Merge remote-tracking branch 'origin/jdalton/enable-curly-rule' into chore/sync-template

jdalton · jdalton · commit c65579316e92 · 2026-04-15T16:33:06.000-04:00
diff --git a/.git-hooks/pre-push b/.git-hooks/pre-push
@@ -168,10 +168,10 @@ while read local_ref local_sha remote_ref remote_sha; do
           ERRORS=$((ERRORS + 1))
         fi
 
-        # AWS keys.
-        if echo "$file_text" | grep -iqE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})'; then
+        # AWS keys (word-boundary match to avoid false positives in base64 data).
+        if echo "$file_text" | grep -iqE '(aws_access_key|aws_secret|\bAKIA[0-9A-Z]{16}\b)'; then
           printf "${RED}✗ BLOCKED: Potential AWS credentials found in: %s${NC}\n" "$file"
-          echo "$file_text" | grep -niE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' | head -3
+          echo "$file_text" | grep -niE '(aws_access_key|aws_secret|\bAKIA[0-9A-Z]{16}\b)' | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
diff --git a/.oxlintrc.json b/.oxlintrc.json
@@ -6,7 +6,7 @@
     "suspicious": "error"
   },
   "rules": {
-    "eslint/curly": "off",
+    "eslint/curly": ["error", "all"],
     "eslint/no-await-in-loop": "off",
     "eslint/no-console": "off",
     "eslint/no-control-regex": "off",
diff --git a/package.json b/package.json
@@ -52,6 +52,7 @@
     "pretest": "pnpm run build:cli"
   },
   "devDependencies": {
+    "@typescript/native-preview": "7.0.0-dev.20260415.1",
     "@anthropic-ai/claude-code": "catalog:",
     "@babel/core": "catalog:",
     "@babel/parser": "catalog:",
diff --git a/packages/build-infra/lib/github-releases.mjs b/packages/build-infra/lib/github-releases.mjs
@@ -12,11 +12,11 @@ import { pRetry } from '@socketsecurity/lib/promises'
 
 const logger = getDefaultLogger()
 
-// Cache GitHub API responses for 1 hour to avoid rate limiting.
+// Cache GitHub API responses for 4 hours to reduce API calls and avoid rate limiting.
 const cache = createTtlCache({
   memoize: true,
   prefix: 'github-releases',
-  ttl: 60 * 60 * 1000, // 1 hour.
+  ttl: 4 * 60 * 60 * 1000, // 4 hours.
 })
 
 /**
@@ -155,8 +155,8 @@ export async function getLatestRelease(
         return null
       },
       {
-        backoffFactor: 1,
-        baseDelayMs: 5_000,
+        backoffFactor: 2,
+        baseDelayMs: 3_000,
         onRetry: (attempt, error) => {
           if (!quiet) {
             logger.info(
@@ -231,8 +231,8 @@ export async function getReleaseAssetUrl(
         return asset.browser_download_url
       },
       {
-        backoffFactor: 1,
-        baseDelayMs: 5_000,
+        backoffFactor: 2,
+        baseDelayMs: 3_000,
         onRetry: (attempt, error) => {
           if (!quiet) {
             logger.info(`  Retry attempt ${attempt + 1}/3 for asset URL...`)
diff --git a/packages/cli/package.json b/packages/cli/package.json
@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/cli",
-  "version": "0.0.0-copied-from-packages-socket",
+  "version": "0.0.0",
   "description": "CLI for Socket.dev",
   "private": true,
   "license": "MIT",
diff --git a/packages/cli/scripts/download-assets.mjs b/packages/cli/scripts/download-assets.mjs
@@ -231,6 +231,14 @@ async function downloadAssets(assetNames, parallel = true) {
  * Main entry point.
  */
 async function main() {
+  // Skip downloads entirely when SKIP_ASSET_DOWNLOAD is set.
+  // Useful for repeated local builds where assets are already cached,
+  // or when GitHub API rate limits are exhausted.
+  if (process.env.SKIP_ASSET_DOWNLOAD) {
+    logger.info('Skipping asset downloads (SKIP_ASSET_DOWNLOAD is set)')
+    return
+  }
+
   const args = process.argv.slice(2)
   const parallel = !args.includes('--no-parallel')
   const assetArgs = args.filter(arg => !arg.startsWith('--'))
diff --git a/packages/cli/scripts/sync-checksums.mjs b/packages/cli/scripts/sync-checksums.mjs
@@ -17,7 +17,12 @@
  */
 
