pumuki 6.3.68 → 6.3.70

package/README.md

@@ -37,7 +37,7 @@ npx --yes pumuki status
 npx --yes pumuki doctor --json
 ```
 
-Desde **6.3.63**, `npm install` en la raíz de un repo **Git** dispara un `postinstall` que ejecuta **`pumuki install` solo** (hooks `pre-commit` / `pre-push`, lifecycle, evidencia cuando aplica). **Pumuki no depende de ningún IDE** para el baseline: no toca `.cursor/` ni otros ficheros de editor por defecto. Desde **6.3.68**, cada hook gestionado ejecuta **`pumuki-pre-write` antes** de `pumuki-pre-commit` / `pumuki-pre-push` (stage **PRE_WRITE** vía Git). Saltar solo PRE_WRITE en hooks: `PUMUKI_SKIP_CHAINED_PRE_WRITE=1`. Tras install, si no existía, aparece **`.pumuki/adapter.json`** con los comandos de hooks y **MCP stdio** para referencia o para clientes que los registren manualmente. Para generar también config de IDE: **`pumuki install --with-mcp --agent=cursor`** (u otro) o **`pumuki bootstrap --enterprise --agent=…`**. Desactivar el postinstall: `PUMUKI_SKIP_POSTINSTALL=1`. En CI suele saltarse solo (`CI=true`). En **6.3.64+**, las notificaciones del sistema en plataformas sin banner nativo se reflejan en **stderr** por defecto (`PUMUKI_DISABLE_STDERR_NOTIFICATIONS=1` para silenciarlas).
+Desde **6.3.63**, `npm install` en la raíz de un repo **Git** dispara un `postinstall` que ejecuta **`pumuki install` solo** (hooks `pre-commit` / `pre-push`, lifecycle, evidencia cuando aplica). **Pumuki no depende de ningún IDE** para el baseline: no toca `.cursor/` ni otros ficheros de editor por defecto. Desde **6.3.68**, cada hook gestionado ejecuta **`pumuki-pre-write` antes** de `pumuki-pre-commit` / `pumuki-pre-push` (stage **PRE_WRITE** vía Git). Saltar solo PRE_WRITE en hooks: `PUMUKI_SKIP_CHAINED_PRE_WRITE=1`. Desde **6.3.69**, esos mismos hooks aplican también **git-flow en ramas protegidas** (`GITFLOW_PROTECTED_BRANCH`) e **higiene de worktree** (`PUMUKI_PREWRITE_WORKTREE_*` / códigos `EVIDENCE_PREWRITE_WORKTREE_*`) cuando la evidencia es válida; el **modal macOS** de bloqueo (Desactivar / Silenciar 30 min / Mantener activas) queda **activo por defecto** si las notificaciones están habilitadas (`"blockedDialogEnabled": false` o `PUMUKI_MACOS_BLOCKED_DIALOG=0` para apagarlo). Tras install, si no existía, aparece **`.pumuki/adapter.json`** con los comandos de hooks y **MCP stdio** para referencia o para clientes que los registren manualmente. Para generar también config de IDE: **`pumuki install --with-mcp --agent=cursor`** (u otro) o **`pumuki bootstrap --enterprise --agent=…`**. Desactivar el postinstall: `PUMUKI_SKIP_POSTINSTALL=1`. En CI suele saltarse solo (`CI=true`). En **6.3.64+**, las notificaciones del sistema en plataformas sin banner nativo se reflejan en **stderr** por defecto (`PUMUKI_DISABLE_STDERR_NOTIFICATIONS=1` para silenciarlas). En **6.3.69+**, un `gate.blocked` en macOS también deja una copia en **stderr** por defecto (`PUMUKI_DISABLE_GATE_BLOCKED_STDERR_MIRROR=1` para desactivar solo eso). Desde **6.3.70**, si **`.ai_evidence.json` está versionado** y **PRE_PUSH** no bloquea, ese archivo **no se reescribe** en el push (compatibilidad con **pre-commit** como hook de **pre-push**); para forzar escritura: `PUMUKI_PRE_PUSH_ALWAYS_WRITE_TRACKED_EVIDENCE=1`. Con modal de bloqueo activo, el panel interactivo prioriza foco/clics y se evita el banner duplicado.
 
 Fallback (equivalent in pasos separados):
 

package/docs/operations/RELEASE_NOTES.md

@@ -6,6 +6,18 @@ This file keeps only the operational highlights and rollout notes that matter wh
 
 ## 2026-04 (CLI stability and macOS notifications)
 
+### 2026-04-06 (v6.3.70)
+
+- **Consumidores con pre-commit en pre-push**: con `.ai_evidence.json` **versionado**, `PRE_PUSH` en **ALLOW/WARN** omite persistir en disco para no ensuciar el árbol tras el gate; variable `PUMUKI_PRE_PUSH_ALWAYS_WRITE_TRACKED_EVIDENCE=1` si necesitas el snapshot `PRE_PUSH` en fichero trackeado (puede exigir flujo de commit explícito).
