npm - pumuki - Versions diffs - 6.3.7 - Mend

pumuki 6.3.7

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (744) hide show

package/docs/API_REFERENCE.md ADDED Viewed

@@ -0,0 +1,233 @@
+# API Reference (v2.x)
+This document describes the active TypeScript API surface used by the deterministic gate flow in this repository.
+## Stage policies
+File: `integrations/gate/stagePolicies.ts`
+- `policyForPreCommit(): GatePolicy`
+- `policyForPrePush(): GatePolicy`
+- `policyForCI(): GatePolicy`
+- `applyHeuristicSeverityForStage(rules, stage): RuleSet`
+## Git stage runners
+File: `integrations/git/stageRunners.ts`
+- `runPreCommitStage(): Promise<number>`
+- `runPrePushStage(): Promise<number>`
+- `runCiStage(): Promise<number>`
+Exit code contract:
+- `0` on pass/warn
+- `1` on block or runner error
+## Platform wrappers (exports)
+File: `integrations/git/index.ts`
+- `runPreCommitIOS`, `runPreCommitBackend`, `runPreCommitFrontend`, `runPreCommitAndroid`
+- `runPrePushIOS`, `runPrePushBackend`, `runPrePushFrontend`, `runPrePushAndroid`
+- `runCiIOS`, `runCiBackend`, `runCiFrontend`, `runCiAndroid`
+- `evaluateStagedIOS` (legacy compatibility entry still exported)
+## Shared execution entry
+File: `integrations/git/runPlatformGate.ts`
+Primary function:
+- `runPlatformGate(params: { policy: GatePolicy; scope: GateScope }): Promise<number>`
+Behavior:
+- Builds facts from staged or range scope.
+- Detects platforms from facts.
+- Loads and merges baseline + project rules.
+- Applies optional heuristic rule-pack and stage-aware promotion.
+- Evaluates findings + gate decision.
+- Writes `.ai_evidence.json` via `generateEvidence`.
+## Git scope helpers
+Files:
+- `integrations/git/getCommitRangeFacts.ts`
+- `integrations/git/resolveGitRefs.ts`
+- `integrations/git/runCliCommand.ts`
+Key helpers:
+- `getFactsForCommitRange({ fromRef, toRef, extensions })`
+- `resolveUpstreamRef()`
+- `resolveCiBaseRef()`
+- `runCliCommand(runner)`
+## Evidence API
+Files:
+- `integrations/evidence/schema.ts`
+- `integrations/evidence/buildEvidence.ts`
+- `integrations/evidence/writeEvidence.ts`
+- `integrations/evidence/generateEvidence.ts`
+Key types:
+- `AiEvidenceV2_1`
+- `Snapshot`
+- `LedgerEntry`
+- `PlatformState`
+- `RulesetState`
+Contract:
+- Source of truth: `version: "2.1"`
+- Deterministic output order
+- Snapshot + ledger merge model
+## Rule packs
+Files:
+- `core/rules/presets/iosEnterpriseRuleSet.ts`
+- `core/rules/presets/backendRuleSet.ts`
+- `core/rules/presets/frontendRuleSet.ts`
+- `core/rules/presets/androidRuleSet.ts`
+- `core/rules/presets/astHeuristicsRuleSet.ts`
+- `core/rules/presets/rulePackVersions.ts`
+## MCP read-only evidence context
+Files:
+- `integrations/mcp/evidenceContextServer.ts`
+- `integrations/mcp/evidenceContextServer.cli.ts`
+CLI:
+```bash
+npm run mcp:evidence
+```
+Read-only endpoints:
+- `GET /health`
+- `GET /status`
+  - includes `context_api.endpoints[]`, `context_api.filters`, and `context_api.pagination_bounds` capabilities
+- `GET /ai-evidence`
+- `GET /ai-evidence/summary`
+  - snapshot metadata includes `has_findings` (fast boolean gate for non-empty findings)
+  - snapshot metadata includes `findings_files_count` (deterministic count of distinct files with findings)
+  - snapshot metadata includes `findings_rules_count` (deterministic count of distinct rule IDs in findings)
