pumuki 6.3.97 → 6.3.99

package/integrations/lifecycle/hookManager.ts

@@ -27,81 +27,6 @@ export type PumukiHooksDirectoryResolution = {
 };
 
 const HOOK_FILE_MODE = 0o755;
-const PUMUKI_WORKTREE_HOOKS_PATH = '.pumuki/git-hooks';
-
-const readLocalGitConfigValue = (repoRoot: string, key: string): string | null => {
-  try {
-    const value = execFileSync('git', ['config', '--local', '--get', key], {
-      cwd: repoRoot,
-      encoding: 'utf8',
-      stdio: ['ignore', 'pipe', 'ignore'],
-    }).trim();
-    return value.length > 0 ? value : null;
-  } catch {
-    return null;
-  }
-};
-
-const writeLocalGitConfigValue = (repoRoot: string, key: string, value: string): void => {
-  execFileSync('git', ['config', '--local', key, value], {
-    cwd: repoRoot,
-    stdio: ['ignore', 'ignore', 'ignore'],
-  });
-};
-
-const unsetLocalGitConfigValue = (repoRoot: string, key: string): void => {
-  try {
-    execFileSync('git', ['config', '--local', '--unset-all', key], {
-      cwd: repoRoot,
-      stdio: ['ignore', 'ignore', 'ignore'],
-    });
-  } catch {
-    // noop
-  }
-};
-
-const isWorktreeCheckout = (repoRoot: string): boolean => {
-  try {
-    const gitPointer = readFileSync(join(repoRoot, '.git'), 'utf8').trim();
-    return /^gitdir:\s+/i.test(gitPointer);
-  } catch {
-    return false;
-  }
-};
-
-const isPumukiManagedWorktreeHooksPath = (repoRoot: string, hooksPath: string): boolean => {
-  const normalizedHooksPath = hooksPath.trim();
-  return (
-    normalizedHooksPath === PUMUKI_WORKTREE_HOOKS_PATH ||
-    normalizedHooksPath === resolve(repoRoot, PUMUKI_WORKTREE_HOOKS_PATH)
-  );
-};
-
-const ensureWorktreeLocalHooksPath = (repoRoot: string): void => {
-  if (!isWorktreeCheckout(repoRoot)) {
-    return;
-  }
-
-  const currentHooksPath = readLocalGitConfigValue(repoRoot, 'core.hooksPath');
-  if (currentHooksPath) {
-    return;
-  }
-
-  writeLocalGitConfigValue(repoRoot, 'core.hooksPath', PUMUKI_WORKTREE_HOOKS_PATH);
-};
-
-const clearWorktreeLocalHooksPath = (repoRoot: string): void => {
-  if (!isWorktreeCheckout(repoRoot)) {
-    return;
-  }
-
-  const currentHooksPath = readLocalGitConfigValue(repoRoot, 'core.hooksPath');
-  if (!currentHooksPath || !isPumukiManagedWorktreeHooksPath(repoRoot, currentHooksPath)) {
-    return;
-  }
-
-  unsetLocalGitConfigValue(repoRoot, 'core.hooksPath');
-};
 
 const resolveGitPath = (repoRoot: string, gitPathTarget: string): string | null => {
   try {
@@ -212,7 +137,6 @@ const ensureHooksDirectory = (repoRoot: string): void => {
 };
 
 export const installPumukiHooks = (repoRoot: string): HookInstallResult => {
-  ensureWorktreeLocalHooksPath(repoRoot);
   ensureHooksDirectory(repoRoot);
   const changedHooks: PumukiManagedHook[] = [];
 
@@ -256,7 +180,6 @@ export const uninstallPumukiHooks = (repoRoot: string): HookUninstallResult => {
     changedHooks.push(hook);
   }
 
