chore(claude+deps): programmatic-Claude lockdown rule + skill + pnpm v11.0.0 GA bump#630
Open
John-David Dalton (jdalton) wants to merge 3 commits intomainfrom
Open
chore(claude+deps): programmatic-Claude lockdown rule + skill + pnpm v11.0.0 GA bump#630John-David Dalton (jdalton) wants to merge 3 commits intomainfrom
John-David Dalton (jdalton) wants to merge 3 commits intomainfrom
Conversation
Cascaded from socket-repo-template. CLAUDE.md gains one bullet alongside the other security 🚨 rules; the skill at .claude/skills/programmatic-claude-lockdown/SKILL.md holds the four-flag table (`tools`/`allowedTools`/`disallowedTools`/ `permissionMode: 'dontAsk'`), both recipes (read-only and Bash-needing), and the never-do list. Reference impl: socket-lib/tools/prim/src/disambiguate.mts (SDK form); socket-registry weekly-update.yml uses the Bash-needing CLI form.
pnpm v11 is now stable: https://github.com/pnpm/pnpm/releases/tag/v11.0.0 - package.json: packageManager pin "pnpm@11.0.0-rc.5" → "pnpm@11.0.0"; engines.pnpm ">=11.0.0-rc.0" → ">=11.0.0". - external-tools.json: bump version + 6 platform sha256s (darwin arm64/x64, linux arm64/x64, win arm64/x64). Hashes computed locally from the v11.0.0 release tarballs. pnpm-workspace.yaml already on the v11 idioms (allowBuilds, pmOnFail, minimumReleaseAge); lockfile shape unchanged.
John-David Dalton (jdalton)
changed the title
Bill Li (billxinli)
approved these changes
Apr 29, 2026
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
CLAUDE.md— adds one bullet alongside the existing security 🚨 rules requiring all four lockdown flags on any programmatic Claude callsite (--tools/tools,--allowedTools/allowedTools,--disallowedTools/disallowedTools,--permission-mode dontAsk/permissionMode: 'dontAsk')..claude/skills/programmatic-claude-lockdown/SKILL.md— new fleet-canonical skill (cascaded from socket-repo-template) holding the four-flag table, both recipes (read-only and Bash-needing), the never-do list, and the reference impl pointer.package.json— packageManagerpnpm@11.0.0-rc.5→pnpm@11.0.0(GA); engines.pnpm>=11.0.0-rc.0→>=11.0.0external-tools.json— pnpm version + 6 platform sha256s bumped to v11.0.0 release tarballsWhy (lockdown)
Following https://code.claude.com/docs/en/agent-sdk/permissions:
permissionMode: 'default'in headless contexts falls through to a missingcanUseToolcallback, which is undefined behavior. The doc's prescribed lockdown recipe is'dontAsk'paired withtools(definition-level base set the model is told about),allowedTools(auto-approve) anddisallowedTools(deny-first defense-in-depth that wins even againstbypassPermissions).Reference impl:
socket-lib/tools/prim/src/disambiguate.mts(SDK form, with source-text test guards intools/prim/test/disambiguate.test.mtsthat fail the build ifBASE_TOOLSwidens, iftools: BASE_TOOLSis unwired, or ifpermissionModedrifts from'dontAsk').socket-registry/.github/workflows/weekly-update.ymluses the Bash-needing CLI form (narrowedBash(...)allowlist forpnpm/git/jq; explicitBash(curl:*)/Bash(wget:*)/Bash(rm -rf*)/Bash(sudo:*)/Bash(npx:*)denials).Why (pnpm v11.0.0 GA)
pnpm v11 is now stable: https://github.com/pnpm/pnpm/releases/tag/v11.0.0
This repo's pnpm-workspace.yaml is already on the v11 idioms (allowBuilds, pmOnFail, minimumReleaseAge); lockfile shape unchanged from rc.5.
Test plan