chore: sync to socket-repo-template@3e20767

- 9 hook READMEs rewritten to junior-dev approachable level
- programmatic-claude-lockdown SKILL.md backtick-fix for npx scanner
- xport.schema.json regenerated from template
- xport.json created (empty rows — single-package npm-only repo)
- package.json: add xport + xport:emit-schema scripts
- pnpm-workspace.yaml: add resolutionMode: highest

Verified: 0 findings against template.

Author: jdalton

.claude/hooks/auth-rotation-reminder/README.md

@@ -1,17 +1,25 @@
 # auth-rotation-reminder
 
-Claude Code `Stop` hook that periodically logs you out of authenticated
-CLIs (npm, pnpm, gcloud, vault, aws sso, docker, socket, …) so stale
-long-lived tokens don't sit in your dotfiles or keychain for days.
-
-## Why
-
-Long-lived auth tokens live in well-known locations: `~/.npmrc`,
-`~/.config/gh/hosts.yml`, `~/.config/gcloud/`, `~/.docker/config.json`.
-A compromised dev workstation has a wide blast radius on those files.
-Periodic auto-revocation tightens the window and forces explicit
-re-authentication, which is itself a small phishing-defense moment
-("did I really mean to publish?").
+A **Claude Code hook** that runs at the *end* of every Claude turn,
+notices when you've been logged into a CLI for "too long," and
+automatically logs you out so stale long-lived tokens don't sit in
+your dotfiles or keychain for days.
+
+> If you haven't worked with Claude Code hooks before: hooks are tiny
+> scripts that run at specific lifecycle points. A `Stop` hook like
+> this one fires *after* Claude finishes a turn. Stop hooks are a
+> good place for periodic maintenance — they have access to your
+> shell environment but don't gate any tool calls.
+
+## Why automatic logout
+
+Long-lived auth tokens live in well-known files: `~/.npmrc`,
+`~/.config/gh/hosts.yml`, `~/.config/gcloud/`, `~/.docker/config.json`,
+your OS keychain. A compromised dev workstation has a wide blast
+radius on those files. Periodic auto-revocation tightens the window
+where a stolen token is useful, and forces explicit re-authentication
+— which is itself a small phishing-defense moment ("did I really
+mean to publish?").
 
 ## Defaults
 
@@ -120,12 +128,20 @@ node --test test/*.test.mts
 
 ## Reusing the snooze convention
 
-Other hooks can adopt the same `.snooze` pattern. The convention is:
+Other hooks can adopt the same `.snooze` pattern. The convention:
 
 - Filename: `.claude/<hook-id>.snooze` (project) or
   `~/.claude/hooks/<hook-id>/snooze` (global).
 - Format: ISO 8601 expiry on line 1. Optional further lines ignored.
 - `.gitignore`: `.claude/*.snooze`.
-- Cleanup: hook auto-deletes expired files via `safeDelete`.
-- The `checkSnoozes` / `tryUnlink` helpers in `index.mts` are easy to
-  copy into a sibling hook.
+- Cleanup: hook auto-deletes expired files via `safeDelete` from
+  `@socketsecurity/lib/fs`.
+- The `checkSnoozes` helper in `index.mts` is easy to copy into a
+  sibling hook.
+
+## Cross-fleet sync
+
+This README and the hook itself live in
+[`socket-repo-template`](https://github.com/SocketDev/socket-repo-template/tree/main/template/.claude/hooks/auth-rotation-reminder)
+and are required to be byte-identical across every fleet repo.
+`scripts/sync-scaffolding.mts` flags drift; `--fix` rewrites it.

