SocketDev
diff --git a/‎CLAUDE.md‎
Lines changed: 151 additions & 25 deletions b/‎CLAUDE.md‎
Lines changed: 151 additions & 25 deletions
@@ -30,22 +30,24 @@ You are a **Principal Software Engineer** responsible for:
 ## Commands
 
 ### Development Commands
-- **Build**: `npm run build` (alias for `npm run build:dist`)
-- **Build source**: `npm run build:dist:src` or `pnpm build:dist:src`
-- **Build types**: `npm run build:dist:types`
-- **Test**: `npm run test` (runs check + all tests)
-- **Test unit only**: `npm run test:unit` or `pnpm test:unit`
-- **Lint**: `npm run check:lint` (uses eslint)
-- **Type check**: `npm run check:tsc` (uses tsgo)
-- **Check all**: `npm run check` (lint + typecheck)
-- **Fix linting**: `npm run lint:fix`
+- **Build**: `pnpm run build` (alias for `pnpm run build:dist`)
+- **Build source**: `pnpm run build:dist:src`
+- **Build types**: `pnpm run build:dist:types`
+- **Test**: `pnpm run test` (runs check + all tests)
+- **Test unit only**: `pnpm run test:unit`
+- **Lint**: `pnpm run check:lint` (uses eslint)
+- **Type check**: `pnpm run check:tsc` (uses tsgo)
+- **Check all**: `pnpm run check` (lint + typecheck)
+- **Fix linting**: `pnpm run lint:fix`
 - **Commit without tests**: `git commit --no-verify` (skips pre-commit hooks including tests)
 
 ### Cross-Platform Compatibility - CRITICAL: Windows and POSIX
 - **🚨 MANDATORY**: Tests and functionality MUST work on both POSIX (macOS/Linux) and Windows systems
 - **Path handling**: ALWAYS use `path.join()`, `path.resolve()`, `path.sep` for file paths
   - ❌ WRONG: `'/usr/local/bin/npm'` (hard-coded POSIX path)
-  - ✅ CORRECT: `path.join(path.sep, 'usr', 'local', 'bin', 'npm')` (cross-platform)
+  - ✅ CORRECT: `path.join(somePath, 'bin/npm')` (cross-platform)
+  - ✅ CORRECT: ``path.join(somePath, `bin/${binName}`)`` (cross-platform)
+  - ✅ CORRECT: `path.join(somePath, 'bin', binName)` (cross-platform)
   - ❌ WRONG: `'/project/package-lock.json'` (hard-coded forward slashes)
   - ✅ CORRECT: `path.join('project', 'package-lock.json')` (uses correct separator)
 - **Temp directories**: Use `os.tmpdir()` for temporary file paths in tests
@@ -58,41 +60,44 @@ You are a **Principal Software Engineer** responsible for:
   - Use `path.sep` when you need the separator character
   - Use `path.join()` to construct paths correctly
 - **File URLs**: Use `pathToFileURL()` and `fileURLToPath()` from `node:url` when working with file:// URLs
+  - ❌ WRONG: `path.dirname(new URL(import.meta.url).pathname)` (Windows path doubling)
+  - ✅ CORRECT: `path.dirname(fileURLToPath(import.meta.url))` (cross-platform)
 - **Line endings**: Be aware of CRLF (Windows) vs LF (Unix) differences when processing text files
 - **Shell commands**: Consider platform differences in shell commands and utilities
 
