chore(wheelhouse): cascade template@2c1da61a

jdalton · jdalton · commit c111d4826d8f · 2026-06-03T16:10:39.000-04:00
Auto-applied by socket-wheelhouse sync-scaffolding into socket-addon.
4 file(s) touched:
  - .claude/skills/fleet/cascading-fleet/SKILL.md
  - .github/workflows/ci.yml
  - .github/workflows/provenance.yml
  - docs/claude.md/fleet/tooling.md
diff --git a/.claude/skills/fleet/cascading-fleet/SKILL.md b/.claude/skills/fleet/cascading-fleet/SKILL.md
@@ -43,7 +43,7 @@ Propagates a `socket-registry` pin chain through the fleet. Different shape: use
 For now, the registry-pin cascade is two steps documented inline:
 
 ```
-Step 1 (intra-registry): node socket-registry/scripts/cascade-internal.mts
+Step 1 (intra-registry): node socket-registry/scripts/cascade-workflows.mts
 Step 2 (intra-registry): git push to registry main; record new tip M'.
 Step 3 (template): node socket-wheelhouse/scripts/repo/sync-registry-workflow-shas.mts --sha M' (cascade propagates to fleet)
 ```
@@ -84,11 +84,11 @@ The cascade script (`lib/cascade-template.mts`) is deterministic — it `--no-ve
 
 2. **Stranded local commits** (local `main` diverged with un-pushed `chore(wheelhouse): cascade …` commits that origin already superseded). Confirm with `git branch -r --contains <sha>` (empty = local-only) and `git log --oneline HEAD..origin/main` (origin has newer cascades). If origin already has the work in canonical form, `git reset --hard origin/main` (needs `Allow reset bypass`) — nothing real is lost. Otherwise rebase the genuine local-unique commits on top.
 
-3. **Soak-bypassing a tool bump** (pnpm/zizmor/sfw newer than the 7-day `minimumReleaseAge`). The auto-updater (`scripts/update-external-tools.mts`) skips fresh releases. To bump anyway: hand-pin `external-tools.json` (version + every platform asset + recomputed sha256 integrity from the upstream GitHub release; npm-tarball platforms use npm `dist.integrity`), needs `Allow soak-time bypass` (alias: `Allow minimumReleaseAge bypass`). Then run `socket-registry/scripts/cascade-internal.mts` to bump-until-stable the internal action pins, push, and `scripts/repo/sync-registry-workflow-shas.mts --sha <M'>` to rewrite the template workflow pins (the cascade propagates them fleet-wide). **Why:** 2026-06-01 a stale pnpm pin (11.4.0 vs runner 11.3.0) red-lined fleet CI; the bump to 11.5.0 also surfaced an `allowBuilds: esbuild` placeholder that `ERR_PNPM_IGNORED_BUILDS` then blocked on.
+3. **Soak-bypassing a tool bump** (pnpm/zizmor/sfw newer than the 7-day `minimumReleaseAge`). The auto-updater (`scripts/update-external-tools.mts`) skips fresh releases. To bump anyway: hand-pin `external-tools.json` (version + every platform asset + recomputed sha256 integrity from the upstream GitHub release; npm-tarball platforms use npm `dist.integrity`), needs `Allow soak-time bypass` (alias: `Allow minimumReleaseAge bypass`). Then run `socket-registry/scripts/cascade-workflows.mts` to bump-until-stable the internal action pins, push, and `scripts/repo/sync-registry-workflow-shas.mts --sha <M'>` to rewrite the template workflow pins (the cascade propagates them fleet-wide). **Why:** 2026-06-01 a stale pnpm pin (11.4.0 vs runner 11.3.0) red-lined fleet CI; the bump to 11.5.0 also surfaced an `allowBuilds: esbuild` placeholder that `ERR_PNPM_IGNORED_BUILDS` then blocked on.
 
