chore(sync): cascade fleet template@86742ed

Auto-applied by socket-wheelhouse sync-scaffolding into vscode-socket-security.
7 file(s) touched:
  - .config/oxlint-plugin/rules/no-cached-for-on-iterable.mts
  - .config/oxlint-plugin/rules/no-file-scope-oxlint-disable.mts
  - .config/socket-registry-pins.json
  - scripts/check-lock-step-header.mts
  - scripts/install-claude-plugins.mts
  - scripts/test/check-lock-step-refs.test.mts
  - scripts/test/install-claude-plugins.test.mts

Author: jdalton

.config/oxlint-plugin/rules/no-cached-for-on-iterable.mts

@@ -1,36 +1,29 @@
 /**
- * @file Forbid file-scope `oxlint-disable <rule>` comments — every
- *   exemption must be justified per call site via
- *   `oxlint-disable-next-line <rule> -- <reason>`.
+ * @file Forbid file-scope `oxlint-disable <rule>` comments — every exemption
+ *   must be justified per call site via `oxlint-disable-next-line <rule> --
+ *   <reason>`. Why: a file-scope `/* oxlint-disable
+ *   socket/no-console-prefer-logger *\/` block at the top of a file silently
+ *   exempts the entire file from a fleet rule. The exemption applies to lines
+ *   the author never thought about — including future edits — and the reason
+ *   field at the top is easy to forget by the time someone adds a new call
+ *   below. Inline `oxlint-disable-next-line socket/<rule> -- <reason>` forces
+ *   the author to write a fresh justification per call site, which surfaces in
+ *   code review and in `git blame` next to the actual disabled code. Allowed:
  *
- *   Why: a file-scope `/* oxlint-disable socket/no-console-prefer-logger *\/`
- *   block at the top of a file silently exempts the entire file from a
- *   fleet rule. The exemption applies to lines the author never thought
- *   about — including future edits — and the reason field at the top is
- *   easy to forget by the time someone adds a new call below.
- *
- *   Inline `oxlint-disable-next-line socket/<rule> -- <reason>` forces the
- *   author to write a fresh justification per call site, which surfaces
- *   in code review and in `git blame` next to the actual disabled code.
- *
- *   Allowed:
  *   - `// oxlint-disable-next-line <rule> -- <reason>` (per call site)
  *   - `/* oxlint-disable-next-line <rule> *\/` block form, also per call
- *   - File-scope disable for **plugin-internal rules** where the file
- *     itself defines the rule and intentionally contains the banned
- *     shape as lookup-table data (e.g. `no-status-emoji.mts` containing
- *     the emoji it bans). Matched by file path: any file under
- *     `.config/oxlint-plugin/rules/` is exempt from this rule.
- *
- *   Banned:
+ *   - File-scope disable for **plugin-internal rules** where the file itself
+ *     defines the rule and intentionally contains the banned shape as
+ *     lookup-table data (e.g. `no-status-emoji.mts` containing the emoji it
+ *     bans). Matched by file path: any file under
+ *     `.config/oxlint-plugin/rules/` is exempt from this rule. Banned:
  *   - `/* oxlint-disable <rule> *\/` at file scope (no `-next-line`)
  *   - `// oxlint-disable <rule>` at file scope (no `-next-line`)
  *   - Block `oxlint-enable` toggles that come paired with file-scope
- *     `oxlint-disable` blocks — same anti-pattern.
- *
- *   No autofix: the rule reports each file-scope disable; the human
- *   moves each one to the call site that needs it (or removes it if
- *   the code can be rewritten to satisfy the rule).
+ *     `oxlint-disable` blocks — same anti-pattern. No autofix: the rule reports
+ *     each file-scope disable; the human moves each one to the call site that
+ *     needs it (or removes it if the code can be rewritten to satisfy the
+ *     rule).
  */
 
