chore(scaffolding): adopt token-guard + path-guard from socket-repo-template#621
Closed
John-David Dalton (jdalton) wants to merge 9 commits intomainfrom
Closed
chore(scaffolding): adopt token-guard + path-guard from socket-repo-template#621John-David Dalton (jdalton) wants to merge 9 commits intomainfrom
John-David Dalton (jdalton) wants to merge 9 commits intomainfrom
Conversation
…emplate
Propagated via sync-scaffolding from socket-repo-template@cfba1e6.
Three-level enforcement of "1 path, 1 reference":
1. CLAUDE.md rule (mantra-driven; lands on next CLAUDE.md sync)
2. Hook (.claude/hooks/path-guard/) — PreToolUse on Edit/Write of
.mts/.cts files; blocks new path duplications at edit time
3. Gate (scripts/check-paths.mts) — whole-repo scan; runs as part
of pnpm check via runParallel.
Renames token-hygiene → token-guard fleet-wide.
Hook package.jsons drop the @socketsecurity/lib catalog devDep so
they install cleanly in repos without a 'default' catalog entry.
Gate runs clean against socket-sdk-js on first scan.
Companion fleet propagations: socket-cli #1280; socket-btm 360d469d;
socket-tui 79dc1ca; socket-lib 5153ddd; socket-sdxgen ef8e39f;
ultrathink 1534b406d; socket-packageurl-js e720bc1.
…, multi-line YAML (sync from template@fbadb76)
…rom template@aeac8c1)
…te literal detection Sync from socket-repo-template@000943d. Hook + gate now flag template- literal build paths; allowlist replaces ±2 line tolerance with exact-line OR snippet_hash match. New --show-hashes flag prints SHA-256 prefix for allowlist entries that survive reformatting.
…ents.mts Sync from socket-repo-template@bb21ab5. Mantra: 1 path, 1 reference. The hook and gate now both import STAGE_SEGMENTS, BUILD_ROOT_SEGMENTS, MODE_SEGMENTS, and KNOWN_SIBLING_PACKAGES from a single canonical .claude/hooks/path-guard/segments.mts so they can no longer drift on what counts as a build-output path.
Format check-paths.mts (Gap 2 sync), CLAUDE.md (sync drift), and xport.schema.json (sync drift) so CI lint passes.
Contributor
Author
|
bugbot run |
Contributor
Author
|
bugbot run |
John-David Dalton (jdalton)
added a commit
that referenced
this pull request
Apr 27, 2026
…y/ scope) Consolidates PR #621 (path-guard infra) and #622 (.sh→.mts hook conversion) into this branch. Resolves the modify/delete conflict on .git-hooks/{commit-msg,pre-push} by accepting the .mts versions — the env allowlist tweak from #620 is already covered in commit-msg.mts via shouldSkipFile and the precommit allowlist. Also renames internal hook packages to drop the @socketsecurity/ scope (hook-path-guard, hook-token-guard, hook-check-new-deps) — they're private:true and never published.
Contributor
Author
John-David Dalton (jdalton)
added a commit
that referenced
this pull request
Apr 27, 2026
Consolidates the work previously split across PRs #620 (env allowlist), #621 (path-guard infra), and #622 (.sh→.mts hook conversion) into a single commit on chore/harden-env-allowlist. What's included: Env allowlist + .cache/ + CLAUDE.md - Drop NODE_COMPILE_CACHE-equivalent stale env entries - Allow .env.precommit at any depth in commit-msg hook - Skip hook scripts in scanners (they contain the literal regex) - Exclude .cache/** in tsconfig.check.json - Propagate CLAUDE.md sorting + open-PR + paths + inclusive-language rules; Set constructor sort rule; don't-revert-untouched rule; replace whitelist/blacklist with allowlist/denylist Path-guard infra (.claude/hooks/path-guard/, scripts/check-paths.mts, .github/paths-allowlist.yml, .claude/skills/path-guard/) - Mantra: 1 path, 1 reference. PreToolUse hook on Edit|Write blocks multi-stage build paths constructed inline; companion gate runs in pnpm check - Template-literal path detection - Drift-resistant allowlist via exact-line OR snippet_hash match - --show-hashes CLI flag for authoring allowlist entries - Centralized vocabulary in segments.mts (hook + gate share one source for stage / build-root / mode / sibling-package sets) - Paren-balanced parser handles nested function-call args - Multi-line YAML reasons (| and > block scalars) Token-guard renamed from token-hygiene - Word-boundary match for sensitive env names (no more false positives on substring matches inside identifiers) - Step 1 (ALWAYS_DANGEROUS) now gates on hasRedaction so 'env | sed s/=.*/=<redacted>/' (the suggested fix) actually passes .sh → .mts hook conversion (Node 25+) - .git-hooks/_helpers.mts (was _helpers.sh) — exports filterAllowedApiKeys + scanners for personal paths, AWS keys, GitHub tokens, private keys, AI attribution - .git-hooks/{commit-msg,pre-commit,pre-push}.mts (were .sh) - _helpers.mts hard-fails at module load if Node < 25 (relies on stable type stripping, no flag) - Husky shims invoke node directly Hook package rename - Drop @socketsecurity/ scope from internal hook packages (hook-path-guard, hook-token-guard, hook-check-new-deps); they are private:true and never published to npm Dep - Add @sinclair/typebox 0.34.49 to devDependencies (used by scripts/xport-schema.mts)
John-David Dalton (jdalton)
added a commit
that referenced
this pull request
Apr 27, 2026
Consolidates the work previously split across PRs #620 (env allowlist), #621 (path-guard infra), and #622 (.sh→.mts hook conversion) into a single commit on chore/harden-env-allowlist. What's included: Env allowlist + .cache/ + CLAUDE.md - Drop NODE_COMPILE_CACHE-equivalent stale env entries - Allow .env.precommit at any depth in commit-msg hook - Skip hook scripts in scanners (they contain the literal regex) - Exclude .cache/** in tsconfig.check.json - Propagate CLAUDE.md sorting + open-PR + paths + inclusive-language rules; Set constructor sort rule; don't-revert-untouched rule; replace whitelist/blacklist with allowlist/denylist Path-guard infra (.claude/hooks/path-guard/, scripts/check-paths.mts, .github/paths-allowlist.yml, .claude/skills/path-guard/) - Mantra: 1 path, 1 reference. PreToolUse hook on Edit|Write blocks multi-stage build paths constructed inline; companion gate runs in pnpm check - Template-literal path detection - Drift-resistant allowlist via exact-line OR snippet_hash match - --show-hashes CLI flag for authoring allowlist entries - Centralized vocabulary in segments.mts (hook + gate share one source for stage / build-root / mode / sibling-package sets) - Paren-balanced parser handles nested function-call args - Multi-line YAML reasons (| and > block scalars) Token-guard renamed from token-hygiene - Word-boundary match for sensitive env names (no more false positives on substring matches inside identifiers) - Step 1 (ALWAYS_DANGEROUS) now gates on hasRedaction so 'env | sed s/=.*/=<redacted>/' (the suggested fix) actually passes .sh → .mts hook conversion (Node 25+) - .git-hooks/_helpers.mts (was _helpers.sh) — exports filterAllowedApiKeys + scanners for personal paths, AWS keys, GitHub tokens, private keys, AI attribution - .git-hooks/{commit-msg,pre-commit,pre-push}.mts (were .sh) - _helpers.mts hard-fails at module load if Node < 25 (relies on stable type stripping, no flag) - Husky shims invoke node directly Hook package rename - Drop @socketsecurity/ scope from internal hook packages (hook-path-guard, hook-token-guard, hook-check-new-deps); they are private:true and never published to npm Dep - Add @sinclair/typebox 0.34.49 to devDependencies (used by scripts/xport-schema.mts)
John-David Dalton (jdalton)
added a commit
that referenced
this pull request
Apr 27, 2026
…rap + cascade Consolidated PR — combines the original work from #620, #621, #622 plus follow-up commits (private-name rule, socket-registry pin cascades) into a single squashed commit. Includes: - env allowlist + .cache/ + CLAUDE.md hygiene (restore .cache/** exclude in tsconfigs; propagate CLAUDE.md sorting/open-PR/paths/ inclusive-language/Set-sort/don't-revert-untouched/private-name rules; replace whitelist/blacklist with allowlist/denylist) - path-guard infra (PreToolUse hook + scripts/check-paths.mts gate + .github/paths-allowlist.yml + /path-guard skill — enforces "1 path, 1 reference" so multi-stage build paths are constructed exactly once) - token-guard hook (renamed from token-hygiene; word-boundary match for sensitive env names; ALWAYS_DANGEROUS gates on hasRedaction so redacted env dumps pass) - .sh -> .mts hook conversion on Node 25+ (stable type stripping; _helpers.mts hard-fails at module load if Node < 25; husky shims invoke node directly) - internal hook package rename (drop @socketsecurity/ scope from hook-path-guard, hook-token-guard, hook-check-new-deps; private, never published) - xport lock-step manifest (scripts/xport.mts + scripts/xport-schema.mts + scripts/xport-emit-schema.mts + xport.schema.json) - bootstrap-from-registry (scripts/bootstrap-from-registry.mts downloads zero-dep Socket packages from npm registry into node_modules/ via preinstall hook, solving fresh-clone chicken-and-egg) - socket-registry pins cascaded to ceab1e26 (picks up the @socketsecurity/lib bootstrap move from the install action into setup, so consumers calling only setup also benefit)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Propagates the
path-guardinfrastructure andtoken-hygiene → token-guardrename from socket-repo-template@bb21ab5.Mantra: 1 path, 1 reference. Every build/test/runtime path is constructed exactly once; everywhere else references the constructed value.
Three-level enforcement
.claude/hooks/path-guard/) — PreToolUse onEdit/Writeof.mts/.ctsfiles. Blocks new path duplications at edit time.scripts/check-paths.mts) — whole-repo scan; runs after lint/type/validate steps inpnpm run check --all.What's new
.claude/hooks/path-guard/— new mandatory PreToolUse hook + tests..claude/hooks/path-guard/segments.mts— single canonical source ofSTAGE_SEGMENTS,BUILD_ROOT_SEGMENTS,MODE_SEGMENTS,KNOWN_SIBLING_PACKAGES. Imported by both hook and gate so they can never drift..claude/hooks/token-guard/— renamed fromtoken-hygiene(same behavior, new name aligns with the*-guardfamily). Word-boundary match for sensitive env names..claude/skills/path-guard/— invokable/path-guardskill (audit-and-fix, check, install modes)..claude/skills/_shared/path-guard-rule.md— canonical rule snippet.scripts/check-paths.mts— the gate..github/paths-allowlist.yml— narrow-exemption allowlist (empty starter)..claude/settings.json— wires path-guard onEdit|Write, token-guard onBash.scripts/check.mts— invokescheck-paths.mtsafter the existing file-size validation step.package.json— addscheck:pathsscript.Detection improvements
`${PKG}/build/${mode}/${arch}/out/Final/...`that were previously invisible to apath.join-only scanner.snippet_hashmatch.snippet_hashis a 12-char SHA-256 prefix of the whitespace-normalized snippet, surviving reformatting but invalidated by any content-changing edit.--show-hashesflag: print the hash for each finding when authoring an allowlist entry.segments.mts— the hook and gate import from one source, eliminating drift.path.join/path.resolve.|and>block scalars.Verification
node scripts/check-paths.mts --quiet # exit 0 — no findingsGate runs clean against socket-sdk-js on first scan.
Companion propagations
Test plan
node scripts/check-paths.mtsexits 0)