fix(workflows): update and harden CI workflows

- Update all workflow and action SHAs to current HEAD (full 40-char format)
- Add zizmor ignore directives for intentional template expansion
- Harden actions against template injection and credential leaks
- Disable credential persistence in checkout actions
- Inline ci.yml jobs instead of calling deleted workflows
- Remove cache-build action (no longer needed)
- Simplify workflow names and titles with minimal branding
- Use packageManager from package.json instead of explicit pnpm version
- Remove unused workflow documentation files

Author: jdalton

.git-hooks/commit-msg

@@ -23,14 +23,14 @@ if [ -n "$COMMITTED_FILES" ]; then
     if [ -f "$file" ]; then
       # Check for Socket API keys (except allowed).
       if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | grep -v '\.example' | grep -q .; then
-        echo "${RED}✗ SECURITY: Potential API key detected in commit!${NC}"
-        echo "File: $file"
+        printf "${RED}✗ SECURITY: Potential API key detected in commit!${NC}\n"
+        printf "File: %s\n" "$file"
         ERRORS=$((ERRORS + 1))
       fi
 
       # Check for .env files.
       if echo "$file" | grep -qE '^\.env(\.local)?$'; then
-        echo "${RED}✗ SECURITY: .env file in commit!${NC}"
+        printf "${RED}✗ SECURITY: .env file in commit!${NC}\n"
         ERRORS=$((ERRORS + 1))
       fi
     fi
@@ -58,15 +58,15 @@ if [ -f "$COMMIT_MSG_FILE" ]; then
   # Replace the original commit message with the cleaned version.
   if [ $REMOVED_LINES -gt 0 ]; then
     mv "$TEMP_FILE" "$COMMIT_MSG_FILE"
-    echo "${GREEN}✓ Auto-stripped${NC} $REMOVED_LINES AI attribution line(s) from commit message"
+    printf "${GREEN}✓ Auto-stripped${NC} $REMOVED_LINES AI attribution line(s) from commit message\n"
   else
     # No lines were removed, just clean up the temp file.
     rm -f "$TEMP_FILE"
   fi
 fi
 
 if [ $ERRORS -gt 0 ]; then
-  echo "${RED}✗ Commit blocked by security validation${NC}"
+  printf "${RED}✗ Commit blocked by security validation${NC}\n"
   exit 1
 fi
 

.git-hooks/pre-commit

@@ -13,45 +13,45 @@ NC='\033[0m'
 # Allowed public API key (used in socket-lib).
 ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
 
-echo "${GREEN}Running Socket Security checks...${NC}"
+printf "${GREEN}Running Socket Security checks...${NC}\n"
 
 # Get list of staged files.
 STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
 
 if [ -z "$STAGED_FILES" ]; then
-  echo "${GREEN}✓ No files to check${NC}"
+  printf "${GREEN}✓ No files to check${NC}\n"
   exit 0
 fi
 
 ERRORS=0
 
 # Check for .DS_Store files.
-echo "Checking for .DS_Store files..."
+printf "Checking for .DS_Store files...\n"
 if echo "$STAGED_FILES" | grep -q '\.DS_Store'; then
-  echo "${RED}✗ ERROR: .DS_Store file detected!${NC}"
+  printf "${RED}✗ ERROR: .DS_Store file detected!${NC}\n"
   echo "$STAGED_FILES" | grep '\.DS_Store'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for log files.
-echo "Checking for log files..."
+printf "Checking for log files...\n"
 if echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'; then
-  echo "${RED}✗ ERROR: Log file detected!${NC}"
+  printf "${RED}✗ ERROR: Log file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for .env files.
-echo "Checking for .env files..."
+printf "Checking for .env files...\n"
 if echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'; then
-  echo "${RED}✗ ERROR: .env or .env.local file detected!${NC}"
+  printf "${RED}✗ ERROR: .env or .env.local file detected!${NC}\n"
   echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'
-  echo "These files should never be committed. Use .env.example instead."
+  printf "These files should never be committed. Use .env.example instead.\n"
   ERRORS=$((ERRORS + 1))
 fi
 
 # Check for hardcoded user paths (generic detection).
-echo "Checking for hardcoded personal paths..."
+printf "Checking for hardcoded personal paths...\n"
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     # Skip test files and hook scripts.
@@ -61,28 +61,28 @@ for file in $STAGED_FILES; do
 
     # Check for common user path patterns.
     if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}"
+      printf "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}\n"
       grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
-      echo "Replace with relative paths or environment variables."
+      printf "Replace with relative paths or environment variables.\n"
       ERRORS=$((ERRORS + 1))
     fi
   fi
 done
 