+- **macOS bloqueo**: un solo canal interactivo cuando el modal está activo (sin banner `osascript` paralelo); panel Swift más fiable para foco y clics en botones.
+- **Rollout**: `pumuki@6.3.70`, repin en monorepos (p. ej. RuralGO); `npm test` / `git push` con hooks encadenados como validación.
+
+### 2026-04-05 (v6.3.69)
+
+- **Hooks = política de repo**: `PRE_COMMIT` / `PRE_PUSH` / `CI` / `PRE_WRITE` incorporan **`GITFLOW_PROTECTED_BRANCH`** y **higiene de worktree** (`EVIDENCE_PREWRITE_WORKTREE_*`, env `PUMUKI_PREWRITE_WORKTREE_*`) vía fusión con `evaluateAiGate` en `runPlatformGate`.
+- **macOS bloqueos**: modal **Desactivar / Silenciar 30 min / Mantener activas** **on by default** si las notificaciones están habilitadas; normalización de etiquetas y parseo `osascript` más robusto; `gate.blocked` duplica payload en **stderr** por defecto (`PUMUKI_DISABLE_GATE_BLOCKED_STDERR_MIRROR=1` para opt-out).
+- **Rollout**: `pumuki@6.3.69`, **`pumuki install`** en consumidores si quieren hooks reescritos tras cambios previos; revisar `.pumuki/system-notifications.json` si asumías modal apagado sin clave `blockedDialogEnabled`.
+
 ### 2026-04-06 (v6.3.68)
 
 - **PRE_WRITE sin depender del IDE**: `pre-commit` y `pre-push` gestionados ejecutan **`pumuki-pre-write`** antes del gate del stage principal. Opt-out: `PUMUKI_SKIP_CHAINED_PRE_WRITE=1`.

package/docs/product/CONFIGURATION.md

@@ -307,9 +307,9 @@ Blocking code:
 
 - `EVIDENCE_SKILLS_CONTRACT_INCOMPLETE` (when contract is incomplete outside PRE_WRITE)
 
-## PRE_WRITE worktree hygiene guard
+## Worktree hygiene guard (PRE_WRITE + Git hooks)
 
-AI Gate can enforce early worktree hygiene in `PRE_WRITE` to reduce non-atomic changes before commit time.
+AI Gate enforces worktree hygiene using **pending_changes** (or `staged + unstaged`) to reduce oversized batches before commit/push. The same thresholds apply to **`PRE_WRITE`**, **`PRE_COMMIT`**, **`PRE_PUSH`**, and **`CI`** when `.ai_evidence.json` is readable and valid (hooks merge these violations into `runPlatformGate`). Git-flow protected-branch checks (`GITFLOW_PROTECTED_BRANCH`) are also merged into hook runs.
 
 Environment variables:
 
@@ -317,6 +317,10 @@ Environment variables:
 - `PUMUKI_PREWRITE_WORKTREE_WARN_THRESHOLD` (default: `12`)
 - `PUMUKI_PREWRITE_WORKTREE_BLOCK_THRESHOLD` (default: `24`)
 
+## Evidencia en PRE_PUSH con `.ai_evidence.json` trackeado
+
+- `PUMUKI_PRE_PUSH_ALWAYS_WRITE_TRACKED_EVIDENCE` (`1|true|yes`): fuerza la escritura del snapshot en `PRE_PUSH` aunque `.ai_evidence.json` esté versionado. Por defecto (sin esta variable), si el fichero está en el índice de git y el outcome no es `BLOCK`, Pumuki **no** muta el archivo para no romper hooks encadenados (p. ej. `pre-commit` ejecutado desde `pre-push`).
+
 Codes emitted:
 
 - `EVIDENCE_PREWRITE_WORKTREE_WARN` (warning, still `ALLOWED`)

package/docs/product/USAGE.md

@@ -242,7 +242,7 @@ Stage mapping:
 If a scope is empty, the menu prints an explicit operational hint (`Scope vacío`), so `PASS` with zero findings is distinguishable from a clean repository scan.
 
 System notifications (macOS) can be enabled from advanced menu option `31` (persisted in `.pumuki/system-notifications.json`).
-On non-macOS platforms, the same payloads are written to **stderr** by default (visible in the terminal) because there is no native banner API. Set `PUMUKI_DISABLE_STDERR_NOTIFICATIONS=1` to silence that path (delivery reports `unsupported-platform` on those OSes). On macOS, set `PUMUKI_NOTIFICATION_STDERR_MIRROR=1` to duplicate the banner text to stderr in addition to the system notification.
