From d0a1799c030d45f0b8043e4176a88a42be00d7ed Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Thu, 9 Apr 2026 13:46:27 -0400
Subject: [PATCH 01/10] chore(ci): bump socket-registry SHA to ed311907

---
 .github/workflows/ci.yml            | 8 ++++----
 .github/workflows/provenance.yml    | 6 +++---
 .github/workflows/weekly-update.yml | 8 ++++----
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4437a7ee6..cd226971d 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -109,7 +109,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
         with:
           checkout: 'false'
 
@@ -168,7 +168,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
         with:
           checkout: 'false'
 
@@ -234,7 +234,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
         with:
           checkout: 'false'
           node-version: ${{ matrix.node-version }}
@@ -310,7 +310,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
         with:
           checkout: 'false'
           node-version: ${{ matrix.node-version }}
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index e3e9c881a..9d0dac6bd 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -51,7 +51,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
         with:
           checkout: 'false'
 
@@ -91,7 +91,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
         with:
           checkout: 'false'
           registry-url: 'https://registry.npmjs.org'
@@ -141,7 +141,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
         with:
           checkout: 'false'
           registry-url: 'https://registry.npmjs.org'
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index a316e4d33..bfe9435c5 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -29,7 +29,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
         with:
           checkout: 'false'
 
@@ -61,7 +61,7 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
         with:
           checkout: 'false'
 
@@ -75,7 +75,7 @@ jobs:
           git checkout -b "$BRANCH_NAME"
           echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@ed3119078118d558f095e9adf8800263166d65f9 # main
         with:
           gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
 
@@ -302,7 +302,7 @@ jobs:
             test.log
           retention-days: 7
 
-      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@ed3119078118d558f095e9adf8800263166d65f9 # main
         if: always()
 
   notify:

From d7fa64adecae3eb7c7c1bba4404393b65e96eb0a Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Thu, 9 Apr 2026 14:16:26 -0400
Subject: [PATCH 02/10] fix(ci): suppress pre-existing zizmor
 template-injection warnings in summary step

---
 .github/workflows/provenance.yml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 9d0dac6bd..960f24293 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -354,6 +354,7 @@ jobs:
           done
 
       - name: Summary
+        # zizmor: ignore[template-injection]
         run: |
           echo "## Publish Summary" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY

From 5843dd89ec8f1fd745333fe2c206ed4d26c1d2a8 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Thu, 9 Apr 2026 14:20:10 -0400
Subject: [PATCH 03/10] fix(ci): document permissions, fix template injection
 in weekly-update

---
 .github/workflows/provenance.yml    | 2 +-
 .github/workflows/weekly-update.yml | 7 ++++---
 2 files changed, 5 insertions(+), 4 deletions(-)

diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 960f24293..5bc34c380 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -134,7 +134,7 @@ jobs:
     timeout-minutes: 45
     permissions:
       contents: read
-      id-token: write
+      id-token: write # NPM trusted publishing via OIDC
 
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index bfe9435c5..8ed25a789 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -52,8 +52,8 @@ jobs:
     if: needs.check-updates.outputs.has-updates == 'true' && inputs.dry-run != true
     runs-on: ubuntu-latest
     permissions:
-      contents: write
-      pull-requests: write
+      contents: write # Push update branch
+      pull-requests: write # Create PR
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -69,9 +69,10 @@ jobs:
         id: branch
         env:
           GH_TOKEN: ${{ github.token }}
+          GITHUB_REPO: ${{ github.repository }}
         run: |
           BRANCH_NAME="weekly-update-$(date +%Y%m%d)"
-          git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
+          git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPO}.git"
           git checkout -b "$BRANCH_NAME"
           echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
 

From 93633278cd2c5331a71d065b024c6f846bce38ea Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Thu, 9 Apr 2026 16:09:56 -0400
Subject: [PATCH 04/10] chore(ci): bump socket-registry SHA to 07975491

---
 .github/workflows/ci.yml            | 8 ++++----
 .github/workflows/provenance.yml    | 6 +++---
 .github/workflows/weekly-update.yml | 8 ++++----
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index cd226971d..f602b141a 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -109,7 +109,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
         with:
           checkout: 'false'
 
@@ -168,7 +168,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
         with:
           checkout: 'false'
 
@@ -234,7 +234,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
         with:
           checkout: 'false'
           node-version: ${{ matrix.node-version }}
@@ -310,7 +310,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
         with:
           checkout: 'false'
           node-version: ${{ matrix.node-version }}
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 5bc34c380..6c9a7d8e9 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -51,7 +51,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
         with:
           checkout: 'false'
 
@@ -91,7 +91,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
         with:
           checkout: 'false'
           registry-url: 'https://registry.npmjs.org'
@@ -141,7 +141,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
         with:
           checkout: 'false'
           registry-url: 'https://registry.npmjs.org'
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index 8ed25a789..7a3d511a8 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -29,7 +29,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
         with:
           checkout: 'false'
 
@@ -61,7 +61,7 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@ed3119078118d558f095e9adf8800263166d65f9 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
         with:
           checkout: 'false'
 
@@ -76,7 +76,7 @@ jobs:
           git checkout -b "$BRANCH_NAME"
           echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@ed3119078118d558f095e9adf8800263166d65f9 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@079754914791fc84cd6468ba1ea192ec904fe2aa # main
         with:
           gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
 
@@ -303,7 +303,7 @@ jobs:
             test.log
           retention-days: 7
 
-      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@ed3119078118d558f095e9adf8800263166d65f9 # main
+      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@079754914791fc84cd6468ba1ea192ec904fe2aa # main
         if: always()
 
   notify:

From 8b1ef4a74ac02dcf583d5c5dc1aaff7ad7a734f0 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Thu, 9 Apr 2026 16:12:23 -0400
Subject: [PATCH 05/10] chore(ci): bump socket-registry SHA to 47d61c98

---
 .github/workflows/ci.yml            | 8 ++++----
 .github/workflows/provenance.yml    | 6 +++---
 .github/workflows/weekly-update.yml | 8 ++++----
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index f602b141a..be3acb970 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -109,7 +109,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
         with:
           checkout: 'false'
 
@@ -168,7 +168,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
         with:
           checkout: 'false'
 
@@ -234,7 +234,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
         with:
           checkout: 'false'
           node-version: ${{ matrix.node-version }}
@@ -310,7 +310,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
         with:
           checkout: 'false'
           node-version: ${{ matrix.node-version }}
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 6c9a7d8e9..8da6bb651 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -51,7 +51,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
         with:
           checkout: 'false'
 
@@ -91,7 +91,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
         with:
           checkout: 'false'
           registry-url: 'https://registry.npmjs.org'
@@ -141,7 +141,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
         with:
           checkout: 'false'
           registry-url: 'https://registry.npmjs.org'
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index 7a3d511a8..d3cb5a6e2 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -29,7 +29,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
         with:
           checkout: 'false'
 
@@ -61,7 +61,7 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@079754914791fc84cd6468ba1ea192ec904fe2aa # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
         with:
           checkout: 'false'
 
@@ -76,7 +76,7 @@ jobs:
           git checkout -b "$BRANCH_NAME"
           echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@079754914791fc84cd6468ba1ea192ec904fe2aa # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@47d61c98b6a4b9db62db149f5f65655474b9901e # main
         with:
           gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
 
@@ -303,7 +303,7 @@ jobs:
             test.log
           retention-days: 7
 
-      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@079754914791fc84cd6468ba1ea192ec904fe2aa # main
+      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@47d61c98b6a4b9db62db149f5f65655474b9901e # main
         if: always()
 
   notify:

From 84d79b95ccb6d527de0f358d5b97bfa973bfce6c Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Thu, 9 Apr 2026 16:49:50 -0400
Subject: [PATCH 06/10] chore: trim CLAUDE.md and audit skills

Reduce CLAUDE.md from 26KB to 8KB (69% reduction) by removing:
- File-by-file codebase descriptions (Claude reads code directly)
- Verbose architecture/update mechanism sections
- Redundant examples repeating the rules they illustrate
- Tutorial-like explanations for standard workflows
- Duplicate information already in socket-registry/CLAUDE.md
- Configuration file listings discoverable from the repo
- Standard language conventions Claude already knows

Merged JUDGMENT/SCOPE and Critical Rules/ABSOLUTE RULES sections.
Condensed Documentation Policy to a single paragraph.
---
 CLAUDE.md | 520 +++++++++---------------------------------------------
 1 file changed, 83 insertions(+), 437 deletions(-)

diff --git a/CLAUDE.md b/CLAUDE.md
index 8b5872945..6aa55880f 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -2,132 +2,86 @@
 
 **MANDATORY**: Act as principal-level engineer. Follow these guidelines exactly.
 
-## 👤 USER CONTEXT
+## USER CONTEXT
 
-- **Identify users by git credentials**: Extract name from git commit author, GitHub account, or context
-- 🚨 **When identity is verified**: ALWAYS use their actual name - NEVER use "the user" or "user"
-- **Direct communication**: Use "you/your" when speaking directly to the verified user
-- **Discussing their work**: Use their actual name when referencing their commits/contributions
-- **Example**: If git shows "John-David Dalton <jdalton@example.com>", refer to them as "John-David"
-- **Other contributors**: Use their actual names from commit history/context
+- Identify users by git credentials (commit author, GitHub account). Use their actual name, never "the user".
+- Use "you/your" when speaking directly; use their name when discussing their work.
 
