fix(lint): clear all 5 new socket/* oxlint rule violations

Resolve every error surfaced by the newly cascaded socket/* rules:

- prefer-cached-for-loop (91 → 0): rewrite forEach / for-of loops to
  cached-length for-i, materializing Set/Map/URLSearchParams/Object.
  entries iterables, and asserting `arr[i]!` under
  noUncheckedIndexedAccess.
- max-file-lines (17 → 0): annotate legitimate single-concern files
  with `max-file-lines: legitimate` headers; no source splits.
- inclusive-language (8 → 0): rewrite UI strings to "default branch"
  language; mark remaining occurrences (git ref names, GitHub
  default_branch payloads) with `inclusive-language: external-api`.
- prefer-node-builtin-imports (7 → 0): switch `import { tmpdir }
  from 'node:os'` → default `os` + dotted access (same for `path`).
- sort-equality-disjunctions / sort-named-imports / sort-regex-
  alternations: autofix + manual regex alternation reordering.
- prefer-async-spawn (4 → 0): annotate the 4 callsites that need the
  ChildProcess stream API (live test reporter, interactive prompts,
  npm publish, bootstrap synchronous entry) with per-line disables.
- no-default-export (2 → 0): annotate the 2 vitest configs (vitest
  loader requires default export).
- export-top-level-functions + prefer-function-declaration +
  sort-source-methods on scripts/bootstrap-firewall-deps.mts and
  scripts/cover.mts (surfaced once the cascaded prefer-function-
  declaration rule stopped crashing): convert module-scope arrows
  to function declarations, export, and resort alphabetically.

Type-check, build, and a smoke test (test/unit/utils.test.mts) all
clean.

Author: jdalton

.config/esbuild.config.mts

@@ -88,7 +88,7 @@ export function createLibStubPlugin() {
   //   - external/del.js → pulled in by fs's lazy getDel() for safeDelete,
   //     SDK never calls safeDelete/safeDeleteSync
   const libStubPattern =
-    /@socketsecurity\/lib\/dist\/(globs|sorts|external\/(npm-pack|pico-pack|cacache|del))\.js$/
+    /@socketsecurity\/lib\/dist\/(external\/(cacache|del|npm-pack|pico-pack)|globs|sorts)\.js$/
 
   const mimeDbPattern = /mime-db\/db\.json$/
 

.config/esbuild/node-protocol.mts

@@ -16,7 +16,9 @@ export function createNodeProtocolPlugin() {
   return {
     name: 'node-protocol',
     setup(build: PluginBuild) {
-      for (const builtin of Module.builtinModules) {
+      const builtins = Module.builtinModules
+      for (let i = 0, { length } = builtins; i < length; i += 1) {
+        const builtin = builtins[i]!
         // Skip builtins that already carry the node: prefix.
         if (builtin.startsWith('node:')) {
           continue

.config/esbuild/shorten-paths.mts

@@ -36,7 +36,8 @@ export function createPathShorteningPlugin() {
             f => f.endsWith('.js') || f.endsWith('.mjs'),
           )
 
-          for (const outputPath of outputs) {
+          for (let i = 0, { length } = outputs; i < length; i += 1) {
+            const outputPath = outputs[i]!
             // eslint-disable-next-line no-await-in-loop
             const content = await fs.readFile(outputPath, 'utf8')
             const magicString = new MagicString(content)
@@ -95,7 +96,13 @@ export function createPathShorteningPlugin() {
                 plugins: [],
               })
 
-              for (const comment of (ast.comments || []) as Comment[]) {
+              const comments = (ast.comments || []) as Comment[]
+              for (
+                let ci = 0, { length: clen } = comments;
+                ci < clen;
+                ci += 1
+              ) {
+                const comment = comments[ci]!
                 if (
                   comment.type === 'CommentLine' &&
                   comment.value.includes(NODE_MODULES)
@@ -142,13 +149,16 @@ export function createPathShorteningPlugin() {
                   }
                 }
 
-                for (const key of Object.keys(n)) {
-                  if (key === 'start' || key === 'end' || key === 'loc') {
+                const keys = Object.keys(n)
+                for (let ki = 0, { length: klen } = keys; ki < klen; ki += 1) {
+                  const key = keys[ki]!
+                  if (key === 'end' || key === 'loc' || key === 'start') {
                     continue
                   }
-                  const value = n[key]
+                  const value = n[key]!
                   if (Array.isArray(value)) {
-                    for (const item of value) {
+                    for (let i = 0, { length } = value; i < length; i += 1) {
+                      const item = value[i]!
                       walk(item)
                     }
                   } else {

