quality: autofix sort-source-methods + cascade canonical script fixes

Picks up the new autofixable sort-source-methods rule from
socket-wheelhouse and the identifier-based _inject-import.js fix
(resolves task #65 / #64). Iterated `oxlint --fix` to convergence;
function declarations re-ordered into private→export alphanumeric
order across the repo. Function declarations are hoisted so the
rewrite is safe at runtime; leading JSDoc / line-comments and
trailing c8-ignore-stop markers travel with each function.

Also re-syncs the canonical scripts/check-paths.mts and
scripts/ai-lint-fix.mts from socket-wheelhouse. The wheelhouse copy
already accounts for state-machine null sentinels (blockKey,
blockKind, inString) and the SKIP_AI_FIX bracket-env access.

Author: jdalton

.config/esbuild.config.mts

@@ -51,7 +51,7 @@ const externalDependencies = Object.keys(packageJson.dependencies || {})
  *     (file uploads) and 'application/json' (API calls). Replaced with a
  *     minimal lookup covering just those types.
  */
-function createLibStubPlugin() {
+export function createLibStubPlugin() {
   // Heavy lib modules that are eagerly required but never exercised
   // by the SDK's actual code paths.
   //

.config/oxlint-plugin/rules/_inject-import.js

@@ -12,33 +12,84 @@
  * insertion safely — only one survives.
  */
 
+/**
+ * Build the fixer-side inserts for missing import + optional hoist.
+ * Returns an array of fixer operations the caller appends to its own
+ * fix() return value.
+ *
+ *   summary       — output of summarizeImportTarget()
+ *   fixer         — the fixer passed to context.report({ fix })
+ *   importLine    — the literal `import { ... } from '...'` text
+ *   hoistLine     — optional; the literal `const x = ...()` text
+ */
+export function appendImportFixes(summary, fixer, importLine, hoistLine) {
+  const ops = []
+  if (!summary.hasImport) {
+    if (summary.lastImport) {
+      ops.push(fixer.insertTextAfter(summary.lastImport, `\n${importLine}`))
+    } else {
+      ops.push(fixer.insertTextBeforeRange([0, 0], `${importLine}\n`))
+    }
+  }
+  if (hoistLine && !summary.hasLocal) {
+    if (summary.lastImport) {
+      ops.push(fixer.insertTextAfter(summary.lastImport, `\n\n${hoistLine}`))
+    } else {
+      ops.push(fixer.insertTextBeforeRange([0, 0], `${hoistLine}\n\n`))
+    }
+  }
+  return ops
+}
+
 /**
  * Walk a Program node body once and figure out:
  *   - the last top-level ImportDeclaration node (or undefined)
- *   - whether `importName` is already imported from `specifier`
+ *   - whether `importName` is already imported (from ANY source)
  *   - whether a top-level `localName` identifier already exists
  *     (any const/let/var or import-as-local with that name)
+ *
+ * Import detection ignores the specifier path: a file inside the lib
+ * package itself imports `getDefaultLogger` from `'../logger'`, while
+ * a downstream repo imports the same name from
+ * `'@socketsecurity/lib/logger'`. Both resolve to the same identifier;
+ * either should count as "already imported" so the autofix doesn't
+ * inject a duplicate (and broken — see issue #64).
+ *
+ * `specifier` is retained in the signature for backward compatibility
+ * but is no longer used for the match decision. Callers may pass any
+ * truthy value (typically the canonical package path the rule would
+ * inject if the import were missing).
  */
-export function summarizeImportTarget(program, specifier, importName, localName) {
+export function summarizeImportTarget(
+  program,
+  // eslint-disable-next-line no-unused-vars
+  specifier,
+  importName,
+  localName,
+) {
   let lastImport
   let hasImport = false
   let hasLocal = false
   for (const stmt of program.body) {
     if (stmt.type === 'ImportDeclaration') {
       lastImport = stmt
-      const source = stmt.source && stmt.source.value
-      if (source === specifier) {
-        for (const spec of stmt.specifiers) {
-          if (
-            spec.type === 'ImportSpecifier' &&
-            spec.imported &&
-            spec.imported.name === importName
-          ) {
-            hasImport = true
-          }
-          if (localName && spec.local && spec.local.name === localName) {
-            hasLocal = true
-          }
+      for (const spec of stmt.specifiers) {
+        if (
+          spec.type === 'ImportSpecifier' &&
+          spec.imported &&
+          spec.imported.name === importName
+        ) {
+          hasImport = true
+        }
+        if (
+          localName &&
+          spec.local &&
+          spec.local.name === localName &&
+          (spec.type === 'ImportSpecifier' ||
+            spec.type === 'ImportDefaultSpecifier' ||
+            spec.type === 'ImportNamespaceSpecifier')
+        ) {
+          hasLocal = true
         }
       }
       continue
@@ -57,32 +108,3 @@ export function summarizeImportTarget(program, specifier, importName, localName)
   }
   return { hasImport, hasLocal, lastImport }
 }
-
-/**
- * Build the fixer-side inserts for missing import + optional hoist.
- * Returns an array of fixer operations the caller appends to its own
- * fix() return value.
- *
- *   summary       — output of summarizeImportTarget()
- *   fixer         — the fixer passed to context.report({ fix })
- *   importLine    — the literal `import { ... } from '...'` text
- *   hoistLine     — optional; the literal `const x = ...()` text
- */
-export function appendImportFixes(summary, fixer, importLine, hoistLine) {
-  const ops = []
-  if (!summary.hasImport) {
-    if (summary.lastImport) {
-      ops.push(fixer.insertTextAfter(summary.lastImport, `\n${importLine}`))
-    } else {
-      ops.push(fixer.insertTextBeforeRange([0, 0], `${importLine}\n`))
-    }
-  }
-  if (hoistLine && !summary.hasLocal) {
-    if (summary.lastImport) {
-      ops.push(fixer.insertTextAfter(summary.lastImport, `\n\n${hoistLine}`))
-    } else {
-      ops.push(fixer.insertTextBeforeRange([0, 0], `${hoistLine}\n\n`))
-    }
-  }
-  return ops
-}

