Merge branch 'main' into barslev/add-option-reach-use-unreachable-from-precomputation

Author: jdalton

.git-hooks/pre-push

@@ -1,6 +1,7 @@
 #!/bin/bash
 # Socket Security Pre-push Hook
-# Final security check before pushing to remote.
+# MANDATORY ENFORCEMENT LAYER - Cannot be bypassed with --no-verify.
+# Validates all commits being pushed for security issues and AI attribution.
 
 set -e
 
@@ -10,7 +11,7 @@ YELLOW='\033[1;33m'
 GREEN='\033[0;32m'
 NC='\033[0m'
 
-echo "${GREEN}Running final security validation before push...${NC}"
+echo "${GREEN}Running mandatory pre-push validation...${NC}"
 
 # Allowed public API key (used in socket-lib).
 ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
@@ -19,6 +20,8 @@ ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
 remote="$1"
 url="$2"
 
+TOTAL_ERRORS=0
+
 # Read stdin for refs being pushed.
 while read local_ref local_sha remote_ref remote_sha; do
   # Get the range of commits being pushed.
@@ -30,59 +33,122 @@ while read local_ref local_sha remote_ref remote_sha; do
     range="$remote_sha..$local_sha"
   fi
 
-  # Get all files changed in these commits.
-  CHANGED_FILES=$(git diff --name-only "$range" 2>/dev/null || echo "")
-
-  if [ -z "$CHANGED_FILES" ]; then
-    continue
-  fi
-
   ERRORS=0
 
-  # Check for sensitive files.
-  if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
-    echo "${RED}✗ BLOCKED: Attempting to push .env file!${NC}"
-    echo "Files: $(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
-    ERRORS=$((ERRORS + 1))
-  fi
+  # ============================================================================
+  # CHECK 1: Scan commit messages for AI attribution
+  # ============================================================================
+  echo "Checking commit messages for AI attribution..."
 
-  # Check for .DS_Store.
-  if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
-    echo "${YELLOW}⚠ WARNING: .DS_Store file in push${NC}"
-    echo "Files: $(echo "$CHANGED_FILES" | grep '\.DS_Store')"
-  fi
+  # Check each commit in the range for AI patterns.
+  while IFS= read -r commit_sha; do
+    full_msg=$(git log -1 --format='%B' "$commit_sha")
 
-  # Sample files for API keys (only check files that exist).
-  for file in $CHANGED_FILES; do
-    if [ -f "$file" ] && [ ! -d "$file" ]; then
-      # Skip test files.
-      if echo "$file" | grep -qE '\.(test|spec)\.|/test/|/tests/|fixtures/|\.example$'; then
-        continue
-      fi
-
-      # Check for Socket API keys.
-      if grep -E 'sktsec_[a-zA-Z0-9_-]{40,}' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
-        echo "${RED}✗ BLOCKED: Real API key detected in push!${NC}"
-        echo "File: $file"
-        echo "Line(s):"
-        grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
-        ERRORS=$((ERRORS + 1))
+    if echo "$full_msg" | grep -qiE "(Generated with|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|Claude Code|@anthropic|Assistant:|Generated by Claude|Machine generated)"; then
+      if [ $ERRORS -eq 0 ]; then
+        echo "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}"
+        echo "Commits with AI attribution:"
       fi
+      echo "  - $(git log -1 --oneline "$commit_sha")"
+      ERRORS=$((ERRORS + 1))
     fi
-  done
+  done < <(git rev-list "$range")
 
