pumuki 6.3.73 → 6.3.75

package/VERSION

@@ -1 +1 @@
-v6.3.73
+v6.3.64

package/docs/README.md

@@ -36,9 +36,11 @@ Mapa corto y humano de la documentación oficial de Pumuki.
   - `docs/validation/ios-avdlee-parity-matrix.md`
 
 - Quiero saber en qué estamos ahora:
-  - `docs/tracking/plan-activo-de-trabajo.md`
-- Quiero el seguimiento del curso Stack My Architecture (Pumuki), iniciativa formativa aparte del espejo operativo:
-  - `docs/tracking/plan-curso-pumuki-stack-my-architecture.md`
+  - `PUMUKI-RESET-MASTER-PLAN.md` en la raíz del repo como artefacto operativo local y única fuente viva del tracking interno
+- Quiero contexto histórico o materiales de seguimiento retirados:
+  - Referencia histórica: `docs/tracking/plan-activo-de-trabajo.md`
+  - Quiero el seguimiento del curso Stack My Architecture (Pumuki), iniciativa formativa aparte del espejo operativo:
+  - Curso Stack My Architecture: `docs/tracking/plan-curso-pumuki-stack-my-architecture.md`
 
 ## Estructura oficial
 
@@ -65,10 +67,10 @@ Mapa corto y humano de la documentación oficial de Pumuki.
   - Skills vendorizadas que el repo usa como contrato local.
 
 - `docs/tracking/`
-  - Seguimiento permitido y solo el imprescindible.
-  - Espejo operativo de producto y consumidores: `docs/tracking/plan-activo-de-trabajo.md` (unica fuente de verdad para ese ambito).
-  - Iniciativa formativa (curso Pumuki en Stack My Architecture): `docs/tracking/plan-curso-pumuki-stack-my-architecture.md` (no sustituye al plan activo).
-  - Regla hard: solo puede existir una tarea `🚧` en cada documento de seguimiento que lo use.
+  - Material histórico o formativo; no actúa como backlog vivo del producto.
+  - Fuente viva del tracking interno: `PUMUKI-RESET-MASTER-PLAN.md` en la raíz del repo.
+  - Documento retirado: `docs/tracking/plan-activo-de-trabajo.md`.
+  - Material del curso: `docs/tracking/plan-curso-pumuki-stack-my-architecture.md`.
 
 ## Fuera de `docs/`
 

package/docs/operations/RELEASE_NOTES.md

@@ -6,24 +6,6 @@ This file keeps only the operational highlights and rollout notes that matter wh
 
 ## 2026-04 (CLI stability and macOS notifications)
 
-### 2026-04-14 (v6.3.73)
-
-- **S1 governance console**: `status`, `doctor`, menú consumer, hooks y MCP comparten ya la misma semántica de governance (`governance truth`, `reason_code`, `instruction`, `next_action`).
-- **RuralGo evidence pack**: nuevo `npm run validation:ruralgo-s1-evidence-pack -- --consumer-root <repo> --package-version <semver>` para preparar la validación real de `PUMUKI-INC-071/073/076`.
-- **Sin regresión de 6.3.72**: esta release preserva `lifecycle audit`, `consumer postinstall resolve args`, `detectPlatforms` y `full surface smoke`, en vez de volver a una base `6.3.71`.
-- **Rollout**: publicar `pumuki@6.3.73`, repinear primero RuralGo y ejecutar el evidence pack con la semver publicada antes de mover ningún `INC` a `FIXED`.
-
-### 2026-04-11 (v6.3.72)
-
-- **Tarball npm**: `package.json` → `files` incluye `AGENTS.md`, `CHANGELOG.md` y `docs/tracking/plan-curso-pumuki-stack-my-architecture.md` para lectura canónica vía npm / jsDelivr sin depender solo del repo Git.
-- **`gate.blocked` (macOS)**: banner de Notification Center **y** modal por defecto (evita cero notificaciones si el modal no llega a mostrarse desde un hook); dedupe opcional: `PUMUKI_MACOS_GATE_BLOCKED_BANNER_DEDUPE=1`.
-- **Modal Swift**: `NSAlert.runModal()` en lugar de panel flotante para que los botones del diálogo respondan de forma fiable.
-- **Postinstall consumer**: por defecto `pumuki install --with-mcp --agent=repo` y fusión conservadora en `.pumuki/adapter.json` (`json-merge`); opt-out `PUMUKI_POSTINSTALL_SKIP_MCP=1`.
-- **Validación local**: `smoke:pumuki-surface` / `smoke:pumuki-surface-installed` y `validation:local-merge-bar` (sin depender de minutos de Actions). Detalle en `docs/validation/README.md`.
-- **Tests en macOS:** `integrations/lifecycle/__tests__/cli.test.ts` evita notificaciones reales del sistema (`PUMUKI_DISABLE_SYSTEM_NOTIFICATIONS` en hooks) para que `npm test` / la barra local no queden colgados en PRE_WRITE strict.
-- **Menú / matriz consumer**: opciones motor `11–14`, matriz baseline alineada, vista classic opcional, etc. (ver `CHANGELOG.md`).
-- **Rollout**: `pumuki@6.3.72`; `npm publish` cuando el tarball incluya lo anterior; luego `pumuki doctor --json` + repin en consumidores (p. ej. RuralGO).
-
 ### 2026-04-06 (v6.3.71)
 