 ### Testing Best Practices - CRITICAL: NO -- FOR FILE PATHS
 - **🚨 NEVER USE `--` BEFORE TEST FILE PATHS** - This runs ALL tests, not just your specified files!
-- **Always build before testing**: Run `pnpm build:dist:src` before running tests to ensure dist files are up to date
-- **Test single file**: ✅ CORRECT: `pnpm test:unit src/commands/specific/cmd-file.test.mts`
-  - ❌ WRONG: `pnpm test:unit -- src/commands/specific/cmd-file.test.mts` (runs ALL tests!)
-- **Test multiple files**: ✅ CORRECT: `pnpm test:unit file1.test.mts file2.test.mts`
-- **Test with pattern**: ✅ CORRECT: `pnpm test:unit src/commands/specific/cmd-file.test.mts -t "pattern"`
-  - ❌ WRONG: `pnpm test:unit -- src/commands/specific/cmd-file.test.mts -t "pattern"`
+- **Always build before testing**: Run `pnpm run build:dist:src` before running tests to ensure dist files are up to date
+- **Test single file**: ✅ CORRECT: `pnpm run test:unit src/commands/specific/cmd-file.test.mts`
+  - ❌ WRONG: `pnpm run test:unit -- src/commands/specific/cmd-file.test.mts` (runs ALL tests!)
+- **Test multiple files**: ✅ CORRECT: `pnpm run test:unit file1.test.mts file2.test.mts`
+- **Test with pattern**: ✅ CORRECT: `pnpm run test:unit src/commands/specific/cmd-file.test.mts -t "pattern"`
+  - ❌ WRONG: `pnpm run test:unit -- src/commands/specific/cmd-file.test.mts -t "pattern"`
 - **Update snapshots**:
-  - All tests: `pnpm testu` (builds first, then updates all snapshots)
-  - Single file: ✅ CORRECT: `pnpm testu src/commands/specific/cmd-file.test.mts`
-  - ❌ WRONG: `pnpm testu -- src/commands/specific/cmd-file.test.mts` (updates ALL snapshots!)
-- **Update with --update flag**: `pnpm test:unit src/commands/specific/cmd-file.test.mts --update`
+  - All tests: `pnpm run testu` (builds first, then updates all snapshots)
+  - Single file: ✅ CORRECT: `pnpm run testu src/commands/specific/cmd-file.test.mts`
+  - ❌ WRONG: `pnpm run testu -- src/commands/specific/cmd-file.test.mts` (updates ALL snapshots!)
+- **Update with --update flag**: `pnpm run test:unit src/commands/specific/cmd-file.test.mts --update`
 - **Timeout for long tests**: Use `timeout` command or specify in test file
 
 #### Vitest Memory Optimization (CRITICAL)
 - **Pool configuration**: Use `pool: 'forks'` with `singleFork: true`, `maxForks: 1`, `isolate: true`
 - **Memory limits**: Set `NODE_OPTIONS="--max-old-space-size=4096 --max-semi-space-size=512"` in `.env.test`
 - **Timeout settings**: Use `testTimeout: 60000, hookTimeout: 60000` for stability
 - **Thread limits**: Use `singleThread: true, maxThreads: 1` to prevent RegExp compiler exhaustion
-- **Test cleanup**: 🚨 MANDATORY - Import and use `trash` package: `import { trash } from 'trash'` then `await trash([paths])`
+- **Test cleanup**: 🚨 MANDATORY - Use `await trash([paths])` in test scripts/utilities only. For cleanup within `/src/` test files, use `fs.rm()` with proper error handling
 
 ### Git Commit Guidelines
 - **🚨 FORBIDDEN**: NEVER add Claude co-authorship or Claude signatures to commits
 - **🚨 FORBIDDEN**: Do NOT include "Generated with Claude Code" or similar AI attribution in commit messages
 - **Commit messages**: Should be written as if by a human developer, focusing on the what and why of changes
 - **Professional commits**: Write clear, concise commit messages that describe the actual changes made
+- **Pithy messages**: Keep commit messages concise and to the point - avoid lengthy explanations
 
 ### Running the CLI locally
-- **Build and run**: `npm run build && npm exec socket` or `pnpm build && pnpm exec socket`
-- **Quick build + run**: `npm run bs` or `pnpm bs` (builds source only, then runs socket)
-- **Run without build**: `npm run s` or `pnpm s` (runs socket directly)
+- **Build and run**: `pnpm run build && pnpm exec socket`
+- **Quick build + run**: `pnpm run bs` (builds source only, then runs socket)
+- **Run without build**: `pnpm run s` (runs socket directly)
 - **Native TypeScript**: `./sd` (runs the CLI without building using Node.js native TypeScript support on Node 22+)
 