+  - snapshot metadata includes `findings_with_lines_count` (deterministic count of findings with line metadata)
+  - snapshot metadata includes `findings_without_lines_count` (deterministic count of findings without line metadata)
+  - includes `rulesets_platforms_count` (deterministic count of distinct platforms covered by loaded rulesets)
+  - includes `rulesets_bundles_count` (deterministic count of distinct loaded ruleset bundles)
+  - includes `rulesets_hashes_count` (deterministic count of distinct loaded ruleset hashes)
+  - includes `ledger_files_count` (deterministic count of distinct files with open ledger entries)
+  - includes `ledger_rules_count` (deterministic count of distinct rule IDs with open ledger entries)
+  - includes `suppressed_replacement_rules_count` (deterministic count of distinct replacement rule IDs in suppressed findings)
+  - includes `suppressed_platforms_count` (deterministic count of distinct platforms represented in suppressed findings)
+  - includes `suppressed_files_count` (deterministic count of distinct files represented in suppressed findings)
+  - includes `suppressed_rules_count` (deterministic count of distinct original rule IDs represented in suppressed findings)
+  - snapshot metadata includes `severity_counts` (deterministic key order)
+  - snapshot metadata includes `findings_by_platform` (deterministic platform-key order)
+  - snapshot metadata includes `highest_severity` (deterministic severity ranking)
+  - snapshot metadata includes `blocking_findings_count` (count of CRITICAL+ERROR findings)
+  - includes `ledger_by_platform` (deterministic platform-key order)
+  - includes `rulesets_by_platform` (deterministic platform-key order)
+  - includes `rulesets_fingerprint` (deterministic ordered hash signature)
+  - includes `platform_confidence_counts` (deterministic counts by platform confidence level)
+  - includes `suppressed_findings_count` (deterministic count of suppressed findings in consolidation)
+  - includes `tracked_platforms_count` (deterministic count of currently tracked platforms)
+  - includes `detected_platforms_count` (deterministic count of currently detected platforms)
+  - includes `non_detected_platforms_count` (deterministic count of currently tracked but non-detected platforms)
+- `GET /ai-evidence/snapshot`
+- `GET /ai-evidence/findings`
+- `GET /ai-evidence/findings?limit=...&offset=...`
+  - deterministic bound: `maxLimit=100`
+  - pagination metadata includes `has_more` when `limit` is provided
+- `GET /ai-evidence/rulesets`
+- `GET /ai-evidence/rulesets?platform=...&bundle=...`
+- `GET /ai-evidence/rulesets?limit=...&offset=...`
+  - deterministic bound: `maxLimit=100`
+  - pagination metadata includes `has_more` when `limit` is provided
+- `GET /ai-evidence/platforms`
+- `GET /ai-evidence/platforms?detectedOnly=false&confidence=...`
+- `GET /ai-evidence/platforms?detectedOnly=false&limit=...&offset=...`
+  - deterministic bound: `maxLimit=100`
+  - pagination metadata includes `has_more` when `limit` is provided
+- `GET /ai-evidence/ledger`
+- `GET /ai-evidence/ledger?lastSeenAfter=...&lastSeenBefore=...`
+- `GET /ai-evidence/ledger?lastSeenAfter=...&lastSeenBefore=...&limit=...&offset=...`
+  - deterministic bound: `maxLimit=100`
+  - pagination metadata includes `has_more` when `limit` is provided
+Reference: `docs/MCP_EVIDENCE_CONTEXT_SERVER.md`.
+Consumption: `docs/MCP_AGENT_CONTEXT_CONSUMPTION.md`.