   if [ $ERRORS -gt 0 ]; then
     echo ""
-    echo "${RED}✗ Push blocked by security validation!${NC}"
-    echo "Remove sensitive data from your commits before pushing."
+    echo "These commits were likely created with --no-verify, bypassing the"
+    echo "commit-msg hook that strips AI attribution."
     echo ""
     echo "To fix:"
-    echo "  1. Remove sensitive data from files"
-    echo "  2. Amend or rebase your commits"
-    echo "  3. Push again"
-    exit 1
+    echo "  git rebase -i $remote_sha"
+    echo "  Mark commits as 'reword', remove AI attribution, save"
+    echo "  git push"
+  fi
+
+  # ============================================================================
+  # CHECK 2: File content security checks
+  # ============================================================================
+  echo "Checking files for security issues..."
+
+  # Get all files changed in these commits.
+  CHANGED_FILES=$(git diff --name-only "$range" 2>/dev/null || echo "")
+
+  if [ -n "$CHANGED_FILES" ]; then
+    # Check for sensitive files.
+    if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
+      echo "${RED}✗ BLOCKED: Attempting to push .env file!${NC}"
+      echo "Files: $(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
+      ERRORS=$((ERRORS + 1))
+    fi
+
+    # Check for .DS_Store.
+    if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
+      echo "${RED}✗ BLOCKED: .DS_Store file in push!${NC}"
+      echo "Files: $(echo "$CHANGED_FILES" | grep '\.DS_Store')"
+      ERRORS=$((ERRORS + 1))
+    fi
+
+    # Check for log files.
+    if echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log' | grep -q .; then
+      echo "${RED}✗ BLOCKED: Log file in push!${NC}"
+      echo "Files: $(echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log')"
+      ERRORS=$((ERRORS + 1))
+    fi
+
+    # Check file contents for secrets.
+    for file in $CHANGED_FILES; do
+      if [ -f "$file" ] && [ ! -d "$file" ]; then
+        # Skip test files, example files, and hook scripts.
+        if echo "$file" | grep -qE '\.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then
+          continue
+        fi
+
+        # Check for hardcoded user paths.
+        if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
+          echo "${RED}✗ BLOCKED: Hardcoded personal path found in: $file${NC}"
+          grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
+          ERRORS=$((ERRORS + 1))
+        fi
+
+        # Check for Socket API keys.
+        if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
+          echo "${RED}✗ BLOCKED: Real API key detected in: $file${NC}"
+          grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
+          ERRORS=$((ERRORS + 1))
+        fi
+
+        # Check for AWS keys.
+        if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
+          echo "${RED}✗ BLOCKED: Potential AWS credentials found in: $file${NC}"
+          grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
+          ERRORS=$((ERRORS + 1))
+        fi
+
+        # Check for GitHub tokens.
+        if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
+          echo "${RED}✗ BLOCKED: Potential GitHub token found in: $file${NC}"
+          grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
+          ERRORS=$((ERRORS + 1))
+        fi
+
+        # Check for private keys.
+        if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
+          echo "${RED}✗ BLOCKED: Private key found in: $file${NC}"
+          ERRORS=$((ERRORS + 1))
+        fi
+      fi
+    done
   fi
+
+  TOTAL_ERRORS=$((TOTAL_ERRORS + ERRORS))
 done
 
-echo "${GREEN}✓ Security validation passed!${NC}"
+if [ $TOTAL_ERRORS -gt 0 ]; then
+  echo ""
+  echo "${RED}✗ Push blocked by mandatory validation!${NC}"
+  echo "Fix the issues above before pushing."
+  exit 1
+fi
+
+echo "${GREEN}✓ All mandatory validation passed!${NC}"
 exit 0

.gitignore

@@ -60,6 +60,10 @@ packages/*/.onnx-source
 packages/*/.minilm-source
 **/html
 
+# Ignore WASM and Rust build artifacts
+**/wasm-bundle
+**/target
+
 # Workspace ignores
 packages/cli/CHANGELOG.md
 packages/cli/LICENSE

.husky/commit-msg

@@ -0,0 +1,2 @@
+# Run commit message validation and auto-strip AI attribution.
+.git-hooks/commit-msg "$1"

.husky/pre-commit

@@ -1,5 +1,5 @@
-# Run security checks first.
-.husky/security-checks.sh
+# Optional checks - can be bypassed with --no-verify for fast local commits.
+# Mandatory security checks run in pre-push hook.
 
