pumuki 6.3.58 → 6.3.60

package/VERSION

@@ -1 +1 @@
-v6.3.58
+v6.3.57

package/bin/_run-ts-entry.js

@@ -22,7 +22,10 @@ function runTsEntry(relativeEntry, forwardedArgs = []) {
     [tsxCli, entryFile, ...forwardedArgs],
     {
       stdio: 'inherit',
-      env: process.env,
+      env: {
+        ...process.env,
+        PUMUKI_RUNTIME_EXECUTION_SOURCE: 'source-bin',
+      },
     }
   );
 

package/core/facts/detectors/text/ios.test.ts

@@ -111,6 +111,16 @@ test('hasSwiftCallbackStyleSignature ignora usos fuera de firmas callback', () =
   assert.equal(hasSwiftCallbackStyleSignature(source), false);
 });
 
+test('hasSwiftCallbackStyleSignature ignora closures async modernos con @Sendable', () => {
+  const source = `
+public init(publish: @escaping @Sendable ([AppRoute]) async -> Void) {
+  self.publish = publish
+}
+`;
+
+  assert.equal(hasSwiftCallbackStyleSignature(source), false);
+});
+
 test('detecta primitivas GCD y OperationQueue en codigo ejecutable', () => {
   const source = `
 DispatchQueue.main.async { }

package/core/rules/presets/iosEnterpriseRuleSet.test.ts

@@ -35,7 +35,7 @@ test('iosEnterpriseRuleSet define reglas locked para plataforma ios', () => {
   assert.equal(byId.get('ios.solid.srp.presentation-mixed-responsibilities')?.when.kind, 'Heuristic');
   assert.equal(byId.get('ios.canary-001.presentation-mixed-responsibilities')?.when.kind, 'Heuristic');
   assert.equal(byId.get('ios.tdd.domain-changes-require-tests')?.when.kind, 'All');
-  assert.equal(byId.get('ios.no-completion-handlers-outside-bridges')?.when.kind, 'Any');
+  assert.equal(byId.get('ios.no-completion-handlers-outside-bridges')?.when.kind, 'Heuristic');
   assert.equal(byId.get('ios.no-force-unwrap')?.when.kind, 'All');
   assert.equal(byId.get('ios.no-force-unwrap')?.when.conditions[0]?.kind, 'Heuristic');
 
@@ -90,6 +90,54 @@ test('ios.no-force-unwrap bloquea cuando la heuristica detecta force unwrap real
   assert.equal(findings[0]?.code, 'IOS_NO_FORCE_UNWRAP');
 });
 
+test('ios.no-completion-handlers-outside-bridges ignora closures async modernos', () => {
+  const rule = iosEnterpriseRuleSet.find(
+    (candidate) => candidate.id === 'ios.no-completion-handlers-outside-bridges'
+  );
+  assert.ok(rule);
+
+  const findings = evaluateRules([rule], [
+    {
+      kind: 'FileContent',
+      path: 'Sources/AppComposition/Presentation/ProtectedPathCommandChannel.swift',
+      content:
+        'public init(publish: @escaping @Sendable ([AppRoute]) async -> Void) { self.publish = publish }',
+      source: 'unit-test',
+    },
+  ]);
+
+  assert.deepEqual(findings, []);
+});
+
+test('ios.no-completion-handlers-outside-bridges bloquea callback-style signatures detectadas por AST', () => {
+  const rule = iosEnterpriseRuleSet.find(
+    (candidate) => candidate.id === 'ios.no-completion-handlers-outside-bridges'
+  );
+  assert.ok(rule);
+
+  const findings = evaluateRules([rule], [
+    {
+      kind: 'FileContent',
+      path: 'Sources/Features/Flights/Application/LegacyAdapter.swift',
+      content: 'func fetch(completion: @escaping (Result<Void, Error>) -> Void) {}',
+      source: 'unit-test',
+    },
+    {
+      kind: 'Heuristic',
+      ruleId: 'heuristics.ios.callback-style.ast',
+      severity: 'CRITICAL',
+      code: 'HEURISTICS_IOS_CALLBACK_STYLE_AST',
+      message: 'AST heuristic detected callback-style API signature outside bridge layers.',
+      filePath: 'Sources/Features/Flights/Application/LegacyAdapter.swift',
+      source: 'heuristics:ast',
+    },
+  ]);
+
+  assert.equal(findings.length, 1);
+  assert.equal(findings[0]?.ruleId, 'ios.no-completion-handlers-outside-bridges');
+  assert.equal(findings[0]?.code, 'IOS_NO_COMPLETION_HANDLERS');
+});
+
 test('ios.canary-001.presentation-mixed-responsibilities emite finding bloqueante con metadata semantica', () => {
   const rule = iosEnterpriseRuleSet.find(
     (candidate) => candidate.id === 'ios.canary-001.presentation-mixed-responsibilities'

