SocketDev
diff --git a/‎.claude/hooks/no-fleet-fork-guard/README.md‎
Lines changed: 69 additions & 0 deletions b/‎.claude/hooks/no-fleet-fork-guard/README.md‎
Lines changed: 69 additions & 0 deletions
diff --git a/‎.claude/hooks/no-fleet-fork-guard/index.mts‎
Lines changed: 296 additions & 0 deletions b/‎.claude/hooks/no-fleet-fork-guard/index.mts‎
Lines changed: 296 additions & 0 deletions
diff --git a/‎.claude/hooks/no-fleet-fork-guard/package.json‎
Lines changed: 15 additions & 0 deletions b/‎.claude/hooks/no-fleet-fork-guard/package.json‎
Lines changed: 15 additions & 0 deletions
@@ -0,0 +1,69 @@
+# no-fleet-fork-guard
+
+PreToolUse Edit/Write hook that blocks edits to fleet-canonical files inside downstream fleet repos.
+
+## What it enforces
+
+The fleet rule "Never fork fleet-canonical files locally" (CLAUDE.md fleet block, full reference at [`docs/claude.md/no-local-fork-canonical.md`](../../../docs/claude.md/no-local-fork-canonical.md)).
+
+Fleet-canonical surfaces (anything tracked by `socket-repo-template/scripts/sync-scaffolding/manifest.mts`):
+
+- `.config/oxlint-plugin/` — oxlint plugin index + rules
+- `.git-hooks/` — commit-msg / pre-commit / pre-push hooks + helpers
+- `.claude/hooks/` — PreToolUse / PostToolUse hooks
+- `.claude/skills/_shared/` — shared skill helpers
+- `docs/claude.md/` — CLAUDE.md offshoot references
+- `.husky/` — Husky entry shims
+
+When Claude tries to Edit/Write a file under one of these prefixes in a fleet member (any repo with `CLAUDE.md` containing the `BEGIN FLEET-CANONICAL` marker, except `socket-repo-template/template/`), the hook exits 2 with a stderr message that:
+
+1. States the rule.
+2. Names the canonical file path inside `socket-repo-template/template/...`.
+3. Provides the exact `sync-scaffolding` command to cascade.
+4. Documents the bypass phrase.
+
+Edits inside `socket-repo-template/template/` are ALLOWED — that IS the canonical home.
+
+## Bypass
+
+Reverting / overriding the block requires the user to type **`Allow fleet-fork bypass`** verbatim in a recent user turn. The phrase is scoped to the current conversation; it does NOT carry across sessions. Per the broader bypass-phrase contract enforced by `no-revert-guard` and the fleet CLAUDE.md "Hook bypasses" rule.
+
+## Why a hook + a rule + a memory
+
+- The CLAUDE.md fleet block documents the policy (visible at every prompt).
+- A user-memory entry keeps the assistant honest across sessions.
+- This hook is the actual enforcement at edit time.
+
+The hook catches the failure mode where Claude reaches for a "quick fix" in a downstream repo's canonical file (typically because the local copy has a known bug and the user is in a hurry to land something else). The block flips the workflow back to "fix-in-template, cascade out" where it belongs.
+
+## Detection
+
+For each Edit/Write/MultiEdit call:
+
+1. Resolve `tool_input.file_path` to an absolute path.
+2. Check if the path contains `/socket-repo-template/template/` — if yes, allow.
+3. Walk up directories looking for a fleet repo root: `package.json` AND `CLAUDE.md` containing the `BEGIN FLEET-CANONICAL` marker.
+4. If no fleet repo root is found (the file is outside any fleet repo), allow.
+5. Compute the file path relative to the repo root.
+6. If the relative path matches one of the canonical prefixes, check the bypass phrase.
+7. No bypass → exit 2 with the explanation.
+
+## Failing open
+
+The hook fails open on its own bugs (exit 0 + stderr log) so a bad deploy can't brick the session. The CLAUDE.md rule + memory still document the policy as a backstop.
+
+## Companion files
+
+- `index.mts` — the hook itself.
+- `test/index.test.mts` — node:test specs.
+- `package.json` — workspace declaration so `taze` can see the hook's deps.
+- `tsconfig.json` — fleet-canonical TS config.
+
+## Adding a new canonical surface
+
+When a new directory becomes fleet-canonical (cascades via sync-scaffolding):
+
+1. Add it to `CANONICAL_PREFIXES` in `index.mts`.
+2. Add it to the bullet list in this README.
+3. Add it to the bullet list in `docs/claude.md/no-local-fork-canonical.md`.
+4. Add the surface to the sync manifest.
@@ -0,0 +1,296 @@
+#!/usr/bin/env node
+// Claude Code PreToolUse hook — no-fleet-fork-guard.
+//
+// Blocks Edit/Write tool calls that target a fleet-canonical file
+// path inside a downstream fleet repo. The fleet rule
+// ("Never fork fleet-canonical files locally") says these files
+// MUST be edited in socket-repo-template/template/... and cascaded
+// out via sync-scaffolding — never branched locally in a downstream
+// repo. Local forks turn into "drift to preserve" hacks that block
+// fleet-wide improvements from reaching the forked repo.
+//
+// The hook detects a fleet-canonical edit by:
+//   1. Resolving the absolute file path of the Edit/Write target.
+//   2. Checking if the path is INSIDE socket-repo-template/template/
+//      → allow (this IS the canonical home).
+//   3. Otherwise, checking if the path matches a fleet-canonical
+//      surface prefix:
+//        - .config/oxlint-plugin/
+//        - .git-hooks/
+//        - .claude/hooks/
+//        - .claude/skills/_shared/
+//        - docs/claude.md/
+//        - .husky/
+//      → block.
+//
+// The bypass phrase: `Allow fleet-fork bypass`. Reading the recent
+// user turns from the transcript follows the same pattern as the
+// no-revert-guard hook.
+//
+// Why a hook on top of the CLAUDE.md rule + memory: the rule
+// documents the policy, the memory keeps the assistant honest across
+// sessions, the hook is the actual enforcement at edit time. Catches
+// the failure mode where Claude reaches for a "quick fix" in a
+// downstream repo's canonical file (typically because the local
+// version has a known bug and the user is in a hurry to land
+// something else). The block flips the workflow back to
+// "fix-in-template, cascade out" where it belongs.
+//
+// Reads a Claude Code PreToolUse JSON payload from stdin:
+//   { "tool_name": "Edit" | "Write" | "MultiEdit",
+//     "tool_input": { "file_path": "...", ... },
+//     "transcript_path": "/.../session.jsonl" }
+//
+// Exits:
+//   0 — allowed (not a fleet-canonical edit, OR target is the template,
+//       OR bypass phrase present).
+//   2 — blocked (with a stderr message that explains the rule + the
+//       canonical fix path + the bypass phrase).
+//   0 (with stderr log) — fail-open on hook bugs so a bad deploy can't
+//       brick the session.
+
+import { existsSync, readFileSync } from 'node:fs'
+import path from 'node:path'
+import process from 'node:process'
+
+type ToolInput = {
+  tool_input?: { file_path?: string } | undefined
+  tool_name?: string | undefined
+  transcript_path?: string | undefined
+}
+
+// Fleet-canonical directory prefixes. Matches relative-to-repo-root.
+// Order matters for nested prefixes (more-specific first), but these
+// are all leaves — no nesting between them.
+const CANONICAL_PREFIXES = [
+  '.config/oxlint-plugin/',
+  '.git-hooks/',
+  '.claude/hooks/',
+  '.claude/skills/_shared/',
+  'docs/claude.md/',
+  '.husky/',
+]
+
+// Fleet-canonical individual files (not under one of the prefix
+// dirs). Matches relative-to-repo-root.
+const CANONICAL_FILES: string[] = [
+  // Add specific files here when needed. Most canonical content lives
+  // under the prefix dirs above.
+]
+
+const BYPASS_PHRASE = 'Allow fleet-fork bypass'
+
+// How many recent user turns to scan for the bypass phrase. Matches
+// the no-revert-guard hook's window.
+const BYPASS_LOOKBACK_USER_TURNS = 8
+
+// File-path tokens that identify the socket-repo-template canonical
+// home. If the resolved absolute path contains one of these, we're
+// editing the source of truth — allow.
+//
+// `socket-repo-template/template/` covers the standard checkout shape
+// (e.g. /Users/<user>/projects/socket-repo-template/template/...).
+// `repo-template/template/` covers any rename / mirror / fork that
+// keeps the trailing component.
+const TEMPLATE_PATH_TOKENS = [
+  '/socket-repo-template/template/',
+  '/repo-template/template/',
+]
+
+function readStdin(): Promise<string> {
+  return new Promise(resolve => {
+    let buf = ''
+    process.stdin.setEncoding('utf8')
+    process.stdin.on('data', chunk => {
+      buf += chunk
+    })
+    process.stdin.on('end', () => resolve(buf))
+  })
+}
+
+/**
+ * Walk the recent user turns in the transcript, looking for an exact
+ * occurrence of the bypass phrase. Returns true if found within the
+ * last BYPASS_LOOKBACK_USER_TURNS user-turn entries.
+ */
+function bypassPhrasePresent(transcriptPath: string | undefined): boolean {
+  if (!transcriptPath || !existsSync(transcriptPath)) {
+    return false
+  }
+  let raw: string
+  try {
+    raw = readFileSync(transcriptPath, 'utf8')
+  } catch {
+    return false
+  }
+  const lines = raw.split('\n').filter(Boolean)
+  let userTurns = 0
+  for (let i = lines.length - 1; i >= 0; i--) {
+    const line = lines[i]!
+    let entry: { type?: string; message?: { role?: string; content?: unknown } }
+    try {
+      entry = JSON.parse(line)
+    } catch {
+      continue
+    }
+    if (entry.type !== 'user' || entry.message?.role !== 'user') {
+      continue
+    }
+    userTurns++
+    const content = entry.message?.content
+    const text =
+      typeof content === 'string'
+        ? content
+        : Array.isArray(content)
+          ? content
+              .map(c =>
+                typeof c === 'object' && c && 'text' in c
+                  ? String((c as { text: unknown }).text)
+                  : '',
+              )
+              .join('\n')
+          : ''
+    if (text.includes(BYPASS_PHRASE)) {
+      return true
+    }
+    if (userTurns >= BYPASS_LOOKBACK_USER_TURNS) {
+      break
+    }
+  }
+  return false
+}
+
+/**
+ * Find the fleet repo root for an absolute file path by walking up
+ * until we hit a directory that has package.json AND a CLAUDE.md
+ * containing the FLEET-CANONICAL marker. Returns the repo root path
+ * or undefined if the file is outside a fleet repo.
