pumuki 6.3.65 → 6.3.69

package/README.md

@@ -37,7 +37,7 @@ npx --yes pumuki status
 npx --yes pumuki doctor --json
 ```
 
-Desde **6.3.63**, `npm install` en la raíz de un repo **Git** dispara un `postinstall` que ejecuta `pumuki install` automáticamente (hooks `pre-commit` / `pre-push`). No configura MCP del IDE por sí solo: usa `pumuki install --with-mcp` o el adaptador. Desactivar el postinstall: `PUMUKI_SKIP_POSTINSTALL=1`. En CI suele saltarse solo (`CI=true`). En **6.3.64+**, las notificaciones del sistema en plataformas sin banner nativo se reflejan en **stderr** por defecto (`PUMUKI_DISABLE_STDERR_NOTIFICATIONS=1` para silenciarlas).
+Desde **6.3.63**, `npm install` en la raíz de un repo **Git** dispara un `postinstall` que ejecuta **`pumuki install` solo** (hooks `pre-commit` / `pre-push`, lifecycle, evidencia cuando aplica). **Pumuki no depende de ningún IDE** para el baseline: no toca `.cursor/` ni otros ficheros de editor por defecto. Desde **6.3.68**, cada hook gestionado ejecuta **`pumuki-pre-write` antes** de `pumuki-pre-commit` / `pumuki-pre-push` (stage **PRE_WRITE** vía Git). Saltar solo PRE_WRITE en hooks: `PUMUKI_SKIP_CHAINED_PRE_WRITE=1`. Desde **6.3.69**, esos mismos hooks aplican también **git-flow en ramas protegidas** (`GITFLOW_PROTECTED_BRANCH`) e **higiene de worktree** (`PUMUKI_PREWRITE_WORKTREE_*` / códigos `EVIDENCE_PREWRITE_WORKTREE_*`) cuando la evidencia es válida; el **modal macOS** de bloqueo (Desactivar / Silenciar 30 min / Mantener activas) queda **activo por defecto** si las notificaciones están habilitadas (`"blockedDialogEnabled": false` o `PUMUKI_MACOS_BLOCKED_DIALOG=0` para apagarlo). Tras install, si no existía, aparece **`.pumuki/adapter.json`** con los comandos de hooks y **MCP stdio** para referencia o para clientes que los registren manualmente. Para generar también config de IDE: **`pumuki install --with-mcp --agent=cursor`** (u otro) o **`pumuki bootstrap --enterprise --agent=…`**. Desactivar el postinstall: `PUMUKI_SKIP_POSTINSTALL=1`. En CI suele saltarse solo (`CI=true`). En **6.3.64+**, las notificaciones del sistema en plataformas sin banner nativo se reflejan en **stderr** por defecto (`PUMUKI_DISABLE_STDERR_NOTIFICATIONS=1` para silenciarlas). En **6.3.69+**, un `gate.blocked` en macOS también deja una copia en **stderr** por defecto (`PUMUKI_DISABLE_GATE_BLOCKED_STDERR_MIRROR=1` para desactivar solo eso).
 
 Fallback (equivalent in pasos separados):
 

package/docs/operations/RELEASE_NOTES.md

@@ -6,6 +6,24 @@ This file keeps only the operational highlights and rollout notes that matter wh
 
 ## 2026-04 (CLI stability and macOS notifications)
 
+### 2026-04-05 (v6.3.69)
+
+- **Hooks = política de repo**: `PRE_COMMIT` / `PRE_PUSH` / `CI` / `PRE_WRITE` incorporan **`GITFLOW_PROTECTED_BRANCH`** y **higiene de worktree** (`EVIDENCE_PREWRITE_WORKTREE_*`, env `PUMUKI_PREWRITE_WORKTREE_*`) vía fusión con `evaluateAiGate` en `runPlatformGate`.
+- **macOS bloqueos**: modal **Desactivar / Silenciar 30 min / Mantener activas** **on by default** si las notificaciones están habilitadas; normalización de etiquetas y parseo `osascript` más robusto; `gate.blocked` duplica payload en **stderr** por defecto (`PUMUKI_DISABLE_GATE_BLOCKED_STDERR_MIRROR=1` para opt-out).
+- **Rollout**: `pumuki@6.3.69`, **`pumuki install`** en consumidores si quieren hooks reescritos tras cambios previos; revisar `.pumuki/system-notifications.json` si asumías modal apagado sin clave `blockedDialogEnabled`.
