pumuki 6.3.97 → 6.3.99

package/integrations/git/runPlatformGateFacts.ts

@@ -19,6 +19,11 @@ export type GateScope =
     kind: 'workingTree';
     extensions?: string[];
   }
+  | {
+    kind: 'unstaged';
+    extensions?: string[];
+    includeUntracked?: boolean;
+  }
   | {
     kind: 'range';
     fromRef: string;
@@ -26,7 +31,17 @@ export type GateScope =
     extensions?: string[];
   };
 
-const DEFAULT_EXTENSIONS = ['.swift', '.ts', '.tsx', '.js', '.jsx', '.kt', '.kts'];
+export const DEFAULT_FACT_FILE_EXTENSIONS: ReadonlyArray<string> = [
+  '.swift',
+  '.ts',
+  '.tsx',
+  '.js',
+  '.jsx',
+  '.kt',
+  '.kts',
+];
+
+const DEFAULT_EXTENSIONS = DEFAULT_FACT_FILE_EXTENSIONS;
 
 export const countScannedFilesFromFacts = (facts: ReadonlyArray<Fact>): number => {
   const contentPaths = new Set<string>();
@@ -66,6 +81,9 @@ export const resolveFactsForGateScope = async (params: {
   if (params.scope.kind === 'workingTree') {
     return params.git.getStagedAndUnstagedFacts(extensions);
   }
+  if (params.scope.kind === 'unstaged') {
+    return params.git.getUnstagedFacts(extensions, params.scope.includeUntracked);
+  }
 
   return getFactsForCommitRange({
     fromRef: params.scope.fromRef,

package/integrations/git/runPlatformGateOutput.ts

@@ -1,5 +1,27 @@
 import type { Finding } from '../../core/gate/Finding';
-import { resolveGovernanceCatalogAction } from '../gate/governanceActionCatalog';
+
+const BLOCK_NEXT_ACTION_BY_CODE: Readonly<Record<string, string>> = {
+  SDD_SESSION_MISSING:
+    'npx --yes --package pumuki@latest pumuki sdd session --open --change=<id>',
+  SDD_SESSION_INVALID:
+    'npx --yes --package pumuki@latest pumuki sdd session --refresh --ttl-minutes=90',
+  PRE_PUSH_UPSTREAM_MISSING:
+    'git push --set-upstream origin <branch>',
+  PRE_PUSH_UPSTREAM_MISALIGNED:
+    'git branch --unset-upstream && git push --set-upstream origin <branch>',
+  EVIDENCE_STALE:
+    'npx --yes --package pumuki@latest pumuki-pre-commit',
+  EVIDENCE_BRANCH_MISMATCH:
+    'npx --yes --package pumuki@latest pumuki-pre-commit',
+  GIT_ATOMICITY_TOO_MANY_FILES:
+    'git restore --staged . && separa cambios en commits más pequeños',
+  GIT_ATOMICITY_TOO_MANY_SCOPES:
+    'Revisa scope_files del bloqueo y aplica: git restore --staged . && git add <scope>/ && git commit -m "<tipo>: <scope>"',
+  ACTIVE_RULE_IDS_EMPTY_FOR_CODE_CHANGES_HIGH:
+    'Reconcilia policy/skills y reintenta PRE_COMMIT: npx --yes --package pumuki@latest pumuki policy reconcile --strict --json && npx --yes --package pumuki@latest pumuki-pre-commit',
+  SKILLS_SKILLS_FRONTEND_NO_SOLID_VIOLATIONS:
+    'Aplica refactor incremental: extrae 1 componente/hook por commit y vuelve a ejecutar PRE_COMMIT.',
+};
 
 const severityWeight = (severity: string): number => {
   switch (severity.toUpperCase()) {
@@ -72,49 +94,18 @@ const formatFinding = (finding: Finding): string => {
   return `[${severity}] ${finding.ruleId}: ${finding.message} -> ${location}`;
 };
 
