From 943e151a56586b9af6b695022cf5b48c91d6a48d Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Mon, 27 Apr 2026 11:09:56 -0400
Subject: [PATCH 1/6] chore: env allowlist + .cache exclude + CLAUDE.md fleet
 rules + NODE_COMPILE_CACHE removal

Doc/config-only updates split out from PR #1279.

CLAUDE.md
  - Sync sorting + open-PR + paths + inclusive-language + Set
    constructor sort + don't-revert-untouched rules from the fleet
  - Replace whitelist/blacklist with allowlist/denylist
  - Document workflow-dispatch rule

.config/tsconfig.check.json + tsconfig.json + packages/cli/.config/tsconfig.check.json
  - Restore .cache/** exclude

.gitignore
  - Add **/.cache/

.env.example, .env.precommit, packages/cli/.env.test
  - Drop NODE_COMPILE_CACHE convention

scripts/babel/babel-plugin-inline-process-env.mts
  - Remove NODE_COMPILE_CACHE handling

packages/cli/test/unit/utils/validation/check-input.test.mts
  - Drop NODE_COMPILE_CACHE assertion

.claude/agents/security-reviewer.md
.claude/skills/security-scan/SKILL.md
  - Sync from socket-repo-template canonical

No runtime behavior changes outside the dropped NODE_COMPILE_CACHE
convention.
---
 .claude/agents/security-reviewer.md           |  4 +-
 .claude/skills/security-scan/SKILL.md         |  1 +
 .config/tsconfig.check.json                   |  2 +
 .env.example                                  |  1 -
 .env.precommit                                |  1 -
 .gitignore                                    |  3 +
 CLAUDE.md                                     | 73 ++++++++++++++++++-
 packages/cli/.config/tsconfig.check.json      |  1 +
 packages/cli/.env.test                        |  1 -
 .../utils/validation/check-input.test.mts     |  2 +-
 .../babel/babel-plugin-inline-process-env.mts |  6 +-
 tsconfig.json                                 |  4 +-
 12 files changed, 87 insertions(+), 12 deletions(-)

diff --git a/.claude/agents/security-reviewer.md b/.claude/agents/security-reviewer.md
index a56250453..6ae108892 100644
--- a/.claude/agents/security-reviewer.md
+++ b/.claude/agents/security-reviewer.md
@@ -4,7 +4,7 @@ Apply these rules from CLAUDE.md exactly:
 
 **Safe File Operations**: Use safeDelete()/safeDeleteSync() from @socketsecurity/lib/fs. NEVER fs.rm(), fs.rmSync(), or rm -rf. Use os.tmpdir() + fs.mkdtemp() for temp dirs. NEVER use fetch() — use httpJson/httpText/httpRequest from @socketsecurity/lib/http-request.
 
-**Absolute Rules**: NEVER use npx, pnpm dlx, or yarn dlx. Use pnpm exec or pnpm run with pinned devDeps.
+**Absolute Rules**: NEVER use npx, pnpm dlx, or yarn dlx. Use pnpm exec or pnpm run with pinned devDeps. # zizmor: documentation-prohibition
 
 **Work Safeguards**: Scripts modifying multiple files must have backup/rollback. Git operations that rewrite history require explicit confirmation.
 
@@ -12,7 +12,7 @@ Apply these rules from CLAUDE.md exactly:
 
 1. **Secrets**: Hardcoded API keys, passwords, tokens, private keys in code or config
 2. **Injection**: Command injection via shell: true or string interpolation in spawn/exec. Path traversal in file operations.
-3. **Dependencies**: npx/dlx usage. Unpinned versions (^ or ~). Missing minimumReleaseAge bypass justification.
+3. **Dependencies**: npx/dlx usage. Unpinned versions (^ or ~). Missing minimumReleaseAge bypass justification. # zizmor: documentation-checklist
 4. **File operations**: fs.rm without safeDelete. process.chdir usage. fetch() usage (must use lib's httpRequest).
 5. **GitHub Actions**: Unpinned action versions (must use full SHA). Secrets outside env blocks. Template injection from untrusted inputs.
 6. **Error handling**: Sensitive data in error messages. Stack traces exposed to users.
diff --git a/.claude/skills/security-scan/SKILL.md b/.claude/skills/security-scan/SKILL.md
index 7f2fd77e8..0c2cf12ed 100644
--- a/.claude/skills/security-scan/SKILL.md
+++ b/.claude/skills/security-scan/SKILL.md
@@ -2,6 +2,7 @@
 name: security-scan
 description: Runs a multi-tool security scan — AgentShield for Claude config, zizmor for GitHub Actions, and optionally Socket CLI for dependency scanning. Produces an A-F graded security report. Use after modifying `.claude/` config, hooks, agents, or GitHub Actions workflows, and before releases.
 user-invocable: true
+allowed-tools: Task, Bash, Read, Grep, Glob
 ---
 
 # Security Scan
diff --git a/.config/tsconfig.check.json b/.config/tsconfig.check.json
index e19788a4f..2f0e97d1b 100644
--- a/.config/tsconfig.check.json
+++ b/.config/tsconfig.check.json
@@ -12,6 +12,8 @@
     "../packages/cli/.config/*.mts"
   ],
   "exclude": [
+    "../.cache/**",
+    "../packages/cli/.cache/**",
     "../packages/cli/**/*.tsx",
     "../packages/cli/**/*.d.mts",
     "../packages/cli/src/commands/analytics/output-analytics.mts",
diff --git a/.env.example b/.env.example
index 691c00890..de9adb650 100644
--- a/.env.example
+++ b/.env.example
@@ -2,7 +2,6 @@
 # Copy this file to .env.local and customize for your local environment.
 
