chore: env allowlist + path-guard + token-guard + hooks .mts + bootstrap + cascade #620
Closed
John-David Dalton (jdalton) wants to merge 15 commits into main from
Conversation
John-David Dalton (jdalton) added a commit that referenced this pull request, Apr 27, 2026:
…y/ scope) Consolidates PR #621 (path-guard infra) and #622 (.sh→.mts hook conversion) into this branch. Resolves the modify/delete conflict on .git-hooks/{commit-msg,pre-push} by accepting the .mts versions — the env allowlist tweak from #620 is already covered in commit-msg.mts via shouldSkipFile and the precommit allowlist. Also renames internal hook packages to drop the @socketsecurity/ scope (hook-path-guard, hook-token-guard, hook-check-new-deps) — they're private:true and never published.
John-David Dalton (jdalton) added a commit that referenced this pull request, Apr 27, 2026:
Consolidates the work previously split across PRs #620 (env allowlist), #621 (path-guard infra), and #622 (.sh→.mts hook conversion) into a single commit on chore/harden-env-allowlist.

What's included:

Env allowlist + .cache/ + CLAUDE.md
- Drop NODE_COMPILE_CACHE-equivalent stale env entries
- Allow .env.precommit at any depth in commit-msg hook
- Skip hook scripts in scanners (they contain the literal regex)
- Exclude .cache/** in tsconfig.check.json
- Propagate CLAUDE.md sorting + open-PR + paths + inclusive-language rules; Set constructor sort rule; don't-revert-untouched rule; replace whitelist/blacklist with allowlist/denylist

Path-guard infra (.claude/hooks/path-guard/, scripts/check-paths.mts, .github/paths-allowlist.yml, .claude/skills/path-guard/)
- Mantra: 1 path, 1 reference. PreToolUse hook on Edit|Write blocks multi-stage build paths constructed inline; companion gate runs in pnpm check
- Template-literal path detection
- Drift-resistant allowlist via exact-line OR snippet_hash match
- --show-hashes CLI flag for authoring allowlist entries
- Centralized vocabulary in segments.mts (hook + gate share one source for stage / build-root / mode / sibling-package sets)
- Paren-balanced parser handles nested function-call args
- Multi-line YAML reasons (| and > block scalars)

Token-guard renamed from token-hygiene
- Word-boundary match for sensitive env names (no more false positives on substring matches inside identifiers)
- Step 1 (ALWAYS_DANGEROUS) now gates on hasRedaction so 'env | sed s/=.*/=<redacted>/' (the suggested fix) actually passes

.sh → .mts hook conversion (Node 25+)
- .git-hooks/_helpers.mts (was _helpers.sh) — exports filterAllowedApiKeys + scanners for personal paths, AWS keys, GitHub tokens, private keys, AI attribution
- .git-hooks/{commit-msg,pre-commit,pre-push}.mts (were .sh)
- _helpers.mts hard-fails at module load if Node < 25 (relies on stable type stripping, no flag)
- Husky shims invoke node directly

Hook package rename
- Drop @socketsecurity/ scope from internal hook packages (hook-path-guard, hook-token-guard, hook-check-new-deps); they are private:true and never published to npm

Dep
- Add @sinclair/typebox 0.34.49 to devDependencies (used by scripts/xport-schema.mts)
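As an added illustration of the path-guard mechanics this commit describes (template-literal and path.join detection, a paren-balanced argument parser, and an allowlist that matches on the exact line or a snippet_hash), here is a minimal line scanner in TypeScript. It is example code written for this page, not the hook or gate from the PR; the stage vocabulary, the allowlist entry shape, the 16-hex-character hash prefix and the sample source are all assumptions made here.

```typescript
import { createHash } from 'node:crypto'

// Assumed stage vocabulary. The real hook shares its sets with the gate via
// segments.mts, which is not reproduced on the page.
const STAGE_SEGMENTS: ReadonlySet<string> = new Set(['build', 'dist', '.cache', 'external-tools'])

// Assumed shape of an entry in .github/paths-allowlist.yml: a finding is
// allowed when either the exact line or the snippet hash matches.
export interface AllowlistEntry {
  file: string
  line?: string
  snippet_hash?: string
  reason: string
}

export interface Finding {
  file: string
  lineNo: number
  snippet: string
  hash: string
}

// Hash of the trimmed snippet; the prefix length is an assumption made here.
export function snippetHash(snippet: string): string {
  return createHash('sha256').update(snippet.trim()).digest('hex').slice(0, 16)
}

// Paren-balanced extraction of the argument text of the first
// `path.join(` or `join(` call on a line; nested calls are kept whole.
export function extractJoinArgs(line: string): string | null {
  const m = /\b(?:path\.)?join\(/.exec(line)
  if (!m) return null
  const open = m.index + m[0].length - 1
  let depth = 0
  for (let i = open; i < line.length; i++) {
    if (line[i] === '(') depth++
    else if (line[i] === ')' && --depth === 0) return line.slice(open + 1, i)
  }
  return null // call continues on a later line; out of scope for a line scanner
}

// True when any string or template literal in `text` contains a stage
// segment as a whole path component ('dist', `${root}/dist/${m}`), so
// 'distribution' does not match.
export function mentionsStageSegment(text: string): boolean {
  const literals = text.match(/(['"`])(?:\\.|(?!\1)[^\\])*\1/g) ?? []
  return literals.some(lit =>
    lit.slice(1, -1).split(/[\\/]/).some(seg => STAGE_SEGMENTS.has(seg)),
  )
}

// One finding per line that builds a stage path inline, either through a
// join() call or directly in a template literal.
export function scanSource(file: string, source: string): Finding[] {
  const findings: Finding[] = []
  source.split('\n').forEach((raw, i) => {
    const args = extractJoinArgs(raw)
    const viaJoin = args !== null && mentionsStageSegment(args)
    const viaTemplate = /`[^`]*\$\{[^`]*`/.test(raw) && mentionsStageSegment(raw)
    if (viaJoin || viaTemplate) {
      findings.push({ file, lineNo: i + 1, snippet: raw.trim(), hash: snippetHash(raw) })
    }
  })
  return findings
}

// Drop findings covered by an allowlist entry for the same file whose exact
// line or snippet_hash matches; the hash keeps an entry valid when the line
// is re-indented or moves.
export function applyAllowlist(findings: Finding[], allowlist: AllowlistEntry[]): Finding[] {
  return findings.filter(f =>
    !allowlist.some(e =>
      e.file === f.file && (e.line?.trim() === f.snippet || e.snippet_hash === f.hash),
    ),
  )
}

// Constructed sample source: lines 1, 2 and 4 build stage paths inline.
export const SAMPLE_SOURCE = [
  "const outDir = path.join(rootDir, 'dist', mode, name)",
  "const toolDir = join(os.homedir(), path.join('.cache', 'external-tools'))",
  'const tarball = `${outDir}/${name}.tgz`',
  'const legacy = `${rootDir}/build/${mode}`',
  "const srcDir = path.join(rootDir, 'src')",
].join('\n')

// Constructed allowlist: line 2 is the one sanctioned construction site.
export const SAMPLE_ALLOWLIST: AllowlistEntry[] = [
  {
    file: 'scripts/example.mts',
    snippet_hash: snippetHash("const toolDir = join(os.homedir(), path.join('.cache', 'external-tools'))"),
    reason: 'tool cache root is constructed once here; every other site imports toolDir',
  },
]

export function demo(): Finding[] {
  return applyAllowlist(scanSource('scripts/example.mts', SAMPLE_SOURCE), SAMPLE_ALLOWLIST)
}
```

A gate built this way reads every tracked source file, runs scanSource, and fails the check step when applyAllowlist returns anything; authoring an allowlist entry means copying the hash the scanner reports for the line, which is the role the PR's --show-hashes flag plays.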
…rap + cascade

Consolidated PR — combines the original work from #620, #621, #622 plus follow-up commits (private-name rule, socket-registry pin cascades) into a single squashed commit.

Includes:
- env allowlist + .cache/ + CLAUDE.md hygiene (restore .cache/** exclude in tsconfigs; propagate CLAUDE.md sorting/open-PR/paths/inclusive-language/Set-sort/don't-revert-untouched/private-name rules; replace whitelist/blacklist with allowlist/denylist)
- path-guard infra (PreToolUse hook + scripts/check-paths.mts gate + .github/paths-allowlist.yml + /path-guard skill — enforces "1 path, 1 reference" so multi-stage build paths are constructed exactly once)
- token-guard hook (renamed from token-hygiene; word-boundary match for sensitive env names; ALWAYS_DANGEROUS gates on hasRedaction so redacted env dumps pass)
- .sh -> .mts hook conversion on Node 25+ (stable type stripping; _helpers.mts hard-fails at module load if Node < 25; husky shims invoke node directly)
- internal hook package rename (drop @socketsecurity/ scope from hook-path-guard, hook-token-guard, hook-check-new-deps; private, never published)
- xport lock-step manifest (scripts/xport.mts + scripts/xport-schema.mts + scripts/xport-emit-schema.mts + xport.schema.json)
- bootstrap-from-registry (scripts/bootstrap-from-registry.mts downloads zero-dep Socket packages from npm registry into node_modules/ via preinstall hook, solving fresh-clone chicken-and-egg)
- socket-registry pins cascaded to ceab1e26 (picks up the @socketsecurity/lib bootstrap move from the install action into setup, so consumers calling only setup also benefit)
bugbot run
… align pre-commit .env scope

Two issues from Cursor Bugbot's review:

1. _api-key-check.sh is unused (low) — accidental migration leftover. The replacement is _helpers.mts (already in this PR).
2. commit-msg.mts uses basename() so a nested .env.local is blocked, but pre-commit.mts only matched root-level paths (medium). A nested .env is just as much a leak as a root one. Aligned both to basename-based matching with the same allowlist.
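The basename-based .env check this commit describes for commit-msg and pre-commit (a later commit applies the same rule to pre-push), as an added TypeScript example written for this page rather than the hook code from the PR. The allowlist is the one the PR names; the regex for the .env family, the backslash normalisation and the sample staged paths are assumptions made here.

```typescript
import { basename } from 'node:path'

// Allowlist as stated in the PR: these basenames are never secrets.
export const ENV_ALLOWLIST: ReadonlySet<string> = new Set(['.env.example', '.env.test', '.env.precommit'])

// `.env`, `.env.local`, `.env.production.local`, ... (assumed pattern).
const ENV_FILE = /^\.env(?:\..+)?$/

// Basename-based check: the directory a secrets file sits in is irrelevant to
// whether it leaks, so packages/cli/.env.local is treated exactly like ./.env.
// Backslashes are normalised first so the check reads the same path on a
// Windows checkout (assumption; the page does not say how the hooks handle it).
export function isBlockedEnvFile(file: string): boolean {
  const name = basename(file.replace(/\\/g, '/'))
  return ENV_FILE.test(name) && !ENV_ALLOWLIST.has(name)
}

// Reduce a list of paths (as `git diff --cached --name-only` would print them
// for pre-commit, or the pushed range's file list for pre-push) to the ones
// the hook must reject; a non-empty result means exit non-zero.
export function blockedEnvFiles(paths: string[]): string[] {
  return paths.filter(isBlockedEnvFile)
}

// Constructed sample of staged paths.
export const SAMPLE_STAGED = [
  '.env',
  '.env.example',
  'packages/cli/.env.local',
  'packages/cli/.env.precommit',
  'packages\\sdk\\.env.production',
  'docs/environment.md',
  'src/env.ts',
]
```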
bugbot run
…Bugbot)

Two issues from Cursor Bugbot's review:

1. token-guard sed redaction regex couldn't cross delimiter boundary (high). The pattern /\bsed\b[^|]*s[/|#][^/|#]*=[^/|#]*<?redact/i used [^/|#]* which stops at the / between sed pattern and replacement, so 'sed s/=.*/=<redacted>/' (the canonical fix the error message suggests) never matched. Replaced with [\s\S]*? to reach across the delimiter.
2. pre-push.mts .env detection only matched root-level .env / .env.local (high). commit-msg.mts and pre-commit.mts both use basename() with a broader pattern. pre-push is the mandatory enforcement layer for --no-verify bypasses; weaker detection there meant a nested packages/cli/.env.local would slip through. Aligned to basename-based matching with the same allowlist (.env.example/.env.test/.env.precommit).

Note on Bugbot finding #2 (rmSync in scripts/bootstrap-from-registry.mts): deliberate. The bootstrap script runs BEFORE pnpm install — that's its whole purpose — so @socketsecurity/lib's safeDelete isn't available yet. Discard.
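The token-guard logic from item 1 above (Step 1 gated on hasRedaction) together with the word-boundary match for sensitive env names from the earlier commit, as an added TypeScript example written for this page. The old regex is the one quoted in the commit; the fixed regex is a reconstruction that replaces both bounded classes with lazy [\s\S]*? (assumption). The ALWAYS_DANGEROUS stand-in, the sensitive-name list and the block-on-reference policy are assumptions made here, not the hook's own rules.

```typescript
// The pattern the commit quotes as broken, with slashes escaped for a regex
// literal: `[^\/|#]*` cannot cross the `/` between sed pattern and replacement.
export const SED_REDACTION_OLD = /\bsed\b[^|]*s[\/|#][^\/|#]*=[^\/|#]*<?redact/i

// Reconstructed fix (assumption): lazy [\s\S]*? reaches across the delimiter.
export const SED_REDACTION_NEW = /\bsed\b[^|]*s[\/|#][\s\S]*?=[\s\S]*?<?redact/i

// Assumed stand-in for the hook's ALWAYS_DANGEROUS list: a bare `env` or
// `printenv` that dumps the whole environment (not `env FOO=1 cmd`).
const ENV_DUMP = /(?:^|[|;&\s])(?:env|printenv)(?=\s*(?:$|[|;&]))/

export function hasRedaction(cmd: string): boolean {
  return SED_REDACTION_NEW.test(cmd)
}

// Step 1: an environment dump is blocked unless a redaction pipeline follows.
export function isDangerousEnvDump(cmd: string): boolean {
  return ENV_DUMP.test(cmd) && !hasRedaction(cmd)
}

// Assumed sensitive names. `\b` on both sides means $GITHUB_TOKEN matches but
// GITHUB_TOKENS or MY_GITHUB_TOKEN_COUNT (underscore is a word character) do not.
const SENSITIVE_ENV_NAMES = ['GITHUB_TOKEN', 'NPM_TOKEN', 'AWS_SECRET_ACCESS_KEY', 'SOCKET_API_KEY']
const SENSITIVE_RE = new RegExp(`\\b(?:${SENSITIVE_ENV_NAMES.join('|')})\\b`)

export function mentionsSensitiveEnvName(cmd: string): string | null {
  const m = SENSITIVE_RE.exec(cmd)
  return m ? m[0] : null
}

export interface Verdict {
  allow: boolean
  reason?: string
}

// PreToolUse-style decision for one Bash command string.
export function checkBashCommand(cmd: string): Verdict {
  if (isDangerousEnvDump(cmd)) {
    return { allow: false, reason: "environment dump without redaction; pipe through: sed 's/=.*/=<redacted>/'" }
  }
  const name = mentionsSensitiveEnvName(cmd)
  if (name !== null && !hasRedaction(cmd)) {
    return { allow: false, reason: `references sensitive variable ${name}` }
  }
  return { allow: true }
}
```

The first two assertions below are the regression from the commit: the canonical suggested fix fails the old pattern and passes the new one, which is why an unfixed hook rejected its own advice.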
bugbot run
Bugbot flagged: readPinnedVersion stripped range prefixes (^, ~, >=) on the package.json path but returned the catalog match raw. A catalog entry of '^5.24.0' would have produced 'lib-^5.24.0.tgz' as the tarball URL — invalid. Extracted stripRange() and applied to both code paths.
bugbot run
Migrates the 20 call sites flagged by `pnpm prim audit` to the shared primordials surface from socket-lib 5.25.0:
- 4× StringPrototypeTrim (replaces .trim())
- 9× DateNow (replaces Date.now() in http-client timing)
- 2× SetCtor (replaces new Set(...))
- 2× ErrorCtor (replaces new Error(...))
- 2× ArrayIsArray (replaces Array.isArray)
- 2× PromiseWithResolvers (replaces Promise.withResolvers)
- 1× MapCtor (replaces new Map(...))
- 1× TypeErrorCtor (replaces new TypeError(...))
- 1× StringPrototypeToLowerCase (replaces .toLowerCase())
- 1× StringPrototypeEndsWith (replaces .endsWith())
- 1× URLSearchParamsCtor (replaces new URLSearchParams(...))

After: prim audit reports zero migration candidates.
Pulls in the SKILL.md doc update that mentions segments.mts as the canonical stage/sibling vocabulary.
…mts.tmpl The schema docs in paths-allowlist.yml drifted from canonical. The old comment claimed line tolerance is ±2 (FALSE since Gap 2; lines are now strict-exact) and didn't mention snippet_hash or --show-hashes. Also brings the path-guard skill reference template up to date.
Adds private-name-guard, public-surface-reminder, and release-workflow-guard hooks (previously the rules were in CLAUDE.md without the enforcement hook). Refreshes check-new-deps index.mts + README to canonical (Cargo.toml fragment-mode parsing, score-based warnings, module-aware main). Wires the 4 Bash hooks alphabetically in settings.json. Now byte-identical with template/.claude/hooks/ for index.mts + README.md across all four hooks. package.json kept at per-repo catalog/pin style.
The private-name-guard hook (added in a recent main) declared @types/node@24.9.2 but the lockfile wasn't refreshed. CI was failing with ERR_PNPM_OUTDATED_LOCKFILE since CI uses --frozen-lockfile by default.
Picks up the multi-package bootstrap loop (a645d921) that pre-seeds @socketsecurity/lib + @socketregistry/packageurl-js + @sinclair/typebox on a fresh checkout, plus the libuv-fix in check-firewall that drops process.exit() in favor of natural event-loop drain (necessary on Node 24 + Windows when the bootstrap runs the firewall checker multiple times in succession).

Cascade chain:
setup + check-firewall    Layer 1  a645d921
setup-and-install         Layer 2  521d0ba8
reusable workflows        Layer 3  3f2f2c00  ← this is the propagation SHA
_local-not-for-reuse-*    Layer 4  b2905c2f  (socket-registry only)
Superseded by 5 split PRs that can each land independently:

auto-merge was automatically disabled April 27, 2026 15:05
Pull request was closed
John-David Dalton (jdalton) added a commit that referenced this pull request, Apr 27, 2026:
…tall

Adds scripts/bootstrap-from-registry.mts that downloads zero-dep Socket packages (currently @socketsecurity/lib) from the npm registry tarball directly into node_modules/<scope>/<name>/ BEFORE pnpm install runs. Wired via package.json preinstall lifecycle hook.

Why: setup.mts and other root-script importers of @socketsecurity/lib fail on a fresh clone because pnpm install hasn't run yet. Pre-seeding from the registry tarball solves the chicken-and-egg.

Reads pinned version from pnpm-workspace.yaml `catalog:` OR root package.json deps/devDeps — single source of truth, no hardcoded version.

A fresh clone now goes `git clone → pnpm install → working repo`, no special setup ordering required.

Self-landable split from #620.
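The version-resolution half of the bootstrap this commit describes (pin read from the pnpm-workspace.yaml catalog or the root package.json, then turned into a registry tarball URL), including the stripRange fix from the earlier Bugbot commit applied on both lookup paths, as an added TypeScript example written for this page rather than the script from the PR. The catalog-before-package.json precedence, the refusal of anything that is not an exact version after stripping, the minimal catalog reader and the sample manifests are assumptions made here; the tarball URL layout is the public npm registry convention.

```typescript
const EXACT_VERSION = /^\d+\.\d+\.\d+(?:[-+][0-9A-Za-z.-]+)?$/

// Strip a leading range operator so '^5.24.0', '~5.24.0', '>=5.24.0' become
// '5.24.0'. Applied on both lookup paths, which is the bug the earlier commit
// fixed; anything that is still not an exact version (e.g. '^5.24.0 <6')
// is rejected rather than pasted into a URL.
export function stripRange(spec: string): string {
  const v = spec.trim().replace(/^(?:[\^~]|>=?|<=?|=)\s*/, '')
  if (!EXACT_VERSION.test(v)) throw new Error(`cannot derive an exact version from ${JSON.stringify(spec)}`)
  return v
}

// Minimal reader for the `catalog:` block of pnpm-workspace.yaml: indented
// `name: version` lines until the next top-level key. A real script would use
// a YAML parser; this keeps the example dependency-free (assumption).
export function readCatalog(workspaceYaml: string): Map<string, string> {
  const out = new Map<string, string>()
  let inCatalog = false
  for (const raw of workspaceYaml.split('\n')) {
    if (/^catalog:\s*$/.test(raw)) { inCatalog = true; continue }
    if (inCatalog && /^\S/.test(raw)) inCatalog = false
    if (!inCatalog) continue
    const m = /^\s+(['"]?)([^'":]+)\1:\s*(['"]?)([^'"#]+)\3/.exec(raw)
    if (m) out.set(m[2].trim(), m[4].trim())
  }
  return out
}

export interface PackageJson {
  dependencies?: Record<string, string>
  devDependencies?: Record<string, string>
}

// Catalog first, then root package.json devDeps/deps (precedence assumed);
// a `catalog:` spec in package.json is only an indirection to the catalog.
export function readPinnedVersion(name: string, catalog: Map<string, string>, pkg: PackageJson): string {
  const fromPkg = pkg.devDependencies?.[name] ?? pkg.dependencies?.[name]
  const spec = catalog.get(name) ?? (fromPkg && fromPkg !== 'catalog:' ? fromPkg : undefined)
  if (!spec) throw new Error(`no pinned version for ${name}`)
  return stripRange(spec)
}

// Registry tarball URL; the file name uses the unscoped package name.
export function tarballUrl(name: string, version: string, registry = 'https://registry.npmjs.org'): string {
  const bare = name.includes('/') ? name.slice(name.indexOf('/') + 1) : name
  return `${registry}/${name}/-/${bare}-${version}.tgz`
}

// Constructed inputs: the lib pin uses a caret range, the typebox pin is the
// exact version named in the PR, packageurl-js is pinned only in package.json.
export const SAMPLE_WORKSPACE_YAML = `packages:
  - 'packages/*'
catalog:
  '@socketsecurity/lib': ^5.24.0
  '@sinclair/typebox': 0.34.49
onlyBuiltDependencies: []
`
export const SAMPLE_PACKAGE_JSON: PackageJson = {
  devDependencies: { '@socketsecurity/lib': 'catalog:', '@socketregistry/packageurl-js': '~1.0.0' },
}

export function resolveTarball(name: string): string {
  const version = readPinnedVersion(name, readCatalog(SAMPLE_WORKSPACE_YAML), SAMPLE_PACKAGE_JSON)
  return tarballUrl(name, version)
}
```

Without stripRange on the catalog path the first URL below would end in lib-^5.24.0.tgz, which is the broken fetch the Bugbot finding described. Fetching, firewall-checking and extracting the tarball into node_modules/<scope>/<name>/ is the rest of the script and is not shown here.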
John-David Dalton (jdalton) added a commit that referenced this pull request, Apr 27, 2026:
* chore: env allowlist + .cache exclude + CLAUDE.md fleet rules

Doc/config-only updates split out from PR #620.

CLAUDE.md
- Sync sorting + open-PR + paths + inclusive-language + Set constructor sort + don't-revert-untouched rules from the fleet
- Replace whitelist/blacklist with allowlist/denylist
- Document workflow-dispatch rule

.config/tsconfig.check.json
- Restore .cache/** exclude (was previously dropped)

.gitignore
- Add **/.cache/

.claude/agents/security-reviewer.md
.claude/skills/security-scan/SKILL.md
- Sync from socket-repo-template canonical

No runtime behavior changes.

* chore(skills): narrow allowed-tools to specific commands

Replaces blanket Bash/Grep/Glob entries with command-pattern-specific matchers (Bash(prefix:*)) so the skill cannot run anything the body of the skill doesn't actually invoke. Drops Grep/Glob from skills that don't use them.

- security-scan: Task, Read, Bash(pnpm exec agentshield:*), Bash(zizmor:*), Bash(command -v:*), Bash(find .cache/external-tools/zizmor:*)
- updating: Read, Edit, Bash(pnpm run:*), Bash(pnpm test:*), Bash(git status:*), Bash(git diff:*), Bash(git add:*), Bash(git commit:*), Bash(git log:*)

Addresses billxinli's review on PR #624 / #1283.

* chore(claude): add tools: frontmatter to agents, deny-list to settings, allowed-tools to quality-scan

Extends the .claude/ tightening already on this branch:

- Adds tools: frontmatter to all three agents so they declare exactly what they need instead of inheriting the default tool set:
  - code-reviewer (read-only): Read, Grep, Glob, Bash(git/rg/grep/find/ls/wc/cat/head/tail:*)
  - security-reviewer: same + Bash(pnpm exec agentshield:*), Bash(zizmor:*), Bash(command -v:*)
  - refactor-cleaner: adds Edit, Write, Bash(pnpm run/test/exec:*), Bash(node:*)
- Adds permissions.deny block to .claude/settings.json blocking publish/release escape hatches: npm/pnpm/yarn publish, gh release create/delete, gh workflow run/dispatch, git push --force/-f. Particularly important for socket-sdk-js, which publishes to npm but currently has no Bash-targeted PreToolUse hooks.
- Adds allowed-tools: to quality-scan/SKILL.md (was missing entirely, inheriting full default access).

Mirrors the canonical pattern landed on socket-repo-template main.
John-David Dalton (jdalton) added a commit that referenced this pull request, Apr 27, 2026:
* chore(ci): cascade socket-registry pin to 3f2f2c00

Picks up the latest socket-registry workflow updates (currently the bootstrap-from-registry step in install/action.yml + the path-guard fleet rollout cascade).

Self-landable split from #620.

* chore(ci): cascade socket-registry pins to 85a2fc0d

Picks up the firewall-checker fix in @SocketDev/socket-registry — any alert from Socket Firewall now blocks the bootstrap (no severity threshold; the API only returns alerts when a package is flagged as malware, so any alert means malware).

Cascade chain:
check-firewall.mts        Layer 1  e4193847
setup-and-install         Layer 2  b94c9571
reusable workflows        Layer 3  85a2fc0d  ← propagation SHA
_local-not-for-reuse-*    Layer 4  25ec2c76  (socket-registry only)
John-David Dalton (jdalton) added a commit that referenced this pull request, Apr 27, 2026:
… @sinclair/typebox via firewall-checked registry fetch (#627)

* feat: bootstrap @socketsecurity/lib from npm registry before pnpm install

Adds scripts/bootstrap-from-registry.mts that downloads zero-dep Socket packages (currently @socketsecurity/lib) from the npm registry tarball directly into node_modules/<scope>/<name>/ BEFORE pnpm install runs. Wired via package.json preinstall lifecycle hook.

Why: setup.mts and other root-script importers of @socketsecurity/lib fail on a fresh clone because pnpm install hasn't run yet. Pre-seeding from the registry tarball solves the chicken-and-egg.

Reads pinned version from pnpm-workspace.yaml `catalog:` OR root package.json deps/devDeps — single source of truth, no hardcoded version.

A fresh clone now goes `git clone → pnpm install → working repo`, no special setup ordering required.

Self-landable split from #620.

* chore(bootstrap): rename bootstrap-from-registry to bootstrap-firewall-deps

The script does more than fetch from the npm registry: it also runs each pinned tarball through Socket Firewall and refuses to install if the firewall returns any alert. The new name reflects both halves of the contract — the firewall verification is the security-critical part that "from registry" obscured.

- scripts/bootstrap-from-registry.mts → scripts/bootstrap-firewall-deps.mts
- Update package.json preinstall hook to point at the new path
- Update User-Agent string and fileoverview to match

* fix(bootstrap): drop unused typebox + packageurl-js from sdk bootstrap list

socket-sdk-js only uses @socketsecurity/lib; the typebox and packageurl-js entries were copied from socket-cli's bootstrap (where xport-schema.mts uses TypeBox) and broke CI here because neither has a pinned version in this repo's package.json or pnpm-workspace.yaml catalog. Restoring to a single-package bootstrap.

* chore(bootstrap): oxfmt format
John-David Dalton (jdalton) added a commit that referenced this pull request, Apr 27, 2026:
Self-landable split from #620. Combines the hook overhaul into one atomic PR: path-guard infra, token-guard hook, .sh→.mts conversion of git hooks, and the assorted fleet hooks (private-name-guard, public-surface-reminder, release-workflow-guard, check-new-deps).

What's included:

Path-guard infra
- .claude/hooks/path-guard/ (hook + tests + segments.mts)
- .claude/skills/path-guard/ (audit-and-fix skill)
- .claude/skills/_shared/path-guard-rule.md (canonical rule)
- scripts/check-paths.mts (the gate)
- .github/paths-allowlist.yml (empty starter, full schema docs)
- .claude/settings.json (wires hook on Edit|Write)
- scripts/check.mts (invokes the gate)

Token-guard hook
- .claude/hooks/token-guard/ (renamed from token-hygiene; word-boundary match for sensitive env names; ALWAYS_DANGEROUS check skips when redaction pipeline is present)

.sh → .mts hook conversion (Node 25+)
- .git-hooks/_helpers.mts (was _helpers.sh) — exports filterAllowedApiKeys + scanners (personal paths, AWS keys, GitHub tokens, private keys, AI attribution)
- .git-hooks/{commit-msg,pre-commit,pre-push}.mts (were .sh)
- .husky/* shims invoke node directly

Fleet hooks
- .claude/hooks/check-new-deps (npm dep introspection)
- .claude/hooks/private-name-guard
- .claude/hooks/public-surface-reminder
- .claude/hooks/release-workflow-guard

Verification:
pnpm install ✓
pnpm run check --all ✓
pnpm test --all ✓ 565/565 tests pass
Summary

Consolidated PR — combines the work originally split across #620, #621, and #622 into a single squashed commit on chore/harden-env-allowlist, plus follow-up commits (private-name rule, socket-registry pin cascades) merged in.

45 files changed across 6 logical groups. Each section below lists the files in that group so reviewers can scope their attention.

🟦 Group 1 — Path-guard infra (15 files, additive)

New PreToolUse hook + companion gate that enforces "1 path, 1 reference" — every build/test/runtime path is constructed exactly once, everywhere else references the constructed value.

Files
- .claude/hooks/path-guard/README.md
- .claude/hooks/path-guard/index.mts (the hook)
- .claude/hooks/path-guard/package.json
- .claude/hooks/path-guard/segments.mts (canonical stage/build-root/mode/sibling vocabulary, imported by both hook and gate)
- .claude/hooks/path-guard/test/path-guard.test.mts (29 tests)
- .claude/hooks/path-guard/tsconfig.json
- .claude/skills/_shared/path-guard-rule.md
- .claude/skills/path-guard/SKILL.md (invokable /path-guard skill)
- .claude/skills/path-guard/reference/check-paths.mts.tmpl
- .claude/skills/path-guard/reference/claude-md-rule.md
- .claude/skills/path-guard/reference/paths-allowlist.yml.tmpl
- scripts/check-paths.mts (the whole-repo gate)
- .github/paths-allowlist.yml (empty starter)
- .claude/settings.json (wires the hook on Edit|Write)
- scripts/check.mts (invokes check-paths.mts after the existing file-size validation step)

Detection features: template-literal path detection · drift-resistant allowlist via snippet_hash (exact-line OR hash match) · --show-hashes CLI flag · paren-balanced parser handles nested path.join args · multi-line YAML reasons.

🟪 Group 2 — Token-guard hook (5 files, mostly additive)

Renamed from token-hygiene. Word-boundary match for sensitive env names. Step 1 (ALWAYS_DANGEROUS) now gates on hasRedaction so env | sed s/=.*/=<redacted>/ (the suggested fix) actually passes.

Files
- .claude/hooks/token-guard/README.md
- .claude/hooks/token-guard/index.mts
- .claude/hooks/token-guard/package.json
- .claude/hooks/token-guard/test/token-guard.test.mts
- .claude/hooks/token-guard/tsconfig.json

🟧 Group 3 — .sh → .mts hook conversion (12 files, replacement)

All four shell-based git hooks become .mts modules running on Node 25+ (stable type stripping, no flag needed). _helpers.mts hard-fails at module load if Node < 25. Husky shims invoke node directly.

Files (deletions paired with additions)

Deleted (.sh):
- .git-hooks/_helpers.sh
- .git-hooks/commit-msg
- .git-hooks/pre-commit
- .git-hooks/pre-push

Added (.mts):
- .git-hooks/_helpers.mts
- .git-hooks/commit-msg.mts
- .git-hooks/pre-commit.mts
- .git-hooks/pre-push.mts

Modified (husky shims):
- .husky/commit-msg
- .husky/pre-commit
- .husky/pre-push

🟩 Group 4 — env allowlist + .cache/ + CLAUDE.md hygiene (8 files, modify-only)

Original #620 scope plus the private-name rule. Documentation + tooling-config tightening; no runtime behavior changes outside the hooks.

Files
- CLAUDE.md (sorting · open-PR · paths · inclusive-language · Set constructor sort · don't-revert-untouched · private-name rules; replace whitelist/blacklist)
- .claude/agents/security-reviewer.md
- .claude/skills/security-scan/SKILL.md
- .config/tsconfig.check.json (restore .cache/** exclude)
- .claude/hooks/check-new-deps/package.json (rename: drop @socketsecurity/ scope)
- package.json (add preinstall: bootstrap-from-registry.mts)

🟨 Group 5 — xport lock-step manifest (4 files, additive)

Machine-readable manifest format already adopted across the Socket fleet.

Files
- scripts/xport.mts
- scripts/xport-schema.mts
- scripts/xport-emit-schema.mts
- xport.schema.json (machine-generated from xport-schema.mts)

🟥 Group 6 — Bootstrap-from-registry + socket-registry cascade (5 files)

scripts/bootstrap-from-registry.mts downloads zero-dep Socket packages (currently @socketsecurity/lib) from the npm registry directly into node_modules/<scope>/<name>/ BEFORE pnpm install runs. Reads the pinned version from pnpm-workspace.yaml catalog: OR root package.json devDependencies — single source of truth. Wired via preinstall lifecycle hook.

A fresh clone now goes git clone → pnpm install → working repo, no special setup ordering required.

The matching SocketDev/socket-registry workflow pins are cascaded to ceab1e26 so this PR's CI runs through the same reusable workflows that pick up the @socketsecurity/lib bootstrap from the setup action (a parallel cleanup landed upstream).

Files
- scripts/bootstrap-from-registry.mts
- .github/workflows/ci.yml
- .github/workflows/weekly-update.yml
- .github/workflows/provenance.yml
- .github/workflows/generate.yml

Verification

➕ Follow-up — @socketsecurity/lib bump + primordials adoption (8 files)

Bumps @socketsecurity/lib from 5.24.0 → 5.25.0 (picks up the new /primordials module). Migrates the 20 sites flagged by pnpm prim audit from raw built-ins to the shared primordials surface — uniform with socket-lib's own internals and other Socket fleet repos.

Migrations: 4× StringPrototypeTrim, 9× DateNow, 2× SetCtor, 2× ErrorCtor, 2× ArrayIsArray, 2× PromiseWithResolvers, 1× MapCtor, 1× TypeErrorCtor, 1× StringPrototypeToLowerCase, 1× StringPrototypeEndsWith, 1× URLSearchParamsCtor.

After: prim audit reports zero migration candidates.

Files
- package.json (lib bump)
- pnpm-lock.yaml (lockfile)
- src/constants.ts
- src/http-client.ts
- src/quota-utils.ts
- src/socket-sdk-class.ts
- src/utils.ts
- src/utils/header-sanitization.ts