 import type { AstNode, RuleContext } from '../lib/rule-types.mts'
@@ -62,7 +55,7 @@ const rule = {
     fixable: undefined,
     messages: {
       fileScopeDisable:
-        'File-scope `oxlint-disable {{rule}}` silently exempts the whole file from a fleet rule. Move the disable to `oxlint-disable-next-line {{rule}} -- <reason>` on the specific line that needs it. If the entire file legitimately can\'t comply, the file probably needs a refactor instead.',
+        "File-scope `oxlint-disable {{rule}}` silently exempts the whole file from a fleet rule. Move the disable to `oxlint-disable-next-line {{rule}} -- <reason>` on the specific line that needs it. If the entire file legitimately can't comply, the file probably needs a refactor instead.",
     },
     schema: [],
   },

.config/oxlint-plugin/rules/no-file-scope-oxlint-disable.mts

@@ -1,55 +1,36 @@
 #!/usr/bin/env node
 /**
- * @file Lock-step header byte-equality gate. Mantra: the four impls
- *   of a quadruplet agree about WHAT THE FILE IS FOR. The `BEGIN
- *   LOCK-STEP HEADER` / `END LOCK-STEP HEADER` block names that
- *   contract; every member of the quadruplet carries the same block,
- *   byte-for-byte (after stripping the `// ` comment prefix). Drift
- *   on the contract is a different failure mode from a stale path
- *   reference (which `check-lock-step-refs.mts` catches) — this gate
- *   is the _intent_ tripwire.
+ * @file Lock-step header byte-equality gate. Mantra: the four impls of a
+ *   quadruplet agree about WHAT THE FILE IS FOR. The `BEGIN LOCK-STEP HEADER` /
+ *   `END LOCK-STEP HEADER` block names that contract; every member of the
+ *   quadruplet carries the same block, byte-for-byte (after stripping the `// `
+ *   comment prefix). Drift on the contract is a different failure mode from a
+ *   stale path reference (which `check-lock-step-refs.mts` catches) — this gate
+ *   is the _intent_ tripwire. Opt-in per repo: uses the same
+ *   `.config/lock-step-refs.json` as the path gate. Without the config, the
+ *   gate is a no-op. With the config, the gate walks every scanned source file,
+ *   looks for a `BEGIN LOCK-STEP HEADER` marker on the canonical side (a file
+ *   whose header contains one or more `Lock-step with <Lang>: <path>` refs),
+ *   extracts the header content, then opens each named peer and demands its
+ *   header block be byte-identical. "Canonical side" is determined by the
+ *   header content itself:
  *
- *   Opt-in per repo: uses the same `.config/lock-step-refs.json` as
- *   the path gate. Without the config, the gate is a no-op. With the
- *   config, the gate walks every scanned source file, looks for a
- *   `BEGIN LOCK-STEP HEADER` marker on the canonical side (a file
- *   whose header contains one or more `Lock-step with <Lang>: <path>`
- *   refs), extracts the header content, then opens each named peer
- *   and demands its header block be byte-identical.
- *
- *   "Canonical side" is determined by the header content itself:
- *
- *     - A file with `Lock-step with <Lang>: <path>` is canonical for
- *       that peer. (The peer should reciprocate with
- *       `Lock-step from <Lang>: <my-path>`, but the gate doesn't rely
- *       on that — symmetry is a §5 rule, not a §7 rule.)
- *     - A file with only `Lock-step from <Lang>: <path>` is a port
- *       and is checked against its canonical source.
- *
- *   Header format (single-line `// ` across every language):
- *
- *     // BEGIN LOCK-STEP HEADER
- *     // Class Parsing (Declarations, Expressions, Elements, Methods)
- *     //
- *     // Lock-step with Go: src/parser/class.go
- *     // Lock-step with C++: src/parser/class.cpp
- *     // END LOCK-STEP HEADER
- *
- *   Comparison strips the `// ` prefix from each line; an empty
- *   comment line (`//`) is preserved as an empty content line. The
- *   content between BEGIN and END is the contract.
- *
- *   Usage:
- *
- *     node scripts/check-lock-step-header.mts          # report + fail
- *     node scripts/check-lock-step-header.mts --json   # machine-readable
- *     node scripts/check-lock-step-header.mts --quiet  # silent on clean
- *
- *   Exit codes:
- *
- *     0 — clean (no quadruplets diverged, or config absent)
- *     1 — at least one quadruplet has a header diff
- *     2 — gate itself crashed
+ *   - A file with `Lock-step with <Lang>: <path>` is canonical for that peer.
+ *     (The peer should reciprocate with `Lock-step from <Lang>: <my-path>`, but
+ *     the gate doesn't rely on that — symmetry is a §5 rule, not a §7 rule.)
+ *   - A file with only `Lock-step from <Lang>: <path>` is a port and is checked
+ *     against its canonical source. Header format (single-line `// ` across
+ *     every language): // BEGIN LOCK-STEP HEADER // Class Parsing
+ *     (Declarations, Expressions, Elements, Methods) // // Lock-step with Go:
+ *     src/parser/class.go // Lock-step with C++: src/parser/class.cpp // END
+ *     LOCK-STEP HEADER Comparison strips the `// ` prefix from each line; an
+ *     empty comment line (`//`) is preserved as an empty content line. The
+ *     content between BEGIN and END is the contract. Usage: node
+ *     scripts/check-lock-step-header.mts # report + fail node
+ *     scripts/check-lock-step-header.mts --json # machine-readable node
+ *     scripts/check-lock-step-header.mts --quiet # silent on clean Exit codes:
+ *     0 — clean (no quadruplets diverged, or config absent) 1 — at least one
+ *     quadruplet has a header diff 2 — gate itself crashed
  */
 
