pumuki 6.3.97 → 6.3.99

package/integrations/lifecycle/cli.ts

@@ -4,15 +4,11 @@ import type { GatePolicy } from '../../core/gate/GatePolicy';
 import { runPlatformGate } from '../git/runPlatformGate';
 import { collectWorktreeAtomicSlices } from '../git/worktreeAtomicSlices';
 import {
-  doctorCommandShouldFailExit,
-  doctorCommandShouldWarnHuman,
   doctorHasBlockingIssues,
-  doctorHasGovernanceAttention,
   doctorHasParityMismatch,
   runLifecycleDoctor,
   type LifecycleDoctorReport,
 } from './doctor';
-import { printGovernanceConsoleHuman } from './cliGovernanceConsole';
 import { runLifecycleInstall } from './install';
 import { runLifecycleRemove } from './remove';
 import { readLifecycleStatus } from './status';
@@ -76,6 +72,7 @@ import {
   type RemoteCiDiagnostics,
 } from './remoteCiDiagnostics';
 import { runPolicyReconcile } from './policyReconcile';
+import { runLifecycleAudit, type LifecycleAuditStage } from './audit';
 import { resolvePreWriteEnforcement, type PreWriteEnforcementResolution } from '../policy/preWriteEnforcement';
 
 type LifecycleCommand =
@@ -91,7 +88,8 @@ type LifecycleCommand =
   | 'sdd'
   | 'adapter'
   | 'analytics'
-  | 'policy';
+  | 'policy'
+  | 'audit';
 
 type SddCommand =
   | 'status'
@@ -152,7 +150,6 @@ export type ParsedArgs = {
   sddEvidenceTestStatus?: SddEvidenceScaffoldTestStatus;
   sddEvidenceTestOutput?: string;
   sddEvidenceFromEvidence?: string;
-  sddEvidenceTraceabilityMarkdown?: string;
   sddStateSyncDryRun?: boolean;
   sddStateSyncScenarioId?: string;
   sddStateSyncStatus?: SddStateSyncStatus;
@@ -178,6 +175,8 @@ export type ParsedArgs = {
   policyCommand?: PolicyCommand;
   policyStrict?: boolean;
   policyApply?: boolean;
+  auditStage?: LifecycleAuditStage;
+  auditEngine?: boolean;
 };
 
 const HELP_TEXT = `
@@ -188,6 +187,7 @@ Pumuki lifecycle commands:
   pumuki remove
   pumuki update [--latest|--spec=<package-spec>]
   pumuki doctor [--remote-checks] [--deep] [--parity] [--json]
+  pumuki audit [--stage=PRE_COMMIT|PRE_PUSH|CI] [--engine] [--json]
   pumuki status [--json] [--remote-checks]
   pumuki watch [--stage=PRE_COMMIT|PRE_PUSH|CI] [--scope=workingTree|staged|repoAndStaged|repo] [--severity=critical|high|medium|low] [--interval-ms=<n>] [--notify-cooldown-ms=<n>] [--no-notify] [--once|--iterations=<n>] [--json]
   pumuki loop run --objective=<text> [--max-attempts=<n>] [--json]
@@ -209,7 +209,7 @@ Pumuki lifecycle commands:
   pumuki sdd sync [--change=<change-id>] [--stage=PRE_WRITE|PRE_COMMIT|PRE_PUSH|CI] [--task=<task-id>] [--from-evidence=<path>] [--dry-run] [--json]
   pumuki sdd learn --change=<change-id> [--stage=PRE_WRITE|PRE_COMMIT|PRE_PUSH|CI] [--task=<task-id>] [--from-evidence=<path>] [--dry-run] [--json]
   pumuki sdd auto-sync --change=<change-id> [--stage=PRE_WRITE|PRE_COMMIT|PRE_PUSH|CI] [--task=<task-id>] [--from-evidence=<path>] [--dry-run] [--json]
-  pumuki sdd evidence --scenario-id=<id> --test-command=<command> --test-status=passed|failed [--test-output=<path>] [--from-evidence=<path>] [--traceability-markdown=<path>] [--dry-run] [--json]
+  pumuki sdd evidence --scenario-id=<id> --test-command=<command> --test-status=passed|failed [--test-output=<path>] [--from-evidence=<path>] [--dry-run] [--json]
   pumuki sdd state-sync [--scenario-id=<id>] [--status=todo|in_progress|blocked|done] [--from-evidence=<path>] [--board-path=<path>] [--force] [--dry-run] [--json]
   aliases de --stage: RED=PRE_WRITE, GREEN=PRE_COMMIT, REFACTOR=PRE_PUSH, CLOSE=CI
 `.trim();
@@ -233,7 +233,8 @@ const isLifecycleCommand = (value: string): value is LifecycleCommand =>
   value === 'sdd' ||
   value === 'adapter' ||
   value === 'analytics' ||
-  value === 'policy';
+  value === 'policy' ||
+  value === 'audit';
 
