From 8c844bd78b630769c732a262b2bab9dae6ab5264 Mon Sep 17 00:00:00 2001
From: Declan McMullen
Date: Wed, 10 Jun 2026 14:51:32 +0100
Subject: [PATCH] Route CI npm/yarn installs through Socket Firewall registry
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Points yarn at the Socket Firewall registry so CI dependency installs are scanned for supply-chain risk before fetch. Auth is injected at runtime via the socket-firewall CircleCI context — no credential committed.
Co-Authored-By: Claude Opus 4.8 (1M context)
---
.circleci/config.yml | 11 ++++++++++-
.npmrc | 4 ++++
2 files changed, 14 insertions(+), 1 deletion(-)
create mode 100644 .npmrc
diff --git a/.circleci/config.yml b/.circleci/config.yml
index af5dbaae..952f5df5 100644
--- a/.circleci/config.yml
+++ b/.circleci/config.yml
@@ -16,6 +16,13 @@ jobs: - v1-dependencies-{{arch}}-{{ checksum "package.json" }} - v1-dependencies-{{arch}}-
+ - run:
+ name: Verify Socket Firewall registry is active
+ command: |
+ REGISTRY=$(npm config get registry)
+ echo "npm registry: $REGISTRY"
+ echo "$REGISTRY" | grep -q socket-firewall-registry || { echo "FAIL: npm not routed through Socket Firewall"; exit 1; }
+ - run: yarn install - save_cache:
@@ -40,4 +47,6 @@ workflows: test: jobs:
- - test
+ - test:
+ context:
+ - socket-firewall
diff --git a/.npmrc b/.npmrc
new file mode 100644
index 00000000..4e205ba5
--- /dev/null
+++ b/.npmrc
@@ -0,0 +1,4 @@
+# Route all npm/yarn installs through the Socket Firewall registry
+registry=https://socket-firewall-registry.corporate.intercom.io/npm
+//socket-firewall-registry.corporate.intercom.io/npm/:_authToken=${SOCKET_NPM_TOKEN}
+always-auth=true
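Review bot: The new verification step reads `npm config get registry`, but the install that follows is `yarn install`, so it confirms npm's view of `.npmrc` rather than the client that actually fetches packages. Whether Yarn honours that file depends on the Yarn version, which is not visible here: Yarn 2+ takes its registry from `.yarnrc.yml`, and Yarn 1 may still download from the `resolved` URLs already recorded in `yarn.lock`. The `grep -q socket-firewall-registry` test is also a bare substring match; anchoring it to the expected origin is stricter, e.g. `echo "$REGISTRY" | grep -q '^https://socket-firewall-registry\.corporate\.intercom\.io/' || { ...; exit 1; }`. Separately, the `v1-dependencies-` cache keys in the context lines are unchanged, so a cache saved before this commit can be restored and satisfy the install without anything passing through the firewall; bumping the prefix would force one clean fetch. The job's remaining steps lie outside the hunk.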
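Review bot: Attaching the `socket-firewall` context at the job level in the `workflows` section puts `SOCKET_NPM_TOKEN` in the environment of every step of `test`, including dependency install scripts run by `yarn install` and the test suite itself. The token should therefore be a read-only, install-scoped credential, and the context restricted to the intended security group; neither is visible from this hunk. It is also worth stating how fork-originated pull requests behave, since CircleCI withholds contexts from them unless secrets are explicitly passed to forked builds. A comment above the entry would record this, e.g. `# socket-firewall supplies SOCKET_NPM_TOKEN (read-only registry token); not injected into forked-PR builds`.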
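Review bot: A repository-root `.npmrc` applies to every checkout, not only CI, yet `${SOCKET_NPM_TOKEN}` is defined only by the CircleCI context. On a developer machine the variable is unset, so installs will presumably fail authentication against the firewall registry, and the likely workaround (overriding the registry or pasting a literal token into the file) defeats the purpose of the change. I would document the requirement in the file, e.g. `# SOCKET_NPM_TOKEN must come from the environment (CI: socket-firewall context); never replace the ${...} placeholder with a literal token`, and have the CI verification step fail early when the variable is empty. `always-auth=true` is, as far as I know, no longer a recognised option in recent npm releases and mainly affects Yarn 1, so a short comment saying which client it targets would help.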