-  clearWorktreeLocalHooksPath(repoRoot);
   return { changedHooks };
 };
 

package/integrations/lifecycle/index.ts

@@ -1,4 +1,6 @@
 export { runLifecycleDoctor, doctorHasBlockingIssues } from './doctor';
+export { runLifecycleAudit } from './audit';
+export type { LifecycleAuditResult, LifecycleAuditStage } from './audit';
 export { runLifecycleInstall } from './install';
 export { runLifecycleUninstall } from './uninstall';
 export { runLifecycleRemove } from './remove';

package/integrations/lifecycle/install.ts

@@ -13,7 +13,6 @@ import { createEmptyEvaluationMetrics } from '../evidence/evaluationMetrics';
 import { readOpenSpecManagedArtifacts, writeLifecycleState } from './state';
 import { ensureRuntimeArtifactsIgnored } from './artifacts';
 import { runLifecycleAdapterInstall } from './adapter';
-import { writeLifecycleBootstrapManifest } from './bootstrapManifest';
 
 export type LifecycleInstallResult = {
   repoRoot: string;
@@ -21,10 +20,6 @@ export type LifecycleInstallResult = {
   changedHooks: ReadonlyArray<string>;
   openSpecBootstrap?: OpenSpecBootstrapResult;
   degradedDoctorBypass?: boolean;
-  bootstrapManifest: {
-    path: string;
-    changed: boolean;
-  };
 };
 
 const shouldBootstrapEvidence = (repoRoot: string): boolean =>
@@ -108,20 +103,12 @@ export const runLifecycleInstall = (params?: {
         openSpecManagedArtifacts: priorArtifacts.length > 0 ? priorArtifacts : undefined,
       });
       ensureRepoBaselineAdapter(report.repoRoot);
-      const bootstrapManifest = writeLifecycleBootstrapManifest({
-        git,
-        repoRoot: report.repoRoot,
-      });
       return {
         repoRoot: report.repoRoot,
         version,
         changedHooks,
         openSpecBootstrap: undefined,
         degradedDoctorBypass: true,
-        bootstrapManifest: {
-          path: bootstrapManifest.path,
-          changed: bootstrapManifest.changed,
-        },
       };
     }
     const renderedIssues = report.issues.map((issue) => `- [${issue.severity}] ${issue.message}`).join('\n');
@@ -155,19 +142,11 @@ export const runLifecycleInstall = (params?: {
     openSpecManagedArtifacts: Array.from(mergedOpenSpecArtifacts),
   });
   ensureRepoBaselineAdapter(report.repoRoot);
-  const bootstrapManifest = writeLifecycleBootstrapManifest({
-    git,
-    repoRoot: report.repoRoot,
-  });
 
   return {
     repoRoot: report.repoRoot,
     version,
     changedHooks,
     openSpecBootstrap,
-    bootstrapManifest: {
-      path: bootstrapManifest.path,
-      changed: bootstrapManifest.changed,
-    },
   };
 };

package/integrations/lifecycle/npmService.ts

@@ -1,173 +1,21 @@
-import { existsSync, readFileSync } from 'node:fs';
-import { join } from 'node:path';
 import { spawnSync as runSpawnSync } from 'node:child_process';
 
 export interface ILifecycleNpmService {
   runNpm(args: ReadonlyArray<string>, cwd: string): void;
 }
 
