard diagnostic block.
+- Operational impact:
+  - `SAAS · PUMUKI-021` is left with only release/adoption work; the core no longer has a technical residual for that bug.
+- Validation evidence:
+  - `npm run -s typecheck` (`PASS`)
+  - `node --import tsx --test integrations/gate/__tests__/evaluateAiGate.test.ts` (`40 pass / 0 fail`)
+  - `node --import tsx --test --test-name-pattern "autocura evidence y receipt stale aunque la sesión SDD esté inválida|blocks AI gate violations in strict enforcement mode|blocks missing OpenSpec in strict enforcement mode|expone next_action de reconcile cuando active_rule_ids está vacío para código|expone next_action con slice atómico" integrations/lifecycle/__tests__/cli.test.ts` (`4 pass / 0 fail`)
+  - `npm run -s validation:package-manifest` (`PASS`)
+  - `npm pack --json --dry-run` (`PASS`)
+
 ### 2026-03-11 (v6.3.57)
 
 - AST intelligence and gate payload enrichment:

package/integrations/evidence/schema.ts

@@ -188,7 +188,7 @@ export type RepoState = {
     installed: boolean;
     package_version: string | null;
     lifecycle_version: string | null;
-    package_version_source?: 'consumer-node-modules' | 'runtime-package';
+    package_version_source?: 'consumer-node-modules' | 'runtime-package' | 'source-bin';
     package_version_runtime?: string | null;
     package_version_installed?: string | null;
     hooks: {

package/integrations/gate/evaluateAiGate.ts

@@ -3,6 +3,7 @@ import { readEvidenceResult } from '../evidence/readEvidence';
 import { captureRepoState } from '../evidence/repoState';
 import type { RepoState } from '../evidence/schema';
 import { resolvePolicyForStage } from './stagePolicies';
+import { execFileSync } from 'node:child_process';
 import { existsSync, realpathSync } from 'node:fs';
 import { resolve } from 'node:path';
 import type { SkillsLockV1, SkillsStage } from '../config/skillsLock';
@@ -10,6 +11,10 @@ import {
   loadEffectiveSkillsLock,
   loadRequiredSkillsLock,
 } from '../config/skillsEffectiveLock';
+import {
+  resolveSkillsEnforcement,
+  type SkillsEnforcementResolution,
+} from '../policy/skillsEnforcement';
 import {
   readMcpAiGateReceipt,
   resolveMcpAiGateReceiptPath,
@@ -169,6 +174,13 @@ const MCP_RECEIPT_STAGE_ORDER: Readonly<Record<AiGateStage, number>> = {
   PRE_PUSH: 2,
   CI: 3,
 };
+const SKILLS_CONTRACT_SUPPRESSED_EVIDENCE_CODES = new Set([
+  'EVIDENCE_MISSING',
+  'EVIDENCE_INVALID',
+  'EVIDENCE_CHAIN_INVALID',
+  'EVIDENCE_TIMESTAMP_INVALID',
+  'EVIDENCE_STALE',
+]);
 
 const toErrorViolation = (code: string, message: string): AiGateViolation => ({
   code,
@@ -182,6 +194,16 @@ const toWarnViolation = (code: string, message: string): AiGateViolation => ({
   message,
 });
 
+const toSkillsViolation = (
+  resolution: SkillsEnforcementResolution,
+  code: string,
+  message: string
+): AiGateViolation => (
+  resolution.blocking
+    ? toErrorViolation(code, message)
+    : toWarnViolation(code, message)
+);
+
 const normalizeRepoStateLifecycleVersions = (repoState: RepoState): RepoState => {
   const packageVersion = repoState.lifecycle.package_version;
   const lifecycleVersion = repoState.lifecycle.lifecycle_version;
@@ -332,6 +354,109 @@ const toRepoTreeDetectedPlatforms = (params: {
   });
 };
 
+const normalizeChangedPath = (value: string): string =>
+  value.replace(/\\/g, '/').replace(/^"+|"+$/g, '').trim();
+
+const parseChangedPath = (line: string): string | null => {
+  if (line.length < 4) {
+    return null;
+  }
+  const raw = line.slice(3).trim();
+  if (raw.length === 0) {
+    return null;
+  }
+  if (raw.includes(' -> ')) {
+    const renamed = raw.split(' -> ').pop();
+    if (!renamed) {
+      return null;
+    }
+    const normalizedRenamed = normalizeChangedPath(renamed);
+    return normalizedRenamed.length > 0 ? normalizedRenamed : null;
+  }
+  const normalized = normalizeChangedPath(raw);
+  return normalized.length > 0 ? normalized : null;
+};
+
+const collectWorktreeChangedPaths = (repoRoot: string): ReadonlyArray<string> => {
+  try {
+    const output = execFileSync(
+      'git',
+      ['status', '--short', '--untracked-files=all'],
+      {
+        cwd: repoRoot,
+        encoding: 'utf8',
+        stdio: ['ignore', 'pipe', 'ignore'],
+      }
+    );
+    const files = output
+      .split('\n')
+      .map((line) => parseChangedPath(line))
+      .filter((line): line is string => typeof line === 'string' && line.length > 0);
+    return [...new Set(files)];
+  } catch {
+    return [];
+  }
+};
+
+const isPlatformPath = (platform: PreWriteSkillsPlatform, filePath: string): boolean => {
+  const normalized = normalizeChangedPath(filePath).toLowerCase();
+  if (platform === 'ios') {
+    return normalized.endsWith('.swift')
+      || normalized.startsWith('apps/ios/')
+      || normalized.startsWith('ios/');
+  }
+  if (platform === 'android') {
+    return normalized.endsWith('.kt')
+      || normalized.endsWith('.kts')
+      || normalized.startsWith('apps/android/')
+      || normalized.startsWith('android/');
+  }
+  if (platform === 'backend') {
+    const isTypeScriptOrJavaScript =
+      normalized.endsWith('.ts')
+      || normalized.endsWith('.js')
+      || normalized.endsWith('.mts')
+      || normalized.endsWith('.cts')
+      || normalized.endsWith('.mjs')
+      || normalized.endsWith('.cjs');
+    if (!isTypeScriptOrJavaScript) {
+      return false;
+    }
+    return normalized.startsWith('apps/backend/')
+      || /(^|\/)(backend|server|api)(\/|$)/.test(normalized);
+  }
+  const isReactExtension = normalized.endsWith('.tsx') || normalized.endsWith('.jsx');
+  if (isReactExtension) {
+    return true;
+  }
+  const isTypeScriptOrJavaScript =
+    normalized.endsWith('.ts')
+    || normalized.endsWith('.js')
+    || normalized.endsWith('.mts')
+    || normalized.endsWith('.cts')
+    || normalized.endsWith('.mjs')
+    || normalized.endsWith('.cjs');
+  if (!isTypeScriptOrJavaScript) {
+    return false;
+  }
+  return normalized.startsWith('apps/frontend/')
+    || normalized.startsWith('apps/web/')
+    || /(^|\/)(frontend|web|client)(\/|$)/.test(normalized);
+};
+
+const hasWorktreeCodePlatforms = (params: {
+  repoRoot: string;
+  requiredPlatforms: ReadonlyArray<PreWriteSkillsPlatform>;
+}): boolean => {
+  const changedPaths = collectWorktreeChangedPaths(params.repoRoot);
+  if (changedPaths.length === 0) {
+    return false;
+  }
+  return changedPaths.some((filePath) =>
+    params.requiredPlatforms.some((platform) => isPlatformPath(platform, filePath))
+  );
+};
+
 const toLockRequiredPlatforms = (
   requiredLock: SkillsLockV1 | undefined
 ): ReadonlyArray<PreWriteSkillsPlatform> => {
@@ -426,6 +551,7 @@ const collectActiveRuleIdsCoverageViolations = (params: {
 const collectPreWritePlatformSkillsViolations = (params: {
   evidence: Extract<EvidenceReadResult, { kind: 'valid' }>['evidence'];
   coverage: NonNullable<Extract<EvidenceReadResult, { kind: 'valid' }>['evidence']['snapshot']['rules_coverage']>;
+  skillsEnforcement: SkillsEnforcementResolution;
 }): AiGateViolation[] => {
   const detectedPlatforms = toPreWriteDetectedSkillsPlatforms({
     platforms: params.evidence.platforms,
@@ -460,7 +586,8 @@ const collectPreWritePlatformSkillsViolations = (params: {
 