 ### Package Management
@@ -101,6 +106,9 @@ You are a **Principal Software Engineer** responsible for:
 - **Add dependency**: `pnpm add <package> --save-exact`
 - **Add dev dependency**: `pnpm add -D <package> --save-exact`
 - **Update dependencies**: `pnpm update`
+- **Script execution**: Always use `pnpm run <script>` for package.json scripts to distinguish from built-in pnpm commands
+  - ✅ CORRECT: `pnpm run build`, `pnpm run test`, `pnpm run check`
+  - ❌ AVOID: `pnpm build`, `pnpm test` (unclear if built-in or script)
 - **🚨 MANDATORY**: Always add dependencies with exact versions using `--save-exact` flag to ensure reproducible builds
 - **Dependency validation**: All dependencies MUST be pinned to exact versions without range specifiers like `^` or `~`
 - **Override behavior**: pnpm.overrides in package.json controls dependency versions across the entire project
@@ -148,6 +156,38 @@ Each command follows a consistent pattern:
 - Fixtures in `test/fixtures/`
 - Coverage reporting available
 
+#### Test Organization Best Practices
+- **Modular test files**: Split large test files by functionality (e.g., `main.test.mts` → `socket-sdk-basic.test.mts`, `socket-sdk-organization.test.mts`, etc.)
+- **Test file naming**: Use descriptive names that reflect the module being tested
+- **Test directory structure**: 🚨 MANDATORY - Standardize test directory organization across all Socket projects:
+  ```
+  test/
+  ├── unit/                   # Unit tests
+  ├── integration/           # Integration tests (if applicable)
+  ├── fixtures/              # Test fixtures and data files
+  └── utils/                 # Test utilities and helpers
+  ```
+- **Test fixtures**: Store reusable test data, mock responses, and sample files in `test/fixtures/` directory
+  - **Organization**: Group fixtures by test category or functionality
+  - **File formats**: Support JSON, text, binary files as needed for comprehensive testing
+  - **Naming**: Use descriptive names that clearly indicate the fixture's purpose
+- **Test utilities organization**: 🚨 MANDATORY - Organize test utilities in `test/utils/` directory
+  - **Directory structure**: Create `test/utils/` subdirectory for reusable test utilities
+  - **Modular utilities**: Split utilities by purpose into focused modules:
+    - `environment.mts` - Test environment setup and cleanup (nock, error handling)
+    - `fixtures.mts` - Test data configurations and mock objects
+    - `mock-helpers.mts` - Mock setup and configuration utilities
+    - `constants.mts` - Test constants and configuration values
+  - **Import paths**: Update all test file imports to reference specific utility modules
+  - **Cross-project consistency**: Apply this pattern across all Socket projects for standardization
+  - **Examples**:
+    - ✅ CORRECT: `import { setupTestEnvironment } from './utils/environment.mts'`
+    - ✅ CORRECT: `import { TEST_PACKAGE_CONFIGS } from './utils/fixtures.mts'`
+    - ❌ OLD PATTERN: `import { setupTestEnvironment } from './test-utils.mts'`
+- **Test structure**: Group tests by logical functionality, not just by class methods
+- **Shared setup**: Use common beforeEach/afterEach patterns across test files
+- **Mock management**: Clean up mocks properly to prevent test interference
+
 ### External Dependencies
 - Bundles external dependencies in `external/` directory
 - Uses Socket registry overrides for security
@@ -184,7 +224,6 @@ Each command follows a consistent pattern:
 
 ### Dependency Management
 - Uses Socket registry overrides for enhanced alternatives
-- Custom patches applied to dependencies via `custompatch`
 - Overrides specified in package.json for enhanced alternatives
 