 import { createHash } from 'node:crypto'
-import { createReadStream, existsSync, readFileSync, promises as fs } from 'node:fs'
+import {
+  createReadStream,
+  existsSync,
+  readFileSync,
+  promises as fs,
+} from 'node:fs'
 import os from 'node:os'
 import path from 'node:path'
 import { fileURLToPath } from 'node:url'
@@ -48,7 +53,9 @@ function parseChecksums(content) {
   const checksums = {}
   for (const line of content.split('\n')) {
     const trimmed = line.trim()
-    if (!trimmed) continue
+    if (!trimmed) {
+      continue
+    }
     // Format: hash  filename (two spaces or whitespace between)
     const match = trimmed.match(/^([a-f0-9]{64})\s+(.+)$/)
     if (match) {
@@ -64,7 +71,7 @@ function parseChecksums(content) {
 async function downloadFile(url, destPath) {
   const response = await fetch(url, {
     headers: {
-      'Accept': 'application/octet-stream',
+      Accept: 'application/octet-stream',
       'User-Agent': 'socket-cli-sync-checksums',
     },
     redirect: 'follow',
@@ -87,21 +94,27 @@ async function downloadFile(url, destPath) {
  * Fetch checksums for a GitHub release.
  * First tries checksums.txt, then falls back to downloading assets.
  */
-async function fetchGitHubReleaseChecksums(repo, releaseTag, existingChecksums = {}) {
+async function fetchGitHubReleaseChecksums(
+  repo,
+  releaseTag,
+  existingChecksums = {},
+) {
   const [owner, repoName] = repo.split('/')
   const apiUrl = `https://api.github.com/repos/${owner}/${repoName}/releases/tags/${releaseTag}`
 
   console.log(`  Fetching release info from ${apiUrl}...`)
 
   const response = await fetch(apiUrl, {
     headers: {
-      'Accept': 'application/vnd.github.v3+json',
+      Accept: 'application/vnd.github.v3+json',
       'User-Agent': 'socket-cli-sync-checksums',
     },
   })
 
   if (!response.ok) {
-    throw new Error(`GitHub API error: ${response.status} ${response.statusText}`)
+    throw new Error(
+      `GitHub API error: ${response.status} ${response.statusText}`,
+    )
   }
 
   const release = await response.json()
@@ -111,7 +124,9 @@ async function fetchGitHubReleaseChecksums(repo, releaseTag, existingChecksums =
   const checksumsAsset = assets.find(a => a.name === 'checksums.txt')
   if (checksumsAsset) {
     console.log(`  Found checksums.txt, downloading...`)
-    const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'socket-checksums-'))
+    const tempDir = await fs.mkdtemp(
+      path.join(os.tmpdir(), 'socket-checksums-'),
+    )
     const checksumPath = path.join(tempDir, 'checksums.txt')
 
     try {
@@ -122,7 +137,9 @@ async function fetchGitHubReleaseChecksums(repo, releaseTag, existingChecksums =
       // Clean up.
       await fs.rm(tempDir, { recursive: true })
 
-      console.log(`  Parsed ${Object.keys(checksums).length} checksums from checksums.txt`)
+      console.log(
+        `  Parsed ${Object.keys(checksums).length} checksums from checksums.txt`,
+      )
       return checksums
     } catch (error) {
       console.log(`  Failed to download checksums.txt: ${error.message}`)
@@ -139,7 +156,9 @@ async function fetchGitHubReleaseChecksums(repo, releaseTag, existingChecksums =
     return {}
   }
 
