refactor(hooks): convert git hooks from .sh to .mts (Node 25+) #622

Closed
John-David Dalton (jdalton) wants to merge 2 commits into main from hooks-mts

Conversation

@jdalton (Contributor)

Converts the four shell-based git-hook files into TypeScript-first .mts modules running on Node 25+ (stable type stripping, no flag needed).

Files:

  • .git-hooks/_helpers.mts (was _helpers.sh) — exports filterAllowedApiKeys + scanners for personal paths, AWS keys, GitHub tokens, private keys, AI attribution.
  • .git-hooks/commit-msg.mts
  • .git-hooks/pre-commit.mts
  • .git-hooks/pre-push.mts

_helpers.mts hard-fails at module load if Node < 25.

Husky shims invoke node directly.

Companion: socket-btm #120/#121 (merged), socket-repo-template@f415207.

Sync from socket-repo-template@f415207. All four hook files become
.mts modules running on Node 25+ (stable type stripping, no flag).

- .git-hooks/_helpers.mts (was _helpers.sh) — exports
  filterAllowedApiKeys + scanners for personal paths, AWS keys,
  GitHub tokens, private keys, AI attribution.
- .git-hooks/commit-msg.mts
- .git-hooks/pre-commit.mts
- .git-hooks/pre-push.mts

_helpers.mts hard-fails at module load if Node < 25.

Husky shims invoke node directly.
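As an added illustration of the helper shape this PR describes (example code written for this page, not the repository's _helpers.mts): a Node-25 gate kept in a callable function, a few of the scanners, and an allowlist filter. The AWS and GitHub patterns are the well-known public token prefixes; the AI-attribution trailer shape and the "EXAMPLE" allowlist rule are assumptions.

```typescript
// Added illustration, not the repository's _helpers.mts: a Node-major gate kept
// in a function so this file can be imported on any Node, plus a few scanners
// in the shape the PR describes. Regexes use well-known public token prefixes;
// the AI-attribution pattern and the allowlist rule are assumptions.
const MIN_NODE_MAJOR = 25;

export function meetsMinimum(version: string, minMajor: number): boolean {
  const [majorText = "0"] = version.replace(/^v/, "").split(".");
  const major = Number.parseInt(majorText, 10);
  return Number.isFinite(major) && major >= minMajor;
}

// What a hook would run at module load; `version` is injectable for testing.
export function enforceNodeVersion(version?: string): void {
  const current =
    version ?? (globalThis as any).process?.versions?.node ?? "0.0.0";
  if (!meetsMinimum(current, MIN_NODE_MAJOR)) {
    throw new Error(`git hooks require Node >= ${MIN_NODE_MAJOR}, got ${current}`);
  }
}

export type Finding = { kind: string; match: string };

const SCANNERS: Array<[string, RegExp]> = [
  ["aws-access-key-id", /\bAKIA[0-9A-Z]{16}\b/g],
  ["github-token", /\bgh[pousr]_[A-Za-z0-9]{36}\b/g],
  ["private-key", /-----BEGIN (?:RSA |EC |OPENSSH )?PRIVATE KEY-----/g],
  // Assumed shape of an "AI attribution" trailer in a commit message.
  ["ai-attribution", /^Co-Authored-By:.*\b(?:Claude|ChatGPT|Copilot)\b.*$/gim],
];

// Allowlist rule (assumption): AWS's documented placeholder keys end in
// "EXAMPLE"; anything else that matched stays a finding.
export function filterAllowedApiKeys(findings: Finding[]): Finding[] {
  return findings.filter((f) => !/EXAMPLE$/.test(f.match));
}

export function scan(content: string): Finding[] {
  const findings: Finding[] = [];
  for (const [kind, pattern] of SCANNERS) {
    for (const m of content.matchAll(pattern)) {
      findings.push({ kind, match: m[0] });
    }
  }
  return filterAllowedApiKeys(findings);
}
```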
@jdalton (Contributor, Author)

bugbot run


John-David Dalton (jdalton) added a commit that referenced this pull request Apr 27, 2026
…y/ scope)

Consolidates PR #621 (path-guard infra) and #622 (.sh→.mts hook
conversion) into this branch. Resolves the modify/delete conflict
on .git-hooks/{commit-msg,pre-push} by accepting the .mts versions
— the env allowlist tweak from #620 is already covered in
commit-msg.mts via shouldSkipFile and the precommit allowlist.

Also renames internal hook packages to drop the @socketsecurity/
scope (hook-path-guard, hook-token-guard, hook-check-new-deps) —
they're private:true and never published.
@jdalton (Contributor, Author)

Superseded by #620 (consolidated). All commits from this branch are now in #620.

John-David Dalton (jdalton) deleted the hooks-mts branch April 27, 2026 00:59
John-David Dalton (jdalton) added a commit that referenced this pull request Apr 27, 2026
Consolidates the work previously split across PRs #620 (env allowlist),
#621 (path-guard infra), and #622 (.sh→.mts hook conversion) into a
single commit on chore/harden-env-allowlist.

What's included:

  Env allowlist + .cache/ + CLAUDE.md
  - Drop NODE_COMPILE_CACHE-equivalent stale env entries
  - Allow .env.precommit at any depth in commit-msg hook
  - Skip hook scripts in scanners (they contain the literal regex)
  - Exclude .cache/** in tsconfig.check.json
  - Propagate CLAUDE.md sorting + open-PR + paths + inclusive-language
    rules; Set constructor sort rule; don't-revert-untouched rule;
    replace whitelist/blacklist with allowlist/denylist

  Path-guard infra (.claude/hooks/path-guard/, scripts/check-paths.mts,
  .github/paths-allowlist.yml, .claude/skills/path-guard/)
  - Mantra: 1 path, 1 reference. PreToolUse hook on Edit|Write blocks
    multi-stage build paths constructed inline; companion gate runs
    in pnpm check
  - Template-literal path detection
  - Drift-resistant allowlist via exact-line OR snippet_hash match
  - --show-hashes CLI flag for authoring allowlist entries
  - Centralized vocabulary in segments.mts (hook + gate share one
    source for stage / build-root / mode / sibling-package sets)
  - Paren-balanced parser handles nested function-call args
  - Multi-line YAML reasons (| and > block scalars)

  Token-guard renamed from token-hygiene
  - Word-boundary match for sensitive env names (no more false
    positives on substring matches inside identifiers)
  - Step 1 (ALWAYS_DANGEROUS) now gates on hasRedaction so
    'env | sed s/=.*/=<redacted>/' (the suggested fix) actually passes

  .sh → .mts hook conversion (Node 25+)
  - .git-hooks/_helpers.mts (was _helpers.sh) — exports
    filterAllowedApiKeys + scanners for personal paths, AWS keys,
    GitHub tokens, private keys, AI attribution
  - .git-hooks/{commit-msg,pre-commit,pre-push}.mts (were .sh)
  - _helpers.mts hard-fails at module load if Node < 25 (relies on
    stable type stripping, no flag)
  - Husky shims invoke node directly

  Hook package rename
  - Drop @socketsecurity/ scope from internal hook packages
    (hook-path-guard, hook-token-guard, hook-check-new-deps); they
    are private:true and never published to npm

  Dep
  - Add @sinclair/typebox 0.34.49 to devDependencies (used by
    scripts/xport-schema.mts)
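The two token-guard checks named in the commit message above, as an added example written for this page (not the project's hook): word-boundary matching of sensitive env names, and the hasRedaction gate that lets a redacted env dump through. The env-name list, the dump-command list and the exact redaction pattern are assumptions.

```typescript
// Added illustration, not the repository's token-guard hook: the two checks the
// commit message names, as pure functions over a shell command string. The
// env-name list, the command list and the exact redaction pattern are assumptions.
const SENSITIVE_ENV_NAMES = ["AWS_SECRET_ACCESS_KEY", "GITHUB_TOKEN", "NPM_TOKEN"];

// Step 1: commands that dump the whole environment, in command position
// (start of line or right after a pipe/separator).
const ALWAYS_DANGEROUS = /(?:^|[|;&(]\s*)(?:env|printenv)\b/m;

// The suggested fix from the commit message, `sed s/=.*/=<redacted>/`,
// optionally quoted; its presence downgrades a dump to allowed.
const REDACTION = /\bsed\s+(?:-E\s+)?['"]?s\/=\.\*\/=<redacted>\/['"]?/;

export function hasRedaction(command: string): boolean {
  return REDACTION.test(command);
}

// Word-boundary match: `_` is a word character, so GITHUB_TOKEN does not
// match inside GITHUB_TOKEN_FILE or MY_GITHUB_TOKEN, which a substring
// check (`command.includes(name)`) would flag.
export function mentionsSensitiveEnv(command: string): string[] {
  return SENSITIVE_ENV_NAMES.filter((name) =>
    new RegExp(`\\b${name}\\b`).test(command),
  );
}

export type Verdict = { blocked: boolean; reason: string };

export function checkCommand(command: string): Verdict {
  if (ALWAYS_DANGEROUS.test(command) && !hasRedaction(command)) {
    return { blocked: true, reason: "environment dump without redaction" };
  }
  const names = mentionsSensitiveEnv(command);
  if (names.length > 0 && !hasRedaction(command)) {
    return { blocked: true, reason: `references ${names.join(", ")}` };
  }
  return { blocked: false, reason: "" };
}
```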
John-David Dalton (jdalton) added a commit that referenced this pull request Apr 27, 2026
…rap + cascade

Consolidated PR — combines the original work from #620, #621, #622
plus follow-up commits (private-name rule, socket-registry pin
cascades) into a single squashed commit.

Includes:

- env allowlist + .cache/ + CLAUDE.md hygiene (restore .cache/**
  exclude in tsconfigs; propagate CLAUDE.md sorting/open-PR/paths/
  inclusive-language/Set-sort/don't-revert-untouched/private-name
  rules; replace whitelist/blacklist with allowlist/denylist)
- path-guard infra (PreToolUse hook + scripts/check-paths.mts gate +
  .github/paths-allowlist.yml + /path-guard skill — enforces
  "1 path, 1 reference" so multi-stage build paths are constructed
  exactly once)
- token-guard hook (renamed from token-hygiene; word-boundary match
  for sensitive env names; ALWAYS_DANGEROUS gates on hasRedaction so
  redacted env dumps pass)
- .sh -> .mts hook conversion on Node 25+ (stable type stripping;
  _helpers.mts hard-fails at module load if Node < 25; husky shims
  invoke node directly)
- internal hook package rename (drop @socketsecurity/ scope from
  hook-path-guard, hook-token-guard, hook-check-new-deps; private,
  never published)
- xport lock-step manifest (scripts/xport.mts +
  scripts/xport-schema.mts + scripts/xport-emit-schema.mts +
  xport.schema.json)
- bootstrap-from-registry (scripts/bootstrap-from-registry.mts
  downloads zero-dep Socket packages from npm registry into
  node_modules/ via preinstall hook, solving fresh-clone
  chicken-and-egg)
- socket-registry pins cascaded to ceab1e26 (picks up the
  @socketsecurity/lib bootstrap move from the install action into
  setup, so consumers calling only setup also benefit)