chore(ci): update socket-registry pins, pin deps, add sfw aliases

.github/workflows/ci.yml

@@ -27,7 +27,7 @@ permissions:
 jobs:
   ci:
     name: Run CI Pipeline
-    uses: SocketDev/socket-registry/.github/workflows/ci.yml@adb5697306eb2619b3255c2406e52e04cc99d555 # main
+    uses: SocketDev/socket-registry/.github/workflows/ci.yml@6096b06b1790f411714c89c40f72aade2eeaab7c # main
     with:
       test-setup-script: 'pnpm run build'
       lint-script: 'pnpm run lint --all'
@@ -46,7 +46,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     steps:
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@24323cbd9e61a7e3a600b8c7e99eb27a29642a54 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@6096b06b1790f411714c89c40f72aade2eeaab7c # main
         with:
           node-version: '24'
 

.github/workflows/provenance.yml

@@ -21,7 +21,7 @@ permissions:
 
 jobs:
   publish:
-    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@b809e72d069356dfaf490134e9a20226dd9376c1 # main
+    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@6096b06b1790f411714c89c40f72aade2eeaab7c # main
     with:
       debug: ${{ inputs.debug }}
       package-name: '@socketsecurity/lib'

.github/workflows/weekly-update.yml

@@ -24,11 +24,13 @@ jobs:
     outputs:
       has-updates: ${{ steps.check.outputs.has-updates }}
     steps:
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@24323cbd9e61a7e3a600b8c7e99eb27a29642a54 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@6096b06b1790f411714c89c40f72aade2eeaab7c # main
 
       - name: Check for npm updates
         id: check
+        shell: bash
         run: |
+          alias pnpm="$SFW_BIN pnpm"
           echo "Checking for npm package updates..."
           HAS_UPDATES=false
           NPM_UPDATES=$(pnpm outdated 2>/dev/null || true)
@@ -47,10 +49,13 @@ jobs:
       contents: write
       pull-requests: write
     steps:
-      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@24323cbd9e61a7e3a600b8c7e99eb27a29642a54 # main
+      - uses: SocketDev/socket-registry/.github/actions/setup-and-install@6096b06b1790f411714c89c40f72aade2eeaab7c # main
 
       - name: Install Claude Code
-        run: npm install -g @anthropic-ai/claude-code
+        shell: bash
+        run: |
+          alias pnpm="$SFW_BIN pnpm"
+          pnpm add -g @anthropic-ai/claude-code@2.1.89
 
       - name: Create update branch
         id: branch
@@ -67,10 +72,12 @@ jobs:
       - name: Run updating skill with Claude Code
         id: claude
         timeout-minutes: 30
+        shell: bash
         env:
           ANTHROPIC_API_KEY: ${{ secrets.ANTHROPIC_API_KEY }}
           GITHUB_ACTIONS: 'true'
         run: |
+          alias pnpm="$SFW_BIN pnpm"
           if [ -z "$ANTHROPIC_API_KEY" ]; then
             echo "ANTHROPIC_API_KEY not set - skipping automated update"
             echo "success=false" >> $GITHUB_OUTPUT

CLAUDE.md

@@ -37,6 +37,8 @@
 - Read files >500 LOC in chunks using offset/limit; never assume one read captured the whole file
 - Before every edit: re-read the file. After every edit: re-read to confirm the change applied correctly
 - When renaming anything, search separately for: direct calls, type references, string literals, dynamic imports, re-exports, test files — one grep is not enough
+- Tool results over 50K characters are silently truncated — if search returns suspiciously few results, narrow scope and re-run
+- For tasks touching >5 files: use sub-agents with worktree isolation to prevent context decay
 
 ## JUDGMENT PROTOCOL
 
@@ -50,13 +52,36 @@
 - Try the simplest approach first; if architecture is actually flawed, flag it and wait for approval before restructuring
 - When asked to "make a plan," output only the plan — no code until given the go-ahead
 
+## COMPLETION PROTOCOL
+
+- **NEVER claim done with something 80% complete** — finish 100% before reporting
+- When a multi-step change doesn't immediately show gains, commit and keep iterating — don't revert
+- If one approach fails, fix forward: analyze why, adjust, rebuild, re-measure — not `git checkout`
+- After EVERY code change: build, test, verify, commit. This is a single atomic unit
+- Reverting is a last resort after exhausting forward fixes — and requires explicit user approval
+
 ## SELF-EVALUATION
 
 - Before calling anything done: present two views — what a perfectionist would reject vs. what a pragmatist would ship
 - After fixing a bug: explain why it happened
 - If a fix doesn't work after two attempts: stop, re-read the relevant section top-down, state where the mental model was wrong, propose something fundamentally different
 - If asked to "step back" or "going in circles": drop everything, rethink from scratch
 
+## SELF-IMPROVEMENT
+
+- After ANY correction from the user: log the pattern to memory so the same mistake is never repeated
+- Convert mistakes into strict rules — don't just note them, enforce them
+- After fixing a bug: explain why it happened and whether anything prevents that category of bug in the future
+
+## FILE SYSTEM AS STATE
+
+The file system is working memory. Use it actively:
+
+- Write intermediate results and analysis to files in `.claude/`
+- Use `.claude/` for plans, status tracking, and cross-session context
+- When debugging, save logs and outputs to files for reproducible verification
+- Don't hold large analysis in context — write it down, reference it later
+
 ## HOUSEKEEPING
 
 - Before risky changes: offer to checkpoint — "want me to commit before this?"