package/core/rules/presets/iosEnterpriseRuleSet.ts

@@ -341,17 +341,10 @@ export const iosEnterpriseRuleSet: RuleSet = [
       exclude: ['**/Bridges/**', '**/*Tests*/**'],
     },
     when: {
-      kind: 'Any',
-      conditions: [
-        {
-          kind: 'FileContent',
-          contains: ['@escaping'],
-        },
-        {
-          kind: 'FileContent',
-          contains: ['completion:'],
-        },
-      ],
+      kind: 'Heuristic',
+      where: {
+        ruleId: 'heuristics.ios.callback-style.ast',
+      },
     },
     then: {
       kind: 'Finding',

package/docs/README.md

@@ -33,8 +33,7 @@ Mapa corto y humano de la documentación oficial de Pumuki.
   - `docs/validation/README.md`
 
 - Quiero saber en qué estamos ahora:
-  - `docs/tracking/estado-ejecutivo.md`
-  - `docs/tracking/plan-activo-de-trabajo.md`
+  - `PUMUKI-RESET-MASTER-PLAN.md`
 
 ## Estructura oficial
 
@@ -60,14 +59,9 @@ Mapa corto y humano de la documentación oficial de Pumuki.
 - `docs/codex-skills/`
   - Skills vendorizadas que el repo usa como contrato local.
 
-- `docs/tracking/`
-  - Seguimiento permitido y solo el imprescindible.
-  - Maestro: `docs/tracking/estado-ejecutivo.md`
-  - Plan activo: `docs/tracking/plan-activo-de-trabajo.md`
-  - Históricos técnicos permitidos:
-    - `docs/tracking/historico-validacion-ruralgo-03-03-2026.md`
-    - `docs/tracking/historico-contrato-aceptacion-c022.md`
-  - Regla hard: solo puede existir una tarea `🚧` en el plan activo.
+- Seguimiento operativo:
+  - Fuente viva única: `PUMUKI-RESET-MASTER-PLAN.md`
+  - Regla hard: no mantener MDs legacy de seguimiento dentro del repo.
 
 ## Fuera de `docs/`
 
@@ -76,6 +70,7 @@ Mapa corto y humano de la documentación oficial de Pumuki.
 - `CHANGELOG.md`
 - `AGENTS.md`
 - `PUMUKI.md`
+- `PUMUKI-RESET-MASTER-PLAN.md`
 
 ## Lo que no se conserva
 

package/docs/operations/RELEASE_NOTES.md

@@ -6,24 +6,35 @@ This file keeps only the operational highlights and rollout notes that matter wh
 