-const resolveAtomicityFallback = (code: string): string | null => {
-  switch (code) {
-    case 'GIT_ATOMICITY_TOO_MANY_FILES':
-      return 'git restore --staged . && separa cambios en commits más pequeños';
-    case 'GIT_ATOMICITY_TOO_MANY_SCOPES':
-      return 'Revisa scope_files del bloqueo y aplica: git restore --staged . && git add <scope>/ && git commit -m "<tipo>: <scope>"';
-    default:
-      return null;
-  }
-};
-
-export const printGateFindings = (
-  findings: ReadonlyArray<Finding>,
-  params?: { stage?: 'PRE_COMMIT' | 'PRE_PUSH' | 'CI' }
-): void => {
+export const printGateFindings = (findings: ReadonlyArray<Finding>): void => {
   if (findings.length === 0) {
     return;
   }
   const primary = resolvePrimaryFinding(findings);
-  const action = resolveGovernanceCatalogAction({
-    code: primary.code,
-    stage: params?.stage ?? 'PRE_COMMIT',
-    fallback: {
-      reason_code: primary.code,
-      instruction: 'Corrige el bloqueante primario y vuelve a ejecutar la validación del stage actual.',
-      next_action: {
-        kind: 'info',
-        message:
-          resolveAtomicityFallback(primary.code)
-          ?? 'Corrige el bloqueante primario y vuelve a ejecutar el mismo comando.',
-      },
-    },
-  });
-  const nextAction = action.next_action.command ?? action.next_action.message;
+  const nextAction =
+    BLOCK_NEXT_ACTION_BY_CODE[primary.code]
+    ?? 'Corrige el bloqueante primario y vuelve a ejecutar el mismo comando.';
   process.stdout.write(
     `[pumuki][block-summary] primary=${primary.code} severity=${primary.severity.toUpperCase()} rule=${primary.ruleId}\n`
   );
-  process.stdout.write(`[pumuki][block-summary] reason_code=${action.reason_code}\n`);
-  process.stdout.write(`[pumuki][block-summary] instruction=${action.instruction}\n`);
   process.stdout.write(`[pumuki][block-summary] next_action=${nextAction}\n`);
-  if (action.next_action.command) {
-    process.stdout.write(`[pumuki][block-summary] command=${action.next_action.command}\n`);
-  }
   for (const finding of findings) {
     process.stdout.write(`${formatFinding(finding)}\n`);
   }

package/integrations/lifecycle/adapter.templates.json

@@ -19,7 +19,7 @@
         },
         "mcp": {
           "enterprise": {
-            "command": "PUMUKI_EXPERIMENTAL_MCP_ENTERPRISE=advisory npx --yes --package pumuki@latest pumuki-mcp-enterprise-stdio"
+            "command": "npx --yes --package pumuki@latest pumuki-mcp-enterprise-stdio"
           },
           "evidence": {
             "command": "npx --yes --package pumuki@latest pumuki-mcp-evidence-stdio"
@@ -31,6 +31,7 @@
   "repo": [
     {
       "path": ".pumuki/adapter.json",
+      "mode": "json-merge",
       "payload": {
         "hooks": {
           "pre_write": {
@@ -48,7 +49,7 @@
         },
         "mcp": {
           "enterprise": {
-            "command": "PUMUKI_EXPERIMENTAL_MCP_ENTERPRISE=advisory npx --yes --package pumuki@latest pumuki-mcp-enterprise-stdio"
+            "command": "npx --yes --package pumuki@latest pumuki-mcp-enterprise-stdio"
           },
           "evidence": {
             "command": "npx --yes --package pumuki@latest pumuki-mcp-evidence-stdio"
@@ -85,10 +86,7 @@
               "--package",
               "pumuki@latest",
               "pumuki-mcp-enterprise-stdio"
-            ],
-            "env": {
-              "PUMUKI_EXPERIMENTAL_MCP_ENTERPRISE": "advisory"
-            }
+            ]
           },
           "pumuki-evidence": {
             "command": "npx",
@@ -116,10 +114,7 @@
               "--package",
               "pumuki@latest",
               "pumuki-mcp-enterprise-stdio"
-            ],
-            "env": {
-              "PUMUKI_EXPERIMENTAL_MCP_ENTERPRISE": "advisory"
-            }
+            ]
           },
           "pumuki-evidence": {
             "command": "npx",
@@ -183,7 +178,7 @@
         "postCommand": "npx --yes --package pumuki@latest pumuki-pre-commit",
         "pushCommand": "npx --yes --package pumuki@latest pumuki-pre-push",
         "ciCommand": "npx --yes --package pumuki@latest pumuki-ci",
-        "mcpCommand": "PUMUKI_EXPERIMENTAL_MCP_ENTERPRISE=advisory npx --yes --package pumuki@latest pumuki-mcp-enterprise-stdio"
+        "mcpCommand": "npx --yes --package pumuki@latest pumuki-mcp-enterprise-stdio"
       }
     },
     {
@@ -201,7 +196,6 @@
             ],
             "disabledTools": [],
             "env": {
-              "PUMUKI_EXPERIMENTAL_MCP_ENTERPRISE": "advisory",
               "PUMUKI_ENTERPRISE_MCP_PORT": "0",
               "PUMUKI_ENTERPRISE_MCP_HOST": "127.0.0.1"
             },
@@ -247,7 +241,7 @@
         },
         "mcp": {
           "enterprise": {
-            "command": "PUMUKI_EXPERIMENTAL_MCP_ENTERPRISE=advisory npx --yes --package pumuki@latest pumuki-mcp-enterprise-stdio"
+            "command": "npx --yes --package pumuki@latest pumuki-mcp-enterprise-stdio"
           },
           "evidence": {
             "command": "npx --yes --package pumuki@latest pumuki-mcp-evidence-stdio"