 const parseAdapterAgent = (value?: string): AdapterAgent => {
   const normalized = (value ?? '').trim();
@@ -263,6 +264,16 @@ const parseSddStage = (value?: string): SddStage => {
   throw new Error(`Unsupported SDD stage "${value}". Use PRE_WRITE, PRE_COMMIT, PRE_PUSH or CI.`);
 };
 
+const parseAuditStage = (value?: string): LifecycleAuditStage => {
+  const stage = parseSddStage(value);
+  if (stage === 'PRE_WRITE') {
+    throw new Error(
+      'PRE_WRITE is not supported for "pumuki audit". Use PRE_COMMIT, PRE_PUSH or CI (aliases GREEN, REFACTOR, CLOSE).'
+    );
+  }
+  return stage;
+};
+
 const parseSddEvidencePath = (value: string): string => {
   const normalized = value.trim();
   if (normalized.length === 0) {
@@ -613,7 +624,6 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
   let sddEvidenceTestStatus: ParsedArgs['sddEvidenceTestStatus'];
   let sddEvidenceTestOutput: ParsedArgs['sddEvidenceTestOutput'];
   let sddEvidenceFromEvidence: ParsedArgs['sddEvidenceFromEvidence'];
-  let sddEvidenceTraceabilityMarkdown: ParsedArgs['sddEvidenceTraceabilityMarkdown'];
   let sddStateSyncDryRun = false;
   let sddStateSyncScenarioId: ParsedArgs['sddStateSyncScenarioId'];
   let sddStateSyncStatus: ParsedArgs['sddStateSyncStatus'];
@@ -629,6 +639,8 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
   let analyticsSinceDays: ParsedArgs['analyticsSinceDays'];
   let analyticsJsonOutputPath: ParsedArgs['analyticsJsonOutputPath'];
   let analyticsMarkdownOutputPath: ParsedArgs['analyticsMarkdownOutputPath'];
+  let auditStage: LifecycleAuditStage | undefined;
+  let auditEngine = false;
 
   if (commandRaw === 'watch') {
     for (const arg of argv.slice(1)) {
@@ -812,6 +824,31 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
     };
   }
 
