fix(hooks): address Cursor Bugbot feedback on hooks-mts conversion

Bugbot review on commit 1e30641 surfaced 4 regressions from the
.sh→.mts conversion. Fixed all four:

1. **Linear issue reference check restored** (high) — the original
   commit-msg.sh blocked Socket Linear team-key references
   (ASK-123, ENG-456, linear.app URLs). Re-added scanLinearReferences
   to _helpers.mts and wired into commit-msg.mts.
2. **scanSocketApiKeys duplicate-line bug** (low) — the post-filter
   reconstructed LineHits via `hits.find(h => h.line === line)`,
   which collapses duplicates onto the first match's line number.
   Replaced with Set-membership filter that preserves all hits.
3. **SOCKET_CLI_NO_API_TOKEN restored in .husky/pre-commit** (medium)
   — original husky shim ran `SOCKET_CLI_NO_API_TOKEN=1 pnpm test
   --staged` so contributors without a real API token don't see
   test failures pre-commit.
4. **.env.precommit allowlist** (low) — pre-commit.mts allowlist
   only had example/test variants; commit-msg.mts had precommit
   too. Aligned both to allow .env.{example,test,precommit}.

Smoke-tested commit-msg.mts:
  - "ENG-123 in body" → exit 1 (blocked) ✓
  - "fix: legit" → exit 0 (clean) ✓

Author: jdalton

.git-hooks/_helpers.mts

@@ -140,10 +140,10 @@ export const scanSocketApiKeys = (text: string): LineHit[] => {
       hits.push({ lineNumber: i + 1, line })
     }
   }
-  return filterAllowedApiKeys(hits.map(h => h.line)).map(line => ({
-    lineNumber: hits.find(h => h.line === line)!.lineNumber,
-    line,
-  }))
+  // Filter the LineHit objects directly so duplicate-content lines
+  // at different line numbers keep their correct numbers.
+  const allowedSet = new Set(filterAllowedApiKeys(hits.map(h => h.line)))
+  return hits.filter(h => allowedSet.has(h.line))
 }
 
 export const scanAwsKeys = (text: string): LineHit[] => {
@@ -198,6 +198,34 @@ export const scanNpxDlx = (text: string): LineHit[] => {
   return hits
 }
 
+// ── Linear issue reference scanner ─────────────────────────────────
+// CLAUDE.md "ABSOLUTE RULES": NEVER reference Linear issues in commits.
+// Team keys enumerated from the Socket workspace. PATCH listed before
+// PAT so the alternation matches the longer prefix first.
+
+const LINEAR_TEAM_KEYS =
+  'ASK|AUTO|BOT|CE|CORE|DAT|DES|DEV|ENG|INFRA|LAB|MAR|MET|OPS|PAR|PATCH|PAT|PLAT|REA|SALES|SBOM|SEC|SMO|SUP|TES|TI|WEB'
+
+const LINEAR_ISSUE_RE = new RegExp(
+  `(?:^|[^A-Za-z0-9_])((?:${LINEAR_TEAM_KEYS})-[0-9]+)(?:$|[^A-Za-z0-9_])`,
+  'gm',
+)
+
+const LINEAR_URL_RE = /linear\.app\/[A-Za-z0-9/_-]+/g
+
+export const scanLinearReferences = (commitMsg: string): string[] => {
+  const hits: string[] = []
+  const lines = commitMsg.split('\n').filter(l => !l.startsWith('#'))
+  const body = lines.join('\n')
+  for (const m of body.matchAll(LINEAR_ISSUE_RE)) {
+    hits.push(m[1]!)
+  }
+  for (const m of body.matchAll(LINEAR_URL_RE)) {
+    hits.push(m[0]!)
+  }
+  return hits.slice(0, 5)
+}
+
 // ── AI attribution scanner ─────────────────────────────────────────
 
 const AI_ATTRIBUTION_RE =

.git-hooks/commit-msg.mts

@@ -1,11 +1,13 @@
 #!/usr/bin/env node
 // Socket Security Commit-msg Hook
 //
-// Two responsibilities:
+// Three responsibilities:
 //   1. Block commits that introduce API keys / .env files (security
 //      layer that runs even when pre-commit is bypassed via
 //      `--no-verify`).
-//   2. Auto-strip AI attribution lines from the commit message before
+//   2. Block commits whose message references Linear issues — Socket
+//      keeps Linear tracking out of git history per CLAUDE.md.
+//   3. Auto-strip AI attribution lines from the commit message before
 //      git records the commit.
 //
 // Wired via .husky/commit-msg, which invokes this with the path to the
@@ -23,6 +25,7 @@ import {
   out,
   red,
   readFileForScan,
+  scanLinearReferences,
   scanSocketApiKeys,
   shouldSkipFile,
   stripAiAttribution,
@@ -67,10 +70,28 @@ const main = (): number => {
     }
   }
 
-  // Auto-strip AI attribution lines from the commit message.
   const commitMsgFile = process.argv[2]
   if (commitMsgFile && existsSync(commitMsgFile)) {
     const original = readFileSync(commitMsgFile, 'utf8')
+
+    // Block Linear issue references in the commit message. Socket
+    // keeps Linear tracking out of git history; commit messages stay
+    // tool-agnostic.
+    const linearHits = scanLinearReferences(original)
+    if (linearHits.length > 0) {
+      out(red('✗ Commit message references Linear issue(s):'))
+      for (const hit of linearHits) {
+        out(`  ${hit}`)
+      }
+      out(
+        red(
+          'Linear tracking lives in Linear. Remove the reference from the commit message.',
+        ),
+      )
+      errors++
+    }
+
+    // Auto-strip AI attribution lines from the commit message.
     const { cleaned, removed } = stripAiAttribution(original)
     if (removed > 0) {
       writeFileSync(commitMsgFile, cleaned)

.git-hooks/pre-commit.mts

@@ -62,10 +62,14 @@ const main = (): number => {
     errors++
   }
 
-  // .env files (allowlist .env.example / .env.test).
+  // .env files (allowlist .env.example / .env.test / .env.precommit).
+  // Match commit-msg.mts allowlist — .env.precommit is a tracked file
+  // some repos use to disable test API tokens during pre-commit runs.
   out('Checking for .env files...')
   const envFiles = stagedFiles.filter(
-    f => /^\.env(\.[^/]+)?$/.test(f) && !/^\.env\.(example|test)$/.test(f),
+    f =>
+      /^\.env(\.[^/]+)?$/.test(f) &&
+      !/^\.env\.(example|test|precommit)$/.test(f),
   )
   if (envFiles.length > 0) {
     out(red('✗ ERROR: .env file detected!'))

.husky/pre-commit

@@ -31,8 +31,11 @@ else
 fi
 
 if [ -z "${DISABLE_PRECOMMIT_TEST}" ]; then
-  # Only run tests if there are staged test files
-  pnpm test --staged
+  # Only run tests if there are staged test files. SOCKET_CLI_NO_API_TOKEN=1
+  # disables the API-token requirement so contributors without a real key
+  # configured don't see test failures during pre-commit (matches the
+  # original .env.precommit behavior).
+  SOCKET_CLI_NO_API_TOKEN=1 pnpm test --staged
 else
   echo "Skipping testing due to DISABLE_PRECOMMIT_TEST env var"
 fi