Skip to content

Commit 3aad6f6

Browse files
committed
docs: streamline CLAUDE.md to reference canonical source
- Reduce from ~285 to ~100 lines (65% reduction) - Reference socket-registry/CLAUDE.md for shared standards - Keep only SDK-specific patterns and architecture - Maintain OpenAPI changelog tracking guidance
1 parent 4c20176 commit 3aad6f6

1 file changed

Lines changed: 79 additions & 264 deletions

File tree

CLAUDE.md

Lines changed: 79 additions & 264 deletions
Original file line numberDiff line numberDiff line change
@@ -1,285 +1,100 @@
11
# CLAUDE.md
22

3-
🚨 **CRITICAL**: This file contains MANDATORY guidelines for Claude Code (claude.ai/code). You MUST follow these guidelines EXACTLY as specified. Act as a principal-level software engineer with deep expertise in TypeScript, Node.js, and SDK development.
3+
🚨 **MANDATORY**: Act as principal-level engineer with deep expertise in TypeScript, Node.js, and SDK development.
44

55
## 📚 SHARED STANDARDS
66

7-
**This project follows Socket's unified development standards.** For comprehensive guidelines on:
8-
- Code style (imports, sorting, __proto__ patterns, comments)
9-
- Git workflow (GitHub Actions, CI, commit messages)
10-
- Error handling standards and message patterns
11-
- Cross-platform compatibility
12-
- Testing best practices (Vitest memory optimization)
13-
- Dependency alignment
14-
- Changelog management
7+
**See canonical reference:** `../socket-registry/CLAUDE.md`
158

16-
**See the canonical reference:** `socket-registry/CLAUDE.md` (in sibling repository)
9+
For all shared Socket standards (git workflow, testing, code style, imports, sorting, error handling, cross-platform, CI, etc.), refer to socket-registry/CLAUDE.md.
1710

18-
This file contains **Socket SDK-specific** rules and patterns. When in doubt, consult socket-registry/CLAUDE.md first.
19-
20-
## 🎯 YOUR ROLE
21-
22-
You are a **Principal Software Engineer** responsible for production-quality code, architectural decisions, and system reliability.
23-
24-
## 🔍 PRE-ACTION PROTOCOL
25-
26-
- **🚨 MANDATORY**: Before ANY action, review both this file AND socket-registry/CLAUDE.md
27-
- Check before you act - ensure approach follows established patterns
28-
- No exceptions for code changes, commits, documentation, testing, file operations
29-
30-
## 🛡️ ABSOLUTE RULES
31-
32-
- 🚨 **NEVER** create files unless absolutely necessary
33-
- 🚨 **ALWAYS** prefer editing existing files
34-
- 🚨 **FORBIDDEN** to proactively create documentation files unless explicitly requested
35-
- 🚨 **REQUIRED** to do exactly what was asked - nothing more, nothing less
11+
---
3612

37-
## 🏗️ PROJECT ARCHITECTURE
13+
## 🏗️ SDK-SPECIFIC
3814

39-
### Socket SDK for JavaScript/TypeScript
40-
Programmatic access to Socket.dev's security analysis capabilities.
15+
### Architecture
16+
Socket SDK for JavaScript/TypeScript - Programmatic access to Socket.dev security analysis
4117

42-
### Core Structure
43-
- **Main entry**: `src/index.ts` - SDK entry point
44-
- **SDK Class**: `src/socket-sdk-class.ts` - Main SDK class with all API methods
45-
- **HTTP Client**: `src/http-client.ts` - HTTP request/response handling
46-
- **Types**: `src/types.ts` - TypeScript type definitions
18+
**Core Structure**:
19+
- **Entry**: `src/index.ts`
20+
- **SDK Class**: `src/socket-sdk-class.ts` - All API methods
21+
- **HTTP Client**: `src/http-client.ts` - Request/response handling
22+
- **Types**: `src/types.ts` - TypeScript definitions
4723
- **Utils**: `src/utils.ts` - Shared utilities
48-
- **Constants**: `src/constants.ts` - Application constants
49-
50-
### Key Features
51-
- Full TypeScript support with comprehensive type definitions
52-
- API client for Socket.dev platform
53-
- Package analysis and security scanning
54-
- Organization and repository management
55-
- SBOM support
56-
- High-performance data processing
57-
- Batch operations for package analysis
58-
- File upload capabilities with multipart form data
24+
- **Constants**: `src/constants.ts`
5925

