chore(wheelhouse): cascade template@b0c8c0c9

Auto-applied by socket-wheelhouse sync-scaffolding into cascade-socket-bin-10669.
624 file(s) touched:
  - .claude/commands/fleet/audit-gha-settings.md
  - .claude/commands/fleet/codifying-disciplines.md
  - .claude/commands/fleet/green-ci.md
  - .claude/commands/fleet/scanning-quality.md
  - .claude/hooks/fleet/_shared/README.md
  - .claude/hooks/fleet/_shared/error-message-quality.mts
  - .claude/hooks/fleet/_shared/foreign-paths.mts
  - .claude/hooks/fleet/_shared/gha-allowlist.mts
  - .claude/hooks/fleet/_shared/git-state.mts
  - .claude/hooks/fleet/_shared/hook-env.mts
  - .claude/hooks/fleet/_shared/markers.mts
  - .claude/hooks/fleet/_shared/stop-reminder.mts
  - .claude/hooks/fleet/_shared/test/error-message-quality.test.mts
  - .claude/hooks/fleet/_shared/test/foreign-paths.test.mts
  - .claude/hooks/fleet/_shared/test/transcript.test.mts
  - .claude/hooks/fleet/_shared/transcript.mts
  - .claude/hooks/fleet/actionlint-on-workflow-edit/README.md
  - .claude/hooks/fleet/actionlint-on-workflow-edit/index.mts
  - .claude/hooks/fleet/ai-config-drift-reminder/README.md
  - .claude/hooks/fleet/ai-config-drift-reminder/index.mts
  ... and 604 more

Author: jdalton

.claude/commands/fleet/audit-gha-settings.md

@@ -22,9 +22,9 @@ If no arguments given, audit the canonical fleet repo list:
 
 ## Process
 
-1. Invoke the `auditing-gha-settings` skill runner:
+1. Invoke the `auditing-gha` skill runner:
 
-   node .claude/skills/auditing-gha-settings/run.mts <owner/repo>...
+   node .claude/skills/fleet/auditing-gha/run.mts <owner/repo>...
 
 2. The runner exits non-zero if any repo fails the baseline. Read the per-repo findings on stdout.
 

.claude/commands/fleet/codifying-disciplines.md

@@ -0,0 +1,12 @@
+---
+description: Scan a repo for disciplines enforced only by prose, convention, or agent memory and codify each into a script, hook, lint rule, or CLAUDE.md rule. Code is law — memory and docs don't enforce. Runs a Workflow of scanner agents, ranks gaps by blast radius, and proposes a concrete codification per gap.
+---
+
+Run the `codifying-disciplines` skill.
+
+Finds the disciplines a repo relies on but doesn't enforce (CLAUDE.md rules with
+no enforcer, repeated review feedback, build/release steps that depend on
+someone remembering, doc conventions with no validator) and turns each into
+executable law. Especially load-bearing for build and release steps. Interactive
+by default — confirms scope and which proposed codifications to apply now;
+non-interactive mode reports without applying.

.claude/commands/fleet/green-ci.md

@@ -10,7 +10,7 @@ Watch the latest CI run for `$ARGUMENTS` and drive it back to green.
 
 1.  Invoke the `greening-ci` skill runner:
 
-        node .claude/skills/greening-ci/run.mts --repo <owner/repo> [--workflow <name>] [--mode <fast|release|cool>] [--branch <ref>]
+        node .claude/skills/fleet/greening-ci/run.mts --repo <owner/repo> [--workflow <name>] [--mode <fast|release|cool>] [--branch <ref>]
 
     Parse the final stdout line as JSON.
 

.claude/commands/fleet/scanning-quality.md

@@ -0,0 +1,9 @@
+---
+description: Single-pass quality scan — fans out finders in parallel, runs variant analysis, adversarially verifies High/Critical findings, and produces an A-F report. Read-only; makes no commits.
+---
+
+Run the `scanning-quality` skill.
+
+**Read-only** — this produces a report and makes no code changes or commits.
+To iterate-fix-recheck until the report is clean, use the interactive loop
+driver `/fleet:looping-quality` instead.