 - **Evidencia v2.1**: bloque `operational_hints` (`requires_second_pass`, resumen operativo, desglose por severidad de reglas). Alineado con PRE_COMMIT solo-docs + evidencia trackeada (INC-069) cuando no se re-stagea el JSON automáticamente.

package/docs/validation/README.md

@@ -14,7 +14,9 @@ Este directorio contiene solo documentación estable de validación y runbooks o
 
 ## Estado de seguimiento
 
-- Única fuente de seguimiento: `docs/tracking/plan-activo-de-trabajo.md`
+- `docs/validation/` no gobierna backlog.
+- La única fuente viva del tracking interno es `PUMUKI-RESET-MASTER-PLAN.md` en la raíz del repo.
+- `docs/tracking/plan-activo-de-trabajo.md` queda retirado como espejo operativo y solo conserva valor histórico.
 
 ## Política de higiene
 

package/integrations/evidence/buildEvidence.ts

@@ -716,6 +716,20 @@ const normalizeRepoState = (repoState?: RepoState): RepoState | undefined => {
           config_path: repoState.lifecycle.hard_mode.config_path,
         }
         : undefined,
+      tracking: {
+        enforced: repoState.lifecycle.tracking.enforced,
+        canonical_path: repoState.lifecycle.tracking.canonical_path,
+        canonical_present: repoState.lifecycle.tracking.canonical_present,
+        source_file: repoState.lifecycle.tracking.source_file,
+        in_progress_count: repoState.lifecycle.tracking.in_progress_count,
+        single_in_progress_valid: repoState.lifecycle.tracking.single_in_progress_valid,
+        conflict: repoState.lifecycle.tracking.conflict,
+        declarations: repoState.lifecycle.tracking.declarations.map((entry) => ({
+          source_file: entry.source_file,
+          declared_path: entry.declared_path,
+          resolved_path: entry.resolved_path,
+        })),
+      },
     },
   };
 };

package/integrations/evidence/repoState.ts

@@ -5,6 +5,7 @@ import { readLifecycleStatus } from '../lifecycle/status';
 import { resolvePumukiVersionMetadata } from '../lifecycle/packageInfo';
 import { readPersistedHardModeConfig } from '../policy/policyProfiles';
 import type { RepoHardModeState, RepoHookState, RepoState } from './schema';
+import { readRepoTrackingState } from './trackingContract';
 
 type HookStateShape = { exists: boolean; managedBlockPresent: boolean };
 
@@ -123,6 +124,7 @@ export const captureRepoState = (repoRoot: string): RepoState => {
   const consumerFacingVersion = versionMetadata.resolvedVersion;
   const installedVersion = versionMetadata.consumerInstalledVersion;
   const hardModeState = readHardModeState(repoRoot);
+  const trackingState = readRepoTrackingState(repoRoot);
 
   return {
     repo_root: repoRoot,
@@ -150,6 +152,7 @@ export const captureRepoState = (repoRoot: string): RepoState => {
         pre_push: toHookState(lifecycle.hookStatus['pre-push']),
       },
       hard_mode: hardModeState,
+      tracking: trackingState,
     },
   };
 };

package/integrations/evidence/schema.ts

@@ -171,6 +171,23 @@ export type RepoHardModeState = {
   config_path: string;
 };
 