+
+### 2026-04-06 (v6.3.68)
+
+- **PRE_WRITE sin depender del IDE**: `pre-commit` y `pre-push` gestionados ejecutan **`pumuki-pre-write`** antes del gate del stage principal. Opt-out: `PUMUKI_SKIP_CHAINED_PRE_WRITE=1`.
+- **`.pumuki/adapter.json`**: se crea en `pumuki install` si faltaba, con comandos de **MCP stdio** y hooks (plantilla `repo`); sigue sin imponer Cursor ni otros IDEs.
+- Rollout: `pumuki@6.3.68` y **`pumuki install`** en consumidores para reescribir hooks.
+
+### 2026-04-06 (v6.3.67)
+
+- **Corrección de producto**: el `postinstall` **no** acopla Pumuki a Cursor ni a ningún IDE. Vuelve a ejecutar solo **`pumuki install`** (baseline Git + lifecycle). IDE/MCP: opt-in con `pumuki install --with-mcp --agent=…` o `bootstrap --enterprise`.
+- La plantilla adaptador **Cursor** sigue pudiendo fusionar `.cursor/mcp.json` y escribir `.pumuki/adapter.json` cuando el equipo elige ese agente explícitamente.
+- Rollout: `pumuki@6.3.67` si **6.3.66** llegó a publicarse; si no, repin directo a **6.3.67**.
+
 ### 2026-04-06 (v6.3.65)
 
 - **pre-commit.com + `exec`**: Pumuki ya no inserta su bloque gestionado *después* del `exec` del hook generado por pre-commit (código inalcanzable). Tras actualizar a **6.3.65**, ejecutar `pumuki install` en el consumer para reordenar `.git/hooks/pre-commit`.

package/docs/product/CONFIGURATION.md

@@ -307,9 +307,9 @@ Blocking code:
 
 - `EVIDENCE_SKILLS_CONTRACT_INCOMPLETE` (when contract is incomplete outside PRE_WRITE)
 
-## PRE_WRITE worktree hygiene guard
+## Worktree hygiene guard (PRE_WRITE + Git hooks)
 
-AI Gate can enforce early worktree hygiene in `PRE_WRITE` to reduce non-atomic changes before commit time.
+AI Gate enforces worktree hygiene using **pending_changes** (or `staged + unstaged`) to reduce oversized batches before commit/push. The same thresholds apply to **`PRE_WRITE`**, **`PRE_COMMIT`**, **`PRE_PUSH`**, and **`CI`** when `.ai_evidence.json` is readable and valid (hooks merge these violations into `runPlatformGate`). Git-flow protected-branch checks (`GITFLOW_PROTECTED_BRANCH`) are also merged into hook runs.
 
 Environment variables:
 

package/docs/product/INSTALLATION.md

@@ -51,6 +51,8 @@ If both commands pass, the workspace is ready.
 npm install --save-exact pumuki
 ```
 
+The package `postinstall` runs **`pumuki install` only** (Git hooks + lifecycle wiring). Hooks chain **`pumuki-pre-write`** then **`pumuki-pre-commit`** / **`pumuki-pre-push`** (IDE-agnostic). When missing, **`.pumuki/adapter.json`** is created with hook + **MCP stdio** command lines (any MCP client can use them). It does **not** write IDE-specific files; use step 2 or `pumuki install --with-mcp --agent=<name>` for that.
+
 ### 2) Bootstrap managed lifecycle (recommended single command)
 
 ```bash

package/docs/product/USAGE.md

@@ -242,7 +242,7 @@ Stage mapping:
 If a scope is empty, the menu prints an explicit operational hint (`Scope vacío`), so `PASS` with zero findings is distinguishable from a clean repository scan.
 
 System notifications (macOS) can be enabled from advanced menu option `31` (persisted in `.pumuki/system-notifications.json`).
-On non-macOS platforms, the same payloads are written to **stderr** by default (visible in the terminal) because there is no native banner API. Set `PUMUKI_DISABLE_STDERR_NOTIFICATIONS=1` to silence that path (delivery reports `unsupported-platform` on those OSes). On macOS, set `PUMUKI_NOTIFICATION_STDERR_MIRROR=1` to duplicate the banner text to stderr in addition to the system notification.