 ## 2026-03 (enterprise hardening updates)
 
-### 2026-03-14 (v6.3.58)
-
-- PRE_WRITE no-op stability for consumer slices:
-  - clean slices with `pending_changes=0` no longer fail by undetected multi-platform skills contract noise,
-  - the resulting contract is now `NOT_APPLICABLE` when there is no materialized active platform scope.
-- PRE_WRITE freshness autocure:
-  - stale `ai_evidence` and stale MCP receipts are refreshed even if the SDD session itself is invalid,
-  - operational noise is removed before the final decision is reported.
-- Deep doctor de-escalation:
-  - missing/stale evidence is now treated as operational drift (`warning`) instead of a hard diagnostic block.
+### 2026-03-14 (unreleased)
+
+- Support surface removed from product baseline:
+  - consumer support bundle, startup triage, adapter readiness and phase5 closure helpers are now presented as auxiliary support toolkit,
+  - product docs and menu labels no longer describe that surface as baseline framework behavior.
+- Canonical support namespace:
+  - new primary npm commands: `toolkit:*`,
+  - legacy `validation:*` commands remain only as compatibility aliases for existing automations.
+- Legacy escalation/handoff surface frozen:
+  - `phase5-latest`, `phase5-escalation`, `phase8` and final external handoff/reporting now live under `toolkit:legacy:*`,
+  - shell chains and next-command hints already point to `toolkit:legacy:*` instead of treating `validation:*` as the primary contract.
 - Operational impact:
-  - `SAAS · PUMUKI-021` is left with only release/adoption work; the core no longer has a technical residual for that bug.
-- Validation evidence:
-  - `npm run -s typecheck` (`PASS`)
-  - `node --import tsx --test integrations/gate/__tests__/evaluateAiGate.test.ts` (`40 pass / 0 fail`)
-  - `node --import tsx --test --test-name-pattern "autocura evidence y receipt stale aunque la sesión SDD esté inválida|blocks AI gate violations in strict enforcement mode|blocks missing OpenSpec in strict enforcement mode|expone next_action de reconcile cuando active_rule_ids está vacío para código|expone next_action con slice atómico" integrations/lifecycle/__tests__/cli.test.ts` (`4 pass / 0 fail`)
-  - `npm run -s validation:package-manifest` (`PASS`)
-  - `npm pack --json --dry-run` (`PASS`)
+  - the product baseline stays focused on install/status/doctor/gate,
+  - support and rollout helpers remain available without contaminating the core surface,
+  - frozen escalation chains stay callable for legacy workflows but leave the official product API.
+- Legacy export/reporting downgraded to read-only snapshots:
+  - legacy markdown export and consumer runtime export now declare themselves as `legacy read-only evidence snapshots`,
+  - they no longer publish prescriptive `next_action` / `blocked` copy or act as a parallel gate summary outside canonical `status` / `doctor`.
+- Consumer menu shell parity tightened:
+  - consumer mode now groups `1/2/3/4` as canonical read-only gate flows, `8` as the matching read-only markdown export, and `5/6/7/9` as `Legacy Read-Only Diagnostics`,
+  - fixture validation on `ios-architecture-showcase` confirms parity between gate execution, menu summary, and exported markdown snapshot.
+- Fixture acceptance baseline added:
+  - `validation:consumer-matrix-baseline` now runs repeated consumer matrix rounds against a real fixture repo,
+  - the command emits `report.json` + `summary.md` under `.audit-reports/fixture-matrix/<fixture>/consumer-menu-matrix-baseline/`, adds `doctor_blocking` plus `layerSummary`, and fails fast on drift,
+  - real baselines on `2026-03-14` are already stable for `ios-architecture-showcase`, `SAAS:APP_SUPERMERCADOS`, and `R_GO`, which makes per-layer acceptance visible before any promotion to blocking.
+- Release readiness frozen for the reset:
+  - release decision now depends on an explicit checklist (`typecheck`, enterprise contract suite, package manifest, both package smokes, and the three fixture baselines),
+  - publication is allowed only from `release/<semver>` cut from `develop`,
+  - rollback is defined as previous stable semver + consumer repin + revalidation of `status` / `doctor` / fixture baseline.
 