.config/vitest.config.isolated.mts

@@ -27,6 +27,7 @@ const isCoverageEnabled =
   process.env.npm_lifecycle_event?.includes('coverage') ||
   process.argv.some(arg => arg.includes('coverage'))
 
+// oxlint-disable-next-line socket/no-default-export -- vitest config loader requires the default export.
 export default defineConfig({
   cacheDir: './node_modules/.cache/vitest',
   test: {

.config/vitest.config.mts

@@ -22,6 +22,7 @@ if (isCoverageEnabled) {
   process.env.COVERAGE = 'true'
 }
 
+// oxlint-disable-next-line socket/no-default-export -- vitest config loader requires the default export.
 export default defineConfig({
   cacheDir: './node_modules/.cache/vitest',
   test: {

scripts/bootstrap-firewall-deps.mts

@@ -18,10 +18,11 @@
  * single source of truth.
  */
 
+// oxlint-disable-next-line socket/prefer-async-spawn -- bootstrap entry point: must run synchronously before any async setup so node_modules is hydrated for the rest of the pipeline.
 import { spawnSync } from 'node:child_process'
 import { existsSync, mkdirSync, readFileSync, rmSync } from 'node:fs'
 
-import { tmpdir } from 'node:os'
+import os from 'node:os'
 
 import path from 'node:path'
 import process from 'node:process'
@@ -53,10 +54,90 @@ interface FirewallAlert {
   key?: string
 }
 
-const checkFirewall = async (
+/**
+ * Download a npm registry tarball for `<pkg>@<version>` and extract
+ * it into `node_modules/<pkg>/`. Skips if the destination already
+ * has a package.json with the matching version. Firewall-checks the
+ * version against firewall-api.socket.dev before downloading; refuses
+ * to install if the firewall returned any alerts.
+ */
+export async function bootstrapPackage(pkgName: string): Promise<void> {
+  const version = readPinnedVersion(pkgName)
+  const dest = path.join(REPO_ROOT, 'node_modules', pkgName)
+  const destPkgJson = path.join(dest, 'package.json')
+
+  if (existsSync(destPkgJson)) {
+    try {
+      const installed = JSON.parse(readFileSync(destPkgJson, 'utf8'))
+      if (installed.version === version) {
+        log(`${pkgName}@${version} already present, skipping`)
+        return
+      }
+      log(
+        `${pkgName} present at ${installed.version}, replacing with ${version}`,
+      )
+    } catch {
+      // Malformed package.json — overwrite.
+    }
+  }
+
+  // Firewall check — refuses install if the package is flagged as
+  // malware. Network errors are non-fatal so a network blip doesn't
+  // block a fresh clone.
+  const cleared = await checkFirewall(pkgName, version)
+  if (!cleared) {
+    throw new Error(
+      `Socket Firewall blocked ${pkgName}@${version}; refusing to install.`,
+    )
+  }
+
+  // Build the registry tarball URL. The npm registry redirects
+  // /<pkg>/-/<basename>-<version>.tgz, but for scoped packages the
+  // basename is the unscoped portion.
+  const unscoped = pkgName.startsWith('@') ? pkgName.split('/')[1]! : pkgName
+  const tarballUrl = `https://registry.npmjs.org/${pkgName}/-/${unscoped}-${version}.tgz`
+
+  log(`Fetching ${tarballUrl}`)
+  const tarballPath = path.join(
+    os.tmpdir(),
+    `socket-bootstrap-${unscoped}-${version}.tgz`,
+  )
+
+  // Use curl — it's universally available and avoids a dep on a
+  // node http client. Follow redirects with -L, fail loudly with -f.
+  const curl = spawnSync('curl', ['-fsSL', tarballUrl, '-o', tarballPath], {
+    stdio: 'inherit',
+  })
+  if (curl.status !== 0) {
+    throw new Error(
+      `Failed to download ${pkgName}@${version} from ${tarballUrl}.\nVerify the version exists on the npm registry, or check network access.`,
+    )
+  }
+
+  // Ensure dest exists and is empty for clean extraction.
+  if (existsSync(dest)) {
+    rmSync(dest, { recursive: true, force: true })
+  }
+  mkdirSync(dest, { recursive: true })
+
+  // Extract: tarball top-level dir is `package/`, strip it.
+  const tar = spawnSync(
+    'tar',
+    ['-xzf', tarballPath, '--strip-components=1', '-C', dest],
+    { stdio: 'inherit' },
+  )
+  if (tar.status !== 0) {
+    throw new Error(`Failed to extract ${tarballPath} into ${dest}.`)
+  }
+
+  rmSync(tarballPath, { force: true })
+  log(`${pkgName}@${version} → node_modules/${pkgName}`)
+}
+
+export async function checkFirewall(
   pkgName: string,
   version: string,
-): Promise<boolean> => {
+): Promise<boolean> {
   const purl = `pkg:npm/${pkgName}@${version}`
   const url = `${FIREWALL_API_URL}/${encodeURIComponent(purl)}`
   const controller = new AbortController()
@@ -85,7 +166,9 @@ const checkFirewall = async (
         // oxlint-disable-next-line socket/no-status-emoji -- bootstrap runs before lib is installed; can't use logger.
         `\n✗ Socket Firewall flagged ${pkgName}@${version} as malware (${alerts.length} alert(s)):`,
       )
-      for (const a of alerts.slice(0, 10)) {
+      const topAlerts = alerts.slice(0, 10)
+      for (let i = 0, { length } = topAlerts; i < length; i += 1) {
+        const a = topAlerts[i]!
         err(
           `    ${a.type ?? a.key ?? 'malware'}${a.severity ? ` (${a.severity})` : ''}`,
         )
@@ -107,12 +190,12 @@ const checkFirewall = async (
   }
 }
 