+On non-macOS platforms, the same payloads are written to **stderr** by default (visible in the terminal) because there is no native banner API. Set `PUMUKI_DISABLE_STDERR_NOTIFICATIONS=1` to silence that path (delivery reports `unsupported-platform` on those OSes). On macOS, set `PUMUKI_NOTIFICATION_STDERR_MIRROR=1` to duplicate **any** notification payload to stderr in addition to the system notification. For **`gate.blocked`** specifically, stderr mirroring is **on by default** when the macOS path reports success (so a failed push/commit still prints a `[pumuki]` block in the terminal even if the banner does not appear); disable only that default with `PUMUKI_DISABLE_GATE_BLOCKED_STDERR_MIRROR=1`. The **blocked modal** (Swift floating / AppleScript) with **Desactivar / Silenciar 30 min / Mantener activas** is **on by default** whenever notifications are enabled and `blockedDialogEnabled` is omitted in `.pumuki/system-notifications.json`. Turn it off with `"blockedDialogEnabled": false` or `PUMUKI_MACOS_BLOCKED_DIALOG=0`. Ensure the terminal app is allowed to show notifications in **System Settings → Notifications**.
 Blocked notifications now use a native Swift floating modal (bottom-right) by default, with AppleScript fallback.
 Override mode with `PUMUKI_MACOS_BLOCKED_DIALOG_MODE=auto|swift-floating|applescript`.
 Custom skills import is available in advanced menu option `33` (writes `/.pumuki/custom-rules.json`).

package/integrations/gate/evaluateAiGate.ts

@@ -1093,25 +1093,6 @@ const collectPreWriteCoherenceViolations = (params: {
     );
   }
 
-  if (params.preWriteWorktreeHygiene.enabled && params.repoState.git.available) {
-    const pendingChanges = resolvePendingChanges(params.repoState) ?? 0;
-    if (pendingChanges >= params.preWriteWorktreeHygiene.blockThreshold) {
-      violations.push(
-        toErrorViolation(
-          'EVIDENCE_PREWRITE_WORKTREE_OVER_LIMIT',
-          `PRE_WRITE hygiene exceeded: pending_changes=${pendingChanges} (block_threshold=${params.preWriteWorktreeHygiene.blockThreshold}). Split worktree into atomic slices.`
-        )
-      );
-    } else if (pendingChanges >= params.preWriteWorktreeHygiene.warnThreshold) {
-      violations.push(
-        toWarnViolation(
-          'EVIDENCE_PREWRITE_WORKTREE_WARN',
-          `PRE_WRITE hygiene warning: pending_changes=${pendingChanges} (warn_threshold=${params.preWriteWorktreeHygiene.warnThreshold}). Consider splitting worktree into smaller slices.`
-        )
-      );
-    }
-  }
-
   return violations;
 };
 
@@ -1178,6 +1159,8 @@ const collectEvidenceViolations = (
     );
   }
 
+  appendWorktreeHygieneViolations(violations, repoState, preWriteWorktreeHygiene, stage);
+
   return { violations, ageSeconds };
 };
 
@@ -1228,6 +1211,33 @@ const resolvePendingChanges = (repoState: RepoState): number | null => {
   return repoState.git.pending_changes ?? (repoState.git.staged + repoState.git.unstaged);
 };
 
+const appendWorktreeHygieneViolations = (
+  violations: AiGateViolation[],
+  repoState: RepoState,
+  policy: PreWriteWorktreeHygienePolicy,
+  stageLabel: AiGateStage
+): void => {
+  if (!policy.enabled || !repoState.git.available) {
+    return;
+  }
+  const pendingChanges = resolvePendingChanges(repoState) ?? 0;
+  if (pendingChanges >= policy.blockThreshold) {
+    violations.push(
+      toErrorViolation(
+        'EVIDENCE_PREWRITE_WORKTREE_OVER_LIMIT',
+        `${stageLabel} worktree hygiene exceeded: pending_changes=${pendingChanges} (block_threshold=${policy.blockThreshold}). Split worktree into atomic slices.`
+      )
+    );
+  } else if (pendingChanges >= policy.warnThreshold) {
+    violations.push(
+      toWarnViolation(