+## Local execution quick refs
+```bash
+npm run framework:menu
+npm run validation:adapter-readiness
+npm run typecheck
+npm run test:deterministic
+```
+## Optional diagnostics adapters
+Files:
+- `scripts/build-adapter-readiness.ts`
+- `scripts/adapter-readiness-lib.ts`
+- `scripts/build-phase5-blockers-readiness.ts`
+- `scripts/phase5-blockers-readiness-lib.ts`
+- `scripts/build-phase5-execution-closure-status.ts`
+- `scripts/phase5-execution-closure-status-lib.ts`
+- `scripts/run-phase5-execution-closure.ts`
+- `scripts/phase5-execution-closure-lib.ts`
+- `scripts/clean-validation-artifacts.ts`
+- `scripts/clean-validation-artifacts-lib.ts`
+- `scripts/framework-menu.ts`
+Commands:
+- `npm run validation:adapter-readiness`
+- `npm run validation:adapter-session-status`
+- `npm run validation:adapter-real-session-report`
+- `npm run validation:phase5-blockers-readiness`
+- `npm run validation:phase5-execution-closure-status`
+- `npm run validation:phase5-execution-closure`
+- `npm run validation:phase5-external-handoff`
+- `npm run validation:clean-artifacts`
+`validation:phase5-execution-closure` notes:
+- defaults to output directory `.audit-reports/phase5`
+- runs auth preflight and fails fast on auth/scope blockers
+- supports `--skip-auth-preflight` when preflight must be bypassed
+Framework menu action:
+- `Build adapter readiness report`
+- `Build phase5 execution closure status report`
+- `Run phase5 execution closure (one-shot orchestration)`
+- `Build phase5 external handoff report`
+- `Clean local validation artifacts`
+Deterministic argument builders exported from menu module:
+- `buildAdapterReadinessCommandArgs({ scriptPath, adapterReportFile, outFile })`
+- `buildCleanValidationArtifactsCommandArgs({ scriptPath, dryRun })`
+- `buildPhase5BlockersReadinessCommandArgs({ scriptPath, adapterReportFile, consumerTriageReportFile, outFile })`
+- `buildPhase5ExecutionClosureStatusCommandArgs({ scriptPath, phase5BlockersReportFile, consumerUnblockReportFile, adapterReadinessReportFile, outFile, requireAdapterReadiness })`
+- `buildPhase5ExternalHandoffCommandArgs({ scriptPath, repo, phase5StatusReportFile, phase5BlockersReportFile, consumerUnblockReportFile, mockAbReportFile, runReportFile, outFile, artifactUrls, requireArtifactUrls, requireMockAbReport })`
+- `buildPhase5ExecutionClosureCommandArgs({ scriptPath, repo, limit, outDir, runWorkflowLint, includeAuthPreflight, repoPath, actionlintBin, includeAdapter, requireAdapterReadiness })`
+Current adapter implementation note:
+- The adapter report input flag is named `adapterReportFile` / `--adapter-report` for compatibility with existing runbooks.

package/docs/ARCHITECTURE.md ADDED Viewed

@@ -0,0 +1,190 @@
+# Architecture (v2.x)
+## Objective
+Provide deterministic governance for AI-assisted development with strict separation of concerns.
+Core pipeline:
+`Facts -> Rules -> Gate -> ai_evidence v2.1`
+## Invariants
+- Evidence is the state source of truth (`.ai_evidence.json`, `version: "2.1"`).
+- Gate decision is deterministic for each stage scope and policy.
+- Domain logic stays pure in `core/*` (no shell/filesystem/network coupling).
+- Integrations adapt external systems and delegate decisions to domain logic.
+- Platform detection and rule-pack loading are data-driven from facts.
+## Layer model
+### Domain (`core/*`)
+- Facts model (`core/facts/*`)
+- Rule definitions and presets (`core/rules/*`)
+- Gate evaluation (`core/gate/*`)
+No infrastructure dependencies.
+### Integrations (`integrations/*`)
+- Git scope and execution adapters (`integrations/git/*`)
+- Stage policies (`integrations/gate/*`)
+- Platform detection (`integrations/platform/*`)
+- Evidence persistence (`integrations/evidence/*`)
+- MCP read-only server (`integrations/mcp/*`)
+## Stage architecture
+Policy source: `integrations/gate/stagePolicies.ts`
+- `PRE_COMMIT`
+  - Scope: staged (`git diff --cached`)
+  - Block from `CRITICAL`
+- `PRE_PUSH`
+  - Scope: `upstream..HEAD`
+  - Block from `ERROR`
+- `CI`
+  - Scope: `baseRef..HEAD`
+  - Block from `ERROR`
+## Runtime entrypoints
+- Shared execution: `integrations/git/runPlatformGate.ts`
+- Stage runners: `integrations/git/stageRunners.ts`
+- CLI wrappers: `integrations/git/*.cli.ts`
+- Interactive menu: `scripts/framework-menu.ts`
+## IDE adapter boundary
+- `core/*` and `integrations/*` are IDE-agnostic; they must not depend on editor-specific runtime hooks.
+- IDE diagnostics adapters (provider-specific runtime checks/reports) live in `scripts/*` and `docs/validation/*`.
+- PRE_COMMIT, PRE_PUSH, and CI gate outcomes depend only on facts/rules/gate/evidence contracts.
