|
1 | 1 | # CLAUDE.md |
2 | 2 |
|
3 | | -🚨 **CRITICAL**: This file contains MANDATORY guidelines for Claude Code (claude.ai/code). You MUST follow these guidelines EXACTLY as specified. Act as a principal-level software engineer with deep expertise in TypeScript, Node.js, and SDK development. |
| 3 | +🚨 **MANDATORY**: Act as principal-level engineer with deep expertise in TypeScript, Node.js, and SDK development. |
4 | 4 |
|
5 | 5 | ## 📚 SHARED STANDARDS |
6 | 6 |
|
7 | | -**This project follows Socket's unified development standards.** For comprehensive guidelines on: |
8 | | -- Code style (imports, sorting, __proto__ patterns, comments) |
9 | | -- Git workflow (GitHub Actions, CI, commit messages) |
10 | | -- Error handling standards and message patterns |
11 | | -- Cross-platform compatibility |
12 | | -- Testing best practices (Vitest memory optimization) |
13 | | -- Dependency alignment |
14 | | -- Changelog management |
| 7 | +**See canonical reference:** `../socket-registry/CLAUDE.md` |
15 | 8 |
|
16 | | -**See the canonical reference:** `socket-registry/CLAUDE.md` (in sibling repository) |
| 9 | +For all shared Socket standards (git workflow, testing, code style, imports, sorting, error handling, cross-platform, CI, etc.), refer to socket-registry/CLAUDE.md. |
17 | 10 |
|
18 | | -This file contains **Socket SDK-specific** rules and patterns. When in doubt, consult socket-registry/CLAUDE.md first. |
19 | | - |
20 | | -## 🎯 YOUR ROLE |
21 | | - |
22 | | -You are a **Principal Software Engineer** responsible for production-quality code, architectural decisions, and system reliability. |
23 | | - |
24 | | -## 🔍 PRE-ACTION PROTOCOL |
25 | | - |
26 | | -- **🚨 MANDATORY**: Before ANY action, review both this file AND socket-registry/CLAUDE.md |
27 | | -- Check before you act - ensure approach follows established patterns |
28 | | -- No exceptions for code changes, commits, documentation, testing, file operations |
29 | | - |
30 | | -## 🛡️ ABSOLUTE RULES |
31 | | - |
32 | | -- 🚨 **NEVER** create files unless absolutely necessary |
33 | | -- 🚨 **ALWAYS** prefer editing existing files |
34 | | -- 🚨 **FORBIDDEN** to proactively create documentation files unless explicitly requested |
35 | | -- 🚨 **REQUIRED** to do exactly what was asked - nothing more, nothing less |
| 11 | +--- |
36 | 12 |
|
37 | | -## 🏗️ PROJECT ARCHITECTURE |
| 13 | +## 🏗️ SDK-SPECIFIC |
38 | 14 |
|
39 | | -### Socket SDK for JavaScript/TypeScript |
40 | | -Programmatic access to Socket.dev's security analysis capabilities. |
| 15 | +### Architecture |
| 16 | +Socket SDK for JavaScript/TypeScript - Programmatic access to Socket.dev security analysis |
41 | 17 |
|
42 | | -### Core Structure |
43 | | -- **Main entry**: `src/index.ts` - SDK entry point |
44 | | -- **SDK Class**: `src/socket-sdk-class.ts` - Main SDK class with all API methods |
45 | | -- **HTTP Client**: `src/http-client.ts` - HTTP request/response handling |
46 | | -- **Types**: `src/types.ts` - TypeScript type definitions |
| 18 | +**Core Structure**: |
| 19 | +- **Entry**: `src/index.ts` |
| 20 | +- **SDK Class**: `src/socket-sdk-class.ts` - All API methods |
| 21 | +- **HTTP Client**: `src/http-client.ts` - Request/response handling |
| 22 | +- **Types**: `src/types.ts` - TypeScript definitions |
47 | 23 | - **Utils**: `src/utils.ts` - Shared utilities |
48 | | -- **Constants**: `src/constants.ts` - Application constants |
49 | | - |
50 | | -### Key Features |
51 | | -- Full TypeScript support with comprehensive type definitions |
52 | | -- API client for Socket.dev platform |