package/integrations/lifecycle/adapter.ts

@@ -2,7 +2,6 @@ import { mkdirSync, readFileSync, writeFileSync } from 'node:fs';
 import { homedir } from 'node:os';
 import { dirname, isAbsolute, join, resolve } from 'node:path';
 import { LifecycleGitService, type ILifecycleGitService } from './gitService';
-import { writeLifecycleBootstrapManifest } from './bootstrapManifest';
 
 export type AdapterAgent = string;
 
@@ -12,10 +11,6 @@ export type LifecycleAdapterInstallResult = {
   dryRun: boolean;
   written: boolean;
   changedFiles: ReadonlyArray<string>;
-  bootstrapManifest: {
-    path: string;
-    changed: boolean;
-  };
 };
 
 type AdapterTemplate = {
@@ -159,30 +154,11 @@ export const runLifecycleAdapterInstall = (params: {
     writeFileSync(absolutePath, nextContents, 'utf8');
   }
 
-  let bootstrapManifest = {
-    path: join(repoRoot, '.pumuki', 'bootstrap-manifest.json'),
-    changed: false,
-  };
-  if (!dryRun) {
-    const manifestWrite = writeLifecycleBootstrapManifest({
-      git,
-      repoRoot,
-    });
-    bootstrapManifest = {
-      path: manifestWrite.path,
-      changed: manifestWrite.changed,
-    };
-    if (manifestWrite.changed) {
-      changedFiles.push('.pumuki/bootstrap-manifest.json');
-    }
-  }
-
   return {
     repoRoot,
     agent: params.agent,
     dryRun,
     written: !dryRun,
     changedFiles,
-    bootstrapManifest,
   };
 };

package/integrations/lifecycle/artifacts.ts

@@ -11,12 +11,7 @@ import {
 import { dirname, isAbsolute, join, resolve } from 'node:path';
 import type { ILifecycleGitService } from './gitService';
 
-const PUMUKI_ARTIFACTS = [
-  '.ai_evidence.json',
-  '.AI_EVIDENCE.json',
-  '.pumuki/adapter.json',
-  '.pumuki/bootstrap-manifest.json',
-] as const;
+const PUMUKI_ARTIFACTS = ['.ai_evidence.json', '.AI_EVIDENCE.json'] as const;
 const RUNTIME_ARTIFACT_IGNORE_ENTRIES = [...PUMUKI_ARTIFACTS, '.pumuki/'] as const;
 const RUNTIME_ARTIFACT_IGNORE_BEGIN = '# >>> pumuki-runtime-artifacts >>>';
 const RUNTIME_ARTIFACT_IGNORE_END = '# <<< pumuki-runtime-artifacts <<<';