   if (missingScopeCoverage.length > 0) {
     violations.push(
-      toErrorViolation(
+      toSkillsViolation(
+        params.skillsEnforcement,
         'EVIDENCE_PLATFORM_SKILLS_SCOPE_INCOMPLETE',
         `Detected platforms missing skill-rule coverage in PRE_WRITE: ${missingScopeCoverage.join(' | ')}.`
       )
@@ -485,7 +612,8 @@ const collectPreWritePlatformSkillsViolations = (params: {
 
   if (missingBundlesByPlatform.length > 0) {
     violations.push(
-      toErrorViolation(
+      toSkillsViolation(
+        params.skillsEnforcement,
         'EVIDENCE_PLATFORM_SKILLS_BUNDLES_MISSING',
         `Detected platforms missing required skill bundles in PRE_WRITE: ${missingBundlesByPlatform.join(' | ')}.`
       )
@@ -513,7 +641,8 @@ const collectPreWritePlatformSkillsViolations = (params: {
 
   if (missingCriticalRulesByPlatform.length > 0) {
     violations.push(
-      toErrorViolation(
+      toSkillsViolation(
+        params.skillsEnforcement,
         'EVIDENCE_PLATFORM_CRITICAL_SKILLS_RULES_MISSING',
         `Detected platforms missing critical skill-rule enforcement in PRE_WRITE: ${missingCriticalRulesByPlatform.join(' | ')}.`
       )
@@ -526,6 +655,7 @@ const collectPreWritePlatformSkillsViolations = (params: {
 const collectPreWriteCrossPlatformCriticalViolations = (params: {
   evidence: Extract<EvidenceReadResult, { kind: 'valid' }>['evidence'];
   coverage: NonNullable<Extract<EvidenceReadResult, { kind: 'valid' }>['evidence']['snapshot']['rules_coverage']>;
+  skillsEnforcement: SkillsEnforcementResolution;
 }): AiGateViolation[] => {
   const detectedPlatforms = toPreWriteDetectedSkillsPlatforms({
     platforms: params.evidence.platforms,
@@ -561,7 +691,8 @@ const collectPreWriteCrossPlatformCriticalViolations = (params: {
   }
 
   return [
-    toErrorViolation(
+    toSkillsViolation(
+      params.skillsEnforcement,
       'EVIDENCE_CROSS_PLATFORM_CRITICAL_ENFORCEMENT_INCOMPLETE',
       `Cross-platform critical enforcement incomplete in PRE_WRITE: ${missingCriticalCoverage.join(' | ')}.`
     ),
@@ -571,8 +702,10 @@ const collectPreWriteCrossPlatformCriticalViolations = (params: {
 const toSkillsContractAssessment = (params: {
   stage: AiGateStage;
   repoRoot: string;
+  repoState: RepoState;
   evidenceResult: EvidenceReadResult;
   requiredLock?: SkillsLockV1;
+  skillsEnforcement: SkillsEnforcementResolution;
 }): AiGateSkillsContractAssessment => {
   const requiredPlatforms = toLockRequiredPlatforms(params.requiredLock);
 
@@ -602,7 +735,8 @@ const toSkillsContractAssessment = (params: {
       violations:
         requiredPlatforms.length > 0
           ? [
-              toErrorViolation(
+              toSkillsViolation(
+                params.skillsEnforcement,
                 'EVIDENCE_SKILLS_PLATFORMS_UNDETECTED',
                 `Required repo skills exist, but active platforms could not be detected for ${params.stage}.`
               ),
@@ -615,7 +749,7 @@ const toSkillsContractAssessment = (params: {
   const explicitlyDetectedPlatforms = toDetectedSkillsPlatforms(params.evidenceResult.evidence.platforms);
   const inferredPlatforms = toCoverageInferredPlatforms(coverage);
   const repoTreeDetectedPlatforms =
-    requiredPlatforms.length > 0
+    params.stage !== 'PRE_WRITE' && requiredPlatforms.length > 0
       ? toRepoTreeDetectedPlatforms({
           repoRoot: params.repoRoot,
           platforms: requiredPlatforms,
@@ -634,12 +768,35 @@ const toSkillsContractAssessment = (params: {
       : inferredPlatforms.length > 0
         ? inferredPlatforms
         : repoTreeDetectedPlatforms;
+  const pendingChanges = resolvePendingChanges(params.repoState);
+  const detectedPlatformSet = new Set(detectedPlatforms);
   const assessmentPlatforms =
     requiredPlatforms.length > 0
-      ? requiredPlatforms
+      ? params.stage === 'PRE_WRITE' && detectedPlatforms.length > 0
+        ? requiredPlatforms.filter((platform) => detectedPlatformSet.has(platform))
+        : requiredPlatforms
       : detectedPlatforms;
 