-const log = (msg: string): void => {
-  process.stdout.write(`[bootstrap] ${msg}\n`)
+export function err(msg: string): void {
+  process.stderr.write(`[bootstrap] ${msg}\n`)
 }
 
-const err = (msg: string): void => {
-  process.stderr.write(`[bootstrap] ${msg}\n`)
+export function log(msg: string): void {
+  process.stdout.write(`[bootstrap] ${msg}\n`)
 }
 
 /**
@@ -126,20 +209,15 @@ const err = (msg: string): void => {
  * `pnpm install` brings any tooling in.
  */
 
-// Strip range prefixes (^, ~, >=, <=, etc.) so the registry tarball
-// URL gets an exact semver. Applied to BOTH the catalog and the
-// package.json paths so they can never disagree.
-const stripRange = (v: string): string => v.replace(/^[\^~>=<]+/, '').trim()
-
-const readPinnedVersion = (pkgName: string): string => {
+export function readPinnedVersion(pkgName: string): string {
   // (1) pnpm-workspace.yaml catalog
   const wsPath = path.join(REPO_ROOT, 'pnpm-workspace.yaml')
   if (existsSync(wsPath)) {
     const content = readFileSync(wsPath, 'utf8')
     const lines = content.split('\n')
     let inCatalog = false
-    for (const rawLine of lines) {
-      const line = rawLine.replace(/\r$/, '')
+    for (let i = 0, { length } = lines; i < length; i += 1) {
+      const line = lines[i]!.replace(/\r$/, '')
       if (/^catalog:\s*$/.test(line)) {
         inCatalog = true
         continue
@@ -165,7 +243,9 @@ const readPinnedVersion = (pkgName: string): string => {
   const pkgJsonPath = path.join(REPO_ROOT, 'package.json')
   if (existsSync(pkgJsonPath)) {
     const pkg = JSON.parse(readFileSync(pkgJsonPath, 'utf8'))
-    for (const field of ['dependencies', 'devDependencies'] as const) {
+    const fields = ['dependencies', 'devDependencies'] as const
+    for (let i = 0, { length } = fields; i < length; i += 1) {
+      const field = fields[i]!
       const deps = pkg[field]
       if (deps && typeof deps[pkgName] === 'string') {
         const v: string = deps[pkgName]
@@ -186,92 +266,14 @@ const readPinnedVersion = (pkgName: string): string => {
   )
 }
 