+export type RepoTrackingDeclaration = {
+  source_file: string;
+  declared_path: string;
+  resolved_path: string;
+};
+
+export type RepoTrackingState = {
+  enforced: boolean;
+  canonical_path: string | null;
+  canonical_present: boolean;
+  source_file: string | null;
+  in_progress_count: number | null;
+  single_in_progress_valid: boolean | null;
+  conflict: boolean;
+  declarations: ReadonlyArray<RepoTrackingDeclaration>;
+};
+
 export type RepoState = {
   repo_root: string;
   git: {
@@ -196,6 +213,7 @@ export type RepoState = {
       pre_push: RepoHookState;
     };
     hard_mode?: RepoHardModeState;
+    tracking: RepoTrackingState;
   };
 };
 

package/integrations/evidence/trackingContract.ts

@@ -0,0 +1,146 @@
+import { existsSync, readFileSync } from 'node:fs';
+import { dirname, relative, resolve, sep } from 'node:path';
+import type { RepoTrackingDeclaration, RepoTrackingState } from './schema';
+
+const TRACKING_DECLARATION_SOURCES = [
+  'AGENTS.md',
+  'docs/README.md',
+  'docs/validation/README.md',
+  'docs/strategy/README.md',
+] as const;
+
+const TRACKING_KEYWORDS =
+  /(seguimiento|tracking interno|tracking can[oó]nico|canonical tracking|fuente viva|fuente can[oó]nica|source of truth|single source)/i;
+const TRACKING_PRIORITY_SOURCE = new Set(['AGENTS.md']);
+const IN_PROGRESS_PATTERNS = [
+  /^- Estado:\s*🚧/m,
+  /^- 🚧 (\`?P[0-9A-Za-z.-]+\`?)/m,
+  /^\|[^|\n]+\|\s*🚧(?:\s|\|)/m,
+] as const;
+
+const toRepoRelativePath = (repoRoot: string, absolutePath: string): string => {
+  const relativePath = relative(repoRoot, absolutePath).replace(/\\/g, '/');
+  return relativePath.length > 0 && !relativePath.startsWith('..') ? relativePath : absolutePath.replace(/\\/g, '/');
+};
+
+const collectDeclaredPathsFromLine = (line: string): string[] => {
+  const matches = new Set<string>();
+  for (const regex of [/`([^`]+\.md)`/g, /\[[^\]]+\]\(([^)]+\.md)\)/g]) {
+    let match: RegExpExecArray | null;
+    while ((match = regex.exec(line)) !== null) {
+      const candidate = match[1]?.trim();
+      if (candidate) {
+        matches.add(candidate);
+      }
+    }
+  }
+  return [...matches];
+};
+
+const collectTrackingDeclarations = (repoRoot: string): ReadonlyArray<RepoTrackingDeclaration> => {
+  const declarations: RepoTrackingDeclaration[] = [];
+  for (const sourceFile of TRACKING_DECLARATION_SOURCES) {
+    const absoluteSourcePath = resolve(repoRoot, sourceFile);
+    if (!existsSync(absoluteSourcePath)) {
+      continue;
+    }
+    const content = readFileSync(absoluteSourcePath, 'utf8');
+    for (const line of content.split(/\r?\n/)) {
+      if (!TRACKING_KEYWORDS.test(line)) {
+        continue;
+      }
+      for (const declaredPath of collectDeclaredPathsFromLine(line)) {
+        const resolvedPath = declaredPath.startsWith('./') || declaredPath.startsWith('../')
+          ? resolve(repoRoot, dirname(sourceFile), declaredPath)
+          : resolve(repoRoot, declaredPath);
+        declarations.push({