 ## PRE-ACTION PROTOCOL
 
 **MANDATORY**: Review CLAUDE.md before any action. No exceptions.
 
-- Before ANY structural refactor on a file >300 LOC: remove dead code, unused exports, unused imports first — commit that cleanup separately before the real work
-- Multi-file changes: break into phases (≤5 files each), verify each phase before the next
-- When pointed to existing code as a reference: study it before building — working code is a better spec than any description
-- Work from raw error data, not theories — if a bug report has no error output, ask for it
+- Before ANY structural refactor on a file >300 LOC: remove dead code, unused exports, unused imports first -- commit that cleanup separately
+- Multi-file changes: break into phases (<=5 files each), verify each phase before the next
+- When pointed to existing code as a reference: study it before building
+- Work from raw error data, not theories -- if a bug report has no error output, ask for it
 - On "yes", "do it", or "go": execute immediately, no plan recap
 
 ## VERIFICATION PROTOCOL
 
 **MANDATORY**: Before claiming any task is complete:
 
-1. Run the actual command — execute the script, run the test, check the output
+1. Run the actual command -- execute the script, run the test, check the output
 2. State what you verified, not just "looks good"
-3. **FORBIDDEN**: Claiming "Done" when any test output shows failures, or characterizing incomplete/broken work as complete
+3. **FORBIDDEN**: Claiming "Done" when any test output shows failures
 4. If type-check or lint is configured, run it and fix ALL errors before reporting done
 5. Re-read every file modified; confirm nothing references something that no longer exists
 
 ## CONTEXT & EDIT SAFETY
 
-- After 10+ messages: re-read any file before editing it — do not trust remembered contents
-- Read files >500 LOC in chunks using offset/limit; never assume one read captured the whole file
-- Before every edit: re-read the file. After every edit: re-read to confirm the change applied correctly
-- When renaming anything, search separately for: direct calls, type references, string literals, dynamic imports, re-exports, test files — one grep is not enough
-- Never fix a display/rendering problem by duplicating state — one source of truth, everything reads from it
+- After 10+ messages: re-read any file before editing it
+- Read files >500 LOC in chunks using offset/limit
+- Before every edit: re-read the file. After every edit: re-read to confirm
+- When renaming: search for direct calls, type references, string literals, dynamic imports, re-exports, test files -- one grep is not enough
+- Never fix a display/rendering problem by duplicating state
 
-## JUDGMENT PROTOCOL
+## JUDGMENT & SCOPE
 
-- If the user's request is based on a misconception, say so before executing
-- If you spot a bug adjacent to what was asked, flag it: "I also noticed X — want me to fix it?"
-- You are a collaborator, not just an executor
-
-## SCOPE PROTOCOL
-
-- Do not add features, refactor, or make improvements beyond what was asked — band-aids when asked for band-aids
-- Try the simplest approach first; if architecture is actually flawed, flag it and wait for approval before restructuring
-- When asked to "make a plan," output only the plan — no code until given the go-ahead
+- If the request is based on a misconception, say so before executing
+- If you spot a bug adjacent to what was asked, flag it
+- Do not add features, refactor, or make improvements beyond what was asked
+- Try the simplest approach first; flag architecture issues and wait for approval
+- When asked to "make a plan," output only the plan -- no code until given the go-ahead
 
 ## SELF-EVALUATION
 
-- Before calling anything done: present two views — what a perfectionist would reject vs. what a pragmatist would ship — let the user decide
+- Before calling anything done: present what a perfectionist would reject vs. what a pragmatist would ship
 - After fixing a bug: explain why it happened and what category of bug it represents
-- If a fix doesn't work after two attempts: stop, re-read the relevant section top-down, state where the mental model was wrong, propose something fundamentally different
-- If asked to "step back" or "we're going in circles": drop everything, rethink from scratch
+- If a fix doesn't work after two attempts: stop, re-read top-down, state where the mental model was wrong
+- If asked to "step back": drop everything, rethink from scratch
 
 ## HOUSEKEEPING
 
-- Before risky changes: offer to checkpoint — "want me to commit before this?"
-- If a file is getting unwieldy (>400 LOC): flag it — "this is big enough to cause pain — want me to split it?"
+- Before risky changes: offer to checkpoint
+- If a file is getting unwieldy (>400 LOC): flag it
 
 ## Critical Rules
 
-### Fix ALL Issues
-
-- **Fix ALL issues when asked** - Never dismiss issues as "pre-existing" or "not caused by my changes"
-- When asked to fix, lint, or check: fix everything found, regardless of who introduced it
-- Always address all issues found during lint/check operations
-
-## ABSOLUTE RULES
-
-- Never create files unless necessary
-- Always prefer editing existing files
+- **Fix ALL issues when asked** -- never dismiss issues as "pre-existing"
+- Never create files unless necessary; always prefer editing existing files
 - Forbidden to create docs unless requested
-- Required to do exactly what was asked
-- 🚨 **NEVER use `npx`, `pnpm dlx`, or `yarn dlx`** — use `pnpm exec <package>` for devDep binaries, or `pnpm run <script>` for package.json scripts. If a tool is needed, add it as a pinned devDependency first.
-
-## ROLE
-
-Principal Software Engineer: production code, architecture, reliability, ownership.
+- 🚨 **NEVER use `npx`, `pnpm dlx`, or `yarn dlx`** -- use `pnpm exec <package>` for devDep binaries, or `pnpm run <script>` for package.json scripts
 
 ## EVOLUTION
 
 If user repeats instruction 2+ times, ask: "Should I add this to CLAUDE.md?"
 
-## 📚 SHARED STANDARDS
+## SHARED STANDARDS
 
 **Canonical reference**: `../socket-registry/CLAUDE.md`
 
 All shared standards (git, testing, code style, cross-platform, CI) defined in socket-registry/CLAUDE.md.
 
-**Quick references**:
-
-- Commits: [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) `<type>(<scope>): <description>` - NO AI attribution
+- Commits: [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) `<type>(<scope>): <description>` -- NO AI attribution
 - Scripts: Prefer `pnpm run foo --flag` over `foo:bar` scripts
 - Dependencies: After `package.json` edits, run `pnpm install` to update `pnpm-lock.yaml`
-- Backward Compatibility: 🚨 FORBIDDEN to maintain - actively remove when encountered (see canonical CLAUDE.md)
-- Work Safeguards: MANDATORY commit + backup branch before bulk changes
+- Backward Compatibility: 🚨 FORBIDDEN to maintain -- actively remove when encountered
 - Safe Deletion: Use `safeDelete()` from `@socketsecurity/lib/fs` (NEVER `fs.rm/rmSync` or `rm -rf`)
-- HTTP Requests: NEVER use `fetch()` — use `httpJson`/`httpText`/`httpRequest` from `@socketsecurity/lib/http-request`
+- HTTP Requests: NEVER use `fetch()` -- use `httpJson`/`httpText`/`httpRequest` from `@socketsecurity/lib/http-request`
 
 ### Documentation Policy
 
-🚨 **CRITICAL**: Do NOT litter the repository with documentation files.
-
-**Allowed documentation locations:**
-- `docs/` - Primary documentation folder (lowercase-with-hyphens.md filenames, pithy writing with visuals)
-- `README.md` - Root project README only
-- `CHANGELOG.md` - Root changelog only
-- `SECURITY.md` - Root security policy only
-- `CLAUDE.md` - Root project instructions only
-- `packages/*/README.md` - Package-specific READMEs only
-- `test/fixtures/*/README.md` - Test fixture explanations only (when fixtures are complex)
-- `test/*/README.md` - Test suite architecture docs only (e.g., `test/e2e/README.md`, `test/helpers/README.md`)
-
-**Forbidden documentation locations:**
-- ❌ `.claude/*.md` - No temporary analysis docs, architectural notes, coverage reports
-- ❌ Root directory clutter - No ad-hoc markdown files
-- ❌ Scattered docs - No documentation outside approved locations
-
-**When creating documentation:**
-1. Ask: Does this belong in `docs/`? (99% of the time, yes)
-2. Use descriptive lowercase-with-hyphens.md filenames
-3. Keep writing pithy and focused
-4. Include visuals where helpful
-5. Never create temporary/scratch documentation files
+Do NOT litter the repository with documentation files. Allowed locations: `docs/`, root `README.md`/`CHANGELOG.md`/`SECURITY.md`/`CLAUDE.md`, `packages/*/README.md`, `test/fixtures/*/README.md`, `test/*/README.md`. No `.claude/*.md` analysis docs, no ad-hoc markdown files.
 
 ---
 
@@ -135,385 +89,77 @@ All shared standards (git, testing, code style, cross-platform, CI) defined in s
 
