chore(sync): fleet scaffolding cascade — oxfmt/oxlint -c config + drift

Full sync-scaffolding pass from socket-wheelhouse. Most consequential
change: `oxfmt` / `oxlint` invocations in scripts/lint.mts now consistently
pass `-c .config/oxfmtrc.json` / `-c .config/oxlintrc.json`. Some repos
were missing the flag entirely (defaulting oxfmt to double-quotes-plus-
semis, which would silently rewrite ~200 files on first run); others had
the flag form `--config` followed by an empty arg, leaving oxlint
without a config path. Also picks up:

* package.json scripts `format` / `format:check` aligned to canonical
  `oxfmt -c .config/oxfmtrc.json --{write,check} .`
* `.claude/hooks/*` updates (excuse-detector, no-experimental-strip-
  types-guard, _shared helpers — whichever the repo was missing)
* `.config/oxlint-plugin/rules/*` rule definitions resynced
* `.git-hooks/*`, `scripts/{fix,security,update,power-state,...}.mts`,
  `scripts/lockstep-emit-schema.mts`, `scripts/socket-wheelhouse-*`
* `CLAUDE.md` fleet block

Run `pnpm run sync-scaffolding --check` to verify clean.

Author: jdalton

.claude/commands/quality-loop.md

@@ -1,3 +1,7 @@
+---
+description: Run /scanning-quality and fix all issues found, repeating until clean or 5 iterations complete
+---
+
 Run the `/scanning-quality` skill and fix all issues found. Repeat until zero issues remain or 5 iterations complete.
 
 **Interactive only** — this command makes code changes and commits. Do not use as an automated pipeline gate.

.claude/commands/security-scan.md

@@ -1,3 +1,7 @@
+---
+description: Chain AgentShield (AI scanner) + Zizmor (GH Actions scanner) + security-reviewer agent for a graded security report
+---
+
 Run the `/scanning-security` skill. This chains AgentShield (Claude config audit) → zizmor (GitHub Actions security) → security-reviewer agent (grading).
 
