Picks up the `claude_md_fleet_drift`, `oxlint_fleet_ignore_drift`,
`oxfmt_fleet_ignore_drift`, and `gitattributes_fleet_drift` fixes that
the prior `chore(sync): cascade fleet template@72633be` run reported as
[FIXED] but didn't include in its auto-commit. Pure re-sync — no
behavior change.
-**Package manager**: `pnpm`. Run scripts via `pnpm run foo --flag`, never `foo:bar`. After `package.json` edits, `pnpm install`.
78
78
- 🚨 NEVER use `npx`, `pnpm dlx`, or `yarn dlx` — use `pnpm exec <package>` or `pnpm run <script>` # socket-hook: allow npx
79
79
- 🚨 NEVER pass `--experimental-strip-types` to Node (enforced by `.claude/hooks/no-experimental-strip-types-guard/`).
80
-
-**New dependencies** — every new dep added to `package.json` runs a Socket-score check at edit time; low-scoring deps block (enforced by `.claude/hooks/check-new-deps/`). The 7-day `minimumReleaseAge` soak is intentional malware protection; never add to `pnpm-workspace.yaml``minimumReleaseAge.exclude[]` (bypass `Allow minimumReleaseAge bypass` for emergency CVE patches; enforced by `.claude/hooks/minimum-release-age-guard/`). Vitest `include` globs must not match `node:test` files — mismatched runners produce confusing "no test suite found" errors (enforced by `.claude/hooks/vitest-include-vs-node-test-guard/`).
80
+
- **New dependencies** — every new dep added to `package.json` runs a Socket-score check at edit time; low-scoring deps block (enforced by `.claude/hooks/check-new-deps/`). The 7-day `minimumReleaseAge` soak is intentional malware protection; never add to `pnpm-workspace.yaml` `minimumReleaseAge.exclude[]` (bypass `Allow minimumReleaseAge bypass` for emergency CVE patches; enforced by `.claude/hooks/minimum-release-age-guard/`). Every per-package soak-bypass entry (the `'pkg@1.2.3'` exact-pin form) MUST carry a `# published: YYYY-MM-DD | removable: YYYY-MM-DD` annotation as the LAST comment line above the bullet — `published` is the version's npm publish date, `removable` is `published + 7d` so a periodic cleanup can drop entries that no longer need the bypass (enforced by `.claude/hooks/soak-exclude-date-annotation-guard/` at edit time + `scripts/check-soak-exclude-dates.mts` at commit time). Vitest `include` globs must not match `node:test` files — mismatched runners produce confusing "no test suite found" errors (enforced by `.claude/hooks/vitest-include-vs-node-test-guard/`).
81
81
-**Bundler**: `rolldown`, NOT `esbuild`. The fleet standardizes on rolldown for direct bundling (see `template/.config/rolldown/`). Transitive esbuild deps (e.g. via vitest) are unavoidable today — the rule is no _new direct_ esbuild use anywhere in the fleet.
82
82
-**Backward compatibility** — FORBIDDEN to maintain. Actively remove when encountered.
83
-
- Full ruleset (packageManager field, `.config/` placement, `.mts` runners, soak time, shallow submodules, monorepo `engines.node`) in [`docs/claude.md/fleet/tooling.md`](docs/claude.md/fleet/tooling.md).
83
+
- Full ruleset (packageManager field, `.config/` placement, `.mts` runners, soak time, shallow submodules, monorepo `engines.node`, `npm-run-all2` + `node --run` opt-in) in [`docs/claude.md/fleet/tooling.md`](docs/claude.md/fleet/tooling.md).
84
84
85
85
### Claude Code plugin pins
86
86
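Review bot: In the added `**New dependencies**` bullet, `removable` is defined as `published + 7d`, which writes the soak window into the rule a second time; if `minimumReleaseAge` is ever changed, the annotation formula goes stale without anyone noticing. Consider wording it as "published plus the `minimumReleaseAge` window (currently 7 days)". The bullet also introduces a new MUST with two enforcers (`.claude/hooks/soak-exclude-date-annotation-guard/` and `scripts/check-soak-exclude-dates.mts`) while the commit message describes the change as having no behavior change; please confirm both enforcers are present in this repo and that existing `minimumReleaseAge.exclude[]` entries already carry the annotation, otherwise the commit-time check will start failing on untouched entries. The summary line for `tooling.md` now lists `npm-run-all2` + `node --run` opt-in, so a short pointer there on how that opt-in relates to the "Run scripts via `pnpm run foo --flag`" rule above would avoid the two reading as contradictory.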
@@ -156,6 +156,10 @@ For non-trivial work (multi-file refactor, new feature, migration), the plan its
156
156
157
157
Default to no comments (enforced by `.claude/hooks/no-meta-comments-guard/` for meta-labels + removed-code refs); when written, write for a junior reader. Parsers mirroring an upstream get the exception ([`docs/claude.md/fleet/parser-comments.md`](docs/claude.md/fleet/parser-comments.md)). Cross-port files (Rust↔Go↔C++↔TS acorn ports; socket-btm `temporal-infra/src/socketsecurity/temporal/*.{cc,h}` C++ port of upstream `temporal_rs` Rust crate) use `Lock-step` comments — `// Lock-step from <Lang>: <path>` for port provenance, `// Lock-step with <Lang>: <path>` on the canonical side, inline `// Lock-step with <Lang>: <path>:<lines>` for specific cross-refs (point up at the source-of-truth, never down at a port), and `// Lock-step note: <why>` for _deliberate_ divergence. Every member of a quadruplet also carries a byte-identical `// BEGIN LOCK-STEP HEADER` / `// END LOCK-STEP HEADER` block (single-line `// ` syntax across every language — no `//!` / `///` / `/** */` mixing — so byte-compare across the quadruplet is trivial) (full forms in [`docs/claude.md/fleet/parser-comments.md`](docs/claude.md/fleet/parser-comments.md) §5–7; enforced edit-time by `.claude/hooks/lock-step-ref-guard/` and CI-gate-time by `scripts/check-lock-step-refs.mts` + `scripts/check-lock-step-header.mts`; bypass: `Allow lock-step bypass`). Pointer comments (`// see X`) need both the destination and an inline one-line claim (enforced by `.claude/hooks/pointer-comment-guard/`). 
Heaviest invariants: no `TODO`/`FIXME`/stubs; `undefined` over `null`; `httpJson`/`httpText` from `@socketsecurity/lib/http-request` over `fetch()`; `safeDelete()` from `@socketsecurity/lib/fs` over `fs.rm`; Edit tool over `sed`/`awk`; `'CI' in process.env` presence check over truthy; `import os from 'node:os'` over named imports; `getDefaultLogger()` over `console.*` (enforced by `.claude/hooks/logger-guard/`); doc filenames `lowercase-with-hyphens.md` under `docs/` or `.claude/` (enforced by `.claude/hooks/markdown-filename-guard/`); inline `<script defer>` / `<script async>` lacking a `src=` attribute is a spec no-op — wrap the body in a `DOMContentLoaded` listener instead (enforced by `.claude/hooks/inline-script-defer-guard/` + the `socket/no-inline-defer-async` oxlint rule; bypass: `Allow inline-defer bypass`); ESLint/Biome config refs (`.eslintrc`, `eslint-config-*`, `biome.json`, `@biomejs/*`) are stale — the fleet runs oxlint/oxfmt (enforced by the `socket/no-eslint-biome-config-ref` oxlint rule). Full ruleset (object literals, imports, subprocesses, file existence, generated reports, sorting, Promise.race, Safe suffix, `node:smol-*`, inclusive language) in [`docs/claude.md/fleet/code-style.md`](docs/claude.md/fleet/code-style.md). See also [`docs/claude.md/fleet/sorting.md`](docs/claude.md/fleet/sorting.md) and [`docs/claude.md/fleet/inclusive-language.md`](docs/claude.md/fleet/inclusive-language.md).
158
158
159
+
### No underscore-prefixed identifiers
160
+
161
+
🚨 Never prefix an **identifier** (function, variable, type, export) with `_` — patterns like `_resetX`, `_cache`, `_doFoo`, `_internal` are banned at the symbol level. Privacy in TS is handled by module boundaries (not exporting) or by `_internal/`_directory_ layout; the underscore-as-internal-marker convention from other languages adds noise without enforcement. Exporting "internal" helpers is fine and explicitly preferred — easier to unit-test. **Exception:** the directory name `_internal/` is allowed (and is the documented way to signal module-private files); the rule is about identifiers inside files, not folder layout (enforced by `.claude/hooks/no-underscore-identifier-guard/` + the `socket/no-underscore-identifier` oxlint rule; bypass: `Allow underscore-identifier bypass`).
162
+
159
163
### File size
160
164
161
165
Soft cap **500 lines**, hard cap **1000 lines** per source file. Past those, split along natural seams — group by domain, not line count; name files for what's in them; co-locate helpers with consumers. Exceptions: a single function that legitimately needs the space (note it inline), or a generated artifact. Full playbook in [`docs/claude.md/fleet/file-size.md`](docs/claude.md/fleet/file-size.md).
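Review bot: The new "No underscore-prefixed identifiers" section lists "function, variable, type, export" but does not say how intentionally unused parameters or destructured bindings (a bare `_` or `_unused`) are treated, which is the most common reason a TypeScript author reaches for the prefix. Please state whether those fall under the ban, and if so what the preferred replacement is, so that `Allow underscore-identifier bypass` does not become the routine answer. The `_internal/` directory allowance is also stated twice, once in the second sentence and again under **Exception**; keeping only the **Exception** wording would shorten the paragraph and leave a single place to update.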