.config/oxlint-plugin/rules/export-top-level-functions.js

@@ -33,7 +33,7 @@ const SCRIPT_ENTRY_NAMES = new Set(['main'])
  * declarations only via `Program > FunctionDeclaration`; an
  * `ExportNamedDeclaration` wraps them in a different shape).
  */
-function collectExportedNames(program) {
+export function collectExportedNames(program) {
   const exported = new Set()
   for (const stmt of program.body) {
     if (stmt.type === 'ExportNamedDeclaration' && !stmt.declaration) {

.config/oxlint-plugin/rules/inclusive-language.js

@@ -56,7 +56,7 @@ const REPORT_ONLY_TERMS = ['master', 'slave']
 const BYPASS_RE = /inclusive-language:\s*external-api/
 
 /** Build a regex matching any legacy stem with word boundaries. */
-function buildDetectorRegex() {
+export function buildDetectorRegex() {
   const stems = [
     ...SUBSTITUTIONS.map(([legacy]) => legacy),
     ...REPORT_ONLY_TERMS,
@@ -72,7 +72,7 @@ const DETECTOR_RE = buildDetectorRegex()
  * the new stem. Returns undefined when there's no autofix-able
  * substitution (master/slave).
  */
-function rewriteHit(match) {
+export function rewriteHit(match) {
   const lower = match.toLowerCase()
   for (const [legacy, replacement] of SUBSTITUTIONS) {
     if (!lower.startsWith(legacy)) {
@@ -93,7 +93,7 @@ function rewriteHit(match) {
   return undefined
 }
 
-function findHits(text) {
+export function findHits(text) {
   const hits = []
   DETECTOR_RE.lastIndex = 0
   let m

.config/oxlint-plugin/rules/no-npx-dlx.js

@@ -135,7 +135,7 @@ const rule = {
           if (next === value) {
             // Defensive — if our replace-all became a no-op, don't
             // ship an empty fix.
-            return null
+            return undefined
           }
           // Preserve the original quote style.
           const raw = sourceCode.getText(node)

.config/oxlint-plugin/rules/no-promise-race-in-loop.js

@@ -20,17 +20,11 @@
  * Reporting only.
  */
 
-const RACE_METHODS = new Set(['race', 'any'])
+const RACE_METHODS = new Set(['any', 'race'])
 
