Files
agentic-dev/docs/work/ci-security-and-supply-chain/02-socket-integration/_story.md
Danijel Martinek bae4b66fa4 refactor(work): drop date prefixes + move _state.json into _system/
Convention shift: epic folders + PRD filenames + frontmatter id
fields are now bare slugs. The created: timestamp (Phase 2) carries
the date; folder names don't repeat it. A future <task-id>-<slug>
shape (e.g. ClickUp) lands cleanly when that integration ships.

Renames (git mv preserves history):
- docs/work/2026-05-13-binder-wrap-helper/
    -> docs/work/binder-wrap-helper/
- docs/work/2026-05-14-library-evaluation-policy/
    -> docs/work/library-evaluation-policy/
- docs/work/2026-05-14-ci-security-and-supply-chain/
    -> docs/work/ci-security-and-supply-chain/
- docs/work/prds/2026-05-13-binder-wrap-helper.prd.md
    -> docs/work/prds/binder-wrap-helper.prd.md
- docs/work/prds/2026-05-13-coverage-architecture.prd.md
    -> docs/work/prds/coverage-architecture.prd.md
- docs/work/prds/2026-05-14-library-evaluation-policy.prd.md
    -> docs/work/prds/library-evaluation-policy.prd.md
- docs/work/prds/2026-05-14-ci-security-and-supply-chain.prd.md
    -> docs/work/prds/ci-security-and-supply-chain.prd.md

Frontmatter updates inside the renamed files: epic id, epic prd,
story epic, PRD id, PRD builds-on all drop date prefixes.

System folder + state file move:
- New docs/work/_system/ holds framework-managed state.
- docs/work/_state.json -> docs/work/_system/_state.json.
- state-builder.mjs adds _system to SKIP_FOLDERS.
- cli.mjs + state-sync-guard.mjs + .husky/pre-commit point at the
  new path.

template-reset-v1 epic deleted entirely (one-off cleanup epic from
the pre-date-convention era; status was already done).

Generator-template updates (so new artifacts ship in the right
shape):
- .sandcastle/decomposer.prompt.md emits bare-slug folder names +
  ISO created: timestamp.
- .claude/skills/to-prd/SKILL.md template uses bare-slug filename +
  bare-slug id field + ISO created: timestamp.

Doc reference updates: glossary, runbook, agent-first-workflow-
and-conformance, reviewer prompt, ADR-020, ADR-022, ADR-023 all
point at the new paths/slugs.
2026-05-14 21:16:51 +02:00

3.3 KiB

id, epic, title, type, status, feature, depends-on, blocks, created, updated
id epic title type status feature depends-on blocks created updated
02-socket-integration ci-security-and-supply-chain Socket integration (skill + CI) technical-story done tooling
01-trace-schema-extensions
08-reviewer-prompt-update
2026-05-14T18:59:12+02:00 2026-05-14T19:16:52.691Z

Goal

Wire Socket.dev into two enforcement layers: (1) the evaluate-library skill gains Filter 9 (supply-chain behavior) using socket-cli, and (2) ci.yml gains a socket-cli scan step that fails on critical severity findings.

Why

CVE databases are lagging indicators — event-stream, ua-parser-js, and tj-actions/changed-files all shipped malware before any CVE existed. Socket detects behavioral signals (new network calls, new post-install scripts, maintainer-account changes) in real time. Placing it as the 9th filter in evaluate-library + as a CI gate closes the behavior-compromise surface that CVE scanning misses.

External dependency: library-evaluation epic story 04 (evaluate-library skill) must be complete — the skill's SKILL.md must exist and have the 8-filter structure. That epic is marked done.

Done when

  • .claude/skills/evaluate-library/SKILL.md has a "Filter 9 — Supply-chain behavior (Socket)" section. The skill's fail-fast logic positions Socket as expensive (network call), running it after the cheap structural filters. The section documents the socket-cli verification command and the JSON output fields used to classify clean / flagged / <finding-summary>. The trace's socket-risk field in filter-results is set from this output.
  • .socket.json exists at repo root: { "issueRules": { "critical": "error", "high": "warn", "medium": "ignore", "low": "ignore" } }.
  • ci.yml's validate job has a step that runs socket-cli scan against the lockfile, filtered to PRs that touch package.json or pnpm-lock.yaml (via paths: condition). The step exits non-zero on any critical finding.
  • docs/guides/ci-security.md Socket App install instructions are deferred to Story 09 (the human guide). This story ships only the machine-enforced layers.
  • pnpm typecheck && pnpm lint && pnpm test && pnpm conformance && pnpm fallow:audit && pnpm coverage:diff all pass.

In scope

  • .claude/skills/evaluate-library/SKILL.md — Filter 9 section addition.
  • .socket.json — repo-root config file.
  • .github/workflows/ci.yml — one new step in the validate job (with paths: filter).

Out of scope

  • Paid Socket Team plan or server-side PR-block enforcement — explicitly out of PRD scope.
  • Socket GitHub App install — consumer-facing instructions live in Story 09's guide.
  • Backfilling existing traces with socket-risk — Story 05 (revalidation cron handles this).

Tasks

  • Add .socket.json at repo root and extend .claude/skills/evaluate-library/SKILL.md with a "Filter 9 — Supply-chain behavior (Socket)" section: position Socket after cheap filters, document socket-cli as the verification command, specify how clean/flagged/<finding-summary> maps to the trace's socket-risk field; one commit, all gates pass.
  • Add a socket-cli scan step to ci.yml's validate job, scoped to PRs touching package.json or pnpm-lock.yaml via a paths: condition; step exits non-zero on any critical finding; one commit, all gates pass.