chore: sync to socket-repo-template@899813d

jdalton · jdalton · commit 6bb32756d9c6 · 2026-05-03T00:43:23.000-04:00
- Adopt canonical scripts/security.mts (cross-platform which + spawn)
- Update scripts/update.mts + .config/taze.config.mts to template
- package.json: scripts.security delegates to wrapper

Verified: 0 findings against template.
diff --git a/.config/taze.config.mts b/.config/taze.config.mts
@@ -1,20 +1,40 @@
 import { defineConfig } from 'taze'
 
+/* Socket-owned scopes bypass the 7-day maturity cooldown.
+ *
+ * The cooldown (maturityPeriod: 7) exists to catch compromised
+ * upstream packages before we adopt them — but Socket-published
+ * packages go through our own provenance + publish pipeline, so
+ * we trust them to ship fresh.
+ *
+ * The scopes listed here are EXCLUDED from pass 1 (the
+ * cooldown-respecting pass) and INCLUDED in pass 2 (the
+ * immediate-bump pass). Keep this list in sync with
+ * scripts/update.mts if the repo ships one, or with whatever
+ * second-pass mechanism the consuming repo's update script
+ * uses.
+ */
+const SOCKET_SCOPES = [
+  '@socketregistry/*',
+  '@socketsecurity/*',
+  '@socketdev/*',
+  'socket-*',
+  'ecc-agentshield',
+  'sfw',
+]
+
 export default defineConfig({
-  // Exclude these packages.
-  exclude: [
-    'all-the-package-names',
-    'all-the-package-names-v1.3905.0',
-    'eslint-plugin-unicorn',
-  ],
   // Interactive mode disabled for automation.
   interactive: false,
-  // Use minimal logging.
+  // Minimal logging.
   loglevel: 'warn',
-  // Only update packages that have been stable for 7 days.
+  // Socket scopes handled by a second pass with maturityPeriod 0.
+  exclude: SOCKET_SCOPES,
+  // 7-day cooldown on third-party deps — matches `.npmrc`'s
+  // min-release-age setting for install-time enforcement.
   maturityPeriod: 7,
-  // Update mode: 'latest'.
+  // Bump to latest across major boundaries.
   mode: 'latest',
-  // Write to package.json automatically.
+  // Edit package.json in place.
   write: true,
 })
diff --git a/package.json b/package.json
@@ -54,7 +54,7 @@
     "format": "oxfmt --write .",
     "format:check": "oxfmt --check .",
     "lint": "node scripts/lint.mts",
-    "security": "agentshield scan && { command -v zizmor >/dev/null && zizmor .github/ || echo 'zizmor not installed — run pnpm run setup to install'; }",
+    "security": "node scripts/security.mts",
     "precommit": "pnpm run check --lint --staged",
     "prepare": "husky",
     "prepublishOnly": "echo 'ERROR: Use GitHub Actions workflow for publishing' && exit 1",
diff --git a/scripts/security.mts b/scripts/security.mts
@@ -1,52 +1,89 @@
 /**
- * @fileoverview Security scan runner. Runs agentshield on Claude config then
- * optionally runs zizmor against .github/. Cross-platform replacement for the
- * previous inline shell script.
+ * @fileoverview Canonical fleet security-scan runner.
+ *
+ * Runs the two static-analysis tools the fleet uses for local security
+ * checks before push:
+ *
+ *   1. AgentShield — scans `.claude/` config for prompt-injection,
+ *      leaked secrets, and overly-permissive tool permissions.
+ *   2. zizmor      — static analysis for `.github/workflows/*.yml`
+ *      (unpinned actions, secret exposure, template injection,
+ *      permission issues).
+ *
+ * Either tool missing prints a "run pnpm run setup" hint (which
+ * downloads + verifies the pinned binary via the setup-security-tools
+ * hook) and skips that scan rather than failing the entire run.
+ *
+ * Cross-platform: uses `which` from npm for binary discovery (handles
+ * Windows .exe/.cmd resolution) and `spawn` from
+ * `@socketsecurity/lib/spawn` for proper async lifecycle.
+ *
+ * Wired in via `package.json`:
+ *
+ *   "security": "node scripts/security.mts"
+ *
+ * Byte-identical across every fleet repo. Sync-scaffolding flags
+ * drift.
  */
 
 import process from 'node:process'
 