53 | | -- Package analysis and security scanning |
54 | | -- Organization and repository management |
55 | | -- SBOM support |
56 | | -- High-performance data processing |
57 | | -- Batch operations for package analysis |
58 | | -- File upload capabilities with multipart form data |
| 24 | +- **Constants**: `src/constants.ts` |
59 | 25 |
|
60 | | -## ⚡ COMMANDS |
| 26 | +**Features**: Full TypeScript support, API client, package analysis, security scanning, org/repo management, SBOM support, batch operations, file uploads |
61 | 27 |
|
62 | | -### Development Commands |
| 28 | +### Commands |
63 | 29 | - **Build**: `pnpm build` |
64 | 30 | - **Test**: `pnpm test` |
65 | | -- **Test runner**: `pnpm run test:run` (custom test runner with glob support) |
| 31 | +- **Test runner**: `pnpm run test:run` (glob support) |
66 | 32 | - **Type check**: `pnpm tsc` |
67 | 33 | - **Lint**: `pnpm check:lint` |
68 | 34 | - **Check all**: `pnpm check` |
69 | | -- **Coverage**: `pnpm run test:unit:coverage` |
70 | | -- **Coverage percentage**: `pnpm run coverage:percent` |
71 | | - |
72 | | -### Testing Best Practices |
73 | | -- **🚨 NEVER USE `--` BEFORE TEST FILE PATHS** - Runs ALL tests! |
74 | | -- **Always build before testing**: Ensure dist files are up to date |
75 | | -- **Test single file**: ✅ CORRECT: `pnpm test path/to/file.test.ts` |
76 | | - - ❌ WRONG: `pnpm test -- path/to/file.test.ts` |
77 | | -- **Update snapshots**: `pnpm test -u` |
78 | | -- **🚨 MANDATORY Coverage Requirements**: Before pushing commits, ensure test coverage is maintained or improved |
79 | | - - **Never decrease coverage**: All changes MUST maintain or increase existing coverage percentages |
80 | | - - **Check before push**: Run `pnpm run test` to verify coverage thresholds are met |
81 | | - - **Fix coverage drops**: If coverage decreases, add tests to restore or improve coverage before pushing |
82 | | - - **Rationale**: Declining coverage indicates untested code paths, which increases risk of bugs and regressions |
83 | | - |
84 | | -### Test Naming Standards (Critical for Coverage) |
85 | | -- **File names**: Use descriptive, specific names |
86 | | - - ✅ CORRECT: `socket-sdk-upload-manifest.test.mts`, `http-client-functions.test.mts` |
87 | | - - ❌ WRONG: `test1.test.mts`, `misc.test.mts` |
88 | | -- **Describe blocks**: Use clear, contextual descriptions |
89 | | - - ✅ CORRECT: `describe('SocketSdk - Upload Manifest Files', ...)` |
90 | | - - ❌ WRONG: `describe('tests', ...)` |
91 | | -- **Test descriptions**: Write meaningful descriptions |
92 | | - - ✅ CORRECT: `it('should handle API errors during upload', ...)` |
93 | | - - ❌ WRONG: `it('works', ...)` |
94 | | - |
95 | | -### CI Testing Infrastructure |
96 | | -- **🚨 MANDATORY**: Use `SocketDev/socket-registry/.github/workflows/ci.yml@<SHA>` with full commit SHA (not @main) |
97 | | -- **🚨 CRITICAL**: GitHub Actions require full-length commit SHAs. Format: `@662bbcab1b7533e24ba8e3446cffd8a7e5f7617e # main` |
98 | | -- **Reusable workflows**: Socket-registry provides centralized, reusable workflows for lint/type-check/test/coverage |
99 | | -- **Matrix testing**: Test across Node.js versions (20, 22, 24) and platforms |
100 | | -- **Custom test runner**: `scripts/test.mjs` provides glob expansion |
101 | | -- **Memory configuration**: Automatic heap size adjustment for CI (8GB) vs local (4GB) |
102 | | -- **Documentation**: See `docs/CI_TESTING.md` and `socket-registry/docs/CI_TESTING_TOOLS.md` |
103 | | - |
104 | | -## 🔒 SECURITY & SAFETY |
105 | | - |
106 | | -### File Operations (SECURITY CRITICAL) |
107 | | -- **Script usage only**: Use `trash` package ONLY in scripts/build files - NOT in `/src/` |
108 | | -- **Source code deletion**: In `/src/`, use `fs.rm()` with proper error handling |
109 | | -- **Script deletion**: Use `await trash(paths)` for scripts and utilities |
110 | | -- **NO rmSync**: 🚨 ABSOLUTELY FORBIDDEN - NEVER use `fs.rmSync()` or `rm -rf` |
111 | | - |
112 | | -## 🎨 SDK-SPECIFIC CODE PATTERNS |
113 | | - |
114 | | -### Logger Standardization |
115 | | -- **Consistent logger calls**: All `logger.error()` and `logger.log()` calls should include empty string parameters |
116 | | - - ✅ CORRECT: `logger.error('')`, `logger.log('')` |
117 | | - - ❌ WRONG: `logger.error()`, `logger.log()` |
118 | | - |
119 | | -### File Structure |
120 | | -- **File extensions**: `.mts` for TypeScript module files |
121 | | -- **Naming**: kebab-case for filenames |
122 | | -- **Module headers**: 🚨 MANDATORY - All modules MUST have `@fileoverview` headers |
123 | | -- **"use strict"**: 🚨 FORBIDDEN in .mjs/.mts files - ES modules are automatically strict |
124 | | - |
125 | | -### API Method Organization |
126 | | -- **Documentation**: API method documentation should be organized alphabetically within functional categories for better discoverability |
127 | | - |
128 | | -### TypeScript Patterns |
129 | | -- **Semicolons**: Use semicolons (unlike other Socket projects that omit them) |
130 | | -- **Type safety**: 🚨 FORBIDDEN - Avoid `any` type; prefer `unknown` or specific types |
131 | | -- **Type imports**: Always use `import type` for better tree-shaking |
132 | | -- **Null-prototype objects**: |
133 | | - - ✅ CORRECT: `{ __proto__: null, key: 'value' }` (object literal with properties) |
134 | | - - ✅ CORRECT: `{ __proto__: null, ...options }` (spread pattern) |
135 | | - - ✅ CORRECT: `const obj = Object.create(null)` (empty object, populate separately) |
136 | | - - ❌ WRONG: `const obj = { __proto__: null }` (empty object literal - use `Object.create(null)` instead) |
137 | | - - **Rationale**: Use `Object.create(null)` only for empty null-prototype objects; object literals with `__proto__: null` are fine when they have properties |
138 | | - |
139 | | -### Comprehensive Sorting Standards (MANDATORY) |
140 | | -All code elements MUST be sorted: |
141 | | - |
142 | | -#### Type Property Sorting |
143 | | -- Required properties first, then optional properties |
144 | | -- Within each group: Sort alphabetically/alphanumerically |
145 | | - |
146 | | -#### Class Member Sorting |
147 | | -1. Private properties (alphabetically) |
148 | | -2. Private methods (alphabetically) |
149 | | -3. Public methods (alphabetically) |
150 | | - |
151 | | -#### Object Property Sorting |
152 | | -- Sort object properties alphabetically in literals |
153 | | -- Exception: Preserve order when semantically meaningful |
154 | | - |
155 | | -#### Destructuring Property Sorting |
156 | | -- ✅ CORRECT: `const { apiKey, baseUrl, timeout } = config` |
157 | | -- ❌ WRONG: `const { timeout, apiKey, baseUrl } = config` |
158 | | - |
159 | | -## 🧪 TESTING STANDARDS |
160 | | - |
161 | | -### Test Organization |
162 | | -- **Modular structure**: Split large test files by functionality |
163 | | -- **Descriptive naming**: Use clear test file names |
164 | | -- **Test directory structure**: 🚨 MANDATORY |
165 | | - ``` |
166 | | - test/ |
167 | | - ├── unit/ # Unit tests |
168 | | - ├── integration/ # Integration tests |
169 | | - ├── fixtures/ # Test fixtures |