60-
## ⚡ COMMANDS
26+
**Features**: Full TypeScript support, API client, package analysis, security scanning, org/repo management, SBOM support, batch operations, file uploads
6127

62-
### Development Commands
28+
### Commands
6329
- **Build**: `pnpm build`
6430
- **Test**: `pnpm test`
65-
- **Test runner**: `pnpm run test:run` (custom test runner with glob support)
31+
- **Test runner**: `pnpm run test:run` (glob support)
6632
- **Type check**: `pnpm tsc`
6733
- **Lint**: `pnpm check:lint`
6834
- **Check all**: `pnpm check`
69-
- **Coverage**: `pnpm run test:unit:coverage`
70-
- **Coverage percentage**: `pnpm run coverage:percent`
71-
72-
### Testing Best Practices
73-
- **🚨 NEVER USE `--` BEFORE TEST FILE PATHS** - Runs ALL tests!
74-
- **Always build before testing**: Ensure dist files are up to date
75-
- **Test single file**: ✅ CORRECT: `pnpm test path/to/file.test.ts`
76-
- ❌ WRONG: `pnpm test -- path/to/file.test.ts`
77-
- **Update snapshots**: `pnpm test -u`
78-
- **🚨 MANDATORY Coverage Requirements**: Before pushing commits, ensure test coverage is maintained or improved
79-
- **Never decrease coverage**: All changes MUST maintain or increase existing coverage percentages
80-
- **Check before push**: Run `pnpm run test` to verify coverage thresholds are met
81-
- **Fix coverage drops**: If coverage decreases, add tests to restore or improve coverage before pushing
82-
- **Rationale**: Declining coverage indicates untested code paths, which increases risk of bugs and regressions
83-
84-
### Test Naming Standards (Critical for Coverage)
85-
- **File names**: Use descriptive, specific names
86-
- ✅ CORRECT: `socket-sdk-upload-manifest.test.mts`, `http-client-functions.test.mts`
87-
- ❌ WRONG: `test1.test.mts`, `misc.test.mts`
88-
- **Describe blocks**: Use clear, contextual descriptions
89-
- ✅ CORRECT: `describe('SocketSdk - Upload Manifest Files', ...)`
90-
- ❌ WRONG: `describe('tests', ...)`
91-
- **Test descriptions**: Write meaningful descriptions
92-
- ✅ CORRECT: `it('should handle API errors during upload', ...)`
93-
- ❌ WRONG: `it('works', ...)`
94-
95-
### CI Testing Infrastructure
96-
- **🚨 MANDATORY**: Use `SocketDev/socket-registry/.github/workflows/ci.yml@<SHA>` with full commit SHA (not @main)
97-
- **🚨 CRITICAL**: GitHub Actions require full-length commit SHAs. Format: `@662bbcab1b7533e24ba8e3446cffd8a7e5f7617e # main`
98-
- **Reusable workflows**: Socket-registry provides centralized, reusable workflows for lint/type-check/test/coverage
99-
- **Matrix testing**: Test across Node.js versions (20, 22, 24) and platforms
100-
- **Custom test runner**: `scripts/test.mjs` provides glob expansion
101-
- **Memory configuration**: Automatic heap size adjustment for CI (8GB) vs local (4GB)
102-
- **Documentation**: See `docs/CI_TESTING.md` and `socket-registry/docs/CI_TESTING_TOOLS.md`
103-
104-
## 🔒 SECURITY & SAFETY
105-
106-
### File Operations (SECURITY CRITICAL)
107-
- **Script usage only**: Use `trash` package ONLY in scripts/build files - NOT in `/src/`
108-
- **Source code deletion**: In `/src/`, use `fs.rm()` with proper error handling
109-
- **Script deletion**: Use `await trash(paths)` for scripts and utilities
110-
- **NO rmSync**: 🚨 ABSOLUTELY FORBIDDEN - NEVER use `fs.rmSync()` or `rm -rf`
111-
112-
## 🎨 SDK-SPECIFIC CODE PATTERNS
113-
114-
### Logger Standardization
115-
- **Consistent logger calls**: All `logger.error()` and `logger.log()` calls should include empty string parameters
116-
- ✅ CORRECT: `logger.error('')`, `logger.log('')`
117-
- ❌ WRONG: `logger.error()`, `logger.log()`
118-
119-
### File Structure
120-
- **File extensions**: `.mts` for TypeScript module files
121-
- **Naming**: kebab-case for filenames
122-
- **Module headers**: 🚨 MANDATORY - All modules MUST have `@fileoverview` headers
123-
- **"use strict"**: 🚨 FORBIDDEN in .mjs/.mts files - ES modules are automatically strict
124-
125-
### API Method Organization
126-
- **Documentation**: API method documentation should be organized alphabetically within functional categories for better discoverability