+## Platform and rule-pack model
+Detected platforms can be combined in one run:
+- `ios`
+- `backend`
+- `frontend`
+- `android`
+Baseline packs:
+- `iosEnterpriseRuleSet`
+- `backendRuleSet`
+- `frontendRuleSet`
+- `androidRuleSet`
+- `astHeuristicsRuleSet` (feature-flagged)
+Version map: `core/rules/presets/rulePackVersions.ts`.
+## Evidence architecture
+Writer path:
+- `integrations/evidence/generateEvidence.ts`
+  - `buildEvidence`
+  - `writeEvidence`
+Evidence properties:
+- deterministic snapshot + ledger
+- deduped findings
+- stable JSON ordering
+- platforms and rulesets traceability
+Schema reference: `docs/evidence-v2.1.md`.
+## CI architecture
+- Reusable workflow: `.github/workflows/pumuki-gate-template.yml`
+- Platform workflows:
+  - `.github/workflows/pumuki-ios.yml`
+  - `.github/workflows/pumuki-backend.yml`
+  - `.github/workflows/pumuki-frontend.yml`
+  - `.github/workflows/pumuki-android.yml`
+Each run publishes `.ai_evidence.json` artifact.
+## MCP architecture
+Current active MCP integration in repo:
+- `integrations/mcp/evidenceContextServer.ts`
+- `integrations/mcp/evidenceContextServer.cli.ts`
+Purpose: read-only exposure of evidence context for agents.
+## Architectural guardrails
+- Do not move decision logic from `core/*` into integrations.
+- Do not couple integrations directly to each other when shared runtime exists.
+- Prefer extending facts/rules/policies over adding ad-hoc shell conditions.
+## Critical Module Map
+Critical modules must document, at minimum:
+- purpose (single responsibility),
+- stable entrypoints (files consumed by other modules),
+- deterministic invariants (behavior that must not change between refactors).
+### MCP evidence payload and facets
+Purpose:
+- deterministic transformation from evidence snapshots to MCP facets/payloads.
+Stable entrypoints:
+- `integrations/mcp/evidenceFacetsBase.ts`
+- `integrations/mcp/evidenceFacetsSuppressed.ts`
+- `integrations/mcp/evidenceFacetsSuppressedBase.ts`
+- `integrations/mcp/evidenceFacetsSuppressedRelations.ts`
+- `integrations/mcp/evidenceFacetsSuppressedShare.ts`
+- `integrations/mcp/evidenceFacetsSuppressedShareCore.ts`
+- `integrations/mcp/evidenceFacetsSuppressedShareTriage.ts`
+- `integrations/mcp/evidenceFacetsSnapshot.ts`
+- `integrations/mcp/evidencePayloadConfig.ts`
+- `integrations/mcp/evidencePayloadCollections.ts`
+- `integrations/mcp/evidencePayloadSummary.ts`
+Deterministic invariants:
+- facet computation is pure from evidence inputs (no side effects).
+- facet keys and tuple naming stay stable across releases.
+- suppression and share metrics remain reproducible for the same snapshot.
+### Git gate runtime
+Purpose:
+- orchestrate facts, rules, policies, and evidence emission for stage-gate decisions.
+Stable entrypoints:
+- `integrations/git/runPlatformGate.ts`
+- `integrations/git/baselineRuleSets.ts`
+Deterministic invariants:
+- gate outcome depends only on facts + policy evaluation.
+- evidence emission always includes stage/policy/ruleset traceability.
+- stage runners remain thin wrappers over shared orchestration.
+### Detector partitions
+Purpose:
+- expose stable detector barrels while keeping implementations split by concern.
+Stable entrypoints:
+- `core/facts/detectors/fs/sync.ts`
+- `core/facts/detectors/process/index.ts`
+Partition files:
+- `core/facts/detectors/fs/syncPart1.ts`
+- `core/facts/detectors/fs/syncPart2.ts`
+- `core/facts/detectors/fs/syncPart3.ts`
+- `core/facts/detectors/process/core.ts`
+- `core/facts/detectors/process/shell.ts`
+- `core/facts/detectors/process/spawn.ts`
+Deterministic invariants:
+- barrels define the public detector surface.
+- partition internals may move, exported behavior and fact shapes must stay stable.