+On non-macOS platforms, the same payloads are written to **stderr** by default (visible in the terminal) because there is no native banner API. Set `PUMUKI_DISABLE_STDERR_NOTIFICATIONS=1` to silence that path (delivery reports `unsupported-platform` on those OSes). On macOS, set `PUMUKI_NOTIFICATION_STDERR_MIRROR=1` to duplicate **any** notification payload to stderr in addition to the system notification. For **`gate.blocked`** specifically, stderr mirroring is **on by default** when the macOS path reports success (so a failed push/commit still prints a `[pumuki]` block in the terminal even if the banner does not appear); disable only that default with `PUMUKI_DISABLE_GATE_BLOCKED_STDERR_MIRROR=1`. The **blocked modal** (Swift floating / AppleScript) with **Desactivar / Silenciar 30 min / Mantener activas** is **on by default** whenever notifications are enabled and `blockedDialogEnabled` is omitted in `.pumuki/system-notifications.json`. Turn it off with `"blockedDialogEnabled": false` or `PUMUKI_MACOS_BLOCKED_DIALOG=0`. Ensure the terminal app is allowed to show notifications in **System Settings → Notifications**.
 Blocked notifications now use a native Swift floating modal (bottom-right) by default, with AppleScript fallback.
 Override mode with `PUMUKI_MACOS_BLOCKED_DIALOG_MODE=auto|swift-floating|applescript`.
 Custom skills import is available in advanced menu option `33` (writes `/.pumuki/custom-rules.json`).
@@ -679,6 +679,7 @@ npm run toolkit:clean-artifacts -- --dry-run
 - Fails safe (`exit 1`) with guidance when no upstream is configured.
 - Evaluates `upstream..HEAD` commit range.
 - Requires valid SDD/OpenSpec status (session + active change + validation).
+- Si `.ai_evidence.json` está **versionado** en git y el resultado del gate **no** es `BLOCK` (`PASS`/`WARN`), Pumuki **no reescribe** ese archivo en disco. Así se evita que integraciones tipo `pre-commit` (p. ej. como hook de `pre-push`) fallen con “files were modified by this hook” tras un `decision=ALLOW`. El snapshot en el último commit sigue siendo el generado en `PRE_COMMIT` hasta el siguiente commit. Para forzar la escritura del snapshot `PRE_PUSH` en un fichero trackeado, usa `PUMUKI_PRE_PUSH_ALWAYS_WRITE_TRACKED_EVIDENCE=1` (puede exigir un flujo de commit/evidencia explícito).
 
 ### CI
 
@@ -706,10 +707,12 @@ Resolver source: `integrations/git/resolveGitRefs.ts`.
 
 ## Evidence output
 
-Each run writes deterministic evidence to:
+Cada ejecución del gate escribe evidencia determinista en:
 
 - `.ai_evidence.json`
 
+Excepción: en `PRE_PUSH`, si el fichero está trackeado y el outcome no es `BLOCK`, la escritura al path anterior se omite (ver sección PRE_PUSH arriba). La telemetría interna del gate sigue generándose; solo se evita mutar el árbol de trabajo.
+
 Schema and behavior:
 
 - `version: "2.1"` is the source of truth

package/integrations/evidence/generateEvidence.test.ts

@@ -1,6 +1,6 @@
 import assert from 'node:assert/strict';
 import { execFileSync } from 'node:child_process';
-import { existsSync, mkdirSync, readFileSync } from 'node:fs';
+import { existsSync, mkdirSync, readFileSync, writeFileSync } from 'node:fs';
 import { join } from 'node:path';
 import test from 'node:test';
 import { withTempDir } from '../__tests__/helpers/tempDir';
@@ -61,6 +61,29 @@ test('generateEvidence compone build + write y persiste .ai_evidence.json', asyn
   });
 });
 
+test('generateEvidence omite escritura a disco cuando skipDiskWrite y repoRoot son válidos', async () => {
+  await withTempDir('pumuki-generate-evidence-skip-', async (tempRoot) => {
+    initGitRepo(tempRoot);
+    const evidencePath = join(tempRoot, '.ai_evidence.json');
+    writeFileSync(evidencePath, '{"version":"2.1","pinned":true}\n', 'utf8');
+
+    const result = generateEvidence({
+      stage: 'PRE_PUSH',
+      gateOutcome: 'PASS',
+      findings: [],
+      detectedPlatforms: {},
+      loadedRulesets: [],
+      repoRoot: tempRoot,
+      skipDiskWrite: true,
+    });
+
+    assert.equal(result.evidence.snapshot.stage, 'PRE_PUSH');
+    assert.equal(result.write.ok, true);
+    assert.equal(result.write.skipped, true);
+    assert.equal(readFileSync(evidencePath, 'utf8'), '{"version":"2.1","pinned":true}\n');
+  });
+});
+
 test('generateEvidence mantiene evidencia en memoria aunque write falle', async () => {