+          source_file: sourceFile,
+          declared_path: declaredPath,
+          resolved_path: toRepoRelativePath(repoRoot, resolvedPath),
+        });
+      }
+    }
+  }
+  const deduped = new Map<string, RepoTrackingDeclaration>();
+  for (const declaration of declarations) {
+    deduped.set(
+      `${declaration.source_file}::${declaration.resolved_path}`,
+      declaration
+    );
+  }
+  return [...deduped.values()];
+};
+
+const resolveCanonicalTrackingPath = (
+  declarations: ReadonlyArray<RepoTrackingDeclaration>
+): { canonicalPath: string | null; sourceFile: string | null; conflict: boolean } => {
+  if (declarations.length === 0) {
+    return {
+      canonicalPath: null,
+      sourceFile: null,
+      conflict: false,
+    };
+  }
+
+  const agentsDeclarations = declarations.filter((entry) => TRACKING_PRIORITY_SOURCE.has(entry.source_file));
+  const preferred = agentsDeclarations.length > 0 ? agentsDeclarations : declarations;
+  const preferredPaths = [...new Set(preferred.map((entry) => entry.resolved_path))];
+  const allPaths = [...new Set(declarations.map((entry) => entry.resolved_path))];
+
+  if (preferredPaths.length === 0) {
+    return {
+      canonicalPath: null,
+      sourceFile: null,
+      conflict: allPaths.length > 1,
+    };
+  }
+
+  const canonicalPath = preferredPaths[0] ?? null;
+  const sourceFile =
+    preferred.find((entry) => entry.resolved_path === canonicalPath)?.source_file
+    ?? null;
+  return {
+    canonicalPath,
+    sourceFile,
+    conflict: allPaths.length > 1 || preferredPaths.length > 1,
+  };
+};
+
+const countInProgressMarkers = (absolutePath: string): number => {
+  if (!existsSync(absolutePath)) {
+    return 0;
+  }
+  const content = readFileSync(absolutePath, 'utf8');
+  const matchedLines = new Set<number>();
+  const lines = content.split(/\r?\n/);
+  lines.forEach((line, index) => {
+    if (IN_PROGRESS_PATTERNS.some((pattern) => pattern.test(line))) {
+      matchedLines.add(index);
+    }
+  });
+  return matchedLines.size;
+};
+
+export const readRepoTrackingState = (repoRoot: string): RepoTrackingState => {
+  const declarations = collectTrackingDeclarations(repoRoot);
+  const enforced = declarations.length > 0;
+  const resolution = resolveCanonicalTrackingPath(declarations);
+  const canonicalAbsolutePath = resolution.canonicalPath
+    ? resolve(repoRoot, resolution.canonicalPath.split('/').join(sep))
+    : null;
+  const canonicalPresent = canonicalAbsolutePath ? existsSync(canonicalAbsolutePath) : false;
+  const inProgressCount = canonicalPresent && canonicalAbsolutePath
+    ? countInProgressMarkers(canonicalAbsolutePath)
+    : null;
+
+  return {
+    enforced,
+    canonical_path: resolution.canonicalPath,
+    canonical_present: canonicalPresent,
+    source_file: resolution.sourceFile,
+    in_progress_count: inProgressCount,
+    single_in_progress_valid: inProgressCount === null ? null : inProgressCount === 1,
+    conflict: resolution.conflict,
+    declarations,
+  };
+};

