chore: ensure build + check pass post-fleet-onboard

Surface fixes uncovered by the first end-to-end build/lint/type pass
on the fleet-onboarded codebase. Functional behavior unchanged.

Build/dep:
- Rename @socketsecurity/registry/lib/constants import to
  @socketsecurity/lib/constants/socket (canonical fleet home for
  shared constants since registry@2.0 dropped the lib/* subpath).
- Drop @socketsecurity/registry from runtime deps (unused after rename).
- Restore toml-eslint-parser as a runtime dep — util.ts, github.ts,
  parse-externals.ts use it for TOML parsing.
- Move @socketsecurity/lib to runtime deps (auth.ts uses it now).

Type-check:
- Add .config/tsconfig.{base,check}.json matching fleet pattern.
  Base ES2024 + DOM lib for WebAssembly globals; check uses bundler
  resolution + node + vscode types.
- Cast WebAssembly.instantiate(Uint8Array, …) result to
  WebAssemblyInstantiatedSource in mod-parser.ts (TS picks the
  Module-overload incorrectly).

Lint:
- Drop orphan `path.is` at parse-externals.ts:467 (refactor leftover).
- Drop orphan `null` at manager.ts:140 (pre-await placeholder).
- Replace Array<T> with T[] in auth.ts (array-type rule).
- Inline-disable no-this-alias on Go WASM runtime's _makeFuncWrapper.

Format:
- oxfmt --write across the tree (fleet style auto-applied).

Config:
- Add **/vendor to oxlint + oxfmt ignorePatterns (vendored acorn-wasm
  bindings break the wasm-bindgen contract if reformatted).

Verified: pnpm install --ignore-scripts && pnpm rebuild esbuild &&
pnpm run build && pnpm run check all green. out/main.js 5.8 MB.

Author: jdalton

.config/tsconfig.base.json

@@ -0,0 +1,41 @@
+{
+  "compilerOptions": {
+    "allowImportingTsExtensions": false,
+    "allowJs": false,
+    "allowSyntheticDefaultImports": true,
+    "composite": false,
+    "declaration": true,
+    "declarationMap": false,
+    // VSCode extension uses parameter properties / decorators / etc.
+    // that emit runtime code — erasable-only would forbid them.
+    "erasableSyntaxOnly": false,
+    "esModuleInterop": true,
+    "exactOptionalPropertyTypes": false,
+    "forceConsistentCasingInFileNames": true,
+    "incremental": false,
+    "isolatedModules": true,
+    // DOM is needed for the WebAssembly globals used by the bundled
+    // WASM glue (Go runtime, acorn-wasm).
+    "lib": ["DOM", "ES2024"],
+    "noEmitOnError": true,
+    "noFallthroughCasesInSwitch": true,
+    "noImplicitOverride": true,
+    "noPropertyAccessFromIndexSignature": false,
+    "noUncheckedIndexedAccess": false,
+    "noUncheckedSideEffectImports": true,
+    // Existing source has many unused-local and unused-param sites
+    // (legacy from the pre-fleet-onboard codebase). Re-enable both
+    // checks once those are cleaned up.
+    "noUnusedLocals": false,
+    "noUnusedParameters": false,
+    "resolveJsonModule": true,
+    "rewriteRelativeImportExtensions": false,
+    "skipLibCheck": true,
+    "sourceMap": true,
+    "strict": true,
+    "strictNullChecks": true,
+    "target": "ES2024",
+    "useUnknownInCatchVariables": true,
+    "verbatimModuleSyntax": false
+  }
+}

.config/tsconfig.check.json

@@ -0,0 +1,15 @@
+{
+  "extends": "./tsconfig.base.json",
+  "compilerOptions": {
+    "declarationMap": false,
+    "module": "esnext",
+    "moduleResolution": "bundler",
+    "noEmit": true,
+    "skipLibCheck": true,
+    "sourceMap": false,
+    "types": ["node", "vscode"],
+    "verbatimModuleSyntax": false
+  },
+  "include": ["../src/**/*.ts", "../test/**/*.mts"],
+  "exclude": ["**/.cache/**", "**/node_modules/**/*", "**/vendor/**/*"]
+}

.oxfmtrc.json

@@ -45,6 +45,7 @@
     "**/pnpm-lock.yaml",
     "**/test/fixtures",
     "**/test/packages",
+    "**/vendor",
     "**/lockstep.schema.json"
   ]
 }