-type LifecyclePackageManager = 'npm' | 'pnpm' | 'yarn';
-
-type PackageManagerManifest = {
-  packageManager?: string;
-  workspaces?: unknown;
-};
-
-const resolvePackageManagerFromManifest = (cwd: string): LifecyclePackageManager | undefined => {
-  const packageJsonPath = join(cwd, 'package.json');
-  if (!existsSync(packageJsonPath)) {
-    return undefined;
-  }
-
-  try {
-    const raw = readFileSync(packageJsonPath, 'utf8');
-    const manifest = JSON.parse(raw) as PackageManagerManifest;
-    const packageManager = manifest.packageManager?.trim().toLowerCase();
-    if (!packageManager) {
-      return undefined;
-    }
-    if (packageManager.startsWith('pnpm@')) {
-      return 'pnpm';
-    }
-    if (packageManager.startsWith('yarn@')) {
-      return 'yarn';
-    }
-    if (packageManager.startsWith('npm@')) {
-      return 'npm';
-    }
-  } catch {
-    return undefined;
-  }
-
-  return undefined;
-};
-
-export const resolveLifecyclePackageManager = (cwd: string): LifecyclePackageManager => {
-  const fromManifest = resolvePackageManagerFromManifest(cwd);
-  if (fromManifest) {
-    return fromManifest;
-  }
-  if (existsSync(join(cwd, 'pnpm-lock.yaml'))) {
-    return 'pnpm';
-  }
-  if (existsSync(join(cwd, 'yarn.lock'))) {
-    return 'yarn';
-  }
-  return 'npm';
-};
-
-const isWorkspaceRoot = (cwd: string): boolean => {
-  if (existsSync(join(cwd, 'pnpm-workspace.yaml'))) {
-    return true;
-  }
-  const packageJsonPath = join(cwd, 'package.json');
-  if (!existsSync(packageJsonPath)) {
-    return false;
-  }
-  try {
-    const raw = readFileSync(packageJsonPath, 'utf8');
-    const manifest = JSON.parse(raw) as PackageManagerManifest;
-    return Array.isArray(manifest.workspaces) || typeof manifest.workspaces === 'object';
-  } catch {
-    return false;
-  }
-};
-
-const translateInstallLikeArgs = (
-  packageManager: Exclude<LifecyclePackageManager, 'npm'>,
-  args: ReadonlyArray<string>,
-  cwd: string
-): ReadonlyArray<string> => {
-  const packageSpecs = args.filter((arg) => !arg.startsWith('-')).slice(1);
-  if (packageSpecs.length === 0) {
-    return args;
-  }
-
-  const useExact = args.includes('--save-exact');
-  const useDev = args.includes('--save-dev');
-
-  if (packageManager === 'pnpm') {
-    return [
-      'add',
-      ...(isWorkspaceRoot(cwd) ? ['-w'] : []),
-      ...(useDev ? ['-D'] : []),
-      ...(useExact ? ['-E'] : []),
-      ...packageSpecs,
-    ];
-  }
-
-  return [
-    'add',
-    ...(useDev ? ['--dev'] : []),
-    ...(useExact ? ['--exact'] : []),
-    ...packageSpecs,
-  ];
-};
-
-const translateUninstallLikeArgs = (
-  packageManager: Exclude<LifecyclePackageManager, 'npm'>,
-  args: ReadonlyArray<string>,
-  cwd: string
-): ReadonlyArray<string> => {
-  const packageSpecs = args.filter((arg) => !arg.startsWith('-')).slice(1);
-  if (packageSpecs.length === 0) {
-    return args;
-  }
-  if (packageManager === 'pnpm') {
-    return ['remove', ...(isWorkspaceRoot(cwd) ? ['-w'] : []), ...packageSpecs];
-  }
-  return ['remove', ...packageSpecs];
-};
-
-export const resolveLifecyclePackageManagerCommand = (
-  args: ReadonlyArray<string>,
-  cwd: string
-): {
-  command: LifecyclePackageManager;
-  args: ReadonlyArray<string>;
-} => {
-  const packageManager = resolveLifecyclePackageManager(cwd);
-  if (packageManager === 'npm') {
-    return {
-      command: 'npm',
-      args,
-    };
-  }
-
-  const primaryCommand = args[0];
-  if (primaryCommand === 'install') {
-    return {
-      command: packageManager,
-      args: translateInstallLikeArgs(packageManager, args, cwd),
-    };
-  }
-  if (primaryCommand === 'uninstall') {
-    return {
-      command: packageManager,
-      args: translateUninstallLikeArgs(packageManager, args, cwd),
-    };
-  }
-
-  return {
-    command: packageManager,
-    args,
-  };
-};
-
 export class LifecycleNpmService implements ILifecycleNpmService {
   runNpm(args: ReadonlyArray<string>, cwd: string): void {
-    const execution = resolveLifecyclePackageManagerCommand(args, cwd);
-    const renderedCommand = `${execution.command} ${execution.args.join(' ')}`.trim();
-    const result = runSpawnSync(execution.command, execution.args, {
+    const result = runSpawnSync('npm', args, {
       cwd,
       stdio: 'inherit',
       env: process.env,
     });
     if (result.error) {
-      throw new Error(`${renderedCommand} failed: ${result.error.message}`);
+      throw new Error(`npm ${args.join(' ')} failed: ${result.error.message}`);
     }
     if (typeof result.status !== 'number' || result.status !== 0) {
-      throw new Error(`${renderedCommand} failed with exit code ${result.status ?? 'unknown'}`);
+      throw new Error(`npm ${args.join(' ')} failed with exit code ${result.status ?? 'unknown'}`);
     }
   }
 }