 ## Commands
 
-### Development Commands
-
-- **Build**: `pnpm run build` (smart build, skips unchanged)
-- **Build force**: `pnpm run build --force` (force rebuild CLI + SEA for current platform)
-- **Build SEA**: `pnpm run build:sea` (build SEA binaries for all platforms)
-- **Build CLI**: `pnpm run build:cli` (CLI package only)
-- **Test**: `pnpm test` (runs check + all tests from monorepo root)
-- **Test unit only**: `pnpm --filter @socketsecurity/cli run test:unit`
-- **Lint**: `pnpm run lint` (uses oxlint)
-- **Type check**: `pnpm run type` (uses tsc)
-- **Check all**: `pnpm run check` (lint + typecheck)
-- **Fix all issues**: `pnpm run fix` (auto-fix linting and formatting)
-- **Commit without tests**: `git commit --no-verify` (skips pre-commit hooks including tests)
-
-### Binary Build Notes
-
-- **Node-smol binaries**: Downloaded from socket-btm releases (not built locally)
-- **Yoga WASM**: Downloaded from socket-btm releases (not built locally)
-- **SEA binaries**: Built by injecting CLI blob into downloaded node-smol binaries
-- **Output location**: `packages/package-builder/build/{dev|prod}/out/socketbin-cli-<platform>-<arch>/socket`
-- **Cache location**: Build assets in `packages/build-infra/build/downloaded/`, DLX packages and VFS-extracted tools in `~/.socket/_dlx/`
-
-### Testing Best Practices - CRITICAL: NO -- FOR FILE PATHS
-
-- **🚨 NEVER USE `--` BEFORE TEST FILE PATHS** - This runs ALL tests, not just your specified files!
-- **Always build before testing**: Run `pnpm run build:cli` before running tests to ensure dist files are up to date.
-- **Test all**: ✅ CORRECT: `pnpm test` (from monorepo root)
-- **Test single file**: ✅ CORRECT: `pnpm --filter @socketsecurity/cli run test:unit src/commands/specific/cmd-file.test.mts`
-  - ❌ WRONG: `pnpm test:unit src/commands/specific/cmd-file.test.mts` (command not found at root!)
-  - ❌ WRONG: `pnpm --filter @socketsecurity/cli run test:unit -- src/commands/specific/cmd-file.test.mts` (runs ALL tests!)
-- **Test multiple files**: ✅ CORRECT: `pnpm --filter @socketsecurity/cli run test:unit file1.test.mts file2.test.mts`
-- **Test with pattern**: ✅ CORRECT: `pnpm --filter @socketsecurity/cli run test:unit src/commands/specific/cmd-file.test.mts -t "pattern"`
-  - ❌ WRONG: `pnpm --filter @socketsecurity/cli run test:unit -- src/commands/specific/cmd-file.test.mts -t "pattern"`
-- **Update snapshots**:
-  - All tests: `pnpm testu` (builds first, then updates all snapshots)
-  - Single file: ✅ CORRECT: `pnpm testu src/commands/specific/cmd-file.test.mts`
-  - ❌ WRONG: `pnpm testu -- src/commands/specific/cmd-file.test.mts` (updates ALL snapshots!)
-- **Update with --update flag**: `pnpm --filter @socketsecurity/cli run test:unit src/commands/specific/cmd-file.test.mts --update`
-- **Timeout for long tests**: Use `timeout` command or specify in test file.
-
-### Commit Messages
-
-Follow [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/):
-
-```
-<type>(<scope>): <description>
-
-Types: feat, fix, docs, style, refactor, test, chore, perf
-```
-
-- **NO AI attribution** in commit messages — the commit-msg hook auto-strips it
-
-### Running the CLI locally
-
-- **Watch mode**: `pnpm dev` (auto-rebuilds on file changes)
-- **Build and run**: `pnpm build:cli && node packages/cli/dist/index.js`
-- **Run built version**: `node packages/cli/dist/index.js <args>` (requires prior build)
-
-**Note**: Avoid `pnpm exec socket` if you have a global `socket` installation, as it may conflict with the local package.
-
-### Package Management
-
-- **Package Manager**: This project uses pnpm (v10.22+)
-- **Install dependencies**: `pnpm install`
-- **Add dependency**: `pnpm add <package>`
-- **Add dev dependency**: `pnpm add -D <package>`
-- **Update dependencies**: `pnpm update`
-- **Override behavior**: pnpm.overrides in package.json controls dependency versions across the entire project
-- **Using $ syntax**: `"$package-name"` in overrides means "use the version specified in dependencies"
-
-## Architecture
-
-This is a CLI tool for Socket.dev security analysis, built with TypeScript using .mts extensions.
-
-### Core Structure
-
-- **Entry point**: `src/cli.mts` - Main CLI entry with meow subcommands
-- **Commands**: `src/commands.mts` - Exports all command definitions
-- **Command modules**: `src/commands/*/` - Each feature has its own directory with cmd-_, handle-_, and output-\* files
-- **Utilities**: `src/utils/` - Shared utilities for API, config, formatting, etc.
-- **Constants**: `src/constants.mts` - Application constants
-- **Types**: `src/types.mts` - TypeScript type definitions
-
-### Command Architecture Pattern
-
-**✅ PREFERRED: Consolidated Pattern for Simple Commands**
-
-For commands with straightforward logic (no subcommands, < 200 lines total), consolidate into a single `cmd-*.mts` file:
-
-```typescript
-// Single cmd-*.mts file structure:
-import { getDefaultLogger } from '@socketsecurity/lib/logger'
-// ... other imports
-
-const logger = getDefaultLogger()
-
-export const CMD_NAME = 'command-name'
-const description = 'Command description'
-const hidden = false
-
-// Types.
-interface CommandResult {
-  // Type definitions here.
-}
-
-// Helper functions.
-function helperFunction(): void {
-  // Helper logic here.
-}
-
-// Command handler.
-async function run(
-  argv: string[] | readonly string[],
-  importMeta: ImportMeta,
-  { parentName }: CliCommandContext,
-): Promise<void> {
-  const config: CliCommandConfig = {
-    /* ... */
-  }
-  const cli = meowOrExit({ argv, config, importMeta, parentName })
-
-  // Command logic here.
-}
-
-// Exported command.
-export const cmdCommandName = {
-  description,
-  hidden,
-  run,
-}
-```
-
-**Benefits**:
-
-- All command logic in one file for easy navigation
-- Clear sections: imports → constants → types → helpers → handler → export
-- Reduced file count (3 files → 1 file)
-- Maintained compatibility with existing meow-based CLI architecture
-
-**Examples**: `whoami`, `logout` (consolidated)
-
-**⚠️ Legacy Pattern for Complex Commands**
-
-Complex commands with subcommands or > 200 lines should keep the modular pattern:
-
-- `cmd-*.mts` - Command definition and CLI interface
-- `handle-*.mts` - Business logic and processing
-- `output-*.mts` - Output formatting (JSON, markdown, etc.)
-- `fetch-*.mts` - API calls (where applicable)
+- **Build**: `pnpm run build` (smart build) | `pnpm run build --force` | `pnpm run build:cli` (CLI only) | `pnpm run build:sea`
+- **Test**: `pnpm test` (all from monorepo root) | `pnpm --filter @socketsecurity/cli run test:unit`
+- **Lint**: `pnpm run lint` | **Type check**: `pnpm run type` | **Check all**: `pnpm run check`
+- **Fix**: `pnpm run fix` (auto-fix linting and formatting)
+- **Dev**: `pnpm dev` (watch mode) | **Run built**: `node packages/cli/dist/index.js <args>`
 
-**Examples**: `scan`, `organization`, `repository` (keep modular)
+### Testing -- CRITICAL
 
-### Key Command Categories
+- 🚨 **NEVER USE `--` BEFORE TEST FILE PATHS** -- this runs ALL tests, not just specified files
+- Always build before testing: `pnpm run build:cli`
+- Single file: `pnpm --filter @socketsecurity/cli run test:unit src/commands/specific/cmd-file.test.mts`
+- Update snapshots: `pnpm testu src/commands/specific/cmd-file.test.mts`
+- Update with flag: `pnpm --filter @socketsecurity/cli run test:unit src/commands/specific/cmd-file.test.mts --update`
+- NEVER write source-code-scanning tests -- verify behavior, not string patterns
 
-- **npm/npx wrapping**: `socket npm`, `socket npx` - Wraps npm/npx with security scanning
-- **Scanning**: `socket scan` - Create and manage security scans
-- **Organization management**: `socket organization` - Manage org settings and policies
-- **Package analysis**: `socket package` - Analyze package scores
-- **Optimization**: `socket optimize` - Apply Socket registry overrides
-- **Configuration**: `socket config` - Manage CLI configuration
+### Changelog
 
-### Update Mechanism
+Follow [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). User-facing changes only: Added, Changed, Fixed, Removed. Marketing voice, stay concise.
 
-Socket CLI has different update mechanisms depending on installation method:
+## Code Style (MANDATORY)
 
-#### SEA Binaries (Standalone Executables)
+### File Organization
 
-- **Update checking**: Handled by node-smol C stub via embedded `--update-config`
-- **Configuration**: Embedded during build in `packages/cli/scripts/sea-build-utils/builder.mjs`
-- **GitHub releases**: Checks `https://api.github.com/repos/SocketDev/socket-cli/releases`
-- **Tag pattern**: Matches `socket-cli-*` (e.g., `socket-cli-20260127-abc1234`)
-- **Notification**: Shown on CLI exit (non-blocking)
-- **Update command**: `socket self-update` (handled by node-smol, not TypeScript CLI)
-- **Environment variable**: `SOCKET_CLI_SKIP_UPDATE_CHECK=1` to disable
+- `.mts` extensions for TypeScript modules
+- 🚨 ALWAYS use separate `import type` statements -- NEVER mix runtime and type imports
+- Node.js fs: `import { someSyncThing, promises as fs } from 'node:fs'`
+- Process spawning: MUST use `spawn` from `@socketsecurity/registry/lib/spawn` (NEVER `child_process`)
+- File existence: ALWAYS use `existsSync()` from `node:fs` (NEVER `fs.access`)
 
-#### npm/pnpm/yarn Installations
+### Code Patterns
 
-- **Update checking**: TypeScript-based in `src/utils/update/manager.mts`
-- **Registry**: Checks npm registry for `socket` package
-- **Notification**: Shown on CLI exit (non-blocking)
-- **Update command**: Use package manager (e.g., `npm update -g socket`)
-- **Environment variable**: `SOCKET_CLI_SKIP_UPDATE_CHECK=1` to disable
+- Array destructuring: Use `{ 0: key, 1: data }` instead of `[key, data]`
+- Dynamic imports: 🚨 FORBIDDEN -- always use static imports
+- Sorting: 🚨 MANDATORY -- sort lists, exports, destructured properties, documentation headers alphabetically
+- Comments: Default NO. Only when the WHY is non-obvious. Own line, not inline.
+- Functions: Alphabetical order, private first, exported second
+- Object mappings: Use `__proto__: null` for static lookup tables; `Map` for dynamic collections
+- Array length: `!array.length` not `=== 0`; `array.length` or `!!array.length` for truthy
+- Catch: `catch (e)` not `catch (error)`
+- Numbers: Use underscore separators (`20_000`). Do NOT modify number values inside strings.
+- Flags: MUST use `MeowFlags` type with descriptive help text
+- Error handling: Use `InputError` and `AuthError` from `src/utils/errors.mts`; prefer `CResult<T>` for fallible functions; avoid `process.exit(1)`
+- GitHub API: Use Octokit from `src/utils/github.mts`, not raw fetch
 