 For a quick manual run without the full pipeline: `pnpm run security`

.claude/hooks/_shared/bash-quote-mask.mts

@@ -0,0 +1,149 @@
+/**
+ * @fileoverview Shared helper for Bash-tool PreToolUse hooks.
+ *
+ * Hooks that inspect tool_input.command for a forbidden substring
+ * (e.g. a destructive verb, a stale flag, a secret pattern) all face
+ * the same false-positive risk: the match might fall inside a quoted
+ * string body (`echo "tip: drop --bad-flag from your script"`) or
+ * inside a heredoc that the shell will pass as literal text rather
+ * than execute. This module centralizes the parsing so each hook can
+ * reason in terms of "did the forbidden token appear as a real
+ * argument" rather than "does the string contain this text."
+ *
+ * Two-level API:
+ *
+ *   buildQuoteMask(s) — per-character boolean array; mask[i] === true
+ *     when the character at index i sits inside a single- or
+ *     double-quoted string. Use this when you need to check a regex
+ *     match's index against quote state.
+ *
+ *   matchOutsideQuotes(s, re) — convenience: run a regex against `s`
+ *     and return the first match whose index sits OUTSIDE all quotes
+ *     and outside any heredoc body. Returns undefined when every
+ *     match is inside quoted/heredoc text. Use this for the common
+ *     "does the live command contain this flag" check.
+ *
+ * Limitations:
+ *
+ *   - Not a full POSIX shell parser. Quote nesting (`$"..."`,
+ *     `$'...'` ANSI-C) and `$(...)` command substitution are not
+ *     tracked precisely; they fall through to the simple quote
+ *     state. In practice this is fine for the use cases here, which
+ *     all match a literal flag/verb that wouldn't appear inside
+ *     parameter expansion.
+ *
+ *   - Heredoc detection looks for `<<DELIM ... \nDELIM\b` patterns.
+ *     The delimiter is captured from the opening line and matched on
+ *     a later line at column 0. Both `<<EOF` and `<<-EOF` (tab-stripped)
+ *     forms are recognized; quoted delimiters (`<<'EOF'`) are also
+ *     accepted.
+ */
+
+/**
+ * Per-character mask: true at positions inside a single- or double-
+ * quoted string. The opening and closing quote characters themselves
+ * are marked true (so they're treated as "inside" — handy for code
+ * that wants to skip both the quotes and the body).
+ */
+export function buildQuoteMask(s: string): boolean[] {
+  const mask = new Array<boolean>(s.length).fill(false)
+  let inSingle = false
+  let inDouble = false
+  for (let i = 0; i < s.length; i += 1) {
+    const c = s[i]
+    if (!inSingle && !inDouble && c === "'") {
+      inSingle = true
+      mask[i] = true
+      continue
+    }
+    if (inSingle && c === "'") {
+      inSingle = false
+      mask[i] = true
+      continue
+    }
+    if (!inSingle && !inDouble && c === '"') {
+      inDouble = true
+      mask[i] = true
+      continue
+    }
+    if (inDouble && c === '"') {
+      inDouble = false
+      mask[i] = true
+      continue
+    }
+    // Backslash escape inside double quotes: skip the escaped char.
+    // (Single quotes don't honor backslash in POSIX, so we only
+    // handle the double-quote case.)
+    if (inDouble && c === '\\' && i + 1 < s.length) {
+      mask[i] = true
+      mask[i + 1] = true
+      i += 1
+      continue
+    }
+    mask[i] = inSingle || inDouble
+  }
+  return mask
+}
+
+/**
+ * Replace heredoc bodies with empty strings of equivalent length so
+ * the surrounding indices stay valid. Recognizes:
+ *   <<EOF ... \nEOF
+ *   <<-EOF ... \nEOF       (tab-stripped form)
+ *   <<'EOF' ... \nEOF      (quoted delimiter, no interpolation)
+ *   <<"EOF" ... \nEOF
+ *
+ * The closing delimiter must appear at column 0 (POSIX), but we
+ * accept any leading whitespace as a small concession to the
+ * tab-stripped `<<-` form.
+ */
+export function stripHeredocBodies(s: string): string {
+  return s.replace(
+    /<<-?\s*['"]?(\w+)['"]?([\s\S]*?)\n\s*\1\b/g,
+    (full, _delim, body) => {
+      // Replace the body with spaces so indices in the outer string
+      // stay aligned. The opening line + delimiter line are kept so
+      // callers can still see the `<<EOF` token if they care.
+      return full.replace(body, ' '.repeat(body.length))
+    },
+  )
+}
+
+/**
+ * Search `s` for the first regex match whose index falls outside
+ * every single-/double-quoted string AND outside every heredoc body.
+ * Returns the match, or undefined if every match was inside quoted
+ * or heredoc text.
+ *
+ * The regex is run with the `g` flag implicitly — pass a non-global
+ * regex and we'll create a global clone so `.exec()` can iterate.
+ */
+export function matchOutsideQuotes(
+  s: string,
+  pattern: RegExp,
+): RegExpExecArray | undefined {
+  const stripped = stripHeredocBodies(s)
+  const mask = buildQuoteMask(stripped)
+  const re = pattern.global
+    ? pattern
+    : new RegExp(pattern.source, pattern.flags + 'g')
+  re.lastIndex = 0
+  let match: RegExpExecArray | null
+  while ((match = re.exec(stripped)) !== null) {
+    if (!mask[match.index]) {
+      return match
+    }
+    if (match.index === re.lastIndex) {
+      re.lastIndex += 1
+    }
+  }
+  return undefined
+}
+
+/**
+ * Convenience predicate: true when `pattern` matches `s` at an
+ * unquoted, non-heredoc position. Wraps matchOutsideQuotes.
+ */
+export function containsOutsideQuotes(s: string, pattern: RegExp): boolean {
+  return matchOutsideQuotes(s, pattern) !== undefined
+}