+        'EVIDENCE_PREWRITE_WORKTREE_WARN',
+        `${stageLabel} worktree hygiene warning: pending_changes=${pendingChanges} (warn_threshold=${policy.warnThreshold}). Consider smaller staged/unstaged batches.`
+      )
+    );
+  }
+};
+
 const toPolicyStage = (stage: AiGateStage): SkillsStage => {
   if (stage === 'PRE_WRITE') {
     return 'PRE_COMMIT';

package/integrations/git/aiGateRepoPolicyFindings.ts

@@ -0,0 +1,46 @@
+import type { Finding } from '../../core/gate/Finding';
+import type { GateStage } from '../../core/gate/GateStage';
+import { evaluateAiGate, type AiGateStage } from '../gate/evaluateAiGate';
+
+const AI_GATE_STAGES = new Set<AiGateStage>(['PRE_WRITE', 'PRE_COMMIT', 'PRE_PUSH', 'CI']);
+
+const REPO_POLICY_CODES = new Set<string>([
+  'GITFLOW_PROTECTED_BRANCH',
+  'EVIDENCE_PREWRITE_WORKTREE_OVER_LIMIT',
+  'EVIDENCE_PREWRITE_WORKTREE_WARN',
+]);
+
+const toRepoPolicyFinding = (params: {
+  code: string;
+  message: string;
+  severity: 'ERROR' | 'WARN';
+}): Finding => ({
+  ruleId: `ai_gate.repo_policy.${params.code}`,
+  severity: params.severity,
+  code: params.code,
+  message: params.message,
+  matchedBy: 'RepoPolicy',
+  source: 'ai_gate:repo_policy',
+});
+
+export const collectAiGateRepoPolicyFindings = (params: {
+  repoRoot: string;
+  stage: GateStage;
+}): Finding[] => {
+  if (!AI_GATE_STAGES.has(params.stage as AiGateStage)) {
+    return [];
+  }
+  const evaluation = evaluateAiGate({
+    repoRoot: params.repoRoot,
+    stage: params.stage as AiGateStage,
+  });
+  return evaluation.violations
+    .filter((v) => REPO_POLICY_CODES.has(v.code))
+    .map((v) =>
+      toRepoPolicyFinding({
+        code: v.code,
+        message: v.message,
+        severity: v.severity === 'ERROR' ? 'ERROR' : 'WARN',
+      })
+    );
+};

package/integrations/git/runPlatformGate.ts

@@ -34,6 +34,7 @@ import { enforceTddBddPolicy } from '../tdd/enforcement';
 import type { TddBddSnapshot } from '../tdd/types';
 import { resolveSkillsEnforcement } from '../policy/skillsEnforcement';
 import { applyTddBddEnforcement } from '../policy/tddBddEnforcement';
+import { collectAiGateRepoPolicyFindings } from './aiGateRepoPolicyFindings';
 
 export type OperationalMemoryShadowRecommendation = {
   recommendedOutcome: 'ALLOW' | 'WARN' | 'BLOCK';
@@ -151,13 +152,19 @@ const defaultDependencies: GateDependencies = {
     }),
 };
 
-const resolveCurrentBranch = (git: IGitService, repoRoot: string): string | null => {
+const readSymbolicBranchRef = (git: IGitService, repoRoot: string): string | null => {
   try {
     const symbolicBranch = git.runGit(['symbolic-ref', '--short', 'HEAD'], repoRoot).trim();
-    if (symbolicBranch.length > 0) {
-      return symbolicBranch;
-    }
+    return symbolicBranch.length > 0 ? symbolicBranch : null;
   } catch {
+    return null;
+  }
+};
+
+const resolveCurrentBranch = (git: IGitService, repoRoot: string): string | null => {
+  const symbolic = readSymbolicBranchRef(git, repoRoot);
+  if (symbolic !== null) {
+    return symbolic;
   }
   try {
     const branch = git.runGit(['rev-parse', '--abbrev-ref', 'HEAD'], repoRoot).trim();
@@ -927,6 +934,15 @@ export async function runPlatformGate(params: {
   const filesScanned = countScannedFilesFromFacts(factsForPlatformEvaluation);
   const observedCodePaths = collectObservedCodePathsFromFacts(facts);
 
+  const platformEvaluation = dependencies.evaluatePlatformGateFindings({
+    facts: factsForPlatformEvaluation,
+    stage: params.policy.stage,
+    repoRoot,
+  });
+  const aiGateRepoPolicyFindings = collectAiGateRepoPolicyFindings({
+    repoRoot,
+    stage: params.policy.stage,
+  });
   const {
     detectedPlatforms,
     skillsRuleSet,