-#### Key Implementation Details
+### Command Pattern
 
-- `scheduleUpdateCheck()` in `manager.mts` skips when `isSeaBinary()` returns true
-- SEA binaries use embedded update-config.json (1112 bytes)
-- node-smol handles HTTP requests via embedded libcurl
-- Update checks respect CI/TTY detection and rate limiting
-
-### Build System
-
-- Uses esbuild for building distribution files
-- TypeScript compilation with tsgo
-- Environment config (.env.test for testing)
-- Linting with Oxlint
-- Formatting with Oxfmt
-
-### Testing
-
-- Vitest for unit testing
-- Test files use `.test.mts` extension
-- Fixtures in `test/fixtures/`
-- Coverage reporting available
-
-### Test Style — Functional Over Source Scanning
-
-**NEVER write source-code-scanning tests**
-
-Do not read source files and assert on their contents (`.toContain('pattern')`). These tests are brittle and break on any refactor.
-
-- Write functional tests that verify **behavior**, not string patterns
-- For modules requiring a built binary: use integration tests
-- For pure logic: use unit tests with real function calls
-
-### External Dependencies
-
-- Dependencies bundled into `dist/cli.js` via esbuild
-- Uses Socket registry overrides for security
-- Custom patches applied to dependencies in `patches/`
-
-## Environment and Configuration
-
-### Environment Files
-
-- **`.env.test`** - Test environment configuration
-
-### Configuration Files
-
-- **`.oxfmtrc.json`** - Oxfmt formatter configuration
-- **`.oxlintrc.json`** - Oxlint linter configuration
-- **`vitest.config.mts`** - Vitest test runner configuration
-- **`tsconfig.json`** - Main TypeScript configuration
-- **`tsconfig.dts.json`** - TypeScript configuration for type definitions
-
-### Package Structure
-
-- **Binary entries**: `socket`, `socket-npm`, `socket-npx` (defined in package.json `bin` field, pointing to `dist/index.js`)
-- **Distribution**: Built files go to `dist/` directory
-- **External dependencies**: Bundled into `dist/cli.js` via esbuild
-- **Test fixtures**: Located in `test/fixtures/`
-
-### Dependency Management
-
-- Uses Socket registry overrides for enhanced alternatives
-- Custom patches applied to dependencies via `custompatch`
-- Overrides specified in package.json for enhanced alternatives
-
-## Changelog Management
-
-Follow [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) format. Include user-facing changes only: Added, Changed, Fixed, Removed. Exclude: dependency updates, refactoring, tests, CI/CD, formatting. Marketing voice, stay concise.
-
-### Third-Party Integrations
-
-Socket CLI integrates with various third-party tools and services:
-
-- **@coana-tech/cli**: Static analysis tool for reachability analysis and vulnerability detection
-- **cdxgen**: CycloneDX BOM generator for creating software bill of materials
-- **synp**: Tool for converting between yarn.lock and package-lock.json formats
-
-## 🔧 Code Style (MANDATORY)
-
-### 📁 File Organization
-
-- **File extensions**: Use `.mts` for TypeScript module files
-- **Import order**: Node.js built-ins first, then third-party packages, then local imports
-- **Import grouping**: Group imports by source (Node.js, external packages, local modules)
-- **Type imports**: 🚨 ALWAYS use separate `import type` statements for TypeScript types, NEVER mix runtime imports with type imports in the same statement
-  - ✅ CORRECT: `import { readPackageJson } from '@socketsecurity/registry/lib/packages'` followed by `import type { PackageJson } from '@socketsecurity/registry/lib/packages'`
-  - ❌ FORBIDDEN: `import { readPackageJson, type PackageJson } from '@socketsecurity/registry/lib/packages'`
-
-### Naming Conventions
-
-- **Constants**: Use `UPPER_SNAKE_CASE` for constants (e.g., `CMD_NAME`, `REPORT_LEVEL`)
-- **Files**: Use kebab-case for filenames (e.g., `cmd-scan-create.mts`, `handle-create-new-scan.mts`)
-- **Variables**: Use camelCase for variables and functions
-
-### 🏗️ Code Structure (CRITICAL PATTERNS)
-
-- **Command pattern**: Complex commands use modular pattern (`cmd-*.mts`, `handle-*.mts`, `output-*.mts`); simple commands use consolidated single `cmd-*.mts` file
-- **Type definitions**: 🚨 ALWAYS use `import type` for better tree-shaking
-- **Flags**: 🚨 MUST use `MeowFlags` type with descriptive help text
-- **Error handling**: 🚨 REQUIRED - Use custom error types `AuthError` and `InputError`
-- **Array destructuring**: Use object notation `{ 0: key, 1: data }` instead of array destructuring `[key, data]`
-- **Dynamic imports**: 🚨 FORBIDDEN - Never use dynamic imports (`await import()`). Always use static imports at the top of the file
-- **Sorting**: 🚨 MANDATORY - Always sort lists, exports, and items in documentation headers alphabetically/alphanumerically for consistency
-- **Comment policy**: Default to NO comments. Only add one when the WHY is non-obvious to a senior engineer reading the code cold
-- **Comment placement**: Place comments on their own line, not to the right of code
-- **Comment formatting**: Use fewer hyphens/dashes and prefer commas, colons, or semicolons for better readability
-- **Await in loops**: When using `await` inside for-loops, sequential processing is acceptable when iterations depend on each other
-- **If statement returns**: Never use single-line return if statements; always use proper block syntax with braces
-- **List formatting**: Use `-` for bullet points in text output, not `•` or other Unicode characters, for better terminal compatibility
-- **Existence checks**: Perform simple existence checks first before complex operations
-- **Destructuring order**: Sort destructured properties alphabetically in const declarations
-- **Function ordering**: Place functions in alphabetical order, with private functions first, then exported functions
-- **GitHub API calls**: Use Octokit instances from `src/utils/github.mts` (`getOctokit()`, `getOctokitGraphql()`) instead of raw fetch calls for GitHub API interactions
-- **Object mappings**: Use objects with `__proto__: null` (not `undefined`) for static string-to-string mappings and lookup tables to prevent prototype pollution; use `Map` for dynamic collections that will be mutated
-- **Mapping constants**: Move static mapping objects outside functions as module-level constants with descriptive UPPER_SNAKE_CASE names
-- **Array length checks**: Use `!array.length` instead of `array.length === 0`. For `array.length > 0`, use `!!array.length` when function must return boolean, or `array.length` when used in conditional contexts
-- **Catch parameter naming**: Use `catch (e)` instead of `catch (error)` for consistency across the codebase
-- **Node.js fs imports**: 🚨 MANDATORY pattern - `import { someSyncThing, promises as fs } from 'node:fs'`
-- **Process spawning**: 🚨 FORBIDDEN to use Node.js built-in `child_process.spawn` - MUST use `spawn` from `@socketsecurity/registry/lib/spawn`
-- **Number formatting**: 🚨 REQUIRED - Use underscore separators (e.g., `20_000`) for large numeric literals. 🚨 FORBIDDEN - Do NOT modify number values inside strings
-
-### Error Handling
-
-- **Input validation errors**: Use `InputError` from `src/utils/errors.mts` for user input validation failures (missing files, invalid arguments, etc.)
-- **Authentication errors**: Use `AuthError` from `src/utils/errors.mts` for API authentication issues
-- **CResult pattern**: Use `CResult<T>` type for functions that can fail, following the Result/Either pattern with `ok: true/false`
-- **Process exit**: Avoid `process.exit(1)` unless absolutely necessary; prefer throwing appropriate error types that the CLI framework handles
-- **Error messages**: Write clear, actionable error messages that help users understand what went wrong and how to fix it
-- **Examples**:
-  - ✅ `throw new InputError('No .socket directory found in current directory')`
-  - ✅ `throw new AuthError('Invalid API token')`
-  - ❌ `logger.error('Error occurred'); return` (doesn't set proper exit code)
-  - ❌ `process.exit(1)` (bypasses error handling framework)
-
-### Safe File Operations (SECURITY CRITICAL)
-
-- **File deletion**: See SHARED STANDARDS section
-- 🚨 Use `safeDelete()` from `@socketsecurity/lib/fs` (NEVER `fs.rm/rmSync` or `rm -rf`)
-
-### Debugging and Troubleshooting
-
-- **CI vs Local Differences**: CI uses published npm packages, not local versions. Be defensive when using @socketsecurity/registry features
-- **File Existence Checks**: ALWAYS use `existsSync()` from `node:fs`, NEVER use `fs.access()` or `fs.promises.access()` for file/directory existence checks. `existsSync()` is synchronous, more direct, and the established pattern in this codebase for consistency
-
-### Formatting
-
-- **Linting**: Uses Oxlint with TypeScript and import plugins
-- **Formatting**: Uses Oxfmt for code formatting with 2-space indentation
-- **Line length**: Target 80 character line width where practical
+- Simple commands (<200 LOC, no subcommands): single `cmd-*.mts` file
+- Complex commands: modular `cmd-*.mts` + `handle-*.mts` + `output-*.mts` + `fetch-*.mts`
 
 ### Completion Protocol
-- **NEVER claim done with something 80% complete** — finish 100% before reporting
-- When a multi-step change doesn't immediately show gains, commit and keep iterating — don't revert
-- If one approach fails, fix forward: analyze why, adjust, rebuild, re-measure — not `git checkout`
-- After EVERY code change: build, test, verify, commit. This is a single atomic unit
-- Reverting is a last resort after exhausting forward fixes — and requires explicit user approval
-
-### File System as State
-The file system is working memory. Use it actively:
-- Write intermediate results and analysis to files in `.claude/`
-- Use `.claude/` for plans, status tracking, and cross-session context
-- When debugging, save logs and outputs to files for reproducible verification
-- Don't hold large analysis in context — write it down, reference it later
-
-### Self-Improvement
-- After ANY correction from the user: log the pattern to memory so the same mistake is never repeated
-- Convert mistakes into strict rules — don't just note them, enforce them
-- After fixing a bug: explain why it happened and whether anything prevents that category of bug in the future
+
+- NEVER claim done at 80% -- finish 100% before reporting
+- Fix forward: if an approach fails, analyze why, adjust, rebuild -- not `git checkout`
+- After EVERY code change: build, test, verify, commit as a single atomic unit
+- Reverting requires explicit user approval
 