.claude/hooks/check-new-deps/README.md

@@ -1,19 +1,41 @@
-# check-new-deps Hook
-
-A Claude Code pre-tool hook that checks new dependencies against [Socket.dev](https://socket.dev) before they're added to the project. It runs automatically every time Claude tries to edit or create a dependency manifest file.
-
-## What it does
-
-When Claude edits a file like `package.json`, `requirements.txt`, `Cargo.toml`, or any of 17+ supported ecosystems, this hook:
-
-1. **Detects the file type** and extracts dependency names from the content
-2. **Diffs against the old content** (for edits) so only *newly added* deps are checked
-3. **Queries the Socket.dev API** to check for malware and critical security alerts
-4. **Blocks the edit** (exit code 2) if malware or critical alerts are found
-5. **Warns** (but allows) if a package has a low quality score
-6. **Allows** (exit code 0) if everything is clean or the file isn't a manifest
-
-## How it works
+# check-new-deps
+
+A **Claude Code hook** that runs whenever Claude tries to edit or
+create a dependency manifest (`package.json`, `requirements.txt`,
+`Cargo.toml`, and 14+ other ecosystems). It extracts the
+*newly added* dependencies, asks [Socket.dev](https://socket.dev) if
+any of them are known malware or have critical security alerts, and
+**blocks** the edit if so.
+
+> If you haven't worked with Claude Code hooks before: hooks are tiny
+> scripts that run at specific lifecycle points. A `PreToolUse` hook
+> like this one fires *before* Claude calls a tool (here, `Edit` or
+> `Write`). It can either **prime** (write to stderr, exit 0, model
+> carries on) or **block** (exit 2, edit never happens). This one
+> blocks for malware/critical findings and primes for low-quality
+> warnings.
+
+## What it does, step by step
+
+1. Claude tries to edit `package.json` (or any other supported
+   manifest).
+2. The hook reads the proposed edit from stdin.
+3. It detects the file type and extracts dependency names from the
+   new content.
+4. For an `Edit` (not a `Write`), it diffs new content vs. old, so
+   only *newly added* dependencies get checked — existing deps
+   aren't re-scanned every time you bump an unrelated version.
+5. It builds a [Package URL (PURL)](https://github.com/package-url/purl-spec)
+   for each new dep and calls Socket.dev's `checkMalware` API.
+6. Three outcomes:
+   - **Malware or critical alert** → exit `2`. Edit is blocked,
+     Claude reads the alert reason from stderr and either picks a
+     different package or asks the user.
+   - **Low quality score** → exit `0` with a warning. Edit proceeds.
+   - **Clean (or file isn't a manifest)** → exit `0` silently. Edit
+     proceeds.
+
+## Flow diagram
 
 ```
 Claude wants to edit package.json
@@ -23,25 +45,25 @@ Hook receives the edit via stdin (JSON)
         │
         ▼
 Extract new deps from new_string
-Diff against old_string (if Edit)
+Diff against old_string (if Edit, not Write)
         │
         ▼
 Build Package URLs (PURLs) for each dep
         │
         ▼
 Call sdk.checkMalware(components)
   - ≤5 deps: parallel firewall API (fast, full data)
-  - >5 deps: batch PURL API (efficient)
+  - >5 deps:  batch PURL API (efficient)
         │
         ├── Malware/critical alert → EXIT 2 (blocked)
-        ├── Low score → warn, EXIT 0 (allowed)
-        └── Clean → EXIT 0 (allowed)
+        ├── Low score              → warn, EXIT 0 (allowed)
+        └── Clean                  → EXIT 0 (allowed)
 ```
 