127-
128-
### TypeScript Patterns
129-
- **Semicolons**: Use semicolons (unlike other Socket projects that omit them)
130-
- **Type safety**: 🚨 FORBIDDEN - Avoid `any` type; prefer `unknown` or specific types
131-
- **Type imports**: Always use `import type` for better tree-shaking
132-
- **Null-prototype objects**:
133-
- ✅ CORRECT: `{ __proto__: null, key: 'value' }` (object literal with properties)
134-
- ✅ CORRECT: `{ __proto__: null, ...options }` (spread pattern)
135-
- ✅ CORRECT: `const obj = Object.create(null)` (empty object, populate separately)
136-
- ❌ WRONG: `const obj = { __proto__: null }` (empty object literal - use `Object.create(null)` instead)
137-
- **Rationale**: Use `Object.create(null)` only for empty null-prototype objects; object literals with `__proto__: null` are fine when they have properties
138-
139-
### Comprehensive Sorting Standards (MANDATORY)
140-
All code elements MUST be sorted:
141-
142-
#### Type Property Sorting
143-
- Required properties first, then optional properties
144-
- Within each group: Sort alphabetically/alphanumerically
145-
146-
#### Class Member Sorting
147-
1. Private properties (alphabetically)
148-
2. Private methods (alphabetically)
149-
3. Public methods (alphabetically)
150-
151-
#### Object Property Sorting
152-
- Sort object properties alphabetically in literals
153-
- Exception: Preserve order when semantically meaningful
154-
155-
#### Destructuring Property Sorting
156-
- ✅ CORRECT: `const { apiKey, baseUrl, timeout } = config`
157-
- ❌ WRONG: `const { timeout, apiKey, baseUrl } = config`
158-
159-
## 🧪 TESTING STANDARDS
160-
161-
### Test Organization
162-
- **Modular structure**: Split large test files by functionality
163-
- **Descriptive naming**: Use clear test file names
164-
- **Test directory structure**: 🚨 MANDATORY
165-
```
166-
test/
167-
├── unit/ # Unit tests
168-
├── integration/ # Integration tests
169-
├── fixtures/ # Test fixtures
170-
└── utils/ # Test utilities
171-
├── environment.mts # Test environment setup
172-
├── fixtures.mts # Test data configurations
173-
├── mock-helpers.mts # Mock setup utilities
174-
└── constants.mts # Test constants
175-
```
176-
177-
### Test Utilities Organization
178-
- **Modular utilities**: Split utilities by purpose into focused modules
179-
- ✅ CORRECT: `import { setupTestEnvironment } from './utils/environment.mts'`
180-
- ❌ OLD PATTERN: `import { setupTestEnvironment } from './test-utils.mts'`
181-
182-
### Test Best Practices
183-
- **Proper mocking**: Clean up HTTP mocks (nock) properly
184-
- **Error scenarios**: Test both success and error paths
185-
- **Edge cases**: Include tests for Unicode, empty responses, malformed data
186-
- **Cross-platform**: Ensure tests work on Windows and POSIX
187-
188-
## 🔧 GIT WORKFLOW
189-
190-
### Commit Messages
191-
- **🚨 ABSOLUTELY FORBIDDEN**: NEVER add Claude Code attribution to commit messages
192-
- ❌ WRONG: Adding "🤖 Generated with [Claude Code]..." or "Co-Authored-By: Claude"
193-
- ✅ CORRECT: Write commit messages without any AI attribution or signatures
194-
- **Rationale**: This is a professional project and commit messages should not contain AI tool attributions
195-
196-
### Pre-Commit Quality Checks
197-
- **🚨 MANDATORY**: Always run these commands before committing:
198-
- `pnpm run fix` (if available) or `pnpm check:lint:fix` - Fix linting and formatting issues
199-
- `pnpm check` - Run all checks (lint, type-check, tests)
200-
- **Rationale**: Ensures code quality regardless of whether hooks run
201-
202-
### Commit Strategy with --no-verify
203-
- **--no-verify usage**: Use `--no-verify` flag for commits that don't require pre-commit hooks
204-
-**Safe to skip hooks**: Scripts (scripts/), GitHub Actions workflows (.github/workflows/), tests (test/), documentation (*.md, docs/), configuration files
205-
-**Always run hooks**: SDK source code (src/), published package code, API implementations
206-