@@ -934,12 +950,9 @@ export async function runPlatformGate(params: {
     heuristicRules,
     coverage,
     evaluationFacts = factsForPlatformEvaluation,
-    findings,
-  } = dependencies.evaluatePlatformGateFindings({
-    facts: factsForPlatformEvaluation,
-    stage: params.policy.stage,
-    repoRoot,
-  });
+    findings: ruleEngineFindings,
+  } = platformEvaluation;
+  const findings = [...aiGateRepoPolicyFindings, ...ruleEngineFindings];
   const evaluationMetrics: SnapshotEvaluationMetrics = coverage
     ? {
       facts_total: coverage.factsTotal,

package/integrations/git/stageRunners.ts

@@ -62,6 +62,10 @@ const BLOCKED_REMEDIATION_BY_CODE: Readonly<Record<string, string>> = {
   EVIDENCE_ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES:
     'Reconcilia policy/skills y revalida PRE_WRITE: npx --yes --package pumuki@latest pumuki policy reconcile --strict --json && npx --yes --package pumuki@latest pumuki sdd validate --stage=PRE_WRITE --json',
   GITFLOW_PROTECTED_BRANCH: 'Trabaja en feature/* y evita ramas protegidas.',
+  EVIDENCE_PREWRITE_WORKTREE_OVER_LIMIT:
+    'Reduce archivos staged/unstaged por debajo del umbral (o ajusta PUMUKI_PREWRITE_WORKTREE_*); divide el trabajo en commits más pequeños.',
+  EVIDENCE_PREWRITE_WORKTREE_WARN:
+    'El worktree supera el umbral de aviso; reduce alcance antes del siguiente commit/push.',
   PRE_PUSH_UPSTREAM_MISSING: 'Ejecuta: git push --set-upstream origin <branch>',
   PRE_PUSH_UPSTREAM_MISALIGNED:
     'Alinea upstream con la rama actual: git branch --unset-upstream && git push --set-upstream origin <branch>',
@@ -186,6 +190,7 @@ const defaultDependencies: StageRunnerDependencies = {
     try {
       ensureRuntimeArtifactsIgnored(repoRoot);
     } catch {
+      undefined;
     }
   },
   runPolicyReconcile,

package/integrations/lifecycle/adapter.templates.json

@@ -28,6 +28,35 @@
       }
     }
   ],
+  "repo": [
+    {
+      "path": ".pumuki/adapter.json",
+      "payload": {
+        "hooks": {
+          "pre_write": {
+            "command": "npx --yes --package pumuki@latest pumuki-pre-write"
+          },
+          "pre_commit": {
+            "command": "npx --yes --package pumuki@latest pumuki-pre-commit"
+          },
+          "pre_push": {
+            "command": "npx --yes --package pumuki@latest pumuki-pre-push"
+          },
+          "ci": {
+            "command": "npx --yes --package pumuki@latest pumuki-ci"
+          }
+        },
+        "mcp": {
+          "enterprise": {
+            "command": "npx --yes --package pumuki@latest pumuki-mcp-enterprise-stdio"
+          },
+          "evidence": {
+            "command": "npx --yes --package pumuki@latest pumuki-mcp-evidence-stdio"
+          }
+        }
+      }
+    }
+  ],
   "claude": [
     {
       "path": ".claude/settings.json",
@@ -74,6 +103,7 @@
   "cursor": [
     {
       "path": ".cursor/mcp.json",
+      "mode": "json-merge",
       "payload": {
         "mcpServers": {
           "pumuki-enterprise": {
@@ -110,6 +140,33 @@
           }
         }
       }
+    },
+    {
+      "path": ".pumuki/adapter.json",
+      "payload": {
+        "hooks": {
+          "pre_write": {
+            "command": "npx --yes --package pumuki@latest pumuki-pre-write"
+          },
+          "pre_commit": {
+            "command": "npx --yes --package pumuki@latest pumuki-pre-commit"
+          },
+          "pre_push": {
+            "command": "npx --yes --package pumuki@latest pumuki-pre-push"
+          },
+          "ci": {
+            "command": "npx --yes --package pumuki@latest pumuki-ci"
+          }
+        },
+        "mcp": {
+          "enterprise": {
