chore(sync): cascade fleet skills + helpers from socket-repo-template

Pulls in the latest fleet-canonical skill changes from
socket-repo-template via `node scripts/sync-scaffolding.mts --fix`.

Highlights of what's new from upstream:
- _shared/ taxonomy: prose modules + scripts/ for shared TS helpers.
- New shared docs: variant-analysis.md, compound-lessons.md,
  skill-authoring.md.
- New shared TS: scripts/git-default-branch.mts (main → master fallback).
- worktree-management/ skill (new / pr-fanout / prune modes).
- scanning-quality/scans/ split: variant-analysis, insecure-defaults,
  differential.
- guarding-paths restructured: reference.md (prose) + templates/ (.tmpl
  scaffolding) instead of mixed reference/.
- Skill orchestrator/reference split across updating, updating-lockstep,
  driving-cursor-bugbot, refreshing-history, guarding-paths.
- refreshing-history/run.sh → run.mts (cross-platform via
  @socketsecurity/lib/spawn).
- CLAUDE.md fleet block: new rules for variant analysis, compound
  lessons, plan review, default-branch fallback, .mts-over-.sh runners.

Tests skipped via DISABLE_PRECOMMIT_TEST=1 (the project's documented
opt-out for sync / history operations); lint + format hooks still ran.

Author: jdalton

.claude/hooks/cross-repo-guard/index.mts

@@ -46,6 +46,7 @@ const logger = getDefaultLogger()
 
 const FLEET_REPO_NAMES = [
   'claude-code',
+  'skills',
   'socket-addon',
   'socket-btm',
   'socket-cli',
@@ -57,6 +58,7 @@ const FLEET_REPO_NAMES = [
   'socket-sdxgen',
   'socket-stuie',
   'ultrathink',
+  'vscode-socket-security',
 ] as const
 
 const FLEET_RE_FRAGMENT = FLEET_REPO_NAMES.join('|')

.claude/hooks/gitmodules-comment-guard/README.md

@@ -0,0 +1,79 @@
+# gitmodules-comment-guard
+
+A **Claude Code PreToolUse hook** that blocks Edit/Write tool calls
+which would land a `[submodule "..."]` section in `.gitmodules`
+without the canonical `# <slug>-<version>` comment immediately above
+it.
+
+## Why this rule
+
+The Socket fleet's lockstep harness uses the `# slug-version` annotation
+to surface upstream version drift in its update reports. Without it,
+`pnpm run lockstep` can't tell whether a submodule pin reflects v1.0 or
+v3.5 of the upstream — the report is meaningless. Adding the comment
+costs one line; missing it silently breaks the drift surface.
+
+## Conventional shape
+
+```gitmodules
+# semver-7.7.4
+[submodule "packages/node-smol-builder/upstream/semver"]
+	path = packages/node-smol-builder/upstream/semver
+	url = https://github.com/npm/node-semver.git
+	ignore = dirty
+```
+
+The slug is short (no path); the version is whatever upstream tags
+(`v25.9.0`, `1.7.19`, `liburing-2.14`, `epochs/three_hourly/2026-02-24_21H`).
+
+## What's enforced
+
+- Every `[submodule "PATH"]` line must be preceded *immediately* (no
+  blank line) by `# <slug>-<version>`.
+- The slug pattern is permissive: `[a-z0-9]([a-z0-9-]*[a-z0-9])?`.
+- The version is anything non-whitespace after the first hyphen.
+
+## What's not enforced
+
+- `ignore = dirty` — conventional but not blocked here. (It's a
+  parallel-Claude-sessions concern, not a build break.)
+- Repository URL format / branch — those don't affect lockstep.
+
+## Override marker
+
+For a legitimate one-off where the comment doesn't apply:
+
+```gitmodules
+[submodule "..."] # socket-hook: allow gitmodules-no-comment
+```
+
+Don't reach for this — fix the comment instead.
+
+## Wiring
+
+In `.claude/settings.json`:
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Edit|Write",
+        "hooks": [
+          {
+            "type": "command",
+            "command": "node .claude/hooks/gitmodules-comment-guard/index.mts"
+          }
+        ]
+      }
+    ]
+  }
+}
+```
+
+## Cross-fleet sync
+
+This hook lives in
+[`socket-repo-template`](https://github.com/SocketDev/socket-repo-template/tree/main/template/.claude/hooks/gitmodules-comment-guard)
+and is required to be byte-identical across every fleet repo.
+`scripts/sync-scaffolding.mts` flags drift; `--fix` rewrites it.

