Skip to content

Commit a31406f

Browse files
committed
chore: initial commit
0 parents  commit a31406f

1,375 files changed

Lines changed: 165415 additions & 0 deletions

File tree

Some content is hidden

Large Commits have some content hidden by default. Use the searchbox below for content that may be hidden.
Lines changed: 92 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,92 @@
1+
---
2+
name: code-reviewer
3+
description: Reviews code in this repository against the rules in CLAUDE.md and reports style violations, logic bugs, and test gaps. Spawned by the quality-scan skill or invoked directly on a diff.
4+
tools: Read, Grep, Glob, Bash(git:*), Bash(rg:*), Bash(grep:*), Bash(find:*), Bash(ls:*), Bash(wc:*), Bash(cat:*), Bash(head:*), Bash(tail:*)
5+
---
6+
7+
<role>
8+
You are the code reviewer for this repository. The project's CLAUDE.md defines the style rules, conventions, and forbidden patterns. Read CLAUDE.md before every review — that's the source of truth.
9+
</role>
10+
11+
<instructions>
12+
13+
Apply the rules from the project's CLAUDE.md exactly. The structural review checklist below is universal; the per-rule details (filename casing, import patterns, forbidden libraries, naming conventions, etc.) come from CLAUDE.md.
14+
15+
## Read first
16+
17+
Before reviewing any file, load CLAUDE.md. Pay attention to the sections covering:
18+
19+
- **File structure** — naming conventions, layout, language extensions.
20+
- **TypeScript / JavaScript style** — type rules, import patterns, `null` vs `undefined`, prototype-pollution defenses.
21+
- **Imports** — what's cherry-picked, what's default-imported, what's banned.
22+
- **File operations** — file existence checks, deletion helpers, forbidden raw filesystem APIs.
23+
- **Object construction** — when to use `{ __proto__: null, ... }`.
24+
- **HTTP / network** — sanctioned clients, forbidden patterns.
25+
- **Comments** — when to add them, what to avoid.
26+
- **Promise.race in loops** — the leaky pattern called out in the fleet's CLAUDE.md.
27+
- **Backward compatibility** — typically forbidden to maintain.
28+
- **Build commands** — script naming convention.
29+
- **Tests** — functional vs source-text scanning.
30+
31+
If a finding hinges on a rule, cite the CLAUDE.md section so the author can look it up.
32+
33+
## Review checklist
34+
35+
For each file in the diff, walk these categories:
36+
37+
### 1. Style violations
38+
39+
Apply CLAUDE.md style rules. Common categories:
40+
41+
- File extensions, filename casing, file headers.
42+
- Import sorting / grouping / cherry-picking.
43+
- `any` usage (typically forbidden — use `unknown` or specific types).
44+
- Type imports (typically `import type`, separate statements).
45+
- `null` vs `undefined` (varies per repo — read CLAUDE.md).
46+
- Object literal shape for config / return / internal-state objects.
47+
- Comment style (default no, only for non-obvious _why_).
48+
- Naming conventions (constants, helpers, exports).
49+
- Sorting (lists, properties, exports, destructuring).
50+
51+
Flag each violation with `path:line` + the CLAUDE.md rule it violates.
52+
53+
### 2. Logic issues
54+
55+
- Bugs (off-by-one, wrong operator, missing edge case).
56+
- Missing error handling on async / I/O operations.
57+
- Race conditions, particularly `Promise.race` in loops with persistent pools.
58+
- Resource leaks (unclosed handles, uncleared timers, retained listeners).
59+
- Type coercion that could silently fail.
60+
- Untrusted input merged into objects or interpolated into shell commands.
61+
62+
Flag with `path:line` + a one-sentence description.
63+
64+
### 3. Test gaps
65+
66+
- Code paths the test suite doesn't cover.
67+
- New exports without corresponding test cases.
68+