 ### Context Awareness
-- Tool results over 50K characters are silently truncated — if search returns suspiciously few results, narrow scope and re-run
-- For tasks touching >5 files: use sub-agents with worktree isolation to prevent context decay
 
----
+- Tool results over 50K characters are silently truncated -- narrow scope and re-run if results look incomplete
+- For tasks touching >5 files: use sub-agents with worktree isolation
 
 ## Codex Usage
 
-- **Codex is for advice and critical assessment ONLY — never for making code changes**
-- Ask Codex to: analyze, diagnose, review, estimate, suggest approaches
-- Do NOT ask Codex to: implement, write, modify, add code to files
-- Implement changes yourself after understanding Codex's advice
-- **Proactive consultation**: Before diving deep into a complex optimization (>30min estimated), consult Codex for critical analysis first — this catches fundamental design flaws early
-- **Bounce ideas**: Use Codex as a sounding board when stuck — describe the problem, what you've tried, and ask for honest assessment of whether the approach is worth continuing
+- Codex is for advice and critical assessment ONLY -- never for making code changes
+- Before complex optimizations (>30min), consult Codex for critical analysis first
 
 ## Agents & Skills
 
-- `/security-scan` — runs AgentShield + zizmor security audit
-- `/quality-scan` — comprehensive code quality analysis
-- `/quality-loop` — scan and fix iteratively
+- `/security-scan` -- AgentShield + zizmor security audit
+- `/quality-scan` -- comprehensive code quality analysis
+- `/quality-loop` -- scan and fix iteratively
+- `/sync-checksums` -- sync external tool SHA-256 checksums
 - Agents: `code-reviewer`, `security-reviewer`, `refactor-cleaner` (in `.claude/agents/`)
 - Shared subskills in `.claude/skills/_shared/`
-- Pipeline state tracked in `.claude/ops/queue.yaml`
-
-## Quality Standards
-
-- Code MUST pass all existing lints and type checks
-- All patterns MUST follow established codebase conventions
-- Error handling MUST be robust and user-friendly
-- Performance considerations MUST be evaluated for any changes

From a898b4f8a6dcf83f57a4886172377607ec750830 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Thu, 9 Apr 2026 16:52:32 -0400
Subject: [PATCH 07/10] fix: use third-person in skill descriptions

---
 .claude/skills/quality-scan/SKILL.md  | 2 +-
 .claude/skills/security-scan/SKILL.md | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.claude/skills/quality-scan/SKILL.md b/.claude/skills/quality-scan/SKILL.md
index c75041421..d52923898 100644
--- a/.claude/skills/quality-scan/SKILL.md
+++ b/.claude/skills/quality-scan/SKILL.md
@@ -1,7 +1,7 @@
 ---
 name: quality-scan
 description: >
-  Iteratively scanning socket-cli for code quality issues across critical bugs, logic errors,
+  Iteratively scans socket-cli for code quality issues across critical bugs, logic errors,
   caching problems, workflow issues, security vulnerabilities, and documentation gaps.
   Automatically fixes all discovered issues and commits changes until zero issues remain or
   5 iterations complete. Use when performing comprehensive quality improvement or preparing
diff --git a/.claude/skills/security-scan/SKILL.md b/.claude/skills/security-scan/SKILL.md
index 0ba403fea..161fb5bfa 100644
--- a/.claude/skills/security-scan/SKILL.md
+++ b/.claude/skills/security-scan/SKILL.md
@@ -1,6 +1,6 @@
 ---
 name: security-scan
-description: Run a multi-tool security scan — AgentShield for Claude config, zizmor for GitHub Actions, and optionally Socket CLI for dependency scanning. Produces an A-F graded security report.
+description: Runs a multi-tool security scan — AgentShield for Claude config, zizmor for GitHub Actions, and optionally Socket CLI for dependency scanning. Produces an A-F graded security report.
 ---
 
 # Security Scan

From 8c2c74ab9f709b0e4f6904cbb88a69842124f695 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Thu, 9 Apr 2026 16:55:29 -0400
Subject: [PATCH 08/10] chore: trim skill files and fix third-person
 descriptions

---
 .claude/skills/quality-scan/SKILL.md       | 517 ++-------------------
 .claude/skills/updating-checksums/SKILL.md | 175 +------
 .claude/skills/updating/SKILL.md           | 192 +-------
 3 files changed, 83 insertions(+), 801 deletions(-)

diff --git a/.claude/skills/quality-scan/SKILL.md b/.claude/skills/quality-scan/SKILL.md
index d52923898..11014b4af 100644
--- a/.claude/skills/quality-scan/SKILL.md
+++ b/.claude/skills/quality-scan/SKILL.md
@@ -1,479 +1,58 @@
 ---
 name: quality-scan
 description: >
-  Iteratively scans socket-cli for code quality issues across critical bugs, logic errors,
-  caching problems, workflow issues, security vulnerabilities, and documentation gaps.
-  Automatically fixes all discovered issues and commits changes until zero issues remain or
-  5 iterations complete. Use when performing comprehensive quality improvement or preparing
-  for releases.
+  Runs iterative code quality scans on socket-cli, fixing all discovered issues
+  and committing changes until zero issues remain or 5 iterations complete.
 ---
 