 ## Changelog Management
@@ -241,8 +280,20 @@ Socket CLI integrates with various third-party tools and services:
 
 ### 📁 File Organization
 - **File extensions**: Use `.mts` for TypeScript module files
+- **Module headers**: 🚨 MANDATORY - All JavaScript/TypeScript modules MUST have `@fileoverview` headers
+  - **Format**: Use `/** @fileoverview Brief description of module purpose. */` at the top of each file
+  - **Placement**: Must be the very first content in the file, before imports or other code
+  - **Content**: Provide a concise, clear description of what the module does and its primary purpose
+  - **Examples**:
+    - ✅ CORRECT: `/** @fileoverview CLI command for scanning packages and generating security reports. */`
+    - ✅ CORRECT: `/** @fileoverview Configuration utilities for Socket CLI settings and preferences. */`
+    - ❌ FORBIDDEN: Missing @fileoverview header entirely
+    - ❌ FORBIDDEN: Placing @fileoverview after imports or other code
 - **Import order**: Node.js built-ins first, then third-party packages, then local imports
 - **Import grouping**: Group imports by source (Node.js, external packages, local modules)
+- **Node.js module imports**: 🚨 MANDATORY - Always use `node:` prefix for Node.js built-in modules
+  - ✅ CORRECT: `import { readFile } from 'node:fs'`, `import path from 'node:path'`
+  - ❌ FORBIDDEN: `import { readFile } from 'fs'`, `import path from 'path'`
 - **Type imports**: 🚨 ALWAYS use separate `import type` statements for TypeScript types, NEVER mix runtime imports with type imports in the same statement
   - ✅ CORRECT: `import { readPackageJson } from '@socketsecurity/registry/lib/packages'` followed by `import type { PackageJson } from '@socketsecurity/registry/lib/packages'`
   - ❌ FORBIDDEN: `import { readPackageJson, type PackageJson } from '@socketsecurity/registry/lib/packages'`
@@ -261,11 +312,14 @@ Socket CLI integrates with various third-party tools and services:
 - **Dynamic imports**: 🚨 FORBIDDEN - Never use dynamic imports (`await import()`). Always use static imports at the top of the file
 - **Sorting**: 🚨 MANDATORY - Always sort lists, exports, and items in documentation headers alphabetically/alphanumerically for consistency
 - **Comment formatting**: 🚨 MANDATORY - ALL comments MUST follow these rules:
+  - **Single-line preference**: Prefer single-line comments (`//`) over multiline comments (`/* */`) unless for method headers, module headers, or copyright notices. Use single-line comments for property descriptions, inline explanations, and general code comments.
   - **Periods required**: Every comment MUST end with a period, except ESLint disable comments and URLs which are directives/references. This includes single-line, multi-line, inline, and c8 ignore comments.
   - **Sentence structure**: Comments should be complete sentences with proper capitalization and grammar.
   - **Placement**: Place comments on their own line above the code they describe, not trailing to the right of code.
   - **Style**: Use fewer hyphens/dashes and prefer commas, colons, or semicolons for better readability.
   - **Examples**:
+    - ✅ CORRECT: `// Custom GitHub host (default: github.com).` (property description)
+    - ❌ WRONG: `/** Custom GitHub host (default: github.com). */` (multiline for simple property)
     - ✅ CORRECT: `// This function validates user input.`
     - ✅ CORRECT: `/* This is a multi-line comment that explains the complex logic below. */`
     - ✅ CORRECT: `// eslint-disable-next-line no-await-in-loop` (directive, no period)
@@ -274,6 +328,7 @@ Socket CLI integrates with various third-party tools and services:
     - ❌ WRONG: `// this validates input` (no period, not capitalized)
     - ❌ WRONG: `const x = 5 // some value` (trailing comment)
 - **Await in loops**: When using `await` inside for-loops, add `// eslint-disable-next-line no-await-in-loop` to suppress the ESLint warning when sequential processing is intentional
+- **For...of loop type annotations**: 🚨 FORBIDDEN - Never use type annotations in for...of loop variable declarations. TypeScript cannot parse `for await (const chunk: Buffer of stream)` - use `for await (const chunk of stream)` instead and let TypeScript infer the type
 - **If statement returns**: Never use single-line return if statements; always use proper block syntax with braces
 - **List formatting**: Use `-` for bullet points in text output, not `•` or other Unicode characters, for better terminal compatibility
 - **Existence checks**: Perform simple existence checks first before complex operations
@@ -287,6 +342,51 @@ Socket CLI integrates with various third-party tools and services:
 - **Node.js fs imports**: 🚨 MANDATORY pattern - `import { someSyncThing, promises as fs } from 'node:fs'`
 - **Process spawning**: 🚨 FORBIDDEN to use Node.js built-in `child_process.spawn` - MUST use `spawn` from `@socketsecurity/registry/lib/spawn`
 - **Number formatting**: 🚨 REQUIRED - Use underscore separators (e.g., `20_000`) for large numeric literals. 🚨 FORBIDDEN - Do NOT modify number values inside strings
+- **JSDoc function documentation**: 🚨 MANDATORY - Function JSDoc comments MUST follow this exact pattern:
+  - **Format**: Description only, with optional `@throws` - NO `@param` or `@returns` tags
+  - **Order**: Description paragraph, then `@throws` tag (if needed)
+  - **Closure**: End with `*/` immediately after the last JSDoc tag
+  - **Examples**:
+    - ✅ CORRECT:
+      ```javascript
+      /**
+       * Check if a string contains a trusted domain using proper URL parsing.
+       */
+      ```
+    - ✅ CORRECT (with throws):
+      ```javascript
+      /**
+       * Parse a configuration file and validate its contents.
+       * @throws {Error} When file cannot be read or parsed.
+       */
+      ```
+    - ❌ FORBIDDEN: Adding `@param` or `@returns` tags
+    - ❌ FORBIDDEN: Adding extra tags like `@author`, `@since`, `@example`, etc.
+    - ❌ FORBIDDEN: Adding empty lines between JSDoc tags
+    - ❌ FORBIDDEN: Adding extra content after the last JSDoc tag
+
+### 🏗️ Function Options Pattern (MANDATORY)
+- **🚨 REQUIRED**: ALL functions accepting options MUST follow this exact pattern:
+  ```typescript
+  function foo(a: SomeA, b: SomeB, options?: SomeOptions | undefined): FooResult {
+    const opts = { __proto__: null, ...options } as SomeOptions
+    // OR for destructuring with defaults:
+    const { someOption = 'someDefaultValue' } = { __proto__: null, ...options } as SomeOptions
+    // ... rest of function
+  }
+  ```
+- **Key requirements**:
+  - Options parameter MUST be optional with `?` and explicitly typed as `| undefined`
+  - MUST use `{ __proto__: null, ...options }` pattern to prevent prototype pollution
+  - MUST use `as SomeOptions` type assertion after spreading
+  - Use destructuring form when you need defaults for individual options
+  - Use direct assignment form when passing entire options object to other functions
+- **Examples**:
+  - ✅ CORRECT: `const opts = { __proto__: null, ...options } as SomeOptions`
+  - ✅ CORRECT: `const { timeout = 5000, retries = 3 } = { __proto__: null, ...options } as SomeOptions`
+  - ❌ FORBIDDEN: `const opts = { ...options }` (vulnerable to prototype pollution)
+  - ❌ FORBIDDEN: `const opts = options || {}` (doesn't handle null prototype)
+  - ❌ FORBIDDEN: `const opts = Object.assign({}, options)` (inconsistent pattern)
 
