chore(sync): cascade fleet template@764ec50

Auto-applied by socket-wheelhouse sync-scaffolding into vscode-socket-security.
2 file(s) touched:
  - .claude/hooks/marketplace-comment-guard/README.md
  - .claude/hooks/marketplace-comment-guard/test/index.test.mts

Author: jdalton

.claude/hooks/marketplace-comment-guard/README.md

@@ -41,14 +41,16 @@ against — opaque pins look fine and stay broken for months.
 
 ```markdown
 <!-- .claude-plugin/README.md -->
-| plugin | version | sha                                      | date       | by      |
-|--------|---------|------------------------------------------|------------|---------|
-| codex  | v1.0.1  | 9cb4fe4099195b2587c402117a3efce6ab5aac78 | 2026-05-18 | jdalton |
+| plugin | version | sha                                      | date       | notes                            |
+|--------|---------|------------------------------------------|------------|----------------------------------|
+| codex  | v1.0.1  | 9cb4fe4099195b2587c402117a3efce6ab5aac78 | 2026-05-18 | upstream openai/codex-plugin-cc  |
 ```
 
-The first four columns are required and inspected. Extra columns (`by`,
-free-form `notes`) are accepted but not validated — those are human
-metadata.
+The first four columns are required and inspected. Any trailing column
+(e.g. free-form `notes`) is accepted but not validated. `git blame` is the
+authoritative record of *who* bumped a pin, so a `by` column is deliberately
+absent — duplicating personal identifiers into fleet-canonical files is a
+public-surface-hygiene mistake.
 
 ## What's enforced
 
@@ -64,7 +66,7 @@ metadata.
 
 - The accuracy of `date` — that's a human-review concern (same as the
   GHA `uses:` rule).
-- The `by` / `notes` columns — free-form metadata.
+- Any trailing `notes` column — free-form metadata.
 - Source types other than `git-subdir` carrying a `ref` field — if you
   add a new source type that doesn't have `ref`, the guard skips that
   entry rather than blocking. Add explicit support if the new type

.claude/hooks/marketplace-comment-guard/test/index.test.mts

@@ -56,9 +56,9 @@ const VALID_JSON = JSON.stringify(
 
 const VALID_README = `# marketplace
 
-| plugin | version | sha                                      | date       | by      |
-|--------|---------|------------------------------------------|------------|---------|
-| codex  | v1.0.1  | ${SHA} | 2026-05-18 | jdalton |
+| plugin | version | sha                                      | date       | notes |
+|--------|---------|------------------------------------------|------------|-------|
+| codex  | v1.0.1  | ${SHA} | 2026-05-18 | test  |
 `
 
 test('SKIPS non-marketplace paths', () => {
@@ -142,8 +142,8 @@ test('BLOCKS Write of marketplace.json when README version is stale', () => {
 test('BLOCKS Write of marketplace.json when README has no row for a plugin', () => {
   const noRowReadme = `# marketplace
 
-| plugin | version | sha | date | by |
-|--------|---------|-----|------|-----|
+| plugin | version | sha | date | notes |
+|--------|---------|-----|------|-------|
 `
   const { dir, jsonPath } = makeFixture(null, noRowReadme)
   try {
@@ -207,7 +207,7 @@ test('BLOCKS Edit of README that removes a plugin row', () => {
       tool_name: 'Edit',
       tool_input: {
         file_path: readmePath,
-        old_string: `| codex  | v1.0.1  | ${SHA} | 2026-05-18 | jdalton |\n`,
+        old_string: `| codex  | v1.0.1  | ${SHA} | 2026-05-18 | test  |\n`,
         new_string: '',
       },
     })
@@ -230,8 +230,8 @@ test('ALLOWS Edit of README that bumps a row in sync with a JSON bump (simulated
         file_path: readmePath,
         // No-op edit (replacing a string with itself) — content stays
         // consistent with on-disk JSON.
-        old_string: 'jdalton',
-        new_string: 'jdalton',
+        old_string: 'test',
+        new_string: 'test',
       },
     })
     assert.equal(exitCode, 0)