 ### 2026-03-11 (v6.3.57)
 

package/docs/product/API_REFERENCE.md

@@ -301,7 +301,7 @@ Consumption: `docs/mcp/agent-context-consumption.md`.
 npm run framework:menu
 npm run adapter:install -- --agent=codex --dry-run
 npx --yes pumuki adapter install --agent=cursor
-npm run validation:adapter-readiness
+npm run toolkit:adapter-readiness
 npm run typecheck
 npm run test:deterministic
 ```
@@ -318,11 +318,19 @@ Consumer menu pre-flight:
 - options `1/2/3/4` execute pre-flight before gate evaluation
 - pre-flight checks `repo_state`, stale/missing evidence, git-flow protected branches, and AI gate chain consistency
 - stage mapping is deterministic: `1/3 -> PRE_COMMIT`, `2/4 -> PRE_PUSH`
+- consumer mode is a read-only shell: `1/2/3/4` are gate flows, `8` is the matching markdown export, and `5/6/7/9` are `Legacy Read-Only Diagnostics`
 - in modern UI mode (`PUMUKI_MENU_UI_V2=1`) options are grouped by domains while preserving IDs and execution wiring
 - advanced maintenance option `33` imports custom rules from `AGENTS.md/SKILLS.md` to `/.pumuki/custom-rules.json`
 - menu audits no longer bypass SDD; `sdd.policy.blocked` can be emitted in menu-driven runs
+- advanced options `28/29/30/32` are legacy read-only audits: they help inspect evidence snapshots, but they do not redefine the canonical gate verdict
+- acceptance baseline helper: `npm run validation:consumer-matrix-baseline -- --repo-root /absolute/path/to/<fixture> --fixture <name> --rounds 3 --json`
+- baseline outputs are written under `.audit-reports/fixture-matrix/<fixture>/consumer-menu-matrix-baseline/{report.json,summary.md}` and return exit `1` on drift
+- baseline `report.json` also carries `status.policyValidation`, `status.experimentalFeatures`, `doctor.blocking`, and `doctor.layerSummary`
+- validated acceptance snapshots on `2026-03-14`: `ios-architecture-showcase=stable YES`, `SAAS:APP_SUPERMERCADOS=stable YES`, `R_GO=stable YES`
 
-## Optional diagnostics adapters
+## Optional support toolkit
+
+Primary namespace is `toolkit:*`. Legacy `validation:*` aliases remain only for compatibility.
 
 Files:
 
@@ -340,16 +348,15 @@ Files:
 
 Commands:
 
-- `npm run validation:adapter-readiness`
-- `npm run validation:adapter-session-status`
-- `npm run validation:adapter-real-session-report`
-- `npm run validation:phase5-blockers-readiness`
-- `npm run validation:phase5-execution-closure-status`
-- `npm run validation:phase5-execution-closure`
-- `npm run validation:phase5-external-handoff`
-- `npm run validation:clean-artifacts`
+- `npm run toolkit:adapter-readiness`
+- `npm run toolkit:adapter-session-status`
+- `npm run toolkit:adapter-real-session-report`
+- `npm run toolkit:phase5-blockers-readiness`
+- `npm run toolkit:phase5-execution-closure-status`
+- `npm run toolkit:phase5-execution-closure`
+- `npm run toolkit:clean-artifacts`
 
-`validation:phase5-execution-closure` notes:
+`toolkit:phase5-execution-closure` notes:
 
 - defaults to output directory `.audit-reports/phase5`
 - runs auth preflight and fails fast on auth/scope blockers
@@ -357,11 +364,23 @@ Commands:
 
 Framework menu action:
 
-- `Build adapter readiness report`
-- `Build phase5 execution closure status report`
-- `Run phase5 execution closure (one-shot orchestration)`
-- `Build phase5 external handoff report`
-- `Clean local validation artifacts`
+- `Toolkit: build adapter readiness report`
+- `Toolkit: build phase5 execution closure status report`
+- `Toolkit: run phase5 execution closure`
+- `Toolkit: clean local validation artifacts`
+
+Frozen legacy support namespace:
+
+- `npm run toolkit:legacy:phase5-external-handoff`
+- `npm run toolkit:legacy:phase5-latest:refresh`
+- `npm run toolkit:legacy:phase5-latest:ready-check`
+- `npm run toolkit:legacy:phase5-escalation:prepare`
+- `npm run toolkit:legacy:phase8:doctor`
+- `npm run toolkit:legacy:phase8:close-ready`
+
+Legacy advanced menu action:
+
+- `Toolkit legacy: build phase5 external handoff report`
 
 Deterministic argument builders exported from menu module:
 

package/docs/product/CONFIGURATION.md

@@ -74,13 +74,20 @@ Ownership model:
 - CI and team members must evaluate the same committed contract files.
 - User-home skill sources (`~/.codex/**`) are not runtime inputs for CI gate decisions.
 
-Compile/check commands:
+Compile/check commands in the Pumuki source workspace:
 
