chore(sync): re-sync fleet-canonical drift blocks

Picks up the `claude_md_fleet_drift`, `oxlint_fleet_ignore_drift`,
`oxfmt_fleet_ignore_drift`, and `gitattributes_fleet_drift` fixes that
the prior `chore(sync): cascade fleet template@72633be` run reported as
[FIXED] but didn't include in its auto-commit. Pure re-sync — no
behavior change.

Author: jdalton

.config/oxfmtrc.json

@@ -78,6 +78,7 @@
     "**/scripts/check-paths/types.mts",
     "**/scripts/check-paths/walk.mts",
     "**/scripts/check-prompt-less-setup.mts",
+    "**/scripts/check-soak-exclude-dates.mts",
     "**/scripts/fix.mts",
     "**/scripts/install-claude-plugins.mts",
     "**/scripts/install-git-hooks.mts",

.config/oxlintrc.json

@@ -1,13 +1,22 @@
 {
   "$schema": "https://raw.githubusercontent.com/oxc-project/oxc/main/npm/oxlint/configuration_schema.json",
-  "plugins": ["typescript", "unicorn", "import"],
-  "jsPlugins": ["./oxlint-plugin/index.mts"],
+  "plugins": [
+    "typescript",
+    "unicorn",
+    "import"
+  ],
+  "jsPlugins": [
+    "./oxlint-plugin/index.mts"
+  ],
   "categories": {
     "correctness": "error",
     "suspicious": "error"
   },
   "rules": {
-    "eslint/curly": ["error", "all"],
+    "eslint/curly": [
+      "error",
+      "all"
+    ],
     "eslint/no-await-in-loop": "off",
     "eslint/no-console": "off",
     "eslint/no-control-regex": "off",
@@ -50,6 +59,7 @@
     "socket/no-promise-race": "error",
     "socket/no-promise-race-in-loop": "error",
     "socket/no-status-emoji": "error",
+    "socket/no-underscore-identifier": "error",
     "socket/optional-explicit-undefined": "error",
     "socket/personal-path-placeholders": "error",
     "socket/prefer-async-spawn": "error",
@@ -63,6 +73,7 @@
     "socket/prefer-static-type-import": "error",
     "socket/prefer-undefined-over-null": "error",
     "socket/socket-api-token-env": "error",
+    "socket/sort-boolean-chains": "error",
     "socket/sort-equality-disjunctions": "error",
     "socket/sort-named-imports": "error",
     "socket/sort-regex-alternations": "error",
@@ -170,6 +181,7 @@
     "**/scripts/check-paths/types.mts",
     "**/scripts/check-paths/walk.mts",
     "**/scripts/check-prompt-less-setup.mts",
+    "**/scripts/check-soak-exclude-dates.mts",
     "**/scripts/fix.mts",
     "**/scripts/install-claude-plugins.mts",
     "**/scripts/install-git-hooks.mts",