package/integrations/lifecycle/audit.ts

@@ -0,0 +1,101 @@
+import { readEvidence } from '../evidence/readEvidence';
+import { GitService } from '../git/GitService';
+import { hasAllowedExtension } from '../git/gitDiffUtils';
+import { runPlatformGate } from '../git/runPlatformGate';
+import { evaluatePlatformGateFindings } from '../git/runPlatformGateEvaluation';
+import { DEFAULT_FACT_FILE_EXTENSIONS } from '../git/runPlatformGateFacts';
+import { resolvePolicyForStage } from '../gate/stagePolicies';
+
+export type LifecycleAuditStage = 'PRE_COMMIT' | 'PRE_PUSH' | 'CI';
+
+export type LifecycleAuditResult = {
+  command: 'pumuki audit';
+  repo_root: string;
+  stage: LifecycleAuditStage;
+  scope: { kind: 'repo' };
+  audit_mode: 'gate' | 'engine';
+  gate_exit_code: number;
+  files_scanned: number | null;
+  untracked_matching_extensions_count: number;
+  snapshot_outcome: string | null;
+  policy_reconcile_hint: string;
+};
+
+const POLICY_RECONCILE_HINT =
+  'If .pumuki/policy-as-code.json signatures drift after a pumuki upgrade, run: pumuki policy reconcile --apply';
+
+const countUntrackedMatchingExtensions = (
+  git: GitService,
+  extensions: ReadonlyArray<string>
+): number => {
+  const repoRoot = git.resolveRepoRoot();
+  const raw = git.runGit(['ls-files', '--others', '--exclude-standard'], repoRoot);
+  return raw
+    .split('\n')
+    .map((line) => line.trim())
+    .filter((line) => line.length > 0)
+    .filter((path) => hasAllowedExtension(path, extensions)).length;
+};
+
+export const runLifecycleAudit = async (params: {
+  stage: LifecycleAuditStage;
+  auditMode: 'gate' | 'engine';
+}): Promise<LifecycleAuditResult> => {
+  const git = new GitService();
+  const repoRoot = git.resolveRepoRoot();
+  const resolved = resolvePolicyForStage(params.stage, repoRoot);
+  const extensions = DEFAULT_FACT_FILE_EXTENSIONS;
+  const untrackedMatchingExtensionsCount = countUntrackedMatchingExtensions(git, extensions);
+
+  const gateParams =
+    params.auditMode === 'engine'
+      ? {
+          policy: resolved.policy,
+          policyTrace: resolved.trace,
+          scope: { kind: 'repo' as const },
+          silent: true,
+          auditMode: 'engine' as const,
+          dependencies: {
+            evaluatePlatformGateFindings: (
+              evalParams: Parameters<typeof evaluatePlatformGateFindings>[0]
+            ) =>
+              evaluatePlatformGateFindings(evalParams, {
+                loadHeuristicsConfig: () => ({
+                  astSemanticEnabled: true,
+                  typeScriptScope: 'all',
+                }),
+              }),
+            printGateFindings: () => {},
+          },
+        }
+      : {
+          policy: resolved.policy,
+          policyTrace: resolved.trace,
+          scope: { kind: 'repo' as const },
+          silent: true,
+          auditMode: 'gate' as const,
+        };
+
+  const gateExitCode = await runPlatformGate(gateParams);
+  const evidence = readEvidence(repoRoot);
+  const filesScanned =
+    typeof evidence?.snapshot.files_scanned === 'number' &&
+    Number.isFinite(evidence.snapshot.files_scanned)
+      ? evidence.snapshot.files_scanned
+      : null;
+  const snapshotOutcome =
+    typeof evidence?.snapshot.outcome === 'string' ? evidence.snapshot.outcome : null;
+
+  return {
+    command: 'pumuki audit',
+    repo_root: repoRoot,
+    stage: params.stage,
+    scope: { kind: 'repo' },
+    audit_mode: params.auditMode,
+    gate_exit_code: gateExitCode,
+    files_scanned: filesScanned,
+    untracked_matching_extensions_count: untrackedMatchingExtensionsCount,
+    snapshot_outcome: snapshotOutcome,
+    policy_reconcile_hint: POLICY_RECONCILE_HINT,
+  };
+};