 # Node.js Configuration (optional overrides).
-NODE_COMPILE_CACHE="./.cache"
 NODE_OPTIONS="--max-old-space-size=8192 --max-semi-space-size=1024"
 
 # Socket API Configuration (for e2e testing).
diff --git a/.env.precommit b/.env.precommit
index 1ee9eda75..75db740a8 100644
--- a/.env.precommit
+++ b/.env.precommit
@@ -8,5 +8,4 @@ SOCKET_CLI_NO_API_TOKEN=1
 VITEST=1
 
 # Node.js optimization for test performance.
-NODE_COMPILE_CACHE="./.cache"
 NODE_OPTIONS="--max-old-space-size=8192"
diff --git a/.gitignore b/.gitignore
index 7e31376b4..00cca54ed 100644
--- a/.gitignore
+++ b/.gitignore
@@ -12,6 +12,8 @@ Thumbs.db
 .env
 .env.*
 !.env.example
+!.env.precommit
+!.env.test
 /.env.local
 
 # ============================================================================
@@ -34,6 +36,7 @@ yarn-error.log*
 # ============================================================================
 **/.build-checkpoints
 **/*.build-signature
+**/.cache/
 /.rollup.cache
 **/.type-coverage/
 **/build/
diff --git a/CLAUDE.md b/CLAUDE.md
index cf06225ff..119d838db 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -29,6 +29,7 @@
 
 - **REQUIRED for staging**: surgical `git add <specific-file> [<file>…]` with explicit paths. Never `-A` / `.`.
 - **If you need a quick WIP save**: commit on a new branch from inside a worktree, not a stash.
+- **NEVER revert files you didn't touch.** If `git status` shows files you didn't modify, those belong to another session, an upstream pull, or a hook side-effect — leave them alone. Specifically: do not run `git checkout -- <unrelated-path>` to "clean up" the diff before committing, and do not include unrelated paths in `git add`. Stage only the explicit files you edited.
 
 The umbrella rule: never run a git command that mutates state belonging to a path other than the file you just edited.
 
@@ -101,6 +102,8 @@ The umbrella rule: never run a git command that mutates state belonging to a pat
 - 🚨 **NEVER use `npx`, `pnpm dlx`, or `yarn dlx`** — use `pnpm exec <package>` or `pnpm run <script>`
 - **NEVER reference Linear issues** (e.g. `SOC-123`, `ENG-456`, `ASK-789`, Linear URLs) in code, code comments, or PR titles/descriptions/review comments. Linear tracking lives in Linear; keep the codebase and PR history tool-agnostic.
 - 🚨 **NEVER write a real customer or company name into any commit, PR, issue, GitHub comment, or release note.** When about to write any name, stop and ask: "is this a real company?" If yes, replace it with `Acme Inc` (or drop the reference entirely). No enumerated denylist exists anywhere — a denylist is itself a leak. Recognition is done at write time, every time. The `.claude/hooks/public-surface-reminder` hook re-prints this rule on every public-surface `git`/`gh` command as a priming nudge; the rule still applies when the hook is not installed.
+- 🚨 **NEVER mention private repos or internal project names** in commits, PR titles/descriptions/comments, issues, release notes, or any public-surface text. Internal codenames, unreleased product names, internal tooling repo names not on the public org page, customer names, partner names — none belong in public surfaces. **Omit the reference entirely.** Don't substitute a placeholder ("an internal tool", "a downstream consumer", etc.) — the placeholder itself is a tell that something is being elided. Rewrite the sentence to not need the reference at all.
+- 🚨 **NEVER trigger Publish / Release / Provenance / Build-Release workflows** — no `gh workflow run`, `gh workflow dispatch`, or `gh api .../dispatches`. Workflow dispatches are irrevocable: Publish workflows push npm versions (unpublishable after 24h), Build/Release workflows pin GitHub releases by SHA, container workflows push immutable tags. Even build workflows with a `dry_run` input still treat the dispatch itself as the prod trigger. The user runs workflow_dispatch jobs manually after CI passes on the release commit + tag — Claude **never** dispatches them. If the user asks for a publish, tell them to run the command in their own terminal (or the GitHub Actions UI).
 
 ## EVOLUTION
 
@@ -109,6 +112,7 @@ If user repeats instruction 2+ times, ask: "Should I add this to CLAUDE.md?"
 ## SHARED STANDARDS
 
 - Commits: [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) `<type>(<scope>): <description>` — NO AI attribution
+- **Open PRs:** when adding commits to an OPEN PR, ALWAYS update the PR title and description to match the new scope. A title like `chore: foo` after you've added security-fix and docs commits to it is now a lie. Use `gh pr edit <num> --title "..." --body "..."` (or `--body-file`) and rewrite the body so it reflects every commit on the branch, grouped by theme. The reviewer should be able to read the PR description and know what's in it without scrolling commits.
 - Scripts: Prefer `pnpm run foo --flag` over `foo:bar` variants
 - Dependencies: After `package.json` edits, run `pnpm install`
 - Backward Compatibility: 🚨 FORBIDDEN to maintain — actively remove when encountered
@@ -125,6 +129,27 @@ Do NOT litter the repo with markdown. Allowed: `docs/`, root `README.md`/`CHANGE
 
 **`.claude/` exception**: markdown under `.claude/agents/`, `.claude/commands/`, `.claude/hooks/`, `.claude/skills/` is allowed (harness-loaded config). Ad-hoc analysis/session notes still disallowed.
 
+### 1 path, 1 reference
+
+**A path is *constructed* exactly once. Everywhere else *references* the constructed value.**
+
+Referencing a single computed path many times is fine — that's the whole point of computing it once. What's banned is *re-constructing* the same path in multiple places, because that's where drift is born.
+
+- **Within a package**: every script imports its own `scripts/paths.mts` (or `lib/paths.mts`). No `path.join('build', mode, ...)` outside that module.
+- **Across packages**: when package B consumes package A's output, B imports A's `paths.mts` via the workspace `exports` field. Never `path.join(PKG, '..', '<sibling>', 'build', ...)`.
+- **Workflows, Dockerfiles, shell scripts**: they can't `import` TS, so they construct the string once and reference it everywhere downstream. Workflows: a "Compute paths" step exposes `steps.paths.outputs.final_dir`; later steps read `${{ steps.paths.outputs.final_dir }}`. Dockerfiles/shell: assign once to a variable / `ENV`, reference by name thereafter. Each canonical construction carries a comment naming the source-of-truth `paths.mts`. **Re-building** the same path in a second step is the violation, not referring to the constructed value many times.
+- **Comments**: may describe path *structure* with placeholders ("`<mode>/<arch>`") but should not encode a complete literal path string. The import statement IS the comment.
+
+Code execution takes priority over docs: violations in `.mts`/`.cts`, Makefiles, Dockerfiles, workflow YAML, and shell scripts are blocking. README and doc-comment violations are advisory unless they contain a fully-qualified path with no parametric placeholders.
+
+**Three-level enforcement:**
+
+- **Hook** — `.claude/hooks/path-guard/` blocks `Edit`/`Write` calls that would introduce a violation in a `.mts`/`.cts` file at edit time.
+- **Gate** — `scripts/check-paths.mts` runs in `pnpm check`. Fails the build on any violation that isn't allowlisted in `.github/paths-allowlist.yml`.
+- **Skill** — `/path-guard` audits the repo and fixes findings; `/path-guard check` reports only; `/path-guard install` drops the gate + hook + rule into a fresh repo.
+
+The mantra is intentionally short so it sticks: **1 path, 1 reference**. When in doubt, find the canonical owner and import from it.
+
 ---
 