   if (requiredPlatforms.length > 0 && detectedPlatforms.length === 0) {
+    if (
+      params.stage === 'PRE_WRITE'
+      && (
+        pendingChanges === 0
+        || !hasWorktreeCodePlatforms({
+          repoRoot: params.repoRoot,
+          requiredPlatforms,
+        })
+      )
+    ) {
+      return {
+        stage: params.stage,
+        enforced: false,
+        status: 'NOT_APPLICABLE',
+        detected_platforms: [],
+        requirements: [],
+        violations: [],
+      };
+    }
     const requirements: AiGateSkillsContractPlatformRequirement[] = requiredPlatforms.map((platform) => ({
       platform,
       required_rule_prefix: PLATFORM_SKILLS_RULE_PREFIXES[platform],
@@ -665,7 +822,8 @@ const toSkillsContractAssessment = (params: {
       detected_platforms: [],
       requirements,
       violations: [
-        toErrorViolation(
+        toSkillsViolation(
+          params.skillsEnforcement,
           'EVIDENCE_SKILLS_PLATFORMS_UNDETECTED',
           `Required repo skills exist, but active platforms could not be detected for ${params.stage}.`
         ),
@@ -694,7 +852,8 @@ const toSkillsContractAssessment = (params: {
   const violations: AiGateViolation[] = [];
   if (requiredPlatforms.length > 0 && detectedPlatforms.length === 0) {
     violations.push(
-      toErrorViolation(
+      toSkillsViolation(
+        params.skillsEnforcement,
         'EVIDENCE_SKILLS_PLATFORMS_UNDETECTED',
         `Required repo skills exist, but active platforms could not be detected for ${params.stage}.`
       )
@@ -759,7 +918,8 @@ const toSkillsContractAssessment = (params: {
         missingParts.push('evaluated_prefix');
       }
       violations.push(
-        toErrorViolation(
+        toSkillsViolation(
+          params.skillsEnforcement,
           'EVIDENCE_PLATFORM_SKILLS_SCOPE_INCOMPLETE',
           `Skills contract scope coverage missing for ${platform}: ${missingParts.join(', ')} (${requiredRulePrefix}).`
         )
@@ -767,7 +927,8 @@ const toSkillsContractAssessment = (params: {
     }
     if (missingBundles.length > 0) {
       violations.push(
-        toErrorViolation(
+        toSkillsViolation(
+          params.skillsEnforcement,
           'EVIDENCE_PLATFORM_SKILLS_BUNDLES_MISSING',
           `Skills contract missing bundles for ${platform}: [${missingBundles.join(', ')}].`
         )
@@ -775,7 +936,8 @@ const toSkillsContractAssessment = (params: {
     }
     if (missingCriticalRuleIds.length > 0) {
       violations.push(
-        toErrorViolation(
+        toSkillsViolation(
+          params.skillsEnforcement,
           'EVIDENCE_PLATFORM_CRITICAL_SKILLS_RULES_MISSING',
           `Skills contract missing critical rule coverage for ${platform}: [${missingCriticalRuleIds.join(', ')}].`
         )
@@ -783,7 +945,8 @@ const toSkillsContractAssessment = (params: {
     }
     if (!transversalCriticalCovered && requiredAnyTransversalCriticalRuleIds.length > 0) {
       violations.push(
-        toErrorViolation(
+        toSkillsViolation(
+          params.skillsEnforcement,
           'EVIDENCE_CROSS_PLATFORM_CRITICAL_ENFORCEMENT_INCOMPLETE',
           `Skills contract missing transversal critical coverage for ${platform}: required_any=[${requiredAnyTransversalCriticalRuleIds.join(', ')}].`
         )
@@ -867,6 +1030,7 @@ const collectPreWriteCoherenceViolations = (params: {
       )
     );
   } else {
+    const skillsEnforcement = resolveSkillsEnforcement();
     if (coverage.stage !== params.evidence.snapshot.stage) {
       violations.push(
         toErrorViolation(
@@ -908,12 +1072,14 @@ const collectPreWriteCoherenceViolations = (params: {
       ...collectPreWritePlatformSkillsViolations({
         evidence: params.evidence,
         coverage,
+        skillsEnforcement,
       })
     );
     violations.push(
       ...collectPreWriteCrossPlatformCriticalViolations({
         evidence: params.evidence,
         coverage,
+        skillsEnforcement,
       })
     );
   }
@@ -928,9 +1094,7 @@ const collectPreWriteCoherenceViolations = (params: {
   }
 
   if (params.preWriteWorktreeHygiene.enabled && params.repoState.git.available) {
-    const pendingChanges =
-      params.repoState.git.pending_changes
-      ?? (params.repoState.git.staged + params.repoState.git.unstaged);
+    const pendingChanges = resolvePendingChanges(params.repoState) ?? 0;
     if (pendingChanges >= params.preWriteWorktreeHygiene.blockThreshold) {
       violations.push(
         toErrorViolation(
@@ -1057,6 +1221,13 @@ const collectGitflowViolations = (
   return violations;
 };
 
+const resolvePendingChanges = (repoState: RepoState): number | null => {
+  if (!repoState.git.available) {
+    return null;
+  }
+  return repoState.git.pending_changes ?? (repoState.git.staged + repoState.git.unstaged);
+};
+
 const toPolicyStage = (stage: AiGateStage): SkillsStage => {
   if (stage === 'PRE_WRITE') {
     return 'PRE_COMMIT';
@@ -1222,6 +1393,7 @@ export const evaluateAiGate = (
     policyStage,
     params.repoRoot
   );
+  const skillsEnforcement = resolveSkillsEnforcement();
   const evidenceAssessment = collectEvidenceViolations(
     evidenceResult,
     params.repoRoot,
@@ -1243,15 +1415,22 @@ export const evaluateAiGate = (
   const skillsContract = toSkillsContractAssessment({
     stage: params.stage,
     repoRoot: params.repoRoot,
+    repoState,
     evidenceResult,
     requiredLock: requiredSkillsLock,
+    skillsEnforcement,
   });
+  const suppressSkillsContractViolation = evidenceAssessment.violations.some((violation) =>
+    SKILLS_CONTRACT_SUPPRESSED_EVIDENCE_CODES.has(violation.code)
+  );
   const stageSkillsContractViolations =
-    skillsContract.status !== 'FAIL'
+    suppressSkillsContractViolation
+    || skillsContract.status !== 'FAIL'
     || (params.stage === 'PRE_WRITE' && requiredSkillsPlatforms.length === 0)
-      ? []
+        ? []
       : [
-          toErrorViolation(
+          toSkillsViolation(
+            skillsEnforcement,
             'EVIDENCE_SKILLS_CONTRACT_INCOMPLETE',
             `Skills contract incomplete for ${params.stage}: ${skillsContract.violations.map((violation) => violation.code).join(', ')}.`
           ),

package/integrations/git/stageRunners.ts

@@ -25,8 +25,12 @@ import type { EvidenceReadResult } from '../evidence/readEvidence';
 import type { SnapshotFinding } from '../evidence/schema';
 import { ensureRuntimeArtifactsIgnored } from '../lifecycle/artifacts';
 import { runPolicyReconcile } from '../lifecycle/policyReconcile';
-import { isSeverityAtLeast } from '../../core/rules/Severity';
+import { isSeverityAtLeast, type Severity } from '../../core/rules/Severity';
 import type { SddDecision } from '../sdd';
+import {
+  resolveGitAtomicityEnforcement,
+  type GitAtomicityEnforcementResolution,
+} from '../policy/gitAtomicityEnforcement';
 
 const PRE_PUSH_UPSTREAM_REQUIRED_MESSAGE =
   'pumuki pre-push blocked: branch has no upstream tracking reference. Configure upstream first (for example: git push --set-upstream origin <branch>) and retry.';
@@ -38,6 +42,7 @@ const PRE_PUSH_UPSTREAM_MISALIGNED_AHEAD_THRESHOLD = 5;
 
 const PRE_COMMIT_EVIDENCE_MAX_AGE_SECONDS = 900;
 const PRE_PUSH_EVIDENCE_MAX_AGE_SECONDS = 1800;
+const HOOK_GATE_PROGRESS_REMINDER_MS = 2000;
 const DEFAULT_BLOCKED_REMEDIATION = 'Corrige la causa del bloqueo y vuelve a ejecutar el gate.';
 const EVIDENCE_FILE_PATH = '.ai_evidence.json';
 