   await withTempDir('pumuki-generate-evidence-write-error-', async (tempRoot) => {
     initGitRepo(tempRoot);

package/integrations/evidence/generateEvidence.ts

@@ -1,7 +1,10 @@
+import { join } from 'node:path';
 import { buildEvidence, type BuildEvidenceParams } from './buildEvidence';
 import type { AiEvidenceV2_1 } from './schema';
 import { writeEvidence, type WriteEvidenceResult } from './writeEvidence';
 
+const EVIDENCE_FILE_BASENAME = '.ai_evidence.json';
+
 export type GenerateEvidenceResult = {
   evidence: AiEvidenceV2_1;
   write: WriteEvidenceResult;
@@ -9,11 +12,25 @@ export type GenerateEvidenceResult = {
 
 export type GenerateEvidenceParams = BuildEvidenceParams & {
   repoRoot?: string;
+  skipDiskWrite?: boolean;
 };
 
 export const generateEvidence = (params: GenerateEvidenceParams): GenerateEvidenceResult => {
-  const { repoRoot, ...buildParams } = params;
+  const { repoRoot, skipDiskWrite, ...buildParams } = params;
   const evidence = buildEvidence(buildParams);
+  if (skipDiskWrite === true) {
+    if (typeof repoRoot !== 'string' || repoRoot.length === 0) {
+      throw new Error('generateEvidence: repoRoot is required when skipDiskWrite is true');
+    }
+    return {
+      evidence,
+      write: {
+        ok: true,
+        path: join(repoRoot, EVIDENCE_FILE_BASENAME),
+        skipped: true,
+      },
+    };
+  }
   const write = writeEvidence(evidence, { repoRoot });
   return { evidence, write };
 };

package/integrations/evidence/writeEvidence.ts

@@ -22,6 +22,7 @@ export type WriteEvidenceResult = {
   ok: boolean;
   path: string;
   error?: string;
+  skipped?: boolean;
 };
 
 const EVIDENCE_FILE_NAME = '.ai_evidence.json';

package/integrations/gate/evaluateAiGate.ts

@@ -1093,25 +1093,6 @@ const collectPreWriteCoherenceViolations = (params: {
     );
   }
 
-  if (params.preWriteWorktreeHygiene.enabled && params.repoState.git.available) {
-    const pendingChanges = resolvePendingChanges(params.repoState) ?? 0;
-    if (pendingChanges >= params.preWriteWorktreeHygiene.blockThreshold) {
-      violations.push(
-        toErrorViolation(
-          'EVIDENCE_PREWRITE_WORKTREE_OVER_LIMIT',
-          `PRE_WRITE hygiene exceeded: pending_changes=${pendingChanges} (block_threshold=${params.preWriteWorktreeHygiene.blockThreshold}). Split worktree into atomic slices.`
-        )
-      );
-    } else if (pendingChanges >= params.preWriteWorktreeHygiene.warnThreshold) {
-      violations.push(
-        toWarnViolation(
-          'EVIDENCE_PREWRITE_WORKTREE_WARN',
-          `PRE_WRITE hygiene warning: pending_changes=${pendingChanges} (warn_threshold=${params.preWriteWorktreeHygiene.warnThreshold}). Consider splitting worktree into smaller slices.`
-        )
-      );
-    }
-  }
-
   return violations;
 };
 
@@ -1178,6 +1159,8 @@ const collectEvidenceViolations = (
     );
   }
 
+  appendWorktreeHygieneViolations(violations, repoState, preWriteWorktreeHygiene, stage);
+
   return { violations, ageSeconds };
 };
 
@@ -1228,6 +1211,33 @@ const resolvePendingChanges = (repoState: RepoState): number | null => {
   return repoState.git.pending_changes ?? (repoState.git.staged + repoState.git.unstaged);
 };
 
+const appendWorktreeHygieneViolations = (
+  violations: AiGateViolation[],
+  repoState: RepoState,
+  policy: PreWriteWorktreeHygienePolicy,
+  stageLabel: AiGateStage
+): void => {
+  if (!policy.enabled || !repoState.git.available) {
+    return;
+  }
+  const pendingChanges = resolvePendingChanges(repoState) ?? 0;
+  if (pendingChanges >= policy.blockThreshold) {
+    violations.push(
+      toErrorViolation(
+        'EVIDENCE_PREWRITE_WORKTREE_OVER_LIMIT',
+        `${stageLabel} worktree hygiene exceeded: pending_changes=${pendingChanges} (block_threshold=${policy.blockThreshold}). Split worktree into atomic slices.`
+      )
+    );
+  } else if (pendingChanges >= policy.warnThreshold) {
+    violations.push(
+      toWarnViolation(
+        'EVIDENCE_PREWRITE_WORKTREE_WARN',
+        `${stageLabel} worktree hygiene warning: pending_changes=${pendingChanges} (warn_threshold=${policy.warnThreshold}). Consider smaller staged/unstaged batches.`
+      )
+    );
+  }
+};
+
 const toPolicyStage = (stage: AiGateStage): SkillsStage => {
   if (stage === 'PRE_WRITE') {
     return 'PRE_COMMIT';

package/integrations/git/aiGateRepoPolicyFindings.ts