.gitattributes

@@ -218,6 +218,10 @@
 .claude/hooks/no-token-in-dotenv-guard/package.json linguist-generated=true
 .claude/hooks/no-token-in-dotenv-guard/test/index.test.mts linguist-generated=true
 .claude/hooks/no-token-in-dotenv-guard/tsconfig.json linguist-generated=true
+.claude/hooks/no-underscore-identifier-guard/README.md linguist-generated=true
+.claude/hooks/no-underscore-identifier-guard/index.mts linguist-generated=true
+.claude/hooks/no-underscore-identifier-guard/package.json linguist-generated=true
+.claude/hooks/no-underscore-identifier-guard/tsconfig.json linguist-generated=true
 .claude/hooks/node-modules-staging-guard/README.md linguist-generated=true
 .claude/hooks/node-modules-staging-guard/index.mts linguist-generated=true
 .claude/hooks/node-modules-staging-guard/package.json linguist-generated=true
@@ -304,6 +308,11 @@
 .claude/hooks/setup-security-tools/test/setup-security-tools.test.mts linguist-generated=true
 .claude/hooks/setup-security-tools/test/shell-rc-bridge.test.mts linguist-generated=true
 .claude/hooks/setup-security-tools/tsconfig.json linguist-generated=true
+.claude/hooks/soak-exclude-date-annotation-guard/README.md linguist-generated=true
+.claude/hooks/soak-exclude-date-annotation-guard/index.mts linguist-generated=true
+.claude/hooks/soak-exclude-date-annotation-guard/package.json linguist-generated=true
+.claude/hooks/soak-exclude-date-annotation-guard/test/index.test.mts linguist-generated=true
+.claude/hooks/soak-exclude-date-annotation-guard/tsconfig.json linguist-generated=true
 .claude/hooks/stale-process-sweeper/README.md linguist-generated=true
 .claude/hooks/stale-process-sweeper/index.mts linguist-generated=true
 .claude/hooks/stale-process-sweeper/package.json linguist-generated=true
@@ -434,6 +443,7 @@
 .config/oxlint-plugin/rules/prefer-static-type-import.mts linguist-generated=true
 .config/oxlint-plugin/rules/prefer-undefined-over-null.mts linguist-generated=true
 .config/oxlint-plugin/rules/socket-api-token-env.mts linguist-generated=true
+.config/oxlint-plugin/rules/sort-boolean-chains.mts linguist-generated=true
 .config/oxlint-plugin/rules/sort-equality-disjunctions.mts linguist-generated=true
 .config/oxlint-plugin/rules/sort-named-imports.mts linguist-generated=true
 .config/oxlint-plugin/rules/sort-regex-alternations.mts linguist-generated=true
@@ -474,6 +484,7 @@
 .config/oxlint-plugin/test/prefer-static-type-import.test.mts linguist-generated=true
 .config/oxlint-plugin/test/prefer-undefined-over-null.test.mts linguist-generated=true
 .config/oxlint-plugin/test/socket-api-token-env.test.mts linguist-generated=true
+.config/oxlint-plugin/test/sort-boolean-chains.test.mts linguist-generated=true
 .config/oxlint-plugin/test/sort-equality-disjunctions.test.mts linguist-generated=true
 .config/oxlint-plugin/test/sort-named-imports.test.mts linguist-generated=true
 .config/oxlint-plugin/test/sort-regex-alternations.test.mts linguist-generated=true
@@ -559,6 +570,7 @@ scripts/check-paths/state.mts linguist-generated=true
 scripts/check-paths/types.mts linguist-generated=true
 scripts/check-paths/walk.mts linguist-generated=true
 scripts/check-prompt-less-setup.mts linguist-generated=true
+scripts/check-soak-exclude-dates.mts linguist-generated=true
 scripts/fix.mts linguist-generated=true
 scripts/install-claude-plugins.mts linguist-generated=true
 scripts/install-git-hooks.mts linguist-generated=true