 ```bash
 npm run skills:compile
 npm run skills:lock:check
 ```
 
+If you are validating an installed consumer package rather than the Pumuki source repo, invoke the packaged tool directly instead of assuming consumer-local `npm run skills:*` scripts:
+
+```bash
+npx --yes tsx@4.21.0 ./node_modules/pumuki/scripts/compile-skills-lock.ts
+npx --yes tsx@4.21.0 ./node_modules/pumuki/scripts/compile-skills-lock.ts --check
+```
+
 CI guardrail:
 
 - `.github/workflows/ci.yml` includes `Skills Lock Freshness` and fails when committed lock is stale.

package/docs/product/HOW_IT_WORKS.md

@@ -109,39 +109,39 @@ npx tsx integrations/git/prePushBackend.cli.ts
 npx tsx integrations/git/ciFrontend.cli.ts
 ```
 
-## Operational adapters (optional)
+## Support toolkit (optional)
 
-Adapter diagnostics are intentionally outside the deterministic gate runtime.
+Adapter diagnostics and rollout helpers are intentionally outside the deterministic gate runtime and outside the product baseline.
 
 - They live under `scripts/*` and `docs/validation/*`.
 - They do not change PRE_COMMIT/PRE_PUSH/CI outcomes.
-- They support rollout diagnostics and incident triage.
+- They support rollout diagnostics and incident triage as auxiliary toolkit.
 
 Typical commands:
 
 ```bash
-npm run validation:adapter-readiness -- \
+npm run toolkit:adapter-readiness -- \
   --adapter-report .audit-reports/adapter/adapter-real-session-report.md \
   --out .audit-reports/adapter/adapter-readiness.md
 
-npm run validation:adapter-session-status -- \
+npm run toolkit:adapter-session-status -- \
   --out .audit-reports/adapter/adapter-session-status.md
 
-npm run validation:adapter-real-session-report -- \
+npm run toolkit:adapter-real-session-report -- \
   --status-report .audit-reports/adapter/adapter-session-status.md \
   --out .audit-reports/adapter/adapter-real-session-report.md
 
-npm run validation:phase5-blockers-readiness -- \
+npm run toolkit:phase5-blockers-readiness -- \
   --consumer-triage-report .audit-reports/consumer-triage/consumer-startup-triage-report.md \
   --out .audit-reports/phase5/phase5-blockers-readiness.md
 
-npm run validation:phase5-execution-closure-status -- \
+npm run toolkit:phase5-execution-closure-status -- \
   --phase5-blockers-report .audit-reports/phase5/phase5-blockers-readiness.md \
   --consumer-unblock-report .audit-reports/consumer-triage/consumer-startup-unblock-status.md \
   --out .audit-reports/phase5/phase5-execution-closure-status.md
 ```
 
-Note: current adapter readiness command uses `--adapter-report` as the adapter input file flag.
+Primary namespace is `toolkit:*`; legacy `validation:*` aliases remain only for compatibility. Current adapter readiness command still uses `--adapter-report` as the adapter input file flag.
 