.claude/hooks/_shared/test/bash-quote-mask.test.mts

@@ -0,0 +1,159 @@
+// node --test specs for the shared bash-quote-mask helper.
+//
+// Run from this dir:
+//   node --test test/*.test.mts
+
+import test from 'node:test'
+import assert from 'node:assert/strict'
+
+import {
+  buildQuoteMask,
+  containsOutsideQuotes,
+  matchOutsideQuotes,
+  stripHeredocBodies,
+} from '../bash-quote-mask.mts'
+
+test('buildQuoteMask: empty string', () => {
+  assert.deepEqual(buildQuoteMask(''), [])
+})
+
+test("buildQuoteMask: plain text is all false", () => {
+  const mask = buildQuoteMask('git status --short')
+  assert.ok(mask.every(b => b === false))
+})
+
+test('buildQuoteMask: single-quoted region is true', () => {
+  const s = "echo 'hi'"
+  const mask = buildQuoteMask(s)
+  // 'echo ' → 5 false
+  for (let i = 0; i < 5; i += 1) {
+    assert.strictEqual(mask[i], false)
+  }
+  // "'hi'" → 4 true (open quote, h, i, close quote)
+  for (let i = 5; i < 9; i += 1) {
+    assert.strictEqual(mask[i], true)
+  }
+})
+
+test('buildQuoteMask: double-quoted region is true', () => {
+  const s = 'echo "hi"'
+  const mask = buildQuoteMask(s)
+  assert.strictEqual(mask[5], true) // "
+  assert.strictEqual(mask[6], true) // h
+  assert.strictEqual(mask[7], true) // i
+  assert.strictEqual(mask[8], true) // "
+})
+
+test('buildQuoteMask: escaped double quote inside double quotes', () => {
+  const s = 'echo "a\\"b"'
+  const mask = buildQuoteMask(s)
+  // 'a' is at index 6, the \\ at 7-8 should be marked, then "b" at 9, " at 10.
+  assert.strictEqual(mask[5], true) // opening "
+  assert.strictEqual(mask[6], true) // a
+  assert.strictEqual(mask[7], true) // backslash (escape)
+  assert.strictEqual(mask[8], true) // escaped "
+  assert.strictEqual(mask[9], true) // b
+  assert.strictEqual(mask[10], true) // closing "
+})
+
+test('buildQuoteMask: single quotes do not honor backslash', () => {
+  // POSIX single quotes: backslash is literal. The runtime string is
+  // `echo 'a\b'` (10 chars): e c h o ␠ ' a \ b '
+  const s = "echo 'a\\b'"
+  const mask = buildQuoteMask(s)
+  assert.strictEqual(s.length, 10)
+  // Opening quote through closing quote (indices 5..9) are all masked.
+  for (let i = 5; i < 10; i += 1) {
+    assert.strictEqual(mask[i], true, `index ${i} should be masked`)
+  }
+})
+
+test('buildQuoteMask: single quotes nested inside double quotes are text', () => {
+  // Inside a double-quoted string, ' is just a literal apostrophe.
+  const s = 'echo "it\'s ok"'
+  const mask = buildQuoteMask(s)
+  // Every char from index 5 to end is inside the double-quoted region.
+  for (let i = 5; i < s.length; i += 1) {
+    assert.strictEqual(mask[i], true)
+  }
+})
+
+test('stripHeredocBodies: replaces body with spaces, preserves length', () => {
+  const s = "cat <<EOF\nhello\nworld\nEOF\nrest"
+  const stripped = stripHeredocBodies(s)
+  assert.strictEqual(stripped.length, s.length)
+  // The word `hello` should be blanked out.
+  assert.ok(!stripped.includes('hello'))
+  // The opening `<<EOF` and closing `EOF` remain.
+  assert.ok(stripped.includes('<<EOF'))