+  if (commandRaw === 'audit') {
+    for (const arg of argv.slice(1)) {
+      if (arg === '--json') {
+        json = true;
+        continue;
+      }
+      if (arg === '--engine') {
+        auditEngine = true;
+        continue;
+      }
+      if (arg.startsWith('--stage=')) {
+        auditStage = parseAuditStage(arg.slice('--stage='.length));
+        continue;
+      }
+      throw new Error(`Unsupported argument "${arg}".\n\n${HELP_TEXT}`);
+    }
+    return {
+      command: commandRaw,
+      purgeArtifacts: false,
+      json,
+      auditStage: auditStage ?? 'PRE_COMMIT',
+      ...(auditEngine ? { auditEngine: true } : {}),
+    };
+  }
+
   if (commandRaw === 'loop') {
     const subcommandRaw = argv[1] ?? '';
     if (
@@ -1097,17 +1134,6 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
         sddEvidenceTestOutput = testOutputPath;
         continue;
       }
-      if (arg.startsWith('--traceability-markdown=')) {
-        if (sddCommand !== 'evidence') {
-          throw new Error(`--traceability-markdown is only supported with "pumuki sdd evidence".\n\n${HELP_TEXT}`);
-        }
-        const traceabilityMarkdownPath = arg.slice('--traceability-markdown='.length).trim();
-        if (traceabilityMarkdownPath.length === 0) {
-          throw new Error(`Invalid --traceability-markdown value "${arg}".`);
-        }
-        sddEvidenceTraceabilityMarkdown = traceabilityMarkdownPath;
-        continue;
-      }
       if (arg.startsWith('--from-evidence=')) {
         if (sddCommand === 'sync-docs') {
           sddSyncDocsFromEvidence = parseSddEvidencePath(
@@ -1268,7 +1294,7 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
         sddAutoSyncChange
       ) {
         throw new Error(
-          `"pumuki sdd evidence" only supports --scenario-id=<id> --test-command=<command> --test-status=passed|failed [--test-output=<path>] [--from-evidence=<path>] [--traceability-markdown=<path>] [--dry-run] [--json].\n\n${HELP_TEXT}`
+          `"pumuki sdd evidence" only supports --scenario-id=<id> --test-command=<command> --test-status=passed|failed [--test-output=<path>] [--from-evidence=<path>] [--dry-run] [--json].\n\n${HELP_TEXT}`
         );
       }
       if (!sddEvidenceScenarioId) {
@@ -1291,7 +1317,6 @@ export const parseLifecycleCliArgs = (argv: ReadonlyArray<string>): ParsedArgs =
         sddEvidenceTestStatus,
         ...(sddEvidenceTestOutput ? { sddEvidenceTestOutput } : {}),
         ...(sddEvidenceFromEvidence ? { sddEvidenceFromEvidence } : {}),
-        ...(sddEvidenceTraceabilityMarkdown ? { sddEvidenceTraceabilityMarkdown } : {}),
       };
     }
     if (sddCommand === 'state-sync') {
@@ -1535,12 +1560,11 @@ const printDoctorReport = (
   writeInfo(
     `[pumuki] hook pre-push: ${report.hookStatus['pre-push'].managedBlockPresent ? 'managed' : 'missing'}`
   );
-  printGovernanceConsoleHuman({
-    governanceObservation: report.governanceObservation,
-    governanceNextAction: report.governanceNextAction,
-    policyValidation: report.policyValidation,
-    experimentalFeatures: report.experimentalFeatures,
-  });
+  writeInfo(
+    `[pumuki] policy-as-code: PRE_COMMIT=${report.policyValidation.stages.PRE_COMMIT.validationCode ?? 'n/a'} strict=${report.policyValidation.stages.PRE_COMMIT.strict ? 'yes' : 'no'} ` +
+    `PRE_PUSH=${report.policyValidation.stages.PRE_PUSH.validationCode ?? 'n/a'} strict=${report.policyValidation.stages.PRE_PUSH.strict ? 'yes' : 'no'} ` +
+    `CI=${report.policyValidation.stages.CI.validationCode ?? 'n/a'} strict=${report.policyValidation.stages.CI.strict ? 'yes' : 'no'}`
+  );
 
   for (const issue of report.issues) {
     writeInfo(`[pumuki] ${issue.severity.toUpperCase()}: ${issue.message}`);
@@ -1573,19 +1597,17 @@ const printDoctorReport = (
     }
   }
 
-  const hasBlocking = doctorCommandShouldFailExit(report);
-  const hasWarnings = doctorCommandShouldWarnHuman(report);
+  const hasBlocking =
+    doctorHasBlockingIssues(report) || doctorHasParityMismatch(report);
+  const hasWarnings =
+    report.issues.length > 0 ||
+    report.deep?.checks.some((check) => check.status !== 'pass') === true;
 
   if (!hasWarnings && !hasBlocking) {
     writeInfo('[pumuki] doctor verdict: PASS');
   } else {
     writeInfo(`[pumuki] doctor verdict: ${hasBlocking ? 'BLOCKED' : 'WARN'}`);
   }
-  if (!hasBlocking && doctorHasGovernanceAttention(report)) {
-    writeInfo(
-      '[pumuki] doctor: governance_effective is not GREEN (see governance truth).'
-    );
-  }
 
   if (remoteCiDiagnostics) {
     printRemoteCiDiagnostics(remoteCiDiagnostics);
@@ -1631,8 +1653,8 @@ export type PreWriteOpenSpecBootstrapTrace = {
   details?: string;
 };
 