 ### CI workflows
 

package/docs/product/TESTING.md

@@ -80,6 +80,34 @@ npm run test:saas-ingestion
 npm run test:deterministic
 ```
 
+## Release readiness del reset
+
+Before deciding whether the reset is publishable, freeze this exact sequence:
+
+```bash
+npm run -s typecheck
+npm run -s validation:contract-suite:enterprise
+npm run -s validation:package-manifest
+npm run -s validation:package-smoke
+npm run -s validation:package-smoke:minimal
+npm run -s validation:consumer-matrix-baseline -- --repo-root /Users/juancarlosmerlosalbarracin/Developer/Projects/ios-architecture-showcase --fixture ios-architecture-showcase --rounds 3 --json
+npm run -s validation:consumer-matrix-baseline -- --repo-root "/Users/juancarlosmerlosalbarracin/Developer/Projects/SAAS:APP_SUPERMERCADOS" --fixture saas-app-supermercados --rounds 3 --json
+npm run -s validation:consumer-matrix-baseline -- --repo-root /Users/juancarlosmerlosalbarracin/Developer/Projects/R_GO --fixture r_go --rounds 3 --json
+git diff --check
+```
+
+Publication rule:
+
+- only publish from `release/<semver>` cut from `develop`
+- do not publish while a framework-owned fixture failure or known false-positive blocking signal remains
+- consumer-owned debt may remain only when it is explicitly classified and does not change the canonical framework verdict
+
+Minimum rollback:
+
+- revert to the previous stable `pumuki` semver
+- repin affected consumers to that exact version
+- rerun `status`, `doctor`, and the fixture baseline on the impacted consumer before declaring rollback complete
+
 ## CI alignment
 
 Workflows rely on the same deterministic model and should remain consistent with local commands:

package/docs/product/USAGE.md

@@ -121,6 +121,12 @@ npx --yes --package pumuki@latest pumuki-framework
 Menu starts in `Consumer` mode by default (focused operational options).
 Use `A` to switch to `Advanced` mode (full options), and `C` to return to `Consumer`.
 Advanced mode options include short inline contextual help.
+Consumer mode is now a minimal read-only shell:
+
+- `1/2/3/4` are the canonical read-only gate flows
+- `8` exports the same evidence snapshot in markdown form
+- `5/6/7/9` remain available only as `Legacy Read-Only Diagnostics`
+
 If needed, you can start directly in advanced mode:
 
 ```bash
@@ -145,14 +151,16 @@ To avoid host-specific defaults for consumer diagnostics prompts, set:
 export PUMUKI_CONSUMER_REPO_PATH=/absolute/path/to/consumer-repo
 ```
 
-Optional diagnostics adapters (runtime diagnostics and consumer startup triage) are also exposed from the menu, but they are not required for PRE_COMMIT/PRE_PUSH/CI gate outcomes.
+Advanced menu still exposes an auxiliary support toolkit (runtime diagnostics, consumer startup triage and phase5 closure helpers), but that toolkit is outside the product baseline and never required for PRE_COMMIT/PRE_PUSH/CI gate outcomes.
+
+Advanced menu options `28/29/30/32` are legacy read-only audits. They remain available for diagnosis, but they are not part of the baseline gate shell and must not be interpreted as the canonical gate result.
 
-Adapter readiness diagnostics are available from the interactive menu as:
+Support toolkit actions are available from the interactive menu as:
 
-- `Build adapter readiness report`
-- `Build phase5 execution closure status report`
-- `Run phase5 execution closure (one-shot orchestration)`
-- `Clean local validation artifacts`
+- `Toolkit: build adapter readiness report`
+- `Toolkit: build phase5 execution closure status report`
+- `Toolkit: run phase5 execution closure`
+- `Toolkit: clean local validation artifacts`
 
 ### 1.1) Non-interactive consumer matrix (1/2/3/4/9)
 
@@ -183,6 +191,31 @@ Diagnosis semantics:
 - `violations-detected`: one or more findings were produced.
 - `unknown`: evidence is missing/invalid or report normalization could not resolve status.
 
+Repeated baseline for a real fixture:
+
+```bash
+npm run validation:consumer-matrix-baseline -- \
+  --repo-root /absolute/path/to/ios-architecture-showcase \
+  --fixture ios-architecture-showcase \
+  --rounds 3 \
+  --json
+```
+
+This command writes `report.json` and `summary.md` under `.audit-reports/fixture-matrix/<fixture>/consumer-menu-matrix-baseline/`.
+Exit code is `0` when the repeated matrix stays stable and `1` when drift is detected across rounds.
+The JSON snapshot also includes:
+
+- `status.policyValidation`
+- `status.experimentalFeatures`
+- `doctor.blocking`
+- `doctor.layerSummary` for `core`, `operational`, `integration`, `policy-pack`, and `experimental`
+
+Real baselines validated on `2026-03-14`:
+
+- `ios-architecture-showcase`: `stable=YES`, with deterministic matrix output across `3` rounds
+- `SAAS:APP_SUPERMERCADOS`: `stable=YES`, `layerSummary={core:FAIL, operational:WARN, integration:FAIL, policy-pack:WARN, experimental:PASS}`
+- `R_GO`: `stable=YES`, `layerSummary={core:PASS, operational:WARN, integration:PASS, policy-pack:WARN, experimental:PASS}`
+
 Optional canary execution (controlled temporary violation + cleanup):
 