 ## 🏗️ CLI-SPECIFIC
@@ -154,7 +179,7 @@ Follow [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). User-facing onl
 - Process spawning: MUST use `spawn` from `@socketsecurity/registry/lib/spawn` (NEVER `child_process`)
 - Array destructuring: `{ 0: key, 1: data }` instead of `[key, data]`
 - Dynamic imports: 🚨 FORBIDDEN — always static imports
-- Sorting: 🚨 MANDATORY — lists, exports, destructured properties, doc headers alphabetically
+- Sorting: 🚨 MANDATORY — lists, exports, destructured properties, `Set` constructor arguments, doc headers alphabetically
 - Comments: Default NO. Only when WHY is non-obvious. Own line, not inline.
 - Functions: alphabetical; private first, exported second
 - Object mappings: `__proto__: null` for static lookup; `Map` for dynamic
@@ -165,6 +190,52 @@ Follow [Keep a Changelog](https://keepachangelog.com/en/1.1.0/). User-facing onl
 - Error handling: `InputError`/`AuthError` from `src/utils/errors.mts`; prefer `CResult<T>`; avoid `process.exit(1)`
 - GitHub API: Octokit from `src/utils/github.mts`, not raw fetch
 
+### Sorting
+
+Sort lists alphanumerically (literal byte order, ASCII before letters). Apply this to:
+
+- **Config lists** — `permissions.allow` / `permissions.deny` in `.claude/settings.json`, `external-tools.json` checksum keys, allowlists in workflow YAML.
+- **Object key entries** — sort keys in plain JSON config + return-shape literals + internal-state objects. (Exception: `__proto__: null` always comes first, ahead of any data keys.)
+- **Import specifiers** — sort named imports inside a single statement: `import { encrypt, randomDataKey, wrapKey } from './crypto.mts'`. Imports that say `import type` follow the same rule. Statement *order* is the project's existing convention (`node:` → external → local → types) — that's separate from specifier order *within* a statement.
+- **Method / function source placement** — within a module, sort top-level functions alphabetically. Convention: private functions (lowercase / un-exported) sort first, exported functions second. The first-line `export` keyword is the divider.
+- **Array literals** — when the array is a config list, allowlist, or set-like collection. Position-bearing arrays (e.g. argv, anything where index matters semantically) keep their meaningful order.
+
+When in doubt, sort. The cost of a sorted list that didn't need to be is approximately zero; the cost of an unsorted list that did need to be is a merge conflict.
+
+### Paths: One Path, One Reference
+
+**If a path appears in two places, that's a bug.** Every artifact (build output, cache directory, generated file, config location) lives at exactly one canonical location, and that location is defined in exactly one place — typically a `paths.mts` (or equivalent path helper) module. Everything else — other scripts, READMEs, Dockerfiles, workflows, tests — derives from that source. No hand-assembled `path.join(...)` strings outside the module that owns them.
+
+- **Within a package**: every script imports its own path module. No script computes paths from raw segments.
+- **Across packages**: when package B consumes package A's artifact, B imports A's path module (or a typed helper exported from it) — never reconstructs the path from string segments. The classic failure: A adds a new path segment (e.g. inserts a `wasm/` directory), B's hand-built copy of the path drifts, builds break.
+- **Doc strings**: README "Output:" lines and `@fileoverview` comments describe the path; they don't *encode* it for tools to parse. The doc is for humans only — and even there, it must match what the path module actually produces, verified by running the function.
+- **Workflows / Dockerfiles**: GitHub Actions YAML and Dockerfiles can't `import` TS, so they're allowed to reference the path string directly — but they MUST add a comment pointing at the canonical path module so the next person editing knows where the source of truth lives, and any path string must match the module byte-for-byte. If you find yourself writing the same path twice in one workflow, hoist it to a step output or a job-level env var; reference that everywhere downstream.
+- **Comments that re-state the path**: forbidden. A comment like `// Path mirrors getBuildPaths(): build/<mode>/<arch>/out/Final/...` is duplication wearing a comment costume. The import statement is the comment.
+
+When you spot duplication, the answer is never "update both" — the answer is "delete one and import the other." Fix the architecture, not the symptom.
+
+### Inclusive Language
+
+Use precise, neutral terms over historical metaphors that imply hierarchy or exclusion. The substitutes are not euphemisms — they're more *accurate* (a list of allowed values genuinely is an "allowlist"; "whitelist" is a metaphor that hides what the list does).
+
+| Replace                                  | With                                                  |
+| ---------------------------------------- | ----------------------------------------------------- |
+| `whitelist` / `whitelisted`              | `allowlist` / `allowed` / `allowlisted`               |
+| `blacklist` / `blacklisted`              | `denylist` / `denied` / `blocklisted` / `blocked`     |
+| `master` (branch, process, copy)         | `main` (branch); `primary` / `controller` (process)   |
+| `slave`                                  | `replica`, `worker`, `secondary`, `follower`          |
+| `grandfathered`                          | `legacy`, `pre-existing`, `exempted`                  |
+| `sanity check`                           | `quick check`, `confidence check`, `smoke test`       |
+| `dummy` (placeholder)                    | `placeholder`, `stub`                                 |
+
+Apply across **code** (identifiers, comments, string literals), **docs** (READMEs, CLAUDE.md, markdown), **config files** (YAML, JSON), **commit messages**, **PR titles/descriptions**, and **CI logs** you control.
+
+Two exceptions where the legacy term must remain (because changing it breaks something external):
+- **Third-party APIs / upstream code**: when interfacing with an external API field literally named `whitelist`, keep the field name; rename your local variable. E.g. `const allowedDomains = response.whitelist`.
+- **Vendored upstream sources**: don't rewrite vendored code (`vendor/**`, `upstream/**`, `**/fixtures/**`). Patch around it if needed.
+
+When you encounter a legacy term during unrelated work, fix it inline — don't defer.
+
 ### Error Messages
 