@@ -106,11 +111,17 @@ type StageRunnerDependencies = {
   now: () => number;
   writeHookGateSummary: (message: string) => void;
   isQuietMode: () => boolean;
+  scheduleHookGateProgressReminder: (params: {
+    stage: HookStage;
+    delayMs: number;
+    onProgress: () => void;
+  }) => () => void;
   ensureRuntimeArtifactsIgnored: (repoRoot: string) => void;
   runPolicyReconcile: typeof runPolicyReconcile;
   isPathTracked: (repoRoot: string, relativePath: string) => boolean;
   stagePath: (repoRoot: string, relativePath: string) => void;
   resolveHeadOid: (repoRoot: string) => string | null;
+  resolveGitAtomicityEnforcement: () => GitAtomicityEnforcementResolution;
 };
 
 const defaultDependencies: StageRunnerDependencies = {
@@ -160,6 +171,17 @@ const defaultDependencies: StageRunnerDependencies = {
     process.stdout.write(`${message}\n`);
   },
   isQuietMode: () => process.argv.includes('--quiet'),
+  scheduleHookGateProgressReminder: ({ delayMs, onProgress }) => {
+    const timer = setTimeout(() => {
+      onProgress();
+    }, delayMs);
+    if (typeof timer === 'object' && timer !== null && 'unref' in timer) {
+      timer.unref();
+    }
+    return () => {
+      clearTimeout(timer);
+    };
+  },
   ensureRuntimeArtifactsIgnored: (repoRoot) => {
     try {
       ensureRuntimeArtifactsIgnored(repoRoot);
@@ -185,6 +207,7 @@ const defaultDependencies: StageRunnerDependencies = {
       return null;
     }
   },
+  resolveGitAtomicityEnforcement,
 };
 
 const getDependencies = (
@@ -253,6 +276,25 @@ const shouldRetryAfterPolicyReconcile = (params: {
   repoRoot: string;
   stage: 'PRE_COMMIT' | 'PRE_PUSH';
 }): boolean => {
+  const toEvidenceViolationSeverity = (violation: {
+    severity?: string | null;
+    level?: string | null;
+  }): Severity => {
+    const candidate = typeof violation.severity === 'string'
+      ? violation.severity
+      : typeof violation.level === 'string'
+        ? violation.level
+        : null;
+    if (
+      candidate === 'INFO' ||
+      candidate === 'WARN' ||
+      candidate === 'ERROR' ||
+      candidate === 'CRITICAL'
+    ) {
+      return candidate;
+    }
+    return 'INFO';
+  };
   const evidence = params.dependencies.readEvidence(params.repoRoot);
   if (!evidence) {
     return false;
@@ -260,11 +302,15 @@ const shouldRetryAfterPolicyReconcile = (params: {
   const stageCodes = new Set<string>();
   if (evidence.snapshot.stage === params.stage) {
     for (const finding of evidence.snapshot.findings) {
-      stageCodes.add(finding.code);
+      if (isSeverityAtLeast(finding.severity, 'ERROR')) {
+        stageCodes.add(finding.code);
+      }
     }
   }
   for (const violation of evidence.ai_gate.violations) {
-    stageCodes.add(violation.code);
+    if (isSeverityAtLeast(toEvidenceViolationSeverity(violation), 'ERROR')) {
+      stageCodes.add(violation.code);
+    }
   }
   for (const code of stageCodes) {
     if (HOOK_POLICY_RECONCILE_CODES.has(code)) {
@@ -384,38 +430,58 @@ const runHookGateWithPolicyRetry = async (params: {
   scope: Parameters<typeof runPlatformGate>[0]['scope'];
   sddDecisionOverride?: Pick<SddDecision, 'allowed' | 'code' | 'message'>;
 }): Promise<{ exitCode: number; policyTrace: HookPolicyTrace }> => {
-  const firstAttempt = await runHookGateAttempt({
-    dependencies: params.dependencies,
-    stage: params.stage,
-    scope: params.scope,
-    sddDecisionOverride: params.sddDecisionOverride,
-  });
-  if (firstAttempt.exitCode === 0) {
-    return firstAttempt;
-  }
-  if (!isHookPolicyAutoReconcileEnabled()) {
-    return firstAttempt;
+  if (!params.dependencies.isQuietMode()) {
+    params.dependencies.writeHookGateSummary(
+      `[pumuki][hook-gate] stage=${params.stage} decision=PENDING status=STARTED`
+    );
   }
-  if (
-    !shouldRetryAfterPolicyReconcile({
+  const cancelProgressReminder = params.dependencies.isQuietMode()
+    ? () => {}
+    : params.dependencies.scheduleHookGateProgressReminder({
+        stage: params.stage,
+        delayMs: HOOK_GATE_PROGRESS_REMINDER_MS,
+        onProgress: () => {
+          params.dependencies.writeHookGateSummary(
+            `[pumuki][hook-gate] stage=${params.stage} decision=PENDING status=RUNNING`
+          );
+        },
+      });
+  try {
+    const firstAttempt = await runHookGateAttempt({
       dependencies: params.dependencies,
+      stage: params.stage,
+      scope: params.scope,
+      sddDecisionOverride: params.sddDecisionOverride,
+    });
+    if (firstAttempt.exitCode === 0) {
+      return firstAttempt;
+    }
+    if (!isHookPolicyAutoReconcileEnabled()) {
+      return firstAttempt;
+    }
+    if (
+      !shouldRetryAfterPolicyReconcile({
+        dependencies: params.dependencies,
+        repoRoot: params.repoRoot,
+        stage: params.stage,
+      })
+    ) {
+      return firstAttempt;
+    }
+    params.dependencies.runPolicyReconcile({
       repoRoot: params.repoRoot,
+      strict: true,
+      apply: true,
+    });
+    return runHookGateAttempt({
+      dependencies: params.dependencies,
       stage: params.stage,
-    })
-  ) {
-    return firstAttempt;
+      scope: params.scope,
+      sddDecisionOverride: params.sddDecisionOverride,
+    });
+  } finally {
+    cancelProgressReminder();
   }
-  params.dependencies.runPolicyReconcile({
-    repoRoot: params.repoRoot,
-    strict: true,
-    apply: true,
-  });
-  return runHookGateAttempt({
-    dependencies: params.dependencies,
-    stage: params.stage,
-    scope: params.scope,
-    sddDecisionOverride: params.sddDecisionOverride,
-  });
 };
 
 const syncTrackedEvidenceAfterSuccessfulPreCommit = (params: {
@@ -643,7 +709,8 @@ const enforceGitAtomicityGate = (params: {
     fromRef: params.fromRef,
     toRef: params.toRef,
   });
-  if (!atomicity.enabled || atomicity.allowed) {
+  const enforcement = params.dependencies.resolveGitAtomicityEnforcement();
+  if (!atomicity.enabled || atomicity.allowed || !enforcement.blocking) {
     return false;
   }
   const firstViolation = atomicity.violations[0];

package/integrations/lifecycle/cli.ts

@@ -70,6 +70,7 @@ import {
   type RemoteCiDiagnostics,
 } from './remoteCiDiagnostics';
 import { runPolicyReconcile } from './policyReconcile';
+import { resolvePreWriteEnforcement, type PreWriteEnforcementResolution } from '../policy/preWriteEnforcement';
 
 type LifecycleCommand =
   | 'bootstrap'
@@ -567,6 +568,9 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
   if (!isLifecycleCommand(commandRaw)) {
     throw new Error(`Unknown command "${commandRaw}".\n\n${HELP_TEXT}`);
   }
+  if (argv.slice(1).some((arg) => arg === '--help' || arg === '-h')) {
+    throw new Error(HELP_TEXT);
+  }
 
