Add Socket supply-chain scanning; tune dependency audit noise

.github/workflows/nightly-socket-scan.yaml

@@ -0,0 +1,28 @@
+name: Nightly Socket supply-chain scan
+on:
+  schedule:
+    # 07:45 UTC — offset from the nightly dependency audit (07:15)
+    - cron: '45 7 * * *'
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  socket-scan:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+      - name: Use Node.js 24.x
+        uses: actions/setup-node@v6
+        with:
+          node-version: "24.x"
+      # Socket reads manifests + lockfiles directly and queries the Socket API,
+      # so no `bun install` is needed. Run the CLI via bunx to avoid pulling a
+      # third-party marketplace Action into our trusted set.
+      - name: Socket scan
+        run: bunx socket ci
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}

.github/workflows/weekly-socket-fix.yaml

@@ -0,0 +1,36 @@
+name: Weekly Socket remediation PRs
+on:
+  schedule:
+    # Mondays 08:00 UTC — weekly, offset from the nightly scans
+    - cron: '0 8 * * 1'
+  workflow_dispatch:
+
+# socket fix opens PRs, so it needs write scope. This is the ONLY Socket job
+# that carries write permissions — detection (nightly-socket-scan) stays read-only.
+permissions:
+  contents: write
+  pull-requests: write
+
+jobs:
+  socket-fix:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v6
+      - name: Setup Bun
+        uses: oven-sh/setup-bun@v2
+      - name: Use Node.js 24.x
+        uses: actions/setup-node@v6
+        with:
+          node-version: "24.x"
+      - name: Install js deps (w/ bun)
+        run: bun install
+      # No --autopilot: Socket opens remediation PRs but never merges them.
+      # A human reviews the actual dep diff before it lands — deliberate, given
+      # we publish to npm.
+      - name: Socket fix
+        run: bunx socket fix --pr-limit 10
+        env:
+          SOCKET_SECURITY_API_KEY: ${{ secrets.SOCKET_SECURITY_API_KEY }}
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SOCKET_CLI_GIT_USER_NAME: 'socket-fix[bot]'
+          SOCKET_CLI_GIT_USER_EMAIL: 'socket-fix@users.noreply.github.com'

package.json

@@ -25,7 +25,7 @@
     "dev": "turbo run dev --concurrency=40 --parallel --filter=\"!smoke-test-*\"",
     "lint": "eslint .",
     "lint:fix": "eslint . --fix",
-    "audit:changed": "bun run scripts/audit-changed-packages.ts --audit-level=moderate",
+    "audit:changed": "bun run scripts/audit-changed-packages.ts --audit-level=critical",
     "audit:full": "bun audit --audit-level=moderate",
     "bumpy:add": "bumpy add",
     "release:create-missing-tags": "node scripts/create-missing-release-tags.js",

socket.yml

@@ -0,0 +1,47 @@
+# Socket (socket.dev) configuration — read by the Socket GitHub App.
+# Lives in-repo so our supply-chain policy is reviewable + version-controlled
+# instead of buried in the dashboard.
+#
+# NOTE: issueRules here control *whether an alert is reported at all* (noise).
+# Whether a reported alert *blocks* a PR vs. just comments is governed by the
+# org Security Policy in the Socket dashboard — keep the high-signal ones below
+# set to "block" there, and the rest to "monitor".
+version: 2
+
+# Only scan PRs that actually change dependencies. A PR that touches no manifest
+# or lockfile has nothing for Socket to say — this alone kills most of the noise.
+triggerPaths:
+  - "**/package.json"
+  - "bun.lock"
+  - "bun.lockb"
+
+githubApp:
+  enabled: true
+  # Keep real security alerts on PRs...
+  pullRequestAlertsEnabled: true
+  # ...but drop the big auto-generated dependency-overview / report comments that
+  # land on every PR and train people to scroll past Socket.
+  dependencyOverviewEnabled: false
+  projectReportsEnabled: false
+
+issueRules:
+  # --- High signal: the malicious-bump / credential-theft threat model ---
+  malware: true              # known malware
+  installScripts: true       # postinstall/preinstall hooks (the classic exfil vector)
+  shellScriptOverride: true  # package overrides shell scripts
+  networkAccess: true        # phones home
+  envVars: true              # reads env vars — directly relevant to a secrets tool
+  gitDependency: true        # non-registry source (git)
+  httpDependency: true       # non-registry source (http url)
+  didYouMean: true           # typosquat / lookalike name
+  troll: true                # protestware / sabotage
+  obfuscatedRequire: true    # obfuscated code paths
+  criticalCVE: true          # critical known vulns
+
+  # --- Low signal for us: reputational/heuristic noise we were ignoring anyway ---
+  newAuthor: false           # new maintainer publishing — fires constantly
+  unstableOwnership: false
+  telemetry: false           # covered by networkAccess for the cases we care about
+  minifiedFile: false        # common in legit deps
+  hasNativeCode: false       # we ship native binaries ourselves; not a useful signal here
+  deprecated: false          # handled by our dependency hygiene, not a security gate