fix: resolve quality scan issues (iteration 2)

Fixed 20 issues identified by quality-scan:

High priority (12 issues):
- src/github.ts:758 - Fixed race condition in cacheFetchGhsa using getOrFetch()
- .husky/pre-commit - Added .git-hooks script validation
- .husky/pre-push - Added .git-hooks script validation
- .husky/commit-msg - Added .git-hooks script validation
- scripts/test/main.mjs:492 - Removed explicit process.exit() for proper error propagation
- scripts/test/main.mjs:256 - Fixed NODE_OPTIONS concatenation with deduplication
- scripts/lint.mjs:200 - Fixed silent linter failures by checking stdout and stderr
- README.md - Removed 4 non-existent API references (getUserProfile, MIN_SUPPORTED_NODE_VERSION, MAIN_REGISTRY_URL, LINUX)

Medium priority (5 issues):
- src/cache-with-ttl.ts:402 - Fixed TOCTOU race in getOrFetch with double-check pattern
- .git-hooks/commit-msg:44 - Added mktemp error handling and cleanup trap
- .git-hooks/pre-push:28 - Added git range validation
- .husky/security-checks.sh - Fixed file iteration to handle spaces safely
- .git-hooks/pre-commit - Fixed file iteration (3 occurrences)
- .git-hooks/pre-push - Fixed file iteration

Low priority (3 issues):
- Bash scripts - Fixed file iteration to handle filenames with spaces using IFS

Author: jdalton

.git-hooks/commit-msg

@@ -41,7 +41,12 @@ fi
 COMMIT_MSG_FILE="$1"
 if [ -f "$COMMIT_MSG_FILE" ]; then
   # Create a temporary file to store the cleaned message.
-  TEMP_FILE=$(mktemp)
+  TEMP_FILE=$(mktemp) || {
+    printf "${RED}✗ Failed to create temporary file${NC}\n" >&2
+    exit 1
+  }
+  # Ensure cleanup on exit
+  trap 'rm -f "$TEMP_FILE"' EXIT
   REMOVED_LINES=0
 
   # Read the commit message line by line and filter out AI attribution.

.git-hooks/pre-commit

@@ -52,7 +52,7 @@ fi
 
 # Check for hardcoded user paths (generic detection).
 printf "Checking for hardcoded personal paths...\n"
-for file in $STAGED_FILES; do
+echo "$STAGED_FILES" | while IFS= read -r file; do
   if [ -f "$file" ]; then
     # Skip test files and hook scripts.
     if echo "$file" | grep -qE '\.(test|spec)\.|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then
@@ -71,7 +71,7 @@ done
 
 # Check for Socket API keys.
 printf "Checking for API keys...\n"
-for file in $STAGED_FILES; do
+echo "$STAGED_FILES" | while IFS= read -r file; do
   if [ -f "$file" ]; then
     if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
       printf "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}\n"
@@ -83,7 +83,7 @@ done
 
 # Check for common secret patterns.
 printf "Checking for potential secrets...\n"
-for file in $STAGED_FILES; do
+echo "$STAGED_FILES" | while IFS= read -r file; do
   if [ -f "$file" ]; then
     # Skip test files, example files, and hook scripts.
     if echo "$file" | grep -qE '\.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then

.git-hooks/pre-push

@@ -48,6 +48,12 @@ while read local_ref local_sha remote_ref remote_sha; do
     fi
   fi
 
+  # Validate the computed range before using it
+  if ! git rev-list "$range" >/dev/null 2>&1; then
+    printf "${RED}✗ Invalid commit range: $range${NC}\n" >&2
+    exit 1
+  fi
+
   ERRORS=0
 
   # ============================================================================
@@ -111,7 +117,7 @@ while read local_ref local_sha remote_ref remote_sha; do
     fi
 
     # Check file contents for secrets.
-    for file in $CHANGED_FILES; do
+    echo "$CHANGED_FILES" | while IFS= read -r file; do
       if [ -f "$file" ] && [ ! -d "$file" ]; then
         # Skip test files, example files, and hook scripts.
         if echo "$file" | grep -qE '\.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then

.husky/commit-msg

@@ -1,2 +1,7 @@
 # Run commit message validation and auto-strip AI attribution.
-.git-hooks/commit-msg "$1"
+if [ -x ".git-hooks/commit-msg" ]; then
+  .git-hooks/commit-msg "$1"
+else
+  printf "\033[0;31m✗ Error: .git-hooks/commit-msg not found or not executable\033[0m\n" >&2
+  exit 1
+fi

.husky/pre-commit

@@ -9,7 +9,12 @@ fi
 
 if [ -z "${DISABLE_PRECOMMIT_TEST}" ]; then
   if command -v dotenvx >/dev/null 2>&1 || [ -x "./node_modules/.bin/dotenvx" ]; then
-    dotenvx -q run -f .env.precommit -- pnpm test --staged
+    if [ -f ".env.precommit" ]; then
+      dotenvx -q run -f .env.precommit -- pnpm test --staged || pnpm test --staged
+    else
+      printf "⚠  .env.precommit not found, running tests without it\n"
+      pnpm test --staged
+    fi
   else
     printf "⚠  dotenvx not found, running tests without .env.precommit\n"
     pnpm test --staged