CLAUDE.md

@@ -62,10 +62,10 @@ Apply in: worktree creation, base-ref resolution for `git diff`/`git rev-list`,
 - **Package manager**: `pnpm`. Run scripts via `pnpm run foo --flag`, never `foo:bar`. After `package.json` edits, `pnpm install`.
 - 🚨 NEVER use `npx`, `pnpm dlx`, or `yarn dlx` — use `pnpm exec <package>` or `pnpm run <script>` # socket-hook: allow npx
 - 🚨 NEVER pass `--experimental-strip-types` to Node (enforced by `.claude/hooks/no-experimental-strip-types-guard/`).
-- **New dependencies** — every new dep added to `package.json` runs a Socket-score check at edit time; low-scoring deps block (enforced by `.claude/hooks/check-new-deps/`). The 7-day `minimumReleaseAge` soak is intentional malware protection; never add to `pnpm-workspace.yaml` `minimumReleaseAge.exclude[]` (bypass `Allow minimumReleaseAge bypass` for emergency CVE patches; enforced by `.claude/hooks/minimum-release-age-guard/`). Vitest `include` globs must not match `node:test` files — mismatched runners produce confusing "no test suite found" errors (enforced by `.claude/hooks/vitest-include-vs-node-test-guard/`).
+- **New dependencies** — every new dep added to `package.json` runs a Socket-score check at edit time; low-scoring deps block (enforced by `.claude/hooks/check-new-deps/`). The 7-day `minimumReleaseAge` soak is intentional malware protection; never add to `pnpm-workspace.yaml` `minimumReleaseAge.exclude[]` (bypass `Allow minimumReleaseAge bypass` for emergency CVE patches; enforced by `.claude/hooks/minimum-release-age-guard/`). Every per-package soak-bypass entry (the `'pkg@1.2.3'` exact-pin form) MUST carry a `# published: YYYY-MM-DD | removable: YYYY-MM-DD` annotation as the LAST comment line above the bullet — `published` is the version's npm publish date, `removable` is `published + 7d` so a periodic cleanup can drop entries that no longer need the bypass (enforced by `.claude/hooks/soak-exclude-date-annotation-guard/` at edit time + `scripts/check-soak-exclude-dates.mts` at commit time). Vitest `include` globs must not match `node:test` files — mismatched runners produce confusing "no test suite found" errors (enforced by `.claude/hooks/vitest-include-vs-node-test-guard/`).
 - **Bundler**: `rolldown`, NOT `esbuild`. The fleet standardizes on rolldown for direct bundling (see `template/.config/rolldown/`). Transitive esbuild deps (e.g. via vitest) are unavoidable today — the rule is no _new direct_ esbuild use anywhere in the fleet.
 - **Backward compatibility** — FORBIDDEN to maintain. Actively remove when encountered.
-- Full ruleset (packageManager field, `.config/` placement, `.mts` runners, soak time, shallow submodules, monorepo `engines.node`) in [`docs/claude.md/fleet/tooling.md`](docs/claude.md/fleet/tooling.md).
+- Full ruleset (packageManager field, `.config/` placement, `.mts` runners, soak time, shallow submodules, monorepo `engines.node`, `npm-run-all2` + `node --run` opt-in) in [`docs/claude.md/fleet/tooling.md`](docs/claude.md/fleet/tooling.md).
 
 ### Claude Code plugin pins
 
@@ -141,6 +141,10 @@ For non-trivial work (multi-file refactor, new feature, migration), the plan its
 
 Default to no comments (enforced by `.claude/hooks/no-meta-comments-guard/` for meta-labels + removed-code refs); when written, write for a junior reader. Parsers mirroring an upstream get the exception ([`docs/claude.md/fleet/parser-comments.md`](docs/claude.md/fleet/parser-comments.md)). Cross-port files (Rust↔Go↔C++↔TS acorn ports; socket-btm `temporal-infra/src/socketsecurity/temporal/*.{cc,h}` C++ port of upstream `temporal_rs` Rust crate) use `Lock-step` comments — `// Lock-step from <Lang>: <path>` for port provenance, `// Lock-step with <Lang>: <path>` on the canonical side, inline `// Lock-step with <Lang>: <path>:<lines>` for specific cross-refs (point up at the source-of-truth, never down at a port), and `// Lock-step note: <why>` for _deliberate_ divergence. Every member of a quadruplet also carries a byte-identical `// BEGIN LOCK-STEP HEADER` / `// END LOCK-STEP HEADER` block (single-line `// ` syntax across every language — no `//!` / `///` / `/** */` mixing — so byte-compare across the quadruplet is trivial) (full forms in [`docs/claude.md/fleet/parser-comments.md`](docs/claude.md/fleet/parser-comments.md) §5–7; enforced edit-time by `.claude/hooks/lock-step-ref-guard/` and CI-gate-time by `scripts/check-lock-step-refs.mts` + `scripts/check-lock-step-header.mts`; bypass: `Allow lock-step bypass`). Pointer comments (`// see X`) need both the destination and an inline one-line claim (enforced by `.claude/hooks/pointer-comment-guard/`). Heaviest invariants: no `TODO`/`FIXME`/stubs; `undefined` over `null`; `httpJson`/`httpText` from `@socketsecurity/lib/http-request` over `fetch()`; `safeDelete()` from `@socketsecurity/lib/fs` over `fs.rm`; Edit tool over `sed`/`awk`; `'CI' in process.env` presence check over truthy; `import os from 'node:os'` over named imports; `getDefaultLogger()` over `console.*` (enforced by `.claude/hooks/logger-guard/`); doc filenames `lowercase-with-hyphens.md` under `docs/` or `.claude/` (enforced by `.claude/hooks/markdown-filename-guard/`); inline `<script defer>` / `<script async>` lacking a `src=` attribute is a spec no-op — wrap the body in a `DOMContentLoaded` listener instead (enforced by `.claude/hooks/inline-script-defer-guard/` + the `socket/no-inline-defer-async` oxlint rule; bypass: `Allow inline-defer bypass`); ESLint/Biome config refs (`.eslintrc`, `eslint-config-*`, `biome.json`, `@biomejs/*`) are stale — the fleet runs oxlint/oxfmt (enforced by the `socket/no-eslint-biome-config-ref` oxlint rule). Full ruleset (object literals, imports, subprocesses, file existence, generated reports, sorting, Promise.race, Safe suffix, `node:smol-*`, inclusive language) in [`docs/claude.md/fleet/code-style.md`](docs/claude.md/fleet/code-style.md). See also [`docs/claude.md/fleet/sorting.md`](docs/claude.md/fleet/sorting.md) and [`docs/claude.md/fleet/inclusive-language.md`](docs/claude.md/fleet/inclusive-language.md).
 
+### No underscore-prefixed identifiers
+
+🚨 Never prefix an **identifier** (function, variable, type, export) with `_` — patterns like `_resetX`, `_cache`, `_doFoo`, `_internal` are banned at the symbol level. Privacy in TS is handled by module boundaries (not exporting) or by `_internal/` _directory_ layout; the underscore-as-internal-marker convention from other languages adds noise without enforcement. Exporting "internal" helpers is fine and explicitly preferred — easier to unit-test. **Exception:** the directory name `_internal/` is allowed (and is the documented way to signal module-private files); the rule is about identifiers inside files, not folder layout (enforced by `.claude/hooks/no-underscore-identifier-guard/` + the `socket/no-underscore-identifier` oxlint rule; bypass: `Allow underscore-identifier bypass`).
+
 ### File size
 
 Soft cap **500 lines**, hard cap **1000 lines** per source file. Past those, split along natural seams — group by domain, not line count; name files for what's in them; co-locate helpers with consumers. Exceptions: a single function that legitimately needs the space (note it inline), or a generated artifact. Full playbook in [`docs/claude.md/fleet/file-size.md`](docs/claude.md/fleet/file-size.md).

pnpm-lock.yaml

@@ -100,6 +100,7 @@ catalog:
   minimatch: 9.0.5
   normalize-package-data: 8.0.0
   npm-package-arg: 13.0.0
+  'npm-run-all2': 9.0.0
   out-url: 1.2.2
   'oxfmt': 0.48.0
   'oxlint': 1.63.0
@@ -139,6 +140,7 @@ minimumReleaseAgeExclude:
   # Network-mocking lib used in fleet test suites. v15 betas pre-date
   # npm's `time` field for the major; allow pinned beta until v15 GA.
   - 'nock@15.0.0-beta.11'
+  - 'npm-run-all2@9.0.0'
 
 # Refuse transitive dependencies declared via git/tarball/local-tarball
 # specs — an npm package shouldn't be allowed to drag in a git URL we