@@ -0,0 +1,46 @@
+import type { Finding } from '../../core/gate/Finding';
+import type { GateStage } from '../../core/gate/GateStage';
+import { evaluateAiGate, type AiGateStage } from '../gate/evaluateAiGate';
+
+const AI_GATE_STAGES = new Set<AiGateStage>(['PRE_WRITE', 'PRE_COMMIT', 'PRE_PUSH', 'CI']);
+
+const REPO_POLICY_CODES = new Set<string>([
+  'GITFLOW_PROTECTED_BRANCH',
+  'EVIDENCE_PREWRITE_WORKTREE_OVER_LIMIT',
+  'EVIDENCE_PREWRITE_WORKTREE_WARN',
+]);
+
+const toRepoPolicyFinding = (params: {
+  code: string;
+  message: string;
+  severity: 'ERROR' | 'WARN';
+}): Finding => ({
+  ruleId: `ai_gate.repo_policy.${params.code}`,
+  severity: params.severity,
+  code: params.code,
+  message: params.message,
+  matchedBy: 'RepoPolicy',
+  source: 'ai_gate:repo_policy',
+});
+
+export const collectAiGateRepoPolicyFindings = (params: {
+  repoRoot: string;
+  stage: GateStage;
+}): Finding[] => {
+  if (!AI_GATE_STAGES.has(params.stage as AiGateStage)) {
+    return [];
+  }
+  const evaluation = evaluateAiGate({
+    repoRoot: params.repoRoot,
+    stage: params.stage as AiGateStage,
+  });
+  return evaluation.violations
+    .filter((v) => REPO_POLICY_CODES.has(v.code))
+    .map((v) =>
+      toRepoPolicyFinding({
+        code: v.code,
+        message: v.message,
+        severity: v.severity === 'ERROR' ? 'ERROR' : 'WARN',
+      })
+    );
+};

package/integrations/git/runPlatformGate.ts

@@ -34,6 +34,7 @@ import { enforceTddBddPolicy } from '../tdd/enforcement';
 import type { TddBddSnapshot } from '../tdd/types';
 import { resolveSkillsEnforcement } from '../policy/skillsEnforcement';
 import { applyTddBddEnforcement } from '../policy/tddBddEnforcement';
+import { collectAiGateRepoPolicyFindings } from './aiGateRepoPolicyFindings';
 
 export type OperationalMemoryShadowRecommendation = {
   recommendedOutcome: 'ALLOW' | 'WARN' | 'BLOCK';
@@ -151,13 +152,19 @@ const defaultDependencies: GateDependencies = {
     }),
 };
 
-const resolveCurrentBranch = (git: IGitService, repoRoot: string): string | null => {
+const readSymbolicBranchRef = (git: IGitService, repoRoot: string): string | null => {
   try {
     const symbolicBranch = git.runGit(['symbolic-ref', '--short', 'HEAD'], repoRoot).trim();
-    if (symbolicBranch.length > 0) {
-      return symbolicBranch;
-    }
+    return symbolicBranch.length > 0 ? symbolicBranch : null;
   } catch {
+    return null;
+  }
+};
+
+const resolveCurrentBranch = (git: IGitService, repoRoot: string): string | null => {
+  const symbolic = readSymbolicBranchRef(git, repoRoot);
+  if (symbolic !== null) {
+    return symbolic;
   }
   try {
     const branch = git.runGit(['rev-parse', '--abbrev-ref', 'HEAD'], repoRoot).trim();
@@ -927,6 +934,15 @@ export async function runPlatformGate(params: {
   const filesScanned = countScannedFilesFromFacts(factsForPlatformEvaluation);
   const observedCodePaths = collectObservedCodePathsFromFacts(facts);
 
+  const platformEvaluation = dependencies.evaluatePlatformGateFindings({
+    facts: factsForPlatformEvaluation,
+    stage: params.policy.stage,
+    repoRoot,
+  });
+  const aiGateRepoPolicyFindings = collectAiGateRepoPolicyFindings({
+    repoRoot,
+    stage: params.policy.stage,
+  });
   const {
     detectedPlatforms,
     skillsRuleSet,
@@ -934,12 +950,9 @@ export async function runPlatformGate(params: {
     heuristicRules,
     coverage,
     evaluationFacts = factsForPlatformEvaluation,
-    findings,
-  } = dependencies.evaluatePlatformGateFindings({
-    facts: factsForPlatformEvaluation,
-    stage: params.policy.stage,
-    repoRoot,
-  });
+    findings: ruleEngineFindings,
+  } = platformEvaluation;
+  const findings = [...aiGateRepoPolicyFindings, ...ruleEngineFindings];
   const evaluationMetrics: SnapshotEvaluationMetrics = coverage
     ? {
       facts_total: coverage.factsTotal,

package/integrations/git/runPlatformGateEvidence.ts

@@ -1,6 +1,7 @@
 import type { Finding } from '../../core/gate/Finding';
 import type { GateOutcome } from '../../core/gate/GateOutcome';
 import type { GateStage } from '../../core/gate/GateStage';
+import { GitService } from './GitService';
 import { rulePackVersions } from '../../core/rules/presets/rulePackVersions';
 import type { RuleSet } from '../../core/rules/RuleSet';
 import type { SkillsRuleSetLoadResult } from '../config/skillsRuleSet';
