chore(sync): apply remaining canonical fleet drift fixes

Author: jdalton

.config/oxfmtrc.json

@@ -55,6 +55,56 @@
     "**/.pnpm-store/**",
     "**/vendor/**",
     "**/wasm_exec.js",
+    "**/.config/lockstep.schema.json",
+    "**/.config/socket-registry-pins.json",
+    "**/.config/socket-wheelhouse-schema.json",
+    "**/.config/taze.config.mts",
+    "**/.config/tsconfig.base.json",
+    "**/packages/build-infra/lib/release-checksums/consumer.mts",
+    "**/packages/build-infra/lib/release-checksums/core.mts",
+    "**/packages/build-infra/lib/release-checksums/producer.mts",
+    "**/packages/build-infra/release-assets.schema.json",
+    "**/scripts/ai-lint-fix.mts",
+    "**/scripts/ai-lint-fix/cli.mts",
+    "**/scripts/ai-lint-fix/rule-guidance.mts",
+    "**/scripts/check-paths.mts",
+    "**/scripts/check-paths/allowlist.mts",
+    "**/scripts/check-paths/cli.mts",
+    "**/scripts/check-paths/exempt.mts",
+    "**/scripts/check-paths/rules.mts",
+    "**/scripts/check-paths/scan-code.mts",
+    "**/scripts/check-paths/scan-script.mts",
+    "**/scripts/check-paths/scan-workflow.mts",
+    "**/scripts/check-paths/state.mts",
+    "**/scripts/check-paths/types.mts",
+    "**/scripts/check-paths/walk.mts",
+    "**/scripts/check-prompt-less-setup.mts",
+    "**/scripts/fix.mts",
+    "**/scripts/install-git-hooks.mts",
+    "**/scripts/install-sfw.mts",
+    "**/scripts/lint-github-settings.mts",
+    "**/scripts/lockstep-emit-schema.mts",
+    "**/scripts/lockstep-schema.mts",
+    "**/scripts/lockstep.mts",
+    "**/scripts/lockstep/checks.mts",
+    "**/scripts/lockstep/cli.mts",
+    "**/scripts/lockstep/emit-schema.mts",
+    "**/scripts/lockstep/git.mts",
+    "**/scripts/lockstep/manifest.mts",
+    "**/scripts/lockstep/report.mts",
+    "**/scripts/lockstep/scan.mts",
+    "**/scripts/lockstep/schema.mts",
+    "**/scripts/lockstep/types.mts",
+    "**/scripts/power-state.mts",
+    "**/scripts/security.mts",
+    "**/scripts/socket-wheelhouse-emit-schema.mts",
+    "**/scripts/socket-wheelhouse-schema.mts",
+    "**/scripts/test/install-git-hooks.test.mts",
+    "**/scripts/update.mts",
+    "**/scripts/validate-bundle-deps.mts",
+    "**/scripts/validate-config-paths.mts",
+    "**/scripts/validate-esbuild-minify.mts",
+    "**/scripts/validate-file-size.mts",
     "#fleet-canonical-end"
   ]
 }

.config/oxlintrc.json

@@ -35,6 +35,7 @@
     "socket/export-top-level-functions": "error",
     "socket/inclusive-language": "error",
     "socket/max-file-lines": "error",
+    "socket/no-cached-for-on-iterable": "error",
     "socket/no-console-prefer-logger": "error",
     "socket/no-default-export": "error",
     "socket/no-dynamic-import-outside-bundle": "error",
@@ -119,6 +120,56 @@
     "**/.pnpm-store/**",
     "**/vendor/**",
     "**/wasm_exec.js",
+    "**/.config/lockstep.schema.json",
+    "**/.config/socket-registry-pins.json",
+    "**/.config/socket-wheelhouse-schema.json",
+    "**/.config/taze.config.mts",
+    "**/.config/tsconfig.base.json",
+    "**/packages/build-infra/lib/release-checksums/consumer.mts",
+    "**/packages/build-infra/lib/release-checksums/core.mts",
+    "**/packages/build-infra/lib/release-checksums/producer.mts",
+    "**/packages/build-infra/release-assets.schema.json",
+    "**/scripts/ai-lint-fix.mts",
+    "**/scripts/ai-lint-fix/cli.mts",
+    "**/scripts/ai-lint-fix/rule-guidance.mts",
+    "**/scripts/check-paths.mts",
+    "**/scripts/check-paths/allowlist.mts",
+    "**/scripts/check-paths/cli.mts",
+    "**/scripts/check-paths/exempt.mts",
+    "**/scripts/check-paths/rules.mts",
+    "**/scripts/check-paths/scan-code.mts",
+    "**/scripts/check-paths/scan-script.mts",
+    "**/scripts/check-paths/scan-workflow.mts",
+    "**/scripts/check-paths/state.mts",
+    "**/scripts/check-paths/types.mts",
+    "**/scripts/check-paths/walk.mts",
+    "**/scripts/check-prompt-less-setup.mts",
+    "**/scripts/fix.mts",
+    "**/scripts/install-git-hooks.mts",
+    "**/scripts/install-sfw.mts",
+    "**/scripts/lint-github-settings.mts",
+    "**/scripts/lockstep-emit-schema.mts",
+    "**/scripts/lockstep-schema.mts",
+    "**/scripts/lockstep.mts",
+    "**/scripts/lockstep/checks.mts",
+    "**/scripts/lockstep/cli.mts",
+    "**/scripts/lockstep/emit-schema.mts",
+    "**/scripts/lockstep/git.mts",
+    "**/scripts/lockstep/manifest.mts",
+    "**/scripts/lockstep/report.mts",
+    "**/scripts/lockstep/scan.mts",
+    "**/scripts/lockstep/schema.mts",
+    "**/scripts/lockstep/types.mts",
+    "**/scripts/power-state.mts",
+    "**/scripts/security.mts",
+    "**/scripts/socket-wheelhouse-emit-schema.mts",
+    "**/scripts/socket-wheelhouse-schema.mts",
+    "**/scripts/test/install-git-hooks.test.mts",
+    "**/scripts/update.mts",
+    "**/scripts/validate-bundle-deps.mts",
+    "**/scripts/validate-config-paths.mts",
+    "**/scripts/validate-esbuild-minify.mts",
+    "**/scripts/validate-file-size.mts",
     "#fleet-canonical-end"
   ]
 }