 An error message is UI. The reader should be able to fix the problem from the message alone, without opening your source.
diff --git a/packages/cli/.config/tsconfig.check.json b/packages/cli/.config/tsconfig.check.json
index 256730d7d..6577a08d4 100644
--- a/packages/cli/.config/tsconfig.check.json
+++ b/packages/cli/.config/tsconfig.check.json
@@ -7,6 +7,7 @@
   },
   "include": ["../src/**/*.mts", "../*.config.mts", "./*.mts"],
   "exclude": [
+    "../.cache/**",
     "../**/*.tsx",
     "../**/*.d.mts",
     "../src/commands/analytics/output-analytics.mts",
diff --git a/packages/cli/.env.test b/packages/cli/.env.test
index d4f0fdaa7..bf0a05538 100644
--- a/packages/cli/.env.test
+++ b/packages/cli/.env.test
@@ -2,7 +2,6 @@
 # Used by unit tests, integration tests, and e2e tests.
 
 # Node.js Configuration.
-NODE_COMPILE_CACHE="./.cache"
 NODE_OPTIONS="--max-old-space-size=2048 --unhandled-rejections=warn"
 
 # Test Framework.
diff --git a/packages/cli/test/unit/utils/validation/check-input.test.mts b/packages/cli/test/unit/utils/validation/check-input.test.mts
index 2daed22d8..f04a46fab 100644
--- a/packages/cli/test/unit/utils/validation/check-input.test.mts
+++ b/packages/cli/test/unit/utils/validation/check-input.test.mts
@@ -9,7 +9,7 @@
  * - Type validation
  * - Format checking
  * - Length limits
- * - Whitelist/blacklist
+ * - Allowlist/denylist
  * - Error messages
  *
  * Testing Approach:
diff --git a/scripts/babel/babel-plugin-inline-process-env.mts b/scripts/babel/babel-plugin-inline-process-env.mts
index d3c38a04f..41a406aa4 100644
--- a/scripts/babel/babel-plugin-inline-process-env.mts
+++ b/scripts/babel/babel-plugin-inline-process-env.mts
@@ -22,8 +22,8 @@
  * @param {object} babel - Babel API object
  * @param {object} options - Plugin options
  * @param {Record<string, string>} [options.env] - Environment variables to inline
- * @param {string[]} [options.include] - Only inline these env vars (whitelist)
- * @param {string[]} [options.exclude] - Never inline these env vars (blacklist)
+ * @param {string[]} [options.include] - Only inline these env vars (allowlist)
+ * @param {string[]} [options.exclude] - Never inline these env vars (denylist)
  * @returns {object} Babel plugin object
  *
  * @example
@@ -57,7 +57,7 @@ export default function inlineProcessEnv(babel, options = {}) {
 
         const envKey = property.name
 
-        // Check whitelist/blacklist.
+        // Check allowlist/denylist.
         if (includeSet.size > 0 && !includeSet.has(envKey)) {
           return
         }
diff --git a/tsconfig.json b/tsconfig.json
index c5c9ec01d..7a0f85dad 100644
--- a/tsconfig.json
+++ b/tsconfig.json
@@ -11,12 +11,12 @@
     "src/commands/analytics/output-analytics.mts",
     "src/commands/audit-log/output-audit-log.mts",
     "src/commands/threat-feed/output-threat-feed.mts",
+    ".cache/**",
+    ".claude/**",
     "build/**",
     "binaries/**",
     "dist/**",
     "external/**",
-    ".cache/**",
-    ".claude/**",
     "node_modules/**",
     "pkg-binaries/**"
   ]

From 10e10dc98a8d5ac08ad347181a5ff51e62ac6261 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Mon, 27 Apr 2026 12:21:04 -0400
Subject: [PATCH 2/6] chore(skills): narrow allowed-tools to specific commands

Replaces blanket Bash/Grep/Glob entries with command-pattern-specific
matchers (Bash(prefix:*)) so the skill cannot run anything the body
of the skill doesn't actually invoke. Drops Grep/Glob from skills
that don't use them.

- security-scan: Task, Read, Bash(pnpm exec agentshield:*),
  Bash(zizmor:*), Bash(command -v:*),
  Bash(find .cache/external-tools/zizmor:*)
- updating: Task, Skill, Read, Edit, Bash(pnpm run:*), Bash(pnpm install:*),
  Bash(pnpm test:*), Bash(claude --version),
  Bash(node .claude/hooks/setup-security-tools/update.mts:*),
  Bash(git status:*), Bash(git diff:*), Bash(git add:*), Bash(git commit:*)
- updating-checksums: Read, Edit,
  Bash(node packages/cli/scripts/sync-checksums.mjs:*),
  Bash(git diff:*), Bash(git status:*), Bash(git add:*), Bash(git commit:*)

Addresses billxinli's review on PR #1283 / #624.
---
 .claude/skills/security-scan/SKILL.md      | 2 +-
 .claude/skills/updating-checksums/SKILL.md | 2 +-
 .claude/skills/updating/SKILL.md           | 2 +-
 3 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/.claude/skills/security-scan/SKILL.md b/.claude/skills/security-scan/SKILL.md
index 0c2cf12ed..10a3ac3f2 100644
--- a/.claude/skills/security-scan/SKILL.md
+++ b/.claude/skills/security-scan/SKILL.md
@@ -2,7 +2,7 @@
 name: security-scan
 description: Runs a multi-tool security scan — AgentShield for Claude config, zizmor for GitHub Actions, and optionally Socket CLI for dependency scanning. Produces an A-F graded security report. Use after modifying `.claude/` config, hooks, agents, or GitHub Actions workflows, and before releases.
 user-invocable: true
-allowed-tools: Task, Bash, Read, Grep, Glob
+allowed-tools: Task, Read, Bash(pnpm exec agentshield:*), Bash(zizmor:*), Bash(command -v:*), Bash(find .cache/external-tools/zizmor:*)
 ---
 
 # Security Scan
diff --git a/.claude/skills/updating-checksums/SKILL.md b/.claude/skills/updating-checksums/SKILL.md
index 97777b04c..8d1bc0309 100644
--- a/.claude/skills/updating-checksums/SKILL.md
+++ b/.claude/skills/updating-checksums/SKILL.md
@@ -5,7 +5,7 @@ description: >
   Triggers when user mentions "update checksums", "sync checksums", or after
   releasing new tool versions.
 user-invocable: true
-allowed-tools: Bash, Read, Edit
+allowed-tools: Read, Edit, Bash(node packages/cli/scripts/sync-checksums.mjs:*), Bash(git diff:*), Bash(git status:*), Bash(git add:*), Bash(git commit:*)
 ---
 
