diff --git a/.claude/skills/quality-scan/SKILL.md b/.claude/skills/quality-scan/SKILL.md
index c75041421..11014b4af 100644
--- a/.claude/skills/quality-scan/SKILL.md
+++ b/.claude/skills/quality-scan/SKILL.md
@@ -1,479 +1,58 @@
---
name: quality-scan
description: >
- Iteratively scanning socket-cli for code quality issues across critical bugs, logic errors,
- caching problems, workflow issues, security vulnerabilities, and documentation gaps.
- Automatically fixes all discovered issues and commits changes until zero issues remain or
- 5 iterations complete. Use when performing comprehensive quality improvement or preparing
- for releases.
+ Runs iterative code quality scans on socket-cli, fixing all discovered issues
+ and committing changes until zero issues remain or 5 iterations complete.
---
# quality-scan
-## Task Checklist
-
-Copy this checklist to track your progress through each iteration:
-
-```markdown
-### Iteration [N] Progress Tracker
-
-- [ ] Phase 1: Validate git environment
-- [ ] Phase 2: Update dependencies
-- [ ] Phase 3: Clean repository
-- [ ] Phase 4: Validate structure
-- [ ] Phase 5: Determine scan scope
-- [ ] Phase 5b: Install external tools (zizmor)
-- [ ] Phase 6: Execute scans (critical, logic, cache, workflow, security+zizmor, documentation)
-- [ ] Phase 7: Aggregate findings
-- [ ] Phase 8: Generate report
-- [ ] Phase 9: Fix all issues
-- [ ] Phase 10: Run tests
-- [ ] Phase 11: Commit fixes
-- [ ] Decision: Continue to next iteration or exit
-
-**Issues found**: [count]
-**Issues fixed**: [count]
-**Tests status**: [pass/fail]
-```
-
-## Execution Guidelines
-
-
-**Fix comprehensively**: Address all issues regardless of complexity. Architectural problems require fixing, not deferral, because incomplete fixes leave the codebase in an inconsistent state.
-
-**Test continuously**: Run `pnpm test` after each iteration because untested fixes risk introducing regressions that compound across iterations.
-
-**Bound iterations**: Cap at 5 iterations because unbounded loops escalate costs without guaranteed convergence; manual intervention becomes necessary beyond this threshold.
-
-**Work sequentially**: Execute one phase completely before starting the next because each phase's output informs subsequent phases; parallel execution causes missing dependencies.
-
-
-
-Examine repository history to choose the appropriate commit approach:
-
-```bash
-git rev-list --count HEAD
-```
-
-- **If count = 1**: Amend the single commit to maintain clean history
-- **If count > 1**: Create new commits to preserve development timeline
-
-Rationale: Single-commit repos indicate initial setup; amending keeps history clean. Multi-commit repos represent evolution; new commits preserve that narrative.
-
-
-## Phase-by-Phase Execution
-
-### Phase 1: Validate Environment
-
-
-Run `git status` to check repository state.
-
-
-
-- Clean repository → Proceed to Phase 2
-- Dirty repository → Warn user; ask to continue or abort
-- Not a git repository → Exit with error (quality scans require version control)
-
-
-Update checklist: Mark Phase 1 complete.
-
----
-
-### Phase 2: Update Dependencies
-
-
-Run `pnpm install` to ensure current dependencies.
-
-
-Rationale: Outdated packages trigger false positives when scans expect current API signatures.
-
-Track updated packages for commit message context.
-
-Update checklist: Mark Phase 2 complete.
-
----
-
-### Phase 3: Repository Cleanup
-
-
-Find cleanup candidates using Glob tool, then ask user confirmation before deletion.
-
-
-
-1. SCREAMING_TEXT.md files outside `.claude/` and `docs/` directories
-2. Temporary files: `*.tmp`, `*.temp`, `.DS_Store`, `*~`, `*.swp`
-3. Test files outside `test/` or `__tests__/` directories
-
-
-Request confirmation for each file because automated deletion risks removing intentional files with unconventional names.
-
-Update checklist: Mark Phase 3 complete.
-
----
-
-### Phase 4: Structural Validation
-
-
-Use Glob and Grep tools to validate repository structure against socket-cli conventions.
-
-
-
-- package.json scripts follow naming conventions from CLAUDE.md
-- Test files have corresponding vitest configurations
-- Required files exist: tsconfig.json, .oxlintrc.json, vitest.config.mts
-- Imports use `@socketsecurity/lib/*` pattern (not Node.js built-ins where applicable)
-
-
-
-- Missing required files → Critical (blocks builds)
-- Inconsistent naming → High (causes confusion)
-- Missing configs → Medium (reduces effectiveness)
-
-
-Update checklist: Mark Phase 4 complete.
-
----
-
-### Phase 5: Determine Scan Scope
-
-
-Ask user which scans to execute.
-
-
-
-Which scans do you want to run?
-
-1. All scans (recommended for comprehensive quality improvement)
-2. Critical only (crashes, security, data corruption, auth)
-3. Custom selection (choose specific scans)
-
-Default: [1]
-
-
-
-See `reference.md` @reference for detailed agent prompts. Each scan targets specific issue categories:
-
-- **critical**: Crashes, security vulnerabilities, data corruption, auth handling
-- **logic**: Algorithm errors, edge cases, validation bugs
-- **cache**: Config/token caching correctness
-- **workflow**: Build scripts, CI/CD, cross-platform compatibility
-- **security**: GitHub Actions security via zizmor + credential exposure patterns
-- **documentation**: Command examples, API accuracy, missing docs
-
-
-Update checklist: Mark Phase 5 complete.
-
----
-
-### Phase 5b: Install External Tools (zizmor)
-
-
-Install zizmor for GitHub Actions security scanning using version that meets repository's minimumReleaseAge policy.
-
-
-
-Determine the appropriate zizmor version dynamically:
-
-1. **Read minimumReleaseAge from `.pnpmrc`**:
- ```bash
- grep 'minimumReleaseAge' .pnpmrc | cut -d'=' -f2
- ```
- This returns minutes (e.g., `10080` = 7 days). Default to 10080 if not found.
-
-2. **Query zizmor releases** (using curl or gh):
- ```bash
- # Option A: curl (universally available)
- curl -s "https://api.github.com/repos/zizmorcore/zizmor/releases" | \
- jq '[.[] | select(.prerelease == false) | {tag: .tag_name, date: .published_at}] | .[0:10]'
-
- # Option B: gh (if available)
- gh api repos/zizmorcore/zizmor/releases --jq \
- '[.[] | select(.prerelease == false) | {tag: .tag_name, date: .published_at}] | .[0:10]'
- ```
-
-3. **Calculate age and select version**:
- - Convert minimumReleaseAge from minutes to days: `minutes / 1440`
- - Find latest stable release older than that threshold
- - Example: If minimumReleaseAge=10080 (7 days) and today is March 24, select releases from March 17 or earlier
-
-4. **Install selected version** (choose based on available tools):
- ```bash
- # macOS with Homebrew (latest only, version pinning limited)
- brew install zizmor
-
- # Python environments (version pinning supported)
- pipx install zizmor==VERSION
- uv tool install zizmor==VERSION
- uvx zizmor@VERSION --help
- ```
-
- **Recommended priority**: pipx/uvx > brew
-
-
-
-Using minimumReleaseAge prevents supply chain attacks from compromised new releases. The 7-day window allows community detection of malicious packages before adoption.
-
-
-
-If no release meets the age requirement, warn the user and skip zizmor scan. Never install a release younger than minimumReleaseAge.
-
-
-Update checklist: Note zizmor version installed.
-
----
-
-### Phase 6: Execute Scans
-
-
-For each selected scan, spawn an agent using Task tool with the prompt from reference.md @reference.
-
-
-
-1. Use Task tool with `subagent_type='general-purpose'`
-2. Pass the full agent prompt from reference.md for the scan type
-3. Include current repository context (recent git log, modified files)
-4. Collect findings from agent response
-5. Track completion status in your checklist
-
-
-
-Run scans **sequentially** (not parallel) because earlier scans may uncover issues that inform later scans. For example, critical crashes found early prevent wasting tokens on logic scans of unreachable code.
-
-Order: critical → logic → cache → workflow → security → documentation
-
-
-
-For the **security** scan, run zizmor first to get machine-verified findings:
-
-```bash
-# Run zizmor on all workflow files
-zizmor .github/workflows/*.yml --format json > /tmp/zizmor-output.json
-
-# Or for human-readable output
-zizmor .github/workflows/*.yml --format plain
-```
-
-Include zizmor findings in the security scan report. zizmor detects:
-- Template injection vulnerabilities
-- Unpinned action versions
-- Dangerous permissions
-- Artifact poisoning risks
-- Excessive permissions
-
-Merge zizmor output with agent-based security scan findings, deduplicating overlapping issues.
-
-
-Choose an approach and commit to it. Execute all selected scans without revisiting scan selection unless you encounter blocking errors.
-
-Update checklist: Mark Phase 6 complete.
-
----
-
-### Phase 7: Aggregate Findings
-
-
-Collect findings from all agent scans, deduplicate, and prioritize.
-
-
-
-- **Same file and line**: Keep the finding with highest severity
-- **Same issue pattern**: Merge descriptions, preserve most actionable fix
-- **Different scans, same root cause**: Combine into single finding with multiple scan references
-
-
-
-1. Severity: Critical → High → Medium → Low (severity gates determine release readiness)
-2. Scan type: critical → logic → cache → workflow → security → documentation
-3. File path: Alphabetical (enables systematic fixing)
-
-
-
-Ensure each finding includes:
-
-```
-File: packages/cli/src/path/file.mts:123
-Issue: One-line description
-Severity: Critical|High|Medium|Low
-Pattern: Code snippet (2-3 lines)
-Trigger: Input/condition causing the issue
-Fix: Specific code change
-Impact: Consequence if triggered
-```
-
-This structure enables you to apply fixes systematically without re-reading findings.
-
-
-Update checklist: Mark Phase 7 complete.
-
----
-
-### Phase 8: Generate Report
-
-
-Create a comprehensive report using the template below.
-
-
-
-```markdown
-# Quality Scan Report - socket-cli
-
-**Date**: YYYY-MM-DD | **Iteration**: N/5 | **Total Issues**: X
-
-## Summary
-
-| Severity | Count |
-|----------|-------|
-| Critical | X |
-| High | X |
-| Medium | X |
-| Low | X |
-
-## Findings by Severity
-
-### Critical Issues (X)
-
-**1. [Issue title]**
-- File: `packages/cli/src/path/file.mts:123`
-- Pattern: `code snippet`
-- Trigger: When this happens
-- Fix: Specific change
-- Impact: What breaks
-
-[Repeat for each]
-
-[Additional severity sections follow same structure]
-
-## Scan Coverage
-
-| Scan Type | Issues |
-|---------------|--------|
-| critical | X |
-| logic | X |
-| cache | X |
-| workflow | X |
-| security | X |
-| documentation | X |
-```
-
-
-Display report to user. Offer to save to `reports/quality-scan-YYYY-MM-DD.md`.
-
-Update checklist: Mark Phase 8 complete.
-
----
-
-### Phase 9: Fix All Issues
-
-
-Apply fixes for every finding from the report, working from Critical to Low severity.
-
-
-Read each file only once, then apply all fixes for that file using Edit tool. This batching approach minimizes tool calls.
-
-Never speculate about code you have not read. Open each file before editing.
-
-Update checklist: Mark Phase 9 complete.
-
----
-
-### Phase 10: Run Tests
-
-
-Execute `pnpm test` to verify fixes didn't introduce regressions.
-
-
-
-- **All pass**: Proceed to Phase 11
-- **Some fail**: Revert last changes, report failed tests to user, exit iteration
-
-
-Tests validate that fixes solve problems without creating new ones; failures indicate logic errors in fixes requiring manual review.
-
-Update checklist: Mark Phase 10 complete.
-
----
-
-### Phase 11: Commit Fixes
-
-
-Stage changes and create commit using strategy from earlier.
-
-
-
-```
-fix: resolve quality scan issues (iteration N)
-
-- Fixed X critical issues
-- Fixed X high priority issues
-- Fixed X medium priority issues
-- Fixed X low priority issues
-
-Scans: [list of scan types run]
-```
-
-
-Use `git add .` followed by commit (amend if single-commit repo, new commit otherwise).
-
-Update checklist: Mark Phase 11 complete.
-
----
-
-### Phase 12: Iteration Decision
-
-
-Determine whether to continue or exit.
-
-
-
-**Exit conditions**:
-- Zero issues found → Success! Output `QUALITY_SCAN_COMPLETE`
-- Iteration count = 5 → Stop (manual intervention needed)
-
-**Continue condition**:
-- Issues remain AND iteration < 5 → Start new iteration, copy fresh checklist
-
-
-When continuing, increment iteration counter and return to Phase 6 (re-run scans on updated code).
-
----
-
-## Error Recovery
-
-
-**Scan agent failures**: Log warning, continue with remaining scans, note failure in report. Don't abort the entire process because other scans may still find valuable issues.
-
-**Test failures after fixes**: Revert changes from current iteration using `git restore .`, report specific test failures to user, exit. Test failures indicate logic errors requiring human review.
-
-**Git commit failures**: Display error, ask user to resolve manually. Cannot proceed without clean commits because subsequent iterations depend on committed changes.
-
-**Dirty repository**: Warn user, offer to stash changes or continue with dirty state. Continuing risks conflating quality fixes with unrelated changes.
-
-
----
-
-## socket-cli Context
-
-
-Primary targets: `packages/cli/src/`, `packages/cli/test/`, `.github/workflows/`, `scripts/`, `.config/`
-
+
+Your task is to scan socket-cli for code quality issues and fix them iteratively.
+
+
+
+- Fix all issues regardless of complexity; do not defer architectural problems.
+- Run `pnpm test` after each iteration.
+- Cap at 5 iterations; stop and report if issues persist.
+- Execute phases sequentially; each phase's output informs the next.
+- If repo has 1 commit, amend; otherwise create new commits.
+
+
+## Phases
+
+1. **Validate Environment** - `git status`; abort if not a git repo, warn if dirty.
+2. **Update Dependencies** - `pnpm install` to avoid stale-API false positives.
+3. **Repository Cleanup** - Glob for temp files, stray docs; confirm before deletion.
+4. **Structural Validation** - Verify required configs, naming conventions, import patterns.
+5. **Determine Scan Scope** - Ask user: all scans, critical only, or custom selection.
+5b. **Install zizmor** - Install version meeting `.pnpmrc` minimumReleaseAge policy.
+6. **Execute Scans** - Run selected scans sequentially via Task tool using prompts from `reference.md`.
+7. **Aggregate Findings** - Deduplicate, prioritize (Critical > High > Medium > Low).
+8. **Generate Report** - Summary table by severity + scan type, display to user.
+9. **Fix All Issues** - Apply fixes from Critical to Low; read each file before editing.
+10. **Run Tests** - `pnpm test`; revert and exit iteration on failure.
+11. **Commit Fixes** - Stage and commit with summary of fixed issue counts.
+12. **Iteration Decision** - Zero issues = done; otherwise loop back to Phase 6.
+
+## Available Scans
+
+See `reference.md` for detailed agent prompts. Scan types:
+
+- **critical** - Crashes, security vulnerabilities, data corruption, auth handling
+- **logic** - Algorithm errors, edge cases, validation bugs
+- **cache** - Config/token caching correctness
+- **workflow** - Build scripts, CI/CD, cross-platform compatibility
+- **security** - GitHub Actions security via zizmor + credential exposure patterns
+- **documentation** - Command examples, API accuracy, missing docs
+
+## Scan Scope
+
+Primary: `packages/cli/src/`, `packages/cli/test/`, `.github/workflows/`, `scripts/`, `.config/`
Excluded: `node_modules/`, `dist/`, `build/`, `.pnpm-store/`, `packages/*/dist/`
-
-
-
-Apply these socket-cli conventions when scanning and fixing:
-
-- Import pattern: `@socketsecurity/lib/*` (not Node.js built-ins where Socket provides equivalents)
-- Error types: `InputError`, `AuthError` from `src/utils/errors.mts`
-- Logging: `getDefaultLogger()` from `@socketsecurity/lib/logger`
-- File extension: `.mts` for TypeScript modules
-- Type imports: `import type` separately (NEVER mix with runtime imports)
-- CLI framework: meow-based command structure
-
----
-
-## Reference
-
-See `reference.md` @reference for complete agent prompts and pattern definitions.
+## Error Recovery
-**Version**: 1.1.0 (2026-03-24)
+- **Scan agent failure**: Log warning, continue remaining scans.
+- **Test failure after fixes**: `git restore .`, report failures, exit iteration.
+- **Git commit failure**: Display error, ask user to resolve.
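Review bot: the condensed Phase 5b line (`5b. **Install zizmor** - Install version meeting `.pnpmrc` minimumReleaseAge policy.`) drops the two rules that made the removed procedure safe: never install a release younger than minimumReleaseAge, and warn and skip the zizmor scan when no release qualifies. Without them an agent following this skill has no defined behaviour for the no-qualifying-release case and may fall back to `brew install zizmor`, which the removed text itself notes installs latest only with no version pinning. Keep at least one line stating the hard rule and the skip behaviour, and say where the release-age query (the `.pnpmrc` grep, the releases API call, the minutes-to-days conversion) now lives if it moved to `reference.md`; the `zizmor .github/workflows/*.yml --format json` invocation has also gone, so the security scan no longer says how zizmor is run. Two smaller points in the same hunk: `5b.` is not a valid Markdown ordered-list marker, so the list breaks at that item and `6.` restarts numbering (use a nested bullet under item 5 or renumber); and `**Version**: 1.1.0 (2026-03-24)` is removed without a replacement, so the rewritten skill is no longer versioned.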
diff --git a/.claude/skills/security-scan/SKILL.md b/.claude/skills/security-scan/SKILL.md
index 0ba403fea..161fb5bfa 100644
--- a/.claude/skills/security-scan/SKILL.md
+++ b/.claude/skills/security-scan/SKILL.md
@@ -1,6 +1,6 @@
---
name: security-scan
-description: Run a multi-tool security scan — AgentShield for Claude config, zizmor for GitHub Actions, and optionally Socket CLI for dependency scanning. Produces an A-F graded security report.
+description: Runs a multi-tool security scan — AgentShield for Claude config, zizmor for GitHub Actions, and optionally Socket CLI for dependency scanning. Produces an A-F graded security report.
---
# Security Scan
diff --git a/.claude/skills/updating-checksums/SKILL.md b/.claude/skills/updating-checksums/SKILL.md
index 9a3e5bf0c..2ba0ffb56 100644
--- a/.claude/skills/updating-checksums/SKILL.md
+++ b/.claude/skills/updating-checksums/SKILL.md
@@ -1,6 +1,9 @@
---
name: updating-checksums
-description: Updates SHA-256 checksums from GitHub releases to external-tools.json. Triggers when user mentions "update checksums", "sync checksums", or after releasing new tool versions.
+description: >
+ Syncs SHA-256 checksums from GitHub releases to external-tools.json.
+ Triggers when user mentions "update checksums", "sync checksums", or after
+ releasing new tool versions.
user-invocable: true
allowed-tools: Bash, Read, Edit
---
@@ -11,168 +14,26 @@ allowed-tools: Bash, Read, Edit
Your task is to sync SHA-256 checksums from GitHub releases to the embedded `external-tools.json` file, ensuring SEA builds have up-to-date integrity verification.
-
-**What is this?**
-socket-cli downloads prebuilt security tools (opengrep, python, socket-patch, sfw, trivy, trufflehog) from GitHub releases for bundling into SEA (Single Executable Application) builds. Each release may include a `checksums.txt` file with SHA-256 hashes.
-
-**Architecture:**
-
-- `packages/cli/external-tools.json` - Configuration with embedded checksums
-- `packages/cli/scripts/sync-checksums.mjs` - Sync script for GitHub release tools
-
-**Tool Types in external-tools.json:**
-
-| Type | Example | Checksums |
-|------|---------|-----------|
-| `github-release` | opengrep, trivy, sfw | Synced from releases |
-| `npm` | @coana-tech/cli, synp | SRI integrity hashes |
-| `pypi` | socketsecurity | May have checksums |
-
-**Why Sync?**
-- After tool updates (new versions), checksums become stale
-- SEA builds verify downloads against embedded checksums
-- Version-controlled checksums enable audit trail
-
-
-**CRITICAL Requirements:**
-- Network access required to fetch from GitHub API
-- Only `github-release` type tools are synced
-
-**Do NOT:**
-- Modify checksums manually (always fetch from releases)
-- Skip verification after sync
-- Commit without reviewing changes
-
-**Do ONLY:**
-- Fetch checksums from official GitHub releases
-- Update external-tools.json with new checksums
-- Verify the JSON is valid after update
+- Network access required to fetch from GitHub API.
+- Only `github-release` type tools are synced (not npm or pypi).
+- Never modify checksums manually; always fetch from releases.
+- Verify JSON validity after sync.
+- Review changes before committing.
-
-
-## Process
-
-### Phase 1: Check Current State
-
-
-Review current embedded checksums and tool versions:
-
-
-```bash
-# Show current GitHub release tools in external-tools.json
-grep -A2 '"type": "github-release"' packages/cli/external-tools.json | head -40
-```
-
----
-
-### Phase 2: Sync Checksums
-
-
-Run the sync script to fetch latest checksums:
-
-
-```bash
-# Sync all GitHub release tools
-node packages/cli/scripts/sync-checksums.mjs
-
-# Or sync specific tool
-# node packages/cli/scripts/sync-checksums.mjs --tool=opengrep
-```
-
-
-**Expected Output:**
-```
-Syncing checksums for 6 GitHub release tool(s)...
-
-[opengrep] opengrep/opengrep @ v1.16.0
- Found checksums.txt, downloading...
- Parsed 5 checksums from checksums.txt
- Unchanged: 5 checksums
-
-[python] astral-sh/python-build-standalone @ 3.11.14
- No checksums.txt found, downloading 8 assets to compute checksums...
- ...
-
-Summary: X updated, Y unchanged
-```
-
-**If sync fails:**
-- Check network connectivity
-- Verify release exists: `gh release view --repo `
-- Check GitHub API rate limits
-
-
----
-
-### Phase 3: Verify Changes
-
-
-Review the updated checksums:
-
-
-```bash
-# Show what changed
-git diff packages/cli/external-tools.json
-
-# Validate JSON syntax
-node -e "JSON.parse(require('fs').readFileSync('packages/cli/external-tools.json'))"
-```
+## Phases
----
-
-### Phase 4: Commit Changes (if any)
-
-
-If checksums were updated, commit the changes:
-
-
-```bash
-# Only if there are changes
-git add packages/cli/external-tools.json
-git commit -m "chore(cli): sync external tool checksums
-
-Update embedded SHA-256 checksums from GitHub releases.
-Enables SEA builds with up-to-date integrity verification."
-```
-
-
-
-## Success Criteria
-
-- All GitHub release tools synced from releases
-- external-tools.json updated with latest checksums
-- JSON syntax validated
-- Changes committed (if any updates)
+1. **Check Current State** - Review current checksums and tool versions in `packages/cli/external-tools.json`.
+2. **Sync Checksums** - Run `node packages/cli/scripts/sync-checksums.mjs`. Tries `checksums.txt` from the release first; falls back to downloading assets and computing SHA-256.
+3. **Verify Changes** - `git diff packages/cli/external-tools.json`; validate JSON syntax.
+4. **Commit Changes** - If updated, commit `packages/cli/external-tools.json`.
## Commands
```bash
-# Sync all GitHub release tools
-node packages/cli/scripts/sync-checksums.mjs
-
-# Sync specific tool
-node packages/cli/scripts/sync-checksums.mjs --tool=opengrep
-
-# Dry run (show what would change)
-node packages/cli/scripts/sync-checksums.mjs --dry-run
-
-# Force update even if unchanged
-node packages/cli/scripts/sync-checksums.mjs --force
+node packages/cli/scripts/sync-checksums.mjs # Sync all
+node packages/cli/scripts/sync-checksums.mjs --tool=opengrep # Sync one
+node packages/cli/scripts/sync-checksums.mjs --dry-run # Preview
+node packages/cli/scripts/sync-checksums.mjs --force # Force update
```
-
-## Context
-
-This skill is useful for:
-
-- After updating tool versions in external-tools.json
-- When new GitHub releases are published
-- Before building SEA executables
-- Regular maintenance to keep checksums current
-
-**Behavior:**
-1. First tries to download `checksums.txt` from the GitHub release
-2. If not available, downloads each asset and computes SHA-256 hashes
-3. Only updates tools with `type: "github-release"`
-4. npm packages use SRI integrity hashes (not handled by this script)
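Review bot: the new phase 2 line describes the fallback (`falls back to downloading assets and computing SHA-256`) without saying what that means for integrity. A hash computed from whatever the download returned pins that artifact but verifies nothing about it, whereas a hash taken from the release's `checksums.txt` is at least a publisher-stated value; the removed expected-output block (`No checksums.txt found, downloading 8 assets to compute checksums...`) and the removed `Do NOT ... Skip verification after sync` made that distinction visible to the operator, and the condensed text does not. Suggest one sentence in phase 2 or 3 saying that the `git diff` review should treat changed hashes for tools that had no `checksums.txt` as unverified pins to be cross-checked against the upstream release page. Also keep the validation command that was removed here (`node -e "JSON.parse(require('fs').readFileSync('packages/cli/external-tools.json'))"`), since `validate JSON syntax` in phase 3 no longer says how.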
diff --git a/.claude/skills/updating/SKILL.md b/.claude/skills/updating/SKILL.md
index 4a43b1c97..8d8d3b207 100644
--- a/.claude/skills/updating/SKILL.md
+++ b/.claude/skills/updating/SKILL.md
@@ -1,6 +1,9 @@
---
name: updating
-description: Coordinates all dependency updates (npm packages and external tool checksums). Triggers when user asks to "update everything", "update dependencies", or prepare for a release.
+description: >
+ Coordinates all dependency updates (npm packages and external tool checksums).
+ Triggers when user asks to "update everything", "update dependencies", or
+ prepare for a release.
user-invocable: true
allowed-tools: Task, Skill, Bash, Read, Grep, Glob, Edit
---
@@ -11,183 +14,22 @@ allowed-tools: Task, Skill, Bash, Read, Grep, Glob, Edit
Your task is to update all dependencies in socket-cli: npm packages via `pnpm run update`, then sync external tool checksums, ensuring all builds and tests pass.
-
-**What is this?**
-socket-cli uses npm packages and external tools (opengrep, python, socket-patch, sfw, trivy, trufflehog) that need periodic updates for security patches, bug fixes, and new features.
-
-**Existing Skills:**
-- `updating-checksums` - Syncs SHA-256 checksums from GitHub releases to external-tools.json
-- `quality-scan` - Comprehensive quality scanning and issue fixing
-
-**Update Targets:**
-1. **npm packages** - Updated via `pnpm run update`
-2. **External tool checksums** - Updated via `updating-checksums` skill
-
-
-**Requirements:**
-- Start with clean working directory (no uncommitted changes)
-- Target stable releases only (exclude -rc, -alpha, -beta tags)
-
-**CI Mode** (detected via `CI=true` or `GITHUB_ACTIONS`):
-- Create atomic commits, skip build validation (CI validates separately)
-- Workflow handles push and PR creation
-
-**Interactive Mode** (default):
-- Validate each update with build/tests before proceeding
-- Report validation results to user
-
-**Actions:**
-- Update npm packages and external tool checksums
-- Create atomic commits for each update
-- Report comprehensive summary of all changes
+- Start with clean working directory (no uncommitted changes).
+- Target stable releases only (exclude -rc, -alpha, -beta tags).
+- **CI mode** (`CI=true` or `GITHUB_ACTIONS`): Create atomic commits, skip build validation.
+- **Interactive mode** (default): Validate each update with build/tests before proceeding.
-
-
-## Process
-
-### Phase 1: Validate Environment
-
-
-Check working directory is clean and detect CI mode:
-
-
-```bash
-# Detect CI mode
-if [ "$CI" = "true" ] || [ -n "$GITHUB_ACTIONS" ]; then
- CI_MODE=true
- echo "Running in CI mode - will skip build validation"
-else
- CI_MODE=false
- echo "Running in interactive mode - will validate builds"
-fi
-
-# Check working directory is clean
-git status --porcelain
-```
-
-
-- Working directory must be clean
-- CI_MODE detected for subsequent phases
-
-
----
-
-### Phase 2: Update npm Packages
-
-
-Run pnpm run update to update npm dependencies:
-
-
-```bash
-# Update npm packages
-pnpm run update
-
-# Check if there are changes
-if [ -n "$(git status --porcelain pnpm-lock.yaml package.json packages/*/package.json)" ]; then
- git add pnpm-lock.yaml package.json packages/*/package.json
- git commit -m "chore: update npm dependencies
-
-Updated npm packages via pnpm run update."
- echo "npm packages updated"
-else
- echo "npm packages already up to date"
-fi
-```
-
----
-
-### Phase 3: Update External Tool Checksums
-
-
-Use the updating-checksums skill to sync SHA-256 checksums from GitHub releases:
-
-
-```
-Skill({ skill: "updating-checksums" })
-```
-
-Wait for skill completion before proceeding.
-
----
-
-### Phase 4: Final Validation
-
-
-Run full build and test suite (skip in CI mode):
-
-
-```bash
-if [ "$CI_MODE" = "true" ]; then
- echo "CI mode: Skipping final validation (CI will run builds/tests separately)"
- echo "Commits created - ready for push by CI workflow"
-else
- echo "Interactive mode: Running full validation..."
- pnpm run fix --all
- pnpm run check --all
- pnpm test
-fi
-```
-
----
-
-### Phase 5: Report Summary
-
-
-Generate comprehensive update report:
-
-
-```
-## Update Complete
-
-### Updates Applied:
-
-| Category | Status |
-|----------|--------|
-| npm packages | Updated/Up to date |
-| External tool checksums | Updated/Up to date |
-
-### Commits Created:
-- [list commits]
-
-### Validation:
-- Build: SUCCESS/SKIPPED (CI mode)
-- Tests: PASS/SKIPPED (CI mode)
-
-### Next Steps:
-**Interactive mode:**
-1. Review changes: `git log --oneline -N`
-2. Push to remote: `git push origin main`
-
-**CI mode:**
-1. Workflow will push branch and create PR
-2. CI will run full build/test validation
-3. Review PR when CI passes
-```
-
-
-
-## Success Criteria
-
-- All npm packages checked for updates
-- External tool checksums synced
-- Full build and tests pass (interactive mode)
-- Comprehensive summary report generated
-
-## Commands
-
-This skill coordinates other skills:
-
-- Uses `updating-checksums` skill for external tool checksums
-- Direct pnpm commands for npm package updates
-
-## Context
+## Phases
-This skill is useful for:
+1. **Validate Environment** - Verify clean working directory; detect CI vs interactive mode.
+2. **Update npm Packages** - Run `pnpm run update`; commit if changes detected.
+3. **Update External Tool Checksums** - Invoke the `updating-checksums` skill.
+4. **Final Validation** - In interactive mode: `pnpm run fix --all`, `pnpm run check --all`, `pnpm test`. Skipped in CI.
+5. **Report Summary** - List updates applied, commits created, validation results, and next steps.
-- Weekly maintenance (automated via weekly-update.yml)
-- Security patch rollout across all dependencies
-- Pre-release preparation
+## Coordinates
-**Safety:** Each update is validated independently. Failures stop the process.
+- `updating-checksums` skill for external tool checksums
+- `pnpm run update` for npm packages
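Review bot: two operational rules disappear in this hunk with no equivalent in the condensed text. Phase 2 previously staged only `pnpm-lock.yaml package.json packages/*/package.json` before committing; the new `commit if changes detected` does not bound what gets staged, so an agent could sweep unrelated files into the dependency-update commit, and the commit message text that was here is gone too. The removed `**Safety:** Each update is validated independently. Failures stop the process.` was the only statement of what happens when `pnpm run check --all` or `pnpm test` fails in phase 4; the new phase list has no failure rule at all. Suggest restoring the explicit file list in phase 2 and a one-line stop-on-failure rule in phase 4.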
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index 4437a7ee6..a3b2ed9f8 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -109,7 +109,7 @@ jobs:
export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
CODE
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
with:
checkout: 'false'
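Review bot: the bump from `4edf2e3c3beff7d536e79ce43dfb61abba7cb537` to `96c2a403934488b2b1d6127e44f65fd2c36c1150` keeps a full commit SHA pin, which is the right form, but the trailing `# main` comment gives a reviewer nothing to check the new SHA against (a tag or the upstream commit subject would). The identical replacement is repeated in the three other hunks of this file and in provenance.yml and weekly-update.yml, and nothing in the diff records what changed in `setup-and-install` between the two commits, so this is an unreviewable update of code that runs with each job's token. Suggest the PR description cite the upstream commit range, and have whatever tool maintains these pins write a release or tag name into the comment rather than a branch.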
@@ -168,7 +168,7 @@ jobs:
export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
CODE
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
with:
checkout: 'false'
@@ -234,7 +234,7 @@ jobs:
export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
CODE
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
with:
checkout: 'false'
node-version: ${{ matrix.node-version }}
@@ -310,7 +310,7 @@ jobs:
export default { text, view, renderToString, renderToStringWithWidth, printComponent, eprintComponent, getTerminalSize, TuiRenderer, init }
CODE
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
with:
checkout: 'false'
node-version: ${{ matrix.node-version }}
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
index e3e9c881a..86ceac345 100644
--- a/.github/workflows/provenance.yml
+++ b/.github/workflows/provenance.yml
@@ -51,7 +51,7 @@ jobs:
with:
persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
with:
checkout: 'false'
@@ -91,7 +91,7 @@ jobs:
with:
persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
with:
checkout: 'false'
registry-url: 'https://registry.npmjs.org'
@@ -134,14 +134,14 @@ jobs:
timeout-minutes: 45
permissions:
contents: read
- id-token: write
+ id-token: write # NPM trusted publishing via OIDC
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
with:
persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
with:
checkout: 'false'
registry-url: 'https://registry.npmjs.org'
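Review bot: the justification comment on `id-token: write` is a good addition, and the permission stays job-scoped next to `contents: read`, which is the right shape for a publish job. Worth confirming in the same job: if a long-lived npm token is still passed to the publish step anywhere outside this hunk, trusted publishing via OIDC is documented but not actually what authenticates the publish, and the token should be removed so the OIDC path is the only credential in play.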
@@ -354,6 +354,7 @@ jobs:
done
- name: Summary
+ # zizmor: ignore[template-injection]
run: |
echo "## Publish Summary" >> $GITHUB_STEP_SUMMARY
echo "" >> $GITHUB_STEP_SUMMARY
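Review bot: the new `# zizmor: ignore[template-injection]` on the Summary step suppresses the finding rather than fixing it, and the comment gives no reason for accepting the risk. The `run:` lines that interpolate `${{ }}` expressions are not in this hunk, but the fix is the same pattern this PR applies in `weekly-update.yml` (move each expression into `env:` and read it as a shell variable); any expression expanded into the script body is evaluated by the shell before its value ever reaches `$GITHUB_STEP_SUMMARY`. If the ignore is kept, extend the comment with why the interpolated values are trusted (for example, that they are fixed `github.*` fields rather than PR titles, branch names or other user-controlled input). Minor, while here: quote `"$GITHUB_STEP_SUMMARY"`.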
diff --git a/.github/workflows/weekly-update.yml b/.github/workflows/weekly-update.yml
index a316e4d33..0d95bec1d 100644
--- a/.github/workflows/weekly-update.yml
+++ b/.github/workflows/weekly-update.yml
@@ -29,7 +29,7 @@ jobs:
with:
persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
with:
checkout: 'false'
@@ -52,8 +52,8 @@ jobs:
if: needs.check-updates.outputs.has-updates == 'true' && inputs.dry-run != true
runs-on: ubuntu-latest
permissions:
- contents: write
- pull-requests: write
+ contents: write # Push update branch
+ pull-requests: write # Create PR
steps:
- name: Checkout repository
uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -61,7 +61,7 @@ jobs:
fetch-depth: 0
persist-credentials: false
- - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
with:
checkout: 'false'
@@ -69,13 +69,14 @@ jobs:
id: branch
env:
GH_TOKEN: ${{ github.token }}
+ GITHUB_REPO: ${{ github.repository }}
run: |
BRANCH_NAME="weekly-update-$(date +%Y%m%d)"
- git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${{ github.repository }}.git"
+ git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPO}.git"
git checkout -b "$BRANCH_NAME"
echo "branch=$BRANCH_NAME" >> $GITHUB_OUTPUT
- - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+ - uses: SocketDev/socket-registry/.github/actions/setup-git-signing@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
with:
gpg-private-key: ${{ secrets.BOT_GPG_PRIVATE_KEY }}
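Review bot: moving `${{ github.repository }}` into `env:` as `GITHUB_REPO` is the correct fix for the template-injection finding, though the runner already exposes the same value as the default `GITHUB_REPOSITORY` variable, so `${GITHUB_REPOSITORY}` would do without the extra `env:` entry. The larger point in this hunk is unchanged by the diff: `git remote set-url origin "https://x-access-token:${GH_TOKEN}@github.com/${GITHUB_REPO}.git"` writes the token into `.git/config` on the runner for the rest of the job, which undoes the `persist-credentials: false` set on the checkout step in the previous hunk and hands the token to every later step in the job. Prefer supplying the credential per command (for example an `http.extraheader` config on the push itself, or letting the checkout action manage it for the push step only) so the token never persists in the remote URL. Minor: quote `"$GITHUB_OUTPUT"`.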
@@ -302,7 +303,7 @@ jobs:
test.log
retention-days: 7
- - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@4edf2e3c3beff7d536e79ce43dfb61abba7cb537 # main
+ - uses: SocketDev/socket-registry/.github/actions/cleanup-git-signing@96c2a403934488b2b1d6127e44f65fd2c36c1150 # main
if: always()
notify:
diff --git a/CLAUDE.md b/CLAUDE.md
index 8b5872945..6aa55880f 100644
--- a/CLAUDE.md
+++ b/CLAUDE.md
@@ -2,132 +2,86 @@
**MANDATORY**: Act as principal-level engineer. Follow these guidelines exactly.
-## 👤 USER CONTEXT
+## USER CONTEXT
-- **Identify users by git credentials**: Extract name from git commit author, GitHub account, or context
-- 🚨 **When identity is verified**: ALWAYS use their actual name - NEVER use "the user" or "user"
-- **Direct communication**: Use "you/your" when speaking directly to the verified user
-- **Discussing their work**: Use their actual name when referencing their commits/contributions
-- **Example**: If git shows "John-David Dalton ", refer to them as "John-David"
-- **Other contributors**: Use their actual names from commit history/context
+- Identify users by git credentials (commit author, GitHub account). Use their actual name, never "the user".
+- Use "you/your" when speaking directly; use their name when discussing their work.
## PRE-ACTION PROTOCOL
**MANDATORY**: Review CLAUDE.md before any action. No exceptions.
-- Before ANY structural refactor on a file >300 LOC: remove dead code, unused exports, unused imports first — commit that cleanup separately before the real work
-- Multi-file changes: break into phases (≤5 files each), verify each phase before the next
-- When pointed to existing code as a reference: study it before building — working code is a better spec than any description
-- Work from raw error data, not theories — if a bug report has no error output, ask for it
+- Before ANY structural refactor on a file >300 LOC: remove dead code, unused exports, unused imports first -- commit that cleanup separately
+- Multi-file changes: break into phases (<=5 files each), verify each phase before the next
+- When pointed to existing code as a reference: study it before building
+- Work from raw error data, not theories -- if a bug report has no error output, ask for it
- On "yes", "do it", or "go": execute immediately, no plan recap
## VERIFICATION PROTOCOL
**MANDATORY**: Before claiming any task is complete:
-1. Run the actual command — execute the script, run the test, check the output
+1. Run the actual command -- execute the script, run the test, check the output
2. State what you verified, not just "looks good"
-3. **FORBIDDEN**: Claiming "Done" when any test output shows failures, or characterizing incomplete/broken work as complete
+3. **FORBIDDEN**: Claiming "Done" when any test output shows failures
4. If type-check or lint is configured, run it and fix ALL errors before reporting done
5. Re-read every file modified; confirm nothing references something that no longer exists
## CONTEXT & EDIT SAFETY
-- After 10+ messages: re-read any file before editing it — do not trust remembered contents
-- Read files >500 LOC in chunks using offset/limit; never assume one read captured the whole file
-- Before every edit: re-read the file. After every edit: re-read to confirm the change applied correctly
-- When renaming anything, search separately for: direct calls, type references, string literals, dynamic imports, re-exports, test files — one grep is not enough
-- Never fix a display/rendering problem by duplicating state — one source of truth, everything reads from it
+- After 10+ messages: re-read any file before editing it
+- Read files >500 LOC in chunks using offset/limit
+- Before every edit: re-read the file. After every edit: re-read to confirm
+- When renaming: search for direct calls, type references, string literals, dynamic imports, re-exports, test files -- one grep is not enough
+- Never fix a display/rendering problem by duplicating state
-## JUDGMENT PROTOCOL
+## JUDGMENT & SCOPE
-- If the user's request is based on a misconception, say so before executing
-- If you spot a bug adjacent to what was asked, flag it: "I also noticed X — want me to fix it?"
-- You are a collaborator, not just an executor
-
-## SCOPE PROTOCOL
-
-- Do not add features, refactor, or make improvements beyond what was asked — band-aids when asked for band-aids
-- Try the simplest approach first; if architecture is actually flawed, flag it and wait for approval before restructuring
-- When asked to "make a plan," output only the plan — no code until given the go-ahead
+- If the request is based on a misconception, say so before executing
+- If you spot a bug adjacent to what was asked, flag it
+- Do not add features, refactor, or make improvements beyond what was asked
+- Try the simplest approach first; flag architecture issues and wait for approval
+- When asked to "make a plan," output only the plan -- no code until given the go-ahead
## SELF-EVALUATION
-- Before calling anything done: present two views — what a perfectionist would reject vs. what a pragmatist would ship — let the user decide
+- Before calling anything done: present what a perfectionist would reject vs. what a pragmatist would ship
- After fixing a bug: explain why it happened and what category of bug it represents
-- If a fix doesn't work after two attempts: stop, re-read the relevant section top-down, state where the mental model was wrong, propose something fundamentally different
-- If asked to "step back" or "we're going in circles": drop everything, rethink from scratch
+- If a fix doesn't work after two attempts: stop, re-read top-down, state where the mental model was wrong
+- If asked to "step back": drop everything, rethink from scratch
## HOUSEKEEPING
-- Before risky changes: offer to checkpoint — "want me to commit before this?"
-- If a file is getting unwieldy (>400 LOC): flag it — "this is big enough to cause pain — want me to split it?"
+- Before risky changes: offer to checkpoint
+- If a file is getting unwieldy (>400 LOC): flag it
## Critical Rules
-### Fix ALL Issues
-
-- **Fix ALL issues when asked** - Never dismiss issues as "pre-existing" or "not caused by my changes"
-- When asked to fix, lint, or check: fix everything found, regardless of who introduced it
-- Always address all issues found during lint/check operations
-
-## ABSOLUTE RULES
-
-- Never create files unless necessary
-- Always prefer editing existing files
+- **Fix ALL issues when asked** -- never dismiss issues as "pre-existing"
+- Never create files unless necessary; always prefer editing existing files
- Forbidden to create docs unless requested
-- Required to do exactly what was asked
-- 🚨 **NEVER use `npx`, `pnpm dlx`, or `yarn dlx`** — use `pnpm exec ` for devDep binaries, or `pnpm run
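Review bot: the condensation drops content, not just verbosity, in the VERIFICATION PROTOCOL: the `-3.` line forbids both claiming "Done" with failing tests and "characterizing incomplete/broken work as complete", while the `+3.` line keeps only the first half, which is the narrower of the two. Keep the second clause or fold it into another bullet. The mechanical swaps of `—` for `--` and `≤` for `<=` and the removal of the 🚨 markers are fine as an ASCII normalization, but they inflate the hunk enough that the dropped sentence is easy to miss; a formatting-only commit separate from the wording changes would have kept the substantive edits reviewable.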