@@ -17,14 +18,51 @@ import { normalizeSnapshotRulesCoverage } from '../evidence/rulesCoverage';
 import type { TddBddSnapshot } from '../tdd/types';
 import { emitGateTelemetryEvent } from '../telemetry/gateTelemetry';
 
+const TRACKED_EVIDENCE_RELATIVE_PATH = '.ai_evidence.json';
+
+const isTruthyEnvFlag = (value?: string): boolean => {
+  if (!value) {
+    return false;
+  }
+  const normalized = value.trim().toLowerCase();
+  return normalized === '1' || normalized === 'true' || normalized === 'yes';
+};
+
+const defaultIsEvidencePathTracked = (repoRoot: string, relativePath: string): boolean => {
+  try {
+    new GitService().runGit(['ls-files', '--error-unmatch', '--', relativePath], repoRoot);
+    return true;
+  } catch {
+    return false;
+  }
+};
+
+const shouldSkipPrePushTrackedEvidenceDiskWrite = (params: {
+  stage: GateStage;
+  gateOutcome: GateOutcome;
+  repoRoot: string;
+  isEvidencePathTracked: (repoRoot: string, relativePath: string) => boolean;
+}): boolean => {
+  if (isTruthyEnvFlag(process.env.PUMUKI_PRE_PUSH_ALWAYS_WRITE_TRACKED_EVIDENCE)) {
+    return false;
+  }
+  return (
+    params.stage === 'PRE_PUSH' &&
+    params.gateOutcome !== 'BLOCK' &&
+    params.isEvidencePathTracked(params.repoRoot, TRACKED_EVIDENCE_RELATIVE_PATH)
+  );
+};
+
 export type PlatformGateEvidenceDependencies = {
   generateEvidence: typeof generateEvidence;
   emitGateTelemetryEvent: typeof emitGateTelemetryEvent;
+  isEvidencePathTracked: (repoRoot: string, relativePath: string) => boolean;
 };
 
 const defaultDependencies: PlatformGateEvidenceDependencies = {
   generateEvidence,
   emitGateTelemetryEvent,
+  isEvidencePathTracked: defaultIsEvidencePathTracked,
 };
 
 export const emitPlatformGateEvidence = (params: {
@@ -58,6 +96,12 @@ export const emitPlatformGateEvidence = (params: {
   const evaluationMetrics = normalizeSnapshotEvaluationMetrics(params.evaluationMetrics);
   const rulesCoverage = normalizeSnapshotRulesCoverage(params.stage, params.rulesCoverage);
   const repoState = captureRepoState(params.repoRoot);
+  const skipDiskWrite = shouldSkipPrePushTrackedEvidenceDiskWrite({
+    stage: params.stage,
+    gateOutcome: params.gateOutcome,
+    repoRoot: params.repoRoot,
+    isEvidencePathTracked: activeDependencies.isEvidencePathTracked,
+  });
 
   activeDependencies.generateEvidence({
     stage: params.stage,
@@ -70,6 +114,7 @@ export const emitPlatformGateEvidence = (params: {
     ...(params.tddBdd ? { tddBdd: params.tddBdd } : {}),
     ...(params.memoryShadow ? { memoryShadow: params.memoryShadow } : {}),
     repoRoot: params.repoRoot,
+    ...(skipDiskWrite ? { skipDiskWrite: true } : {}),
     previousEvidence: params.evidenceService.loadPreviousEvidence(params.repoRoot),
     detectedPlatforms: params.evidenceService.toDetectedPlatformsRecord(params.detectedPlatforms),
     loadedRulesets: params.evidenceService.buildRulesetState({

package/integrations/git/stageRunners.ts

@@ -62,6 +62,10 @@ const BLOCKED_REMEDIATION_BY_CODE: Readonly<Record<string, string>> = {
   EVIDENCE_ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES:
     'Reconcilia policy/skills y revalida PRE_WRITE: npx --yes --package pumuki@latest pumuki policy reconcile --strict --json && npx --yes --package pumuki@latest pumuki sdd validate --stage=PRE_WRITE --json',
   GITFLOW_PROTECTED_BRANCH: 'Trabaja en feature/* y evita ramas protegidas.',
+  EVIDENCE_PREWRITE_WORKTREE_OVER_LIMIT:
+    'Reduce archivos staged/unstaged por debajo del umbral (o ajusta PUMUKI_PREWRITE_WORKTREE_*); divide el trabajo en commits más pequeños.',
+  EVIDENCE_PREWRITE_WORKTREE_WARN:
+    'El worktree supera el umbral de aviso; reduce alcance antes del siguiente commit/push.',
   PRE_PUSH_UPSTREAM_MISSING: 'Ejecuta: git push --set-upstream origin <branch>',
   PRE_PUSH_UPSTREAM_MISALIGNED:
     'Alinea upstream con la rama actual: git branch --unset-upstream && git push --set-upstream origin <branch>',
@@ -186,6 +190,7 @@ const defaultDependencies: StageRunnerDependencies = {
     try {
       ensureRuntimeArtifactsIgnored(repoRoot);
     } catch {
+      undefined;
     }
   },
   runPolicyReconcile,

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "pumuki",
-  "version": "6.3.68",
+  "version": "6.3.70",