 ## Supported ecosystems
 
-| File | Ecosystem | Example dep format |
-|------|-----------|-------------------|
+| File pattern | Ecosystem | Example |
+|-------------|-----------|---------|
 | `package.json` | npm | `"express": "^4.19"` |
 | `package-lock.json`, `pnpm-lock.yaml`, `yarn.lock` | npm | lockfile entries |
 | `requirements.txt`, `pyproject.toml`, `setup.py` | PyPI | `flask>=3.0` |
@@ -51,7 +73,7 @@ Call sdk.checkMalware(components)
 | `composer.json`, `composer.lock` | Composer (PHP) | `"vendor/package": "^3.0"` |
 | `pom.xml`, `build.gradle` | Maven (Java) | `<artifactId>commons</artifactId>` |
 | `pubspec.yaml`, `pubspec.lock` | Pub (Dart) | `flutter_bloc: ^8.1` |
-| `.csproj` | NuGet (.NET) | `<PackageReference Include="..."/>` |
+| `.csproj` | NuGet (.NET) | `<PackageReference Include="..." />` |
 | `mix.exs` | Hex (Elixir) | `{:phoenix, "~> 1.7"}` |
 | `Package.swift` | Swift PM | `.package(url: "...", from: "4.0")` |
 | `*.tf` | Terraform | `source = "hashicorp/aws"` |
@@ -60,7 +82,13 @@ Call sdk.checkMalware(components)
 | `flake.nix` | Nix | `github:owner/repo` |
 | `.github/workflows/*.yml` | GitHub Actions | `uses: owner/repo@ref` |
 
-## Configuration
+## Caching
+
+API responses are cached in-memory for 5 minutes (max 500 entries)
+to avoid redundant network calls when Claude touches the same
+manifest a few times in one session.
+
+## Wiring
 
 The hook is registered in `.claude/settings.json`:
 
@@ -84,19 +112,23 @@ The hook is registered in `.claude/settings.json`:
 
 ## Dependencies
 
-All dependencies use `catalog:` references from the workspace root (`pnpm-workspace.yaml`):
+All dependencies use `catalog:` references from the workspace root
+(`pnpm-workspace.yaml`):
 
-- `@socketsecurity/sdk` — Socket.dev SDK v4 with `checkMalware()` API
-- `@socketsecurity/lib` — shared constants and path utilities
-- `@socketregistry/packageurl-js` — Package URL (PURL) parsing and stringification
+- `@socketsecurity/sdk` — Socket.dev SDK v4, exposes `checkMalware()`.
+- `@socketsecurity/lib` — shared constants and path utilities.
+- `@socketregistry/packageurl-js` — Package URL (PURL) parsing.
 
-## Caching
+## Exit codes
 
-API responses are cached in-memory for 5 minutes (max 500 entries) to avoid redundant network calls when Claude checks the same dependency multiple times in a session.
+| Code | Meaning | What Claude does next |
+|------|---------|----------------------|
+| `0` | Allow | Edit/Write proceeds normally. |
+| `2` | Block | Edit/Write is rejected; Claude reads the block reason from stderr. |
 
-## Exit codes
+## Cross-fleet sync
 
-| Code | Meaning | Claude behavior |
-|------|---------|----------------|
-| 0 | Allow | Edit/Write proceeds normally |
-| 2 | Block | Edit/Write is rejected, Claude sees the error message |
+This README and the hook itself live in
+[`socket-repo-template`](https://github.com/SocketDev/socket-repo-template/tree/main/template/.claude/hooks/check-new-deps)
+and are required to be byte-identical across every fleet repo.
+`scripts/sync-scaffolding.mts` flags drift; `--fix` rewrites it.

.claude/hooks/logger-guard/README.md

@@ -1,40 +1,62 @@
 # logger-guard
 
-Claude Code `PreToolUse` hook that blocks `Edit`/`Write` tool calls
-introducing direct stream writes (`process.stderr.write`,
-`process.stdout.write`, `console.log/error/warn/info/debug`) into
-source files.
+A **Claude Code hook** that runs before `Edit` or `Write` tool calls
+on TypeScript source files and **blocks** edits that introduce direct
+stream writes — `process.stderr.write`, `process.stdout.write`,
+`console.log` / `error` / `warn` / `info` / `debug` — into source
+code that's supposed to use a logger.
 
-## Why
+> If you haven't worked with Claude Code hooks before: hooks are tiny
+> scripts that run at specific lifecycle points. A `PreToolUse` hook
+> like this one fires *before* Claude calls a tool. It can either
+> **prime** (write to stderr, exit 0, model carries on) or **block**
+> (exit 2, edit never happens). This one blocks.
 