   let purgeArtifacts = false;
   let updateSpec: ParsedArgs['updateSpec'];
@@ -1562,6 +1566,7 @@ const PRE_WRITE_POLICY_RECONCILE_COMMAND =
 type PreWriteValidationEnvelope = {
   sdd: ReturnType<typeof evaluateSddPolicy>;
   ai_gate: ReturnType<typeof evaluateAiGate>;
+  pre_write_enforcement: PreWriteEnforcementResolution;
   policy_validation: LifecyclePolicyValidationSnapshot;
   automation: PreWriteAutomationTrace;
   bootstrap: {
@@ -1841,6 +1846,7 @@ const resolveAiGateViolationLocation = (code: string) => {
 const buildPreWriteValidationEnvelope = (
   result: ReturnType<typeof evaluateSddPolicy>,
   aiGate: ReturnType<typeof evaluateAiGate>,
+  preWriteEnforcement: PreWriteEnforcementResolution,
   policyValidation: LifecyclePolicyValidationSnapshot,
   automation: PreWriteAutomationTrace,
   bootstrap: PreWriteOpenSpecBootstrapTrace,
@@ -1848,6 +1854,7 @@ const buildPreWriteValidationEnvelope = (
 ): PreWriteValidationEnvelope => ({
   sdd: result,
   ai_gate: aiGate,
+  pre_write_enforcement: preWriteEnforcement,
   policy_validation: policyValidation,
   automation: {
     attempted: automation.attempted,
@@ -1891,6 +1898,50 @@ const writeLoopAttemptEvidence = (params: {
   return relativePath;
 };
 
+const withTemporaryEnvOverrides = <T>(
+  overrides: Readonly<Record<string, string | undefined>>,
+  callback: () => T
+): T => {
+  const previous = new Map<string, string | undefined>();
+  for (const [key, value] of Object.entries(overrides)) {
+    previous.set(key, process.env[key]);
+    if (typeof value === 'undefined') {
+      delete process.env[key];
+    } else {
+      process.env[key] = value;
+    }
+  }
+  try {
+    return callback();
+  } finally {
+    for (const [key, value] of previous.entries()) {
+      if (typeof value === 'undefined') {
+        delete process.env[key];
+      } else {
+        process.env[key] = value;
+      }
+    }
+  }
+};
+
+const runRawPreWriteAiGateCheck = (params: {
+  repoRoot: string;
+  requireMcpReceipt: boolean;
+}): ReturnType<typeof evaluateAiGate> =>
+  withTemporaryEnvOverrides(
+    {
+      PUMUKI_SKILLS_ENFORCEMENT: process.env.PUMUKI_SKILLS_ENFORCEMENT ?? 'strict',
+      PUMUKI_TDD_BDD_ENFORCEMENT: process.env.PUMUKI_TDD_BDD_ENFORCEMENT ?? 'strict',
+      PUMUKI_HEURISTICS_ENFORCEMENT: process.env.PUMUKI_HEURISTICS_ENFORCEMENT ?? 'strict',
+    },
+    () =>
+      runEnterpriseAiGateCheck({
+        repoRoot: params.repoRoot,
+        stage: 'PRE_WRITE',
+        requireMcpReceipt: params.requireMcpReceipt,
+      }).result
+  );
+
 export const runLifecycleCli = async (
   argv: ReadonlyArray<string>,
   dependencies: Partial<LifecycleCliDependencies> = {}
@@ -2473,6 +2524,13 @@ export const runLifecycleCli = async (
           let result = evaluateSddPolicy({
             stage: parsed.sddStage ?? 'PRE_COMMIT',
           });
+          const preWriteEnforcement = result.stage === 'PRE_WRITE'
+            ? resolvePreWriteEnforcement()
+            : {
+              mode: 'strict',
+              source: 'default',
+              blocking: true,
+            } satisfies PreWriteEnforcementResolution;
           const policyValidation = readLifecyclePolicyValidationSnapshot(process.cwd());
           const preWriteAutoBootstrapEnabled = process.env.PUMUKI_PREWRITE_AUTO_BOOTSTRAP !== '0';
           const preWriteBootstrapTrace: PreWriteOpenSpecBootstrapTrace = {
@@ -2534,17 +2592,24 @@ export const runLifecycleCli = async (
             automationTrace.attempted = auto.trace.attempted;
             automationTrace.actions = auto.trace.actions;
           }
+          const rawPreWriteAiGate = result.stage === 'PRE_WRITE' && aiGate
+            ? runRawPreWriteAiGateCheck({
+              repoRoot: process.cwd(),
+              requireMcpReceipt: true,
+            })
+            : null;
           const nextAction = resolvePreWriteNextAction({
             sdd: result,
-            aiGate,
+            aiGate: rawPreWriteAiGate ?? aiGate,
           });
           if (parsed.json) {
             writeInfo(
               JSON.stringify(
-                aiGate
+                (rawPreWriteAiGate ?? aiGate)
                   ? buildPreWriteValidationEnvelope(
                     result,
-                    aiGate,
+                    rawPreWriteAiGate ?? aiGate!,
+                    preWriteEnforcement,
                     policyValidation,
                     automationTrace,
                     preWriteBootstrapTrace,
@@ -2582,6 +2647,9 @@ export const runLifecycleCli = async (
               writeInfo(
                 `[pumuki][sdd] openspec auto-bootstrap: enabled=${preWriteBootstrapTrace.enabled ? 'yes' : 'no'} attempted=${preWriteBootstrapTrace.attempted ? 'yes' : 'no'} status=${preWriteBootstrapTrace.status} actions=${preWriteBootstrapTrace.actions.join(',') || 'none'}`
               );
+              writeInfo(
+                `[pumuki][sdd] pre-write enforcement: mode=${preWriteEnforcement.mode} source=${preWriteEnforcement.source} blocking=${preWriteEnforcement.blocking ? 'yes' : 'no'}`
+              );
               if (preWriteBootstrapTrace.details) {
                 writeInfo(
                   `[pumuki][sdd] openspec auto-bootstrap details: ${preWriteBootstrapTrace.details}`
@@ -2617,7 +2685,7 @@ export const runLifecycleCli = async (
               aiGateResult: aiGate,
             });
           }
-          if (!result.decision.allowed) {
+          if (!result.decision.allowed && preWriteEnforcement.blocking) {
             activeDependencies.emitGateBlockedNotification({
               repoRoot: process.cwd(),
               stage: result.stage,
@@ -2631,7 +2699,7 @@ export const runLifecycleCli = async (
             });
             return 1;
           }
-          if (aiGate && !aiGate.allowed) {
+          if (aiGate && !aiGate.allowed && preWriteEnforcement.blocking) {
             const firstViolation = aiGate.violations[0];
             const causeCode = firstViolation?.code ?? 'AI_GATE_BLOCKED';
             const causeMessage = firstViolation?.message ?? 'AI gate blocked PRE_WRITE stage.';

