chore(wheelhouse): cascade template@7aa47e23

Backfill soak-exclude-scope-guard tests + README, CLAUDE.md fleet
block, and docs/claude.md/wheelhouse/no-local-fork-canonical.md.
Removes the 4 stale .mjs duplicates of the .mts markdownlint rule
modules (tombstoned in socket-wheelhouse manifest).

Author: jdalton

.claude/hooks/fleet/soak-exclude-scope-guard/README.md

@@ -29,10 +29,11 @@ The hook fires on Edit/Write to `pnpm-workspace.yaml` when the
 edit adds an entry under `minimumReleaseAgeExclude:` whose package
 name is NOT scoped to one of:
 
-    @socketsecurity/*
-    @socketregistry/*
-    @socketbin/*
     @socketaddon/*
+    @socketbin/*
+    @socketregistry/*
+    @socketsecurity/*
+    @stuie/*
 
 Both glob-form (`@socketsecurity/*`) and exact-pin form
 (`@socketsecurity/lib@6.0.0`) are accepted; the hook splits on

.claude/hooks/fleet/soak-exclude-scope-guard/index.mts

@@ -29,11 +29,16 @@ const logger = getDefaultLogger()
 
 const BYPASS_PHRASE = 'Allow soak-exclude-third-party bypass'
 
+// Fleet-internal first-party scopes published by trusted Socket pipelines —
+// soak-exempt by design. The danger the guard targets is a third-party
+// scope-glob (the 2026-04-06 `@anthropic-ai/*` incident), not a fleet repo's
+// own scope. `@stuie` is the first-party scope of the stuie fleet repo.
 const ALLOWED_SCOPES = new Set([
-  '@socketsecurity',
-  '@socketregistry',
-  '@socketbin',
   '@socketaddon',
+  '@socketbin',
+  '@socketregistry',
+  '@socketsecurity',
+  '@stuie',
 ])
 
 const SECTION_HEADER = /^minimumReleaseAgeExclude:\s*$/
@@ -179,7 +184,7 @@ await withEditGuard((filePath, content, payload) => {
     '  `minimumReleaseAgeExclude:` is a security-policy bypass for Socket',
     '  first-party scopes only:',
     '',
-    '    @socketsecurity/* @socketregistry/* @socketbin/* @socketaddon/*',
+    '    @socketaddon/* @socketbin/* @socketregistry/* @socketsecurity/* @stuie/*',
     '',
     '  Adding a third-party package weakens the malware-protection soak gate.',
     '',

.claude/hooks/fleet/soak-exclude-scope-guard/test/index.test.mts

@@ -63,6 +63,19 @@ test('adding @socketsecurity/* glob passes', async () => {
   assert.strictEqual(r.code, 0)
 })
 
+test('adding @stuie/* first-party glob passes', async () => {
+  const p = tmpYaml('minimumReleaseAgeExclude:\n  - \'@socketregistry/*\'\n')
+  const r = await runHook({
+    tool_name: 'Write',
+    tool_input: {
+      file_path: p,
+      content:
+        "minimumReleaseAgeExclude:\n  - '@socketregistry/*'\n  - '@stuie/*'\n",
+    },
+  })
+  assert.strictEqual(r.code, 0)
+})
+
 test('adding @socketsecurity/lib@6.0.0 exact pin passes', async () => {
   const p = tmpYaml('minimumReleaseAgeExclude:\n  - \'@socketregistry/*\'\n')
   const r = await runHook({

.config/markdownlint-rules/_shared/wheelhouse-self-skip.mjs

@@ -157,11 +157,11 @@ For non-trivial work (multi-file refactor, new feature, migration), the plan its
 
 ### Stranded cascades
 
-🚨 Local-only `chore(wheelhouse): cascade template@<sha>` commits + `chore/wheelhouse-<sha>` worktrees whose template SHA has been superseded on origin accumulate from interrupted cascade waves and silently block future pushes. The wheelhouse cascade auto-runs `socket-wheelhouse/scripts/fleet/cleanup-stranded.mts --target <repo>` at the start of every wave (default = fix; pass `--dry-run` to report only). Safety rails: cascade-subject regex match + trusted commit author + strict-ancestor proof of supersession + cascade-allowlist file check. Any ambiguity → bail the whole repo. Full algorithm + recovery instructions in [`docs/claude.md/fleet/stranded-cascades.md`](docs/claude.md/fleet/stranded-cascades.md).
+🚨 Local-only `chore(wheelhouse): cascade template@<sha>` commits + `chore/wheelhouse-<sha>` worktrees whose template SHA has been superseded on origin accumulate from interrupted cascade waves and silently block future pushes. The wheelhouse cascade auto-runs `socket-wheelhouse/scripts/fleet/cleanup-stranded.mts --target <repo>` at the start of every wave (default = fix; pass `--dry-run` to report only). Safety rails + recovery in [`docs/claude.md/fleet/stranded-cascades.md`](docs/claude.md/fleet/stranded-cascades.md).
 
 ### Never fork fleet-canonical files locally
 
-🚨 Edit fleet-canonical files ONLY in `socket-wheelhouse/template/...` — never downstream. Lift missing helpers upstream + re-cascade. **Trust the wheelhouse:** don't grep / read / debug canonical files in downstream repos to verify contents — treat the wheelhouse as oracle (enforced by `.claude/hooks/fleet/no-fleet-fork-guard/`; bypass: `Allow fleet-fork bypass`). Full ruleset: [`docs/claude.md/wheelhouse/no-local-fork-canonical.md`](docs/claude.md/wheelhouse/no-local-fork-canonical.md).
+🚨 Edit fleet-canonical files ONLY in `socket-wheelhouse/template/...` — never downstream. **Trust the wheelhouse:** don't grep / read / debug canonical files downstream — treat the wheelhouse as oracle. **Composite-file rule:** in `CLAUDE.md` only the `BEGIN/END FLEET-CANONICAL` block is canonical; preamble + `🏗️ Project-Specific` postamble are repo-owned — trim them when the whole-file total approaches the 40 KB cap (enforced by `.claude/hooks/fleet/no-fleet-fork-guard/`; bypass: `Allow fleet-fork bypass`). Full ruleset: [`docs/claude.md/wheelhouse/no-local-fork-canonical.md`](docs/claude.md/wheelhouse/no-local-fork-canonical.md).
 
 ### Code style