 # quality-scan
 
-## Task Checklist
-
-Copy this checklist to track your progress through each iteration:
-
-```markdown
-### Iteration [N] Progress Tracker
-
-- [ ] Phase 1: Validate git environment
-- [ ] Phase 2: Update dependencies
-- [ ] Phase 3: Clean repository
-- [ ] Phase 4: Validate structure
-- [ ] Phase 5: Determine scan scope
-- [ ] Phase 5b: Install external tools (zizmor)
-- [ ] Phase 6: Execute scans (critical, logic, cache, workflow, security+zizmor, documentation)
-- [ ] Phase 7: Aggregate findings
-- [ ] Phase 8: Generate report
-- [ ] Phase 9: Fix all issues
-- [ ] Phase 10: Run tests
-- [ ] Phase 11: Commit fixes
-- [ ] Decision: Continue to next iteration or exit
-
-**Issues found**: [count]
-**Issues fixed**: [count]
-**Tests status**: [pass/fail]
-```
-
-## Execution Guidelines
-
-<principles>
-**Fix comprehensively**: Address all issues regardless of complexity. Architectural problems require fixing, not deferral, because incomplete fixes leave the codebase in an inconsistent state.
-
-**Test continuously**: Run `pnpm test` after each iteration because untested fixes risk introducing regressions that compound across iterations.
-
-**Bound iterations**: Cap at 5 iterations because unbounded loops escalate costs without guaranteed convergence; manual intervention becomes necessary beyond this threshold.
-
-**Work sequentially**: Execute one phase completely before starting the next because each phase's output informs subsequent phases; parallel execution causes missing dependencies.
-</principles>
-
-<commit_strategy>
-Examine repository history to choose the appropriate commit approach:
-
-```bash
-git rev-list --count HEAD
-```
-
-- **If count = 1**: Amend the single commit to maintain clean history
-- **If count > 1**: Create new commits to preserve development timeline
-
-Rationale: Single-commit repos indicate initial setup; amending keeps history clean. Multi-commit repos represent evolution; new commits preserve that narrative.
-</commit_strategy>
-
-## Phase-by-Phase Execution
-
-### Phase 1: Validate Environment
-
-<action>
-Run `git status` to check repository state.
-</action>
-
-<decision_tree>
-- Clean repository → Proceed to Phase 2
-- Dirty repository → Warn user; ask to continue or abort
-- Not a git repository → Exit with error (quality scans require version control)
-</decision_tree>
-
-Update checklist: Mark Phase 1 complete.
-
----
-
-### Phase 2: Update Dependencies
-
-<action>
-Run `pnpm install` to ensure current dependencies.
-</action>
-
-Rationale: Outdated packages trigger false positives when scans expect current API signatures.
-
-Track updated packages for commit message context.
-
-Update checklist: Mark Phase 2 complete.
-
----
-
-### Phase 3: Repository Cleanup
-
-<action>
-Find cleanup candidates using Glob tool, then ask user confirmation before deletion.
-</action>
-
-<cleanup_targets>
-1. SCREAMING_TEXT.md files outside `.claude/` and `docs/` directories
-2. Temporary files: `*.tmp`, `*.temp`, `.DS_Store`, `*~`, `*.swp`
-3. Test files outside `test/` or `__tests__/` directories
-</cleanup_targets>
-
-Request confirmation for each file because automated deletion risks removing intentional files with unconventional names.
-
-Update checklist: Mark Phase 3 complete.
-
----
-
-### Phase 4: Structural Validation
-
-<action>
-Use Glob and Grep tools to validate repository structure against socket-cli conventions.
-</action>
-
-<validation_checks>
-- package.json scripts follow naming conventions from CLAUDE.md
-- Test files have corresponding vitest configurations
-- Required files exist: tsconfig.json, .oxlintrc.json, vitest.config.mts
-- Imports use `@socketsecurity/lib/*` pattern (not Node.js built-ins where applicable)
-</validation_checks>
-
-<severity_mapping>
-- Missing required files → Critical (blocks builds)
-- Inconsistent naming → High (causes confusion)
-- Missing configs → Medium (reduces effectiveness)
-</severity_mapping>
-
-Update checklist: Mark Phase 4 complete.
-
----
-
-### Phase 5: Determine Scan Scope
-
-<action>
-Ask user which scans to execute.
-</action>
-
-<user_prompt>
-Which scans do you want to run?
-
-1. All scans (recommended for comprehensive quality improvement)
-2. Critical only (crashes, security, data corruption, auth)
-3. Custom selection (choose specific scans)
-
-Default: [1]
-</user_prompt>
-
-<available_scans>
-See `reference.md` @reference for detailed agent prompts. Each scan targets specific issue categories:
-
-- **critical**: Crashes, security vulnerabilities, data corruption, auth handling
-- **logic**: Algorithm errors, edge cases, validation bugs
-- **cache**: Config/token caching correctness
-- **workflow**: Build scripts, CI/CD, cross-platform compatibility
-- **security**: GitHub Actions security via zizmor + credential exposure patterns
-- **documentation**: Command examples, API accuracy, missing docs
-</available_scans>
-
-Update checklist: Mark Phase 5 complete.
-
----
-
-### Phase 5b: Install External Tools (zizmor)
-
-<action>
-Install zizmor for GitHub Actions security scanning using version that meets repository's minimumReleaseAge policy.
-</action>
-
-<version_selection>
-Determine the appropriate zizmor version dynamically:
-
-1. **Read minimumReleaseAge from `.pnpmrc`**:
-   ```bash
-   grep 'minimumReleaseAge' .pnpmrc | cut -d'=' -f2
-   ```
-   This returns minutes (e.g., `10080` = 7 days). Default to 10080 if not found.
-
-2. **Query zizmor releases** (using curl or gh):
-   ```bash
-   # Option A: curl (universally available)
-   curl -s "https://api.github.com/repos/zizmorcore/zizmor/releases" | \
-     jq '[.[] | select(.prerelease == false) | {tag: .tag_name, date: .published_at}] | .[0:10]'
-
-   # Option B: gh (if available)
-   gh api repos/zizmorcore/zizmor/releases --jq \
-     '[.[] | select(.prerelease == false) | {tag: .tag_name, date: .published_at}] | .[0:10]'
-   ```
-
-3. **Calculate age and select version**:
-   - Convert minimumReleaseAge from minutes to days: `minutes / 1440`
-   - Find latest stable release older than that threshold
-   - Example: If minimumReleaseAge=10080 (7 days) and today is March 24, select releases from March 17 or earlier
-
-4. **Install selected version** (choose based on available tools):
-   ```bash
-   # macOS with Homebrew (latest only, version pinning limited)
-   brew install zizmor
-
-   # Python environments (version pinning supported)
-   pipx install zizmor==VERSION
-   uv tool install zizmor==VERSION
-   uvx zizmor@VERSION --help
-   ```
-
-   **Recommended priority**: pipx/uvx > brew
-</version_selection>
-
-<rationale>
-Using minimumReleaseAge prevents supply chain attacks from compromised new releases. The 7-day window allows community detection of malicious packages before adoption.
-</rationale>
-
-<fallback>
-If no release meets the age requirement, warn the user and skip zizmor scan. Never install a release younger than minimumReleaseAge.
-</fallback>
-
-Update checklist: Note zizmor version installed.
-
----
-
-### Phase 6: Execute Scans
-
-<action>
-For each selected scan, spawn an agent using Task tool with the prompt from reference.md @reference.
-</action>
-
-<agent_spawning>
-1. Use Task tool with `subagent_type='general-purpose'`
-2. Pass the full agent prompt from reference.md for the scan type
-3. Include current repository context (recent git log, modified files)
-4. Collect findings from agent response
-5. Track completion status in your checklist
-</agent_spawning>
-
-<execution_strategy>
-Run scans **sequentially** (not parallel) because earlier scans may uncover issues that inform later scans. For example, critical crashes found early prevent wasting tokens on logic scans of unreachable code.
-
-Order: critical → logic → cache → workflow → security → documentation
-</execution_strategy>
-
-<zizmor_execution>
-For the **security** scan, run zizmor first to get machine-verified findings:
-
-```bash
-# Run zizmor on all workflow files
-zizmor .github/workflows/*.yml --format json > /tmp/zizmor-output.json
-
-# Or for human-readable output
-zizmor .github/workflows/*.yml --format plain
-```
-
-Include zizmor findings in the security scan report. zizmor detects:
-- Template injection vulnerabilities
-- Unpinned action versions
-- Dangerous permissions
-- Artifact poisoning risks
-- Excessive permissions
-
-Merge zizmor output with agent-based security scan findings, deduplicating overlapping issues.
-</zizmor_execution>
-
-Choose an approach and commit to it. Execute all selected scans without revisiting scan selection unless you encounter blocking errors.
-
-Update checklist: Mark Phase 6 complete.
-
----
-
-### Phase 7: Aggregate Findings
-
-<action>
-Collect findings from all agent scans, deduplicate, and prioritize.
-</action>
-
-<deduplication_rules>
-- **Same file and line**: Keep the finding with highest severity
-- **Same issue pattern**: Merge descriptions, preserve most actionable fix
-- **Different scans, same root cause**: Combine into single finding with multiple scan references
-</deduplication_rules>
-
-<sorting_hierarchy>
-1. Severity: Critical → High → Medium → Low (severity gates determine release readiness)
-2. Scan type: critical → logic → cache → workflow → security → documentation
-3. File path: Alphabetical (enables systematic fixing)
-</sorting_hierarchy>
-
-<finding_structure>
-Ensure each finding includes:
-
-```
-File: packages/cli/src/path/file.mts:123
-Issue: One-line description
-Severity: Critical|High|Medium|Low
-Pattern: Code snippet (2-3 lines)
-Trigger: Input/condition causing the issue
-Fix: Specific code change
-Impact: Consequence if triggered
-```
-
-This structure enables you to apply fixes systematically without re-reading findings.
-</finding_structure>
-
-Update checklist: Mark Phase 7 complete.
-
----
-
-### Phase 8: Generate Report
-
-<action>
-Create a comprehensive report using the template below.
-</action>
-
-<report_template>
-```markdown
-# Quality Scan Report - socket-cli
-
-**Date**: YYYY-MM-DD | **Iteration**: N/5 | **Total Issues**: X
-
-## Summary
-
-| Severity | Count |
-|----------|-------|
-| Critical | X     |
-| High     | X     |
-| Medium   | X     |
-| Low      | X     |
-
-## Findings by Severity
-
-### Critical Issues (X)
-
-**1. [Issue title]**
-- File: `packages/cli/src/path/file.mts:123`
-- Pattern: `code snippet`
-- Trigger: When this happens
-- Fix: Specific change
-- Impact: What breaks
-
-[Repeat for each]
-
-[Additional severity sections follow same structure]
-
-## Scan Coverage
-
-| Scan Type     | Issues |
-|---------------|--------|
-| critical      | X      |
-| logic         | X      |
-| cache         | X      |
-| workflow      | X      |
-| security      | X      |
-| documentation | X      |
-```
-</report_template>
-
-Display report to user. Offer to save to `reports/quality-scan-YYYY-MM-DD.md`.
-
-Update checklist: Mark Phase 8 complete.
-
----
-
-### Phase 9: Fix All Issues
-
-<action>
-Apply fixes for every finding from the report, working from Critical to Low severity.
-</action>
-
-Read each file only once, then apply all fixes for that file using Edit tool. This batching approach minimizes tool calls.
-
-Never speculate about code you have not read. Open each file before editing.
-
-Update checklist: Mark Phase 9 complete.
-
----
-
-### Phase 10: Run Tests
-
-<action>
-Execute `pnpm test` to verify fixes didn't introduce regressions.
-</action>
-
-<test_outcomes>
-- **All pass**: Proceed to Phase 11
-- **Some fail**: Revert last changes, report failed tests to user, exit iteration
-</test_outcomes>
-
-Tests validate that fixes solve problems without creating new ones; failures indicate logic errors in fixes requiring manual review.
-
-Update checklist: Mark Phase 10 complete.
-
----
-
-### Phase 11: Commit Fixes
-
-<action>
-Stage changes and create commit using strategy from earlier.
-</action>
-
-<commit_message_template>
-```
-fix: resolve quality scan issues (iteration N)
-
-- Fixed X critical issues
-- Fixed X high priority issues
-- Fixed X medium priority issues
-- Fixed X low priority issues
-
-Scans: [list of scan types run]
-```
-</commit_message_template>
-
-Use `git add .` followed by commit (amend if single-commit repo, new commit otherwise).
-
-Update checklist: Mark Phase 11 complete.
-
----
-
-### Phase 12: Iteration Decision
-
-<action>
-Determine whether to continue or exit.
-</action>
-
-<decision_logic>
-**Exit conditions**:
-- Zero issues found → Success! Output `<promise>QUALITY_SCAN_COMPLETE</promise>`
-- Iteration count = 5 → Stop (manual intervention needed)
-
-**Continue condition**:
-- Issues remain AND iteration < 5 → Start new iteration, copy fresh checklist
-</decision_logic>
-
-When continuing, increment iteration counter and return to Phase 6 (re-run scans on updated code).
-
----
-
-## Error Recovery
-
-<error_scenarios>
-**Scan agent failures**: Log warning, continue with remaining scans, note failure in report. Don't abort the entire process because other scans may still find valuable issues.
-
-**Test failures after fixes**: Revert changes from current iteration using `git restore .`, report specific test failures to user, exit. Test failures indicate logic errors requiring human review.
-
-**Git commit failures**: Display error, ask user to resolve manually. Cannot proceed without clean commits because subsequent iterations depend on committed changes.
-
-**Dirty repository**: Warn user, offer to stash changes or continue with dirty state. Continuing risks conflating quality fixes with unrelated changes.
-</error_scenarios>
-
----
-
-## socket-cli Context
-
-<scan_scope>
-Primary targets: `packages/cli/src/`, `packages/cli/test/`, `.github/workflows/`, `scripts/`, `.config/`
-
+<task>
+Your task is to scan socket-cli for code quality issues and fix them iteratively.
+</task>
+
+<constraints>
+- Fix all issues regardless of complexity; do not defer architectural problems.
+- Run `pnpm test` after each iteration.
+- Cap at 5 iterations; stop and report if issues persist.
+- Execute phases sequentially; each phase's output informs the next.
+- If repo has 1 commit, amend; otherwise create new commits.
+</constraints>
+
+## Phases
+
+1. **Validate Environment** - `git status`; abort if not a git repo, warn if dirty.
+2. **Update Dependencies** - `pnpm install` to avoid stale-API false positives.
+3. **Repository Cleanup** - Glob for temp files, stray docs; confirm before deletion.
+4. **Structural Validation** - Verify required configs, naming conventions, import patterns.
+5. **Determine Scan Scope** - Ask user: all scans, critical only, or custom selection.
+5b. **Install zizmor** - Install version meeting `.pnpmrc` minimumReleaseAge policy.
+6. **Execute Scans** - Run selected scans sequentially via Task tool using prompts from `reference.md`.
+7. **Aggregate Findings** - Deduplicate, prioritize (Critical > High > Medium > Low).
+8. **Generate Report** - Summary table by severity + scan type, display to user.
+9. **Fix All Issues** - Apply fixes from Critical to Low; read each file before editing.
+10. **Run Tests** - `pnpm test`; revert and exit iteration on failure.
+11. **Commit Fixes** - Stage and commit with summary of fixed issue counts.
+12. **Iteration Decision** - Zero issues = done; otherwise loop back to Phase 6.
+
+## Available Scans
+
+See `reference.md` for detailed agent prompts. Scan types:
+
+- **critical** - Crashes, security vulnerabilities, data corruption, auth handling
+- **logic** - Algorithm errors, edge cases, validation bugs
+- **cache** - Config/token caching correctness
+- **workflow** - Build scripts, CI/CD, cross-platform compatibility
+- **security** - GitHub Actions security via zizmor + credential exposure patterns
+- **documentation** - Command examples, API accuracy, missing docs
+
+## Scan Scope
+
+Primary: `packages/cli/src/`, `packages/cli/test/`, `.github/workflows/`, `scripts/`, `.config/`
 Excluded: `node_modules/`, `dist/`, `build/`, `.pnpm-store/`, `packages/*/dist/`
-</scan_scope>
-
-<codebase_patterns>
-Apply these socket-cli conventions when scanning and fixing:
-
-- Import pattern: `@socketsecurity/lib/*` (not Node.js built-ins where Socket provides equivalents)
-- Error types: `InputError`, `AuthError` from `src/utils/errors.mts`
-- Logging: `getDefaultLogger()` from `@socketsecurity/lib/logger`
-- File extension: `.mts` for TypeScript modules
-- Type imports: `import type` separately (NEVER mix with runtime imports)
-- CLI framework: meow-based command structure
-</codebase_patterns>
 
