chore(claude): sync hooks to template canonical

Adds private-name-guard, public-surface-reminder, and
release-workflow-guard hooks (previously the rules were in CLAUDE.md
without the enforcement hook). Refreshes check-new-deps index.mts +
README to canonical (Cargo.toml fragment-mode parsing,
score-based warnings, module-aware main).

Wires the 4 Bash hooks alphabetically in settings.json. Now
byte-identical with template/.claude/hooks/ for index.mts +
README.md across all four hooks. package.json kept at per-repo
catalog/pin style.

Author: jdalton

.claude/hooks/check-new-deps/README.md

@@ -8,9 +8,10 @@ When Claude edits a file like `package.json`, `requirements.txt`, `Cargo.toml`,
 
 1. **Detects the file type** and extracts dependency names from the content
 2. **Diffs against the old content** (for edits) so only *newly added* deps are checked
-3. **Queries the Socket.dev API** to check for malware
-4. **Blocks the edit** (exit code 2) if malware is detected
-5. **Allows** (exit code 0) if everything is clean or the file isn't a manifest
+3. **Queries the Socket.dev API** to check for malware and critical security alerts
+4. **Blocks the edit** (exit code 2) if malware or critical alerts are found
+5. **Warns** (but allows) if a package has a low quality score
+6. **Allows** (exit code 0) if everything is clean or the file isn't a manifest
 