package/integrations/lifecycle/doctor.ts

@@ -423,9 +423,9 @@ const evaluateEvidenceSourceDriftCheck = (params: {
     return buildDeepCheck({
       id: 'evidence-source-drift',
       status: 'fail',
-      severity: 'error',
+      severity: 'warning',
       message: '.ai_evidence.json is missing.',
-      remediation: 'Regenerate evidence with a full audit before continuing with enterprise checks.',
+      remediation: 'Regenerate evidence with a full audit before relying on enterprise diagnostics or gates.',
       metadata: {
         path: evidenceResult.source_descriptor.path,
       },
@@ -456,15 +456,17 @@ const evaluateEvidenceSourceDriftCheck = (params: {
   const ageSeconds = Number.isFinite(timestampMs)
     ? Math.max(0, Math.floor((nowMs - timestampMs) / 1000))
     : null;
+  let operationalDriftOnly = true;
 
   if (!Number.isFinite(timestampMs)) {
     toError();
+    operationalDriftOnly = false;
     violations.push('Evidence timestamp is invalid.');
   } else if (timestampMs > nowMs) {
     toError();
+    operationalDriftOnly = false;
     violations.push('Evidence timestamp is in the future.');
   } else if (ageSeconds !== null && ageSeconds > DEEP_EVIDENCE_MAX_AGE_SECONDS) {
-    toError();
     violations.push(
       `Evidence is stale (${ageSeconds}s > ${DEEP_EVIDENCE_MAX_AGE_SECONDS}s).`
     );
@@ -488,6 +490,7 @@ const evaluateEvidenceSourceDriftCheck = (params: {
     toCanonicalPath(expectedEvidencePath)
   ) {
     toError();
+    operationalDriftOnly = false;
     violations.push(
       `Evidence source path mismatch (${evidenceResult.source_descriptor.path} != ${expectedEvidencePath}).`
     );
@@ -498,6 +501,7 @@ const evaluateEvidenceSourceDriftCheck = (params: {
     !/^sha256:[0-9a-f]{64}$/i.test(evidenceResult.source_descriptor.digest)
   ) {
     toError();
+    operationalDriftOnly = false;
     violations.push('Evidence digest format is invalid.');
   }
 
@@ -508,6 +512,7 @@ const evaluateEvidenceSourceDriftCheck = (params: {
     toCanonicalPath(evidenceRepoRoot) !== toCanonicalPath(params.repoRoot)
   ) {
     toError();
+    operationalDriftOnly = false;
     violations.push(`Evidence repo_root mismatch (${evidenceRepoRoot} != ${params.repoRoot}).`);
   }
 
@@ -520,6 +525,7 @@ const evaluateEvidenceSourceDriftCheck = (params: {
     evidenceBranch !== currentBranch
   ) {
     toError();
+    operationalDriftOnly = false;
     violations.push(`Evidence branch mismatch (${evidenceBranch} != ${currentBranch}).`);
   }
 
@@ -535,6 +541,9 @@ const evaluateEvidenceSourceDriftCheck = (params: {
   }
 
   if (violations.length > 0) {
+    if (operationalDriftOnly) {
+      severity = 'warning';
+    }
     return buildDeepCheck({
       id: 'evidence-source-drift',
       status: 'fail',

package/integrations/lifecycle/preWriteAutomation.ts

@@ -98,7 +98,7 @@ export const buildPreWriteAutomationTrace = async (params: {
     attempted: false,
     actions: [],
   };
-  if (params.sdd.stage !== 'PRE_WRITE' || !params.sdd.decision.allowed || params.aiGate.allowed) {
+  if (params.sdd.stage !== 'PRE_WRITE' || params.aiGate.allowed) {
     return {
       aiGate: params.aiGate,
       trace,

package/integrations/lifecycle/watch.ts

@@ -11,6 +11,16 @@ import { readEvidence } from '../evidence/readEvidence';
 import type { AiEvidenceV2_1, SnapshotFinding } from '../evidence/schema';
 import { GitService, type IGitService } from '../git/GitService';
 import type { Fact } from '../../core/facts/Fact';
+import {
+  evaluateGitAtomicity,
+  type GitAtomicityEvaluation,
+  type GitAtomicityViolation,
+} from '../git/gitAtomicity';
+import {
+  resolveCiBaseRef,
+  resolvePrePushBootstrapBaseRef,
+  resolveUpstreamRef,
+} from '../git/resolveGitRefs';
 import { ensureRuntimeArtifactsIgnored } from './artifacts';
 import {
   emitAuditSummaryNotificationFromEvidence,
@@ -22,6 +32,10 @@ import {
   resolvePumukiVersionMetadata,
   type PumukiVersionMetadata,
 } from './packageInfo';
+import {
+  resolveGitAtomicityEnforcement,
+  type GitAtomicityEnforcementResolution,
+} from '../policy/gitAtomicityEnforcement';
 
 export type LifecycleWatchStage = 'PRE_COMMIT' | 'PRE_PUSH' | 'CI';
 export type LifecycleWatchScope = 'workingTree' | 'staged' | 'repoAndStaged' | 'repo';
@@ -82,6 +96,15 @@ type LifecycleWatchDependencies = {
   resolveRepoRoot: () => string;
   readChangeToken: (repoRoot: string) => string;
   resolvePolicyForStage: (stage: LifecycleWatchStage) => ResolvedStagePolicy;
+  resolveUpstreamRef: typeof resolveUpstreamRef;
+  resolvePrePushBootstrapBaseRef: typeof resolvePrePushBootstrapBaseRef;
+  resolveCiBaseRef: typeof resolveCiBaseRef;
+  evaluateGitAtomicity: (params: {
+    repoRoot: string;
+    stage: LifecycleWatchStage;
+    fromRef?: string;
+    toRef?: string;
+  }) => GitAtomicityEvaluation;
   runPlatformGate: typeof runPlatformGate;
   resolveFactsForGateScope: typeof resolveFactsForGateScope;
   readEvidence: (repoRoot: string) => AiEvidenceV2_1 | undefined;
@@ -90,6 +113,7 @@ type LifecycleWatchDependencies = {
   emitGateBlockedNotification: typeof emitGateBlockedNotification;
   runPolicyReconcile: typeof runPolicyReconcile;
   resolvePumukiVersionMetadata: (params?: { repoRoot?: string }) => PumukiVersionMetadata;
+  resolveGitAtomicityEnforcement: () => GitAtomicityEnforcementResolution;
   nowMs: () => number;
   sleep: (ms: number) => Promise<void>;
 };
@@ -115,6 +139,16 @@ const defaultDependencies: LifecycleWatchDependencies = {
   readChangeToken: (repoRoot) =>
     defaultGitService.runGit(['status', '--porcelain=v1', '--untracked-files=all'], repoRoot),
   resolvePolicyForStage: (stage) => resolvePolicyForStage(stage),
+  resolveUpstreamRef,
+  resolvePrePushBootstrapBaseRef,
+  resolveCiBaseRef,
+  evaluateGitAtomicity: (params) =>
+    evaluateGitAtomicity({
+      repoRoot: params.repoRoot,
+      stage: params.stage,
+      fromRef: params.fromRef,
+      toRef: params.toRef,
+    }),
   runPlatformGate,
   resolveFactsForGateScope,
   readEvidence,
@@ -128,6 +162,7 @@ const defaultDependencies: LifecycleWatchDependencies = {
   emitGateBlockedNotification,
   runPolicyReconcile,
   resolvePumukiVersionMetadata,
+  resolveGitAtomicityEnforcement,
   nowMs: () => Date.now(),
   sleep: async (ms) => {
     await sleepTimer(ms);
@@ -280,6 +315,56 @@ const collectEvaluatedFilesFromFacts = (facts: ReadonlyArray<Fact>): ReadonlyArr
   return collectChangedFilesFromFacts(facts);
 };
 
