chore(sync): apply remaining canonical fleet drift fixes

Author: jdalton

.config/oxfmtrc.json

@@ -64,6 +64,8 @@
     "**/scripts/ai-lint-fix.mts",
     "**/scripts/ai-lint-fix/cli.mts",
     "**/scripts/ai-lint-fix/rule-guidance.mts",
+    "**/scripts/check-lock-step-header.mts",
+    "**/scripts/check-lock-step-refs.mts",
     "**/scripts/check-paths.mts",
     "**/scripts/check-paths/allowlist.mts",
     "**/scripts/check-paths/cli.mts",
@@ -97,6 +99,8 @@
     "**/scripts/security.mts",
     "**/scripts/socket-wheelhouse-emit-schema.mts",
     "**/scripts/socket-wheelhouse-schema.mts",
+    "**/scripts/test/check-lock-step-header.test.mts",
+    "**/scripts/test/check-lock-step-refs.test.mts",
     "**/scripts/test/install-git-hooks.test.mts",
     "**/scripts/update.mts",
     "**/scripts/validate-bundle-deps.mts",

.config/oxlintrc.json

@@ -1,13 +1,22 @@
 {
   "$schema": "https://raw.githubusercontent.com/oxc-project/oxc/main/npm/oxlint/configuration_schema.json",
-  "plugins": ["typescript", "unicorn", "import"],
-  "jsPlugins": ["./oxlint-plugin/index.mts"],
+  "plugins": [
+    "typescript",
+    "unicorn",
+    "import"
+  ],
+  "jsPlugins": [
+    "./oxlint-plugin/index.mts"
+  ],
   "categories": {
     "correctness": "error",
     "suspicious": "error"
   },
   "rules": {
-    "eslint/curly": ["error", "all"],
+    "eslint/curly": [
+      "error",
+      "all"
+    ],
     "eslint/no-await-in-loop": "off",
     "eslint/no-console": "off",
     "eslint/no-control-regex": "off",
@@ -18,9 +27,9 @@
       }
     ],
     "eslint/no-new": "error",
-    "eslint/no-underscore-dangle": "off",
     "eslint/no-proto": "error",
     "eslint/no-shadow": "off",
+    "eslint/no-underscore-dangle": "off",
     "eslint/no-unmodified-loop-condition": "off",
     "eslint/no-unused-vars": "off",
     "eslint/no-useless-catch": "off",
@@ -41,6 +50,7 @@
     "socket/no-default-export": "error",
     "socket/no-dynamic-import-outside-bundle": "error",
     "socket/no-fetch-prefer-http-request": "error",
+    "socket/no-file-scope-oxlint-disable": "error",
     "socket/no-inline-logger": "error",
     "socket/no-logger-newline-literal": "error",
     "socket/no-npx-dlx": "error",
@@ -155,6 +165,8 @@
     "**/scripts/ai-lint-fix.mts",
     "**/scripts/ai-lint-fix/cli.mts",
     "**/scripts/ai-lint-fix/rule-guidance.mts",
+    "**/scripts/check-lock-step-header.mts",
+    "**/scripts/check-lock-step-refs.mts",
     "**/scripts/check-paths.mts",
     "**/scripts/check-paths/allowlist.mts",
     "**/scripts/check-paths/cli.mts",
@@ -188,6 +200,8 @@
     "**/scripts/security.mts",
     "**/scripts/socket-wheelhouse-emit-schema.mts",
     "**/scripts/socket-wheelhouse-schema.mts",
+    "**/scripts/test/check-lock-step-header.test.mts",
+    "**/scripts/test/check-lock-step-refs.test.mts",
     "**/scripts/test/install-git-hooks.test.mts",
     "**/scripts/update.mts",
     "**/scripts/validate-bundle-deps.mts",