+import which from 'which'
+
+import { WIN32 } from '@socketsecurity/lib/constants/platform'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
-import type { Logger } from '@socketsecurity/lib/logger'
-import { spawnSync } from '@socketsecurity/lib/spawn'
-
-import { runCommand } from './utils/run-command.mts'
-import { errorMessage } from './utils/error-message.mts'
-
-const logger: Logger = getDefaultLogger()
-
-function hasCommand(command: string): boolean {
-  const probe = process.platform === 'win32' ? 'where' : 'command'
-  const args = process.platform === 'win32' ? [command] : ['-v', command]
-  const result = spawnSync(probe, args, {
-    stdio: 'ignore',
-    shell: process.platform === 'win32',
-  })
-  return result.status === 0
+import { spawn } from '@socketsecurity/lib/spawn'
+
+const logger = getDefaultLogger()
+
+async function hasExecutable(name: string): Promise<boolean> {
+  try {
+    await which(name)
+    return true
+  } catch {
+    return false
+  }
 }
 
-async function main(): Promise<void> {
-  const agentshieldCode = await runCommand('agentshield', ['scan'])
-  if (agentshieldCode !== 0) {
-    process.exitCode = agentshieldCode
-    return
+async function runTool(command: string, args: string[]): Promise<number> {
+  try {
+    const result = await spawn(command, args, {
+      stdio: 'inherit',
+      shell: WIN32,
+    })
+    return result.code ?? 1
+  } catch (e) {
+    if (e && typeof e === 'object' && 'code' in e) {
+      const code = (e as { code: unknown }).code
+      return typeof code === 'number' ? code : 1
+    }
+    throw e
   }
+}
 
-  if (hasCommand('zizmor')) {
-    const zizmorCode = await runCommand('zizmor', ['.github/'])
-    if (zizmorCode !== 0) {
-      process.exitCode = zizmorCode
+async function main(): Promise<void> {
+  if (!(await hasExecutable('agentshield'))) {
+    logger.info('agentshield not installed; run "pnpm run setup" to install')
+  } else {
+    const agentshieldCode = await runTool('agentshield', ['scan'])
+    if (agentshieldCode !== 0) {
+      process.exitCode = agentshieldCode
       return
     }
-  } else {
-    logger.info('zizmor not installed — run pnpm run setup to install')
   }
 
-  process.exitCode = 0
+  if (!(await hasExecutable('zizmor'))) {
+    logger.info('zizmor not installed; run "pnpm run setup" to install')
+    return
+  }
+
+  const zizmorCode = await runTool('zizmor', ['.github/'])
+  if (zizmorCode !== 0) {
+    process.exitCode = zizmorCode
+  }
 }
 
-void main().catch((e: unknown) => {
-  const message = errorMessage(e)
-  logger.error(`security scan failed: ${message}`)
+main().catch((e: unknown) => {
+  logger.error(e)
   process.exitCode = 1
 })
diff --git a/scripts/update.mts b/scripts/update.mts
@@ -1,115 +1,72 @@
 /**
- * @fileoverview Monorepo-aware dependency update script.
- * Uses taze to update dependencies across all packages in the monorepo.
+ * Update: two-pass taze to apply the fleet's maturity policy
+ * correctly.
  *
- * Usage:
- *   node scripts/update.mts [options]
+ *   Pass 1: default config (.config/taze.config.mts) —
+ *     non-Socket deps respect maturityPeriod: 7.
  *
- * Options:
- *   --quiet    Suppress progress output
- *   --verbose  Show detailed output
+ *   Pass 2: CLI-flag override — Socket-owned scopes only,
+ *     maturityPeriod: 0. taze's config auto-discovery is
+ *     path-based and doesn't support a --config override, so
+ *     the second pass uses `--include <scopes> --maturity-
+ *     period 0` flags instead of a second config file.
+ *
+ *   Pass 3: pnpm install to refresh the lockfile against the
+ *     updated package.json.
+ *
+ * SOCKET_SCOPES below MUST match the `exclude` list in
+ * .config/taze.config.mts — drift causes double-bumps or
+ * misses.
+ *
+ * This is a reference script. Consuming repos can drop it into
+ * their own scripts/ dir and wire it in via a `"update": "node
+ * scripts/update.mts"` package.json entry.
  */
-
-import process from 'node:process'
-
-import { isQuiet, isVerbose } from '@socketsecurity/lib/argv/flags'
-import { WIN32 } from '@socketsecurity/lib/constants/platform'
-import type { Logger } from '@socketsecurity/lib/logger'
-import { getDefaultLogger } from '@socketsecurity/lib/logger'
-import type { SpawnResult } from '@socketsecurity/lib/spawn'
 import { spawn } from '@socketsecurity/lib/spawn'
-import { errorMessage } from './utils/error-message.mts'
-
-function getErrorMessage(error: unknown): string {
-  return errorMessage(error)
-}
-
-async function main(): Promise<void> {
-  const quiet: boolean = isQuiet()
-  const verbose: boolean = isVerbose()
-  const logger: Logger = getDefaultLogger()
 
