chore: sync hooks and skills from socket-repo-template

Author: jdalton

.claude/skills/_shared/security-tools.md

@@ -11,7 +11,7 @@ No install step needed — available after `pnpm install`.
 ## Zizmor
 
 Not an npm package. Installed via `pnpm run setup` which downloads the pinned version
-from GitHub releases with SHA256 checksum verification (see `bundle-tools.json`).
+from GitHub releases with SHA256 checksum verification (see `external-tools.json`).
 
 The binary is cached at `.cache/external-tools/zizmor/{version}-{platform}/zizmor`.
 

.claude/skills/security-scan/SKILL.md

@@ -1,19 +1,13 @@
 ---
 name: security-scan
 description: Runs a multi-tool security scan — AgentShield for Claude config, zizmor for GitHub Actions, and optionally Socket CLI for dependency scanning. Produces an A-F graded security report.
+user-invocable: true
 ---
 
 # Security Scan
 
 Multi-tool security scanning pipeline for the repository.
 
-## Related: check-new-deps Hook
-
-This repo includes a pre-tool hook (`.claude/hooks/check-new-deps/`) that automatically
-checks new dependencies against Socket.dev's malware API before Claude adds them.
-The hook runs on every Edit/Write to manifest files — see its README for details.
-This skill covers broader security scanning; the hook provides real-time dependency protection.
-
 ## When to Use
 
 - After modifying `.claude/` config, settings, hooks, or agent definitions

.git-hooks/commit-msg

@@ -23,14 +23,14 @@ if [ -n "$COMMITTED_FILES" ]; then
     if [ -f "$file" ]; then
       # Check for Socket API keys (except allowed).
       if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | grep -v '\.example' | grep -q .; then
-        echo "${RED}✗ SECURITY: Potential API key detected in commit!${NC}"
+        printf "${RED}✗ SECURITY: Potential API key detected in commit!${NC}\n"
         printf "File: %s\n" "$file"
         ERRORS=$((ERRORS + 1))
       fi
 
       # Check for .env files.
       if echo "$file" | grep -qE '^\.env(\.local)?$'; then
-        echo "${RED}✗ SECURITY: .env file in commit!${NC}"
+        printf "${RED}✗ SECURITY: .env file in commit!${NC}\n"
         ERRORS=$((ERRORS + 1))
       fi
     fi
@@ -41,7 +41,12 @@ fi
 COMMIT_MSG_FILE="$1"
 if [ -f "$COMMIT_MSG_FILE" ]; then
   # Create a temporary file to store the cleaned message.
-  TEMP_FILE=$(mktemp)
+  TEMP_FILE=$(mktemp) || {
+    printf "${RED}✗ Failed to create temporary file${NC}\n" >&2
+    exit 1
+  }
+  # Ensure cleanup on exit
+  trap 'rm -f "$TEMP_FILE"' EXIT
   REMOVED_LINES=0
 
   # Read the commit message line by line and filter out AI attribution.
@@ -58,15 +63,15 @@ if [ -f "$COMMIT_MSG_FILE" ]; then
   # Replace the original commit message with the cleaned version.
   if [ $REMOVED_LINES -gt 0 ]; then
     mv "$TEMP_FILE" "$COMMIT_MSG_FILE"
-    echo "${GREEN}✓ Auto-stripped${NC} $REMOVED_LINES AI attribution line(s) from commit message"
+    printf "${GREEN}✓ Auto-stripped${NC} $REMOVED_LINES AI attribution line(s) from commit message\n"
   else
     # No lines were removed, just clean up the temp file.
     rm -f "$TEMP_FILE"
   fi
 fi
 
 if [ $ERRORS -gt 0 ]; then
-  echo "${RED}✗ Commit blocked by security validation${NC}"
+  printf "${RED}✗ Commit blocked by security validation${NC}\n"
   exit 1
 fi
 

.husky/commit-msg

@@ -1,2 +1,7 @@
 # Run commit message validation and auto-strip AI attribution.
-.git-hooks/commit-msg "$1"
+if [ -x ".git-hooks/commit-msg" ]; then
+  .git-hooks/commit-msg "$1"
+else
+  printf "\033[0;31m✗ Error: .git-hooks/commit-msg not found or not executable\033[0m\n" >&2
+  exit 1
+fi