+const resolveWatchAtomicityRange = (params: {
+  stage: LifecycleWatchStage;
+  scope: LifecycleWatchScope;
+  dependencies: LifecycleWatchDependencies;
+}): { fromRef?: string; toRef?: string } => {
+  if (params.stage === 'PRE_COMMIT') {
+    return {};
+  }
+  if (params.stage === 'CI') {
+    return {
+      fromRef: params.dependencies.resolveCiBaseRef(),
+      toRef: 'HEAD',
+    };
+  }
+  if (params.scope === 'workingTree') {
+    return {};
+  }
+  const upstreamRef = params.dependencies.resolveUpstreamRef();
+  if (typeof upstreamRef === 'string' && upstreamRef.trim().length > 0) {
+    return {
+      fromRef: upstreamRef,
+      toRef: 'HEAD',
+    };
+  }
+  const bootstrapBaseRef = params.dependencies.resolvePrePushBootstrapBaseRef();
+  if (bootstrapBaseRef !== 'HEAD') {
+    return {
+      fromRef: bootstrapBaseRef,
+      toRef: 'HEAD',
+    };
+  }
+  return {};
+};
+
+const toAtomicitySnapshotFindings = (
+  violations: ReadonlyArray<GitAtomicityViolation>,
+  enforcement: GitAtomicityEnforcementResolution
+): ReadonlyArray<SnapshotFinding> =>
+  violations.map((violation) => ({
+    ruleId: 'governance.git.atomicity',
+    severity: enforcement.blocking ? 'ERROR' : 'WARN',
+    code: violation.code,
+    message: violation.message,
+    file: '.pumuki/git-atomicity.json',
+    matchedBy: 'LifecycleWatch',
+    source: 'skills.backend.runtime-hygiene',
+    blocking: enforcement.blocking,
+    expected_fix: violation.remediation,
+  }));
+
 const toFirstCause = (params: {
   evidence: AiEvidenceV2_1 | undefined;
   matchedFindings: ReadonlyArray<SnapshotFinding>;
@@ -403,6 +488,36 @@ export const runLifecycleWatch = async (
         gateOutcome: 'BLOCK' | 'WARN' | 'ALLOW' | 'NO_EVIDENCE';
         topCodes: ReadonlyArray<string>;
       }> => {
+        const atomicityRange = resolveWatchAtomicityRange({
+          stage,
+          scope,
+          dependencies: activeDependencies,
+        });
+        const atomicity = activeDependencies.evaluateGitAtomicity({
+          repoRoot,
+          stage,
+          fromRef: atomicityRange.fromRef,
+          toRef: atomicityRange.toRef,
+        });
+        const atomicityEnforcement = activeDependencies.resolveGitAtomicityEnforcement();
+        const atomicityFindings =
+          atomicity.enabled && !atomicity.allowed
+            ? toAtomicitySnapshotFindings(atomicity.violations, atomicityEnforcement)
+            : [];
+        if (atomicityFindings.length > 0 && atomicityEnforcement.blocking) {
+          const allFindings = atomicityFindings;
+          const matchedFindings = allFindings.filter((finding) =>
+            isSeverityAtLeast(finding.severity, thresholdSeverity)
+          );
+          return {
+            gateExitCode: 1,
+            evidence: undefined,
+            allFindings,
+            matchedFindings,
+            gateOutcome: 'BLOCK',
+            topCodes: toTopCodes(matchedFindings),
+          };
+        }
         const manifestSnapshot = captureWatchManifestGuardSnapshot(repoRoot);
         let gateExitCode = await activeDependencies.runPlatformGate({
           policy: resolvedPolicy.policy,
@@ -432,20 +547,28 @@ export const runLifecycleWatch = async (
                 source: 'skills.backend.runtime-hygiene',
               }
             : null;
+        const allFindingsWithAtomicity = [...allFindingsBase, ...atomicityFindings];
+        const matchedFindingsWithAtomicity = allFindingsWithAtomicity.filter((finding) =>
+          isSeverityAtLeast(finding.severity, thresholdSeverity)
+        );
         const allFindings = manifestMutationFinding
-          ? [...allFindingsBase, manifestMutationFinding]
-          : allFindingsBase;
+          ? [...allFindingsWithAtomicity, manifestMutationFinding]
+          : allFindingsWithAtomicity;
         const matchedFindings = manifestMutationFinding
-          ? [...matchedFindingsBase, manifestMutationFinding]
-          : matchedFindingsBase;
+          ? [...matchedFindingsWithAtomicity, manifestMutationFinding]
+          : matchedFindingsWithAtomicity;
         const rawGateOutcome =
           evidence?.snapshot.outcome ??
           (gateExitCode !== 0 ? 'BLOCK' : 'NO_EVIDENCE');
-        const gateOutcome = manifestMutationFinding
-          ? 'BLOCK'
-          : rawGateOutcome === 'PASS'
+        const normalizedGateOutcome =
+          rawGateOutcome === 'PASS'
             ? 'ALLOW'
             : rawGateOutcome;
+        const gateOutcome = manifestMutationFinding
+          ? 'BLOCK'
+          : normalizedGateOutcome === 'ALLOW' && atomicityFindings.length > 0
+            ? 'WARN'
+            : normalizedGateOutcome;
         if (manifestMutationFinding) {
           gateExitCode = 1;
           process.stderr.write(
@@ -465,9 +588,32 @@ export const runLifecycleWatch = async (
 
       let evaluation = await runEvaluation(activeDependencies.resolvePolicyForStage(stage));
       if (autoPolicyReconcileEnabled && evaluation.gateExitCode !== 0) {
+        const toEvidenceViolationSeverity = (violation: {
+          severity?: string | null;
+          level?: string | null;
+        }): Severity => {
+          const candidate = typeof violation.severity === 'string'
+            ? violation.severity
+            : typeof violation.level === 'string'
+              ? violation.level
+              : null;
+          if (
+            candidate === 'INFO' ||
+            candidate === 'WARN' ||
+            candidate === 'ERROR' ||
+            candidate === 'CRITICAL'
+          ) {
+            return candidate;
+          }
+          return 'INFO';
+        };
         const findingCodes = new Set<string>([
-          ...evaluation.allFindings.map((finding) => finding.code),
-          ...((evaluation.evidence?.ai_gate.violations ?? []).map((violation) => violation.code)),
+          ...evaluation.allFindings
+            .filter((finding) => isSeverityAtLeast(finding.severity, 'ERROR'))
+            .map((finding) => finding.code),
+          ...((evaluation.evidence?.ai_gate.violations ?? [])
+            .filter((violation) => isSeverityAtLeast(toEvidenceViolationSeverity(violation), 'ERROR'))
+            .map((violation) => violation.code)),
         ]);
         const shouldAttemptAutoReconcile = [...findingCodes].some((code) =>
           WATCH_POLICY_RECONCILE_CODES.has(code)