.gitattributes

@@ -308,13 +308,15 @@
 .claude/skills/worktree-management/SKILL.md linguist-generated=true
 .config/lockstep.schema.json linguist-generated=true
 .config/oxlint-plugin/index.mts linguist-generated=true
+.config/oxlint-plugin/lib/iterable-kind.mts linguist-generated=true
 .config/oxlint-plugin/lib/rule-tester.mts linguist-generated=true
 .config/oxlint-plugin/lib/rule-types.mts linguist-generated=true
 .config/oxlint-plugin/package.json linguist-generated=true
 .config/oxlint-plugin/rules/_inject-import.mts linguist-generated=true
 .config/oxlint-plugin/rules/export-top-level-functions.mts linguist-generated=true
 .config/oxlint-plugin/rules/inclusive-language.mts linguist-generated=true
 .config/oxlint-plugin/rules/max-file-lines.mts linguist-generated=true
+.config/oxlint-plugin/rules/no-cached-for-on-iterable.mts linguist-generated=true
 .config/oxlint-plugin/rules/no-console-prefer-logger.mts linguist-generated=true
 .config/oxlint-plugin/rules/no-default-export.mts linguist-generated=true
 .config/oxlint-plugin/rules/no-dynamic-import-outside-bundle.mts linguist-generated=true
@@ -348,6 +350,7 @@
 .config/oxlint-plugin/test/export-top-level-functions.test.mts linguist-generated=true
 .config/oxlint-plugin/test/inclusive-language.test.mts linguist-generated=true
 .config/oxlint-plugin/test/max-file-lines.test.mts linguist-generated=true
+.config/oxlint-plugin/test/no-cached-for-on-iterable.test.mts linguist-generated=true
 .config/oxlint-plugin/test/no-console-prefer-logger.test.mts linguist-generated=true
 .config/oxlint-plugin/test/no-default-export.test.mts linguist-generated=true
 .config/oxlint-plugin/test/no-dynamic-import-outside-bundle.test.mts linguist-generated=true
@@ -477,6 +480,7 @@ scripts/socket-wheelhouse-emit-schema.mts linguist-generated=true
 scripts/socket-wheelhouse-schema.mts linguist-generated=true
 scripts/test/install-git-hooks.test.mts linguist-generated=true
 scripts/update.mts linguist-generated=true
+scripts/validate-bundle-deps.mts linguist-generated=true
 scripts/validate-config-paths.mts linguist-generated=true
 scripts/validate-esbuild-minify.mts linguist-generated=true
 scripts/validate-file-size.mts linguist-generated=true

