chore(sync): cascade fleet template@3c55c23

Auto-applied by socket-wheelhouse sync-scaffolding into vscode-socket-security.
189 file(s) touched:
  - .claude/hooks/_shared/README.md
  - .claude/hooks/_shared/hook-env.mts
  - .claude/hooks/_shared/markers.mts
  - .claude/hooks/_shared/payload.mts
  - .claude/hooks/_shared/transcript.mts
  - .claude/hooks/auth-rotation-reminder/README.md
  - .claude/hooks/auth-rotation-reminder/index.mts
  - .claude/hooks/auth-rotation-reminder/package.json
  - .claude/hooks/auth-rotation-reminder/test/auth-rotation-reminder.test.mts
  - .claude/hooks/auth-rotation-reminder/tsconfig.json
  - .claude/hooks/check-new-deps/README.md
  - .claude/hooks/check-new-deps/index.mts
  - .claude/hooks/check-new-deps/package.json
  - .claude/hooks/check-new-deps/types.mts
  - .claude/hooks/claude-md-section-size-guard/tsconfig.json
  - .claude/hooks/claude-md-size-guard/tsconfig.json
  - .claude/hooks/comment-tone-reminder/tsconfig.json
  - .claude/hooks/commit-author-guard/tsconfig.json
  - .claude/hooks/commit-pr-reminder/test/index.test.mts
  - .claude/hooks/commit-pr-reminder/tsconfig.json
  ... and 169 more

Author: jdalton

.claude/hooks/_shared/README.md

@@ -0,0 +1,73 @@
+/**
+ * @fileoverview Hook-runtime helpers: disable-env check + prefixed
+ * stderr writer.
+ *
+ * Two responsibilities every hook needs:
+ *
+ *   1. `isHookDisabled(slug)` — check the canonical
+ *      `SOCKET_<UPPER_SLUG>_DISABLED` env var so every hook gets a
+ *      uniform kill switch. The hook's name is the only input; the
+ *      env-var name is derived (kebab → upper-snake + `_DISABLED`
+ *      suffix). Today 15 of 47 hooks have a manually-named disable
+ *      env; this helper makes it free for every hook.
+ *
+ *   2. `hookLog(slug, ...lines)` — write `[<slug>] <line>` to stderr.
+ *      Hooks have long duplicated this prefix shape with
+ *      `process.stderr.write(\`[hook-name] ...\`)`; centralizing it
+ *      keeps the format consistent and lets us evolve it later
+ *      (color, level prefixes, etc.) in one file.
+ *
+ * No dependency on `@socketsecurity/lib-stable` — hooks load fast at PreTool-
+ * Use time and the lib's logger ships a chunk of code (spinners, color
+ * detection, header/footer) that's wasted on a single stderr.write.
+ * Plain process.stderr is the right tool here.
+ */
+
+import process from 'node:process'
+
+/**
+ * Convert a hook slug (kebab-case) to its canonical disable env-var
+ * name. Pure string transform — exposed for tests + for hooks that
+ * want to mention the env-var name in their disable hint.
+ *
+ *   hookDisableEnvVar('no-revert-guard')        → 'SOCKET_NO_REVERT_GUARD_DISABLED'
+ *   hookDisableEnvVar('comment-tone-reminder')  → 'SOCKET_COMMENT_TONE_REMINDER_DISABLED'
+ *   hookDisableEnvVar('auth-rotation-reminder') → 'SOCKET_AUTH_ROTATION_REMINDER_DISABLED'
+ */
+export function hookDisableEnvVar(slug: string): string {
+  const upper = slug.toUpperCase().replace(/-/g, '_')
+  return `SOCKET_${upper}_DISABLED`
+}
+
+/**
+ * True when the canonical disable env is set to a truthy value. The
+ * fleet treats any non-empty value as "disabled" — `=1`, `=true`,
+ * `=yes`, all the same. An explicit `=0` or `=false` is also still
+ * non-empty, so technically "disabled"; if a user wants to enable
+ * after a session-wide disable, they should `unset` the var.
+ */
+export function isHookDisabled(slug: string): boolean {
+  return Boolean(process.env[hookDisableEnvVar(slug)])
+}
+
+/**
+ * Write one or more lines to stderr, each prefixed with `[<slug>] `.
+ * Trailing newlines are added automatically. Empty-string args are
+ * written as bare newlines (useful for visual separation).
+ *
+ *   hookLog('foo', 'first line', '', 'after blank')
+ *   →   [foo] first line\n
+ *       \n
+ *       [foo] after blank\n
+ */
+export function hookLog(slug: string, ...lines: readonly string[]): void {
+  const prefix = `[${slug}] `
+  for (let i = 0, { length } = lines; i < length; i += 1) {
+    const ln = lines[i]!
+    if (ln === '') {
+      process.stderr.write('\n')
+    } else {
+      process.stderr.write(`${prefix}${ln}\n`)
+    }
+  }
+}

