SocketDev
diff --git a/‎.claude/hooks/actionlint-on-workflow-edit/README.md‎
Lines changed: 30 additions & 0 deletions b/‎.claude/hooks/actionlint-on-workflow-edit/README.md‎
Lines changed: 30 additions & 0 deletions
diff --git a/‎.claude/hooks/actionlint-on-workflow-edit/index.mts‎
Lines changed: 108 additions & 0 deletions b/‎.claude/hooks/actionlint-on-workflow-edit/index.mts‎
Lines changed: 108 additions & 0 deletions
diff --git a/‎.claude/hooks/actionlint-on-workflow-edit/package.json‎
Lines changed: 15 additions & 0 deletions b/‎.claude/hooks/actionlint-on-workflow-edit/package.json‎
Lines changed: 15 additions & 0 deletions
diff --git a/‎.claude/hooks/actionlint-on-workflow-edit/test/index.test.mts‎
Lines changed: 75 additions & 0 deletions b/‎.claude/hooks/actionlint-on-workflow-edit/test/index.test.mts‎
Lines changed: 75 additions & 0 deletions
diff --git a/‎.claude/hooks/actionlint-on-workflow-edit/tsconfig.json‎
Lines changed: 16 additions & 0 deletions b/‎.claude/hooks/actionlint-on-workflow-edit/tsconfig.json‎
Lines changed: 16 additions & 0 deletions
diff --git a/‎.claude/hooks/consumer-grep-reminder/README.md‎
Lines changed: 45 additions & 0 deletions b/‎.claude/hooks/consumer-grep-reminder/README.md‎
Lines changed: 45 additions & 0 deletions
@@ -0,0 +1,30 @@
+# actionlint-on-workflow-edit
+
+PostToolUse Edit/Write hook that runs local `actionlint` against any
+`.github/workflows/*.y*ml` file after the edit. Reports any actionlint
+errors via stderr; never blocks (the edit already landed).
+
+## Why
+
+GitHub Actions' YAML parser fails silently — a malformed workflow shows
+"0 jobs" on the next push with no error in the UI. `actionlint` catches
+the same YAML / shell / SHA-pin issues locally, instantly. The fleet
+already has actionlint installed on dev machines (homebrew default
+`/opt/homebrew/bin/actionlint`).
+
+## What it covers
+
+Any Edit/Write to a file matching `.github/workflows/*.y*ml`. Runs
+`actionlint <file>`. If exit code is non-zero, surfaces stdout + stderr
+to Claude via this hook's stderr. If `actionlint` isn't on PATH, no-op.
+
+## Not a blocker
+
+This hook is reporting-only. Blocking is covered by:
+
+- `workflow-uses-comment-guard` (SHA-pin comment format)
+- `workflow-yaml-multiline-body-guard` (multi-line `--body "..."`)
+- `pull-request-target-guard` (privileged context misuse)
+
+If a future block-worthy actionlint check is identified, promote it to
+its own PreToolUse hook with a focused detection pattern.
@@ -0,0 +1,108 @@
+#!/usr/bin/env node
+// Claude Code PostToolUse hook — actionlint-on-workflow-edit.
+//
+// After an Edit/Write touches `.github/workflows/*.y*ml`, invoke local
+// `actionlint` (if installed) against the file. Surface any errors as
+// stderr so Claude sees the problem before the next turn.
+//
+// PostToolUse (not PreToolUse) so the edit lands first and actionlint
+// reads the on-disk state. No block — reporting only. The block surface
+// is covered by sibling hooks (`workflow-uses-comment-guard`,
+// `workflow-yaml-multiline-body-guard`, `pull-request-target-guard`).
+//
+// No-op when actionlint isn't on PATH — most fleet machines have it via
+// brew, CI runners have it preinstalled, but downstreams may not.
+
+import { spawnSync } from 'node:child_process'
+import process from 'node:process'
+
+import { readStdin } from '../_shared/transcript.mts'
+
+interface ToolInput {
+  readonly tool_name?: string | undefined
+  readonly tool_input?: { readonly file_path?: string | undefined } | undefined
+}
+
+function isWorkflowYaml(filePath: string): boolean {
+  return /[\\/]\.github[\\/]workflows[\\/][^\\/]+\.ya?ml$/.test(filePath)
+}
+
+function actionlintAvailable(): boolean {
+  const r = spawnSync('command', ['-v', 'actionlint'], {
+    encoding: 'utf8',
+    timeout: 2_000,
+  })
+  return r.status === 0 && (r.stdout?.trim().length ?? 0) > 0
+}
+
+async function main(): Promise<void> {
+  let raw: string
+  try {
+    raw = await readStdin()
+  } catch {
+    process.exit(0)
+  }
+  if (!raw) {
+    process.exit(0)
+  }
+  let payload: ToolInput
+  try {
+    payload = JSON.parse(raw) as ToolInput
+  } catch {
+    process.exit(0)
+  }
+  if (payload.tool_name !== 'Edit' && payload.tool_name !== 'Write') {
+    process.exit(0)
+  }
+  const filePath = payload.tool_input?.file_path
+  if (!filePath || !isWorkflowYaml(filePath)) {
+    process.exit(0)
+  }
+
+  if (!actionlintAvailable()) {
+    process.exit(0)
+  }
+
+  const r = spawnSync('actionlint', [filePath], {
+    encoding: 'utf8',
+    timeout: 10_000,
+  })
+  if (r.status === 0) {
+    process.exit(0)
+  }
+
+  // actionlint failed — surface its output to stderr so Claude reads it.
+  process.stderr.write(
+    [
+      '[actionlint-on-workflow-edit] actionlint reported errors',
+      '',
+      `  File: ${filePath}`,
+      '',
+      '  Output:',
+      ...(r.stdout ?? '')
+        .trim()
+        .split('\n')
+        .map(l => `    ${l}`),
+      ...(r.stderr
+        ? r.stderr
+            .trim()
+            .split('\n')
+            .map(l => `    ${l}`)
+        : []),
+      '',
+      '  Fix the workflow before relying on it firing in CI. actionlint',
+      "  catches the same YAML / shell / SHA-pin issues GitHub Actions'",
+      '  parser would (silently) reject as "0 jobs."',
+      '',
+    ].join('\n'),
+  )
+  // PostToolUse — emit warning to stderr but don't block the edit
+  // (the edit already happened). Exit 0 so Claude sees the stderr.
+  process.exit(0)
+}
+
+main().catch(e => {
+  process.stderr.write(
+    `[actionlint-on-workflow-edit] hook error (allowing): ${(e as Error).message}\n`,
+  )
+})
@@ -0,0 +1,15 @@
+{
+  "name": "hook-actionlint-on-workflow-edit",
+  "private": true,
+  "type": "module",
+  "main": "./index.mts",
+  "exports": {
+    ".": "./index.mts"
+  },
+  "scripts": {
+    "test": "node --test test/*.test.mts"
+  },
+  "devDependencies": {
+    "@types/node": "catalog:"
+  }
+}
@@ -0,0 +1,75 @@
+// node --test specs for the actionlint-on-workflow-edit hook.