.claude/hooks/gitmodules-comment-guard/index.mts

@@ -0,0 +1,133 @@
+#!/usr/bin/env node
+// Claude Code PreToolUse hook — gitmodules-comment-guard.
+//
+// Blocks Edit/Write tool calls that introduce a `[submodule "..."]`
+// section into `.gitmodules` without the canonical `# <name>-<version>`
+// comment immediately above it. Without that comment, the harness
+// can't surface upstream version drift in the `lockstep` reports — the
+// fleet relies on this annotation to know what version each pinned
+// submodule represents.
+//
+// What's enforced:
+//   - Every `[submodule "PATH"]` line must be preceded (immediately,
+//     no blank line) by `# <slug>-<version>` where <slug> matches
+//     `[a-z0-9]([a-z0-9-]*[a-z0-9])?` and <version> is whatever the
+//     upstream uses (`v25.9.0`, `0.1.0`, `1.7.19`, `liburing-2.14`,
+//     `epochs/three_hourly/2026-02-24_21H`, etc.). The version is
+//     the part after the FIRST hyphen — we don't try to parse it
+//     beyond "non-empty".
+//   - `ignore = dirty` is conventional but not enforced here (it's a
+//     parallel-Claude-sessions concern; submodule add without it is
+//     not a build break).
+//
+// Scope:
+//   - Fires on Edit and Write tool calls.
+//   - Only inspects `.gitmodules` at the repo root.
+//   - Lines marked `# socket-hook: allow gitmodules-no-comment` are
+//     exempt for one-off legitimate cases.
+//
+// The hook fails OPEN on its own bugs (exit 0 + stderr log) so a bad
+// hook deploy can't brick the session.
+
+import process from 'node:process'
+
+const ALLOW_MARKER = '# socket-hook: allow gitmodules-no-comment'
+
+// Match `[submodule "PATH"]` with PATH captured. Tolerant of
+// whitespace and quoting variations.
+const SUBMODULE_RE = /^\s*\[submodule\s+"([^"]+)"\s*\]\s*$/
+
+// Match `# <slug>-<version>` where the version is whatever follows
+// the first hyphen. We only require: starts with `# `, contains a
+// hyphen, has non-empty version part.
+const COMMENT_RE = /^#\s+[a-z0-9]+([a-z0-9-]*[a-z0-9])?-[^\s]/
+
+interface Hook {
+  // tool_name and tool_input shape — keeping it loose because the
+  // PreToolUse payload schema isn't versioned beyond JSON-with-body.
+  tool_name?: string
+  tool_input?: {
+    file_path?: string
+    new_string?: string
+    content?: string
+  }
+}
+
+// Read newline-separated lines for analysis.
+function findOrphanSubmoduleSections(text: string): string[] {
+  const lines = text.split('\n')
+  const orphans: string[] = []
+  for (let i = 0; i < lines.length; i++) {
+    const line = lines[i]
+    if (!line) continue
+    const match = SUBMODULE_RE.exec(line)
+    if (!match) continue
+    // Allow marker on the [submodule] line or the line above is
+    // a one-off escape hatch.
+    if (line.includes(ALLOW_MARKER)) continue
+    if (i > 0 && lines[i - 1]?.includes(ALLOW_MARKER)) continue
+    // The previous line must be a comment matching `# <slug>-<ver>`.
+    const prev = i > 0 ? lines[i - 1] : ''
+    if (!prev || !COMMENT_RE.test(prev)) {
+      orphans.push(match[1] ?? line)
+    }
+  }
+  return orphans
+}
+
+function main() {
+  let stdin = ''
+  process.stdin.on('data', chunk => {
+    stdin += chunk
+  })
+  process.stdin.on('end', () => {
+    let payload: Hook
+    try {
+      payload = JSON.parse(stdin) as Hook
+    } catch {
+      // Bad payload — fail open.
+      process.exit(0)
+    }
+    const tool = payload.tool_name
+    if (tool !== 'Edit' && tool !== 'Write') {
+      process.exit(0)
+    }
+    const filePath = payload.tool_input?.file_path
+    if (!filePath || !filePath.endsWith('/.gitmodules')) {
+      process.exit(0)
+    }
+    // Edit gives us new_string (the replacement); Write gives us
+    // content (the full new file). Either way, we scan the proposed
+    // text for the orphan condition. For Edit calls the new_string
+    // may be a fragment that doesn't contain a [submodule] header —
+    // that's fine, the check passes.
+    const proposed =
+      payload.tool_input?.content ?? payload.tool_input?.new_string ?? ''
+    const orphans = findOrphanSubmoduleSections(proposed)
+    if (orphans.length === 0) {
+      process.exit(0)
+    }
+    // Block the tool call. Exit code 2 makes Claude Code refuse and
+    // surface the stderr to the model so it can retry.
+    process.stderr.write(
+      `[gitmodules-comment-guard] refusing edit: ${orphans.length} ` +
+        `submodule section(s) lack the canonical ` +
+        `# <slug>-<version> comment immediately above:\n` +
+        orphans.map(o => `    [submodule "${o}"]`).join('\n') +
+        '\n\nFix: prepend a comment line on the line BEFORE each\n' +
+        '[submodule "..."] section. Example:\n' +
+        '\n  # semver-7.7.4\n  [submodule "packages/.../upstream/semver"]\n' +
+        '\nThe slug should be a short name (no path); the version is\n' +
+        'whatever the upstream tags (v25.9.0, 1.7.19, liburing-2.14, etc.).\n' +
+        '\nOne-off override: append `# socket-hook: allow gitmodules-no-comment`\n' +
+        'to the [submodule] line.\n',
+    )
+    process.exit(2)
+  })
+  // If stdin is closed before any data, treat as empty payload.
+  if (process.stdin.readable === false) {
+    process.exit(0)
+  }
+}
+
+main()

