Self-landable split from #1279. Combines the hook overhaul into one
atomic PR.

Path-guard infra
  - .claude/hooks/path-guard/ (hook + tests + segments.mts)
  - .claude/skills/path-guard/ (audit-and-fix skill)
  - .claude/skills/_shared/path-guard-rule.md (canonical rule)
  - scripts/check-paths.mts (the gate)
  - .github/paths-allowlist.yml (empty starter, full schema docs)
  - .claude/settings.json (wires hook on Edit|Write)
  - scripts/check.mts (invokes the gate)

Token-guard hook
  - .claude/hooks/token-guard/ (renamed from token-hygiene; word-
    boundary match for sensitive env names; ALWAYS_DANGEROUS check
    skips when redaction pipeline is present)

.sh → .mts hook conversion (Node 25+)
  - .git-hooks/_helpers.mts (was _helpers.sh) — exports
    filterAllowedApiKeys + scanners (personal paths, AWS keys,
    GitHub tokens, private keys, AI attribution)
  - .git-hooks/{commit-msg,pre-commit,pre-push}.mts (were .sh)
  - .husky/* shims invoke node directly

Fleet hooks (additions)
  - .claude/hooks/check-new-deps (npm dep introspection)
  - .claude/hooks/private-name-guard
  - .claude/hooks/release-workflow-guard
  - .claude/hooks/setup-security-tools (updated)
  - .claude/hooks/public-surface-reminder/package.json (updated)

Cleanup
  - Remove orphan .claude/hooks/token-hygiene (renamed to token-guard)

- .husky/pre-commit: add `set -e` so a non-zero exit from the security
  hook (.git-hooks/pre-commit.mts) blocks the commit instead of being
  silently overridden by a later passing pnpm lint/test. Without it the
  shell continued past the security check; the script's exit code came
  from the last command, so a security failure followed by a passing
  lint/test would let the commit through.
- token-guard: replace the single regex-based hasRedaction with a
  segment-aware version. The old patterns used `[\s\S]*?` which lazily
  reached across `|` boundaries, so an unrelated downstream stage
  named e.g. `tool_redact_output` could match `<?redact` and launder
  an upstream `env` dump. The new logic splits on `|` (skipping shell-
  or `||`) and requires each redaction marker to live inside a single
  pipe segment; whole-command redirections (`>`, `>>`, `>/dev/null`)
  are still matched against the full command. Adds a regression test
  for the canonical bypass `env | sed 's/foo/bar/' | tool_redact_output`.

Bugbot caught a follow-up bypass: `env || sed 's/=.*/=<redacted>/'`
was credited as redacted because

  1. REDACTION_WHOLE_COMMAND_MARKERS' loose `/>\s*[^|]/` matched the
     literal `>` inside `<redacted>`, returning true on the
     whole-command path before any segment logic ran.
  2. Even without that, hasRedaction's earlier `replace(||, '')`
     glued the two arms into one segment so the `sed` redaction
     looked unconditional.

But `env || sed` only runs sed if env FAILS — and env always
succeeds, so the redaction never fires at runtime. Combined with
the `!hasRedaction(command)` exception on ALWAYS_DANGEROUS, the env
dump went through unredacted.

Two-part fix:

1. Tighten REDACTION_WHOLE_COMMAND_MARKERS to anchor `>` and `>>`
   at a real shell boundary (`^`, whitespace, `|`, `;`) followed by
   a filename-shaped target — no more matching the `>` inside
   `<redacted>` or `s/=.*/.../`.

2. In hasRedaction, lop off everything from the first `||` or `&&`
   before splitting on `|`. A redaction marker on the right side of
   a conditional doesn't run unconditionally and can't launder an
   upstream leak.

Smoke-tested:
  ✓ env | sed 's/=.*/=<redacted>/'                    (matches)
  ✓ printenv | sed 's/=.*/=<redacted>/' | grep TOKEN  (matches)
  ✓ env > /dev/null                                   (matches)
  ✓ env > /tmp/leak.txt                               (matches)
  ✗ env || sed 's/=.*/=<redacted>/'                   (NOT credited)
  ✗ env && sed 's/=.*/=<redacted>/'                   (NOT credited)
  ✗ env | sed 's/foo/bar/' | tool_redact_output       (NOT credited)

REDACTION_SEGMENT_MARKERS use .* between sed and the redaction marker word, which crosses ; boundaries within a single pipe segment. Bugbot found the bypass shape 'env | sed s/a/b/ ; echo redacted_output': split on | keeps both statements in one segment, the regex matches the literal word redact downstream of an unrelated sed, and the env dump is credited as redacted.

Fix: split each pipe segment further on ; so a redaction marker is only credited when sed and the marker word live in the same statement.