.gitattributes

@@ -114,6 +114,11 @@
 .claude/hooks/judgment-reminder/package.json linguist-generated=true
 .claude/hooks/judgment-reminder/test/index.test.mts linguist-generated=true
 .claude/hooks/judgment-reminder/tsconfig.json linguist-generated=true
+.claude/hooks/lock-step-ref-guard/README.md linguist-generated=true
+.claude/hooks/lock-step-ref-guard/index.mts linguist-generated=true
+.claude/hooks/lock-step-ref-guard/package.json linguist-generated=true
+.claude/hooks/lock-step-ref-guard/test/index.test.mts linguist-generated=true
+.claude/hooks/lock-step-ref-guard/tsconfig.json linguist-generated=true
 .claude/hooks/logger-guard/README.md linguist-generated=true
 .claude/hooks/logger-guard/index.mts linguist-generated=true
 .claude/hooks/logger-guard/package.json linguist-generated=true
@@ -144,6 +149,10 @@
 .claude/hooks/no-external-issue-ref-guard/package.json linguist-generated=true
 .claude/hooks/no-external-issue-ref-guard/test/index.test.mts linguist-generated=true
 .claude/hooks/no-external-issue-ref-guard/tsconfig.json linguist-generated=true
+.claude/hooks/no-file-scope-oxlint-disable-guard/README.md linguist-generated=true
+.claude/hooks/no-file-scope-oxlint-disable-guard/index.mts linguist-generated=true
+.claude/hooks/no-file-scope-oxlint-disable-guard/package.json linguist-generated=true
+.claude/hooks/no-file-scope-oxlint-disable-guard/tsconfig.json linguist-generated=true
 .claude/hooks/no-fleet-fork-guard/README.md linguist-generated=true
 .claude/hooks/no-fleet-fork-guard/index.mts linguist-generated=true
 .claude/hooks/no-fleet-fork-guard/package.json linguist-generated=true
@@ -328,6 +337,7 @@
 .config/oxlint-plugin/rules/no-default-export.mts linguist-generated=true
 .config/oxlint-plugin/rules/no-dynamic-import-outside-bundle.mts linguist-generated=true
 .config/oxlint-plugin/rules/no-fetch-prefer-http-request.mts linguist-generated=true
+.config/oxlint-plugin/rules/no-file-scope-oxlint-disable.mts linguist-generated=true
 .config/oxlint-plugin/rules/no-inline-logger.mts linguist-generated=true
 .config/oxlint-plugin/rules/no-logger-newline-literal.mts linguist-generated=true
 .config/oxlint-plugin/rules/no-npx-dlx.mts linguist-generated=true
@@ -453,6 +463,8 @@ packages/build-infra/release-assets.schema.json linguist-generated=true
 scripts/ai-lint-fix.mts linguist-generated=true
 scripts/ai-lint-fix/cli.mts linguist-generated=true
 scripts/ai-lint-fix/rule-guidance.mts linguist-generated=true
+scripts/check-lock-step-header.mts linguist-generated=true
+scripts/check-lock-step-refs.mts linguist-generated=true
 scripts/check-paths.mts linguist-generated=true
 scripts/check-paths/allowlist.mts linguist-generated=true
 scripts/check-paths/cli.mts linguist-generated=true
@@ -486,6 +498,8 @@ scripts/power-state.mts linguist-generated=true
 scripts/security.mts linguist-generated=true
 scripts/socket-wheelhouse-emit-schema.mts linguist-generated=true
 scripts/socket-wheelhouse-schema.mts linguist-generated=true
+scripts/test/check-lock-step-header.test.mts linguist-generated=true
+scripts/test/check-lock-step-refs.test.mts linguist-generated=true
 scripts/test/install-git-hooks.test.mts linguist-generated=true
 scripts/update.mts linguist-generated=true
 scripts/validate-bundle-deps.mts linguist-generated=true

CLAUDE.md

@@ -69,7 +69,7 @@ Apply in: worktree creation, base-ref resolution for `git diff`/`git rev-list`,
 