.claude/hooks/gitmodules-comment-guard/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "hook-gitmodules-comment-guard",
+  "private": true,
+  "type": "module",
+  "main": "./index.mts",
+  "exports": {
+    ".": "./index.mts"
+  },
+  "scripts": {
+    "test": "node --test test/*.test.mts"
+  }
+}

.claude/hooks/gitmodules-comment-guard/tsconfig.json

@@ -0,0 +1,15 @@
+{
+  "compilerOptions": {
+    "declarationMap": false,
+    "erasableSyntaxOnly": true,
+    "module": "nodenext",
+    "moduleResolution": "nodenext",
+    "noEmit": true,
+    "rewriteRelativeImportExtensions": true,
+    "skipLibCheck": true,
+    "sourceMap": false,
+    "strict": true,
+    "target": "esnext",
+    "verbatimModuleSyntax": true
+  }
+}

.claude/skills/_shared/compound-lessons.md

@@ -0,0 +1,44 @@
+# Compound lessons
+
+How a fleet skill or review turns a finding into a durable rule, instead of fixing it once and forgetting.
+
+## The principle
+
+Each unit of engineering work should make subsequent units **easier**, not harder. A bug fix that doesn't update the rule that allowed the bug is a half-finished job: the next change in the same area will hit the same class of bug, and the cycle repeats.
+
+Three places a lesson can land in this fleet:
+
+| Where | When | Effect |
+|---|---|---|
+| **CLAUDE.md fleet rule** | The mistake recurs across repos or is a fleet-wide invariant | Every fleet repo inherits the rule on next sync |
+| **`.claude/hooks/*` block** | The mistake is mechanical and can be detected from tool input/output | Hook blocks the next attempt before the file is written |
+| **Skill prompt update** | The mistake is judgment-shaped (review pass missed a class of finding) | Future runs of that skill catch the variant |
+
+## When to compound
+
+Compound a lesson **only** when one of these is true:
+
+1. **Recurrence** — the same kind of bug has now appeared 2+ times. Write down the rule that would have caught both.
+2. **High blast radius** — the bug shipped, broke a downstream user, or required a revert. The rule prevents the next shipping incident.
+3. **Drift signal** — fleet repos disagreed on the answer. The rule reconciles which answer wins.
+
+Don't compound for one-off fixes that won't recur. Don't write a "lesson" doc when the lesson is just "we fixed it." The fleet rule **is** the lesson; if you can't crystallize it into a rule, the lesson isn't ready.
+
+## How to compound
+
+1. **Name the rule** — one sentence, imperative voice. "Never X." "Always Y."
+2. **Cite the incident** — one-line `**Why:**` line referencing the commit, PR, or finding. Don't write a paragraph.
+3. **State the application** — one-line `**How to apply:**` line saying when the rule fires.
+4. **Land it where it'll fire** — CLAUDE.md, hook, or skill prompt. Pick the lowest-friction surface that catches the next occurrence.
+
+Skip the retrospective doc. Skip the post-mortem template. The rule is the artifact.
+
+## Anti-patterns
+
+- **The "lessons learned" graveyard** — a `docs/lessons/` folder where dated markdown files rot. Don't. The rule belongs in the live config that fires on the next run.
+- **Vague rules** — "be careful with X." Useless. If you can't write the rule as a `rg` pattern or a CLAUDE.md `🚨` line, it isn't a rule yet.
+- **Rules without why** — future readers can't judge edge cases without the original incident. Always cite.
+
+## Source
+
+Borrowed from Every Inc.'s _Compound Engineering_ playbook (https://every.to/chain-of-thought/compound-engineering-how-every-codes-with-agents). Their `/ce-compound` slash command is the verb form of this principle; we encode the same discipline as a fleet convention rather than a slash command.