.claude/hooks/fleet/_shared/README.md

@@ -6,8 +6,6 @@ Helper modules shared across multiple hooks under `.claude/hooks/`. **Not a depl
 
 - **`shell-command.mts`** — Tokenizes a Bash command string with `shell-quote` into discrete `Command`s (`binary`, `args`, leading env `assignments`, plus `viaVariable` / `viaEval` indirection flags). Exposes `parseCommands`, `findInvocation`, `commandsFor`, `invocationHasFlag`, and `hasOpaqueInvocation`. Used by every structure-sensitive Bash guard (`codex-no-write-guard`, `release-workflow-guard`, `no-empty-commit-guard`, the git-detection guards, …) so a forbidden invocation is matched on the actual parsed command — `$(…)` / `$VAR` / `eval` indirection is seen rather than evaded, and a quoted mention inside an `echo` or `-m` body can't false-trigger.
 
-- **`hook-env.mts`** — `isHookDisabled(slug)` and `hookLog(slug, ...lines)`. Standardizes the `SOCKET_<UPPER_SLUG>_DISABLED` env-var convention every hook supports plus the `[<slug>] <line>` stderr prefix shape. Use these in new hooks so every hook gets a uniform kill switch + output format for free.
-
 - **`markers.mts`** — Shared sentinel constants for bypass phrases the user can type to override a hook (`Allow <name> bypass`, etc.).
 
 - **`payload.mts`** — `ToolCallPayload` and `ToolInput` types for the PreToolUse JSON payload, plus `readCommand` / `readFilePath` / `readWriteContent` narrowing helpers. **Use this instead of re-declaring `tool_input` types per-hook** — the fleet had 7 hand-rolled variants before this module landed.
@@ -22,14 +20,12 @@ Helper modules shared across multiple hooks under `.claude/hooks/`. **Not a depl
 
 ## When to reach for what (new hook quick-reference)
 
-- Writing a **Stop hook** that just emits a reminder when patterns match? → `import { runStopReminder } from '../_shared/stop-reminder.mts'`. See `excuse-detector` for the single-group shape, or `voice-and-tone-reminder` (uses `runStopReminders`) for merging several pattern tables into one process while keeping per-group disable env vars.
+- Writing a **Stop hook** that just emits a reminder when patterns match? → `import { runStopReminder } from '../_shared/stop-reminder.mts'`. See `excuse-detector` for the single-group shape, or `yakback-reminder` (uses `runStopReminders`) for merging several pattern tables into one process while keeping per-group disable env vars.
 
 - Writing a **PreToolUse hook** that inspects a tool call's input? → `import { ToolCallPayload, readCommand, readFilePath } from '../_shared/payload.mts'`. Saves you the `typeof === 'string'` guard.
 
 - Detecting whether a Bash command really invokes some binary/subcommand (and want `$(…)` / `$VAR` / quoted-mention false positives handled)? → `import { commandsFor, findInvocation } from '../_shared/shell-command.mts'`.
 
-- Want a kill switch for your hook? → `import { isHookDisabled, hookLog } from '../_shared/hook-env.mts'`. The hook is enabled by default and `SOCKET_<UPPER_SLUG>_DISABLED=1` opts out — same shape across the fleet.
-
 - Need to scan secret-bearing env-var names? → `import { ALL_TOKEN_KEY_PATTERNS } from '../_shared/token-patterns.mts'`.
 