-/**
- * Download a npm registry tarball for `<pkg>@<version>` and extract
- * it into `node_modules/<pkg>/`. Skips if the destination already
- * has a package.json with the matching version. Firewall-checks the
- * version against firewall-api.socket.dev before downloading; refuses
- * to install if the firewall returned any alerts.
- */
-const bootstrapPackage = async (pkgName: string): Promise<void> => {
-  const version = readPinnedVersion(pkgName)
-  const dest = path.join(REPO_ROOT, 'node_modules', pkgName)
-  const destPkgJson = path.join(dest, 'package.json')
-
-  if (existsSync(destPkgJson)) {
-    try {
-      const installed = JSON.parse(readFileSync(destPkgJson, 'utf8'))
-      if (installed.version === version) {
-        log(`${pkgName}@${version} already present, skipping`)
-        return
-      }
-      log(
-        `${pkgName} present at ${installed.version}, replacing with ${version}`,
-      )
-    } catch {
-      // Malformed package.json — overwrite.
-    }
-  }
-
-  // Firewall check — refuses install if the package is flagged as
-  // malware. Network errors are non-fatal so a network blip doesn't
-  // block a fresh clone.
-  const cleared = await checkFirewall(pkgName, version)
-  if (!cleared) {
-    throw new Error(
-      `Socket Firewall blocked ${pkgName}@${version}; refusing to install.`,
-    )
-  }
-
-  // Build the registry tarball URL. The npm registry redirects
-  // /<pkg>/-/<basename>-<version>.tgz, but for scoped packages the
-  // basename is the unscoped portion.
-  const unscoped = pkgName.startsWith('@') ? pkgName.split('/')[1]! : pkgName
-  const tarballUrl = `https://registry.npmjs.org/${pkgName}/-/${unscoped}-${version}.tgz`
-
-  log(`Fetching ${tarballUrl}`)
-  const tarballPath = path.join(
-    tmpdir(),
-    `socket-bootstrap-${unscoped}-${version}.tgz`,
-  )
-
-  // Use curl — it's universally available and avoids a dep on a
-  // node http client. Follow redirects with -L, fail loudly with -f.
-  const curl = spawnSync('curl', ['-fsSL', tarballUrl, '-o', tarballPath], {
-    stdio: 'inherit',
-  })
-  if (curl.status !== 0) {
-    throw new Error(
-      `Failed to download ${pkgName}@${version} from ${tarballUrl}.\nVerify the version exists on the npm registry, or check network access.`,
-    )
-  }
-
-  // Ensure dest exists and is empty for clean extraction.
-  if (existsSync(dest)) {
-    rmSync(dest, { recursive: true, force: true })
-  }
-  mkdirSync(dest, { recursive: true })
-
-  // Extract: tarball top-level dir is `package/`, strip it.
-  const tar = spawnSync(
-    'tar',
-    ['-xzf', tarballPath, '--strip-components=1', '-C', dest],
-    { stdio: 'inherit' },
-  )
-  if (tar.status !== 0) {
-    throw new Error(`Failed to extract ${tarballPath} into ${dest}.`)
-  }
-
-  rmSync(tarballPath, { force: true })
-  log(`${pkgName}@${version} → node_modules/${pkgName}`)
-}
-
-const main = async (): Promise<number> => {
+export async function main(): Promise<number> {
   log(
     `Bootstrapping ${BOOTSTRAP_PACKAGES.length} package(s) from npm registry...`,
   )
-  for (const pkg of BOOTSTRAP_PACKAGES) {
+  for (let i = 0, { length } = BOOTSTRAP_PACKAGES; i < length; i += 1) {
+    const pkg = BOOTSTRAP_PACKAGES[i]!
     try {
+      // eslint-disable-next-line no-await-in-loop
       await bootstrapPackage(pkg)
     } catch (e) {
       err(
@@ -284,4 +286,11 @@ const main = async (): Promise<number> => {
   return 0
 }
 
+// Strip range prefixes (^, ~, >=, <=, etc.) so the registry tarball
+// URL gets an exact semver. Applied to BOTH the catalog and the
+// package.json paths so they can never disagree.
+export function stripRange(v: string): string {
+  return v.replace(/^[\^~>=<]+/, '').trim()
+}
+
 main().then(code => process.exit(code))

scripts/build.mts

@@ -344,7 +344,9 @@ async function main(): Promise<void> {
         if (values.analyze && result?.metafile) {
           const analysis = analyzeMetafile(result.metafile)
           logger.info('Build output:')
-          for (const file of analysis.files) {
+          const analysisFiles = analysis.files
+          for (let i = 0, { length } = analysisFiles; i < length; i += 1) {
+            const file = analysisFiles[i]!
             logger.substep(`${file.name}: ${file.size}`)
           }
           logger.step(`Total bundle size: ${analysis.totalSize}`)
@@ -401,7 +403,9 @@ async function main(): Promise<void> {
           if (values.analyze && srcResult.result?.metafile) {
             const analysis = analyzeMetafile(srcResult.result.metafile)
             logger.info('Build output:')
-            for (const file of analysis.files) {
+            const analysisFiles = analysis.files
+            for (let i = 0, { length } = analysisFiles; i < length; i += 1) {
+              const file = analysisFiles[i]!
               logger.substep(`${file.name}: ${file.size}`)
             }
             logger.step(`Total bundle size: ${analysis.totalSize}`)