package/integrations/evidence/writeEvidence.ts

@@ -217,6 +217,20 @@ const normalizeRepoState = (
           config_path: toRelativeRepoPath(repoRoot, repoState.lifecycle.hard_mode.config_path),
         }
         : undefined,
+      tracking: {
+        enforced: repoState.lifecycle.tracking.enforced,
+        canonical_path: repoState.lifecycle.tracking.canonical_path,
+        canonical_present: repoState.lifecycle.tracking.canonical_present,
+        source_file: repoState.lifecycle.tracking.source_file,
+        in_progress_count: repoState.lifecycle.tracking.in_progress_count,
+        single_in_progress_valid: repoState.lifecycle.tracking.single_in_progress_valid,
+        conflict: repoState.lifecycle.tracking.conflict,
+        declarations: repoState.lifecycle.tracking.declarations.map((entry) => ({
+          source_file: entry.source_file,
+          declared_path: entry.declared_path,
+          resolved_path: entry.resolved_path,
+        })),
+      },
     },
   };
 };

package/integrations/gate/evaluateAiGate.ts

@@ -1,11 +1,12 @@
 import type { EvidenceReadResult } from '../evidence/readEvidence';
 import { readEvidenceResult } from '../evidence/readEvidence';
 import { captureRepoState } from '../evidence/repoState';
-import type { RepoState } from '../evidence/schema';
+import type { RepoState, RepoTrackingState } from '../evidence/schema';
 import { resolvePolicyForStage } from './stagePolicies';
 import { execFileSync } from 'node:child_process';
 import { existsSync, realpathSync } from 'node:fs';
 import { resolve } from 'node:path';
+import { isSeverityAtLeast } from '../../core/rules/Severity';
 import type { SkillsLockV1, SkillsStage } from '../config/skillsLock';
 import {
   loadEffectiveSkillsLock,
@@ -132,6 +133,10 @@ const PREWRITE_WORKTREE_HYGIENE_WARN_THRESHOLD_ENV = 'PUMUKI_PREWRITE_WORKTREE_W
 const PREWRITE_WORKTREE_HYGIENE_BLOCK_THRESHOLD_ENV = 'PUMUKI_PREWRITE_WORKTREE_BLOCK_THRESHOLD';
 
 const DEFAULT_PROTECTED_BRANCHES = new Set(['main', 'master', 'develop', 'dev']);
+const DEFAULT_GITFLOW_BRANCH_PATTERNS = [
+  /^(?:feature|bugfix|hotfix|chore|refactor|docs)\/[a-z0-9]+(?:-[a-z0-9]+)*$/,
+  /^release\/\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/,
+] as const;
 const PREWRITE_SKILLS_PLATFORMS = ['ios', 'android', 'backend', 'frontend'] as const;
 type PreWriteSkillsPlatform = (typeof PREWRITE_SKILLS_PLATFORMS)[number];
 const PLATFORM_SKILLS_RULE_PREFIXES: Readonly<Record<PreWriteSkillsPlatform, string>> = {
@@ -457,6 +462,27 @@ const hasWorktreeCodePlatforms = (params: {
   );
 };
 
+const toWorktreeDetectedPlatforms = (params: {
+  repoRoot: string;
+  requiredPlatforms: ReadonlyArray<PreWriteSkillsPlatform>;
+}): ReadonlyArray<PreWriteSkillsPlatform> => {
+  const changedPaths = collectWorktreeChangedPaths(params.repoRoot);
+  if (changedPaths.length === 0) {
+    return [];
+  }
+
+  const detected = new Set<PreWriteSkillsPlatform>();
+  for (const filePath of changedPaths) {
+    for (const platform of params.requiredPlatforms) {
+      if (isPlatformPath(platform, filePath)) {
+        detected.add(platform);
+      }
+    }
+  }
+
+  return PREWRITE_SKILLS_PLATFORMS.filter((platform) => detected.has(platform));
+};
+
 const toLockRequiredPlatforms = (
   requiredLock: SkillsLockV1 | undefined
 ): ReadonlyArray<PreWriteSkillsPlatform> => {
@@ -748,6 +774,13 @@ const toSkillsContractAssessment = (params: {
   const coverage = params.evidenceResult.evidence.snapshot.rules_coverage;
   const explicitlyDetectedPlatforms = toDetectedSkillsPlatforms(params.evidenceResult.evidence.platforms);
   const inferredPlatforms = toCoverageInferredPlatforms(coverage);
+  const worktreeDetectedPlatforms =
+    params.stage === 'PRE_WRITE' && requiredPlatforms.length > 0
+      ? toWorktreeDetectedPlatforms({
+          repoRoot: params.repoRoot,
+          requiredPlatforms,
+        })
+      : [];
   const repoTreeDetectedPlatforms =
     params.stage !== 'PRE_WRITE' && requiredPlatforms.length > 0
       ? toRepoTreeDetectedPlatforms({
@@ -767,6 +800,8 @@ const toSkillsContractAssessment = (params: {
       ? explicitlyDetectedEffectivePlatforms
       : inferredPlatforms.length > 0
         ? inferredPlatforms
+        : worktreeDetectedPlatforms.length > 0
+          ? worktreeDetectedPlatforms
         : repoTreeDetectedPlatforms;
   const pendingChanges = resolvePendingChanges(params.repoState);
   const detectedPlatformSet = new Set(detectedPlatforms);
@@ -1164,6 +1199,63 @@ const collectEvidenceViolations = (
   return { violations, ageSeconds };
 };
 
