chore: add security scanning and enforce no-npx rule #177

Open
jdalton wants to merge 7 commits into main from chore/security-guardrails

Conversation

jdalton (Collaborator) commented Apr 5, 2026

Summary

  • Add ecc-agentshield (1.4.0) as pinned devDep for Claude Code config scanning
  • Add pnpm run security script — runs agentshield (Grade A, 97/100) + zizmor (0 findings)
  • Add /security-scan command for Claude
  • Add npx/pnpm-dlx/yarn-dlx detection to .git-hooks/pre-commit (blocks commits with npx usage)
  • Add NEVER use npx/dlx to CLAUDE.md ABSOLUTE RULES
  • Remove dead .husky/security-checks.sh (was exact duplicate of .git-hooks/pre-commit)

Test plan

  • pnpm run security runs both agentshield and zizmor
  • pnpm run fix --all clean
  • pnpm run check --all clean
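One way to implement the npx/dlx pre-commit check listed in the summary, written here as an added illustration rather than the PR's own .git-hooks/pre-commit. It scans the staged files for `npx`, `pnpm dlx` and `yarn dlx` invocations, which resolve and execute a package at run time outside the pinned lockfile, and refuses the commit if any are found. The exemption list (CLAUDE.md, which states the rule, and the hook file itself), the rule that comment lines are ignored, the function names and the sample files are all assumptions for the example:

```shell
#!/bin/sh
# Illustrative pre-commit guard (added example, not the PR's .git-hooks/pre-commit).
# Blocks commits that introduce `npx`, `pnpm dlx` or `yarn dlx`: each of these
# resolves and executes a package at run time, outside the pinned lockfile.

# ERE for the three invocations. The leading class stops "foo-npx" or "./npx"
# from matching; the trailing class stops identifiers such as "npxFoo".
NPX_PATTERN='(^|[^A-Za-z0-9_./-])(npx|pnpm[[:space:]]+dlx|yarn[[:space:]]+dlx)([^A-Za-z0-9_-]|$)'

# check_file_for_npx FILE
# Prints every offending line as FILE:LINE:TEXT and returns 1; returns 0 when clean.
check_file_for_npx() {
  file="$1"
  # Assumed exemptions: the rules file that spells out the ban, and this hook.
  case "$file" in
    CLAUDE.md|*/CLAUDE.md|.git-hooks/pre-commit|*/.git-hooks/pre-commit) return 0 ;;
  esac
  # -I skips binaries; the second grep drops shell/JS comment lines so that an
  # explanatory note about npx does not trip the hook.
  matches=$(grep -EIn "$NPX_PATTERN" "$file" 2>/dev/null \
            | grep -Ev '^[0-9]+:[[:space:]]*(#|//)') || true
  if [ -z "$matches" ]; then
    return 0
  fi
  printf '%s\n' "$matches" | while IFS= read -r m; do
    printf '%s:%s\n' "$file" "$m"
  done
  return 1
}

# check_staged_files
# Runs the check over every added/copied/modified file in the index and returns
# 1 (which aborts the commit) if any of them contains a blocked invocation.
check_staged_files() {
  status=0
  list=$(mktemp)
  git diff --cached --name-only --diff-filter=ACM > "$list"
  while IFS= read -r f; do
    [ -f "$f" ] || continue
    check_file_for_npx "$f" || status=1
  done < "$list"
  rm -f "$list"
  if [ "$status" -ne 0 ]; then
    echo "pre-commit: npx / pnpm dlx / yarn dlx is not allowed; add a pinned devDependency and call it via pnpm run" >&2
  fi
  return "$status"
}

# Installed as .git-hooks/pre-commit this runs over the index; invoked under any
# other name it runs the constructed demo below instead.
if [ "$(basename "$0")" = "pre-commit" ]; then
  check_staged_files
  exit $?
fi

# Constructed sample files (not repository content) showing each decision.
demo=$(mktemp -d)
cat > "$demo/package.json" <<'EOF'
{
  "scripts": {
    "lint": "npx eslint .",
    "build": "pnpm run compile"
  }
}
EOF
cat > "$demo/ci.sh" <<'EOF'
#!/bin/sh
# npx is only mentioned in this comment, which is fine
pnpm   dlx some-tool
EOF
cat > "$demo/lib.js" <<'EOF'
const npxFoo = 1;
EOF
cat > "$demo/CLAUDE.md" <<'EOF'
NEVER use npx or pnpm dlx.
EOF

for f in package.json ci.sh lib.js CLAUDE.md; do
  if check_file_for_npx "$demo/$f"; then
    echo "ok       $f"
  else
    echo "blocked  $f"
  fi
done
rm -rf "$demo"
```

Run stand-alone it reports `blocked package.json` (the `npx eslint` script) and `blocked ci.sh` (the `pnpm dlx` line; the comment is skipped), while `lib.js` and `CLAUDE.md` pass. Copied to `.git-hooks/pre-commit` it only inspects the index, so an offending line that is not staged does not block an unrelated commit.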


socket-security-staging bot commented Apr 5, 2026

Warning

Review the following alerts detected in dependencies.

According to your organization's Security Policy, it is recommended to resolve "Warn" alerts. Learn more about Socket for GitHub.

Action: Warn
Severity: Medium
Alert: Deprecated by its maintainer: npm node-domexception

Reason: Use your platform's native DOMException instead

From: pnpm-lock.yaml → npm/ecc-agentshield@1.4.0 → npm/node-domexception@1.0.0


Next steps: Take a moment to review the security alert above. Review the linked package source code to understand the potential risk. Ensure the package is not malicious before proceeding. If you're unsure how to proceed, reach out to your security team or ask the Socket team for help at support@socket.dev.

Suggestion: Research the state of the package and determine if there are non-deprecated versions that can be used, or if it should be replaced with a new, supported solution.

Mark the package as acceptable risk. To ignore this alert only in this pull request, reply with the comment @SocketSecurity-Staging ignore npm/node-domexception@1.0.0. You can also ignore all packages with @SocketSecurity-Staging ignore-all. To ignore an alert for all future pull requests, use Socket's Dashboard to change the triage state of this alert.


jdalton force-pushed the chore/security-guardrails branch from cc733bf to f4611b0 on April 5, 2026 at 19:56
- Add ecc-agentshield as pinned devDep for Claude Code config scanning
- Add `pnpm run security` script (agentshield + zizmor)
- Add /security-scan command for Claude
- Add npx/dlx/yarn-dlx check to pre-commit hook
- Add NEVER npx/dlx rule to CLAUDE.md ABSOLUTE RULES
- Remove dead .husky/security-checks.sh (duplicate of .git-hooks/pre-commit)
jdalton force-pushed the chore/security-guardrails branch from f4611b0 to cb2d285 on April 5, 2026 at 20:13
Agents (reference CLAUDE.md rules, don't duplicate them):
- code-reviewer: applies code style, test style, sorting rules
- security-reviewer: applies safe file ops, secret detection, dependency rules
- refactor-cleaner: applies pre-action protocol, dead code removal, scope rules

Skills:
- ci-cascade: extracts SHA pin cascade procedure from CLAUDE.md into executable workflow

Commands:
- release-changelog: generates changelog entries following Keep a Changelog format
jdalton force-pushed the chore/security-guardrails branch from d302eb5 to 76f47bf on April 5, 2026 at 22:14
- security-reviewer: remove fabricated os.tmpdir() prohibition (CLAUDE.md
  recommends it), add fetch() prohibition from CLAUDE.md
- code-reviewer: add missing rules (undefined over null, __proto__: null,
  error handling, backward compat, spawn, loop annotations)
- ci-cascade: add missing Layer 4 (local wrappers) before external propagation
- quality-scan: fix "4 scan types" → "all scan types", fix "Task tool" → "Agent tool"
- quality-loop: remove stale architectural issue from wrong repo (socket-btm)
- Delete stale scratch scripts from .claude/ (migration scripts, update-workflow-shas)
jdalton force-pushed the chore/security-guardrails branch from 76f47bf to 111c855 on April 5, 2026 at 22:29
jdalton added 2 commits April 5, 2026 23:28
Shared subskills (_shared/):
- env-check: environment validation for all pipelines
- verify-build: pnpm fix/check/test pattern
- security-tools: zizmor + agentshield + socket CLI detection
- report-format: severity levels, A-F grading, HANDOFF protocol

New skills:
- security-scan: promoted from command to full pipeline
  (agentshield → zizmor → security-reviewer agent grading)
- release: orchestrator pipeline
  (quality gate → security gate → changelog → version bump)

Pipeline state tracking:
- .claude/ops/queue.yaml: tracks pipeline runs with phase progression

Updated commands:
- security-scan: delegates to security-scan skill
- release-changelog: delegates to release skill
- quality-loop: references refactor-cleaner agent for fixes

Architecture: 5 pipelines, 4 shared subskills, 3 agents wired in.
Follows arscontexta queue pattern and Socket Skills orchestrator pattern.
- quality-scan: reference _shared/env-check, _shared/security-tools,
  wire code-reviewer + security-reviewer agents into scan phase,
  replace <promise> with HANDOFF block, add queue tracking, fix
  constraints (not read-only), fix tool references
- updating: reference _shared/env-check + _shared/verify-build,
  add HANDOFF output, add queue tracking
- ci-cascade: reference _shared/env-check, add queue tracking,
  add HANDOFF output
- queue.yaml: fix phase_order to match actual skill phases

socket-security bot commented Apr 6, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                    Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/ecc-agentshield@1.4.0  80                     100            100      89           100


- quality-scan: add CI/gate mode to skip interactive prompts in
  Phases 3 (cleanup), 5 (scan scope), and 8 (save report)
- quality-scan: remove hardcoded AskUserQuestion tool name
- quality-loop: document as interactive-only (not for pipeline gates)

socket-security-staging bot commented Apr 6, 2026

Review the following changes in direct dependencies. Learn more about Socket for GitHub.

Diff   Package                    Supply Chain Security  Vulnerability  Quality  Maintenance  License
Added  npm/ecc-agentshield@1.4.0  80                     100            100      87           100


- quality-scan: replace missing check-consistency.mjs with pnpm run check
- quality-scan: replace fragile line-number refs with section name refs
- quality-scan/reference.md: replace stale zizmor v1.22.0 install block
  with reference to _shared/security-tools.md + external-tools.json
- security-tools.md: add zizmor PATH detection via .cache/ fallback
- release: handle missing CHANGELOG.md and missing tags gracefully