 ## Adding to `_shared/`

.claude/hooks/fleet/_shared/error-message-quality.mts

@@ -0,0 +1,103 @@
+/**
+ * @file Shared error-message-quality classifier. The single source for "is this
+ *   a vague-only error message" — consumed by both
+ *   `error-message-quality-reminder` (Stop hook, grades code blocks the
+ *   assistant wrote) and the `error-messages-are-thorough` check (commit-time,
+ *   grades `throw new …Error("…")` across the committed tree). Extracted so the
+ *   pattern list + grading bar live in ONE place; a tweak to either lands for
+ *   both surfaces at once.
+ *
+ *   The bar (per CLAUDE.md "Error messages"): a message is vague when it is a
+ *   short static string carrying ONLY a vague verb/noun — no "what" rule, no
+ *   field/location, no saw-vs-wanted value. A message with a colon (field-path
+ *   prefix), an embedded quote (a shown value), or length > 40 is presumed to
+ *   carry specifics and is NOT graded.
+ */
+
+// Match any Error-suffixed class plus the legacy TemporalError name.
+export const ERROR_CLASS_RE = /(?:Error|TemporalError)$/
+
+export interface VaguePattern {
+  readonly label: string
+  readonly regex: RegExp
+  readonly hint: string
+}
+
+export const VAGUE_MESSAGE_PATTERNS: readonly VaguePattern[] = [
+  {
+    label: 'bare "invalid"',
+    regex:
+      /^(?:invalid|invalid value|invalid input|invalid argument|invalid format)\.?$/i,
+    hint: '"Invalid" describes the fallout, not the rule. Say what shape was expected: "must be lowercase", "must match /^[a-z]+$/", "must be one of X / Y / Z".',
+  },
+  {
+    label: 'bare "failed"',
+    regex:
+      /^(?:failed|failure|operation failed|request failed|action failed)\.?$/i,
+    hint: '"Failed" describes the symptom. Name what was attempted and what blocked it: "could not write <path>: ENOENT", "fetch <url> returned 503".',
+  },
+  {
+    label: 'bare "error occurred"',
+    regex: /^(?:an? )?error(?:\s+occurred)?\.?$/i,
+    hint: 'The message says nothing the reader can act on. State the rule, the location, the bad value.',
+  },
+  {
+    label: 'bare "something went wrong"',
+    regex: /^something went wrong\.?$/i,
+    hint: 'Pure filler. CLAUDE.md "Error messages": the reader should fix the problem from the message alone.',
+  },
+  {
+    label: 'bare "unable to X" / "could not X" (verb-only)',
+    regex: /^(?:unable to|could not|cannot|can'?t)\s+\w+\.?$/i,
+    hint: 'No object / no reason. "Unable to read" → "could not read <path>: <errno>".',
+  },
+  {
+    label: 'bare "not found"',
+    regex: /^(?:not found|not\s+exist|does not exist|missing)\.?$/i,
+    hint: 'Missing what? Where? Say "config file not found: <path>" with the specific path.',
+  },
+  {
+    label: 'bare "bad" / "wrong" / "incorrect"',
+    regex:
+      /^(?:bad|wrong|incorrect|invalid format)(?:\s+(?:argument|data|format|input|value))?\.?$/i,
+    hint: 'Same as "invalid" — describe the rule the value violated, not how you feel about it.',
+  },
+]
+
+export interface MessageGrade {
+  readonly label: string
+  readonly hint: string
+}
+
+/**
+ * Grade a single thrown-error message string. Returns the matched vague pattern,
+ * or undefined when the message clears the bar (carries a colon / quoted value,
+ * is longer than 40 chars, or matches no vague-only pattern). A non-string
+ * message (template literal with interpolation, an identifier) is out of scope —
+ * pass an empty string and it returns undefined.
+ */
+export function gradeMessage(message: string): MessageGrade | undefined {
+  const trimmed = message.trim()
+  if (trimmed.length === 0) {
+    return undefined
+  }
+  // A colon suggests a field-path prefix; an embedded quote/backtick suggests a
+  // shown "saw vs. wanted" value. Either way, presumed specific.
+  if (
+    trimmed.includes(':') ||
+    trimmed.includes('"') ||
+    trimmed.includes('`')
+  ) {
+    return undefined
+  }
+  if (trimmed.length > 40) {
+    return undefined
+  }
+  for (let i = 0, { length } = VAGUE_MESSAGE_PATTERNS; i < length; i += 1) {
+    const pattern = VAGUE_MESSAGE_PATTERNS[i]!
+    if (pattern.regex.test(trimmed)) {
+      return { label: pattern.label, hint: pattern.hint }
+    }
+  }
+  return undefined
+}