170 | | - └── utils/ # Test utilities |
171 | | - ├── environment.mts # Test environment setup |
172 | | - ├── fixtures.mts # Test data configurations |
173 | | - ├── mock-helpers.mts # Mock setup utilities |
174 | | - └── constants.mts # Test constants |
175 | | - ``` |
176 | | - |
177 | | -### Test Utilities Organization |
178 | | -- **Modular utilities**: Split utilities by purpose into focused modules |
179 | | -- ✅ CORRECT: `import { setupTestEnvironment } from './utils/environment.mts'` |
180 | | -- ❌ OLD PATTERN: `import { setupTestEnvironment } from './test-utils.mts'` |
181 | | - |
182 | | -### Test Best Practices |
183 | | -- **Proper mocking**: Clean up HTTP mocks (nock) properly |
184 | | -- **Error scenarios**: Test both success and error paths |
185 | | -- **Edge cases**: Include tests for Unicode, empty responses, malformed data |
186 | | -- **Cross-platform**: Ensure tests work on Windows and POSIX |
187 | | - |
188 | | -## 🔧 GIT WORKFLOW |
189 | | - |
190 | | -### Commit Messages |
191 | | -- **🚨 ABSOLUTELY FORBIDDEN**: NEVER add Claude Code attribution to commit messages |
192 | | - - ❌ WRONG: Adding "🤖 Generated with [Claude Code]..." or "Co-Authored-By: Claude" |
193 | | - - ✅ CORRECT: Write commit messages without any AI attribution or signatures |
194 | | - - **Rationale**: This is a professional project and commit messages should not contain AI tool attributions |
195 | | - |
196 | | -### Pre-Commit Quality Checks |
197 | | -- **🚨 MANDATORY**: Always run these commands before committing: |
198 | | - - `pnpm run fix` (if available) or `pnpm check:lint:fix` - Fix linting and formatting issues |
199 | | - - `pnpm check` - Run all checks (lint, type-check, tests) |
200 | | - - **Rationale**: Ensures code quality regardless of whether hooks run |
201 | | - |
202 | | -### Commit Strategy with --no-verify |
203 | | -- **--no-verify usage**: Use `--no-verify` flag for commits that don't require pre-commit hooks |
204 | | - - ✅ **Safe to skip hooks**: Scripts (scripts/), GitHub Actions workflows (.github/workflows/), tests (test/), documentation (*.md, docs/), configuration files |
205 | | - - ❌ **Always run hooks**: SDK source code (src/), published package code, API implementations |
206 | | - - **Important**: Even when using `--no-verify`, you MUST still run linting/checking commands manually first |
207 | | - - **Rationale**: Pre-commit hooks run linting and type-checking which are critical for SDK source code but less critical for non-published files |
208 | | - |
209 | | -### Batch Commits Strategy |
210 | | -- **When making many changes**: Break large changesets into small, logical commits |
211 | | -- **First commit with tests**: Run full test suite (hooks) for the first commit only |
212 | | -- **Subsequent commits with --no-verify**: Use `--no-verify` for follow-up commits |
213 | | -- **Example workflow**: |
214 | | - 1. Make all changes and ensure `pnpm run fix && pnpm run check` passes |
215 | | - 2. Stage and commit core changes with hooks: `git commit -m "message"` |
216 | | - 3. Stage and commit related changes: `git commit --no-verify -m "message"` |
217 | | - 4. Stage and commit cleanup: `git commit --no-verify -m "message"` |
218 | | - 5. Stage and commit docs: `git commit --no-verify -m "message"` |
219 | | -- **Rationale**: Reduces commit time while maintaining code quality through initial validation |
220 | | - |
221 | | -### Git SHA Management (CRITICAL) |
222 | | -- **🚨 NEVER GUESS OR MAKE UP GIT SHAs**: Always retrieve the exact full SHA using `git rev-parse` |