package/integrations/lifecycle/policyValidationSnapshot.ts

@@ -3,6 +3,7 @@ import {
   resolvePolicyForStage,
   type ResolvedStagePolicy,
 } from '../gate/stagePolicies';
+import { resolvePreWriteEnforcement } from '../policy/preWriteEnforcement';
 
 export type LifecyclePolicyValidationStageSnapshot = {
   source: ResolvedStagePolicy['trace']['source'];
@@ -23,8 +24,13 @@ export type LifecyclePolicyValidationSnapshot = {
 const POLICY_STAGES: ReadonlyArray<SkillsStage> = ['PRE_WRITE', 'PRE_COMMIT', 'PRE_PUSH', 'CI'];
 
 const toStageSnapshot = (
+  stage: SkillsStage,
   resolved: ResolvedStagePolicy
 ): LifecyclePolicyValidationStageSnapshot => {
+  const strictFromPolicy = resolved.trace.validation?.strict ?? false;
+  const strict = stage === 'PRE_WRITE'
+    ? strictFromPolicy || resolvePreWriteEnforcement().blocking
+    : strictFromPolicy;
   return {
     source: resolved.trace.source,
     bundle: resolved.trace.bundle,
@@ -34,7 +40,7 @@ const toStageSnapshot = (
     policySource: resolved.trace.policySource ?? null,
     validationStatus: resolved.trace.validation?.status ?? null,
     validationCode: resolved.trace.validation?.code ?? null,
-    strict: resolved.trace.validation?.strict ?? false,
+    strict,
   };
 };
 
@@ -42,7 +48,7 @@ export const readLifecyclePolicyValidationSnapshot = (
   repoRoot: string
 ): LifecyclePolicyValidationSnapshot => {
   const resolvedByStage = Object.fromEntries(
-    POLICY_STAGES.map((stage) => [stage, toStageSnapshot(resolvePolicyForStage(stage, repoRoot))])
+    POLICY_STAGES.map((stage) => [stage, toStageSnapshot(stage, resolvePolicyForStage(stage, repoRoot))])
   ) as Record<SkillsStage, LifecyclePolicyValidationStageSnapshot>;
 
   return {

package/integrations/lifecycle/preWriteAutomation.ts

@@ -68,24 +68,16 @@ const hasAutoFixableEvidenceViolation = (aiGate: ReturnType<typeof evaluateAiGat
 const hasEvidenceGateBlockedViolation = (aiGate: ReturnType<typeof evaluateAiGate>): boolean =>
   aiGate.violations.some((violation) => violation.code === 'EVIDENCE_GATE_BLOCKED');
 
-const hasAdapterMissingViolation = (aiGate: ReturnType<typeof evaluateAiGate>): boolean =>
-  aiGate.violations.some((violation) => violation.code === 'MCP_ENTERPRISE_ADAPTER_MISSING');
-
 const hasAutoFixableMcpReceiptViolation = (aiGate: ReturnType<typeof evaluateAiGate>): boolean =>
-  !hasAdapterMissingViolation(aiGate)
-  && aiGate.violations.some((violation) => PRE_WRITE_AUTOFIXABLE_MCP_RECEIPT_CODES.has(violation.code));
+  aiGate.violations.some((violation) => PRE_WRITE_AUTOFIXABLE_MCP_RECEIPT_CODES.has(violation.code));
 
