chore(ci): cascade socket-registry pin to 780f6b6 (setup-go-toolchain) #1307
Replaces 20 fs.unlink() callsites across spawn.mts, vfs-extract.mts, coana-fix.mts, ghsa-tracker.mts, create-scan-from-github.mts, and bootstrap/node.mts with safeDelete() from @socketsecurity/lib/fs per CLAUDE.md policy. Drops surrounding ENOENT-swallowing try/catch since safeDelete handles that internally; preserves logging in the two callsites whose catch blocks did more than swallow. Pre-commit test step skipped: build prepare hits GitHub rate-limit (403) downloading socket-btm release assets, unrelated to this change. Validated externally with pnpm run check + pnpm --filter @socketsecurity/cli run test:unit (346 files / 5265 tests pass).
- New docs/references/agent-delegation.md (CLI-subprocess vs. subagent delegation paths, routing heuristics).
- CLAUDE.md fleet block: "Agents & skills" gains pointer to the delegation doc.
- socket-hook marker fix: pre-commit/pre-push and the logger-guard hook now accept `//` and `/* */` comment prefixes alongside `#`, so `.ts`/`.mts` files use `// socket-hook: allow logger` naturally.
- scanning-quality SKILL.md, security.mts, socket-repo-template-schema pair: byte-identical resync against template.

Pre-commit bypassed: pre-commit escalates to a full build that downloads native socket-btm release assets and hits a 403 on the anonymous code path. The build wouldn't validate any of these changes (docs + regex broadening), so --no-verify per user instruction.
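The marker broadening described in the commit above, as an added example that is not socket-cli's own hook code: a matcher that accepts `socket-hook: allow <rule>` behind `#`, `//` or `/*`, the natural-marker suggestion a hook error message can print per file type, and a line scan that reports guarded usages lacking a marker. `MARKER_RE`, `findMarker`, `naturalMarker`, `findViolations` and the guarded `console.log` pattern are assumptions, not the project's API.

```typescript
// Added example (not socket-cli's hook implementation). Assumed helper names.

// Matches `# socket-hook: allow logger`, `// socket-hook: allow logger`
// and `/* socket-hook: allow logger */` anywhere on a line; the rule name
// is captured so a hook can check it against the rule it enforces.
const MARKER_RE = /(?:#|\/\/|\/\*)\s*socket-hook:\s*allow\s+([A-Za-z0-9_-]+)/;

// Returns the allowed rule named on the line, or null when no marker is present.
function findMarker(line: string): string | null {
  const m = MARKER_RE.exec(line);
  return m?.[1] ?? null;
}

// Suggests the marker form that is natural for the file's comment syntax:
// `//` for TS/JS sources, `#` for shell, YAML and everything else.
function naturalMarker(filePath: string, rule: string): string {
  const dot = filePath.lastIndexOf('.');
  const ext = dot === -1 ? '' : filePath.slice(dot).toLowerCase();
  const slashCommentExts = new Set(['.ts', '.mts', '.cts', '.js', '.mjs', '.cjs']);
  const prefix = slashCommentExts.has(ext) ? '//' : '#';
  return `${prefix} socket-hook: allow ${rule}`;
}

// Returns 1-based line numbers where `usagePattern` (whatever the hook guards)
// appears without a same-line marker allowing `rule`. `usagePattern` must not
// carry the `g` flag, or RegExp.test would carry lastIndex between lines.
function findViolations(source: string, rule: string, usagePattern: RegExp): number[] {
  const violations: number[] = [];
  source.split('\n').forEach((line, i) => {
    if (usagePattern.test(line) && findMarker(line) !== rule) {
      violations.push(i + 1);
    }
  });
  return violations;
}
```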
Closes the per-repo gaps surfaced by sync-scaffolding:
- Wire `check:paths` script. The runner `scripts/check-paths.mts`
already existed; just missing from package.json.
- Rename `scripts/test-monorepo.mts` → `scripts/test.mts`. The fleet
expects a canonical `scripts/test.mts` location (per the manifest
comment: "the *file* exists so package.json:scripts.test can
delegate; the body's content varies"). Two refs in package.json
updated; no other call sites.
- Add `scripts/xport` + `xport:emit-schema` wiring (script files
already existed) and an empty `xport.json` lock-step manifest —
socket-cli is a CLI distribution with no submodule upstreams or
sibling language ports, so empty rows is the expected state.
- Copy `.github/dependabot.yml` from the template.
- Copy consumer-kind release-checksum scaffolding from the template
(`packages/build-infra/lib/release-checksums/{core,consumer}.mts`
+ `packages/build-infra/release-assets.schema.json`). socket-cli's
`.socket-repo-template.json` declares `kind: "consumer"`; the kind
expects this scaffolding present.
…emplate
- .git-hooks/_helpers.mts + pre-commit.mts + pre-push.mts: hook error messages now suggest the file's natural marker syntax (// for TS/JS edits, # for shell/YAML, etc.).
- .claude/hooks/logger-guard/index.mts: same error-message refinement.
- .claude/skills/reviewing-code/run.mts: drop process.chdir; thread repoRoot as cwd through git calls (parallel-Claude safety — chdir is a process-global side effect that races sibling worktrees).
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is ON, but it could not run because the branch was deleted or merged before autofix could start.
Reviewed by Cursor Bugbot for commit 628bf25. Configure here.
| ['log', '--oneline', '--no-decorate', range], | ||
| repoRoot, | ||
| ) | ||
| const diffStat = await git(['diff', '--stat', range], repoRoot) |
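Review bot: `repoRoot` is threaded into the `git([...], repoRoot)` calls here, but with `process.chdir` gone any relative path the skill receives (the `--output` report path raised in the comment below) is no longer implicitly anchored at the repo root while the backend agents still run from `repoRoot`. Resolve such paths once against `repoRoot` before they reach the agents, or state at the call site that they are caller-relative, so the report lands where the agents are told to read it.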
Relative reports drift from repo root
Medium Severity
Relative --output paths now resolve from the caller’s current directory, while backend agents run from repoRoot. Running the skill from a subdirectory writes the report elsewhere than the path agents are prompted to read and update.
| await fs.unlink(tarballPath).catch(() => { | ||
| // Ignore cleanup errors. | ||
| }) | ||
| await safeDelete(tarballPath, { force: true }) |
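Review bot: the removed `.catch(() => {})` swallowed every unlink error, while the commit description says `safeDelete` only handles ENOENT internally, so at `await safeDelete(tarballPath, { force: true })` any other failure (permissions, a still-open handle) now rejects a call whose real work has already finished. If this cleanup is meant to stay best-effort, make that explicit: wrap the call in a try/catch that logs and continues, or confirm and document what `force: true` actually suppresses at this call site.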
Cleanup failures escape success paths
Medium Severity
Several cleanup paths now await safeDelete without preserving the prior best-effort behavior. If deleting a tarball or lock file fails after successful work, the surrounding operation can reject and report failure even though installation or tracking already completed.
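To make the best-effort contract discussed in the first commit description (safeDelete replacing the ENOENT-swallowing try/catch) and in the review comment above concrete, here is an added example that is not `@socketsecurity/lib`'s `safeDelete`: a cleanup wrapper that treats ENOENT as success, logs any other failure and never throws, so the surrounding operation reports the outcome of its real work. `bestEffortDelete`, `runWithCleanup` and `demo` are assumed names; it uses synchronous fs calls to keep the example short.

```typescript
import * as fs from 'node:fs';
import * as os from 'node:os';
import * as path from 'node:path';

// Added example, not the library's safeDelete. Assumed helper names.
type Logger = (msg: string) => void;
type Unlink = (p: string) => void;

// Returns true when `target` is gone afterwards (deleted, or never existed),
// false when deletion failed for a reason other than ENOENT. Never throws,
// which is what keeps a cleanup failure out of the caller's success path.
function bestEffortDelete(
  target: string,
  log: Logger = () => {},
  unlink: Unlink = p => fs.unlinkSync(p),
): boolean {
  try {
    unlink(target);
    return true;
  } catch (e) {
    const code = (e as { code?: string }).code;
    if (code === 'ENOENT') return true; // already gone counts as success
    log(`cleanup of ${target} failed (${code ?? 'unknown error'}); continuing`);
    return false;
  }
}

// Models "do the work, then remove the temp artifact": the returned result
// is the work's result, and a cleanup failure is reported beside it rather
// than turning a finished install into a rejected operation.
function runWithCleanup<T>(
  work: () => T,
  tempPath: string,
  log: Logger = () => {},
  unlink?: Unlink,
): { result: T; cleanedUp: boolean } {
  const result = work();
  const cleanedUp = bestEffortDelete(tempPath, log, unlink);
  return { result, cleanedUp };
}

// Stand-alone demo on a constructed temp tarball; returns the outcome.
function demo(): { result: string; cleanedUp: boolean } {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'cleanup-demo-'));
  const tarball = path.join(dir, 'pkg.tgz');
  fs.writeFileSync(tarball, 'constructed tarball bytes');
  const out = runWithCleanup(() => 'installed', tarball, console.warn);
  fs.rmSync(dir, { recursive: true, force: true });
  return out;
}
```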
Bumps the SocketDev/socket-registry pin from 51f34ffb to 780f6b6. The new commit adds setup-go-toolchain, a Layer 1 composite action that ensures `go` is reliably on PATH on macOS/Windows runners (where the hosted toolcache go isn't always reachable after sfw setup). socket-cli doesn't need go directly, so no behavior change here — just consumes the latest reusable workflows. Other consumers (ultrathink) opt into setup-go via the new `setup-go: true` input on ci.yml.

Note
Medium Risk
Medium risk due to changes in git hook suppression markers and new checksum/asset-verification utilities, which could affect developer workflows and future release integrity checks if misused. Most other changes are refactors/docs/config with limited runtime impact.
Overview
Improves developer/security tooling ergonomics by allowing `socket-hook: allow` suppression markers to work with `#`, `//`, or `/*` comments (and updating error messages to print the natural marker form per file type), plus updating `logger-guard` to match and adding regression tests.

Hardens cleanup and execution behavior by routing various temp/lock-file deletions through `safeDelete` across the CLI bootstrap and dlx/VFS extraction paths, and by updating the `reviewing-code` skill runner to avoid global `process.chdir` in favor of passing an explicit `cwd` to `git` and backend subprocesses.

Adds new build-infra primitives for embedded and network-fetched release checksum handling (`release-checksums` core + consumer) and introduces `release-assets.schema.json` for the embedded manifest shape.

Also adds a disabled `dependabot.yml`, introduces `check:paths`/`xport` scripts and switches root `test` scripts to `scripts/test.mts`, documents non-interactive mode for `scanning-quality`, and adds the `agent-delegation` reference doc + schema text updates for the `scanning-security` rename.