+async function run(cmd: string, args: string[]): Promise<boolean> {
   try {
-    if (!quiet) {
-      logger.log('\n🔨 Dependency Update\n')
-    }
-
-    // Build taze command with appropriate flags for monorepo
-    const tazeArgs: string[] = ['exec', 'taze', '-r', '-w']
-
-    if (!quiet) {
-      logger.progress('Updating dependencies...')
-    }
-
-    // Run taze at root level (recursive flag will check all packages).
-    const result: Awaited<SpawnResult> = await spawn('pnpm', tazeArgs, {
-      shell: WIN32,
-      stdio: quiet ? 'pipe' : 'inherit',
-    })
-
-    // Clear progress line.
-    if (!quiet) {
-      process.stdout.write('\r\x1b[K')
-    }
-
-    // Always update Socket packages (bypass taze maturity period).
-    if (!quiet) {
-      logger.progress('Updating Socket packages...')
-    }
-
-    const socketResult: Awaited<SpawnResult> = await spawn(
-      'pnpm',
-      [
-        'update',
-        '@socketsecurity/*',
-        '@socketregistry/*',
-        '@socketbin/*',
-        '--latest',
-        '-r',
-      ],
-      {
-        shell: WIN32,
-        stdio: quiet ? 'pipe' : 'inherit',
-      },
-    )
+    await spawn(cmd, args, { stdio: 'inherit' })
+    return true
+  } catch (e) {
+    process.exitCode = (e as { code?: number }).code ?? 1
+    return false
+  }
+}
 
-    // Clear progress line.
-    if (!quiet) {
-      process.stdout.write('\r\x1b[K')
-    }
+/* Socket-owned scopes — keep in lockstep with the exclude list
+ * in .config/taze.config.mts. */
+const SOCKET_SCOPES = [
+  '@socketregistry/*',
+  '@socketsecurity/*',
+  '@socketdev/*',
+  'socket-*',
+  'ecc-agentshield',
+  'sfw',
+]
 
-    if (socketResult.code !== 0) {
-      if (!quiet) {
-        logger.fail('Failed to update Socket packages')
-      }
-      process.exitCode = 1
-      return
-    }
+const steps: Array<[string, string[]]> = [
+  /* Pass 1 — third-party deps, respects the 7-day cooldown. */
+  ['pnpm', ['exec', 'taze']],
+  /* Pass 2 — Socket deps, no cooldown. --include is comma-separated. */
+  [
+    'pnpm',
+    [
+      'exec',
+      'taze',
+      '--include',
+      SOCKET_SCOPES.join(','),
+      '--maturity-period',
+      '0',
+      '--write',
+    ],
+  ],
+  /* Pass 3 — resync lockfile against the updated package.json. */
+  ['pnpm', ['install']],
+]
 
-    if (result.code !== 0) {
-      if (!quiet) {
-        logger.fail('Failed to update dependencies')
-      }
-      process.exitCode = 1
-    } else {
-      if (!quiet) {
-        logger.success('Dependencies updated')
-        logger.log('')
-      }
-    }
-  } catch (e) {
-    if (!quiet) {
-      logger.fail(`Update failed: ${getErrorMessage(e)}`)
-    }
-    if (verbose) {
-      logger.error(e)
-    }
-    process.exitCode = 1
+for (const [cmd, args] of steps) {
+  if (!(await run(cmd, args))) {
+    break
   }
 }
-
-main().catch((error: unknown) => {
-  const logger: Logger = getDefaultLogger()
-  logger.error(error)
-  process.exitCode = 1
-})