 import { existsSync, readFileSync, readdirSync, statSync } from 'node:fs'
@@ -172,7 +153,8 @@ function extractHeader(file: string): HeaderBlock | undefined {
     const stripped = stripCommentPrefix(raw)
     bodyLines.push(stripped)
   }
-  const withRe = /Lock-step with ([A-Za-z][A-Za-z0-9+#-]*): ([^\s:,]*[./][^\s:,]*)/g
+  const withRe =
+    /Lock-step with ([A-Za-z][A-Za-z0-9+#-]*): ([^\s:,]*[./][^\s:,]*)/g
   const withRefs: Array<{ lang: string; refPath: string }> = []
   for (const line of bodyLines) {
     withRe.lastIndex = 0
@@ -239,7 +221,9 @@ function bodyEqual(a: readonly string[], b: readonly string[]): boolean {
 function formatDiff(d: Diff, repoRoot: string): string {
   const out: string[] = []
   const rel = (p: string) => path.relative(repoRoot, p)
-  out.push(`\n${rel(d.canonical)} (canonical) ↔ ${rel(d.peer)} (${d.lang} peer):`)
+  out.push(
+    `\n${rel(d.canonical)} (canonical) ↔ ${rel(d.peer)} (${d.lang} peer):`,
+  )
   if (d.reason === 'peer-not-found') {
     out.push(`  peer path doesn't exist on disk: ${rel(d.peer)}`)
     return out.join('\n')
@@ -274,9 +258,7 @@ function main(): void {
   try {
     config = loadConfig(repoRoot)
   } catch (e) {
-    process.stderr.write(
-      `check-lock-step-header: ${(e as Error).message}\n`,
-    )
+    process.stderr.write(`check-lock-step-header: ${(e as Error).message}\n`)
     process.exitCode = 2
     return
   }
@@ -307,12 +289,7 @@ function main(): void {
     }
     canonicalCount += 1
     for (const ref of header.withRefs) {
-      const peerPath = resolveRefPath(
-        config,
-        repoRoot,
-        ref.lang,
-        ref.refPath,
-      )
+      const peerPath = resolveRefPath(config, repoRoot, ref.lang, ref.refPath)
       if (!peerPath) {
         diffs.push({
           canonical: file,