- **Important**: Even when using `--no-verify`, you MUST still run linting/checking commands manually first
207-
- **Rationale**: Pre-commit hooks run linting and type-checking which are critical for SDK source code but less critical for non-published files
208-
209-
### Batch Commits Strategy
210-
- **When making many changes**: Break large changesets into small, logical commits
211-
- **First commit with tests**: Run full test suite (hooks) for the first commit only
212-
- **Subsequent commits with --no-verify**: Use `--no-verify` for follow-up commits
213-
- **Example workflow**:
214-
1. Make all changes and ensure `pnpm run fix && pnpm run check` passes
215-
2. Stage and commit core changes with hooks: `git commit -m "message"`
216-
3. Stage and commit related changes: `git commit --no-verify -m "message"`
217-
4. Stage and commit cleanup: `git commit --no-verify -m "message"`
218-
5. Stage and commit docs: `git commit --no-verify -m "message"`
219-
- **Rationale**: Reduces commit time while maintaining code quality through initial validation
220-
221-
### Git SHA Management (CRITICAL)
222-
- **🚨 NEVER GUESS OR MAKE UP GIT SHAs**: Always retrieve the exact full SHA using `git rev-parse`
223-
- ✅ CORRECT: `cd /path/to/repo && git rev-parse HEAD` or `git rev-parse main`
224-
- ❌ WRONG: Guessing the rest of a SHA after seeing only the short version (e.g., `43a668e1`)
225-
- **Why this matters**: GitHub Actions workflow references require exact, full 40-character SHAs
226-
- **Consequences of wrong SHA**: Workflow failures with "workflow was not found" errors
227-
- **Updating workflow SHA references**: When updating SHA references in workflow files:
228-
1. Get the exact full SHA: `cd repo && git rev-parse HEAD`
229-
2. Use the FULL 40-character SHA in sed commands
230-
3. Verify the SHA exists: `git show <sha> --stat`
231-
- **Rationale**: Using incorrect SHAs breaks CI/CD pipelines and wastes debugging time
35+
- **Coverage**: `pnpm run test:unit:coverage`, `pnpm run coverage:percent`
36+
37+
### SDK-Specific Patterns
38+
39+
#### Logger Standardization
40+
All `logger.error()` and `logger.log()` calls include empty string:
41+
-`logger.error('')`, `logger.log('')`
42+
-`logger.error()`, `logger.log()`
43+
44+
#### File Structure
45+
- **Extensions**: `.mts` for TypeScript modules
46+
- **Module headers**: 🚨 MANDATORY `@fileoverview` headers
47+
- **"use strict"**: ❌ FORBIDDEN in .mjs/.mts (ES modules are strict)
48+
49+
#### TypeScript Patterns
50+
- **Semicolons**: Use semicolons (unlike other Socket projects)
51+
- **Type safety**: ❌ FORBIDDEN `any`; use `unknown` or specific
52+
- **Type imports**: Always `import type`
53+
54+
#### API Method Organization
55+
Documentation organized alphabetically within functional categories
56+
57+
#### Comprehensive Sorting (MANDATORY)
58+
- **Type properties**: Required first, then optional; alphabetical within groups
59+
- **Class members**: 1) Private properties, 2) Private methods, 3) Public methods (all alphabetical)
60+
- **Object properties**: Alphabetical in literals (except semantic ordering)
61+
- **Destructuring**: Alphabetical (`const { apiKey, baseUrl, timeout }`)
62+
63+
### Testing
64+
- **Structure**: `test/unit/`, `test/integration/`, `test/fixtures/`, `test/utils/`
65+
- **Utils**: `environment.mts`, `fixtures.mts`, `mock-helpers.mts`, `constants.mts`
66+
- **Naming**: Descriptive names
67+
-`socket-sdk-upload-manifest.test.mts`, `describe('SocketSdk - Upload Manifest')`
68+
-`test1.test.mts`, `describe('tests')`
69+
- **Best practices**: Clean HTTP mocks (nock), test success + error paths, cross-platform
70+
71+
### CI Testing
72+
- **🚨 MANDATORY**: `SocketDev/socket-registry/.github/workflows/ci.yml@<SHA>` with full SHA
73+
- **Format**: `@662bbcab1b7533e24ba8e3446cffd8a7e5f7617e # main`
74+
- **Custom runner**: `scripts/test.mjs` with glob expansion
75+
- **Memory**: Auto heap size (CI: 8GB, local: 4GB)
76+
- **Docs**: `docs/CI_TESTING.md`, `socket-registry/docs/CI_TESTING_TOOLS.md`
23277