+            "command": "npx --yes --package pumuki@latest pumuki-mcp-enterprise-stdio"
+          },
+          "evidence": {
+            "command": "npx --yes --package pumuki@latest pumuki-mcp-evidence-stdio"
+          }
+        }
+      }
     }
   ],
   "windsurf": [

package/integrations/lifecycle/hookBlock.ts

@@ -9,6 +9,10 @@ const HOOK_COMMANDS: Record<PumukiManagedHook, string> = {
   'pre-push': 'pumuki-pre-push',
 };
 
+const PRE_WRITE_CLI = 'pumuki-pre-write';
+
+type ResolverPhase = 'pre-write' | 'main';
+
 const trimTrailingWhitespace = (value: string): string =>
   value.replace(/[ \t]+\n/g, '\n').trimEnd();
 
@@ -24,54 +28,72 @@ const managedBlockPattern = new RegExp(
   'g'
 );
 
-const toHookRunner = (params: {
-  hook: PumukiManagedHook;
-  runner: string;
-}): string => {
-  if (params.hook === 'pre-push') {
-    return `  PUMUKI_PRE_PUSH_STDIN="$PUMUKI_PRE_PUSH_STDIN" ${params.runner} "$@"`;
+const runnerLine = (
+  parentHook: PumukiManagedHook,
+  phase: ResolverPhase,
+  runner: string
+): string => {
+  if (parentHook === 'pre-push' && phase === 'main') {
+    return `  PUMUKI_PRE_PUSH_STDIN="$PUMUKI_PRE_PUSH_STDIN" ${runner} "$@"`;
   }
-  return `  ${params.runner}`;
+  return `  ${runner}`;
 };
 
-export const buildPumukiManagedHookBlock = (hook: PumukiManagedHook): string => {
-  const cli = HOOK_COMMANDS[hook];
+const buildCliResolver = (params: {
+  cli: string;
+  parentHook: PumukiManagedHook;
+  phase: ResolverPhase;
+}): string[] => {
+  const { cli, parentHook, phase } = params;
   const localBinPath = `./node_modules/.bin/${cli}`;
   const localNodeEntry = `./node_modules/pumuki/bin/${cli}.js`;
-
   return [
-    PUMUKI_MANAGED_BLOCK_START,
-    ...(hook === 'pre-push' ? ['PUMUKI_PRE_PUSH_STDIN="$(cat)"'] : []),
     `if [ -x "${localBinPath}" ]; then`,
-    toHookRunner({
-      hook,
-      runner: localBinPath,
-    }),
+    runnerLine(parentHook, phase, localBinPath),
     `elif [ -f "${localNodeEntry}" ] && command -v node >/dev/null 2>&1; then`,
-    toHookRunner({
-      hook,
-      runner: `node ${localNodeEntry}`,
-    }),
+    runnerLine(parentHook, phase, `node ${localNodeEntry}`),
     `elif command -v ${cli} >/dev/null 2>&1; then`,
-    toHookRunner({
-      hook,
-      runner: cli,
-    }),
+    runnerLine(parentHook, phase, cli),
     'elif command -v npx >/dev/null 2>&1; then',
-    toHookRunner({
-      hook,
-      runner: `npx --yes --package pumuki@latest ${cli}`,
-    }),
+    runnerLine(parentHook, phase, `npx --yes --package pumuki@latest ${cli}`),
     'else',
     `  echo "[pumuki] unable to resolve ${cli} runner. Install dependencies or ensure npx is available." >&2`,
     '  exit 1',
     'fi',
-    '  status=$?',
-    '  if [ "$status" -ne 0 ]; then',
-    '    exit "$status"',
-    '  fi',
-    PUMUKI_MANAGED_BLOCK_END,
-  ].join('\n');
+  ];
+};
+
+export const buildPumukiManagedHookBlock = (hook: PumukiManagedHook): string => {
+  const mainCli = HOOK_COMMANDS[hook];
+  const lines: string[] = [PUMUKI_MANAGED_BLOCK_START];
+
+  lines.push('if [ "${PUMUKI_SKIP_CHAINED_PRE_WRITE:-}" != "1" ]; then');
+  lines.push(...buildCliResolver({
+    cli: PRE_WRITE_CLI,
+    parentHook: hook,
+    phase: 'pre-write',
+  }));
+  lines.push('  status=$?');
+  lines.push('  if [ "$status" -ne 0 ]; then');
+  lines.push('    exit "$status"');
+  lines.push('  fi');
+  lines.push('fi');
+
+  if (hook === 'pre-push') {
+    lines.push('PUMUKI_PRE_PUSH_STDIN="$(cat)"');
+  }
+
+  lines.push(...buildCliResolver({
+    cli: mainCli,
+    parentHook: hook,
+    phase: 'main',
+  }));
+  lines.push('  status=$?');
+  lines.push('  if [ "$status" -ne 0 ]; then');
+  lines.push('    exit "$status"');
+  lines.push('  fi');