223 | | - - ✅ CORRECT: `cd /path/to/repo && git rev-parse HEAD` or `git rev-parse main` |
224 | | - - ❌ WRONG: Guessing the rest of a SHA after seeing only the short version (e.g., `43a668e1`) |
225 | | - - **Why this matters**: GitHub Actions workflow references require exact, full 40-character SHAs |
226 | | - - **Consequences of wrong SHA**: Workflow failures with "workflow was not found" errors |
227 | | -- **Updating workflow SHA references**: When updating SHA references in workflow files: |
228 | | - 1. Get the exact full SHA: `cd repo && git rev-parse HEAD` |
229 | | - 2. Use the FULL 40-character SHA in sed commands |
230 | | - 3. Verify the SHA exists: `git show <sha> --stat` |
231 | | -- **Rationale**: Using incorrect SHAs breaks CI/CD pipelines and wastes debugging time |
| 35 | +- **Coverage**: `pnpm run test:unit:coverage`, `pnpm run coverage:percent` |
| 36 | + |
| 37 | +### SDK-Specific Patterns |
| 38 | + |
| 39 | +#### Logger Standardization |
| 40 | +All `logger.error()` and `logger.log()` calls include empty string: |
| 41 | +- ✅ `logger.error('')`, `logger.log('')` |
| 42 | +- ❌ `logger.error()`, `logger.log()` |
| 43 | + |
| 44 | +#### File Structure |
| 45 | +- **Extensions**: `.mts` for TypeScript modules |
| 46 | +- **Module headers**: 🚨 MANDATORY `@fileoverview` headers |
| 47 | +- **"use strict"**: ❌ FORBIDDEN in .mjs/.mts (ES modules are strict) |
| 48 | + |
| 49 | +#### TypeScript Patterns |
| 50 | +- **Semicolons**: Use semicolons (unlike other Socket projects) |
| 51 | +- **Type safety**: ❌ FORBIDDEN `any`; use `unknown` or specific |
| 52 | +- **Type imports**: Always `import type` |
| 53 | + |
| 54 | +#### API Method Organization |
| 55 | +Documentation organized alphabetically within functional categories |
| 56 | + |
| 57 | +#### Comprehensive Sorting (MANDATORY) |
| 58 | +- **Type properties**: Required first, then optional; alphabetical within groups |
| 59 | +- **Class members**: 1) Private properties, 2) Private methods, 3) Public methods (all alphabetical) |
| 60 | +- **Object properties**: Alphabetical in literals (except semantic ordering) |
| 61 | +- **Destructuring**: Alphabetical (`const { apiKey, baseUrl, timeout }`) |
| 62 | + |
| 63 | +### Testing |
| 64 | +- **Structure**: `test/unit/`, `test/integration/`, `test/fixtures/`, `test/utils/` |
| 65 | +- **Utils**: `environment.mts`, `fixtures.mts`, `mock-helpers.mts`, `constants.mts` |
| 66 | +- **Naming**: Descriptive names |
| 67 | + - ✅ `socket-sdk-upload-manifest.test.mts`, `describe('SocketSdk - Upload Manifest')` |
| 68 | + - ❌ `test1.test.mts`, `describe('tests')` |
| 69 | +- **Best practices**: Clean HTTP mocks (nock), test success + error paths, cross-platform |
| 70 | + |
| 71 | +### CI Testing |
| 72 | +- **🚨 MANDATORY**: `SocketDev/socket-registry/.github/workflows/ci.yml@<SHA>` with full SHA |
| 73 | +- **Format**: `@662bbcab1b7533e24ba8e3446cffd8a7e5f7617e # main` |
| 74 | +- **Custom runner**: `scripts/test.mjs` with glob expansion |
| 75 | +- **Memory**: Auto heap size (CI: 8GB, local: 4GB) |
| 76 | +- **Docs**: `docs/CI_TESTING.md`, `socket-registry/docs/CI_TESTING_TOOLS.md` |
232 | 77 |
|
233 | 78 | ### Changelog Management |
234 | | -- **🚨 MANDATORY**: When creating changelog entries for version bumps: |
235 | | - - **Check OpenAPI definition updates**: Always analyze `types/api.d.ts` changes |
236 | | - ```bash |
237 | | - git diff v{previous-version}..HEAD -- types/ |
238 | | - ``` |
239 | | - - **Document user-facing changes**: Include specific details about: |