+const severityOrder: ReadonlyArray<'CRITICAL' | 'ERROR' | 'WARN' | 'INFO'> = [
+  'CRITICAL',
+  'ERROR',
+  'WARN',
+  'INFO',
+];
+
+const toHighestTriggeredSeverity = (
+  severityCounts: Readonly<Record<'INFO' | 'WARN' | 'ERROR' | 'CRITICAL', number>>,
+  threshold: 'INFO' | 'WARN' | 'ERROR' | 'CRITICAL'
+): 'INFO' | 'WARN' | 'ERROR' | 'CRITICAL' | null => {
+  for (const severity of severityOrder) {
+    if (severityCounts[severity] > 0 && isSeverityAtLeast(severity, threshold)) {
+      return severity;
+    }
+  }
+  return null;
+};
+
+const collectEvidencePolicyThresholdViolations = (params: {
+  evidenceResult: EvidenceReadResult;
+  policy: ReturnType<typeof resolvePolicyForStage>['policy'];
+}): AiGateViolation[] => {
+  if (params.evidenceResult.kind !== 'valid') {
+    return [];
+  }
+
+  const severityCounts = params.evidenceResult.evidence.severity_metrics.by_severity;
+  const blockSeverity = toHighestTriggeredSeverity(
+    severityCounts,
+    params.policy.blockOnOrAbove
+  );
+  if (blockSeverity && params.evidenceResult.evidence.ai_gate.status !== 'BLOCKED') {
+    return [
+      toErrorViolation(
+        'EVIDENCE_POLICY_THRESHOLD_BLOCK',
+        `Evidence severities exceed block_on_or_above=${params.policy.blockOnOrAbove} (highest=${blockSeverity}).`
+      ),
+    ];
+  }
+
+  const warnSeverity = toHighestTriggeredSeverity(
+    severityCounts,
+    params.policy.warnOnOrAbove
+  );
+  if (warnSeverity && params.evidenceResult.evidence.ai_gate.status === 'ALLOWED') {
+    return [
+      toWarnViolation(
+        'EVIDENCE_POLICY_THRESHOLD_WARN',
+        `Evidence severities exceed warn_on_or_above=${params.policy.warnOnOrAbove} (highest=${warnSeverity}).`
+      ),
+    ];
+  }
+
+  return [];
+};
+
 const toEvidenceSourceDescriptor = (
   result: EvidenceReadResult,
   repoRoot: string
@@ -1193,17 +1285,81 @@ const collectGitflowViolations = (
   if (!repoState.git.available) {
     return violations;
   }
-  if (repoState.git.branch && protectedBranches.has(repoState.git.branch)) {
+  const branch = repoState.git.branch?.trim() ?? null;
+  const normalizedBranch = branch?.toLowerCase() ?? null;
+  if (branch && normalizedBranch && protectedBranches.has(normalizedBranch)) {
     violations.push(
       toErrorViolation(
         'GITFLOW_PROTECTED_BRANCH',
-        `Direct work on protected branch "${repoState.git.branch}" is not allowed.`
+        `Direct work on protected branch "${branch}" is not allowed.`
+      )
+    );
+    return violations;
+  }
+  if (
+    branch
+    && !DEFAULT_GITFLOW_BRANCH_PATTERNS.some((pattern) => pattern.test(branch))
+  ) {
+    violations.push(
+      toErrorViolation(
+        'GITFLOW_BRANCH_NAMING_INVALID',
+        `Branch "${branch}" does not comply with GitFlow naming. Use feature/*, bugfix/*, hotfix/*, release/*, chore/*, refactor/* or docs/*.`
       )
     );
   }
   return violations;
 };
 