+  lines.push(PUMUKI_MANAGED_BLOCK_END);
+  return lines.join('\n');
 };
 
 const ensureExecutableHeader = (contents: string): string => {

package/integrations/lifecycle/install.ts

@@ -12,6 +12,7 @@ import { captureRepoState } from '../evidence/repoState';
 import { createEmptyEvaluationMetrics } from '../evidence/evaluationMetrics';
 import { readOpenSpecManagedArtifacts, writeLifecycleState } from './state';
 import { ensureRuntimeArtifactsIgnored } from './artifacts';
+import { runLifecycleAdapterInstall } from './adapter';
 
 export type LifecycleInstallResult = {
   repoRoot: string;
@@ -59,6 +60,23 @@ const wireHooksLifecycleAndBootstrapEvidence = (params: {
   return hookResult.changedHooks;
 };
 
+const ensureRepoBaselineAdapter = (repoRoot: string): void => {
+  const adapterPath = join(repoRoot, '.pumuki', 'adapter.json');
+  if (existsSync(adapterPath)) {
+    return;
+  }
+  try {
+    runLifecycleAdapterInstall({
+      cwd: repoRoot,
+      agent: 'repo',
+    });
+  } catch (cause: unknown) {
+    if (process.env.PUMUKI_VERBOSE_INSTALL === '1') {
+      console.debug('[pumuki] adapter scaffold skipped', cause);
+    }
+  }
+};
+
 export const runLifecycleInstall = (params?: {
   cwd?: string;
   git?: ILifecycleGitService;
@@ -84,6 +102,7 @@ export const runLifecycleInstall = (params?: {
         version,
         openSpecManagedArtifacts: priorArtifacts.length > 0 ? priorArtifacts : undefined,
       });
+      ensureRepoBaselineAdapter(report.repoRoot);
       return {
         repoRoot: report.repoRoot,
         version,
@@ -122,6 +141,7 @@ export const runLifecycleInstall = (params?: {
     version,
     openSpecManagedArtifacts: Array.from(mergedOpenSpecArtifacts),
   });
+  ensureRepoBaselineAdapter(report.repoRoot);
 
   return {
     repoRoot: report.repoRoot,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.65",
+  "version": "6.3.69",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {
@@ -212,6 +212,7 @@
     "@babel/preset-env": "^7.29.0",
     "@babel/preset-typescript": "^7.28.5",
     "@babel/traverse": "^7.28.5",
+    "@fission-ai/openspec": "1.2.0",
     "@types/node": "^20.10.0",
     "@typescript-eslint/eslint-plugin": "^8.55.0",
     "@typescript-eslint/parser": "^8.55.0",

package/scripts/framework-menu-system-notifications-config-choice.ts

@@ -6,16 +6,35 @@ import {
 } from './framework-menu-system-notifications-types';
 import { writeSystemNotificationsConfigFile } from './framework-menu-system-notifications-config-file';
 
+export const normalizeBlockedDialogButtonLabel = (raw: string): string => {
+  const t = raw.replace(/\r/g, '').trim();
+  const lower = t.toLowerCase();
+  if (t === BLOCKED_DIALOG_DISABLE || lower.includes('desactivar')) {
+    return BLOCKED_DIALOG_DISABLE;
+  }
+  if (
+    t === BLOCKED_DIALOG_MUTE_30
+    || (lower.includes('silenciar') && lower.includes('30'))
+  ) {
+    return BLOCKED_DIALOG_MUTE_30;
+  }
+  if (t === BLOCKED_DIALOG_KEEP || (lower.includes('mantener') && lower.includes('activ'))) {
+    return BLOCKED_DIALOG_KEEP;
+  }
+  return t;
+};
+
 export const applyDialogChoice = (params: {
   repoRoot: string;
   config: SystemNotificationsConfig;
   button: string;
   nowMs: number;
 }): void => {
-  if (params.button === BLOCKED_DIALOG_KEEP) {
+  const button = normalizeBlockedDialogButtonLabel(params.button);
+  if (button === BLOCKED_DIALOG_KEEP) {
     return;
   }
-  if (params.button === BLOCKED_DIALOG_DISABLE) {
+  if (button === BLOCKED_DIALOG_DISABLE) {
     writeSystemNotificationsConfigFile(params.repoRoot, {
       enabled: false,
       channel: params.config.channel,
@@ -23,7 +42,7 @@ export const applyDialogChoice = (params: {
     });
     return;
