fix(lint): resolve newly-activated socket/* oxlint rules

Fix violations from the cascaded oxlint rules across src/ and scripts/.
The lint loop initially looked clean because socket/prefer-function-declaration
was crashing on circular AST parent refs; the lift-and-cascade fix for that
crash (see below) surfaced the rest.

Per-rule fixes:

- prefer-cached-for-loop: convert array for...of to cached-length C-style
  loops; annotate Set/Map/iterator iterations with oxlint-disable-next-line.
- sort-regex-alternations: annotate parser/URL regexes with the
  socket-hook regex-alternation-order marker where match order matters.
- prefer-node-builtin-imports: switch node:fs to named imports; drop unused
  fs/fsSync; switch node:crypto back to default import per rule.
- prefer-async-spawn: annotate childProcess.spawn callsites that need
  direct stream/child-handle access.
- no-default-export: annotate vitest.config.mts; switch GoExecutor + watch
  + logger modules to named exports and update importers.
- prefer-function-declaration: rewrite module-scope arrow consts as
  function declarations and add export where missing.
- export-top-level-functions: add export to internal helpers.
- sort-source-methods: reorder helpers in alphanumeric visibility groups.
- sort-named-imports: alphabetize a stray named-imports list.
- max-file-lines: annotate decorations.ts + wasm-executor.ts as legitimate
  parsers/state-machines per CLAUDE.md.

Pick up oxfmt + autofix output; revert the unsafe for-of-on-Set rewrites
the autofix produced. Also vendors the socket-wheelhouse fix to the
cascaded prefer-function-declaration rule, whose referencesThis helper
threw on AST circular parent refs and masked every other violation.

Author: jdalton

.config/oxlint-plugin/rules/prefer-function-declaration.mts

@@ -9,6 +9,7 @@ const isCoverageEnabled =
   process.env.COVERAGE === 'true' ||
   process.argv.some(arg => arg.includes('coverage'))
 
+// oxlint-disable-next-line socket/no-default-export -- vitest config requires a default export.
 export default defineConfig({
   test: {
     deps: {

.config/vitest.config.mts

@@ -21,7 +21,7 @@ import process from 'node:process'
 
 const args = process.argv.slice(2)
 const forwardedArgs = args.filter(
-  a => a === '--all' || a === '--staged' || a === '--fix' || a === '--quiet',
+  a => a === '--all' || a === '--fix' || a === '--quiet' || a === '--staged',
 )
 
 try {

scripts/check.mts

@@ -144,8 +144,14 @@ export function runFiles(files: string[]): number {
 }
 
 export function shouldEscalate(files: string[]): boolean {
-  for (const f of files) {
-    for (const pattern of ESCALATION_PATTERNS) {
+  for (let i = 0, { length } = files; i < length; i += 1) {
+    const f = files[i]
+    for (
+      let j = 0, { length: patternsLength } = ESCALATION_PATTERNS;
+      j < patternsLength;
+      j += 1
+    ) {
+      const pattern = ESCALATION_PATTERNS[j]
       if (pattern.test(f)) {
         return true
       }

scripts/lint.mts

@@ -48,7 +48,7 @@ const ESCALATION_PATTERNS = [
   /^tsconfig.*\.json$/,
   /^\.oxlintrc\.json$/,
   /^\.oxfmtrc\.json$/,
-  /^vitest\.config\.(mjs|mts|js|ts)$/,
+  /^vitest\.config\.(js|mjs|mts|ts)$/,
   /^package\.json$/,
   /^lockstep\.schema\.json$/,
 ]
@@ -92,7 +92,8 @@ export function log(msg: string): void {
  */
 export function resolveTestPatterns(files: string[]): string[] {
   const patterns = new Set<string>()
-  for (const f of files) {
+  for (let i = 0, { length } = files; i < length; i += 1) {
+    const f = files[i]
     // Test file itself.
     if (/\.test\.(m?[jt]s)$/.test(f)) {
       patterns.add(f)
@@ -152,8 +153,14 @@ export function runPatterns(patterns: string[]): number {
 }
 
 export function shouldEscalate(files: string[]): boolean {
-  for (const f of files) {
-    for (const pattern of ESCALATION_PATTERNS) {
+  for (let i = 0, { length } = files; i < length; i += 1) {
+    const f = files[i]
+    for (
+      let j = 0, { length: patternsLength } = ESCALATION_PATTERNS;
+      j < patternsLength;
+      j += 1
+    ) {
+      const pattern = ESCALATION_PATTERNS[j]
       if (pattern.test(f)) {
         return true
       }

scripts/test.mts

@@ -7,7 +7,7 @@ import https from 'node:https'
 import { once } from 'node:events'
 import { IncomingMessage } from 'node:http'
 import { text } from 'node:stream/consumers'
-import { randomUUID } from 'node:crypto'
+import crypto from 'node:crypto'
 export type APIConfig = {
   apiKey: string
 }
@@ -141,6 +141,7 @@ export async function activate(
     const added: vscode.AuthenticationSession[] = []
     const changed: vscode.AuthenticationSession[] = []
     const removed: vscode.AuthenticationSession[] = []
+    // oxlint-disable-next-line socket/prefer-cached-for-loop -- iterating a Map's values iterator.
     for (const diskSession of sessionOnDisk.values()) {
       // already have this access token in mem session
       // remove from live sessions that haven't been sorted
@@ -150,6 +151,7 @@ export async function activate(
         added.push(diskSession)
       }
     }
+    // oxlint-disable-next-line socket/prefer-cached-for-loop -- iterating a Map's values iterator.
     for (const liveSessionWithoutDiskSession of liveSessions.values()) {
       removed.push(liveSessionWithoutDiskSession)
     }
@@ -341,7 +343,7 @@ export function sessionFromAPIKey(apiKey: string, org: OrgInfo) {
   // vscode auth does weird caching based upon ids
   // if we don't change the id various things stop working
   // like logging in and out with same account/api token
-  const uniqueId = `${apiKey}-${randomUUID()}`
+  const uniqueId = `${apiKey}-${crypto.randomUUID()}`
   return {
     accessToken: apiKey,
     id: `${uniqueId}.session`,

