The previous layout placed epic folders directly under docs/work/
alongside prds/ and _system/. Tightening: epics now live in their
own docs/work/epics/ subfolder, peer to prds/ and _system/. Same
shape as the existing prds/ bucket.
Final docs/work/ layout:
README.md
prds/<slug>.prd.md
_system/_state.json
epics/<slug>/_epic.md + <story-folder>/_story.md
Renames (git mv preserves history):
- docs/work/binder-wrap-helper/
-> docs/work/epics/binder-wrap-helper/
- docs/work/library-evaluation-policy/
-> docs/work/epics/library-evaluation-policy/
- docs/work/ci-security-and-supply-chain/
-> docs/work/epics/ci-security-and-supply-chain/
Tooling updates:
- state-builder.mjs walks workRoot/epics/ directly; SKIP_FOLDERS
obsoleted (no more sibling folders to filter out).
- dispatch.mjs's findNextTask, tickStoryBulletInEpic, and
flipEpicDoneIfAllStoriesDone all join with "epics" segment.
- prd-ship.mjs's deriveShippingCommits walks workRoot/epics/ and
git-logs docs/work/epics/<epic>/.
- decomposer.prompt.md emits epics under docs/work/epics/<epic-id>/.
- handoff + grill-with-docs glossary references updated.
- Glossary entry for Epic updated.
Reserved future shape: when a task-tracker integration (ClickUp,
Linear) ships, the epics/ subfolder hosts <task-id>-<slug>/
folders. Today it just hosts bare slugs.
3.3 KiB
id, epic, title, type, status, feature, depends-on, blocks, created, updated
| id | epic | title | type | status | feature | depends-on | blocks | created | updated | ||
|---|---|---|---|---|---|---|---|---|---|---|---|
| 02-socket-integration | ci-security-and-supply-chain | Socket integration (skill + CI) | technical-story | done | tooling |
|
|
2026-05-14T18:59:12+02:00 | 2026-05-14T19:21:52.308Z |
Goal
Wire Socket.dev into two enforcement layers: (1) the evaluate-library skill gains Filter 9 (supply-chain behavior) using socket-cli, and (2) ci.yml gains a socket-cli scan step that fails on critical severity findings.
Why
CVE databases are lagging indicators — event-stream, ua-parser-js, and tj-actions/changed-files all shipped malware before any CVE existed. Socket detects behavioral signals (new network calls, new post-install scripts, maintainer-account changes) in real time. Placing it as the 9th filter in evaluate-library + as a CI gate closes the behavior-compromise surface that CVE scanning misses.
External dependency: library-evaluation epic story 04 (evaluate-library skill) must be complete — the skill's SKILL.md must exist and have the 8-filter structure. That epic is marked done.
Done when
.claude/skills/evaluate-library/SKILL.mdhas a "Filter 9 — Supply-chain behavior (Socket)" section. The skill's fail-fast logic positions Socket as expensive (network call), running it after the cheap structural filters. The section documents thesocket-cliverification command and the JSON output fields used to classifyclean/flagged/<finding-summary>. The trace'ssocket-riskfield infilter-resultsis set from this output..socket.jsonexists at repo root:{ "issueRules": { "critical": "error", "high": "warn", "medium": "ignore", "low": "ignore" } }.ci.yml'svalidatejob has a step that runssocket-cli scanagainst the lockfile, filtered to PRs that touchpackage.jsonorpnpm-lock.yaml(viapaths:condition). The step exits non-zero on anycriticalfinding.docs/guides/ci-security.mdSocket App install instructions are deferred to Story 09 (the human guide). This story ships only the machine-enforced layers.pnpm typecheck && pnpm lint && pnpm test && pnpm conformance && pnpm fallow:audit && pnpm coverage:diffall pass.
In scope
.claude/skills/evaluate-library/SKILL.md— Filter 9 section addition..socket.json— repo-root config file..github/workflows/ci.yml— one new step in thevalidatejob (withpaths:filter).
Out of scope
- Paid Socket Team plan or server-side PR-block enforcement — explicitly out of PRD scope.
- Socket GitHub App install — consumer-facing instructions live in Story 09's guide.
- Backfilling existing traces with
socket-risk— Story 05 (revalidation cron handles this).
Tasks
- Add
.socket.jsonat repo root and extend.claude/skills/evaluate-library/SKILL.mdwith a "Filter 9 — Supply-chain behavior (Socket)" section: position Socket after cheap filters, documentsocket-clias the verification command, specify howclean/flagged/<finding-summary>maps to the trace'ssocket-riskfield; one commit, all gates pass. - Add a
socket-cli scanstep toci.yml'svalidatejob, scoped to PRs touchingpackage.jsonorpnpm-lock.yamlvia apaths:condition; step exits non-zero on anycriticalfinding; one commit, all gates pass.