+const DEFAULT_TRACKING_STATE: RepoTrackingState = {
+  enforced: false,
+  canonical_path: null,
+  canonical_present: false,
+  source_file: null,
+  in_progress_count: null,
+  single_in_progress_valid: null,
+  conflict: false,
+  declarations: [],
+};
+
+const collectTrackingViolations = (repoState: RepoState): AiGateViolation[] => {
+  const tracking = repoState.lifecycle.tracking ?? DEFAULT_TRACKING_STATE;
+  if (!tracking.enforced) {
+    return [];
+  }
+
+  if (tracking.conflict) {
+    const declaredPaths = tracking.declarations
+      .map((entry) => `${entry.source_file}:${entry.resolved_path}`)
+      .join(', ');
+    return [
+      toErrorViolation(
+        'TRACKING_CANONICAL_SOURCE_CONFLICT',
+        `Tracking canonical source conflict detected (${declaredPaths}).`
+      ),
+    ];
+  }
+
+  if (!tracking.canonical_path || !tracking.canonical_present) {
+    return [
+      toErrorViolation(
+        'TRACKING_CANONICAL_FILE_MISSING',
+        `Tracking canonical file is missing (${tracking.canonical_path ?? 'undeclared'}).`
+      ),
+    ];
+  }
+
+  if (tracking.single_in_progress_valid === false) {
+    return [
+      toErrorViolation(
+        'TRACKING_CANONICAL_IN_PROGRESS_INVALID',
+        `Tracking canonical file must contain exactly one in-progress task (count=${tracking.in_progress_count ?? 'n/a'}).`
+      ),
+    ];
+  }
+
+  return [];
+};
+
 const resolvePendingChanges = (repoState: RepoState): number | null => {
   if (!repoState.git.available) {
     return null;
@@ -1422,6 +1578,7 @@ export const evaluateAiGate = (
     readMcpAiGateReceipt: activeDependencies.readMcpAiGateReceipt,
   });
   const gitflowViolations = collectGitflowViolations(repoState, protectedBranches);
+  const trackingViolations = collectTrackingViolations(repoState);
   const skillsContract = toSkillsContractAssessment({
     stage: params.stage,
     repoRoot: params.repoRoot,
@@ -1445,10 +1602,16 @@ export const evaluateAiGate = (
             `Skills contract incomplete for ${params.stage}: ${skillsContract.violations.map((violation) => violation.code).join(', ')}.`
           ),
         ];
+  const policyThresholdViolations = collectEvidencePolicyThresholdViolations({
+    evidenceResult,
+    policy: resolvedPolicy.policy,
+  });
   const violations = [
     ...evidenceAssessment.violations,
+    ...policyThresholdViolations,
     ...stageSkillsContractViolations,
     ...gitflowViolations,
+    ...trackingViolations,
     ...mcpReceiptAssessment.violations,
   ];
   const blocked = violations.some((violation) => violation.severity === 'ERROR');

package/integrations/gate/governanceActionCatalog.ts

@@ -119,6 +119,51 @@ export const resolveGovernanceCatalogAction = (params: {
           command: 'git checkout -b feature/<descripcion-kebab-case>',
         },
       };
+    case 'GITFLOW_BRANCH_NAMING_INVALID':
+    case 'GITFLOW_BRANCH_NAMING_INVALID_CONTEXT':
+      return {
+        reason_code: 'GITFLOW_BRANCH_NAMING_INVALID_CONTEXT',
+        instruction:
+          'Renombra o recrea la rama actual con un prefijo GitFlow válido antes de continuar.',
+        next_action: {
+          kind: 'run_command',
+          message: 'Crea una rama válida y mueve el trabajo a esa rama antes de seguir.',
+          command: 'git checkout -b feature/<descripcion-kebab-case>',
+        },
+      };
+    case 'TRACKING_CANONICAL_SOURCE_CONFLICT':
+      return {
+        reason_code: 'TRACKING_CANONICAL_SOURCE_CONFLICT',
+        instruction:
+          'Alinea AGENTS.md y los README canónicos para que todos apunten al mismo MD de seguimiento.',
+        next_action: {
+          kind: 'info',
+          message:
+            'Deja una única fuente canónica de tracking y elimina referencias legacy o contradictorias.',
+        },
+      };
+    case 'TRACKING_CANONICAL_FILE_MISSING':
+      return {
+        reason_code: 'TRACKING_CANONICAL_FILE_MISSING',
+        instruction:
+          'Crea o restaura el MD de seguimiento canónico declarado por el repo antes de continuar.',
+        next_action: {
+          kind: 'info',
+          message:
+            'Restaura el archivo canónico de tracking y vuelve a validar governance.',
+        },
+      };
+    case 'TRACKING_CANONICAL_IN_PROGRESS_INVALID':
+      return {
+        reason_code: 'TRACKING_CANONICAL_IN_PROGRESS_INVALID',
+        instruction:
+          'El tracking canónico debe tener exactamente una tarea o fase en construcción.',
+        next_action: {
+          kind: 'info',
+          message:
+            'Corrige el MD canónico para dejar exactamente una `🚧` antes de continuar.',
+        },
+      };
     case 'POLICY_STAGE_NOT_STRICT':
       return {
         reason_code: 'POLICY_STAGE_NOT_STRICT',