-Source code uses `getDefaultLogger()` from `@socketsecurity/lib/logger`
-for all output. Direct stream writes bypass:
+## Why a logger and not console.log
 
-- Color/theme handling
-- Indentation tracking
-- Stream redirection in tests
-- Counter increments used by spinners and progress bars
+Source code in this fleet uses `getDefaultLogger()` from
+`@socketsecurity/lib/logger` for all output. That logger handles:
 
-so they produce inconsistent output that breaks layout-sensitive
-workflows (spinner clears, footer rendering).
+- **Color and theme.** Terminal colors honor the user's environment
+  (no-color, light/dark, etc.). Direct `console.log` doesn't.
+- **Indentation tracking.** Nested operations indent their output.
+  Direct writes don't, so you get unaligned messages.
+- **Stream redirection in tests.** Vitest captures and asserts on
+  logger output. Direct writes go to the real stdout/stderr and
+  pollute test reports.
+- **Layout-sensitive features.** Spinners, progress bars, and footer
+  rendering all increment counters the logger maintains. Bypassing
+  the logger leaves those counters wrong, which produces visual
+  artifacts (a spinner that doesn't clear, a footer that
+  duplicates).
+
+The block is what keeps the logger as the single source of truth.
+If even one file directly writes to stdout, the next person on a
+related file sees the precedent and follows it; the convention
+erodes.
 
 ## Scope
 
-- Only fires on `Edit` / `Write` tools.
-- Only inspects files matching `*.{ts,mts,tsx,cts}` under repo
-  source. Hooks (`.claude/hooks/`), git-hooks (`.git-hooks/`), build
-  scripts (`scripts/`), tests, fixtures, and external/vendored code
-  are exempt.
-- Lines containing `# socket-hook: allow logger` are exempt
-  (canonical opt-out). The bare `# socket-hook: allow` form also
-  works.
-- Lines that look like documentation (`*` / `//` / `#` comments,
-  JSDoc tags, fully-backticked code spans) are exempt.
+The hook is intentionally narrow:
+
+- **Fires** on `Edit` and `Write` calls.
+- **Inspects** files matching `*.{ts,mts,tsx,cts}` under repo source.
+- **Exempts** `.claude/hooks/`, `.git-hooks/`, `scripts/`, tests,
+  fixtures, and external/vendored code — those have legitimate
+  reasons to write directly.
+- **Exempts** lines tagged `# socket-hook: allow logger` (canonical
+  per-line opt-out). The bare form `# socket-hook: allow` also
+  works for blanket suppression.
+- **Exempts** lines that look like documentation: lines starting
+  with `*`, `//`, or `#`; JSDoc tags; fully-backticked code spans.
 
 ## Suggested replacements
 
+When the hook blocks, it surfaces a concrete rewrite per hit so the
+agent can apply it directly:
+
 | Direct call | Logger equivalent |
-| --- | --- |
+|-------------|-------------------|
 | `process.stderr.write(s)` | `logger.error(s)` |
 | `process.stdout.write(s)` | `logger.info(s)` |
 | `console.error(...)` | `logger.error(...)` |
@@ -43,12 +65,38 @@ workflows (spinner clears, footer rendering).
 | `console.debug(...)` | `logger.debug(...)` |
 | `console.log(...)` | `logger.info(...)` |
 
-The hook surfaces the rewrite as a `Fix:` line per hit so the agent
-can apply it directly.
+## Wiring
+
+`.claude/settings.json`:
 
-## Tests
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node .claude/hooks/logger-guard/index.mts"
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+## Testing
 
 ```bash
 cd .claude/hooks/logger-guard
 node --test test/*.test.mts
 ```
+
+## Cross-fleet sync
+
+This README and the hook itself live in
+[`socket-repo-template`](https://github.com/SocketDev/socket-repo-template/tree/main/template/.claude/hooks/logger-guard)
+and are required to be byte-identical across every fleet repo.
+`scripts/sync-scaffolding.mts` flags drift; `--fix` rewrites it.