.claude/skills/_shared/scripts/git-default-branch.mts

@@ -0,0 +1,88 @@
+/**
+ * Default-branch resolution for fleet skill runners.
+ *
+ * Per CLAUDE.md "Default branch fallback" rule: prefer main, fall back
+ * to master. Never hard-code one or the other — fleet repos are mostly
+ * on main, but a few legacy / vendored repos still use master, and a
+ * script that hard-codes main silently no-ops on those.
+ *
+ * Cross-platform: shells out to git via @socketsecurity/lib/spawn, which
+ * works the same on macOS / Linux / Windows.
+ */
+import { isSpawnError, spawn } from '@socketsecurity/lib/spawn'
+
+export type ResolveDefaultBranchOptions = {
+  /** Working directory; defaults to process.cwd(). */
+  readonly cwd?: string | undefined
+  /** Remote name; defaults to 'origin'. */
+  readonly remote?: string | undefined
+}
+
+/**
+ * Resolve the remote's default branch, preferring `main` and falling back
+ * to `master`. Returns `'main'` as a final fallback when the remote has
+ * neither branch (e.g., fresh clone before `git fetch`).
+ *
+ * Resolution order:
+ *   1. `git symbolic-ref refs/remotes/<remote>/HEAD` — most reliable.
+ *   2. Probe `refs/remotes/<remote>/main` — true on the vast majority of fleet repos.
+ *   3. Probe `refs/remotes/<remote>/master` — legacy / vendored repos.
+ *   4. Assume `main` and let the next git command fail loudly.
+ */
+export async function resolveDefaultBranch(
+  options: ResolveDefaultBranchOptions = {},
+): Promise<string> {
+  const { cwd = process.cwd(), remote = 'origin' } = options
+
+  // Step 1: ask the remote what its HEAD points to.
+  try {
+    const ref = await runGit(
+      ['symbolic-ref', '--quiet', '--short', `refs/remotes/${remote}/HEAD`],
+      cwd,
+    )
+    if (ref) {
+      // Strip the "<remote>/" prefix.
+      return ref.startsWith(`${remote}/`) ? ref.slice(remote.length + 1) : ref
+    }
+  } catch {
+    // Fall through.
+  }
+
+  // Step 2 + 3: probe main, then master.
+  for (const branch of ['main', 'master']) {
+    if (await branchExists(branch, cwd, remote)) {
+      return branch
+    }
+  }
+
+  // Step 4: last resort.
+  return 'main'
+}
+
+async function branchExists(
+  branch: string,
+  cwd: string,
+  remote: string,
+): Promise<boolean> {
+  try {
+    await runGit(
+      ['show-ref', '--verify', '--quiet', `refs/remotes/${remote}/${branch}`],
+      cwd,
+    )
+    return true
+  } catch {
+    return false
+  }
+}
+
+async function runGit(args: readonly string[], cwd: string): Promise<string> {
+  try {
+    const result = await spawn('git', args, { cwd, stdioString: true })
+    return String(result.stdout ?? '').trim()
+  } catch (e) {
+    if (isSpawnError(e)) {
+      throw e
+    }
+    throw e
+  }
+}