 ```bash
@@ -311,13 +344,20 @@ npx --yes pumuki adapter install --agent=codex --dry-run
 npx --yes pumuki adapter install --agent=cursor
 npm run adapter:install -- --agent=claude
 
-# skills engine helpers
+# skills engine helpers (inside the Pumuki source repo)
 npm run skills:compile
 npm run skills:lock:check
 npm run skills:import:custom
 npm run skills:import:custom -- --source /abs/path/to/SKILL.md --source ./skills/backend/SKILL.md
 ```
 
+If you are operating from a consumer repository with the published package installed, do not assume `npm run skills:*` exists in the consumer. Use the packaged script directly instead:
+
+```bash
+npx --yes tsx@4.21.0 ./node_modules/pumuki/scripts/compile-skills-lock.ts
+npx --yes tsx@4.21.0 ./node_modules/pumuki/scripts/compile-skills-lock.ts --check
+```
+
 `pumuki remove` is the enterprise-safe removal path because it performs lifecycle cleanup before package uninstall.
 When no modules remain, it also prunes orphan `node_modules/.package-lock.json` residue.
 Plain `npm uninstall pumuki` removes only the dependency; it does not remove managed hooks or lifecycle state.
@@ -570,56 +610,58 @@ Verificación post-rollback:
 - `npx --yes pumuki analytics hotspots diagnose --json` puede quedar en `degraded` por artefactos ausentes.
 - El flujo local de gate (`pre-write/pre-commit/pre-push/ci`) sigue operativo y no depende de publicación SaaS.
 
-### 3) Diagnostics reports (optional adapters)
+### 3) Support toolkit reports (advanced-only, optional)
+
+These commands are support tooling, not gate baseline. Primary namespace is `toolkit:*`; legacy `validation:*` aliases remain only for compatibility.
 
 ```bash
 # Adapter-only readiness
 # (current adapter implementation consumes --adapter-report as input path)
-npm run validation:adapter-readiness -- \
+npm run toolkit:adapter-readiness -- \
   --adapter-report .audit-reports/adapter/adapter-real-session-report.md \
   --out .audit-reports/adapter/adapter-readiness.md
 
 # Adapter runtime status/report aliases (provider-agnostic command naming)
-npm run validation:adapter-session-status -- \
+npm run toolkit:adapter-session-status -- \
   --out .audit-reports/adapter/adapter-session-status.md
 
-npm run validation:adapter-real-session-report -- \
+npm run toolkit:adapter-real-session-report -- \
   --status-report .audit-reports/adapter/adapter-session-status.md \
   --out .audit-reports/adapter/adapter-real-session-report.md
 
 # Phase 5 consolidated readiness (consumer triage required, adapter report optional by default)
-npm run validation:phase5-blockers-readiness -- \
+npm run toolkit:phase5-blockers-readiness -- \
   --consumer-triage-report .audit-reports/consumer-triage/consumer-startup-triage-report.md \
   --out .audit-reports/phase5/phase5-blockers-readiness.md
 
 # Phase 5 execution-closure status snapshot
-npm run validation:phase5-execution-closure-status -- \
+npm run toolkit:phase5-execution-closure-status -- \
   --phase5-blockers-report .audit-reports/phase5/phase5-blockers-readiness.md \
   --consumer-unblock-report .audit-reports/consumer-triage/consumer-startup-unblock-status.md \
   --out .audit-reports/phase5/phase5-execution-closure-status.md
 
 # One-shot: run full Phase 5 execution-closure orchestration
-npm run validation:phase5-execution-closure -- \
+npm run toolkit:phase5-execution-closure -- \
   --repo <owner>/<repo> \
   --out-dir .audit-reports/phase5 \
   --skip-workflow-lint
 
 # Local mock-consumer closure (no external GH dependency)
-npm run validation:phase5-execution-closure -- \
+npm run toolkit:phase5-execution-closure -- \
   --repo <owner>/<repo> \
   --out-dir .audit-reports/phase5 \
   --mock-consumer
 