 const collectAutoFixableViolationCodes = (aiGate: ReturnType<typeof evaluateAiGate>): string[] =>
   aiGate.violations
-    .filter((violation) => {
-      if (PRE_WRITE_AUTOFIXABLE_EVIDENCE_CODES.has(violation.code)) {
-        return true;
-      }
-      if (!PRE_WRITE_AUTOFIXABLE_MCP_RECEIPT_CODES.has(violation.code)) {
-        return false;
-      }
-      return !hasAdapterMissingViolation(aiGate);
-    })
+    .filter(
+      (violation) =>
+        PRE_WRITE_AUTOFIXABLE_EVIDENCE_CODES.has(violation.code)
+        || PRE_WRITE_AUTOFIXABLE_MCP_RECEIPT_CODES.has(violation.code)
+    )
     .map((violation) => violation.code)
     .sort((left, right) => left.localeCompare(right));
 
@@ -106,7 +98,7 @@ export const buildPreWriteAutomationTrace = async (params: {
     attempted: false,
     actions: [],
   };
-  if (params.sdd.stage !== 'PRE_WRITE') {
+  if (params.sdd.stage !== 'PRE_WRITE' || params.aiGate.allowed) {
     return {
       aiGate: params.aiGate,
       trace,
@@ -114,42 +106,6 @@ export const buildPreWriteAutomationTrace = async (params: {
   }
 
   let aiGate = params.aiGate;
-  if (aiGate.allowed) {
-    trace.attempted = true;
-    try {
-      const gateExitCode = await params.runPlatformGate({
-        policy: {
-          stage: 'PRE_COMMIT',
-          blockOnOrAbove: 'ERROR',
-          warnOnOrAbove: 'WARN',
-        },
-        scope: {
-          kind: 'workingTree',
-        },
-        auditMode: 'gate',
-        dependencies: {
-          printGateFindings: () => {},
-        },
-      });
-      trace.actions.push({
-        action: 'refresh_evidence',
-        status: 'OK',
-        details: `stage=PRE_COMMIT runPlatformGate exit_code=${gateExitCode} parity_probe=allowed_initial`,
-      });
-      aiGate = activeDependencies.runEnterpriseAiGateCheck({
-        repoRoot: params.repoRoot,
-        stage: 'PRE_WRITE',
-        requireMcpReceipt: true,
-      }).result;
-    } catch (error) {
-      trace.actions.push({
-        action: 'refresh_evidence',
-        status: 'FAILED',
-        details: error instanceof Error ? error.message : 'Unknown PRE_COMMIT parity refresh error',
-      });
-    }
-  }
-
   if (hasAutoFixableEvidenceViolation(aiGate)) {
     trace.attempted = true;
     try {
@@ -246,32 +202,6 @@ export const buildPreWriteAutomationTrace = async (params: {
         stage: 'PRE_WRITE',
         requireMcpReceipt: true,
       }).result;
-      if (aiGate.allowed) {
-        const gateExitCode = await params.runPlatformGate({
-          policy: {
-            stage: 'PRE_COMMIT',
-            blockOnOrAbove: 'ERROR',
-            warnOnOrAbove: 'WARN',
-          },
-          scope: {
-            kind: 'workingTree',
-          },
-          auditMode: 'gate',
-          dependencies: {
-            printGateFindings: () => {},
-          },
-        });
-        trace.actions.push({
-          action: 'refresh_evidence',
-          status: 'OK',
-          details: `stage=PRE_COMMIT runPlatformGate exit_code=${gateExitCode} parity_probe=allowed_after_mcp_receipt_refresh`,
-        });
-        aiGate = activeDependencies.runEnterpriseAiGateCheck({
-          repoRoot: params.repoRoot,
-          stage: 'PRE_WRITE',
-          requireMcpReceipt: true,
-        }).result;
-      }
     } catch (error) {
       trace.actions.push({
         action: 'refresh_mcp_receipt',