-  console.log(`  No checksums.txt found, downloading ${assetNames.length} assets to compute checksums...`)
+  console.log(
+    `  No checksums.txt found, downloading ${assetNames.length} assets to compute checksums...`,
+  )
 
   const tempDir = await fs.mkdtemp(path.join(os.tmpdir(), 'socket-checksums-'))
   const checksums = {}
@@ -192,24 +211,32 @@ async function main() {
   // Find all GitHub-released tools.
   const githubTools = Object.entries(externalTools)
     .filter(([key, value]) => {
-      if (key.startsWith('$')) return false // Skip schema keys
+      if (key.startsWith('$')) {
+        return false
+      } // Skip schema keys
       return value.release === 'asset'
     })
     .map(([key, value]) => ({ key, ...value }))
 
   if (toolFilter) {
     const filtered = githubTools.filter(t => t.key === toolFilter)
     if (filtered.length === 0) {
-      console.error(`Error: Tool '${toolFilter}' not found or is not a GitHub release tool`)
-      console.log(`Available GitHub release tools: ${githubTools.map(t => t.key).join(', ')}`)
+      console.error(
+        `Error: Tool '${toolFilter}' not found or is not a GitHub release tool`,
+      )
+      console.log(
+        `Available GitHub release tools: ${githubTools.map(t => t.key).join(', ')}`,
+      )
       process.exitCode = 1
       return
     }
     githubTools.length = 0
     githubTools.push(...filtered)
   }
 
-  console.log(`Syncing checksums for ${githubTools.length} GitHub release tool(s)...\n`)
+  console.log(
+    `Syncing checksums for ${githubTools.length} GitHub release tool(s)...\n`,
+  )
 
   let updated = 0
   let unchanged = 0
@@ -235,10 +262,13 @@ async function main() {
 
       // Check if update is needed.
       const oldChecksums = tool.checksums || {}
-      const checksumChanged = JSON.stringify(newChecksums) !== JSON.stringify(oldChecksums)
+      const checksumChanged =
+        JSON.stringify(newChecksums) !== JSON.stringify(oldChecksums)
 
       if (!force && !checksumChanged) {
-        console.log(`  Unchanged: ${Object.keys(newChecksums).length} checksums\n`)
+        console.log(
+          `  Unchanged: ${Object.keys(newChecksums).length} checksums\n`,
+        )
         unchanged++
         continue
       }
@@ -269,7 +299,9 @@ async function main() {
   }
 
   // Summary.
-  console.log(`\nSummary: ${updated} updated, ${unchanged} unchanged, ${failed} failed`)
+  console.log(
+    `\nSummary: ${updated} updated, ${unchanged} unchanged, ${failed} failed`,
+  )
 
   if (failed > 0) {
     process.exitCode = 1
diff --git a/scripts/validate-checksums.mjs b/scripts/validate-checksums.mjs
@@ -26,10 +26,7 @@ const __dirname = path.dirname(fileURLToPath(import.meta.url))
 const rootPath = path.join(__dirname, '..')
 
 // Load external tools configuration.
-const externalToolsPath = path.join(
-  rootPath,
-  'packages/cli/bundle-tools.json',
-)
+const externalToolsPath = path.join(rootPath, 'packages/cli/bundle-tools.json')
 const externalTools = JSON.parse(readFileSync(externalToolsPath, 'utf8'))
 
 /**
@@ -47,10 +44,14 @@ function validateChecksums() {
 
   // Collect all assets needed across all platforms.
   for (const [platform, tools] of Object.entries(PLATFORM_MAP_TOOLS)) {
-    if (!tools) continue
+    if (!tools) {
+      continue
+    }
 
     for (const [toolName, assetName] of Object.entries(tools)) {
-      if (!assetName) continue
+      if (!assetName) {
+        continue
+      }
 
       if (!requiredAssets.has(toolName)) {
         requiredAssets.set(toolName, new Set())
@@ -130,7 +131,9 @@ function validateChecksums() {
     logger.error(
       'All external tool assets MUST have SHA-256 checksums defined in bundle-tools.json.',
     )
-    logger.error('This is a security requirement to prevent supply chain attacks.')
+    logger.error(
+      'This is a security requirement to prevent supply chain attacks.',
+    )
     return false
   }
 

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "@socketsecurity/cli",`
`3`		`- "version": "0.0.0-copied-from-packages-socket",`
	`3`	`+ "version": "0.0.0",`
`4`	`4`	`"description": "CLI for Socket.dev",`
`5`	`5`	`"private": true,`
`6`	`6`	`"license": "MIT",`