+  // `rest` after the heredoc is untouched.
+  assert.ok(stripped.endsWith('rest'))
+})
+
+test('stripHeredocBodies: handles quoted delimiter', () => {
+  const s = "cat <<'EOF'\nbody\nEOF"
+  const stripped = stripHeredocBodies(s)
+  assert.ok(!stripped.includes('body'))
+})
+
+test('stripHeredocBodies: handles tab-stripped form', () => {
+  const s = "cat <<-EOF\n\tbody\n\tEOF"
+  const stripped = stripHeredocBodies(s)
+  assert.ok(!stripped.includes('body'))
+})
+
+test('containsOutsideQuotes: matches free text', () => {
+  assert.ok(containsOutsideQuotes('node --bad-flag foo', /--bad-flag/))
+})
+
+test('containsOutsideQuotes: does not match inside single quotes', () => {
+  assert.ok(
+    !containsOutsideQuotes(
+      "echo 'reminder: --bad-flag is gone'",
+      /--bad-flag/,
+    ),
+  )
+})
+
+test('containsOutsideQuotes: does not match inside double quotes', () => {
+  assert.ok(
+    !containsOutsideQuotes(
+      'echo "reminder: --bad-flag is gone"',
+      /--bad-flag/,
+    ),
+  )
+})
+
+test('containsOutsideQuotes: does not match inside heredoc body', () => {
+  assert.ok(
+    !containsOutsideQuotes(
+      "git commit -m \"$(cat <<'EOF'\nmention --bad-flag here\nEOF\n)\"",
+      /--bad-flag/,
+    ),
+  )
+})
+
+test('containsOutsideQuotes: matches when both quoted + unquoted occurrences exist', () => {
+  assert.ok(
+    containsOutsideQuotes(
+      "echo 'tip: --bad-flag' && node --bad-flag foo",
+      /--bad-flag/,
+    ),
+  )
+})
+
+test('matchOutsideQuotes: returns the unquoted match', () => {
+  const m = matchOutsideQuotes(
+    "echo 'noise --x' && node --x foo",
+    /--x/,
+  )
+  assert.ok(m)
+  // The unquoted occurrence sits at the end, well past the quoted one.
+  assert.ok(m!.index > 20)
+})
+
+test('matchOutsideQuotes: handles non-global regex by cloning', () => {
+  const m = matchOutsideQuotes('node --x foo', /--x/)
+  assert.ok(m)
+  assert.strictEqual(m![0], '--x')
+})

.claude/hooks/check-new-deps/index.mts

@@ -28,20 +28,14 @@ import type { PackageURL } from '@socketregistry/packageurl-js'
 import {
   SOCKET_PUBLIC_API_TOKEN,
 } from '@socketsecurity/lib/constants/socket'
+import { errorMessage } from '@socketsecurity/lib/errors'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 import {
   normalizePath,
 } from '@socketsecurity/lib/paths/normalize'
 import { SocketSdk } from '@socketsecurity/sdk'
 import type { MalwareCheckPackage } from '@socketsecurity/sdk'
 
-// Local mirror of build-infra/lib/error-utils#errorMessage. Hook runs
-// standalone (no workspace deps beyond @socketsecurity/*) so we can't import
-// the shared helper, but the contract is identical.
-function errorMessage(error: unknown): string {
-  return error instanceof Error ? error.message : String(error)
-}
-
 const logger = getDefaultLogger()
 
 // Per-request timeout (ms) to avoid blocking the hook on slow responses.

.claude/hooks/check-new-deps/package.json

@@ -15,6 +15,6 @@
     "@socketsecurity/sdk": "4.0.1"
   },
   "devDependencies": {
-    "@types/node": "24.9.2"
+    "@types/node": "catalog:"
   }
 }