package/integrations/policy/gitAtomicityEnforcement.ts

@@ -0,0 +1,57 @@
+export type GitAtomicityEnforcementMode = 'advisory' | 'strict';
+
+export type GitAtomicityEnforcementResolution = {
+  mode: GitAtomicityEnforcementMode;
+  source: 'default' | 'env';
+  blocking: boolean;
+};
+
+const GIT_ATOMICITY_ENFORCEMENT_ENV = 'PUMUKI_GIT_ATOMICITY_ENFORCEMENT';
+
+const toGitAtomicityEnforcementMode = (
+  value: string | undefined
+): GitAtomicityEnforcementMode | null => {
+  if (typeof value !== 'string') {
+    return null;
+  }
+  const normalized = value.trim().toLowerCase();
+  if (
+    normalized === 'strict'
+    || normalized === '1'
+    || normalized === 'true'
+    || normalized === 'yes'
+    || normalized === 'on'
+  ) {
+    return 'strict';
+  }
+  if (
+    normalized === 'advisory'
+    || normalized === 'warn'
+    || normalized === 'warning'
+    || normalized === '0'
+    || normalized === 'false'
+    || normalized === 'no'
+    || normalized === 'off'
+  ) {
+    return 'advisory';
+  }
+  return null;
+};
+
+export const resolveGitAtomicityEnforcement = (): GitAtomicityEnforcementResolution => {
+  const modeFromEnv = toGitAtomicityEnforcementMode(
+    process.env[GIT_ATOMICITY_ENFORCEMENT_ENV]
+  );
+  if (modeFromEnv) {
+    return {
+      mode: modeFromEnv,
+      source: 'env',
+      blocking: modeFromEnv === 'strict',
+    };
+  }
+  return {
+    mode: 'advisory',
+    source: 'default',
+    blocking: false,
+  };
+};

package/integrations/policy/preWriteEnforcement.ts

@@ -0,0 +1,41 @@
+export type PreWriteEnforcementMode = 'advisory' | 'strict';
+
+export type PreWriteEnforcementResolution = {
+  mode: PreWriteEnforcementMode;
+  source: 'default' | 'env';
+  blocking: boolean;
+};
+
+const PRE_WRITE_ENFORCEMENT_ENV = 'PUMUKI_PREWRITE_ENFORCEMENT';
+
+const toPreWriteEnforcementMode = (
+  value: string | undefined
+): PreWriteEnforcementMode | null => {
+  if (typeof value !== 'string') {
+    return null;
+  }
+  const normalized = value.trim().toLowerCase();
+  if (normalized === 'strict') {
+    return 'strict';
+  }
+  if (normalized === 'advisory' || normalized === 'warn' || normalized === 'warning') {
+    return 'advisory';
+  }
+  return null;
+};
+
+export const resolvePreWriteEnforcement = (): PreWriteEnforcementResolution => {
+  const modeFromEnv = toPreWriteEnforcementMode(process.env[PRE_WRITE_ENFORCEMENT_ENV]);
+  if (modeFromEnv) {
+    return {
+      mode: modeFromEnv,
+      source: 'env',
+      blocking: modeFromEnv === 'strict',
+    };
+  }
+  return {
+    mode: 'advisory',
+    source: 'default',
+    blocking: false,
+  };
+};

package/integrations/policy/skillsEnforcement.ts

@@ -0,0 +1,64 @@
+export type SkillsEnforcementMode = 'advisory' | 'strict';
+
+export type SkillsEnforcementResolution = {
+  mode: SkillsEnforcementMode;
+  source: 'default' | 'env' | 'prewrite';
+  blocking: boolean;
+};
+
+const SKILLS_ENFORCEMENT_ENV = 'PUMUKI_SKILLS_ENFORCEMENT';
+const PRE_WRITE_ENFORCEMENT_ENV = 'PUMUKI_PREWRITE_ENFORCEMENT';
+
+const toSkillsEnforcementMode = (
+  value: string | undefined
+): SkillsEnforcementMode | null => {
+  if (typeof value !== 'string') {
+    return null;
+  }
+  const normalized = value.trim().toLowerCase();
+  if (
+    normalized === 'strict'
+    || normalized === '1'
+    || normalized === 'true'
+    || normalized === 'yes'
+    || normalized === 'on'
+  ) {
+    return 'strict';
+  }
+  if (
+    normalized === 'advisory'
+    || normalized === 'warn'
+    || normalized === 'warning'
+    || normalized === '0'
+    || normalized === 'false'
+    || normalized === 'no'
+    || normalized === 'off'
+  ) {
+    return 'advisory';
+  }
+  return null;
+};
+
+export const resolveSkillsEnforcement = (): SkillsEnforcementResolution => {
+  const modeFromEnv = toSkillsEnforcementMode(process.env[SKILLS_ENFORCEMENT_ENV]);
+  if (modeFromEnv) {
+    return {
+      mode: modeFromEnv,
+      source: 'env',
+      blocking: modeFromEnv === 'strict',
+    };
+  }
+  const preWriteMode = process.env[PRE_WRITE_ENFORCEMENT_ENV]?.trim().toLowerCase();
+  if (preWriteMode === 'strict') {
+    return {
+      mode: 'strict',
+      source: 'prewrite',
+      blocking: true,
+    };
+  }
+  return {
+    mode: 'advisory',
+    source: 'default',
+    blocking: false,
+  };
+};

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.57",
+  "version": "6.3.59",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {
@@ -95,9 +95,8 @@
     "validation:phase8:mark-followup-state": "bash scripts/mark-phase8-support-followup-state.sh",
     "validation:phase8:mark-followup-posted-now": "bash scripts/mark-phase8-followup-posted-now.sh",
     "validation:phase8:mark-followup-replied-now": "bash scripts/mark-phase8-followup-replied-now.sh",
-    "validation:phase8:ready-handoff": "bash scripts/build-phase8-ready-handoff-summary.sh",
     "validation:phase8:close-ready": "bash scripts/run-phase8-close-ready.sh",
-    "validation:progress-single-active": "bash scripts/check-refactor-progress-single-active.sh",
+    "validation:progress-single-active": "bash scripts/check-tracking-single-active.sh PUMUKI-RESET-MASTER-PLAN.md",
     "validation:self-worktree-hygiene": "node --import tsx scripts/check-self-worktree-hygiene.ts",
     "validation:tracking-single-active": "bash scripts/check-tracking-single-active.sh",
     "validation:backlog-reconcile": "node --import tsx scripts/reconcile-consumer-backlog-issues.ts",
@@ -107,7 +106,6 @@
     "validation:backlog-watch:gate": "node --import tsx scripts/watch-consumer-backlog-fleet-tick.ts --json",
     "validation:phase5-escalation:ready-to-submit": "bash scripts/check-phase5-escalation-ready-to-submit.sh",
     "validation:phase5-escalation:prepare": "bash scripts/prepare-phase5-escalation-submission.sh",
-    "validation:phase5-escalation:close-submission": "bash scripts/close-phase5-escalation-submission.sh",
     "validation:phase5-escalation:mark-submitted": "bash scripts/mark-phase5-escalation-submitted.sh",
     "validation:phase5-escalation:payload": "bash scripts/build-phase5-support-portal-payload.sh",
     "validation:architecture-guardrails": "npx --yes tsx@4.21.0 --test scripts/__tests__/architecture-file-size-guardrails.test.ts",
@@ -203,6 +201,7 @@
     "integrations/evidence/*.ts",
     "integrations/gate/*.ts",
     "integrations/git/*.ts",
+    "integrations/policy/*.ts",
     "integrations/tdd/*.ts",
     "integrations/lifecycle/*.ts",
     "integrations/lifecycle/*.json",