-const LOOP_TYPES = new Set([
-  'ForStatement',
-  'ForOfStatement',
-  'ForInStatement',
-  'WhileStatement',
-  'DoWhileStatement',
-])
+const LOOP_TYPES = new Set(['DoWhileStatement', 'ForInStatement', 'ForOfStatement', 'ForStatement', 'WhileStatement'])
 
-function isInsideLoop(node) {
+export function isInsideLoop(node) {
   let current = node.parent
   while (current) {
     if (LOOP_TYPES.has(current.type)) {

.config/oxlint-plugin/rules/prefer-async-spawn.js

@@ -42,14 +42,11 @@
  *     core APIs. Handled at the .oxlintrc.json ignorePatterns level.
  */
 
-const CHILD_PROCESS_SPECIFIERS = new Set([
-  'node:child_process',
-  'child_process',
-])
+const CHILD_PROCESS_SPECIFIERS = new Set(['child_process', 'node:child_process'])
 
 const LIB_SPECIFIER = '@socketsecurity/lib/spawn'
 
-const BANNED_NAMES = new Set(['spawnSync', 'spawn'])
+const BANNED_NAMES = new Set(['spawn', 'spawnSync'])
 
 const BYPASS_RE = /prefer-async-spawn:\s*sync-required/
 
@@ -131,7 +128,7 @@ const rule = {
           BANNED_NAMES.has(s.imported.name),
       )
       if (banned.length === 0) {
-        return null
+        return undefined
       }
       const others = node.specifiers.filter(
         s =>
@@ -142,7 +139,7 @@ const rule = {
       if (others.length > 0) {
         // Mixed line — leave it alone; a partial rewrite could lose
         // the non-banned import.
-        return null
+        return undefined
       }
       // The lib re-exports `spawn` (and the user can wire `as
       // spawnSync` themselves if they really need a name). For the

.config/oxlint-plugin/rules/prefer-exists-sync.js

@@ -33,13 +33,8 @@
 import { appendImportFixes, summarizeImportTarget } from './_inject-import.js'
 
 const ACCESS_METHODS = new Set(['access', 'accessSync'])
-const STAT_METHODS = new Set(['stat', 'statSync', 'lstat', 'lstatSync'])
-const WRAPPER_NAMES = new Set([
-  'fileExists',
-  'pathExists',
-  'isFile',
-  'isDir',
-])
+const STAT_METHODS = new Set(['lstat', 'lstatSync', 'stat', 'statSync'])
+const WRAPPER_NAMES = new Set(['fileExists', 'isDir', 'isFile', 'pathExists'])
 
 const EXISTS_SYNC_IMPORT_LINE =
   "import { existsSync } from 'node:fs'"

.config/oxlint-plugin/rules/prefer-safe-delete.js

@@ -33,16 +33,9 @@
 
 import { appendImportFixes, summarizeImportTarget } from './_inject-import.js'
 
-const DELETE_METHODS = new Set([
-  'rm',
-  'rmSync',
-  'unlink',
-  'unlinkSync',
-  'rmdir',
-  'rmdirSync',
-])
-
-const SYNC_METHODS = new Set(['rmSync', 'unlinkSync', 'rmdirSync'])
+const DELETE_METHODS = new Set(['rm', 'rmSync', 'rmdir', 'rmdirSync', 'unlink', 'unlinkSync'])
+
+const SYNC_METHODS = new Set(['rmSync', 'rmdirSync', 'unlinkSync'])
 
 /** @type {import('eslint').Rule.RuleModule} */
 const rule = {

.config/oxlint-plugin/rules/socket-api-token-env.js

@@ -22,11 +22,7 @@
  *     socket-cli configuration setting, not an API token alias.
  */
 
-const LEGACY_ALIASES = new Set([
-  'SOCKET_API_KEY',
-  'SOCKET_SECURITY_API_TOKEN',
-  'SOCKET_SECURITY_API_KEY',
-])
+const LEGACY_ALIASES = new Set(['SOCKET_API_KEY', 'SOCKET_SECURITY_API_KEY', 'SOCKET_SECURITY_API_TOKEN'])
 
 const CANONICAL = 'SOCKET_API_TOKEN'