.claude/hooks/_shared/hook-env.mts

@@ -0,0 +1,104 @@
+/**
+ * @fileoverview Shared types for Claude Code PreToolUse hook payloads.
+ *
+ * Claude Code sends a JSON object on stdin to every PreToolUse hook:
+ *
+ *   { "tool_name": "Edit" | "Write" | "Bash" | ..., "tool_input": {...} }
+ *
+ * The shape of `tool_input` varies by tool. The fleet's hooks need
+ * three subsets:
+ *
+ *   - Edit/Write hooks read `file_path` (always present) and either
+ *     `content` (Write) or `new_string` (Edit).
+ *   - Bash hooks read `command` (the shell line to run).
+ *   - A few hooks (cross-repo-guard, no-fleet-fork-guard) read
+ *     `file_path` to gate edits to specific paths.
+ *
+ * Each hook used to declare its own `tool_input` type inline — 7
+ * distinct shapes existed across the fleet for the same data. This
+ * file centralizes them so:
+ *
+ *   1. Future hooks copy-paste the right type instead of inventing one.
+ *   2. A schema change (new tool, new field) is a one-file edit.
+ *   3. The `unknown`-vs-`string` widening choice is consistent across
+ *      hooks (we widen to `unknown` and narrow at use; that's the
+ *      defensive shape for a payload we don't fully control).
+ *
+ * All fields are optional + `unknown` because:
+ *   - Hooks never know which tool they're inspecting until they read
+ *     `tool_name`. A Bash hook gets a Bash payload but the type is
+ *     the same union shape.
+ *   - The harness reserves the right to add fields; explicit `unknown`
+ *     forces callers to narrow at use, which prevents silent breakage
+ *     when an unexpected value lands in a known field.
+ */
+
+/**
+ * The full PreToolUse payload Claude Code sends on stdin. Every hook
+ * imports this and narrows the `tool_input` fields it reads.
+ */
+export interface ToolCallPayload {
+  readonly tool_name?: string | undefined
+  readonly tool_input?: ToolInput | undefined
+}
+
+/**
+ * Union of the `tool_input` fields the fleet's hooks read. Tool-
+ * specific fields are all optional and typed `unknown` — narrow at
+ * the use site so a payload-shape surprise (number where a string
+ * expected, etc.) doesn't crash the hook.
+ */
+export interface ToolInput {
+  // Edit/Write
+  readonly file_path?: unknown
+  readonly content?: unknown
+  readonly new_string?: unknown
+  readonly old_string?: unknown
+  // Bash
+  readonly command?: unknown
+}
+
+/**
+ * Narrow `tool_input.command` to a string. Returns `undefined` when
+ * the field is missing or non-string. Use as the canonical entry
+ * point for Bash hooks so the narrowing logic is one line at every
+ * call site:
+ *
+ *   const cmd = readCommand(payload)
+ *   if (!cmd) return
+ */
+export function readCommand(payload: ToolCallPayload): string | undefined {
+  const cmd = payload?.tool_input?.command
+  return typeof cmd === 'string' ? cmd : undefined
+}
+
+/**
+ * Narrow `tool_input.file_path` to a string. Same shape as
+ * `readCommand` — single entry point so callers don't repeat the
+ * `typeof === 'string'` guard.
+ */
+export function readFilePath(payload: ToolCallPayload): string | undefined {
+  const fp = payload?.tool_input?.file_path
+  return typeof fp === 'string' ? fp : undefined
+}
+
+/**
+ * Narrow the write-content field. For Write tools the field is
+ * `content`; for Edit it's `new_string`. Returns the first present
+ * string field or `undefined`. Useful for hooks that want to scan
+ * "what's about to land on disk" without caring whether it's a
+ * Write or an Edit.
+ */
+export function readWriteContent(
+  payload: ToolCallPayload,
+): string | undefined {
+  const content = payload?.tool_input?.content
+  if (typeof content === 'string') {
+    return content
+  }
+  const newStr = payload?.tool_input?.new_string
+  if (typeof newStr === 'string') {
+    return newStr
+  }
+  return undefined
+}