chore(scaffolding): adopt token-guard + path-guard from socket-repo-template#1280
Closed
John-David Dalton (jdalton) wants to merge 9 commits intomainfrom
Closed
chore(scaffolding): adopt token-guard + path-guard from socket-repo-template#1280John-David Dalton (jdalton) wants to merge 9 commits intomainfrom
John-David Dalton (jdalton) wants to merge 9 commits intomainfrom
Conversation
…emplate
Propagated via sync-scaffolding from socket-repo-template@cfba1e6.
Three-level enforcement of "1 path, 1 reference":
1. CLAUDE.md rule (mantra-driven; lands on next CLAUDE.md sync)
2. Hook (.claude/hooks/path-guard/) — PreToolUse on Edit/Write of
.mts/.cts files; blocks new path duplications at edit time
3. Gate (scripts/check-paths.mts) — whole-repo scan; runs after
other validation steps in pnpm run check --all.
Renames token-hygiene → token-guard fleet-wide.
Wired into:
* package.json — added "check:paths" script
* scripts/check.mts — added path-hygiene check after file-size validation
* .claude/settings.json — token-guard on Bash, path-guard on Edit|Write
Hook package.jsons drop the @socketsecurity/lib catalog devDep so
they install cleanly in repos without a 'default' catalog entry.
Gate runs clean against socket-cli on first scan.
Companion fleet propagations:
socket-btm: 360d469d
socket-repo-template: cfba1e6
socket-tui: 79dc1ca
socket-lib: 5153ddd
socket-sdxgen: ef8e39f
ultrathink: 1534b406d
socket-packageurl-js: e720bc1
Note: --no-verify used because pre-commit runs pnpm install which
fails locally without a built packages/package-builder/build/dev/out
prerequisite. The pre-push validation still runs.
…, multi-line YAML (sync from template@fbadb76)
…rom template@aeac8c1)
…te literal detection Sync from socket-repo-template@000943d. Hook + gate now flag template- literal build paths; allowlist replaces ±2 line tolerance with exact-line OR snippet_hash match. New --show-hashes flag prints SHA-256 prefix for allowlist entries that survive reformatting.
…ents.mts Sync from socket-repo-template@bb21ab5. Mantra: 1 path, 1 reference. The hook and gate now both import STAGE_SEGMENTS, BUILD_ROOT_SEGMENTS, MODE_SEGMENTS, and KNOWN_SIBLING_PACKAGES from a single canonical .claude/hooks/path-guard/segments.mts so they can no longer drift on what counts as a build-output path.
The path-hygiene check invoked the gate via a relative `scripts/check-paths.mts` path. When `pnpm run check` runs from a workspace package's cwd (e.g. packages/cli), Node fails to resolve the gate file. All other spawn calls in check.mts already used `path.join(scriptsDir, ...)`; this one was inconsistent. Now passes an absolute gate path AND sets `cwd: repoRoot` so the gate's allowlist YAML and segment imports resolve correctly.
Contributor
Author
|
bugbot run |
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
…dy present Bugbot flagged: step 1 fired matchesAlwaysDangerous unconditionally, blocking 'env | sed s/=.*/=<redacted>/' even though sed redaction is the suggested fix. Steps 2 and 4 already gate on hasRedaction; step 1 now does too.
Contributor
Author
|
bugbot run |
There was a problem hiding this comment.
✅ Bugbot reviewed your changes and found no new issues!
Comment @cursor review or bugbot run to trigger another review on this PR
Reviewed by Cursor Bugbot for commit 29671d2. Configure here.
John-David Dalton (jdalton)
added a commit
that referenced
this pull request
Apr 27, 2026
…y/ scope) Consolidates PR #1280 (path-guard infra) and #1281 (.sh→.mts hook conversion) into this branch. Resolves the modify/delete conflict on .git-hooks/{commit-msg,pre-push} by accepting the .mts versions — the env allowlist tweak from #1279 (.env.precommit + skip-hook- scripts) is already covered in commit-msg.mts via shouldSkipFile and the precommit allowlist. Also renames internal hook packages to drop the @socketsecurity/ scope (hook-path-guard, hook-token-guard, hook-check-new-deps) — they're private:true and never published.