-export const PRE_WRITE_ENABLE_STRICT_COMMAND =
-  'PUMUKI_EXPERIMENTAL_PRE_WRITE=strict npx --yes --package pumuki@latest pumuki sdd validate --stage=PRE_WRITE --json';
+export const PRE_WRITE_ENABLE_ADVISORY_COMMAND =
+  'PUMUKI_EXPERIMENTAL_PRE_WRITE=advisory npx --yes --package pumuki@latest pumuki sdd validate --stage=PRE_WRITE --json';
 export const buildSddExperimentalEnableAdvisoryCommand = (stage: SddStage): string =>
   `PUMUKI_EXPERIMENTAL_SDD=advisory npx --yes --package pumuki@latest pumuki sdd validate --stage=${stage} --json`;
 const buildAnalyticsExperimentalEnableCommand = (action: AnalyticsHotspotsCommand): string =>
@@ -1726,7 +1748,6 @@ const buildSaasIngestionExperimentalDisabledEnvelope = (
 export const buildPreWriteExperimentalDisabledResult = (params: {
   stage: SddStage;
   status: SddEvaluateResult['status'];
-  source: 'env' | 'legacy-env' | 'default';
 }): SddEvaluateResult => ({
   stage: params.stage,
   status: params.status,
@@ -1734,16 +1755,14 @@ export const buildPreWriteExperimentalDisabledResult = (params: {
     allowed: true,
     code: 'PRE_WRITE_EXPERIMENTAL_DISABLED',
     message:
-      'PRE_WRITE está desactivado explícitamente. Reactívalo con PUMUKI_EXPERIMENTAL_PRE_WRITE=strict si necesitas recuperar el gate previo a escritura.',
+      'PRE_WRITE pertenece al namespace experimental y está desactivado por defecto. Actívalo explícitamente con PUMUKI_EXPERIMENTAL_PRE_WRITE=advisory o strict si necesitas este flujo.',
     details: {
       experimental: true,
-      default_off: false,
-      disabled_explicitly: true,
-      disabled_source: params.source,
+      default_off: true,
       layer: 'experimental',
       activation_env: 'PUMUKI_EXPERIMENTAL_PRE_WRITE',
       legacy_activation_env: 'PUMUKI_PREWRITE_ENFORCEMENT',
-      activation_command: PRE_WRITE_ENABLE_STRICT_COMMAND,
+      activation_command: PRE_WRITE_ENABLE_ADVISORY_COMMAND,
     },
   },
 });
@@ -2125,10 +2144,6 @@ export const runLifecycleCli = async (
                   repo_root: installResult.repoRoot,
                   version: installResult.version,
                   hooks_changed: installResult.changedHooks,
-                  bootstrap_manifest: {
-                    path: installResult.bootstrapManifest.path,
-                    changed: installResult.bootstrapManifest.changed,
-                  },
                   openspec: installResult.openSpecBootstrap
                     ? {
                         installed: installResult.openSpecBootstrap.packageInstalled,
@@ -2141,10 +2156,6 @@ export const runLifecycleCli = async (
                 mcp: {
                   agent: adapterResult.agent,
                   changed_files: adapterResult.changedFiles,
-                  bootstrap_manifest: {
-                    path: adapterResult.bootstrapManifest.path,
-                    changed: adapterResult.bootstrapManifest.changed,
-                  },
                   adapter_health: adapterCheck
                     ? {
                         status: adapterCheck.status,
@@ -2171,9 +2182,6 @@ export const runLifecycleCli = async (
           writeInfo(
             `[pumuki] bootstrap install: hooks changed=${installResult.changedHooks.join(', ') || 'none'}`
           );
-          writeInfo(
-            `[pumuki] bootstrap manifest: path=${installResult.bootstrapManifest.path} changed=${installResult.bootstrapManifest.changed ? 'yes' : 'no'}`
-          );
           if (installResult.openSpecBootstrap) {
             writeInfo(
               `[pumuki] bootstrap openspec: installed=${installResult.openSpecBootstrap.packageInstalled ? 'yes' : 'no'} project=${installResult.openSpecBootstrap.projectInitialized ? 'yes' : 'no'} actions=${installResult.openSpecBootstrap.actions.join(', ') || 'none'}`
@@ -2214,9 +2222,6 @@ export const runLifecycleCli = async (
         writeInfo(