 # updating-checksums
diff --git a/.claude/skills/updating/SKILL.md b/.claude/skills/updating/SKILL.md
index f8d50f96f..40795259e 100644
--- a/.claude/skills/updating/SKILL.md
+++ b/.claude/skills/updating/SKILL.md
@@ -5,7 +5,7 @@ description: >
   Triggers when user asks to "update everything", "update dependencies", or
   prepare for a release.
 user-invocable: true
-allowed-tools: Task, Skill, Bash, Read, Grep, Glob, Edit
+allowed-tools: Task, Skill, Read, Edit, Bash(pnpm run:*), Bash(pnpm install:*), Bash(pnpm test:*), Bash(claude --version), Bash(node .claude/hooks/setup-security-tools/update.mts:*), Bash(git status:*), Bash(git diff:*), Bash(git add:*), Bash(git commit:*)
 ---
 
 # updating

From 1c77a455a6d7f75e8b58c7ab781cad53d0bb2b6b Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Mon, 27 Apr 2026 14:37:39 -0400
Subject: [PATCH 3/6] chore(claude): add tools: frontmatter to agents,
 deny-list to settings, allowed-tools to quality-scan

Extends the .claude/ tightening already on this branch:

- Adds tools: frontmatter to all three agents so they declare exactly
  what they need instead of inheriting the default tool set:
  - code-reviewer (read-only): Read, Grep, Glob, Bash(git/rg/grep/find/ls/wc/cat/head/tail:*)
  - security-reviewer: same + Bash(pnpm exec agentshield:*), Bash(zizmor:*),
    Bash(command -v:*)
  - refactor-cleaner: adds Edit, Write, Bash(pnpm run/test/exec:*), Bash(node:*)
- Adds permissions.deny block to .claude/settings.json blocking
  publish/release escape hatches: npm/pnpm/yarn publish, gh release
  create/delete, gh workflow run/dispatch, git push --force/-f.
  Enforces existing CLAUDE.md prohibitions at the harness layer so
  an agent cannot dispatch a publish workflow without explicit
  operator override.
- Adds allowed-tools: to quality-scan/SKILL.md (was missing entirely,
  inheriting full default access).

Mirrors the canonical pattern landed on socket-repo-template main.
---
 .claude/agents/code-reviewer.md      |  6 ++++++
 .claude/agents/refactor-cleaner.md   |  6 ++++++
 .claude/agents/security-reviewer.md  |  6 ++++++
 .claude/settings.json                | 13 +++++++++++++
 .claude/skills/quality-scan/SKILL.md |  1 +
 5 files changed, 32 insertions(+)

diff --git a/.claude/agents/code-reviewer.md b/.claude/agents/code-reviewer.md
index 1f3433334..e40362300 100644
--- a/.claude/agents/code-reviewer.md
+++ b/.claude/agents/code-reviewer.md
@@ -1,3 +1,9 @@
+---
+name: code-reviewer
+description: Reviews code in socket-cli against CLAUDE.md rules and reports style violations, logic bugs, and test gaps. Spawned by the quality-scan skill or invoked directly on a diff.
+tools: Read, Grep, Glob, Bash(git:*), Bash(rg:*), Bash(grep:*), Bash(find:*), Bash(ls:*), Bash(wc:*), Bash(cat:*), Bash(head:*), Bash(tail:*)
+---
+
 You are a code reviewer for a Node.js/TypeScript monorepo (socket-cli).
 
 Apply the rules from CLAUDE.md sections listed below. Reference the full section in CLAUDE.md for details — these are summaries, not the complete rules.
diff --git a/.claude/agents/refactor-cleaner.md b/.claude/agents/refactor-cleaner.md
index 7f823bd75..68e6b0a08 100644
--- a/.claude/agents/refactor-cleaner.md
+++ b/.claude/agents/refactor-cleaner.md
@@ -1,3 +1,9 @@
+---
+name: refactor-cleaner
+description: Refactor specialist for socket-cli. Removes dead code first, batches changes into ≤5-file phases, verifies each with the project's check + test scripts. Use after quality-scan or before structural refactors.
+tools: Read, Edit, Write, Grep, Glob, Bash(git:*), Bash(rg:*), Bash(grep:*), Bash(find:*), Bash(ls:*), Bash(pnpm run:*), Bash(pnpm test:*), Bash(pnpm exec:*), Bash(node:*), Bash(cat:*), Bash(head:*), Bash(tail:*)
+---
+
 You are a refactoring specialist for a Node.js/TypeScript monorepo (socket-cli).
 
 Apply these rules from CLAUDE.md exactly:
diff --git a/.claude/agents/security-reviewer.md b/.claude/agents/security-reviewer.md
index 6ae108892..83137fd62 100644
--- a/.claude/agents/security-reviewer.md
+++ b/.claude/agents/security-reviewer.md
@@ -1,3 +1,9 @@
+---
+name: security-reviewer
+description: Reviews findings from AgentShield + zizmor against socket-cli's CLAUDE.md security rules and grades the result A-F. Spawned by the security-scan skill after the static scans run.
+tools: Read, Grep, Glob, Bash(git:*), Bash(rg:*), Bash(grep:*), Bash(find:*), Bash(ls:*), Bash(pnpm exec agentshield:*), Bash(zizmor:*), Bash(command -v:*), Bash(cat:*), Bash(head:*), Bash(tail:*)
+---
+
 You are a security reviewer for Socket Security Node.js repositories.
 