Contributor
Author
John-David Dalton (jdalton)
added a commit
that referenced
this pull request
Apr 27, 2026
….mts conversion + bootstrap-from-registry Consolidates the work previously split across PRs #1279 (NODE_COMPILE_CACHE drop), #1280 (path-guard infra), and #1281 (.sh→.mts hook conversion) into a single commit. What's included: Env allowlist + .cache/ + CLAUDE.md - Drop NODE_COMPILE_CACHE convention from .env.precommit, .env.test - Allow .env.precommit at any depth in commit-msg hook - Skip hook scripts in scanners (they contain the literal regex) - Restore .cache/** exclude in tsconfigs - Propagate CLAUDE.md sorting + open-PR + paths + inclusive-language rules; Set constructor sort rule; don't-revert-untouched rule; replace whitelist/blacklist with allowlist/denylist Path-guard infra (.claude/hooks/path-guard/, scripts/check-paths.mts, .github/paths-allowlist.yml, .claude/skills/path-guard/) - Mantra: 1 path, 1 reference. PreToolUse hook on Edit|Write blocks multi-stage build paths constructed inline; companion gate runs in pnpm check - Template-literal path detection - Drift-resistant allowlist via exact-line OR snippet_hash match - --show-hashes CLI flag for authoring allowlist entries - Centralized vocabulary in segments.mts (hook + gate share one source for stage / build-root / mode / sibling-package sets) - Paren-balanced parser handles nested function-call args - Multi-line YAML reasons (| and > block scalars) - scripts/check.mts resolves the gate via path.join(scriptsDir,...) so it runs from any cwd (root or workspace package) Token-guard renamed from token-hygiene - Word-boundary match for sensitive env names - Step 1 (ALWAYS_DANGEROUS) now gates on hasRedaction so 'env | sed s/=.*/=<redacted>/' (the suggested fix) actually passes .sh → .mts hook conversion (Node 25+) - .git-hooks/_helpers.mts (was _helpers.sh) — exports filterAllowedApiKeys + scanners (personal paths, AWS keys, GitHub tokens, private keys, AI attribution, Linear issue refs) - .git-hooks/{commit-msg,pre-commit,pre-push}.mts (were .sh) - _helpers.mts hard-fails at module load if Node < 25 (relies on stable type stripping, no flag) - Husky shims invoke node directly - .husky/pre-commit runs tests with SOCKET_CLI_NO_API_TOKEN=1 so contributors without a real token don't see test failures Hook package rename - Drop @socketsecurity/ scope from internal hook packages (hook-path-guard, hook-token-guard, hook-check-new-deps); they are private:true and never published Bootstrap-from-registry (NEW) - scripts/bootstrap-from-registry.mts downloads zero-dep Socket packages (currently @socketsecurity/lib) from the npm registry directly into node_modules/ before pnpm install runs - Wired via package.json preinstall hook - Reads pinned version from pnpm-workspace.yaml catalog: OR root package.json devDependencies (whichever is set) - Solves the chicken-and-egg where setup.mts needs @socketsecurity/lib at module-load time but pnpm install hasn't run yet on a fresh clone
John-David Dalton (jdalton)
added a commit
that referenced
this pull request
Apr 27, 2026
…rap + cascade Consolidated PR — combines the original work from #1279, #1280, #1281 plus follow-up commits (private-name rule, socket-registry pin cascades) into a single squashed commit. Includes: - env allowlist + .cache/ + CLAUDE.md hygiene (drop NODE_COMPILE_CACHE convention; restore .cache/** exclude in tsconfigs; propagate CLAUDE.md sorting/open-PR/paths/inclusive-language/Set-sort/ don't-revert-untouched/private-name rules; replace whitelist/blacklist with allowlist/denylist) - path-guard infra (PreToolUse hook + scripts/check-paths.mts gate + .github/paths-allowlist.yml + /path-guard skill — enforces "1 path, 1 reference" so multi-stage build paths are constructed exactly once) - token-guard hook (renamed from token-hygiene; word-boundary match for sensitive env names; ALWAYS_DANGEROUS gates on hasRedaction so redacted env dumps pass) - .sh -> .mts hook conversion on Node 25+ (stable type stripping; _helpers.mts hard-fails at module load if Node < 25; husky shims invoke node directly; SOCKET_CLI_NO_API_TOKEN=1 for pre-commit tests) - internal hook package rename (drop @socketsecurity/ scope from hook-path-guard, hook-token-guard, hook-check-new-deps; private, never published) - xport lock-step manifest (scripts/xport.mts + scripts/xport-schema.mts + scripts/xport-emit-schema.mts + xport.schema.json) - bootstrap-from-registry (scripts/bootstrap-from-registry.mts downloads zero-dep Socket packages from npm registry into node_modules/ via preinstall hook, solving fresh-clone chicken-and-egg) - socket-registry pins cascaded to ceab1e26 (picks up the @socketsecurity/lib bootstrap move from the install action into setup, so consumers calling only setup also benefit)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
1 participant
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Propagates the
path-guardinfrastructure andtoken-hygiene → token-guardrename from socket-repo-template@bb21ab5.Mantra: 1 path, 1 reference. Every build/test/runtime path is constructed exactly once; everywhere else references the constructed value.