.husky/pre-push

@@ -1,2 +1,7 @@
 # Run pre-push security validation.
-.git-hooks/pre-push "$@"
+if [ -x ".git-hooks/pre-push" ]; then
+  .git-hooks/pre-push "$@"
+else
+  printf "\033[0;31m✗ Error: .git-hooks/pre-push not found or not executable\033[0m\n" >&2
+  exit 1
+fi

.husky/security-checks.sh

@@ -54,7 +54,7 @@ fi
 
 # Check for hardcoded user paths (generic detection).
 printf "Checking for hardcoded personal paths...\n"
-for file in $STAGED_FILES; do
+echo "$STAGED_FILES" | while IFS= read -r file; do
   if [ -f "$file" ]; then
     # Skip test files and hook scripts.
     if echo "$file" | grep -qE '\.(test|spec)\.|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then

README.md

@@ -96,7 +96,7 @@ Type-safe environment variable access and platform detection.
 - `getCI()` - Detect CI environment
 - `getNodeEnv()` - Get NODE_ENV value
 - `isTest()` - Check if running tests
-- `getHome()`, `getUserProfile()` - Cross-platform home directory
+- `getHome()` - Home directory (Unix/Linux/macOS)
 - Test rewiring with `setEnv()`, `resetEnv()`
 
 ### Package Management
@@ -107,9 +107,8 @@ Detect and work with npm, pnpm, and yarn.
 
 ### Constants
 Pre-defined values for Node.js, npm, and platform detection.
-- `MIN_SUPPORTED_NODE_VERSION` - Minimum Node.js version
-- `MAIN_REGISTRY_URL` - npm registry URL
-- `WIN32`, `DARWIN`, `LINUX` - Platform booleans
+- `getNodeMajorVersion()` - Get current Node.js major version
+- `WIN32`, `DARWIN` - Platform booleans (use `!WIN32 && !DARWIN` for Linux)
 - `getAbortSignal()` - Global abort signal
 
 ### Utilities

scripts/lint.mjs

@@ -212,7 +212,11 @@ async function runLintOnFiles(files, options = {}) {
       }
 
       // When fixing, non-zero exit codes are normal if fixes were applied.
-      if (!fix || (result.stderr && result.stderr.trim().length > 0)) {
+      // Check both stdout and stderr for error output (some linters use stdout)
+      const hasOutput =
+        (result.stderr && result.stderr.trim().length > 0) ||
+        (result.stdout && result.stdout.trim().length > 0)
+      if (!fix || hasOutput) {
         if (!quiet) {
           logger.error('Linting failed')
         }
@@ -286,7 +290,11 @@ async function runLintOnAll(options = {}) {
       }
 
       // When fixing, non-zero exit codes are normal if fixes were applied.
-      if (!fix || (result.stderr && result.stderr.trim().length > 0)) {
+      // Check both stdout and stderr for error output (some linters use stdout)
+      const hasOutput =
+        (result.stderr && result.stderr.trim().length > 0) ||
+        (result.stdout && result.stdout.trim().length > 0)
+      if (!fix || hasOutput) {
         if (!quiet) {
           logger.error('Linting failed')
         }

scripts/test/main.mjs

@@ -249,12 +249,26 @@ async function runTests(
     vitestArgs.push(...positionals)
   }
 
+  // Build NODE_OPTIONS with deduplication to avoid conflicts
+  const existingOpts = (process.env.NODE_OPTIONS || '')
+    .split(/\s+/)
+    .filter(Boolean)
+  // Remove existing max-old-space-size to avoid conflicts
+  const filteredOpts = existingOpts.filter(
+    opt => !opt.startsWith('--max-old-space-size'),
+  )
+  const maxOldSpace = process.env.CI ? 8192 : 4096
+  const nodeOptions = [
+    ...filteredOpts,
+    `--max-old-space-size=${maxOldSpace}`,
+    '--unhandled-rejections=warn',
+  ].join(' ')
+
   const spawnOptions = {
     cwd: rootPath,
     env: {
       ...process.env,
-      NODE_OPTIONS:
-        `${process.env.NODE_OPTIONS || ''} --max-old-space-size=${process.env.CI ? 8192 : 4096} --unhandled-rejections=warn`.trim(),
+      NODE_OPTIONS: nodeOptions,
       VITEST: '1',
     },
     stdio: 'inherit',
@@ -488,8 +502,8 @@ async function main() {
       spinner.stop()
     } catch {}
     removeExitHandler()
-    // Explicitly exit to prevent hanging
-    process.exit(process.exitCode || 0)
+    // Exit code already set via process.exitCode (line 465/475)
+    // Let process exit naturally to allow parent process error handlers
   }
 }