 Apply these rules from CLAUDE.md exactly:
diff --git a/.claude/settings.json b/.claude/settings.json
index 3490c309f..c969b131c 100644
--- a/.claude/settings.json
+++ b/.claude/settings.json
@@ -24,5 +24,18 @@
         ]
       }
     ]
+  },
+  "permissions": {
+    "deny": [
+      "Bash(gh release create:*)",
+      "Bash(gh release delete:*)",
+      "Bash(gh workflow dispatch:*)",
+      "Bash(gh workflow run:*)",
+      "Bash(git push --force:*)",
+      "Bash(git push -f:*)",
+      "Bash(npm publish:*)",
+      "Bash(pnpm publish:*)",
+      "Bash(yarn publish:*)"
+    ]
   }
 }
diff --git a/.claude/skills/quality-scan/SKILL.md b/.claude/skills/quality-scan/SKILL.md
index 4dafcdf72..034198ced 100644
--- a/.claude/skills/quality-scan/SKILL.md
+++ b/.claude/skills/quality-scan/SKILL.md
@@ -5,6 +5,7 @@ description: >
   and committing changes until zero issues remain or 5 iterations complete.
   Use when improving code quality, investigating regressions, or before
   releases.
+allowed-tools: Task, Skill, Read, Edit, Grep, Glob, AskUserQuestion, Bash(pnpm run check:*), Bash(pnpm run test:*), Bash(pnpm test:*), Bash(pnpm run fix:*), Bash(git status:*), Bash(git diff:*), Bash(git log:*), Bash(git add:*), Bash(git commit:*), Bash(rg:*), Bash(grep:*), Bash(find:*), Bash(ls:*)
 ---
 
 # quality-scan

From 215c707544f72c4fa21ccf59a4876fbb61448795 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Tue, 28 Apr 2026 12:44:11 -0400
Subject: [PATCH 4/6] docs(claude): add programmatic-Claude lockdown rule +
 skill
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Cascaded from socket-repo-template. CLAUDE.md gains one bullet
alongside the other security 🚨 rules; the skill at
.claude/skills/programmatic-claude-lockdown/SKILL.md holds the
four-flag table (`tools`/`allowedTools`/`disallowedTools`/
`permissionMode: 'dontAsk'`), both recipes (read-only and
Bash-needing), and the never-do list.

Reference impl: socket-lib/tools/prim/src/disambiguate.mts (SDK form);
socket-registry weekly-update.yml uses the Bash-needing CLI form.
---
 .../programmatic-claude-lockdown/SKILL.md     | 84 +++++++++++++++++++
 CLAUDE.md                                     |  1 +
 2 files changed, 85 insertions(+)
 create mode 100644 .claude/skills/programmatic-claude-lockdown/SKILL.md

diff --git a/.claude/skills/programmatic-claude-lockdown/SKILL.md b/.claude/skills/programmatic-claude-lockdown/SKILL.md
new file mode 100644
index 000000000..f2561013a
--- /dev/null
+++ b/.claude/skills/programmatic-claude-lockdown/SKILL.md
@@ -0,0 +1,84 @@
+---
+name: programmatic-claude-lockdown
+description: Reference for locking down programmatic Claude invocations (the `claude` CLI in workflows/scripts, the `@anthropic-ai/claude-agent-sdk` `query()` in code). Loads on demand when writing or reviewing any callsite that runs Claude programmatically. Source: https://code.claude.com/docs/en/agent-sdk/permissions.
+user-invocable: false
+allowed-tools: Read, Grep, Glob
+---
+
+# Programmatic Claude lockdown
+
+**Rule:** every programmatic Claude callsite sets four flags. Skip any one and a future edit silently widens the surface.
+
+## The four flags
+
+| Layer | SDK option | CLI flag | What it does |
+|---|---|---|---|
+| Definition | `tools` | `--tools` | Base set the model is told about. Tools not listed are invisible — no `tool_use` block possible. |
+| Auto-approve | `allowedTools` | `--allowedTools` | Step 4. Listed tools run without invoking `canUseTool`. |
+| Deny | `disallowedTools` | `--disallowedTools` | Step 2. Wins even against `bypassPermissions`. Defense-in-depth. |
+| Mode | `permissionMode: 'dontAsk'` | `--permission-mode dontAsk` | Step 3. Unmatched tools denied without falling through to a missing `canUseTool`. |
+
+The official permission flow (1) hooks → (2) deny rules → (3) permission mode → (4) allow rules → (5) `canUseTool`. In `dontAsk` mode step 5 is skipped — denied. The doc states verbatim: *"`allowedTools` and `disallowedTools` ... control whether a tool call is approved, not whether the tool is available."* Availability is `tools`.
+
+## Recipe — read-only agent (audit, classify, summarize)
+
+```ts
+import { query } from '@anthropic-ai/claude-agent-sdk'
+
+query({
+  prompt: '...',
+  options: {
+    tools: ['Read', 'Grep', 'Glob'],
+    allowedTools: ['Read', 'Grep', 'Glob'],
+    disallowedTools: ['Agent', 'Bash', 'Edit', 'NotebookEdit', 'Task', 'WebFetch', 'WebSearch', 'Write'],
+    permissionMode: 'dontAsk',
+  },
+})
+```
+
+CLI form for workflow YAML / shell scripts:
+
+```yaml
+claude --print \
+  --tools "Read" "Grep" "Glob" \
+  --allowedTools "Read" "Grep" "Glob" \
+  --disallowedTools "Agent" "Bash" "Edit" "NotebookEdit" "Task" "WebFetch" "WebSearch" "Write" \
+  --permission-mode dontAsk \
+  --model "$MODEL" \
+  --max-turns 25 \
+  "<prompt>"
+```
+