 ### Error Handling
 - **Input validation errors**: Use `InputError` from `src/utils/errors.mts` for user input validation failures (missing files, invalid arguments, etc.)
@@ -357,3 +457,29 @@ Socket CLI integrates with various third-party tools and services:
 - All patterns MUST follow established codebase conventions
 - Error handling MUST be robust and user-friendly
 - Performance considerations MUST be evaluated for any changes
+
+## 📋 Recurring Patterns & Instructions
+
+These are patterns and instructions that should be consistently applied across all Socket projects:
+
+### 🏗️ Mandatory Code Patterns
+1. **Options Parameter Pattern**: Use `{ __proto__: null, ...options } as SomeOptions` for all functions accepting options
+2. **Reflect.apply Pattern**: Use `const { apply: ReflectApply } = Reflect` and `ReflectApply(fn, thisArg, [])` instead of `.call()` for method invocation
+3. **Object Mappings**: Use `{ __proto__: null, ...mapping }` for static string-to-string mappings to prevent prototype pollution
+4. **Import Separation**: ALWAYS separate type imports (`import type`) from runtime imports
+5. **Node.js Imports**: ALWAYS use `node:` prefix for Node.js built-in modules
+6. **🚨 TSGO PRESERVATION**: NEVER replace tsgo with tsc - tsgo provides enhanced performance and should be maintained across all Socket projects
+
+### 🧪 Test Patterns & Cleanup
+1. **Remove Duplicate Tests**: Eliminate tests that verify the same functionality across multiple files
+2. **Centralize Test Data**: Use shared test fixtures instead of hardcoded values repeated across projects
+3. **Focus Test Scope**: Each project should test its specific functionality, not dependencies' core features
+
+### 🔄 Cross-Project Consistency
+These patterns should be enforced across all Socket repositories:
+- `socket-cli`
+- `socket-packageurl-js`
+- `socket-registry`
+- `socket-sdk-js`
+
+When working in any Socket repository, check CLAUDE.md files in other Socket projects for consistency and apply these patterns universally.