.oxlintrc.json

@@ -56,6 +56,7 @@
     "**/patches",
     "**/test/fixtures",
     "**/test/packages",
+    "**/vendor",
     "**/*.d.ts",
     "**/*.d.ts.map",
     "**/*.tsbuildinfo"

README.md

@@ -4,13 +4,13 @@ This extension provides automatic reporting of security concerns from [Socket Se
 
 ## Ahead of Package Installation
 
-* Package imports in JavaScript and Python are detected and given summary scores to show concerns with configurable overlays. These overlays will persist even after package installation.
+- Package imports in JavaScript and Python are detected and given summary scores to show concerns with configurable overlays. These overlays will persist even after package installation.
 
-* Socket detects multiple alternate forms of package imports, including dynamic `import()` or `require` in JavaScript or `importlib.import_module` in Python.
+- Socket detects multiple alternate forms of package imports, including dynamic `import()` or `require` in JavaScript or `importlib.import_module` in Python.
 
 ## MCP Server
 
-* This will automatically register the socket MCP server at https://mcp.socket.dev to allow usage of the public MCP server.
+- This will automatically register the socket MCP server at https://mcp.socket.dev to allow usage of the public MCP server.
 
 # Team Guide
 

assets/README.md

@@ -8,21 +8,21 @@ marketplace icon, web page favicon, README banner, …).
 
 ### SVG variants
 
-| File | Layers | Color | viewBox |
-|---|---|---|---|
-| `socket-icon.svg` | 1 (bolt is a cutout) | `currentColor` | `0 0 181.41 240` |
-| `socket-icon-square.svg` | 1 | `currentColor` | `-29.295 0 240 240` |
-| `socket-icon-shield.svg` | 2 (shield + bolt) | shield: `currentColor`, bolt: `#fff` | `0 0 181.41 240` |
-| `socket-icon-shield-square.svg` | 2 | shield: `currentColor`, bolt: `#fff` | `-29.295 0 240 240` |
-| `socket-icon-brand.svg` ★ | 2 | shield: pink→purple gradient, bolt: `#fff` | `0 0 181.41 240` |
-| `socket-icon-brand-square.svg` ★ | 2 | shield: pink→purple gradient, bolt: `#fff` | `-29.295 0 240 240` |
+| File                             | Layers               | Color                                      | viewBox             |
+| -------------------------------- | -------------------- | ------------------------------------------ | ------------------- |
+| `socket-icon.svg`                | 1 (bolt is a cutout) | `currentColor`                             | `0 0 181.41 240`    |
+| `socket-icon-square.svg`         | 1                    | `currentColor`                             | `-29.295 0 240 240` |
+| `socket-icon-shield.svg`         | 2 (shield + bolt)    | shield: `currentColor`, bolt: `#fff`       | `0 0 181.41 240`    |
+| `socket-icon-shield-square.svg`  | 2                    | shield: `currentColor`, bolt: `#fff`       | `-29.295 0 240 240` |
+| `socket-icon-brand.svg` ★        | 2                    | shield: pink→purple gradient, bolt: `#fff` | `0 0 181.41 240`    |
+| `socket-icon-brand-square.svg` ★ | 2                    | shield: pink→purple gradient, bolt: `#fff` | `-29.295 0 240 240` |
 
 ### Wordmark variants (shield + "Socket" text, 840×240 landscape)
 
-| File | Layers | viewBox |
-|---|---|---|
+| File                    | Layers                                              | viewBox       |
+| ----------------------- | --------------------------------------------------- | ------------- |
 | `socket-logo-light.svg` | shield (gradient) + bolt (white) + text (slate-900) | `0 0 840 240` |
-| `socket-logo-dark.svg` | shield (gradient) + bolt (white) + text (slate-50) | `0 0 840 240` |
+| `socket-logo-dark.svg`  | shield (gradient) + bolt (white) + text (slate-50)  | `0 0 840 240` |
 