package/integrations/gate/remediationCatalog.ts

@@ -17,6 +17,14 @@ export const REMEDIATION_HINT_BY_CODE: Readonly<Record<string, string>> = {
   EVIDENCE_ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES:
     'Reconcilia policy/skills y revalida PRE_WRITE: npx --yes --package pumuki@latest pumuki policy reconcile --strict --json && npx --yes --package pumuki@latest pumuki sdd validate --stage=PRE_WRITE --json',
   GITFLOW_PROTECTED_BRANCH: 'Trabaja en feature/* y evita ramas protegidas.',
+  GITFLOW_BRANCH_NAMING_INVALID:
+    'Renombra o recrea la rama con un prefijo GitFlow válido (feature/*, bugfix/*, hotfix/*, release/*, chore/*, refactor/* o docs/*).',
+  TRACKING_CANONICAL_SOURCE_CONFLICT:
+    'Alinea AGENTS.md y los README canónicos para que todos apunten al mismo MD de seguimiento.',
+  TRACKING_CANONICAL_FILE_MISSING:
+    'Crea o restaura el archivo canónico de tracking declarado por el repo.',
+  TRACKING_CANONICAL_IN_PROGRESS_INVALID:
+    'Deja exactamente una tarea o fase `🚧` en el MD canónico de seguimiento antes de continuar.',
   EVIDENCE_PREWRITE_WORKTREE_OVER_LIMIT:
     'Reduce archivos staged/unstaged por debajo del umbral (o ajusta PUMUKI_PREWRITE_WORKTREE_*); divide el trabajo en commits más pequeños.',
   EVIDENCE_PREWRITE_WORKTREE_WARN:

package/integrations/git/GitService.ts

@@ -9,7 +9,6 @@ export { parseNameStatus } from './gitDiffUtils';
 export interface IGitService {
   runGit(args: ReadonlyArray<string>, cwd?: string): string;
   getStagedFacts(extensions: ReadonlyArray<string>): ReadonlyArray<Fact>;
-  getUnstagedFacts(extensions: ReadonlyArray<string>): ReadonlyArray<Fact>;
   getRepoFacts(extensions: ReadonlyArray<string>): ReadonlyArray<Fact>;
   getRepoAndStagedFacts(extensions: ReadonlyArray<string>): ReadonlyArray<Fact>;
   getStagedAndUnstagedFacts(extensions: ReadonlyArray<string>): ReadonlyArray<Fact>;
@@ -45,30 +44,6 @@ export class GitService implements IGitService {
     );
   }
 
-  getUnstagedFacts(extensions: ReadonlyArray<string>): ReadonlyArray<Fact> {
-    const nameStatus = this.runGit(['diff', '--name-status']);
-    const changes = parseNameStatus(nameStatus).filter((change) =>
-      hasAllowedExtension(change.path, extensions)
-    );
-    const untrackedPaths = this.runGit(['ls-files', '--others', '--exclude-standard'])
-      .split('\n')
-      .map((line) => line.trim())
-      .filter((line) => line.length > 0)
-      .filter((path) => hasAllowedExtension(path, extensions));
-    const unstagedPaths = new Set(changes.map((change) => change.path));
-    const untrackedChanges = untrackedPaths
-      .filter((path) => !unstagedPaths.has(path))
-      .map((path) => ({
-        path,
-        changeType: 'added' as const,
-      }));
-    const mergedChanges = [...changes, ...untrackedChanges];
-    const repoRoot = this.resolveRepoRoot();
-    return buildFactsFromChanges(mergedChanges, 'git:unstaged', (filePath) =>
-      this.readWorkingTreeFile(repoRoot, filePath)
-    );
-  }
-
   getRepoFacts(extensions: ReadonlyArray<string>): ReadonlyArray<Fact> {
     const trackedFiles = this.runGit(['ls-files'])
       .split('\n')