+## Recipe — agent that needs Bash (e.g. `/updating`: pnpm + git + jq)
+
+Narrow `Bash(...)` patterns surgically. Block dangerous Bash patterns explicitly. Fleet rules: no `npx`/`pnpm dlx`/`yarn dlx`; no `curl`/`wget` exfil; no destructive `rm -rf`; no `sudo`. Build the deny list as shell vars so the npx/dlx denials can carry the `# zizmor:` exemption marker (the pre-commit `scanNpxDlx` hook treats those literal strings as the prohibited tools, not as exemptions, unless the line is tagged):
+
+```yaml
+DISALLOW_BASE='Agent Task NotebookEdit WebFetch WebSearch Bash(curl:*) Bash(wget:*) Bash(rm -rf*) Bash(sudo:*)'
+DISALLOW_PKG_EXEC='Bash(npx:*) Bash(pnpm dlx:*) Bash(yarn dlx:*)'  # zizmor: documentation-prohibition
+claude --print \
+  --tools "Bash" "Read" "Write" "Edit" "Glob" "Grep" \
+  --allowedTools "Bash(pnpm:*)" "Bash(git:*)" "Bash(jq:*)" "Read" "Write" "Edit" "Glob" "Grep" \
+  --disallowedTools $DISALLOW_BASE $DISALLOW_PKG_EXEC \
+  --permission-mode dontAsk \
+  --model "$MODEL" --max-turns 25 \
+  "<prompt>"
+```
+
+## Never
+
+- ❌ `permissionMode: 'default'` in headless contexts — falls through to a missing `canUseTool`. Behavior undefined.
+- ❌ `permissionMode: 'bypassPermissions'` / `allowDangerouslySkipPermissions: true`.
+- ❌ Omitting `tools` — SDK default is the full claude_code preset.
+- ❌ `Agent` / `Task` permitted — sub-agents inherit modes and can escape per-subagent restrictions when the parent is `bypassPermissions`/`acceptEdits`/`auto`.
+
+## Reference implementation
+
+`socket-lib/tools/prim/src/disambiguate.mts` — canonical SDK-form callsite. The file header documents each flag against the eval-flow step it enforces.
+
+`socket-lib/tools/prim/test/disambiguate.test.mts` — source-text guards that fail the build if `BASE_TOOLS` widens, if `tools: BASE_TOOLS` is unwired, if `permissionMode` drifts from `'dontAsk'`, or if `bypassPermissions` / `allowDangerouslySkipPermissions: true` ever appears. Mirror this pattern in any new callsite.
+
+## Existing fleet callsites
+
+- `socket-registry/.github/workflows/weekly-update.yml` — two `claude --print` invocations (run `/updating` skill, fix test failures). Bash recipe above.
+- `socket-lib/tools/prim/src/disambiguate.mts` — read-only recipe above (`query()` SDK form).
diff --git a/CLAUDE.md b/CLAUDE.md
index 119d838db..efdf83a22 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -104,6 +104,7 @@ The umbrella rule: never run a git command that mutates state belonging to a pat
 - 🚨 **NEVER write a real customer or company name into any commit, PR, issue, GitHub comment, or release note.** When about to write any name, stop and ask: "is this a real company?" If yes, replace it with `Acme Inc` (or drop the reference entirely). No enumerated denylist exists anywhere — a denylist is itself a leak. Recognition is done at write time, every time. The `.claude/hooks/public-surface-reminder` hook re-prints this rule on every public-surface `git`/`gh` command as a priming nudge; the rule still applies when the hook is not installed.
 - 🚨 **NEVER mention private repos or internal project names** in commits, PR titles/descriptions/comments, issues, release notes, or any public-surface text. Internal codenames, unreleased product names, internal tooling repo names not on the public org page, customer names, partner names — none belong in public surfaces. **Omit the reference entirely.** Don't substitute a placeholder ("an internal tool", "a downstream consumer", etc.) — the placeholder itself is a tell that something is being elided. Rewrite the sentence to not need the reference at all.
 - 🚨 **NEVER trigger Publish / Release / Provenance / Build-Release workflows** — no `gh workflow run`, `gh workflow dispatch`, or `gh api .../dispatches`. Workflow dispatches are irrevocable: Publish workflows push npm versions (unpublishable after 24h), Build/Release workflows pin GitHub releases by SHA, container workflows push immutable tags. Even build workflows with a `dry_run` input still treat the dispatch itself as the prod trigger. The user runs workflow_dispatch jobs manually after CI passes on the release commit + tag — Claude **never** dispatches them. If the user asks for a publish, tell them to run the command in their own terminal (or the GitHub Actions UI).
+- 🚨 **Programmatic Claude calls** (workflows, skills, scripts that invoke `claude` CLI or `@anthropic-ai/claude-agent-sdk`) MUST set all four lockdown flags: `--tools`/`tools`, `--allowedTools`/`allowedTools`, `--disallowedTools`/`disallowedTools`, and `--permission-mode dontAsk`/`permissionMode: 'dontAsk'`. NEVER `default` mode in headless contexts (falls through to a missing `canUseTool` → undefined behavior). NEVER `bypassPermissions`. See `.claude/skills/programmatic-claude-lockdown/SKILL.md` for the recipe + reference impl (`socket-lib/tools/prim/src/disambiguate.mts`).
 