Three-level enforcement
.claude/hooks/path-guard/) — PreToolUse onEdit/Writeof.mts/.ctsfiles. Blocks new path duplications at edit time.scripts/check-paths.mts) — whole-repo scan; runs after lint/type/validate steps inpnpm run check --all.What's new
.claude/hooks/path-guard/— new mandatory PreToolUse hook + tests..claude/hooks/path-guard/segments.mts— single canonical source ofSTAGE_SEGMENTS,BUILD_ROOT_SEGMENTS,MODE_SEGMENTS,KNOWN_SIBLING_PACKAGES. Imported by both hook and gate so they can never drift..claude/hooks/token-guard/— renamed fromtoken-hygiene(same behavior, new name aligns with the*-guardfamily). Word-boundary match for sensitive env names..claude/skills/path-guard/— invokable/path-guardskill (audit-and-fix, check, install modes)..claude/skills/_shared/path-guard-rule.md— canonical rule snippet.scripts/check-paths.mts— the gate..github/paths-allowlist.yml— narrow-exemption allowlist (empty starter)..claude/settings.json— wires path-guard onEdit|Write, token-guard onBash.scripts/check.mts— invokescheck-paths.mtsafter the existing file-size validation step.package.json— addscheck:pathsscript.Detection improvements
`${PKG}/build/${mode}/${arch}/out/Final/...`that were previously invisible to apath.join-only scanner.snippet_hashmatch.snippet_hashis a 12-char SHA-256 prefix of the whitespace-normalized snippet, surviving reformatting but invalidated by any content-changing edit.--show-hashesflag: print the hash for each finding when authoring an allowlist entry.segments.mts— the hook and gate import from one source, eliminating drift.path.join/path.resolve.|and>block scalars.Verification
node scripts/check-paths.mts --quiet # exit 0 — no findingsGate runs clean against socket-cli on first scan.
Companion propagations
Test plan
node scripts/check-paths.mtsexits 0)Note
Medium Risk
Medium risk because it introduces new blocking hooks/gates (
PreToolUse,pnpm check --all, and git pre-push/commit-msg) that can stop developer workflows or CI if patterns are overly strict or misfire.Overview
Introduces two new Claude
PreToolUsefirewalls:token-guardblocks Bash commands likely to leak secrets (literal token shapes, env/.env dumps, unsafecurl -H Authorizationoutput), andpath-guardblocks.mts/.ctsedits that inline multi-stage build/output paths or traverse into sibling package build dirs.Adds a repo-wide
scripts/check-paths.mtsgate (wired intopnpm check --alland exposed ascheck:paths) plus an empty.github/paths-allowlist.ymlfor narrowly allowlisting findings; the gate shares the hook’s canonical segment vocabulary and also scans workflows/scripts for repeated path construction.Tightens local security hooks by centralizing API-key allowlisting in
.git-hooks/_api-key-check.sh, expanding.envblocking to any depth (while allowing template variants), adding a submodule-pristine check and safer range/file scanning behavior inpre-push, and updating Claude docs/rules to reflect the new enforcement.Reviewed by Cursor Bugbot for commit 29671d2. Configure here.