 ### Claude Code plugin pins
 
-🚨 Fleet-blessed Claude Code plugins are SHA-pinned in the wheelhouse-canonical [`.claude-plugin/marketplace.json`](../.claude-plugin/marketplace.json), with companion human-readable metadata (pin date, pinner) in [`.claude-plugin/README.md`](../.claude-plugin/README.md). The pair is enforced together: every `plugins[].source.sha` in `marketplace.json` must have a row in the README table with matching `version` + `sha` + an ISO-8601 `date`. Same staleness signal the GHA `uses:` SHA-pin comments carry. Bump the SHA → bump the row. Run `pnpm run install-claude-plugins` to reconcile a machine to the pinned set; the script also merges `env.CODEX_TRUSTED_ENV_PARENTS` into `~/.claude/settings.json` so the upstream codex plugin honors `~/.claude/session-env/` as a trusted env-file parent (enforced by `.claude/hooks/marketplace-comment-guard/`).
+🚨 Fleet-blessed Claude Code plugins are SHA-pinned in the wheelhouse-canonical [`.claude-plugin/marketplace.json`](../.claude-plugin/marketplace.json), with companion human-readable metadata (pin date, pinner) in [`.claude-plugin/README.md`](../.claude-plugin/README.md). The pair is enforced together: every `plugins[].source.sha` in `marketplace.json` must have a row in the README table with matching `version` + `sha` + an ISO-8601 `date`. Same staleness signal the GHA `uses:` SHA-pin comments carry. Bump the SHA → bump the row. Run `pnpm run install-claude-plugins` to reconcile a machine to the pinned set — adds the marketplace + installs each plugin at its pinned SHA, no plugin modifications (enforced by `.claude/hooks/marketplace-comment-guard/`).
 
 ### Fix it, don't defer
 
@@ -133,7 +133,7 @@ For non-trivial work (multi-file refactor, new feature, migration), the plan its
 