 ## How it works
 
@@ -29,8 +30,11 @@ Build Package URLs (PURLs) for each dep
         │
         ▼
 Call sdk.checkMalware(components)
+  - ≤5 deps: parallel firewall API (fast, full data)
+  - >5 deps: batch PURL API (efficient)
         │
-        ├── Malware detected → EXIT 2 (blocked)
+        ├── Malware/critical alert → EXIT 2 (blocked)
+        ├── Low score → warn, EXIT 0 (allowed)
         └── Clean → EXIT 0 (allowed)
 ```
 

.claude/hooks/check-new-deps/index.mts

@@ -35,8 +35,9 @@ import {
 import { SocketSdk } from '@socketsecurity/sdk'
 import type { MalwareCheckPackage } from '@socketsecurity/sdk'
 
-// Hook runs standalone with only @socketsecurity/* deps, so this
-// one-liner lives here instead of importing a shared helper.
+// Local mirror of build-infra/lib/error-utils#errorMessage. Hook runs
+// standalone (no workspace deps beyond @socketsecurity/*) so we can't import
+// the shared helper, but the contract is identical.
 function errorMessage(error: unknown): string {
   return error instanceof Error ? error.message : String(error)
 }
@@ -159,23 +160,46 @@ const extractors: Record<string, Extractor> = {
     (m): Dep => ({ type: 'cargo', name: m[1] })
   ),
   'Cargo.toml': (content: string): Dep[] => {
-    // Rust: only extract from [dependencies], [dev-dependencies], [build-dependencies] sections.
-    // Skip [package], [lib], [bin], [workspace], [profile] metadata sections.
+    // Rust: extract crate names from dep lines.
+    //
+    // Two-mode strategy because the hook receives either a full
+    // Cargo.toml (Write) or a fragment (Edit's new_string, often just
+    // the added line with no section header):
+    //
+    //   Full file  — scan only [dependencies] / [dev-dependencies] /
+    //                [build-dependencies] (incl. target-specific
+    //                [target.*.dependencies] via the `.<name>` suffix)
+    //                and skip [package], [features], [profile], etc.
+    //   Fragment   — no section headers at all → treat the whole
+    //                content as an implicit [dependencies] body and
+    //                match any `name = "..."` or `name = { version = "..." }`.
+    //
+    // The lineRe requires the value to look like a version spec
+    // (string or table with a `version` key), so `[features]`-style
+    // `key = ["derive"]` array values don't match even in fragment mode.
     const deps: Dep[] = []
-    const depSectionRe = /^\[(?:(?:dev-|build-)?dependencies(?:\.[^\]]+)?)\]\s*$/gm
+    const depSectionRe = /^\[(?:(?:dev-|build-)?dependencies(?:\.[^\]]+)?|target\.[^\]]+\.(?:dev-|build-)?dependencies(?:\.[^\]]+)?)\]\s*$/gm
     const anySectionRe = /^\[/gm
+    const lineRe = /^(\w[\w-]*)\s*=\s*(?:\{[^}]*version\s*=\s*"[^"]*"|\s*"[^"]*")/gm
+    const push = (section: string) => {
+      let m
+      while ((m = lineRe.exec(section)) !== null) {
+        deps.push({ type: 'cargo', name: m[1] })
+      }
+      lineRe.lastIndex = 0
+    }
+    const hasAnySection = /^\[/m.test(content)
+    if (!hasAnySection) {
+      push(content)
+      return deps
+    }
     let sectionMatch
     while ((sectionMatch = depSectionRe.exec(content)) !== null) {
       const sectionStart = sectionMatch.index + sectionMatch[0].length
       anySectionRe.lastIndex = sectionStart
       const nextSection = anySectionRe.exec(content)
       const sectionEnd = nextSection ? nextSection.index : content.length
-      const sectionText = content.slice(sectionStart, sectionEnd)
-      const lineRe = /^(\w[\w-]*)\s*=\s*(?:\{[^}]*version\s*=\s*"[^"]*"|\s*"[^"]*")/gm
-      let m
-      while ((m = lineRe.exec(sectionText)) !== null) {
-        deps.push({ type: 'cargo', name: m[1] })
-      }
+      push(content.slice(sectionStart, sectionEnd))
     }
     return deps
   },
@@ -280,21 +304,6 @@ const extractors: Record<string, Extractor> = {
   'yarn.lock': extractNpmLockfile,
 }
 
-// --- main (only when executed directly, not imported) ---
-
-if (fileURLToPath(import.meta.url) === path.resolve(process.argv[1])) {
-  // Read the full JSON blob from stdin (piped by Claude Code).
-  let input = ''
-  for await (const chunk of process.stdin) input += chunk
-  const hook: HookInput = JSON.parse(input)
-
-  if (hook.tool_name !== 'Edit' && hook.tool_name !== 'Write') {
-    process.exitCode = 0
-  } else {
-    process.exitCode = await check(hook)
-  }
-}
-
 // --- core ---
 
 // Orchestrates the full check: extract deps, diff against old, query API.
@@ -728,3 +737,26 @@ export {
   extractTerraform,
   findExtractor,
 }
+
+// --- main (only when executed directly, not imported) ---
+//
+// Kept at the bottom because the module uses top-level await
+// (`for await (const chunk of process.stdin)`) to read the hook payload.
+// Top-level await suspends module evaluation at the suspension point, so
+// any `const` declared AFTER the suspending block is still in the TDZ
+// when the awaited work calls back into the module (e.g. extractNpm →
+// PACKAGE_JSON_METADATA_KEYS). Placing main last guarantees every
+// module-level declaration is initialized before main runs.
+
+if (fileURLToPath(import.meta.url) === path.resolve(process.argv[1])) {
+  // Read the full JSON blob from stdin (piped by Claude Code).
+  let input = ''
+  for await (const chunk of process.stdin) input += chunk
+  const hook: HookInput = JSON.parse(input)
+
+  if (hook.tool_name !== 'Edit' && hook.tool_name !== 'Write') {
+    process.exitCode = 0
+  } else {
+    process.exitCode = await check(hook)
+  }
+}

.claude/hooks/private-name-guard/README.md

@@ -0,0 +1,59 @@
+# private-name-guard
+
+`PreToolUse` hook that **never blocks**. On every `Bash` command that
+would publish text to a public Git/GitHub surface, writes a short
+reminder to stderr so the model re-reads the command with the rule
+freshly in mind:
+
+> No private repos or internal project names in public surfaces. Omit
+> the reference entirely — don't substitute a placeholder. The
+> placeholder itself is a tell.
+
+Attention priming, not enforcement. The model is responsible for
+applying the rule — the hook just ensures the rule is in the active
+context at the moment the command is about to fire.
+
+Sibling to `public-surface-reminder`, which covers customer/company
+names and internal work-item IDs. The two hooks compose: both fire on
+the same public-surface commands, each priming a distinct slice of the
+rule set.
+
+## What counts as "public surface"
+