CLAUDE.md

@@ -49,10 +49,9 @@ Apply in: worktree creation, base-ref resolution for `git diff`/`git rev-list`,
 - **Real customer / company names** — never write one into a commit, PR, issue, comment, or release note. Replace with `Acme Inc` or rewrite the sentence to not need the reference. (No enumerated denylist exists — a denylist is itself a leak.)
 - **Private repos / internal project names** — never mention. Omit the reference entirely; don't substitute "an internal tool" — the placeholder is a tell.
 - **Linear refs** — never put `SOC-123`/`ENG-456`/Linear URLs in code, comments, or PR text. Linear lives in Linear.
-- **Publish / release / build-release workflows** — never `gh workflow run|dispatch` or `gh api …/dispatches`. Dispatches are irrevocable. The user runs them manually. Bypass: either a `gh workflow run -f dry-run=true` when the workflow declares a `dry-run:` input and no force-prod override (`-f release=true` / `-f publish=true` / `-f prod=true`) is set, OR `Allow workflow-dispatch bypass: <workflow>` typed verbatim by the user — **one phrase authorizes one dispatch of that exact workflow**. A re-dispatch (same workflow) or a different workflow needs its own fresh phrase. `<workflow>` is the workflow filename, basename, or numeric id (e.g. `publish.yml`, `publish`, `12345` all work). The per-trigger shape replaces the older blanket `Allow workflow-dispatch bypass` — a single phrase shouldn't open the door for unrelated dispatches later in the session.
-- **Workflow input naming** — `workflow_dispatch.inputs` keys are kebab-case (`dry-run`, `build-mode`), not snake_case. The release-workflow-guard hook only recognizes kebab; a `dry_run` input silently fails the dry-run bypass.
-- **`uses:` SHA-pin comment format** — every `uses: <action>@<40-char-sha>` line must carry a trailing `# <tag-or-version-or-branch> (YYYY-MM-DD)` comment, e.g. `# v6.4.0 (2026-05-15)` or `# main (2026-05-15)`. The date is the day the SHA was pinned/refreshed and gives the staleness signal at-a-glance during reviews (enforced by `.claude/hooks/workflow-uses-comment-guard/`).
-- **`pull_request_target` is privileged** — it runs in the BASE repo's context with secrets. Never combine it with `actions/checkout` of `${{ github.event.pull_request.head.* }}` AND a step that executes the checked-out fork code (`pnpm i` / `npm i` / `pnpm build` / `cargo build` / `make` / etc.). Prefer the split-workflow pattern (build in `pull_request`, publish artifact, separate `workflow_run` posts the comment) or gate `pull_request_target` on `types: [labeled]` so only maintainers can trigger. Enforced by `.claude/hooks/pull-request-target-guard/`.
+- **Publish / release / build-release workflows** — never `gh workflow run|dispatch`. The user runs them manually. Bypass: either `gh workflow run -f dry-run=true` (workflow must declare `dry-run:` input, no force-prod override set) OR `Allow workflow-dispatch bypass: <workflow>` typed verbatim — one phrase authorizes one dispatch. `workflow_dispatch.inputs` keys are kebab-case (`dry-run`, `build-mode`); snake_case silently fails the bypass.
+- **`uses:` SHA-pin comment format** — every `uses: <action>@<40-char-sha>` line must carry a trailing `# <tag-or-version-or-branch> (YYYY-MM-DD)` comment, e.g. `# v6.4.0 (2026-05-15)`. The date is when the SHA was pinned/refreshed (enforced by `.claude/hooks/workflow-uses-comment-guard/`).
+- **`pull_request_target` is privileged** — runs in BASE-repo context with secrets. Never combine it with `actions/checkout` of fork head + a step that executes the checked-out code (enforced by `.claude/hooks/pull-request-target-guard/`). Full threat model + safer patterns in [`docs/claude.md/fleet/pull-request-target.md`](docs/claude.md/fleet/pull-request-target.md).
 - **No external issue/PR refs in commit messages or PR bodies.** GitHub auto-links `<owner>/<repo>#<num>` and `https://github.com/<owner>/<repo>/(issues|pull)/<num>` mentions back to the target issue, spamming the maintainer with `added N commits that reference this issue` events. Only SocketDev-owned refs are allowed (`SocketDev/<repo>#<num>` is fine). For upstream maintainer issues, link them in _the PR description prose_ (which doesn't trigger backrefs from commits) or use `[#1203](https://npmx.dev/...)` link form that omits the `owner/repo#` token. Bypass: `Allow external-issue-ref bypass` (enforced by `.claude/hooks/no-external-issue-ref-guard/`).
 
 ### Commits & PRs
@@ -87,6 +86,8 @@ Apply in: worktree creation, base-ref resolution for `git diff`/`git rev-list`,
 
 🚨 See a lint/type/test error or broken comment in your reading window — fix it. Stop current task, fix the issue in a sibling commit, resume. Don't label as "pre-existing", "unrelated", or "out of scope" — the labels are rationalizations (enforced by `.claude/hooks/excuse-detector/`).
 
+🚨 Don't blame the user (or "the linter") when your own edits get reverted between turns. The cause is almost always your own scripts: pre-commit autofix, sync-cascade from `template/`, oxlint --fix. Investigate with `git log -S`, run pre-commit phases in isolation, diff `template/` canonical sources. Only attribute to the user with direct evidence (enforced by `.claude/hooks/dont-blame-user-reminder/`).
+
 🚨 Never offer "fix vs accept-as-gap" as a choice — pick the fix.
 
 Exceptions (state the trade-off and ask): genuinely large refactor on a small bug, file belongs to another session, fix needs off-machine action.

pnpm-lock.yaml

@@ -25,6 +25,7 @@ catalog:
   '@socketsecurity/lib': 5.28.0
   '@socketsecurity/lib-stable': npm:@socketsecurity/lib@5.28.0
   '@socketsecurity/registry': 2.0.2
+  '@socketsecurity/registry-stable': npm:@socketsecurity/registry@2.0.2
   '@socketsecurity/sdk': 4.0.1
   '@socketsecurity/sdk-stable': npm:@socketsecurity/sdk@4.0.1
   '@types/mdast': 4.0.4