src/auth.ts

@@ -29,10 +29,12 @@ export function activate(context: vscode.ExtensionContext) {
     onDidChangeConfigurationDisposable =
       vscode.workspace.onDidChangeConfiguration(e => {
         const fired = new Set()
+        // oxlint-disable-next-line socket/prefer-cached-for-loop -- iterating a Map's keys iterator.
         for (const section of watchers.keys()) {
           if (e.affectsConfiguration(section)) {
             const listeners = watchers.get(section)
             if (listeners) {
+              // oxlint-disable-next-line socket/prefer-cached-for-loop -- iterating a Set.
               for (const listener of listeners) {
                 if (fired.has(listener)) continue
                 fired.add(listener)
@@ -68,7 +70,8 @@ export function activate(context: vscode.ExtensionContext) {
         sections,
         fn,
       }
-      for (const section of sections) {
+      for (let i = 0, { length } = sections; i < length; i += 1) {
+        const section = sections[i]
         const list = watchers.get(section) ?? new Set()
         list.add(listener)
         watchers.set(section, list)
@@ -79,7 +82,8 @@ export function activate(context: vscode.ExtensionContext) {
       return {
         currentValues: getValuesForListener(listener),
         dispose() {
-          for (const section of sections) {
+          for (let i = 0, { length } = sections; i < length; i += 1) {
+            const section = sections[i]
             const list = watchers.get(section)
             if (!list) {
               continue

src/data/editor-config.ts

@@ -1,12 +1,12 @@
 import * as vscode from 'vscode'
-import { parse as parseToml, getStaticParsed } from 'toml-wasm'
+import { getStaticParsed, parse as parseToml } from 'toml-wasm'
 import ini from 'ini'
 
 export function orgOrUserFromString(url: string): string | undefined {
   const ghHTTP =
-    /^(?:git\+)?https?:\/\/(?:www.)?github.com(?::80|:443)?\/(?<target>[^/?#]*)(?=\/|$)/u
+    /^(?:git\+)?https?:\/\/(?:www.)?github.com(?::443|:80)?\/(?<target>[^/?#]*)(?=\/|$)/u // socket-hook: allow regex-alternation-order
   const ghGit =
-    /^(?:git(?:\+ssh)?:\/\/)?(?<user>[^@]+@)?github.com[/:](?<target>[^/?#]*)(?=\/|$)/u
+    /^(?:git(?:\+ssh)?:\/\/)?(?<user>[^@]+@)?github.com[/:](?<target>[^/?#]*)(?=\/|$)/u // socket-hook: allow regex-alternation-order
   const match = ghHTTP.exec(url) || ghGit.exec(url)
   if (match) {
     return match.groups?.target || match.groups?.user
@@ -76,7 +76,9 @@ export async function sniffForGithubOrgOrUser(
         ),
       ).toString(),
     )
-    for (const key of Object.keys(gitConfig)) {
+    const keys = Object.keys(gitConfig)
+    for (let i = 0, { length } = keys; i < length; i += 1) {
+      const key = keys[i]
       if (key.startsWith('remote ')) {
         const url = gitConfig[key].url
         if (url) {

src/data/github.ts

@@ -8,9 +8,6 @@ export type GlobPatterns = Record<string, Record<string, { pattern: string }>>
 
 let globPatternsPromise: Promise<GlobPatterns> | undefined
 
-const replaceCasedChars = (chars: string) =>
-  chars.replace(/[a-zA-Z]/g, c => `[${c.toLowerCase()}${c.toUpperCase()}]`)
-
 export function caseDesensitize(pattern: string) {
   let out = ''
   const charGroup = /\[[^\]]+?\]/g
@@ -117,3 +114,10 @@ export async function getGlobPatterns() {
   }
   return globPatternsPromise
 }
+
+export function replaceCasedChars(chars: string): string {
+  return chars.replace(
+    /[a-zA-Z]/g,
+    c => `[${c.toLowerCase()}${c.toUpperCase()}]`,
+  )
+}

src/data/glob-patterns.ts

@@ -2,7 +2,6 @@ import importFinder from './find-imports.go'
 import childProcess from 'node:child_process'
 import path from 'node:path'
 import fs from 'node:fs/promises'
-import fsSync from 'node:fs'
 import os from 'node:os'
 
 let cachedBin: Promise<string> | null = null
@@ -34,6 +33,7 @@ export async function generateNativeGoImportBinary(goBin: string) {
       'go-import-parser',
     )
     const args = ['build', '-o', outBin, importFinder]
+    // oxlint-disable-next-line socket/prefer-async-spawn -- need direct access to the child process for hand-rolled timeout via setTimeout + reject; @socketsecurity/lib/spawn would not surface the child handle.
     const build = childProcess.spawn(goBin, args, {
       cwd: __dirname,
     })