23378
### Changelog Management
234-
- **🚨 MANDATORY**: When creating changelog entries for version bumps:
235-
- **Check OpenAPI definition updates**: Always analyze `types/api.d.ts` changes
236-
```bash
237-
git diff v{previous-version}..HEAD -- types/
238-
```
239-
- **Document user-facing changes**: Include specific details about:
240-
- New endpoints added (e.g., `/openapi.json`)
241-
- Updated parameter descriptions and behavior
242-
- New type categories or enum values (e.g., 'dual' threat type)
243-
- Breaking changes to API contracts
244-
- **Focus on user impact**: Only include changes that affect SDK users, not internal infrastructure
245-
- **Rationale**: OpenAPI changes directly impact SDK users and must be documented for API discoverability
246-
247-
## 🔍 DEBUGGING
248-
249-
### Common Issues
250-
- **CI vs Local**: CI uses published packages from npm, not local versions
251-
- **Package detection**: Use `existsSync()` not `fs.access()` for consistency
252-
- **Test failures**: Check for unused nock mocks and ensure proper cleanup
253-
254-
## 🚀 PROJECT-SPECIFIC NOTES
255-
256-
### Socket SDK Specifics
257-
- SDK providing programmatic access to Socket.dev security features
258-
- Be careful with file operations - prefer trash over permanent deletion in scripts
259-
- Windows compatibility is important - test path handling carefully
260-
- Use existing utilities from @socketsecurity/registry where available
261-
- Follow existing patterns in the codebase
79+
**🚨 MANDATORY**: When creating changelog entries for version bumps:
80+
- **Check OpenAPI updates**: Analyze `types/api.d.ts` changes
81+
```bash
82+
git diff v{prev}..HEAD -- types/
83+
```
84+
- **Document user-facing changes**:
85+
- New endpoints (e.g., `/openapi.json`)
86+
- Updated parameter descriptions/behavior
87+
- New type categories/enum values (e.g., 'dual' threat type)
88+
- Breaking changes to API contracts
89+
- **Focus**: User impact only, not internal infrastructure
90+
- **Rationale**: OpenAPI changes directly impact SDK users
91+
92+
### Debugging
93+
- **CI vs Local**: CI uses published npm packages, not local
94+
- **Package detection**: Use `existsSync()` not `fs.access()`
95+
- **Test failures**: Check unused nock mocks, ensure cleanup
96+
97+
### SDK Notes
98+
- Windows compatibility important - test path handling
99+
- Use utilities from @socketsecurity/registry where available
262100
- Maintain consistency with surrounding code
263-
264-
### Recent Improvements
265-
- ✅ Split monolithic test file into modular test files by functionality
266-
- ✅ Fixed all TypeScript compilation errors
267-
- ✅ Standardized logger calls across the project
268-
- ✅ Improved test organization and maintainability
269-
- ✅ Enhanced error handling patterns
270-
271-
## 📝 SCRATCH DOCUMENTS
272-
273-
### Working Documents Directory
274-
- **Location**: `.claude/` directory (gitignored)
275-
- **Purpose**: Store scratch documents, planning notes, analysis reports, and temporary documentation
276-
- **🚨 CRITICAL**: NEVER commit files in `.claude/` to version control
277-
- **Examples of scratch documents**:
278-
- Working notes and implementation plans
279-
- Analysis reports from codebase investigations
280-
- Temporary documentation and TODO lists
281-
- Any files not intended for production use
282-
283-
---
284-
285-
**For all other standards not covered here, refer to `socket-registry/CLAUDE.md` (in sibling repository)**

0 commit comments

Comments
 (0)