           `[pumuki] installed ${result.version} at ${result.repoRoot} (hooks changed: ${result.changedHooks.join(', ') || 'none'})`
         );
-        writeInfo(
-          `[pumuki] bootstrap manifest: path=${result.bootstrapManifest.path} changed=${result.bootstrapManifest.changed ? 'yes' : 'no'}`
-        );
         if (result.openSpecBootstrap) {
           writeInfo(
             `[pumuki] openspec bootstrap: installed=${result.openSpecBootstrap.packageInstalled ? 'yes' : 'no'} project=${result.openSpecBootstrap.projectInitialized ? 'yes' : 'no'} actions=${result.openSpecBootstrap.actions.join(', ') || 'none'}`
@@ -2232,9 +2237,6 @@ export const runLifecycleCli = async (
           writeInfo(
             `[pumuki] mcp wiring: agent=${adapterResult.agent} changed=${adapterResult.changedFiles.length}`
           );
-          writeInfo(
-            `[pumuki] mcp manifest: path=${adapterResult.bootstrapManifest.path} changed=${adapterResult.bootstrapManifest.changed ? 'yes' : 'no'}`
-          );
           if (adapterResult.changedFiles.length > 0) {
             writeInfo(`[pumuki] mcp files: ${adapterResult.changedFiles.join(', ')}`);
           }
@@ -2291,6 +2293,24 @@ export const runLifecycleCli = async (
         );
         return 0;
       }
+      case 'audit': {
+        const result = await runLifecycleAudit({
+          stage: parsed.auditStage ?? 'PRE_COMMIT',
+          auditMode: parsed.auditEngine === true ? 'engine' : 'gate',
+        });
+        if (parsed.json) {
+          writeInfo(JSON.stringify(result, null, 2));
+        } else {
+          writeInfo(
+            `[pumuki] audit: repo=${result.repo_root} stage=${result.stage} mode=${result.audit_mode} exit=${result.gate_exit_code}`
+          );
+          writeInfo(
+            `[pumuki] audit: files_scanned=${result.files_scanned ?? 'n/a'} untracked_matching_extensions=${result.untracked_matching_extensions_count} outcome=${result.snapshot_outcome ?? 'n/a'}`
+          );
+          writeInfo(`[pumuki] audit: hint=${result.policy_reconcile_hint}`);
+        }
+        return result.gate_exit_code;
+      }
       case 'doctor': {
         const report = runLifecycleDoctor({
           deep: parsed.doctorDeep === true,
@@ -2317,7 +2337,7 @@ export const runLifecycleCli = async (
         } else {
           printDoctorReport(report, remoteCiDiagnostics);
         }
-        return doctorCommandShouldFailExit(report) ? 1 : 0;
+        return doctorHasBlockingIssues(report) || doctorHasParityMismatch(report) ? 1 : 0;
       }
       case 'status': {
         const status = readLifecycleStatus();
@@ -2370,15 +2390,38 @@ export const runLifecycleCli = async (
           writeInfo(
             `[pumuki] hooks: pre-commit=${status.hookStatus['pre-commit'].managedBlockPresent ? 'managed' : 'missing'}, pre-push=${status.hookStatus['pre-push'].managedBlockPresent ? 'managed' : 'missing'}`
           );
-          printGovernanceConsoleHuman({
-            governanceObservation: status.governanceObservation,
-            governanceNextAction: status.governanceNextAction,
-            policyValidation: status.policyValidation,
-            experimentalFeatures: status.experimentalFeatures,
-          });
           writeInfo(
             `[pumuki] tracked node_modules paths: ${status.trackedNodeModulesCount}`
           );
+          writeInfo(
+            `[pumuki] policy-as-code: PRE_COMMIT=${status.policyValidation.stages.PRE_COMMIT.validationCode ?? 'n/a'} strict=${status.policyValidation.stages.PRE_COMMIT.strict ? 'yes' : 'no'} ` +
+            `PRE_PUSH=${status.policyValidation.stages.PRE_PUSH.validationCode ?? 'n/a'} strict=${status.policyValidation.stages.PRE_PUSH.strict ? 'yes' : 'no'} ` +
+            `CI=${status.policyValidation.stages.CI.validationCode ?? 'n/a'} strict=${status.policyValidation.stages.CI.strict ? 'yes' : 'no'}`
+          );
+          writeInfo(