   "description": "Enterprise-grade AST Intelligence System with multi-platform support (iOS, Android, Backend, Frontend) and Feature-First + DDD + Clean Architecture enforcement. Includes dynamic violations API for intelligent querying.",
   "main": "index.js",
   "bin": {

package/scripts/framework-menu-system-notifications-config-choice.ts

@@ -6,16 +6,35 @@ import {
 } from './framework-menu-system-notifications-types';
 import { writeSystemNotificationsConfigFile } from './framework-menu-system-notifications-config-file';
 
+export const normalizeBlockedDialogButtonLabel = (raw: string): string => {
+  const t = raw.replace(/\r/g, '').trim();
+  const lower = t.toLowerCase();
+  if (t === BLOCKED_DIALOG_DISABLE || lower.includes('desactivar')) {
+    return BLOCKED_DIALOG_DISABLE;
+  }
+  if (
+    t === BLOCKED_DIALOG_MUTE_30
+    || (lower.includes('silenciar') && lower.includes('30'))
+  ) {
+    return BLOCKED_DIALOG_MUTE_30;
+  }
+  if (t === BLOCKED_DIALOG_KEEP || (lower.includes('mantener') && lower.includes('activ'))) {
+    return BLOCKED_DIALOG_KEEP;
+  }
+  return t;
+};
+
 export const applyDialogChoice = (params: {
   repoRoot: string;
   config: SystemNotificationsConfig;
   button: string;
   nowMs: number;
 }): void => {
-  if (params.button === BLOCKED_DIALOG_KEEP) {
+  const button = normalizeBlockedDialogButtonLabel(params.button);
+  if (button === BLOCKED_DIALOG_KEEP) {
     return;
   }
-  if (params.button === BLOCKED_DIALOG_DISABLE) {
+  if (button === BLOCKED_DIALOG_DISABLE) {
     writeSystemNotificationsConfigFile(params.repoRoot, {
       enabled: false,
       channel: params.config.channel,
@@ -23,7 +42,7 @@ export const applyDialogChoice = (params: {
     });
     return;
   }
-  if (params.button === BLOCKED_DIALOG_MUTE_30) {
+  if (button === BLOCKED_DIALOG_MUTE_30) {
     const muteUntil = new Date(params.nowMs + 30 * 60_000).toISOString();
     writeSystemNotificationsConfigFile(params.repoRoot, {
       enabled: true,

package/scripts/framework-menu-system-notifications-config-state.ts

@@ -13,16 +13,23 @@ export const buildSystemNotificationsConfigFromSelection = (
 ): SystemNotificationsConfig => ({
   enabled,
   channel: 'macos',
-  blockedDialogEnabled: false,
+  blockedDialogEnabled: enabled,
 });
 
 export const normalizeSystemNotificationsConfig = (
   raw: RawSystemNotificationsConfig
 ): SystemNotificationsConfig => {
+  const enabled = raw.enabled === true;
+  const blockedDialogEnabled =
+    raw.blockedDialogEnabled === true
+      ? true
+      : raw.blockedDialogEnabled === false
+        ? false
+        : enabled;
   const config: SystemNotificationsConfig = {
-    enabled: raw.enabled === true,
+    enabled,
     channel: 'macos',
-    blockedDialogEnabled: raw.blockedDialogEnabled === true,
+    blockedDialogEnabled,
   };
   if (typeof raw.muteUntil === 'string' && raw.muteUntil.trim().length > 0) {
     config.muteUntil = raw.muteUntil;

package/scripts/framework-menu-system-notifications-dispatch.ts

@@ -14,6 +14,19 @@ import {
   isStderrNotificationFallbackDisabled,
 } from './framework-menu-system-notifications-stdio-fallback';
 
+const shouldMirrorGateBlockedToStderr = (
+  event: PumukiCriticalNotificationEvent,
+  env: NodeJS.ProcessEnv
+): boolean => {
+  if (event.kind !== 'gate.blocked') {
+    return false;
+  }
+  if (isTruthyEnvValue(env.PUMUKI_DISABLE_GATE_BLOCKED_STDERR_MIRROR)) {
+    return false;
+  }
+  return true;
+};
+
 export const dispatchSystemNotification = (params: {
   event: PumukiCriticalNotificationEvent;
   payload: SystemNotificationPayload;
@@ -46,7 +59,12 @@ export const dispatchSystemNotification = (params: {
     applyDialogChoice,
   });
 
-  if (macResult.delivered && isTruthyEnvValue(params.env.PUMUKI_NOTIFICATION_STDERR_MIRROR)) {
+  const mirrorStderrForVisibility =
+    macResult.delivered &&
+    !stderrOff &&
+    (isTruthyEnvValue(params.env.PUMUKI_NOTIFICATION_STDERR_MIRROR) ||
+      shouldMirrorGateBlockedToStderr(params.event, params.env));
+  if (mirrorStderrForVisibility) {
     deliverStderrNotificationBanner({ payload: params.payload });
   }
 

package/scripts/framework-menu-system-notifications-macos-dialog-effect.ts

@@ -1,4 +1,5 @@
 import type { SystemNotificationsConfig } from './framework-menu-system-notifications-types';
+import { normalizeBlockedDialogButtonLabel } from './framework-menu-system-notifications-config-choice';
 