----
-
-## Reference
-
-See `reference.md` @reference for complete agent prompts and pattern definitions.
+## Error Recovery
 
-**Version**: 1.1.0 (2026-03-24)
+- **Scan agent failure**: Log warning, continue remaining scans.
+- **Test failure after fixes**: `git restore .`, report failures, exit iteration.
+- **Git commit failure**: Display error, ask user to resolve.
diff --git a/.claude/skills/updating-checksums/SKILL.md b/.claude/skills/updating-checksums/SKILL.md
index 9a3e5bf0c..2ba0ffb56 100644
--- a/.claude/skills/updating-checksums/SKILL.md
+++ b/.claude/skills/updating-checksums/SKILL.md
@@ -1,6 +1,9 @@
 ---
 name: updating-checksums
-description: Updates SHA-256 checksums from GitHub releases to external-tools.json. Triggers when user mentions "update checksums", "sync checksums", or after releasing new tool versions.
+description: >
+  Syncs SHA-256 checksums from GitHub releases to external-tools.json.
+  Triggers when user mentions "update checksums", "sync checksums", or after
+  releasing new tool versions.
 user-invocable: true
 allowed-tools: Bash, Read, Edit
 ---
@@ -11,168 +14,26 @@ allowed-tools: Bash, Read, Edit
 Your task is to sync SHA-256 checksums from GitHub releases to the embedded `external-tools.json` file, ensuring SEA builds have up-to-date integrity verification.
 </task>
 
-<context>
-**What is this?**
-socket-cli downloads prebuilt security tools (opengrep, python, socket-patch, sfw, trivy, trufflehog) from GitHub releases for bundling into SEA (Single Executable Application) builds. Each release may include a `checksums.txt` file with SHA-256 hashes.
-
-**Architecture:**
-
-- `packages/cli/external-tools.json` - Configuration with embedded checksums
-- `packages/cli/scripts/sync-checksums.mjs` - Sync script for GitHub release tools
-
-**Tool Types in external-tools.json:**
-
-| Type | Example | Checksums |
-|------|---------|-----------|
-| `github-release` | opengrep, trivy, sfw | Synced from releases |
-| `npm` | @coana-tech/cli, synp | SRI integrity hashes |
-| `pypi` | socketsecurity | May have checksums |
-
-**Why Sync?**
-- After tool updates (new versions), checksums become stale
-- SEA builds verify downloads against embedded checksums
-- Version-controlled checksums enable audit trail
-</context>
-
 <constraints>
-**CRITICAL Requirements:**
-- Network access required to fetch from GitHub API
-- Only `github-release` type tools are synced
-
-**Do NOT:**
-- Modify checksums manually (always fetch from releases)
-- Skip verification after sync
-- Commit without reviewing changes
-
-**Do ONLY:**
-- Fetch checksums from official GitHub releases
-- Update external-tools.json with new checksums
-- Verify the JSON is valid after update
+- Network access required to fetch from GitHub API.
+- Only `github-release` type tools are synced (not npm or pypi).
+- Never modify checksums manually; always fetch from releases.
+- Verify JSON validity after sync.
+- Review changes before committing.
 </constraints>
 
-<instructions>
-
-## Process
-
-### Phase 1: Check Current State
-
-<action>
-Review current embedded checksums and tool versions:
-</action>
-
-```bash
-# Show current GitHub release tools in external-tools.json
-grep -A2 '"type": "github-release"' packages/cli/external-tools.json | head -40
-```
-
----
-
-### Phase 2: Sync Checksums
-
-<action>
-Run the sync script to fetch latest checksums:
-</action>
-
-```bash
-# Sync all GitHub release tools
-node packages/cli/scripts/sync-checksums.mjs
-
-# Or sync specific tool
-# node packages/cli/scripts/sync-checksums.mjs --tool=opengrep
-```
-
-<validation>
-**Expected Output:**
-```
-Syncing checksums for 6 GitHub release tool(s)...
-
-[opengrep] opengrep/opengrep @ v1.16.0
-  Found checksums.txt, downloading...
-  Parsed 5 checksums from checksums.txt
-  Unchanged: 5 checksums
-
-[python] astral-sh/python-build-standalone @ 3.11.14
-  No checksums.txt found, downloading 8 assets to compute checksums...
-  ...
-
-Summary: X updated, Y unchanged
-```
-
-**If sync fails:**
-- Check network connectivity
-- Verify release exists: `gh release view <tag> --repo <owner/repo>`
-- Check GitHub API rate limits
-</validation>
-
----
-
-### Phase 3: Verify Changes
-
-<action>
-Review the updated checksums:
-</action>
-
-```bash
-# Show what changed
-git diff packages/cli/external-tools.json
-
-# Validate JSON syntax
-node -e "JSON.parse(require('fs').readFileSync('packages/cli/external-tools.json'))"
-```
+## Phases
 
----
-
-### Phase 4: Commit Changes (if any)
-
-<action>
-If checksums were updated, commit the changes:
-</action>
-
-```bash
-# Only if there are changes
-git add packages/cli/external-tools.json
-git commit -m "chore(cli): sync external tool checksums
-
-Update embedded SHA-256 checksums from GitHub releases.
-Enables SEA builds with up-to-date integrity verification."
-```
-
-</instructions>
-
-## Success Criteria
-
-- All GitHub release tools synced from releases
-- external-tools.json updated with latest checksums
-- JSON syntax validated
-- Changes committed (if any updates)
+1. **Check Current State** - Review current checksums and tool versions in `packages/cli/external-tools.json`.
+2. **Sync Checksums** - Run `node packages/cli/scripts/sync-checksums.mjs`. Tries `checksums.txt` from the release first; falls back to downloading assets and computing SHA-256.
+3. **Verify Changes** - `git diff packages/cli/external-tools.json`; validate JSON syntax.
+4. **Commit Changes** - If updated, commit `packages/cli/external-tools.json`.
 
 ## Commands
 
 ```bash
-# Sync all GitHub release tools
-node packages/cli/scripts/sync-checksums.mjs
-
-# Sync specific tool
-node packages/cli/scripts/sync-checksums.mjs --tool=opengrep
-
-# Dry run (show what would change)
-node packages/cli/scripts/sync-checksums.mjs --dry-run
-
-# Force update even if unchanged
-node packages/cli/scripts/sync-checksums.mjs --force
+node packages/cli/scripts/sync-checksums.mjs              # Sync all
+node packages/cli/scripts/sync-checksums.mjs --tool=opengrep  # Sync one
+node packages/cli/scripts/sync-checksums.mjs --dry-run     # Preview
+node packages/cli/scripts/sync-checksums.mjs --force       # Force update
 ```
-
-## Context
-
-This skill is useful for:
-
-- After updating tool versions in external-tools.json
-- When new GitHub releases are published
-- Before building SEA executables
-- Regular maintenance to keep checksums current
-
-**Behavior:**
-1. First tries to download `checksums.txt` from the GitHub release
-2. If not available, downloads each asset and computes SHA-256 hashes
-3. Only updates tools with `type: "github-release"`
-4. npm packages use SRI integrity hashes (not handled by this script)
diff --git a/.claude/skills/updating/SKILL.md b/.claude/skills/updating/SKILL.md
index 4a43b1c97..8d8d3b207 100644
--- a/.claude/skills/updating/SKILL.md
+++ b/.claude/skills/updating/SKILL.md
@@ -1,6 +1,9 @@
 ---
 name: updating
-description: Coordinates all dependency updates (npm packages and external tool checksums). Triggers when user asks to "update everything", "update dependencies", or prepare for a release.
+description: >
+  Coordinates all dependency updates (npm packages and external tool checksums).
+  Triggers when user asks to "update everything", "update dependencies", or
+  prepare for a release.
 user-invocable: true
 allowed-tools: Task, Skill, Bash, Read, Grep, Glob, Edit
 ---
@@ -11,183 +14,22 @@ allowed-tools: Task, Skill, Bash, Read, Grep, Glob, Edit
 Your task is to update all dependencies in socket-cli: npm packages via `pnpm run update`, then sync external tool checksums, ensuring all builds and tests pass.
 </task>
 