+            `[pumuki] experimental: ANALYTICS=${status.experimentalFeatures.features.analytics.mode} source=${status.experimentalFeatures.features.analytics.source} layer=${status.experimentalFeatures.features.analytics.layer} blocking=${status.experimentalFeatures.features.analytics.blocking ? 'yes' : 'no'} env=${status.experimentalFeatures.features.analytics.activationVariable}`
+          );
+          writeInfo(
+            `[pumuki] experimental: HEURISTICS=${status.experimentalFeatures.features.heuristics.mode} source=${status.experimentalFeatures.features.heuristics.source} layer=${status.experimentalFeatures.features.heuristics.layer} blocking=${status.experimentalFeatures.features.heuristics.blocking ? 'yes' : 'no'} env=${status.experimentalFeatures.features.heuristics.activationVariable}`
+          );
+          writeInfo(
+            `[pumuki] experimental: LEARNING_CONTEXT=${status.experimentalFeatures.features.learning_context.mode} source=${status.experimentalFeatures.features.learning_context.source} layer=${status.experimentalFeatures.features.learning_context.layer} blocking=${status.experimentalFeatures.features.learning_context.blocking ? 'yes' : 'no'} env=${status.experimentalFeatures.features.learning_context.activationVariable}`
+          );
+          writeInfo(
+            `[pumuki] experimental: MCP_ENTERPRISE=${status.experimentalFeatures.features.mcp_enterprise.mode} source=${status.experimentalFeatures.features.mcp_enterprise.source} layer=${status.experimentalFeatures.features.mcp_enterprise.layer} blocking=${status.experimentalFeatures.features.mcp_enterprise.blocking ? 'yes' : 'no'} env=${status.experimentalFeatures.features.mcp_enterprise.activationVariable}`
+          );
+          writeInfo(
+            `[pumuki] experimental: OPERATIONAL_MEMORY=${status.experimentalFeatures.features.operational_memory.mode} source=${status.experimentalFeatures.features.operational_memory.source} layer=${status.experimentalFeatures.features.operational_memory.layer} blocking=${status.experimentalFeatures.features.operational_memory.blocking ? 'yes' : 'no'} env=${status.experimentalFeatures.features.operational_memory.activationVariable}`
+          );
+          writeInfo(
+            `[pumuki] experimental: PRE_WRITE=${status.experimentalFeatures.features.pre_write.mode} source=${status.experimentalFeatures.features.pre_write.source} layer=${status.experimentalFeatures.features.pre_write.layer} blocking=${status.experimentalFeatures.features.pre_write.blocking ? 'yes' : 'no'} env=${status.experimentalFeatures.features.pre_write.activationVariable}`
+          );
+          writeInfo(
+            `[pumuki] experimental: SAAS_INGESTION=${status.experimentalFeatures.features.saas_ingestion.mode} source=${status.experimentalFeatures.features.saas_ingestion.source} layer=${status.experimentalFeatures.features.saas_ingestion.layer} blocking=${status.experimentalFeatures.features.saas_ingestion.blocking ? 'yes' : 'no'} env=${status.experimentalFeatures.features.saas_ingestion.activationVariable}`
+          );
+          writeInfo(
+            `[pumuki] experimental: SDD=${status.experimentalFeatures.features.sdd.mode} source=${status.experimentalFeatures.features.sdd.source} layer=${status.experimentalFeatures.features.sdd.layer} blocking=${status.experimentalFeatures.features.sdd.blocking ? 'yes' : 'no'} env=${status.experimentalFeatures.features.sdd.activationVariable}`
+          );
           if (remoteCiDiagnostics) {
             printRemoteCiDiagnostics(remoteCiDiagnostics);
           }
@@ -2718,9 +2761,6 @@ export const runLifecycleCli = async (
                 `[pumuki] adapter files: ${result.changedFiles.join(', ')}`
               );
             }
-            writeInfo(
-              `[pumuki] adapter manifest: path=${result.bootstrapManifest.path} changed=${result.bootstrapManifest.changed ? 'yes' : 'no'}`
-            );
           }
           return 0;
         }

package/integrations/lifecycle/cliSdd.ts

@@ -35,7 +35,8 @@ import {
   type PreWriteOpenSpecBootstrapTrace,
   buildPreWriteExperimentalDisabledResult,
   buildSddExperimentalEnableAdvisoryCommand,
-  PRE_WRITE_ENABLE_STRICT_COMMAND,
+  runRawPreWriteAiGateCheck,
+  PRE_WRITE_ENABLE_ADVISORY_COMMAND,
 } from './cli';
 
 export const runSddCommand = async (parsed: ParsedArgs, activeDependencies: LifecycleCliDependencies): Promise<number> => {
@@ -83,7 +84,6 @@ export const runSddCommand = async (parsed: ParsedArgs, activeDependencies: Life
             const disabledResult = buildPreWriteExperimentalDisabledResult({
               stage: requestedStage,
               status: readSddStatus(process.cwd()),
-              source: preWriteEnforcement.source,
             });
             if (parsed.json) {
               writeInfo(
@@ -106,7 +106,7 @@ export const runSddCommand = async (parsed: ParsedArgs, activeDependencies: Life
                     },
                     next_action: {
                       reason: 'PRE_WRITE_EXPERIMENTAL_DISABLED',
-                      command: PRE_WRITE_ENABLE_STRICT_COMMAND,
+                      command: PRE_WRITE_ENABLE_ADVISORY_COMMAND,
                     },
                   },
                   null,
@@ -127,7 +127,7 @@ export const runSddCommand = async (parsed: ParsedArgs, activeDependencies: Life
                 `[pumuki][sdd] pre-write enforcement: mode=${preWriteEnforcement.mode} source=${preWriteEnforcement.source} blocking=no`
               );
               writeInfo(
-                `[pumuki][sdd] next action (PRE_WRITE_EXPERIMENTAL_DISABLED): ${PRE_WRITE_ENABLE_STRICT_COMMAND}`
+                `[pumuki][sdd] next action (PRE_WRITE_EXPERIMENTAL_DISABLED): ${PRE_WRITE_ENABLE_ADVISORY_COMMAND}`
               );
             }
             return 0;
@@ -195,9 +195,15 @@ export const runSddCommand = async (parsed: ParsedArgs, activeDependencies: Life
             automationTrace.attempted = auto.trace.attempted;
             automationTrace.actions = auto.trace.actions;
           }
+          const rawPreWriteAiGate = result.stage === 'PRE_WRITE' && aiGate
+            ? runRawPreWriteAiGateCheck({
+              repoRoot: process.cwd(),
+              requireMcpReceipt: true,
+            })
+            : null;
           const nextAction = resolvePreWriteNextAction({
             sdd: result,
-            aiGate,
+            aiGate: rawPreWriteAiGate ?? aiGate,
           });
           const sddExperimentalNextAction =
             !aiGate && result.decision.code === 'SDD_EXPERIMENTAL_DISABLED'
@@ -209,10 +215,10 @@ export const runSddCommand = async (parsed: ParsedArgs, activeDependencies: Life
           if (parsed.json) {
             writeInfo(
               JSON.stringify(
-                (aiGate)
+                (rawPreWriteAiGate ?? aiGate)
                   ? buildPreWriteValidationEnvelope(
                     result,
-                    aiGate!,
+                    rawPreWriteAiGate ?? aiGate!,
                     preWriteEnforcement,
                     experimentalFeatures,
                     policyValidation,
@@ -451,7 +457,6 @@ export const runSddCommand = async (parsed: ParsedArgs, activeDependencies: Life
             testStatus: parsed.sddEvidenceTestStatus,
             testOutputPath: parsed.sddEvidenceTestOutput,
             fromEvidencePath: parsed.sddEvidenceFromEvidence,
-            traceabilityMarkdownPath: parsed.sddEvidenceTraceabilityMarkdown,
           });
           if (parsed.json) {
             writeInfo(JSON.stringify(evidenceResult, null, 2));

package/integrations/lifecycle/doctor.ts

@@ -5,25 +5,10 @@ import { resolvePolicyForStage } from '../gate/stagePolicies';
 import { getPumukiHooksStatus, resolvePumukiHooksDirectory } from './hookManager';
 import { LifecycleGitService, type ILifecycleGitService } from './gitService';
 import { buildLifecycleVersionReport, getCurrentPumukiVersion } from './packageInfo';
-import {
-  readLifecycleExperimentalFeaturesSnapshot,
-  type LifecycleExperimentalFeaturesSnapshot,
-} from './experimentalFeaturesSnapshot';
 import {
   readLifecyclePolicyValidationSnapshot,
   type LifecyclePolicyValidationSnapshot,
 } from './policyValidationSnapshot';
-import {
-  doctorGovernanceIsBlocking,
-  doctorGovernanceNeedsAttention,
-  readGovernanceObservationSnapshot,
-  type GovernanceObservationSnapshot,
-} from './governanceObservationSnapshot';
-import {
-  readGovernanceNextAction,
-  type GovernanceNextActionReader,
-  type GovernanceNextActionSummary,
-} from './governanceNextAction';
 import { readLifecycleState, type LifecycleState } from './state';
 import {
   detectOpenSpecInstallation,
@@ -110,9 +95,7 @@ export type LifecycleDoctorReport = {
   hooksDirectory: string;
   hooksDirectoryResolution: 'git-rev-parse' | 'git-config' | 'default';
   policyValidation: LifecyclePolicyValidationSnapshot;
-  experimentalFeatures: LifecycleExperimentalFeaturesSnapshot;
-  governanceObservation: GovernanceObservationSnapshot;
-  governanceNextAction: GovernanceNextActionSummary;
+  policy_signature_remediation?: string;
   issues: ReadonlyArray<DoctorIssue>;
   deep?: DoctorDeepReport;
   parity_profile?: DoctorParityProfile;
@@ -810,12 +793,20 @@ const compareDoctorParityProfile = (params: {
   };
 };
 
+const buildPolicySignatureRemediation = (
+  policyValidation: LifecyclePolicyValidationSnapshot
+): string | undefined => {
+  const mismatch = Object.values(policyValidation.stages).some(
+    (stage) => stage.validationCode === 'POLICY_AS_CODE_SIGNATURE_MISMATCH'
+  );
+  return mismatch ? 'pumuki policy reconcile --apply' : undefined;
+};
+
 export const runLifecycleDoctor = (params?: {
   cwd?: string;
   git?: ILifecycleGitService;
   deep?: boolean;
   parity?: boolean;
-  governanceNextActionReader?: GovernanceNextActionReader;
 }): LifecycleDoctorReport => {
   const git = params?.git ?? new LifecycleGitService();
   const cwd = params?.cwd ?? process.cwd();
@@ -843,19 +834,6 @@ export const runLifecycleDoctor = (params?: {
     repoRoot,
     lifecycleVersion: lifecycleState.version,
   });
-  const policyValidation = readLifecyclePolicyValidationSnapshot(repoRoot);
-  const experimentalFeatures = readLifecycleExperimentalFeaturesSnapshot();
-  const governanceObservation = readGovernanceObservationSnapshot({
-    repoRoot,
-    experimentalFeatures,
-    policyValidation,
-    git,
-  });
-  const governanceNextAction = (params?.governanceNextActionReader ?? readGovernanceNextAction)({
-    repoRoot,
-    stage: 'PRE_WRITE',
-    governanceObservation,
-  });
 
   const parity_profile =
     params?.parity === true
@@ -869,6 +847,9 @@ export const runLifecycleDoctor = (params?: {
       ? compareDoctorParityProfile({ repoRoot, actual: parity_profile })
       : undefined;
 
+  const policyValidation = readLifecyclePolicyValidationSnapshot(repoRoot);
+  const policySignatureRemediation = buildPolicySignatureRemediation(policyValidation);
+
   return {
     repoRoot,
     packageVersion: version.effective,
@@ -879,9 +860,9 @@ export const runLifecycleDoctor = (params?: {
     hooksDirectory: hooksDirectory.path,
     hooksDirectoryResolution: hooksDirectory.source,
     policyValidation,
-    experimentalFeatures,
-    governanceNextAction,
-    governanceObservation,
+    ...(policySignatureRemediation
+      ? { policy_signature_remediation: policySignatureRemediation }
+      : {}),
     issues,
     deep,
     parity_profile,
@@ -894,16 +875,3 @@ export const doctorHasBlockingIssues = (report: LifecycleDoctorReport): boolean
 
 export const doctorHasParityMismatch = (report: LifecycleDoctorReport): boolean =>
   typeof report.parity_comparison !== 'undefined' && report.parity_comparison.matches === false;
-
-export const doctorHasGovernanceAttention = (report: LifecycleDoctorReport): boolean =>
-  doctorGovernanceNeedsAttention(report.governanceObservation);
-
-export const doctorCommandShouldWarnHuman = (report: LifecycleDoctorReport): boolean =>
-  report.issues.length > 0
-  || report.deep?.checks.some((check) => check.status !== 'pass') === true
-  || doctorHasGovernanceAttention(report);
-
-export const doctorCommandShouldFailExit = (report: LifecycleDoctorReport): boolean =>
-  doctorHasBlockingIssues(report)
-  || doctorHasParityMismatch(report)
-  || doctorGovernanceIsBlocking(report.governanceObservation);