+
+import { spawn, spawnSync } from 'node:child_process'
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+import test from 'node:test'
+import assert from 'node:assert/strict'
+
+const here = path.dirname(fileURLToPath(import.meta.url))
+const HOOK = path.join(here, '..', 'index.mts')
+
+type Result = { code: number; stderr: string }
+
+async function runHook(payload: Record<string, unknown>): Promise<Result> {
+  const child = spawn(process.execPath, [HOOK], { stdio: 'pipe' })
+  child.stdin.end(JSON.stringify(payload))
+  let stderr = ''
+  child.stderr.on('data', chunk => {
+    stderr += chunk.toString('utf8')
+  })
+  return new Promise(resolve => {
+    child.on('exit', code => {
+      resolve({ code: code ?? 0, stderr })
+    })
+  })
+}
+
+const actionlintInstalled = (() => {
+  const r = spawnSync('command', ['-v', 'actionlint'])
+  return r.status === 0
+})()
+
+test('non-workflow file passes silently', async () => {
+  const r = await runHook({
+    tool_name: 'Write',
+    tool_input: { file_path: '/tmp/foo.txt' },
+  })
+  assert.strictEqual(r.code, 0)
+  assert.strictEqual(r.stderr, '')
+})
+
+test('non-Edit/Write tool passes silently', async () => {
+  const r = await runHook({
+    tool_name: 'Bash',
+    tool_input: { command: 'echo hi' },
+  })
+  assert.strictEqual(r.code, 0)
+})
+
+test('workflow edit always exits 0 (PostToolUse — reporting only)', async () => {
+  // We don't need actionlint installed to verify the exit code; the
+  // hook short-circuits to 0 on actionlint-not-found.
+  const r = await runHook({
+    tool_name: 'Edit',
+    tool_input: { file_path: '/tmp/some.github/workflows/x.yml' },
+  })
+  assert.strictEqual(r.code, 0)
+})
+
+test('workflow edit with installed actionlint runs the tool (smoke)', async t => {
+  if (!actionlintInstalled) {
+    t.skip('actionlint not on PATH')
+    return
+  }
+  // Smoke test only — provide a path to a nonexistent file; actionlint
+  // will error but the hook itself exits 0. We just check it doesn't
+  // crash.
+  const r = await runHook({
+    tool_name: 'Edit',
+    tool_input: {
+      file_path: '/this/path/does/not/exist/.github/workflows/x.yml',
+    },
+  })
+  assert.strictEqual(r.code, 0)
+})
@@ -0,0 +1,16 @@
+{
+  "compilerOptions": {
+    "declarationMap": false,
+    "erasableSyntaxOnly": true,
+    "module": "nodenext",
+    "moduleResolution": "nodenext",
+    "noEmit": true,
+    "rewriteRelativeImportExtensions": true,
+    "skipLibCheck": true,
+    "sourceMap": false,
+    "strict": true,
+    "target": "esnext",
+    "types": ["node"],
+    "verbatimModuleSyntax": true
+  }
+}
@@ -0,0 +1,45 @@
+# consumer-grep-reminder
+
+PreToolUse Edit hook (reminder, NOT a block) that fires when an edit
+removes a CSS class, HTML attribute, or named export AND the repo has
+consumer-bearing subtrees (`upstream/`, `vendor/`, `third_party/`,
+`external/`, `deps/`, `additions/source-patched/`).
+
+## Why
+
+Past incident: an agent stripped a CSS class because repo-root grep
+found 0 hits. The project's upstream bundle (in `upstream/`) hydrated
+from that class — the rendered page went blank in production.
+
+Repo-root grep doesn't see code in `upstream/` / `vendor/` / etc. when
+those are gitignored or submodules. This hook surfaces the reminder to
+grep those subtrees BEFORE relying on a "0 consumers" finding.
+
+## What it surfaces
+
+| Edit pattern                                             | Reminder? |
+| -------------------------------------------------------- | --------- |
+| Removes `.my-class-name` (hyphenated CSS class)          | yes       |
+| Removes `data-foo` / `aria-bar` (HTML attribute literal) | yes       |
+| Removes `export const foo` / `export function foo`       | yes       |
+| Removes any of the above when NO consumer subtree exists | no        |
+| Pure additions (no removals)                             | no        |
+| Non-Edit tools                                           | no        |
+
+## Not a block
+
+False-positive surface is real — not every CSS class removal is a
+hydration target. The reminder lets the agent verify with a grep
+against the listed subtrees, then continue. The user can also ignore
+the reminder if they've already verified.
+
+## Suggested response
+
+When this fires, run something like:
+
+```bash
+rg -nF '.removed-class' upstream/ vendor/ third_party/
+```
+
+If the grep finds hits, the removal needs coordination with the
+upstream bundle. If 0 hits, proceed.