   }
-  if (params.button === BLOCKED_DIALOG_MUTE_30) {
+  if (button === BLOCKED_DIALOG_MUTE_30) {
     const muteUntil = new Date(params.nowMs + 30 * 60_000).toISOString();
     writeSystemNotificationsConfigFile(params.repoRoot, {
       enabled: true,

package/scripts/framework-menu-system-notifications-config-state.ts

@@ -13,16 +13,23 @@ export const buildSystemNotificationsConfigFromSelection = (
 ): SystemNotificationsConfig => ({
   enabled,
   channel: 'macos',
-  blockedDialogEnabled: false,
+  blockedDialogEnabled: enabled,
 });
 
 export const normalizeSystemNotificationsConfig = (
   raw: RawSystemNotificationsConfig
 ): SystemNotificationsConfig => {
+  const enabled = raw.enabled === true;
+  const blockedDialogEnabled =
+    raw.blockedDialogEnabled === true
+      ? true
+      : raw.blockedDialogEnabled === false
+        ? false
+        : enabled;
   const config: SystemNotificationsConfig = {
-    enabled: raw.enabled === true,
+    enabled,
     channel: 'macos',
-    blockedDialogEnabled: raw.blockedDialogEnabled === true,
+    blockedDialogEnabled,
   };
   if (typeof raw.muteUntil === 'string' && raw.muteUntil.trim().length > 0) {
     config.muteUntil = raw.muteUntil;

package/scripts/framework-menu-system-notifications-dispatch.ts

@@ -14,6 +14,19 @@ import {
   isStderrNotificationFallbackDisabled,
 } from './framework-menu-system-notifications-stdio-fallback';
 
+const shouldMirrorGateBlockedToStderr = (
+  event: PumukiCriticalNotificationEvent,
+  env: NodeJS.ProcessEnv
+): boolean => {
+  if (event.kind !== 'gate.blocked') {
+    return false;
+  }
+  if (isTruthyEnvValue(env.PUMUKI_DISABLE_GATE_BLOCKED_STDERR_MIRROR)) {
+    return false;
+  }
+  return true;
+};
+
 export const dispatchSystemNotification = (params: {
   event: PumukiCriticalNotificationEvent;
   payload: SystemNotificationPayload;
@@ -46,7 +59,12 @@ export const dispatchSystemNotification = (params: {
     applyDialogChoice,
   });
 
-  if (macResult.delivered && isTruthyEnvValue(params.env.PUMUKI_NOTIFICATION_STDERR_MIRROR)) {
+  const mirrorStderrForVisibility =
+    macResult.delivered &&
+    !stderrOff &&
+    (isTruthyEnvValue(params.env.PUMUKI_NOTIFICATION_STDERR_MIRROR) ||
+      shouldMirrorGateBlockedToStderr(params.event, params.env));
+  if (mirrorStderrForVisibility) {
     deliverStderrNotificationBanner({ payload: params.payload });
   }
 

package/scripts/framework-menu-system-notifications-macos-dialog-effect.ts

@@ -1,4 +1,5 @@
 import type { SystemNotificationsConfig } from './framework-menu-system-notifications-types';
+import { normalizeBlockedDialogButtonLabel } from './framework-menu-system-notifications-config-choice';
 
 export const applyBlockedDialogSelection = (params: {
   repoRoot: string;
@@ -19,7 +20,7 @@ export const applyBlockedDialogSelection = (params: {
   params.applyDialogChoice({
     repoRoot: params.repoRoot,
     config: params.config,
-    button: params.selectedButton,
+    button: normalizeBlockedDialogButtonLabel(params.selectedButton),
     nowMs: params.nowMs,
   });
 };

package/scripts/framework-menu-system-notifications-macos-runner-parse.ts

@@ -1,7 +1,12 @@
 export const extractDialogButton = (stdout: string): string | null => {
-  const match = stdout.match(/button returned:(.+)/i);
-  if (!match || !match[1]) {
+  const matches = [...stdout.matchAll(/button returned:\s*(.+)/gi)];
+  if (matches.length === 0) {
     return null;
   }
-  return match[1].trim();
+  const raw = matches[matches.length - 1][1]?.trim() ?? '';
+  const cleaned = raw
+    .replace(/[,}]\s*$/g, '')
+    .replace(/^["'\u201c]|[\u201d"']$/g, '')
+    .trim();
+  return cleaned.length > 0 ? cleaned : null;
 };