+- `git commit` (including `--amend`)
+- `git push`
+- `gh pr (create|edit|comment|review)`
+- `gh issue (create|edit|comment)`
+- `gh api -X POST|PATCH|PUT`
+- `gh release (create|edit)`
+
+Any other `Bash` command passes through silently.
+
+## Why no denylist
+
+Because a denylist is itself a leak. A file named `private-projects.txt`
+that enumerates "these are our internal repos" is worse than no list at
+all — anyone who finds it gets the org's full internal map for free.
+Recognition happens at write time, every time, by the model reading the
+text it's about to send. The hook just makes sure that read happens.
+
+## Wiring
+
+`.claude/settings.json`:
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [{ "type": "command", "command": "node .claude/hooks/private-name-guard/index.mts" }]
+      }
+    ]
+  }
+}
+```
+
+## Exit code
+
+Always `0`. The hook never blocks; it only prints to stderr.

.claude/hooks/private-name-guard/index.mts

@@ -0,0 +1,89 @@
+#!/usr/bin/env node
+// Claude Code PreToolUse hook — private-name guard.
+//
+// Never blocks. On every Bash command that would publish text to a public
+// Git/GitHub surface (git commit, git push, gh pr/issue/api/release write),
+// writes a short reminder to stderr so the model re-reads the command with
+// the rule freshly in mind:
+//
+//   No private repos or internal project names in public surfaces.
+//   Omit the reference entirely — don't substitute a placeholder.
+//
+// Exit code is always 0. This is attention priming, not enforcement. The
+// model is responsible for applying the rule — the hook just makes sure
+// the rule is in the active context at the moment the command is about
+// to fire.
+//
+// Deliberately carries no enumerated denylist. Recognition and replacement
+// happen at write time, not via a list of names. A denylist is itself a
+// leak — a file named `private-projects.txt` would be the very thing it
+// tries to prevent.
+//
+// Reads a Claude Code PreToolUse JSON payload from stdin:
+//   { "tool_name": "Bash", "tool_input": { "command": "..." } }
+
+import { readFileSync } from 'node:fs'
+
+type ToolInput = {
+  tool_name?: string
+  tool_input?: {
+    command?: string
+  }
+}
+
+// Commands that can publish content outside the local machine.
+// Keep broad — better to remind on an extra read than miss a write.
+const PUBLIC_SURFACE_PATTERNS: RegExp[] = [
+  /\bgit\s+commit\b/,
+  /\bgit\s+push\b/,
+  /\bgh\s+pr\s+(create|edit|comment|review)\b/,
+  /\bgh\s+issue\s+(create|edit|comment)\b/,
+  /\bgh\s+api\b[^|]*-X\s*(POST|PATCH|PUT)\b/i,
+  /\bgh\s+release\s+(create|edit)\b/,
+]
+
+function isPublicSurface(command: string): boolean {
+  const normalized = command.replace(/\s+/g, ' ')
+  return PUBLIC_SURFACE_PATTERNS.some(re => re.test(normalized))
+}
+
+function main(): void {
+  let raw = ''
+  try {
+    raw = readFileSync(0, 'utf8')
+  } catch {
+    return
+  }
+
+  let input: ToolInput
+  try {
+    input = JSON.parse(raw)
+  } catch {
+    return
+  }
+
+  if (input.tool_name !== 'Bash') {
+    return
+  }
+  const command = input.tool_input?.command
+  if (!command || typeof command !== 'string') {
+    return
+  }
+  if (!isPublicSurface(command)) {
+    return
+  }
+
+  const lines = [
+    '[private-name-guard] This command writes to a public Git/GitHub surface.',
+    '  • Re-read the commit message / PR body / comment BEFORE it sends.',
+    '  • No private repo names. No internal project codenames. No unreleased',
+    '    product names. No internal-only tooling repos absent from the public',
+    '    org page. No customer/partner names.',
+    '  • Omit the reference entirely. Do not substitute a placeholder — the',
+    '    placeholder itself is a tell.',
+    '  • If you spot one, cancel and rewrite the text first.',
+  ]
+  process.stderr.write(lines.join('\n') + '\n')
+}
+
+main()

.claude/hooks/private-name-guard/package.json

@@ -0,0 +1,12 @@
+{
+  "name": "hook-private-name-guard",
+  "private": true,
+  "type": "module",
+  "main": "./index.mts",
+  "exports": {
+    ".": "./index.mts"
+  },
+  "devDependencies": {
+    "@types/node": "24.9.2"
+  }
+}

.claude/hooks/release-workflow-guard/README.md

@@ -0,0 +1,68 @@
+# release-workflow-guard
+
+`PreToolUse` hook that **blocks** every Bash command that would
+dispatch a GitHub Actions workflow. Exit code `2`; the model never
+gets to fire the command.
+
+> Workflow dispatches are irrevocable. Publish workflows push npm
+> versions (unpublishable after 24h). Build/Release workflows pin
+> GitHub releases by SHA. Container workflows push immutable image
+> tags. Even build workflows with a `dry_run` input still treat the
+> dispatch itself as the prod trigger — the user runs them
+> manually, never Claude.
+
+## What gets blocked
+
+- `gh workflow run <id>`
+- `gh workflow dispatch <id>` (alias of `run`)
+- `gh api .../actions/workflows/<id>/dispatches` POST/PUT
+
+Any other `Bash` command passes through silently.
+
+## Why no per-workflow allowlist
+
+Because allowlists drift. A "benign" CI dispatch today becomes a
+prod-touching dispatch tomorrow when someone wires a publish step
+behind it; the allowlist hasn't updated. The cost of an extra
+block is one re-prompt (the user runs the command in their own
+terminal). The cost of a missed prod dispatch is irreversible.
+Block all dispatches; let the user judge.
+
+## Override
+
+There is no opt-out. If a real workflow id needs dispatching during
+a Claude session, the user runs it themselves — either in a plain
+shell, via the GitHub Actions UI, or by typing `! gh workflow run
+...` outside of a Claude prompt where the hook doesn't fire.
+
+## Wiring
+
+`.claude/settings.json`:
+
+```json
+{
+  "hooks": {
+    "PreToolUse": [
+      {
+        "matcher": "Bash",
+        "hooks": [{ "type": "command", "command": "node .claude/hooks/release-workflow-guard/index.mts" }]
+      }
+    ]
+  }
+}
+```
+
+## Exit code
+
+- `0` — command is not a workflow dispatch; pass through
+- `2` — command is a workflow dispatch; block + write reason to stderr
+
+## Sibling hooks
+
+- `private-name-guard` — primes the model on private repo / project names
+- `public-surface-reminder` — primes on customer / company names
+- `token-guard` — blocks token-leaking shell shapes
+
+`release-workflow-guard` is the third hook that **blocks** rather
+than primes (alongside `token-guard` and `path-guard`). The shared
+rule: block when the harm of a wrong fire is irreversible.