chore: sync hooks and skills from socket-repo-template

Author: jdalton

.claude/skills/security-scan/SKILL.md

@@ -1,19 +1,13 @@
 ---
 name: security-scan
 description: Runs a multi-tool security scan — AgentShield for Claude config, zizmor for GitHub Actions, and optionally Socket CLI for dependency scanning. Produces an A-F graded security report.
+user-invocable: true
 ---
 
 # Security Scan
 
 Multi-tool security scanning pipeline for the repository.
 
-## Related: check-new-deps Hook
-
-This repo includes a pre-tool hook (`.claude/hooks/check-new-deps/`) that automatically
-checks new dependencies against Socket.dev's malware API before Claude adds them.
-The hook runs on every Edit/Write to manifest files — see its README for details.
-This skill covers broader security scanning; the hook provides real-time dependency protection.
-
 ## When to Use
 
 - After modifying `.claude/` config, settings, hooks, or agent definitions

.git-hooks/commit-msg

@@ -15,7 +15,7 @@ ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
 ERRORS=0
 
 # Get files in this commit (for security checks).
-COMMITTED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || echo "")
+COMMITTED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || printf "\n")
 
 # Quick checks for critical issues in committed files.
 if [ -n "$COMMITTED_FILES" ]; then
@@ -41,13 +41,18 @@ fi
 COMMIT_MSG_FILE="$1"
 if [ -f "$COMMIT_MSG_FILE" ]; then
   # Create a temporary file to store the cleaned message.
-  TEMP_FILE=$(mktemp)
+  TEMP_FILE=$(mktemp) || {
+    printf "${RED}✗ Failed to create temporary file${NC}\n" >&2
+    exit 1
+  }
+  # Ensure cleanup on exit
+  trap 'rm -f "$TEMP_FILE"' EXIT
   REMOVED_LINES=0
 
   # Read the commit message line by line and filter out AI attribution.
   while IFS= read -r line || [ -n "$line" ]; do
     # Check if this line contains AI attribution patterns.
-    if echo "$line" | grep -qiE "(Generated with|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|Claude Code|@anthropic\.com|Assistant:|Generated by Claude|Machine generated)" && ! echo "$line" | grep -qE "@anthropic-ai/"; then
+    if echo "$line" | grep -qiE "(Generated with|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|Claude Code|@anthropic|Assistant:|Generated by Claude|Machine generated)"; then
       REMOVED_LINES=$((REMOVED_LINES + 1))
     else
       # Line doesn't contain AI attribution, keep it.

.husky/commit-msg

@@ -1,2 +1,7 @@
 # Run commit message validation and auto-strip AI attribution.
-.git-hooks/commit-msg "$1"
+if [ -x ".git-hooks/commit-msg" ]; then
+  .git-hooks/commit-msg "$1"
+else
+  printf "\033[0;31m✗ Error: .git-hooks/commit-msg not found or not executable\033[0m\n" >&2
+  exit 1
+fi