 # Check for Socket API keys.
-echo "Checking for API keys..."
+printf "Checking for API keys...\n"
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
-      echo "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}"
+      printf "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}\n"
       grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
-      echo "If this is a real API key, DO NOT COMMIT IT."
+      printf "If this is a real API key, DO NOT COMMIT IT.\n"
     fi
   fi
 done
 
 # Check for common secret patterns.
-echo "Checking for potential secrets..."
+printf "Checking for potential secrets...\n"
 for file in $STAGED_FILES; do
   if [ -f "$file" ]; then
     # Skip test files, example files, and hook scripts.
@@ -92,32 +92,32 @@ for file in $STAGED_FILES; do
 
     # Check for AWS keys.
     if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}"
+      printf "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}\n"
       grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for GitHub tokens.
     if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}"
+      printf "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}\n"
       grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
       ERRORS=$((ERRORS + 1))
     fi
 
     # Check for private keys.
     if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
-      echo "${RED}✗ ERROR: Private key found in: $file${NC}"
+      printf "${RED}✗ ERROR: Private key found in: $file${NC}\n"
       ERRORS=$((ERRORS + 1))
     fi
   fi
 done
 
 if [ $ERRORS -gt 0 ]; then
-  echo ""
-  echo "${RED}✗ Security check failed with $ERRORS error(s).${NC}"
-  echo "Fix the issues above and try again."
+  printf "\n"
+  printf "${RED}✗ Security check failed with $ERRORS error(s).${NC}\n"
+  printf "Fix the issues above and try again.\n"
   exit 1
 fi
 
-echo "${GREEN}✓ All security checks passed!${NC}"
+printf "${GREEN}✓ All security checks passed!${NC}\n"
 exit 0

.git-hooks/pre-push

@@ -1,6 +1,7 @@
 #!/bin/bash
 # Socket Security Pre-push Hook
-# Final security check before pushing to remote.
+# MANDATORY ENFORCEMENT LAYER - Cannot be bypassed with --no-verify.
+# Validates all commits being pushed for security issues and AI attribution.
 
 set -e
 
@@ -10,7 +11,7 @@ YELLOW='\033[1;33m'
 GREEN='\033[0;32m'
 NC='\033[0m'
 
-echo "${GREEN}Running final security validation before push...${NC}"
+printf "${GREEN}Running mandatory pre-push validation...${NC}\n"
 
 # Allowed public API key (used in socket-lib).
 ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
@@ -19,6 +20,8 @@ ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
 remote="$1"
 url="$2"
 
+TOTAL_ERRORS=0
+
 # Read stdin for refs being pushed.
 while read local_ref local_sha remote_ref remote_sha; do
   # Get the range of commits being pushed.
@@ -30,59 +33,122 @@ while read local_ref local_sha remote_ref remote_sha; do
     range="$remote_sha..$local_sha"
   fi
 
-  # Get all files changed in these commits.
-  CHANGED_FILES=$(git diff --name-only "$range" 2>/dev/null || echo "")
+  ERRORS=0
 
-  if [ -z "$CHANGED_FILES" ]; then
-    continue
-  fi
+  # ============================================================================
+  # CHECK 1: Scan commit messages for AI attribution
+  # ============================================================================
+  printf "Checking commit messages for AI attribution...\n"
 
-  ERRORS=0
+  # Check each commit in the range for AI patterns.
+  while IFS= read -r commit_sha; do
+    full_msg=$(git log -1 --format='%B' "$commit_sha")
 
-  # Check for sensitive files.
-  if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
-    echo "${RED}✗ BLOCKED: Attempting to push .env file!${NC}"
-    echo "Files: $(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
-    ERRORS=$((ERRORS + 1))
-  fi
+    if echo "$full_msg" | grep -qiE "(Generated with.*(Claude|AI)|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|@anthropic\.com|Assistant:|Generated by Claude|Machine generated)"; then
+      if [ $ERRORS -eq 0 ]; then
+        printf "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}\n"
+        printf "Commits with AI attribution:\n"
+      fi
+      printf "  - %s\n" "$(git log -1 --oneline "$commit_sha")"
+      ERRORS=$((ERRORS + 1))
+    fi
+  done < <(git rev-list "$range")
 