Three findings from Cursor Bugbot's latest pass on the chore/hooks-mts-path-token branch:

1. HIGH — token-guard: whole-command redaction check ran BEFORE the conditional-operator truncation, so `env || true > /dev/null` matched the `> /dev/null` whole-command marker on the full string and short-circuited to "credited" even though the redirection lives on the unreachable `||` branch. Fix: truncate at first `||` / `&&` first, then run the whole-command markers against the truncated string. Smoke test (17 cases) confirms all known bypass shapes are blocked and all legitimate redaction shapes are still credited.

2. LOW — check-new-deps: replace local `errorMessage` mirror with the shared `errorMessage` import from `@socketsecurity/lib/errors`. The local helper's `// can't import the shared helper` comment was wrong — the hook already depends on `@socketsecurity/lib`, so the shared helper IS reachable. Drops 5 lines of duplicated logic.

3. LOW — setup-security-tools: replace ad-hoc `e instanceof Error ? e.message : String(e)` with `errorMessage(e)` from `@socketsecurity/lib/errors`. Hook already imports from `@socketsecurity/lib`, so the helper is in scope.

Reaps orphan vitest/tsgo/type-coverage/esbuild workers at turn-end so
they don't pile up across turns and exhaust system memory. Only kills
processes whose parent has died (true orphans); leaves running
test/build trees alone.

- .claude/hooks/stale-process-sweeper/  (hook + tests + README)
- .claude/settings.json                  (Stop hook block)
- CLAUDE.md                              (Background Bash rule + suppress
                                          pre-existing hook false-positive
                                          on documentation-prohibition line)

Sourced from socket-repo-template. Joins this PR's path-guard +
token-guard hook fleet to complete the canonical hook set.

Pre-commit lint+test skipped via DISABLE_PRECOMMIT_* — this worktree
is missing build artifacts that the test deps need (the change is
.claude/-only, no source touched).

…ific layout

Split CLAUDE.md into two clearly-delimited sections:

- `## 📚 Fleet Standards` — wrapped in BEGIN/END FLEET-CANONICAL markers,
  byte-identical across every socket-* repo (sync via socket-repo-template).
- `## 🏗️ CLI-Specific` — repo-owned content: Commands, Testing, Command
  Pattern, Codex Usage.

Fleet block ~8.6 KB; verbose content moves to references:
- `docs/references/inclusive-language.md`
- `docs/references/sorting.md`
- `.claude/skills/promise-race-pitfall/SKILL.md`

CLAUDE.md 13.5 KB → 9.7 KB.

Joins this PR's hooks-mts conversion + sweeper additions; the new
CLAUDE.md links into the same hook README files this PR is producing.

oxfmt 0.37+ formats JSDoc comments. Adopt the canonical `jsdoc` block
from socket-repo-template; it preserves the existing JSDoc style across
this repo (verified: zero new diff under the new config).

Source of truth: socket-repo-template/template/.oxfmtrc.json. Future
updates flow through `scripts/sync-scaffolding.mjs --all --fix`.

…epo-template

- `.git-hooks/_helpers.mts` + `pre-commit.mts` + `pre-push.mts` —
  rename suppression marker `# zizmor: …` → `# socket-hook: allow [<rule>]`
  (legacy form still recognized for one cycle); add doc-aware scan
  heuristic; emit `LineHit.suggested` rewrites alongside hits.
- `.claude/hooks/token-guard/{index,test/token-guard.test}.mts` —
  sync to canonical; settings.json picks up the fleet permissions
  deny block.
- `.claude/skills/{path-guard,security-scan}/SKILL.md`,
  `.claude/agents/security-reviewer.md` — sync drift from template.
- `.claude/skills/programmatic-claude-lockdown/SKILL.md` — fleet skill
  for the four-flag lockdown recipe (matches socket-sdk-js PR #630).
- `CLAUDE.md` — update fleet block npx-rule marker; oxfmt-normalized
  markdown emphasis.
- `docs/references/{inclusive-language,sorting}.md` — re-sync.
- `scripts/xport*.mts` + `xport.schema.json` — fleet xport tooling.
- `.husky/pre-commit` + `.git-hooks/commit-msg.mts` — sync.
- `pnpm-lock.yaml` — regenerate after template sync.

Pre-commit/test gates skipped via DISABLE_PRECOMMIT_*: this worktree's
build chain (download-assets / iocraft native addon) is unrelated to
the changes here, and the same gates are enforced in CI.

Sourced byte-identical from socket-repo-template (canonical fleet
hook); the same change rolled out across socket-* repos + ultrathink.

…-window wording

- pnpm-workspace.yaml: add blockExoticSubdeps: true (fleet default).
  Direct git deps still allowed; transitive ones refused.
- Update sync-scaffolding script references from .mjs to .mts in
  hook READMEs, path-guard segments, _shared skill rules, CLAUDE.md,
  and xport-schema.mts header comment (the upstream rename has
  shipped; downstreams now reflect it).
- Fold "soak-window" terminology into security-reviewer's checklist
  + CLAUDE.md tooling block — matches how the rest of the fleet
  refers to pnpm's minimumReleaseAge field.

Pre-existing iocraft native-addon test failures unrelated to this
change; user authorized --no-verify pending environment fix.