 export const applyBlockedDialogSelection = (params: {
   repoRoot: string;
@@ -19,7 +20,7 @@ export const applyBlockedDialogSelection = (params: {
   params.applyDialogChoice({
     repoRoot: params.repoRoot,
     config: params.config,
-    button: params.selectedButton,
+    button: normalizeBlockedDialogButtonLabel(params.selectedButton),
     nowMs: params.nowMs,
   });
 };

package/scripts/framework-menu-system-notifications-macos-runner-parse.ts

@@ -1,7 +1,12 @@
 export const extractDialogButton = (stdout: string): string | null => {
-  const match = stdout.match(/button returned:(.+)/i);
-  if (!match || !match[1]) {
+  const matches = [...stdout.matchAll(/button returned:\s*(.+)/gi)];
+  if (matches.length === 0) {
     return null;
   }
-  return match[1].trim();
+  const raw = matches[matches.length - 1][1]?.trim() ?? '';
+  const cleaned = raw
+    .replace(/[,}]\s*$/g, '')
+    .replace(/^["'\u201c]|[\u201d"']$/g, '')
+    .trim();
+  return cleaned.length > 0 ? cleaned : null;
 };

package/scripts/framework-menu-system-notifications-macos-swift-source.ts

@@ -1,6 +1,10 @@
 export const SWIFT_BLOCKED_DIALOG_SOURCE = String.raw`import AppKit
 import Foundation
 
+final class KeyableFloatingPanel: NSPanel {
+  override var canBecomeKey: Bool { true }
+}
+
 struct DialogConfig {
   let title: String
   let cause: String
@@ -108,12 +112,13 @@ final class DialogController: NSObject, NSApplicationDelegate, NSWindowDelegate
       y: screenFrame.minY + margin
     )
 
-    let panel = NSPanel(
+    let panel = KeyableFloatingPanel(
       contentRect: NSRect(x: origin.x, y: origin.y, width: width, height: height),
       styleMask: [.titled, .closable, .fullSizeContentView],
       backing: .buffered,
       defer: false
     )
+    panel.becomesKeyOnlyIfNeeded = false
     panel.level = .floating
     panel.collectionBehavior = [.canJoinAllSpaces, .fullScreenAuxiliary]
     panel.titleVisibility = .hidden

package/scripts/framework-menu-system-notifications-macos.ts

@@ -5,7 +5,7 @@ import {
   type SystemNotificationCommandRunnerWithOutput,
   type SystemNotificationsConfig,
 } from './framework-menu-system-notifications-types';
-import { resolveBlockedDialogEnabled } from './framework-menu-system-notifications-macos-dialog';
+import { resolveBlockedDialogEnabled } from './framework-menu-system-notifications-macos-dialog-enabled';
 import { emitMacOsBannerStage } from './framework-menu-system-notifications-macos-banner-stage';
 import { emitMacOsBlockedDialogStage } from './framework-menu-system-notifications-macos-blocked-stage';
 import { finalizeMacOsNotificationDelivery } from './framework-menu-system-notifications-macos-result';
@@ -13,6 +13,21 @@ import { finalizeMacOsNotificationDelivery } from './framework-menu-system-notif
 export { runSystemCommand, runSystemCommandWithOutput } from './framework-menu-system-notifications-macos-runner';
 export { resolveBlockedDialogEnabled } from './framework-menu-system-notifications-macos-dialog';
 
+const shouldSkipMacOsBannerForInteractiveBlockedDialog = (params: {
+  event: PumukiCriticalNotificationEvent;
+  repoRoot?: string;
+  config: SystemNotificationsConfig;
+  env: NodeJS.ProcessEnv;
+}): boolean => {
+  if (params.event.kind !== 'gate.blocked') {
+    return false;
+  }
+  if (typeof params.repoRoot !== 'string') {
+    return false;
+  }
+  return resolveBlockedDialogEnabled({ env: params.env, config: params.config });
+};
+
 export const deliverMacOsNotification = (params: {
   event: PumukiCriticalNotificationEvent;
   payload: Parameters<typeof emitMacOsBannerStage>[0]['payload'];
@@ -29,11 +44,20 @@ export const deliverMacOsNotification = (params: {
     nowMs: number;
   }) => void;
 }): SystemNotificationEmitResult => {
-  const bannerResult = emitMacOsBannerStage({
-    payload: params.payload,
-    runCommand: params.runCommand,
+  const skipBanner = shouldSkipMacOsBannerForInteractiveBlockedDialog({
+    event: params.event,
+    repoRoot: params.repoRoot,
+    config: params.config,
+    env: params.env,
   });
 
+  const bannerResult = skipBanner
+    ? { delivered: true as const, reason: 'delivered' as const }
+    : emitMacOsBannerStage({
+        payload: params.payload,
+        runCommand: params.runCommand,
+      });
+
   emitMacOsBlockedDialogStage({
     event: params.event,
     repoRoot: params.repoRoot,