 ## Reference
 
 - FLEET_SYNC sentinel: `template/.claude/hooks/fleet/no-revert-guard/` + `template/.claude/hooks/fleet/overeager-staging-guard/`.
 - Wheelhouse sync-scaffolding: `socket-wheelhouse/scripts/repo/sync-scaffolding/cli.mts`.
 - Fleet-repo manifest: `lib/fleet-repos.txt`.
-- Registry-pin cascade (Mode 2): `socket-registry/scripts/cascade-internal.mts` (intra-registry bump-until-stable) → `scripts/repo/sync-registry-workflow-shas.mts --sha <M'>` (rewrites template workflows; cascade propagates fleet-wide).
+- Registry-pin cascade (Mode 2): `socket-registry/scripts/cascade-workflows.mts` (intra-registry bump-until-stable) → `scripts/repo/sync-registry-workflow-shas.mts --sha <M'>` (rewrites template workflows; cascade propagates fleet-wide).
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -21,7 +21,7 @@ concurrency:
 jobs:
   ci:
     name: Run CI Pipeline
-    uses: SocketDev/socket-registry/.github/workflows/ci.yml@67bd6087956fa1d6a9b216e76eafac17d762495b # main (2026-05-28)
+    uses: SocketDev/socket-registry/.github/workflows/ci.yml@74f3353793b9a9619bef7badae29821260bd4225 # main (2026-05-28)
     with:
       # Force --all so push/PR runs the full suite. The default `pnpm test`
       # uses --modified, which is a no-op on a clean CI checkout.
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
@@ -39,7 +39,7 @@ permissions:
 
 jobs:
   publish:
-    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@67bd6087956fa1d6a9b216e76eafac17d762495b # main (2026-05-28)
+    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@74f3353793b9a9619bef7badae29821260bd4225 # main (2026-05-28)
     with:
       debug: ${{ inputs.debug }}
       dist-tag: ${{ inputs.dist-tag }}
diff --git a/docs/claude.md/fleet/tooling.md b/docs/claude.md/fleet/tooling.md
@@ -60,7 +60,7 @@ This is a four-stage orchestrator. Don't reach for any of the lower-level script
 | Stage | Does                                                                                                                                                                                                                                                                                                                                                                                                                       | Driven by                                                    |
 | ----- | -------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- | ------------------------------------------------------------ |
 | A     | Bumps `socket-registry/external-tools.json`: downloads every platform binary from upstream, recomputes sha256 ourselves (integrity model is binary-download + own-checksum, not trust in upstream-published values), writes the file. Commits to registry.                                                                                                                                                                 | `tools/pnpm.mts#applyToRegistry` (+ `zizmor.mts`, `sfw.mts`) |
-| B     | Delegates to `socket-registry/scripts/cascade-internal.mts`: recursively bumps every SHA pin in registry's own workflows (`setup-and-install` → `setup` → `checkout`), converging to a fixed point. Commits to registry.                                                                                                                                                                                                   | `pipeline.mts#stageB`                                        |
+| B     | Delegates to `socket-registry/scripts/cascade-workflows.mts`: recursively bumps every SHA pin in registry's own workflows (`setup-and-install` → `setup` → `checkout`), converging to a fixed point. Commits to registry.                                                                                                                                                                                                   | `pipeline.mts#stageB`                                        |
 | C     | Pushes registry main; polls GitHub Actions for the cascade SHA's CI to land green. Aborts the whole cascade if registry CI fails. Fleet repos must not pin to a broken registry. Skipped via `--skip-ci-wait`.                                                                                                                                                                                                             | `pipeline.mts#stageC`                                        |
 | D     | For every primary fleet checkout: runs `cleanup-stranded.mts --against <stageBSha>` (no-layering rule discards prior unpushed cascade commits), rewrites every `setup-and-install@<old-sha>` reference to the new registry SHA via diff-based pin matching, optionally runs the tool's per-fleet step (pnpm bumps `packageManager` + `engines.pnpm`), runs `pnpm run format` to fold pre-existing drift, commits + pushes. | `pipeline.mts#stageD`                                        |
 
@@ -70,7 +70,7 @@ Stage A honors the 7-day `minimumReleaseAge` cooldown via `--soak-days <n>` (def
 
 ### Recovery from an interrupted cascade
 
-If Stage A+B+C landed (registry has a new tip) but Stage D didn't run, pass `--force-fanout` to skip Stages A+B+C and use the current registry HEAD as the propagation SHA. This is the only sanctioned way to "resume" a cascade. Manually invoking `cascade-internal.mts` then `cascade-fleet.mts` without the resume flag would re-run Stages A+B+C and produce a no-op commit / extra runner minutes.
+If Stage A+B+C landed (registry has a new tip) but Stage D didn't run, pass `--force-fanout` to skip Stages A+B+C and use the current registry HEAD as the propagation SHA. This is the only sanctioned way to "resume" a cascade. Manually invoking `cascade-workflows.mts` then `cascade-fleet.mts` without the resume flag would re-run Stages A+B+C and produce a no-op commit / extra runner minutes.
 
 ### What this does NOT do
 