-<context>
-**What is this?**
-socket-cli uses npm packages and external tools (opengrep, python, socket-patch, sfw, trivy, trufflehog) that need periodic updates for security patches, bug fixes, and new features.
-
-**Existing Skills:**
-- `updating-checksums` - Syncs SHA-256 checksums from GitHub releases to external-tools.json
-- `quality-scan` - Comprehensive quality scanning and issue fixing
-
-**Update Targets:**
-1. **npm packages** - Updated via `pnpm run update`
-2. **External tool checksums** - Updated via `updating-checksums` skill
-</context>
-
 <constraints>
-**Requirements:**
-- Start with clean working directory (no uncommitted changes)
-- Target stable releases only (exclude -rc, -alpha, -beta tags)
-
-**CI Mode** (detected via `CI=true` or `GITHUB_ACTIONS`):
-- Create atomic commits, skip build validation (CI validates separately)
-- Workflow handles push and PR creation
-
-**Interactive Mode** (default):
-- Validate each update with build/tests before proceeding
-- Report validation results to user
-
-**Actions:**
-- Update npm packages and external tool checksums
-- Create atomic commits for each update
-- Report comprehensive summary of all changes
+- Start with clean working directory (no uncommitted changes).
+- Target stable releases only (exclude -rc, -alpha, -beta tags).
+- **CI mode** (`CI=true` or `GITHUB_ACTIONS`): Create atomic commits, skip build validation.
+- **Interactive mode** (default): Validate each update with build/tests before proceeding.
 </constraints>
 
-<instructions>
-
-## Process
-
-### Phase 1: Validate Environment
-
-<action>
-Check working directory is clean and detect CI mode:
-</action>
-
-```bash
-# Detect CI mode
-if [ "$CI" = "true" ] || [ -n "$GITHUB_ACTIONS" ]; then
-  CI_MODE=true
-  echo "Running in CI mode - will skip build validation"
-else
-  CI_MODE=false
-  echo "Running in interactive mode - will validate builds"
-fi
-
-# Check working directory is clean
-git status --porcelain
-```
-
-<validation>
-- Working directory must be clean
-- CI_MODE detected for subsequent phases
-</validation>
-
----
-
-### Phase 2: Update npm Packages
-
-<action>
-Run pnpm run update to update npm dependencies:
-</action>
-
-```bash
-# Update npm packages
-pnpm run update
-
-# Check if there are changes
-if [ -n "$(git status --porcelain pnpm-lock.yaml package.json packages/*/package.json)" ]; then
-  git add pnpm-lock.yaml package.json packages/*/package.json
-  git commit -m "chore: update npm dependencies
-
-Updated npm packages via pnpm run update."
-  echo "npm packages updated"
-else
-  echo "npm packages already up to date"
-fi
-```
-
----
-
-### Phase 3: Update External Tool Checksums
-
-<action>
-Use the updating-checksums skill to sync SHA-256 checksums from GitHub releases:
-</action>
-
-```
-Skill({ skill: "updating-checksums" })
-```
-
-Wait for skill completion before proceeding.
-
----
-
-### Phase 4: Final Validation
-
-<action>
-Run full build and test suite (skip in CI mode):
-</action>
-
-```bash
-if [ "$CI_MODE" = "true" ]; then
-  echo "CI mode: Skipping final validation (CI will run builds/tests separately)"
-  echo "Commits created - ready for push by CI workflow"
-else
-  echo "Interactive mode: Running full validation..."
-  pnpm run fix --all
-  pnpm run check --all
-  pnpm test
-fi
-```
-
----
-
-### Phase 5: Report Summary
-
-<action>
-Generate comprehensive update report:
-</action>
-
-```
-## Update Complete
-
-### Updates Applied:
-
-| Category | Status |
-|----------|--------|
-| npm packages | Updated/Up to date |
-| External tool checksums | Updated/Up to date |
-
-### Commits Created:
-- [list commits]
-
-### Validation:
-- Build: SUCCESS/SKIPPED (CI mode)
-- Tests: PASS/SKIPPED (CI mode)
-
-### Next Steps:
-**Interactive mode:**
-1. Review changes: `git log --oneline -N`
-2. Push to remote: `git push origin main`
-
-**CI mode:**
-1. Workflow will push branch and create PR
-2. CI will run full build/test validation
-3. Review PR when CI passes
-```
-
-</instructions>
-
-## Success Criteria
-
-- All npm packages checked for updates
-- External tool checksums synced
-- Full build and tests pass (interactive mode)
-- Comprehensive summary report generated
-
-## Commands
-
-This skill coordinates other skills:
-
-- Uses `updating-checksums` skill for external tool checksums
-- Direct pnpm commands for npm package updates
-
-## Context
+## Phases
 
-This skill is useful for:
+1. **Validate Environment** - Verify clean working directory; detect CI vs interactive mode.
+2. **Update npm Packages** - Run `pnpm run update`; commit if changes detected.
+3. **Update External Tool Checksums** - Invoke the `updating-checksums` skill.
+4. **Final Validation** - In interactive mode: `pnpm run fix --all`, `pnpm run check --all`, `pnpm test`. Skipped in CI.
+5. **Report Summary** - List updates applied, commits created, validation results, and next steps.
 
-- Weekly maintenance (automated via weekly-update.yml)
-- Security patch rollout across all dependencies
-- Pre-release preparation
+## Coordinates
 
-**Safety:** Each update is validated independently. Failures stop the process.
+- `updating-checksums` skill for external tool checksums
+- `pnpm run update` for npm packages

From 135c41d1480232951e989c6397bd0df8cb2d5b95 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Thu, 9 Apr 2026 17:24:17 -0400
Subject: [PATCH 09/10] chore(ci): bump socket-registry SHA to 1dc0e87d

---
 .github/workflows/ci.yml            | 8 ++++----
 .github/workflows/provenance.yml    | 6 +++---
 .github/workflows/weekly-update.yml | 8 ++++----
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index be3acb970..66e984ec0 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -109,7 +109,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
         with:
           checkout: 'false'
 
@@ -168,7 +168,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
         with:
           checkout: 'false'
 
@@ -234,7 +234,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
         with:
           checkout: 'false'
           node-version: ${{ matrix.node-version }}
@@ -310,7 +310,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
         with:
           checkout: 'false'
           node-version: ${{ matrix.node-version }}
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 8da6bb651..02d8e5037 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -51,7 +51,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
         with:
           checkout: 'false'
 
@@ -91,7 +91,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
         with:
           checkout: 'false'
           registry-url: 'https://registry.npmjs.org'
@@ -141,7 +141,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
         with:
           checkout: 'false'
           registry-url: 'https://registry.npmjs.org'
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index d3cb5a6e2..a3e2017f6 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -29,7 +29,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
         with:
           checkout: 'false'
 
@@ -61,7 +61,7 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@47d61c98b6a4b9db62db149f5f65655474b9901e # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
         with:
           checkout: 'false'
 
@@ -76,7 +76,7 @@ jobs:
           git checkout -b "$BRANCH_NAME"
           echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@47d61c98b6a4b9db62db149f5f65655474b9901e # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
         with:
           gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
 
@@ -303,7 +303,7 @@ jobs:
             test.log
           retention-days: 7
 
-      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@47d61c98b6a4b9db62db149f5f65655474b9901e # main
+      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
         if: always()
 
   notify:

From 23e6ad871fce4cfff30060ed6902dad833b60b1b Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Thu, 9 Apr 2026 17:39:18 -0400
Subject: [PATCH 10/10] chore(ci): bump socket-registry SHA to 96c2a403

---
 .github/workflows/ci.yml            | 8 ++++----
 .github/workflows/provenance.yml    | 6 +++---
 .github/workflows/weekly-update.yml | 8 ++++----
 3 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 66e984ec0..a3b2ed9f8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -109,7 +109,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
         with:
           checkout: 'false'
 
@@ -168,7 +168,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
         with:
           checkout: 'false'
 
@@ -234,7 +234,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
         with:
           checkout: 'false'
           node-version: ${{ matrix.node-version }}
@@ -310,7 +310,7 @@ jobs:
           export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
           CODE
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
         with:
           checkout: 'false'
           node-version: ${{ matrix.node-version }}
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index 02d8e5037..86ceac345 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -51,7 +51,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
         with:
           checkout: 'false'
 
@@ -91,7 +91,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
         with:
           checkout: 'false'
           registry-url: 'https://registry.npmjs.org'
@@ -141,7 +141,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
         with:
           checkout: 'false'
           registry-url: 'https://registry.npmjs.org'
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index a3e2017f6..0d95bec1d 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -29,7 +29,7 @@ jobs:
         with:
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
         with:
           checkout: 'false'
 
@@ -61,7 +61,7 @@ jobs:
           fetch-depth: 0
           persist-credentials: false
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
         with:
           checkout: 'false'
 
@@ -76,7 +76,7 @@ jobs:
           git checkout -b "$BRANCH_NAME"
           echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
 
-      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
         with:
           gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
 
@@ -303,7 +303,7 @@ jobs:
             test.log
           retention-days: 7
 
-      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@1dc0e87db45927365e0622ed56a583f97c6cbbab # main
+      - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
         if: always()
 
   notify: