chore: sync to socket-repo-template@899813d

- Adopt canonical scripts/security.mts (cross-platform which + async
  spawn replaces inline agentshield+zizmor one-liner)
- Update scripts/update.mts + .config/taze.config.mts to template
- package.json: scripts.security delegates to wrapper

Verified: 0 findings against template.

Author: jdalton

.config/taze.config.mts

@@ -1,31 +1,40 @@
-/**
- * @fileoverview Taze dependency-update configuration for socket-lib.
- */
-
 import { defineConfig } from 'taze'
 
-const tazeConfig = defineConfig({
-  // Exclude these packages.
-  exclude: [
-    'debug',
-    'eslint-plugin-unicorn',
-    'make-fetch-happen',
-    'minimatch',
-    'normalize-package-data',
-  ],
+/* Socket-owned scopes bypass the 7-day maturity cooldown.
+ *
+ * The cooldown (maturityPeriod: 7) exists to catch compromised
+ * upstream packages before we adopt them — but Socket-published
+ * packages go through our own provenance + publish pipeline, so
+ * we trust them to ship fresh.
+ *
+ * The scopes listed here are EXCLUDED from pass 1 (the
+ * cooldown-respecting pass) and INCLUDED in pass 2 (the
+ * immediate-bump pass). Keep this list in sync with
+ * scripts/update.mts if the repo ships one, or with whatever
+ * second-pass mechanism the consuming repo's update script
+ * uses.
+ */
+const SOCKET_SCOPES = [
+  '@socketregistry/*',
+  '@socketsecurity/*',
+  '@socketdev/*',
+  'socket-*',
+  'ecc-agentshield',
+  'sfw',
+]
+
+export default defineConfig({
   // Interactive mode disabled for automation.
   interactive: false,
-  // Silent logging.
-  loglevel: 'silent',
-  // Only update packages that have been stable for 7 days.
+  // Minimal logging.
+  loglevel: 'warn',
+  // Socket scopes handled by a second pass with maturityPeriod 0.
+  exclude: SOCKET_SCOPES,
+  // 7-day cooldown on third-party deps — matches `.npmrc`'s
+  // min-release-age setting for install-time enforcement.
   maturityPeriod: 7,
-  // Update mode: 'latest'.
+  // Bump to latest across major boundaries.
   mode: 'latest',
-  // Recursive mode to handle all package.json files.
-  recursive: true,
-  // Write to package.json automatically.
+  // Edit package.json in place.
   write: true,
 })
-
-export { tazeConfig }
-export default tazeConfig

package.json

@@ -728,7 +728,7 @@
     "format:check": "oxfmt --check .",
     "lint": "node scripts/lint.mts",
     "prim": "node tools/prim/bin/prim.mts",
-    "security": "agentshield scan && { command -v zizmor >/dev/null && zizmor .github/ || echo 'zizmor not installed — run pnpm run setup to install'; }",
+    "security": "node scripts/security.mts",
     "prepare": "husky && node scripts/build/main.mts --quiet",
     "prepublishOnly": "pnpm run build",
     "test": "node scripts/test/main.mts",

scripts/security.mts

@@ -0,0 +1,89 @@
+/**
+ * @fileoverview Canonical fleet security-scan runner.
+ *
+ * Runs the two static-analysis tools the fleet uses for local security
+ * checks before push:
+ *
+ *   1. AgentShield — scans `.claude/` config for prompt-injection,
+ *      leaked secrets, and overly-permissive tool permissions.
+ *   2. zizmor      — static analysis for `.github/workflows/*.yml`
+ *      (unpinned actions, secret exposure, template injection,
+ *      permission issues).
+ *
+ * Either tool missing prints a "run pnpm run setup" hint (which
+ * downloads + verifies the pinned binary via the setup-security-tools
+ * hook) and skips that scan rather than failing the entire run.
+ *
+ * Cross-platform: uses `which` from npm for binary discovery (handles
+ * Windows .exe/.cmd resolution) and `spawn` from
+ * `@socketsecurity/lib/spawn` for proper async lifecycle.
+ *
+ * Wired in via `package.json`:
+ *
+ *   "security": "node scripts/security.mts"
+ *
+ * Byte-identical across every fleet repo. Sync-scaffolding flags
+ * drift.
+ */
+
+import process from 'node:process'
+
+import which from 'which'
+
+import { WIN32 } from '@socketsecurity/lib/constants/platform'
+import { getDefaultLogger } from '@socketsecurity/lib/logger'
+import { spawn } from '@socketsecurity/lib/spawn'
+
+const logger = getDefaultLogger()
+
+async function hasExecutable(name: string): Promise<boolean> {
+  try {
+    await which(name)
+    return true
+  } catch {
+    return false
+  }
+}
+
+async function runTool(command: string, args: string[]): Promise<number> {
+  try {
+    const result = await spawn(command, args, {
+      stdio: 'inherit',
+      shell: WIN32,
+    })
+    return result.code ?? 1
+  } catch (e) {
+    if (e && typeof e === 'object' && 'code' in e) {
+      const code = (e as { code: unknown }).code
+      return typeof code === 'number' ? code : 1
+    }
+    throw e
+  }
+}
+
+async function main(): Promise<void> {
+  if (!(await hasExecutable('agentshield'))) {
+    logger.info('agentshield not installed; run "pnpm run setup" to install')
+  } else {
+    const agentshieldCode = await runTool('agentshield', ['scan'])
+    if (agentshieldCode !== 0) {
+      process.exitCode = agentshieldCode
+      return
+    }
+  }
+
+  if (!(await hasExecutable('zizmor'))) {
+    logger.info('zizmor not installed; run "pnpm run setup" to install')
+    return
+  }
+
+  const zizmorCode = await runTool('zizmor', ['.github/'])
+  if (zizmorCode !== 0) {
+    process.exitCode = zizmorCode
+  }
+}
+
+main().catch((e: unknown) => {
+  logger.error(e)
+  process.exitCode = 1
+})

scripts/update.mts

@@ -1,109 +1,72 @@
 /**
- * @fileoverview Monorepo-aware dependency update script.
- * Uses taze to update dependencies across all packages in the monorepo.
+ * Update: two-pass taze to apply the fleet's maturity policy
+ * correctly.
  *
- * Usage:
- *   node scripts/update.mts [options]
+ *   Pass 1: default config (.config/taze.config.mts) —
+ *     non-Socket deps respect maturityPeriod: 7.
  *
- * Options:
- *   --quiet    Suppress progress output
- *   --verbose  Show detailed output
+ *   Pass 2: CLI-flag override — Socket-owned scopes only,
+ *     maturityPeriod: 0. taze's config auto-discovery is
+ *     path-based and doesn't support a --config override, so
+ *     the second pass uses `--include <scopes> --maturity-
+ *     period 0` flags instead of a second config file.
+ *
+ *   Pass 3: pnpm install to refresh the lockfile against the
+ *     updated package.json.
+ *
+ * SOCKET_SCOPES below MUST match the `exclude` list in
+ * .config/taze.config.mts — drift causes double-bumps or
+ * misses.
+ *
+ * This is a reference script. Consuming repos can drop it into
+ * their own scripts/ dir and wire it in via a `"update": "node
+ * scripts/update.mts"` package.json entry.
  */
+import { spawn } from '@socketsecurity/lib/spawn'
 
-import process from 'node:process'
-
-import { isQuiet, isVerbose } from '@socketsecurity/lib-stable/argv/flags'
-import { WIN32 } from '@socketsecurity/lib-stable/constants/platform'
-import { getDefaultLogger } from '@socketsecurity/lib-stable/logger'
-import { spawn } from '@socketsecurity/lib-stable/spawn'
-
-async function main(): Promise<void> {
-  const quiet = isQuiet()
-  const verbose = isVerbose()
-  const logger = getDefaultLogger()
-
+async function run(cmd: string, args: string[]): Promise<boolean> {
   try {
-    if (!quiet) {
-      logger.log('\n🔨 Dependency Update\n')
-    }
-
-    // Build taze command with appropriate flags for monorepo
-    const tazeArgs = ['exec', 'taze', '-r', '-w']
-
-    if (!quiet) {
-      logger.progress('Updating dependencies...')
-    }
-
-    // Run taze at root level (recursive flag will check all packages).
-    const result = await spawn('pnpm', tazeArgs, {
-      shell: WIN32,
-      stdio: quiet ? 'pipe' : 'inherit',
-    })
-
-    // Clear progress line.
-    if (!quiet) {
-      process.stdout.write('\r\x1b[K')
-    }
-
-    // Update Socket packages — bypass minimum-release-age since these are
-    // our own packages and we trust them immediately.
-    if (!quiet) {
-      logger.progress('Updating Socket packages...')
-    }
-
-    const socketResult = await spawn(
-      'pnpm',
-      [
-        'update',
-        '@socketsecurity/*',
-        '@socketregistry/*',
-        '@socketbin/*',
-        '--latest',
-        '-r',
-      ],
-      {
-        env: { ...process.env, npm_config_minimum_release_age: '0' },
-        shell: WIN32,
-        stdio: quiet ? 'pipe' : 'inherit',
-      },
-    )
+    await spawn(cmd, args, { stdio: 'inherit' })
+    return true
+  } catch (e) {
+    process.exitCode = (e as { code?: number }).code ?? 1
+    return false
+  }
+}
 
-    if (!quiet) {
-      process.stdout.write('\r\x1b[K')
-    }
+/* Socket-owned scopes — keep in lockstep with the exclude list
+ * in .config/taze.config.mts. */
+const SOCKET_SCOPES = [
+  '@socketregistry/*',
+  '@socketsecurity/*',
+  '@socketdev/*',
+  'socket-*',
+  'ecc-agentshield',
+  'sfw',
+]
 
-    if (socketResult.code !== 0) {
-      if (!quiet) {
-        logger.fail('Failed to update Socket packages')
-      }
-      process.exitCode = 1
-      return
-    }
+const steps: Array<[string, string[]]> = [
+  /* Pass 1 — third-party deps, respects the 7-day cooldown. */
+  ['pnpm', ['exec', 'taze']],
+  /* Pass 2 — Socket deps, no cooldown. --include is comma-separated. */
+  [
+    'pnpm',
+    [
+      'exec',
+      'taze',
+      '--include',
+      SOCKET_SCOPES.join(','),
+      '--maturity-period',
+      '0',
+      '--write',
+    ],
+  ],
+  /* Pass 3 — resync lockfile against the updated package.json. */
+  ['pnpm', ['install']],
+]
 
-    if (result.code !== 0) {
-      if (!quiet) {
-        logger.fail('Failed to update dependencies')
-      }
-      process.exitCode = 1
-    } else {
-      if (!quiet) {
-        logger.success('Dependencies updated')
-        logger.log('')
-      }
-    }
-  } catch (e) {
-    if (!quiet) {
-      logger.fail(`Update failed: ${e.message}`)
-    }
-    if (verbose) {
-      logger.error(e)
-    }
-    process.exitCode = 1
+for (const [cmd, args] of steps) {
+  if (!(await run(cmd, args))) {
+    break
   }
 }
-
-main().catch((e: unknown) => {
-  const logger = getDefaultLogger()
-  logger.error(e)
-  process.exitCode = 1
-})