 ### Code style
 
-Default to no comments (enforced by `.claude/hooks/no-meta-comments-guard/` for meta-labels + removed-code refs); when written, write for a junior reader. Parsers mirroring an upstream get the exception ([`docs/claude.md/fleet/parser-comments.md`](docs/claude.md/fleet/parser-comments.md)). Cross-port files (Rust↔Go↔C++↔TS acorn ports; socket-btm `mcp/*.cpp` ports of upstream) use `Lock-step` comments — `//! Lock-step from <path>` for port provenance, `//! Lock-step with <Lang>: <path>` on the canonical side, inline `// Lock-step with <Lang>: <path>:<lines>` for specific cross-refs (point up at the source-of-truth, never down at a port), and `// Lock-step note: <why>` for _deliberate_ divergence (full forms in [`docs/claude.md/fleet/parser-comments.md`](docs/claude.md/fleet/parser-comments.md) §5–6). Pointer comments (`// see X`) need both the destination and an inline one-line claim (enforced by `.claude/hooks/pointer-comment-guard/`). Heaviest invariants: no `TODO`/`FIXME`/stubs; `undefined` over `null`; `httpJson`/`httpText` from `@socketsecurity/lib/http-request` over `fetch()`; `safeDelete()` from `@socketsecurity/lib/fs` over `fs.rm`; Edit tool over `sed`/`awk`; `'CI' in process.env` presence check over truthy; `import os from 'node:os'` over named imports; `getDefaultLogger()` over `console.*` (enforced by `.claude/hooks/logger-guard/`); doc filenames `lowercase-with-hyphens.md` under `docs/` or `.claude/` (enforced by `.claude/hooks/markdown-filename-guard/`). Full ruleset (object literals, imports, subprocesses, file existence, generated reports, sorting, Promise.race, Safe suffix, `node:smol-*`, inclusive language) in [`docs/claude.md/fleet/code-style.md`](docs/claude.md/fleet/code-style.md). See also [`docs/claude.md/fleet/sorting.md`](docs/claude.md/fleet/sorting.md) and [`docs/claude.md/fleet/inclusive-language.md`](docs/claude.md/fleet/inclusive-language.md).
+Default to no comments (enforced by `.claude/hooks/no-meta-comments-guard/` for meta-labels + removed-code refs); when written, write for a junior reader. Parsers mirroring an upstream get the exception ([`docs/claude.md/fleet/parser-comments.md`](docs/claude.md/fleet/parser-comments.md)). Cross-port files (Rust↔Go↔C++↔TS acorn ports; socket-btm `mcp/*.cpp` ports of upstream) use `Lock-step` comments — `// Lock-step from <Lang>: <path>` for port provenance, `// Lock-step with <Lang>: <path>` on the canonical side, inline `// Lock-step with <Lang>: <path>:<lines>` for specific cross-refs (point up at the source-of-truth, never down at a port), and `// Lock-step note: <why>` for _deliberate_ divergence. Every member of a quadruplet also carries a byte-identical `// BEGIN LOCK-STEP HEADER` / `// END LOCK-STEP HEADER` block (single-line `// ` syntax across every language — no `//!` / `///` / `/** */` mixing — so byte-compare across the quadruplet is trivial) (full forms in [`docs/claude.md/fleet/parser-comments.md`](docs/claude.md/fleet/parser-comments.md) §5–7; enforced edit-time by `.claude/hooks/lock-step-ref-guard/` and CI-gate-time by `scripts/check-lock-step-refs.mts` + `scripts/check-lock-step-header.mts`; bypass: `Allow lock-step bypass`). Pointer comments (`// see X`) need both the destination and an inline one-line claim (enforced by `.claude/hooks/pointer-comment-guard/`). Heaviest invariants: no `TODO`/`FIXME`/stubs; `undefined` over `null`; `httpJson`/`httpText` from `@socketsecurity/lib/http-request` over `fetch()`; `safeDelete()` from `@socketsecurity/lib/fs` over `fs.rm`; Edit tool over `sed`/`awk`; `'CI' in process.env` presence check over truthy; `import os from 'node:os'` over named imports; `getDefaultLogger()` over `console.*` (enforced by `.claude/hooks/logger-guard/`); doc filenames `lowercase-with-hyphens.md` under `docs/` or `.claude/` (enforced by `.claude/hooks/markdown-filename-guard/`). Full ruleset (object literals, imports, subprocesses, file existence, generated reports, sorting, Promise.race, Safe suffix, `node:smol-*`, inclusive language) in [`docs/claude.md/fleet/code-style.md`](docs/claude.md/fleet/code-style.md). See also [`docs/claude.md/fleet/sorting.md`](docs/claude.md/fleet/sorting.md) and [`docs/claude.md/fleet/inclusive-language.md`](docs/claude.md/fleet/inclusive-language.md).
 
 ### File size
 
@@ -146,6 +146,7 @@ Soft cap **500 lines**, hard cap **1000 lines** per source file. Past those, spl
 - **Skill or hook ≠ no rule.** Defense in depth — skill is docs, hook is edit-time, lint is commit-time.
 - **Tooling: oxlint + oxfmt only.** No ESLint, no Prettier. Fleet socket-\* oxlint plugin lives in `template/.config/oxlint-plugin/`.
 - **Invoke oxfmt / oxlint with `-c .config/...rc.json` explicitly.** Both tools accept a `-c PATH` (oxfmt) / `--config PATH` (oxlint). The fleet keeps both configs under `.config/`, not at repo root. Without the flag, the tools fall through to their built-in defaults — oxfmt's default is double-quotes + semis, the opposite of the fleet style, and would silently rewrite ~200 files on `pnpm run format`. Canonical script bodies in `manifest.mts` already encode the flag; the sync-scaffolding gate rewrites drifted scripts back to the canonical form.
+- **No file-scope `oxlint-disable`.** Always use `oxlint-disable-next-line <rule> -- <reason>` per call site so each exemption is independently justified in `git blame`. File-scope blocks silently exempt future edits the author never thought about (enforced by `socket/no-file-scope-oxlint-disable` lint rule + `.claude/hooks/no-file-scope-oxlint-disable-guard/` edit-time guard).
 
 Full rationale + cascade behavior in [`docs/claude.md/fleet/lint-rules.md`](docs/claude.md/fleet/lint-rules.md).