+ */
+function findFleetRepoRoot(filePath: string): string | undefined {
+  let cur = path.dirname(filePath)
+  const root = path.parse(cur).root
+  while (cur && cur !== root) {
+    const pkgPath = path.join(cur, 'package.json')
+    const claudePath = path.join(cur, 'CLAUDE.md')
+    if (existsSync(pkgPath) && existsSync(claudePath)) {
+      try {
+        const claudeContent = readFileSync(claudePath, 'utf8')
+        if (claudeContent.includes('BEGIN FLEET-CANONICAL')) {
+          return cur
+        }
+      } catch {
+        // unreadable — skip and continue walking up
+      }
+    }
+    const parent = path.dirname(cur)
+    if (parent === cur) {
+      break
+    }
+    cur = parent
+  }
+  return undefined
+}
+
+function isInsideTemplate(filePath: string): boolean {
+  const normalized = filePath.replace(/\\/g, '/')
+  return TEMPLATE_PATH_TOKENS.some(token => normalized.includes(token))
+}
+
+function isCanonicalRelativePath(rel: string): boolean {
+  const normalized = rel.replace(/\\/g, '/')
+  for (const prefix of CANONICAL_PREFIXES) {
+    if (normalized.startsWith(prefix)) {
+      return true
+    }
+  }
+  return CANONICAL_FILES.includes(normalized)
+}
+
+async function main(): Promise<number> {
+  const raw = await readStdin()
+  if (!raw.trim()) {
+    return 0
+  }
+
+  let payload: ToolInput
+  try {
+    payload = JSON.parse(raw) as ToolInput
+  } catch {
+    process.stderr.write(
+      'no-fleet-fork-guard: failed to parse stdin payload — fail-open\n',
+    )
+    return 0
+  }
+
+  const tool = payload.tool_name
+  if (tool !== 'Edit' && tool !== 'Write' && tool !== 'MultiEdit') {
+    return 0
+  }
+
+  const filePath = payload.tool_input?.file_path
+  if (!filePath) {
+    return 0
+  }
+
+  const absPath = path.resolve(filePath)
+
+  // The canonical home is allowed.
+  if (isInsideTemplate(absPath)) {
+    return 0
+  }
+
+  // Walk up to find the fleet repo root. If the file isn't inside a
+  // fleet repo at all, this hook doesn't apply — let it through.
+  const repoRoot = findFleetRepoRoot(absPath)
+  if (!repoRoot) {
+    return 0
+  }
+
+  const relToRepo = path.relative(repoRoot, absPath)
+
+  if (!isCanonicalRelativePath(relToRepo)) {
+    return 0
+  }
+
+  // Bypass-phrase check.
+  if (bypassPhrasePresent(payload.transcript_path)) {
+    return 0
+  }
+
+  process.stderr.write(
+    [
+      `🚨 no-fleet-fork-guard: blocked Edit/Write to fleet-canonical path.`,
+      ``,
+      `File:  ${relToRepo}`,
+      `Repo:  ${path.basename(repoRoot)}`,
+      ``,
+      `Fleet-canonical files (anything tracked by`,
+      `socket-repo-template/scripts/sync-scaffolding/manifest.mts) MUST`,
+      `be edited in socket-repo-template/template/${relToRepo} and`,
+      `cascaded out — never branched locally in a downstream fleet repo.`,
+      ``,
+      `Fix path:`,
+      `  1. Edit socket-repo-template/template/${relToRepo}`,
+      `  2. Commit + push template`,
+      `  3. Cascade with: node scripts/sync-scaffolding/main.mts \\`,
+      `       --target ${repoRoot} --fix`,
+      ``,
+      `If you genuinely need to bypass (e.g. emergency hotfix that`,
+      `can't wait for cascade), the user must type \`${BYPASS_PHRASE}\``,
+      `verbatim in a recent user turn. Reference:`,
+      `docs/claude.md/no-local-fork-canonical.md`,
+      ``,
+    ].join('\n'),
+  )
+  return 2
+}
+
+main().then(
+  code => process.exit(code),
+  e => {
+    process.stderr.write(
+      `no-fleet-fork-guard: hook bug — fail-open. ${e instanceof Error ? e.message : String(e)}\n`,
+    )
+    process.exit(0)
+  },
+)
@@ -0,0 +1,15 @@
+{
+  "name": "hook-no-fleet-fork-guard",
+  "private": true,
+  "type": "module",
+  "main": "./index.mts",
+  "exports": {
+    ".": "./index.mts"
+  },
+  "devDependencies": {
+    "@types/node": "catalog:"
+  },
+  "scripts": {
+    "test": "node --test test/*.test.mts"
+  }
+}