package/integrations/lifecycle/state.ts

@@ -49,17 +49,10 @@ export const writeLifecycleState = (params: {
   openSpecManagedArtifacts?: ReadonlyArray<string>;
 }): void => {
   const { git, repoRoot, version } = params;
-  const existingInstalledAt = git.localConfig(repoRoot, PUMUKI_CONFIG_KEYS.installedAt);
   git.applyLocalConfig(repoRoot, PUMUKI_CONFIG_KEYS.installed, 'true');
   git.applyLocalConfig(repoRoot, PUMUKI_CONFIG_KEYS.version, version);
   git.applyLocalConfig(repoRoot, PUMUKI_CONFIG_KEYS.hooks, PUMUKI_MANAGED_HOOKS.join(','));
-  git.applyLocalConfig(
-    repoRoot,
-    PUMUKI_CONFIG_KEYS.installedAt,
-    typeof existingInstalledAt === 'string' && existingInstalledAt.trim().length > 0
-      ? existingInstalledAt
-      : new Date().toISOString()
-  );
+  git.applyLocalConfig(repoRoot, PUMUKI_CONFIG_KEYS.installedAt, new Date().toISOString());
   if (params.openSpecManagedArtifacts) {
     const serialized = serializeManagedArtifacts(params.openSpecManagedArtifacts);
     if (serialized) {

package/integrations/lifecycle/status.ts

@@ -9,15 +9,6 @@ import {
   readLifecyclePolicyValidationSnapshot,
   type LifecyclePolicyValidationSnapshot,
 } from './policyValidationSnapshot';
-import {
-  readGovernanceObservationSnapshot,
-  type GovernanceObservationSnapshot,
-} from './governanceObservationSnapshot';
-import {
-  readGovernanceNextAction,
-  type GovernanceNextActionReader,
-  type GovernanceNextActionSummary,
-} from './governanceNextAction';
 import { readLifecycleState, type LifecycleState } from './state';
 
 export type LifecycleStatus = {
@@ -31,14 +22,11 @@ export type LifecycleStatus = {
   trackedNodeModulesCount: number;
   policyValidation: LifecyclePolicyValidationSnapshot;
   experimentalFeatures: LifecycleExperimentalFeaturesSnapshot;
-  governanceObservation: GovernanceObservationSnapshot;
-  governanceNextAction: GovernanceNextActionSummary;
 };
 
 export const readLifecycleStatus = (params?: {
   cwd?: string;
   git?: ILifecycleGitService;
-  governanceNextActionReader?: GovernanceNextActionReader;
 }): LifecycleStatus => {
   const git = params?.git ?? new LifecycleGitService();
   const cwd = params?.cwd ?? process.cwd();
@@ -50,19 +38,6 @@ export const readLifecycleStatus = (params?: {
     repoRoot,
     lifecycleVersion: lifecycleState.version,
   });
-  const policyValidation = readLifecyclePolicyValidationSnapshot(repoRoot);
-  const experimentalFeatures = readLifecycleExperimentalFeaturesSnapshot();
-  const governanceObservation = readGovernanceObservationSnapshot({
-    repoRoot,
-    experimentalFeatures,
-    policyValidation,
-    git,
-  });
-  const governanceNextAction = (params?.governanceNextActionReader ?? readGovernanceNextAction)({
-    repoRoot,
-    stage: 'PRE_WRITE',
-    governanceObservation,
-  });
 
   return {
     repoRoot,
@@ -73,9 +48,7 @@ export const readLifecycleStatus = (params?: {
     hooksDirectory: hooksDirectory.path,
     hooksDirectoryResolution: hooksDirectory.source,
     trackedNodeModulesCount,
-    policyValidation,
-    experimentalFeatures,
-    governanceNextAction,
-    governanceObservation,
+    policyValidation: readLifecyclePolicyValidationSnapshot(repoRoot),
+    experimentalFeatures: readLifecycleExperimentalFeaturesSnapshot(),
   };
 };