package/docs/ARCHITECTURE_DETAILED.md ADDED Viewed

@@ -0,0 +1,165 @@
+# Detailed Architecture (v2.x)
+This document describes the active deterministic architecture implemented in this repository.
+## Design goal
+Provide a reproducible decision system for AI-assisted development with a strict separation between domain and integrations.
+Primary pipeline:
+`Facts -> Rules -> Gate -> ai_evidence v2.1`
+## Layer boundaries
+### `core/` (domain)
+Pure logic without I/O or shell dependencies:
+- `core/facts/*`
+- `core/rules/*`
+- `core/gate/*`
+Responsibilities:
+- Represent facts and conditions.
+- Evaluate rules against facts.
+- Evaluate gate outcome from findings.
+### `integrations/` (adapters)
+Runtime adapters around the domain:
+- `integrations/git/*`
+- `integrations/platform/*`
+- `integrations/gate/*`
+- `integrations/evidence/*`
+- `integrations/mcp/*`
+Responsibilities:
+- Collect facts from Git scopes (staged/range).
+- Resolve refs (`@{u}`, `GITHUB_BASE_REF`).
+- Load rule packs and project overrides.
+- Build/write deterministic evidence.
+- Expose read-only evidence context via MCP endpoint.
+Boundary rule:
+- IDE/editor-specific diagnostics (provider-specific runtime validation) stay in `scripts/*` and `docs/validation/*`; they must not participate in core gate decisions.
+## Stage execution architecture
+### Shared runtime entry
+`integrations/git/runPlatformGate.ts`
+Responsibilities:
+1. Build facts from selected scope.
+2. Detect active platforms from facts.
+3. Load baseline packs for detected platforms.
+4. Optionally add heuristic facts/rules.
+5. Merge project overrides.
+6. Evaluate findings and gate decision.
+7. Generate `.ai_evidence.json`.
+8. Return process code (`0`/`1`).
+### Stage runners
+`integrations/git/stageRunners.ts`
+- `runPreCommitStage()`
+- `runPrePushStage()`
+- `runCiStage()`
+Policy source: `integrations/gate/stagePolicies.ts`.
+Ref resolution source: `integrations/git/resolveGitRefs.ts`.
+## Multi-platform model
+Platform detection is combined in a single run:
+- `ios`
+- `backend`
+- `frontend`
+- `android`
+Detector source: `integrations/platform/detectPlatforms.ts`.
+Detected platforms drive baseline rule-pack loading and evidence `platforms` state.
+## Rules architecture
+Baseline packs:
+- `iosEnterpriseRuleSet`
+- `backendRuleSet`
+- `frontendRuleSet`
+- `androidRuleSet`
+- `astHeuristicsRuleSet` (feature-flagged)
+Versioning source:
+- `core/rules/presets/rulePackVersions.ts`
+Merge strategy:
+- Baseline first, then project overrides.
+- Locked baseline protections are enforced unless explicitly relaxed.
+## Evidence architecture (v2.1)
+Schema source: `integrations/evidence/schema.ts`.
+Writer path:
+- `integrations/evidence/generateEvidence.ts`
+  - `buildEvidence`
+  - `writeEvidence`
+Deterministic properties:
+- `snapshot` + `ledger`
+- deduped findings
+- stable output order
+- per-run `rulesets` hash traceability
+## CI architecture
+Reusable template:
+- `.github/workflows/pumuki-gate-template.yml`
+Platform workflows:
+- `.github/workflows/pumuki-ios.yml`
+- `.github/workflows/pumuki-backend.yml`
+- `.github/workflows/pumuki-frontend.yml`
+- `.github/workflows/pumuki-android.yml`
+All workflows use shared runner path + upload `.ai_evidence.json` artifact.
+## MCP architecture
+Read-only context server:
+- `integrations/mcp/evidenceContextServer.ts`
+- CLI: `integrations/mcp/evidenceContextServer.cli.ts`
+Contract:
+- serves evidence only when `version === "2.1"`
+- health endpoint + deterministic error behavior
+## Extension points (current model)
+- Add typed facts in `core/facts/*`.
+- Add declarative rules in `core/rules/presets/*`.
+- Add platform detector in `integrations/platform/*`.
+- Add stage/runner wrappers in `integrations/git/*` reusing shared runtime.
+Constraint:
+- Keep domain pure (`core/*`), keep shell and file I/O in integrations.