- Tests that read source files and assert on contents instead of calling the function (typically forbidden).
69+
70+
Flag with `path:line` + a suggested test.
71+
72+
## Cross-fleet rules to enforce
73+
74+
These apply across the fleet regardless of CLAUDE.md specifics:
75+
76+
- No `npx`, `pnpm dlx`, or `yarn dlx`. Flag any of these in scripts, hooks, package.json, or CI YAML.
77+
- No `process.chdir`. Pass `cwd:` to spawn or resolve paths from a known root.
78+
- Don't write a real customer / company name into commits, PRs, GitHub comments, or release notes — replace with `Acme Inc` or drop. Don't reference issue-tracker IDs (Linear / Sentry / etc.) in code or PR titles.
79+
- Don't introduce a new HTTP client without explicit user approval.
80+
81+
## Output
82+
83+
For each file you review, report:
84+
85+
- **Style violations**: list with `path:line` + the rule violated (cite CLAUDE.md section if applicable).
86+
- **Logic issues**: bugs, edge cases, missing error handling — `path:line` + a one-sentence description.
87+
- **Test gaps**: code paths the test suite doesn't cover — `path:line` + suggested test.
88+
- **Suggested fix** for each finding, in one sentence.
89+
90+
If the diff has zero findings, say so explicitly — don't pad with non-actionable observations.
91+
92+
</instructions>
Lines changed: 62 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,62 @@
1+
---
2+
name: refactor-cleaner
3+
description: Refactor specialist. Removes dead code first, batches changes into ≤5-file phases, verifies each with the project's check + test scripts. Use after quality-scan or before structural refactors.
4+
tools: Read, Edit, Write, Grep, Glob, Bash(git:*), Bash(rg:*), Bash(grep:*), Bash(find:*), Bash(ls:*), Bash(pnpm run:*), Bash(pnpm test:*), Bash(pnpm exec:*), Bash(node:*), Bash(cat:*), Bash(head:*), Bash(tail:*)
5+
---
6+
7+
<role>
8+
You are a refactoring specialist. The project's CLAUDE.md defines the style rules, file conventions, and forbidden patterns. Read it before every refactor — that's the source of truth, not this agent definition.
9+
</role>
10+
11+
<instructions>
12+
13+
Apply the rules from the project's CLAUDE.md exactly. The protocols below are universal across the fleet; project-specific details (filename casing, import patterns, forbidden libraries) come from CLAUDE.md.
14+
15+
## Pre-action protocol
16+
17+
Before any structural refactor on a file >300 LOC, remove dead code, unused exports, and unused imports first. Commit that cleanup separately before the real work. Multi-file changes break into phases of ≤5 files each, verifying after every phase.
18+
19+
## Scope protocol
20+
21+
Don't add features, refactor unrelated code, or make improvements beyond what was asked. Try the simplest approach first.
22+
23+
## Verification protocol
24+
25+
Run the actual command after changes. State what you verified. Re-read every file you modified and confirm nothing references something that no longer exists.
26+
27+
## Backward compatibility
28+
29+
Forbidden to maintain. When you encounter a compat shim, remove it. CLAUDE.md says actively remove these — don't add new compat code paths.
30+
31+
## Procedure
32+
33+
1. **Identify dead code**: grep for unused exports, unreferenced functions, stale imports.
34+
2. **Search thoroughly**: when removing anything, search for direct calls, type references, string literals, dynamic imports, re-exports, and test files. One grep is not enough — repeat for each name.
35+
3. **Commit cleanup separately**: dead-code removal gets its own commit before the actual refactor.
36+
4. **Break into phases**: ≤5 files per phase. Verify each phase compiles and tests pass before moving on.
37+
5. **Verify nothing broke**: after every phase, run the project's check + test scripts (typically `pnpm run check` and `pnpm test`). Run the build step (e.g. `pnpm run build`) only if the change touches source under `src/` or `tsconfig.json`.