-  # Check for .DS_Store.
-  if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
-    echo "${YELLOW}⚠ WARNING: .DS_Store file in push${NC}"
-    echo "Files: $(echo "$CHANGED_FILES" | grep '\.DS_Store')"
+  if [ $ERRORS -gt 0 ]; then
+    printf "\n"
+    printf "These commits were likely created with --no-verify, bypassing the\n"
+    printf "commit-msg hook that strips AI attribution.\n"
+    printf "\n"
+    printf "To fix:\n"
+    printf "  git rebase -i %s\n" "$remote_sha"
+    printf "  Mark commits as 'reword', remove AI attribution, save\n"
+    printf "  git push\n"
   fi
 
-  # Sample files for API keys (only check files that exist).
-  for file in $CHANGED_FILES; do
-    if [ -f "$file" ] && [ ! -d "$file" ]; then
-      # Skip test files.
-      if echo "$file" | grep -qE '\.(test|spec)\.|/test/|/tests/|fixtures/|\.example$'; then
-        continue
-      fi
+  # ============================================================================
+  # CHECK 2: File content security checks
+  # ============================================================================
+  printf "Checking files for security issues...\n"
 
-      # Check for Socket API keys.
-      if grep -E 'sktsec_[a-zA-Z0-9_-]{40,}' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
-        echo "${RED}✗ BLOCKED: Real API key detected in push!${NC}"
-        echo "File: $file"
-        echo "Line(s):"
-        grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
-        ERRORS=$((ERRORS + 1))
-      fi
+  # Get all files changed in these commits.
+  CHANGED_FILES=$(git diff --name-only "$range" 2>/dev/null || echo "")
+
+  if [ -n "$CHANGED_FILES" ]; then
+    # Check for sensitive files.
+    if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
+      printf "${RED}✗ BLOCKED: Attempting to push .env file!${NC}\n"
+      printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
+      ERRORS=$((ERRORS + 1))
     fi
-  done
 
-  if [ $ERRORS -gt 0 ]; then
-    echo ""
-    echo "${RED}✗ Push blocked by security validation!${NC}"
-    echo "Remove sensitive data from your commits before pushing."
-    echo ""
-    echo "To fix:"
-    echo "  1. Remove sensitive data from files"
-    echo "  2. Amend or rebase your commits"
-    echo "  3. Push again"
-    exit 1
+    # Check for .DS_Store.
+    if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
+      printf "${RED}✗ BLOCKED: .DS_Store file in push!${NC}\n"
+      printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep '\.DS_Store')"
+      ERRORS=$((ERRORS + 1))
+    fi
+
+    # Check for log files.
+    if echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log' | grep -q .; then
+      printf "${RED}✗ BLOCKED: Log file in push!${NC}\n"
+      printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log')"
+      ERRORS=$((ERRORS + 1))
+    fi
+
+    # Check file contents for secrets.
+    for file in $CHANGED_FILES; do
+      if [ -f "$file" ] && [ ! -d "$file" ]; then
+        # Skip test files, example files, and hook scripts.
+        if echo "$file" | grep -qE '\.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then
+          continue
+        fi
+
+        # Check for hardcoded user paths.
+        if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
+          printf "${RED}✗ BLOCKED: Hardcoded personal path found in: $file${NC}\n"
+          grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
+          ERRORS=$((ERRORS + 1))
+        fi
+
+        # Check for Socket API keys.
+        if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
+          printf "${RED}✗ BLOCKED: Real API key detected in: $file${NC}\n"
+          grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
+          ERRORS=$((ERRORS + 1))
+        fi
+
+        # Check for AWS keys.
+        if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
+          printf "${RED}✗ BLOCKED: Potential AWS credentials found in: $file${NC}\n"
+          grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
+          ERRORS=$((ERRORS + 1))
+        fi
+
+        # Check for GitHub tokens.
+        if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
+          printf "${RED}✗ BLOCKED: Potential GitHub token found in: $file${NC}\n"
+          grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
+          ERRORS=$((ERRORS + 1))
+        fi
+
+        # Check for private keys.
+        if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
+          printf "${RED}✗ BLOCKED: Private key found in: $file${NC}\n"
+          ERRORS=$((ERRORS + 1))
+        fi
+      fi
+    done
   fi
+
+  TOTAL_ERRORS=$((TOTAL_ERRORS + ERRORS))
 done
 
-echo "${GREEN}✓ Security validation passed!${NC}"
+if [ $TOTAL_ERRORS -gt 0 ]; then
+  printf "\n"
+  printf "${RED}✗ Push blocked by mandatory validation!${NC}\n"
+  printf "Fix the issues above before pushing.\n"
+  exit 1
+fi
+
+printf "${GREEN}✓ All mandatory validation passed!${NC}\n"
 exit 0