 ## EVOLUTION
 

From 487ba3fe2a173a946dc376e7bd39f73f7cfb8023 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Tue, 28 Apr 2026 13:02:07 -0400
Subject: [PATCH 5/6] =?UTF-8?q?chore(deps):=20bump=20pnpm=2011.0.0-rc.5=20?=
 =?UTF-8?q?=E2=86=92=2011.0.0=20(GA)?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

pnpm v11 is now stable: https://github.com/pnpm/pnpm/releases/tag/v11.0.0

- package.json: packageManager pin "pnpm@11.0.0-rc.5" → "pnpm@11.0.0";
  engines.pnpm ">=11.0.0-rc.3" → ">=11.0.0".
- external-tools.json: bump version + 6 platform sha256s (darwin
  arm64/x64, linux arm64/x64, win arm64/x64). Hashes computed locally
  from the v11.0.0 release tarballs.

pnpm-workspace.yaml already on the v11 idioms (allowBuilds,
pmOnFail, minimumReleaseAge); lockfile shape unchanged.
---
 external-tools.json | 14 +++++++-------
 package.json        |  4 ++--
 2 files changed, 9 insertions(+), 9 deletions(-)

diff --git a/external-tools.json b/external-tools.json
index d643cf7a2..885ca8b6b 100644
--- a/external-tools.json
+++ b/external-tools.json
@@ -22,7 +22,7 @@
     },
     "pnpm": {
       "description": "pnpm — the fleet's package manager.",
-      "version": "11.0.0-rc.5",
+      "version": "11.0.0",
       "packageManager": "pnpm",
       "repository": "github:pnpm/pnpm",
       "release": "asset",
@@ -34,27 +34,27 @@
       "checksums": {
         "darwin-arm64": {
           "asset": "pnpm-darwin-arm64.tar.gz",
-          "sha256": "32a50710ccacfdcf14e6d5995d5368298eec913b0ce3903b9e09b6555f06f4e5"
+          "sha256": "3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b"
         },
         "darwin-x64": {
           "asset": "pnpm-darwin-x64.tar.gz",
-          "sha256": "71dca33f4275da6b43bf1eb40bdc4d876f59a116716eacbf01079c3d985ff85d"
+          "sha256": "1701748b75187f1333a9c616827943ff84ff46cc42becc156ff6864b9bd0f948"
         },
         "linux-arm64": {
           "asset": "pnpm-linux-arm64.tar.gz",
-          "sha256": "2dd04127ff10b1f9dd20bae248b779c77a8ec67e3afa35e7256e5f94abddd493"
+          "sha256": "1e6d87ebfd7ff169966ff5b3ad71b780b883c68d3e59987df1096dfd8853df75"
         },
         "linux-x64": {
           "asset": "pnpm-linux-x64.tar.gz",
-          "sha256": "7ebef4b616ba41fb0d54a207b36508fae3346723283a088b43fc1e038ee6fed0"
+          "sha256": "9b44acc77ada40fc41b665fde1d57367a5ebec31bd4b1b00598daed195da3e17"
         },
         "win-arm64": {
           "asset": "pnpm-win32-arm64.zip",
-          "sha256": "e4a39ad4c251db5e34b18b98561ef25bab5506ad65cad2fa3602af58d1972667"
+          "sha256": "0746be8e98ca183078d0747559f0cbbd30a13a53eb177f67474eb3c52dc21bc8"
         },
         "win-x64": {
           "asset": "pnpm-win32-x64.zip",
-          "sha256": "147485ae2f38c3d1ccf2f5db00d0244416bcd22b9114c02388e6a78f41538fc4"
+          "sha256": "581e222e622cd0cc4f0ac5f85dd0db76b65117e3b17507979d89e63fdc68edca"
         }
       }
     },
diff --git a/package.json b/package.json
index 3b8310e47..cdc07ed28 100644
--- a/package.json
+++ b/package.json
@@ -1,11 +1,11 @@
 {
   "name": "socket-cli-monorepo",
   "version": "0.0.0",
-  "packageManager": "pnpm@11.0.0-rc.5",
+  "packageManager": "pnpm@11.0.0",
   "private": true,
   "engines": {
     "node": ">=25.9.0",
-    "pnpm": ">=11.0.0-rc.3"
+    "pnpm": ">=11.0.0"
   },
   "scripts": {
     "// Build": "",

From 249be45e8122e90387a98131eb18323616f332a5 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Tue, 28 Apr 2026 13:15:51 -0400
Subject: [PATCH 6/6] fix(cli): point @socketaddon/iocraft file: ref at the
 template, not gitignored build output
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The previous file: ref pointed at
`packages/package-builder/build/dev/out/socketaddon-iocraft`,
which is gitignored — the directory only exists after running
`pnpm --filter package-builder run generate:socketaddon`. In a
fresh checkout or git worktree, the path doesn't exist, and pnpm
v11.0.0 GA's `verifyDepsBeforeRun: install` default flushed this
out: every pnpm-prefixed command pre-flight-installs and trips on
`ERR_PNPM_LINKED_PKG_DIR_NOT_FOUND`.

Repoint to `packages/package-builder/templates/socketaddon-main`,
which IS committed (it's the handlebars-free static template the
generator copies into the build output). Same files,
byte-identical content: package.json declares
@socketaddon/iocraft@1.0.0-pre.0 with the per-platform native
addons as optionalDependencies, and the index.mjs does runtime
platform detection + require() of the matching .node binary.

Tests that depend on the native .node binary still need the per-
platform addon to be present (built by the package-builder Rust
generation step); that's a separate concern from install-time
resolution.
---
 packages/cli/package.json |  2 +-
 pnpm-lock.yaml            | 11 ++++++-----
 2 files changed, 7 insertions(+), 6 deletions(-)

diff --git a/packages/cli/package.json b/packages/cli/package.json
index 666f54dfa..729285b1a 100644
--- a/packages/cli/package.json
+++ b/packages/cli/package.json
@@ -76,7 +76,7 @@
     "@octokit/graphql": "catalog:",
     "@octokit/request-error": "catalog:",
     "@octokit/rest": "catalog:",
-    "@socketaddon/iocraft": "file:../package-builder/build/dev/out/socketaddon-iocraft",
+    "@socketaddon/iocraft": "file:../package-builder/templates/socketaddon-main",
     "@socketregistry/hyrious__bun.lockb": "catalog:",
     "@socketregistry/indent-string": "catalog:",
     "@socketregistry/is-interactive": "catalog:",
diff --git a/pnpm-lock.yaml b/pnpm-lock.yaml
index 0acdb3bee..e6b6237eb 100644
--- a/pnpm-lock.yaml
+++ b/pnpm-lock.yaml
@@ -656,8 +656,8 @@ importers:
         specifier: 'catalog:'
         version: 22.0.0
       '@socketaddon/iocraft':
-        specifier: file:../package-builder/build/dev/out/socketaddon-iocraft
-        version: file:packages/package-builder/build/dev/out/socketaddon-iocraft
+        specifier: file:../package-builder/templates/socketaddon-main
+        version: file:packages/package-builder/templates/socketaddon-main
       '@socketregistry/hyrious__bun.lockb':
         specifier: 'catalog:'
         version: 1.0.19
@@ -2174,8 +2174,9 @@ packages:
     resolution: {integrity: sha512-LtoMMhxAlorcGhmFYI+LhPgbPZCkgP6ra1YL604EeF6U98pLlQ3iWIGMdWSC+vWmPBWBNgmDBAhnAobLROJmwg==}
     engines: {node: '>=18'}
 
-  '@socketaddon/iocraft@file:packages/package-builder/build/dev/out/socketaddon-iocraft':
-    resolution: {directory: packages/package-builder/build/dev/out/socketaddon-iocraft, type: directory}
+  '@socketaddon/iocraft@file:packages/package-builder/templates/socketaddon-main':
+    resolution: {directory: packages/package-builder/templates/socketaddon-main, type: directory}
+    engines: {node: '>=18'}
 
   '@socketregistry/es-set-tostringtag@1.0.10':
     resolution: {integrity: sha512-btXmvw1JpA8WtSoXx9mTapo9NAyIDKRRzK84i48d8zc0X09M6ORfobVnHbgwhXf7CFhkRzhYrHG9dqbI9vpELQ==}
@@ -5689,7 +5690,7 @@ snapshots:
 
   '@sindresorhus/merge-streams@2.3.0': {}
 
-  '@socketaddon/iocraft@file:packages/package-builder/build/dev/out/socketaddon-iocraft': {}
+  '@socketaddon/iocraft@file:packages/package-builder/templates/socketaddon-main': {}
 
   '@socketregistry/es-set-tostringtag@1.0.10': {}