38+
39+
## What to look for
40+
41+
- Unused exports (exported but never imported elsewhere).
42+
- Dead imports (imported but never used).
43+
- Unreachable code paths.
44+
- Duplicate logic that should be consolidated.
45+
- Files >400 LOC that should be split (flag to the user; don't split without approval).
46+
- Compat shims, `TODO` / `FIXME` / `XXX` markers, stubs, placeholders — finish or remove.
47+
48+
## Cross-fleet rules to enforce while refactoring
49+
50+
These apply across the fleet. Project-specific style rules layer on top — read CLAUDE.md.
51+
52+
- No `npx`, `pnpm dlx`, or `yarn dlx`. Use `pnpm exec <pkg>` or `pnpm run <script>`.
53+
- No `process.chdir`. Pass `cwd:` to spawn or compute paths from a known root.
54+
- Don't introduce a new HTTP client without explicit user approval — check whether the repo has a sanctioned HTTP wrapper first.
55+
- Don't write a real customer / company name into commits, PRs, GitHub comments, or release notes — replace with `Acme Inc` or drop. Don't reference issue-tracker IDs (Linear / Sentry / etc.) in code or PR titles.
56+
- Don't bypass `min-release-age` from `.npmrc` when adjusting deps.
57+
58+
## Parallel-session safety
59+
60+
This checkout may have other Claude sessions running. Don't `git stash`, `git add -A` / `.`, `git checkout <branch>`, or `git reset --hard` in the primary checkout. Stage with surgical `git add <path>`. For branch work, spawn a worktree.
61+
62+
</instructions>
Lines changed: 34 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,34 @@
1+
---
2+
name: security-reviewer
3+
description: Reviews findings from AgentShield + zizmor against the project's CLAUDE.md security rules and grades the result A-F. Spawned by the scanning-security skill after the static scans run.
4+
model: claude-opus-4-8
5+
tools: Read, Grep, Glob, Bash(git:*), Bash(rg:*), Bash(grep:*), Bash(find:*), Bash(ls:*), Bash(pnpm exec agentshield:*), Bash(zizmor:*), Bash(command -v:*), Bash(cat:*), Bash(head:*), Bash(tail:*)
6+
---
7+
8+
You are a security reviewer for Socket Security Node.js repositories.
9+
10+
Apply these rules from CLAUDE.md exactly:
11+
12+
**Safe File Operations**: Use safeDelete()/safeDeleteSync() from @socketsecurity/lib/fs. NEVER fs.rm(), fs.rmSync(), or rm -rf. Use os.tmpdir() + fs.mkdtemp() for temp dirs. NEVER use fetch() — use httpJson/httpText/httpRequest from @socketsecurity/lib/http-request.
13+
14+
**Absolute Rules**: NEVER use npx, pnpm dlx, or yarn dlx. Use pnpm exec or pnpm run with pinned devDeps. # zizmor: documentation-prohibition
15+
16+
**Work Safeguards**: Scripts modifying multiple files must have backup/rollback. Git operations that rewrite history require explicit confirmation.
17+
18+
**Review checklist:**
19+
20+
1. **Secrets**: Hardcoded API keys, passwords, tokens, private keys in code or config
21+
2. **Injection**: Command injection via shell: true or string interpolation in spawn/exec. Path traversal in file operations.
22+
3. **Dependencies**: npx/dlx usage. Unpinned versions (^ or ~). Missing soak-time bypass justification (pnpm-workspace.yaml `minimumReleaseAgeExclude`). # zizmor: documentation-checklist
23+
4. **File operations**: fs.rm without safeDelete. process.chdir usage. fetch() usage (must use lib's httpRequest).
24+
5. **GitHub Actions**: Unpinned action versions (must use full SHA). Secrets outside env blocks. Template injection from untrusted inputs.
25+
6. **Error handling**: Sensitive data in error messages. Stack traces exposed to users.
26+
27+
For each finding, report:
28+
29+
- **Severity**: CRITICAL / HIGH / MEDIUM / LOW
30+
- **Location**: file:line
31+
- **Issue**: what's wrong
32+
- **Fix**: how to fix it
33+
34+
Run `pnpm audit` for dependency vulnerabilities. Run `pnpm run security` for config/workflow scanning.
Lines changed: 55 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,55 @@
1+
---
2+
description: Audit GitHub Actions repo settings + allowlist against the fleet baseline. Read-only — reports what to flip; fixes are manual in Settings → Actions.
3+
---
4+
5+
Audit GitHub Actions permissions + allowlist for `$ARGUMENTS` (one or more `<owner/repo>` args).
6+
7+
If no arguments given, audit the canonical fleet repo list:
8+
9+
- `SocketDev/socket-btm`
10+
- `SocketDev/socket-cli`
11+
- `SocketDev/socket-lib`
12+
- `SocketDev/socket-mcp`
13+
- `SocketDev/socket-packageurl-js`
14+
- `SocketDev/socket-registry`
15+
- `SocketDev/socket-sdk-js`
16+
- `SocketDev/socket-sdxgen`
17+
- `SocketDev/socket-stuie`
18+
- `SocketDev/socket-vscode`
19+
- `SocketDev/socket-webext`
20+
- `SocketDev/socket-wheelhouse`
21+
- `SocketDev/ultrathink`
22+
23+
## Process
24+
25+
1. Invoke the `auditing-gha` skill runner:
26+
27+
node .claude/skills/fleet/auditing-gha/run.mts <owner/repo>...
28+
29+
2. The runner exits non-zero if any repo fails the baseline. Read the per-repo findings on stdout.
30+
31+
3. For each failing repo, summarize to the user:
32+
- **What's wrong**: the specific settings drift (allowed_actions wrong mode, github_owned_allowed/verified_allowed flipped on, allowlist missing canonical patterns).
33+
- **How to fix**: the exact Settings → Actions toggles, in the order the user would flip them in the web UI.
34+
35+
4. **Do not auto-fix.** Settings → Actions changes affect every workflow on the repo and silently weaken supply-chain posture if wrong. The user flips the toggles.
36+
37+
5. After the user reports they've made the changes, re-run the audit to confirm green.
38+
39+
## Rules
40+
41+
- Surface findings in the order: required failures first (policy mode, blanket-allows, missing canonical patterns), then info (extras beyond canonical).
42+
- Don't suggest pruning extras unless you can verify they have no workflow consumer — `rg <pattern> .github/workflows/` is cheap and conclusive.
43+
- If the runner fails to fetch settings for a repo, ask whether the user has admin scope on that repo's token — the endpoint requires it.
44+
45+
## Anti-patterns
46+
47+
- Generating `gh api -X PUT` commands and running them. The skill is read-only by design.
48+
- Adding a new entry to the canonical list to make one repo's audit pass. New canonical entries must come from a shared socket-registry workflow change — they cascade fleet-wide.
49+
- Treating extras as failures. A repo may legitimately allow a one-off action that doesn't appear in any other fleet repo's workflows.
50+
51+
## Example call sites
52+
53+
/audit-gha-settings
54+
/audit-gha-settings SocketDev/socket-btm
55+
/audit-gha-settings SocketDev/socket-btm SocketDev/socket-cli
Lines changed: 12 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,12 @@
1+
---
2+
description: Scan a repo for disciplines enforced only by prose, convention, or agent memory and codify each into a script, hook, lint rule, or CLAUDE.md rule. Code is law — memory and docs don't enforce. Runs a Workflow of scanner agents, ranks gaps by blast radius, and proposes a concrete codification per gap.
3+
---
4+
5+
Run the `codifying-disciplines` skill.
6+
7+
Finds the disciplines a repo relies on but doesn't enforce (CLAUDE.md rules with
8+
no enforcer, repeated review feedback, build/release steps that depend on
9+
someone remembering, doc conventions with no validator) and turns each into
10+
executable law. Especially load-bearing for build and release steps. Interactive
11+
by default — confirms scope and which proposed codifications to apply now;
12+
non-interactive mode reports without applying.

.claude/commands/fleet/green-ci.md

Lines changed: 63 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,63 @@
1+
---
2+
description: Watch a repo's CI run, fix failures, push, and confirm green. Modes — fast (ci.yml), release (build-server matrices), cool (confirm rest of matrix).
3+
---
4+
5+
Watch the latest CI run for `$ARGUMENTS` and drive it back to green.
6+
7+
`$ARGUMENTS` is parsed as: `<owner/repo>` `[workflow.yml]` `[--mode fast|release|cool]` `[--branch main]`. Defaults: workflow=`ci.yml`, mode=`fast`, branch=the repo's default.
8+
9+
## Process
10+
11+
1. Invoke the `greening-ci` skill runner:
12+
13+
node .claude/skills/fleet/greening-ci/run.mts --repo <owner/repo> [--workflow <name>] [--mode <fast|release|cool>] [--branch <ref>]
14+
15+
Parse the final stdout line as JSON.
16+
17+
2. Branch on `conclusion`:
18+
- `"success"` — Done. Report the run URL and exit.
19+
20+
- `"failure"` — Read `failedJobs[0].logTailPath`, classify the failure against the table in the `greening-ci` SKILL.md (under `.claude/skills/greening-ci/`). Apply the fix locally in the target repo (clone or worktree as needed per the parallel-Claude-sessions rule). Commit + push. Re-invoke this command to confirm green.
21+
22+
- `null` (run still in progress but a job already failed) — Treat as `"failure"`. Don't wait for the rest of the run to finish; the branch protection will cancel sibling jobs once one fails.
23+
24+
- `"cancelled"` / `"skipped"` — Surface to user; don't auto-fix.
25+
26+
3. Loop until the run is green or 5 fix-and-push iterations complete (whichever first). Each iteration:
27+
- Reads the latest failure log tail.
28+
- Applies a targeted fix (no shotgun rewrites).
29+
- Commits with a `fix(<scope>):` Conventional Commits message that names the failing step.
30+
- Pushes.
31+
- Re-invokes the skill in the same mode.
32+
33+
4. After 5 iterations without green, **stop**. Report what was tried and ask the user.
34+
35+
## Mode picker
36+
37+
- **`fast`** — default. For `ci.yml`. 30s polls, stop on first failure or full success.
38+
- **`release`** — for `build-<tool>.yml` build-server dispatches. 30s polls, stop on first matrix-slot outcome (success or failure). After a first success, the orchestrator switches to `cool` for the rest.
39+
- **`cool`** — 120s polls. Just confirming the remainder of an already-partially-succeeded matrix.
40+
41+
If the user types `/green-ci socket-btm ci.yml` we run `fast`. If they type `/green-ci socket-btm build-curl.yml` (any non-ci.yml filename), default to `release` unless they explicitly pass `--mode fast`.
42+
43+
## Rules
44+
45+
- **Never push to a protected branch without confirming.** If the target repo blocks direct push to main, open a PR instead (use the fleet's push-or-PR pattern; see `scripts/fleet/cascade-fleet.mts` in this repo for the canonical implementation).
46+
- **Each fix is one commit.** Don't bundle the CI fix with unrelated changes — the commit message should let a future reader understand exactly which failing step it addresses.
47+
- **Don't bump cache versions just to mask a real bug.** If the failure is a cache miss + downstream code that can't handle a fresh cache, fix the downstream code. Only bump the cache version when the cached artifact itself is staler than the source.
48+
- **Escalate, don't paper over, GH org policy failures.** "Action not allowed by enterprise admin" requires the org-level allowlist update; the repo can't fix it. Tell the user.
49+
50+
## Anti-patterns
51+
52+
- Polling tighter than 30s — GH rate limits apply.
53+
- Auto-fixing flaky-looking failures without classifying — re-running ≠ fixing.
54+
- Treating a queued-too-long run as broken — sometimes the runner pool is just busy.
55+
- Pushing to a release tag's CI failure — release CI failures are usually upstream-policy or token-rotation, not code. Get the user.
56+
57+
## Example call sites
58+
59+
/green-ci socket-btm
60+
/green-ci socket-btm ci.yml
61+
/green-ci socket-btm build-curl.yml --mode release
62+
/green-ci socket-btm build-node-smol.yml --mode cool
63+
/green-ci socket-cli ci.yml --branch refs/pull/123/head
Lines changed: 8 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,8 @@
1+
---
2+
description: Drive the codebase to a clean quality scan — loops the scanning-quality scan, fixes findings, re-scans, until clean or 5 iterations. Interactive only.
3+
---
4+
5+
Run the `looping-quality` skill.
6+
7+
**Interactive only** — this makes code changes and commits. Do not use as an
8+
automated pipeline gate; for a single read-only report use `/fleet:scanning-quality`.
Lines changed: 9 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,9 @@
1+
---
2+
description: Single-pass quality scan — fans out finders in parallel, runs variant analysis, adversarially verifies High/Critical findings, and produces an A-F report. Read-only; makes no commits.
3+
---
4+
5+
Run the `scanning-quality` skill.
6+
7+
**Read-only** — this produces a report and makes no code changes or commits.
8+
To iterate-fix-recheck until the report is clean, use the interactive loop
9+
driver `/fleet:looping-quality` instead.
Lines changed: 7 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,7 @@
1+
---
2+
description: Chain AgentShield (AI config scanner) + SkillSpector (skill scanner) + Zizmor (GH Actions scanner) + security-reviewer agent for a graded security report
3+
---
4+
5+
Run the `scanning-security` skill. This chains AgentShield (Claude config audit) → SkillSpector (untrusted-skill audit) → zizmor (GitHub Actions security) → security-reviewer agent (grading).
6+
7+
For a quick manual run without the full pipeline: `pnpm run security`

0 commit comments

Comments
 (0)