package/docs/AST_HEURISTICS_REINTRODUCTION_PLAN.md ADDED Viewed

@@ -0,0 +1,88 @@
+# AST Heuristics Reintroduction Plan (Post-Validation)
+This document defines how to reintroduce selective AST heuristics after core validation is stable.
+## Validation gate before implementation
+Do not enable new semantic extractors until:
+- TypeScript baseline is clean for `core/**` and `integrations/**`
+- Existing multi-platform PRE_COMMIT/PRE_PUSH/CI flows remain deterministic
+- Evidence output stays on schema `version: "2.1"`
+## Initial heuristic backlog
+### iOS (Swift)
+- Detect force unwrap usage by AST node analysis
+- Detect `AnyView` usage by type reference, not text match
+- Detect callback-style APIs outside approved bridge layers
+### Backend / Frontend (TypeScript)
+- Detect empty `catch` blocks by AST
+- Detect unrestricted `any` usage by node kind
+- Detect production `console.log` in executable code paths
+### Android (Kotlin)
+- Detect `Thread.sleep` invocation nodes
+- Detect `GlobalScope` usage in production paths
+- Detect `runBlocking` outside test/source-set exceptions
+## Integration contract
+- New semantics should be emitted as typed Facts in `core/facts/*`.
+- Rules remain declarative in Rule Packs and evaluated by existing gate.
+- No changes to evidence contract except additive typed fields when required.
+## Rollout phases
+1. Add Facts behind feature flag (default off).
+2. Add rules consuming those Facts with `WARN` severity first.
+3. Promote selected rules to `ERROR`/`CRITICAL` after project validation window.
+## Feature flag
+- Flag: `PUMUKI_ENABLE_AST_HEURISTICS`
+- Values that enable: `1`, `true`, `yes`, `on`
+- Default: disabled
+When enabled, the gate records `astHeuristicsRuleSet@0.4.0` in evidence `rulesets[]`.
+For GitHub Actions gates using the reusable workflow template:
+- Input: `enable_ast_heuristics: true`
+Current pilot implemented:
+- `heuristics.ts.empty-catch.ast`
+- `heuristics.ts.explicit-any.ast`
+- `heuristics.ts.console-log.ast`
+- `heuristics.ios.force-unwrap.ast`
+- `heuristics.ios.anyview.ast`
+- `heuristics.ios.force-try.ast`
+- `heuristics.ios.force-cast.ast`
+- `heuristics.ios.callback-style.ast`
+- `heuristics.android.thread-sleep.ast`
+- `heuristics.android.globalscope.ast`
+- `heuristics.android.run-blocking.ast`
+- Scope: `apps/frontend/**`, `apps/web/**`, and `apps/backend/**` TypeScript files (`.ts`, `.tsx`)
+- Scope exclusions: test paths (`__tests__`, `tests`, `*.spec.*`, `*.test.*`)
+- Detection: semantic AST parse of `catch {}` with empty block
+- Detection: semantic AST parse of explicit `any` type usage (TS/TSX)
+- Detection: semantic AST parse of `console.log(...)` invocation nodes
+- Scope: `apps/ios/**` Swift files (`.swift`)
+- Scope exclusions: iOS test paths (`/Tests/`, `/tests/`, `*Test.swift`, `*Tests.swift`)
+- Scope exclusions: bridge layers (`/Bridge/`, `/Bridges/`, `*Bridge.swift`)
+- Detection: token-aware scan for force unwrap operator usage (`value!`) outside comments/strings
+- Detection: token-aware scan for `AnyView` type erasure usage outside comments/strings
+- Detection: token-aware scan for force try usage (`try!`) outside comments/strings
+- Detection: token-aware scan for force cast usage (`as!`) outside comments/strings
+- Detection: token-aware scan for callback-style signatures (`@escaping` + completion/handler) outside bridge layers
+- Scope: `apps/android/**` Kotlin files (`.kt`, `.kts`)
+- Scope exclusions: Android test paths (`/test/`, `/androidTest/`, `*Test.kt`, `*Tests.kt`)
+- Detection: token-aware scan for `Thread.sleep(...)` usage in production Kotlin code
+- Detection: token-aware scan for `GlobalScope.launch/async/...` usage in production Kotlin code
+- Detection: token-aware scan for `runBlocking(...)` usage in production Kotlin code
+- Severity: `WARN`