240 | | - - New endpoints added (e.g., `/openapi.json`) |
241 | | - - Updated parameter descriptions and behavior |
242 | | - - New type categories or enum values (e.g., 'dual' threat type) |
243 | | - - Breaking changes to API contracts |
244 | | - - **Focus on user impact**: Only include changes that affect SDK users, not internal infrastructure |
245 | | - - **Rationale**: OpenAPI changes directly impact SDK users and must be documented for API discoverability |
246 | | - |
247 | | -## 🔍 DEBUGGING |
248 | | - |
249 | | -### Common Issues |
250 | | -- **CI vs Local**: CI uses published packages from npm, not local versions |
251 | | -- **Package detection**: Use `existsSync()` not `fs.access()` for consistency |
252 | | -- **Test failures**: Check for unused nock mocks and ensure proper cleanup |
253 | | -
|
254 | | -## 🚀 PROJECT-SPECIFIC NOTES |
255 | | -
|
256 | | -### Socket SDK Specifics |
257 | | -- SDK providing programmatic access to Socket.dev security features |
258 | | -- Be careful with file operations - prefer trash over permanent deletion in scripts |
259 | | -- Windows compatibility is important - test path handling carefully |
260 | | -- Use existing utilities from @socketsecurity/registry where available |
261 | | -- Follow existing patterns in the codebase |
| 79 | +**🚨 MANDATORY**: When creating changelog entries for version bumps: |
| 80 | +- **Check OpenAPI updates**: Analyze `types/api.d.ts` changes |
| 81 | + ```bash |
| 82 | + git diff v{prev}..HEAD -- types/ |
| 83 | + ``` |
| 84 | +- **Document user-facing changes**: |
| 85 | + - New endpoints (e.g., `/openapi.json`) |
| 86 | + - Updated parameter descriptions/behavior |
| 87 | + - New type categories/enum values (e.g., 'dual' threat type) |
| 88 | + - Breaking changes to API contracts |
| 89 | +- **Focus**: User impact only, not internal infrastructure |
| 90 | +- **Rationale**: OpenAPI changes directly impact SDK users |
| 91 | + |
| 92 | +### Debugging |
| 93 | +- **CI vs Local**: CI uses published npm packages, not local |
| 94 | +- **Package detection**: Use `existsSync()` not `fs.access()` |
| 95 | +- **Test failures**: Check unused nock mocks, ensure cleanup |
| 96 | + |
| 97 | +### SDK Notes |
| 98 | +- Windows compatibility important - test path handling |
| 99 | +- Use utilities from @socketsecurity/registry where available |
262 | 100 | - Maintain consistency with surrounding code |
263 | | -
|
264 | | -### Recent Improvements |
265 | | -- ✅ Split monolithic test file into modular test files by functionality |
266 | | -- ✅ Fixed all TypeScript compilation errors |
267 | | -- ✅ Standardized logger calls across the project |
268 | | -- ✅ Improved test organization and maintainability |
269 | | -- ✅ Enhanced error handling patterns |
270 | | -
|
271 | | -## 📝 SCRATCH DOCUMENTS |
272 | | -
|
273 | | -### Working Documents Directory |
274 | | -- **Location**: `.claude/` directory (gitignored) |
275 | | -- **Purpose**: Store scratch documents, planning notes, analysis reports, and temporary documentation |
276 | | -- **🚨 CRITICAL**: NEVER commit files in `.claude/` to version control |
277 | | -- **Examples of scratch documents**: |
278 | | - - Working notes and implementation plans |
279 | | - - Analysis reports from codebase investigations |
280 | | - - Temporary documentation and TODO lists |
281 | | - - Any files not intended for production use |
282 | | -
|
283 | | ---- |
284 | | -
|
285 | | -**For all other standards not covered here, refer to `socket-registry/CLAUDE.md` (in sibling repository)** |
0 commit comments