 # Optional: disable auth preflight fail-fast
-npm run validation:phase5-execution-closure -- \
+npm run toolkit:phase5-execution-closure -- \
   --repo <owner>/<repo> \
   --out-dir .audit-reports/phase5 \
   --skip-workflow-lint \
   --skip-auth-preflight
 
 # Optional: clean local generated validation artifacts
-npm run validation:clean-artifacts
-npm run validation:clean-artifacts -- --dry-run
+npm run toolkit:clean-artifacts
+npm run toolkit:clean-artifacts -- --dry-run
 ```
 
 ## Scope behavior

package/docs/validation/README.md

@@ -13,13 +13,8 @@ Este directorio contiene solo documentación estable de validación y runbooks o
 
 ## Estado de seguimiento
 
-- Maestro: `docs/tracking/estado-ejecutivo.md`
-- Plan activo: `docs/tracking/plan-activo-de-trabajo.md`
-- Histórico permitido: `docs/tracking/historico-validacion-ruralgo-03-03-2026.md`
-
-## Histórico técnico conservado
-
-- `docs/tracking/historico-contrato-aceptacion-c022.md`
+- Fuente viva única: `PUMUKI-RESET-MASTER-PLAN.md`
+- No se conservan MDs legacy de seguimiento en `docs/tracking/`.
 
 ## Política de higiene
 
@@ -34,4 +29,33 @@ Este directorio contiene solo documentación estable de validación y runbooks o
 
 - Higiene hard del worktree propio: `npm run -s validation:self-worktree-hygiene`
 - Suite contractual enterprise: `npm run -s validation:contract-suite:enterprise`
+- Baseline repetible de fixture consumer: `npm run -s validation:consumer-matrix-baseline -- --repo-root /absolute/path/to/<fixture> --fixture <name> --rounds 3 --json`
+  - emite `report.json` + `summary.md` con `doctor_blocking` y `layerSummary`
+  - validado en `ios-architecture-showcase`, `SAAS:APP_SUPERMERCADOS` y `R_GO`
 - Verificación de plan activo único + higiene hard del worktree propio: `npm run -s validation:tracking-single-active`
+
+## Release readiness del reset
+
+Secuencia mínima congelada antes de decidir una publicación útil:
+
+- `npm run -s typecheck`
+- `npm run -s validation:contract-suite:enterprise`
+- `npm run -s validation:package-manifest`
+- `npm run -s validation:package-smoke`
+- `npm run -s validation:package-smoke:minimal`
+- `npm run -s validation:consumer-matrix-baseline -- --repo-root /Users/juancarlosmerlosalbarracin/Developer/Projects/ios-architecture-showcase --fixture ios-architecture-showcase --rounds 3 --json`
+- `npm run -s validation:consumer-matrix-baseline -- --repo-root "/Users/juancarlosmerlosalbarracin/Developer/Projects/SAAS:APP_SUPERMERCADOS" --fixture saas-app-supermercados --rounds 3 --json`
+- `npm run -s validation:consumer-matrix-baseline -- --repo-root /Users/juancarlosmerlosalbarracin/Developer/Projects/R_GO --fixture r_go --rounds 3 --json`
+- `git diff --check`
+
+Regla de publicación:
+
+- publicar solo desde `release/<semver>` cortada desde `develop`
+- exigir checklist verde o hallazgos remanentes ya clasificados como deuda del consumer, nunca como bug del framework
+- no publicar si reaparece un falso positivo blocking conocido o si un fixture necesita bypass manual
+
+Rollback mínimo:
+
+- volver al semver estable previo de `pumuki`
+- repinear consumers afectados a esa versión exacta
+- revalidar `status`, `doctor` y la baseline del consumer impactado antes de cerrar el incidente

package/integrations/config/compileSkillsLock.ts

@@ -208,7 +208,7 @@ export const checkSkillsLockStatus = (
   if (!existsSync(lockPath)) {
     return {
       status: 'missing',
-      details: `${lockFile} is missing. Run skills lock compilation.`,
+      details: `${lockFile} is missing. Generate it with the installed Pumuki skills lock tool.`,
     };
   }