 if [ -z "${DISABLE_PRECOMMIT_LINT}" ]; then
   pnpm lint --staged

.husky/pre-push

@@ -0,0 +1,2 @@
+# Run pre-push security validation.
+.git-hooks/pre-push "$@"

package.json

@@ -35,15 +35,15 @@
     "@socketregistry/packageurl-js": "catalog:",
     "@socketregistry/yocto-spinner": "1.0.24",
     "@socketsecurity/config": "3.0.1",
-    "@socketsecurity/lib": "3.1.3",
-    "@socketsecurity/registry": "2.0.1",
-    "@socketsecurity/sdk": "3.0.30",
+    "@socketsecurity/lib": "catalog:",
+    "@socketsecurity/registry": "catalog:",
+    "@socketsecurity/sdk": "catalog:",
     "@types/cmd-shim": "5.0.2",
     "@types/ink": "2.0.3",
     "@types/js-yaml": "4.0.9",
     "@types/micromatch": "4.0.9",
     "@types/mock-fs": "4.13.4",
-    "@types/node": "24.9.2",
+    "@types/node": "catalog:",
     "@types/npm-package-arg": "6.1.4",
     "@types/npmcli__arborist": "6.3.1",
     "@types/npmcli__config": "6.0.3",
@@ -60,7 +60,7 @@
     "cmd-shim": "7.0.0",
     "del-cli": "6.0.0",
     "dev-null-cli": "2.0.0",
-    "esbuild": "0.25.11",
+    "esbuild": "catalog:",
     "eslint": "9.35.0",
     "eslint-import-resolver-typescript": "4.4.4",
     "eslint-plugin-import-x": "4.16.1",
@@ -90,7 +90,7 @@
     "react-reconciler": "0.33.0",
     "registry-auth-token": "5.1.0",
     "registry-url": "7.2.0",
-    "semver": "7.7.2",
+    "semver": "catalog:",
     "ssri": "12.0.0",
     "synp": "1.9.14",
     "taze": "19.6.0",
@@ -131,7 +131,7 @@
       "isarray": "npm:@socketregistry/isarray@^1.0.8",
       "lodash": "4.17.21",
       "npm-package-arg": "13.0.0",
-      "packageurl-js": "npm:@socketregistry/packageurl-js@^1.3.2",
+      "packageurl-js": "npm:@socketregistry/packageurl-js@^1.3.5",
       "path-parse": "npm:@socketregistry/path-parse@^1.0.8",
       "safe-buffer": "npm:@socketregistry/safe-buffer@^1.0.9",
       "safer-buffer": "npm:@socketregistry/safer-buffer@^1.0.10",

packages/bootstrap/dist/bootstrap-npm.js

@@ -22,7 +22,7 @@
     "@babel/types": "^7.28.5",
     "@socketsecurity/build-infra": "workspace:*",
     "@socketsecurity/cli": "workspace:*",
-    "@socketsecurity/lib": "2.10.4",
+    "@socketsecurity/lib": "catalog:",
     "del-cli": "catalog:",
     "esbuild": "catalog:",
     "magic-string": "catalog:",

packages/bootstrap/dist/bootstrap-smol.js

@@ -5,45 +5,46 @@
  */
 
 import loggerPkg from '@socketsecurity/lib/logger'
-const { getDefaultLogger } = loggerPkg
+
+const logger = loggerPkg.getDefaultLogger()
 
 /**
  * Print header.
  */
 export function printHeader(message) {
-  getDefaultLogger().step(message)
+  logger.step(message)
 }
 
 /**
  * Print step.
  */
 export function printStep(message) {
-  getDefaultLogger().substep(message)
+  logger.substep(message)
 }
 
 /**
  * Print substep.
  */
 export function printSubstep(message) {
-  getDefaultLogger().info(`  ${message}`)
+  logger.info(`  ${message}`)
 }
 
 /**
  * Print success message.
  */
 export function printSuccess(message) {
-  getDefaultLogger().success(message)
+  logger.success(message)
 }
 
 /**
  * Print error message.
  */
 export function printError(message, error = null) {
-  getDefaultLogger().error(message)
+  logger.error(message)
   if (error) {
-    getDefaultLogger().error(error.message)
+    logger.error(error.message)
     if (error.stack) {
-      getDefaultLogger().error(error.stack)
+      logger.error(error.stack)
     }
   }
 }
@@ -52,5 +53,5 @@ export function printError(message, error = null) {
  * Print warning message.
  */
 export function printWarning(message) {
-  getDefaultLogger().warn(message)
+  logger.warn(message)
 }