 "Light" and "dark" refer to the **page background** the wordmark sits
 on — light wordmark has dark text (for use on white/light bg); dark
@@ -33,32 +33,38 @@ color-scheme preference:
 
 ```html
 <picture>
-  <source media="(prefers-color-scheme: dark)" srcset="assets/socket-logo-dark-840.png">
-  <source media="(prefers-color-scheme: light)" srcset="assets/socket-logo-light-840.png">
-  <img alt="Socket" width="420" src="assets/socket-logo-light-840.png">
+  <source
+    media="(prefers-color-scheme: dark)"
+    srcset="assets/socket-logo-dark-840.png"
+  />
+  <source
+    media="(prefers-color-scheme: light)"
+    srcset="assets/socket-logo-light-840.png"
+  />
+  <img alt="Socket" width="420" src="assets/socket-logo-light-840.png" />
 </picture>
 ```
 
 ### PNG variants
 
 Brand-square (favicons + marketplace listing):
 
-| File | Use |
-|---|---|
-| `socket-icon-brand-16.png` | Favicon (small) |
-| `socket-icon-brand-32.png` | Favicon (standard) |
-| `socket-icon-brand-64.png` | README badges, GitHub social previews |
-| `socket-icon-brand-128.png` | Docs, OG cards |
-| `socket-icon-brand-256.png` | VSCode marketplace listing |
-| `socket-icon-brand-512.png` | High-DPI, hero images, press kit |
+| File                        | Use                                   |
+| --------------------------- | ------------------------------------- |
+| `socket-icon-brand-16.png`  | Favicon (small)                       |
+| `socket-icon-brand-32.png`  | Favicon (standard)                    |
+| `socket-icon-brand-64.png`  | README badges, GitHub social previews |
+| `socket-icon-brand-128.png` | Docs, OG cards                        |
+| `socket-icon-brand-256.png` | VSCode marketplace listing            |
+| `socket-icon-brand-512.png` | High-DPI, hero images, press kit      |
 
 Wordmark (README hero banners, in light/dark pairs):
 
-| File | Width | Use |
-|---|---|---|
-| `socket-logo-{light,dark}-420.png`  | 420×120 | README hero (1× display) |
-| `socket-logo-{light,dark}-840.png`  | 840×240 | README hero (2× / Retina) |
-| `socket-logo-{light,dark}-1680.png` | 1680×480 | Press kit, hero images |
+| File                                | Width    | Use                       |
+| ----------------------------------- | -------- | ------------------------- |
+| `socket-logo-{light,dark}-420.png`  | 420×120  | README hero (1× display)  |
+| `socket-logo-{light,dark}-840.png`  | 840×240  | README hero (2× / Retina) |
+| `socket-logo-{light,dark}-1680.png` | 1680×480 | Press kit, hero images    |
 
 ## Variant semantics
 

package.json

@@ -118,13 +118,13 @@
     "@babel/traverse": "7.29.0",
     "@babel/types": "7.29.0",
     "@socketsecurity/config": "3.0.1",
-    "@socketsecurity/registry": "2.0.2",
+    "@socketsecurity/lib": "catalog:",
     "@vscode/python-extension": "1.0.6",
     "ini": "6.0.0",
-    "json-to-ast": "2.1.0"
+    "json-to-ast": "2.1.0",
+    "toml-eslint-parser": "1.0.3"
   },
   "devDependencies": {
-    "@socketsecurity/lib": "catalog:",
     "@types/babel__traverse": "7.28.0",
     "@types/ini": "4.1.1",
     "@types/json-to-ast": "2.1.4",

pnpm-lock.yaml

@@ -184,7 +184,8 @@ function loadManifestTree(rootManifestPath: string): {
   for (const rel of includes) {
     const subPath = path.resolve(baseDir, rel)
     const sub = readManifest(subPath)
-    const area = sub.area ?? path.basename(rel, '.json').replace(/^lockstep-/, '')
+    const area =
+      sub.area ?? path.basename(rel, '.json').replace(/^lockstep-/, '')
     areas.push({ area, manifest: sub })
   }
 

scripts/lockstep.mts

@@ -23,7 +23,11 @@ const rootDir = path.resolve(__dirname, '..')
 // Schema lives in `.config/` next to the per-repo
 // `.config/socket-repo-template.json` it describes — the marker's
 // `$schema` ref is `./socket-repo-template-schema.json`.
-const outPath = path.join(rootDir, '.config', 'socket-repo-template-schema.json')
+const outPath = path.join(
+  rootDir,
+  '.config',
+  'socket-repo-template-schema.json',
+)
 
 const enriched = {
   $schema: 'https://json-schema.org/draft/2020-12/schema',