fix: remove unused process imports

Removed 24 unused 'import process from node:process' statements across source files, test files, scripts, and plugins that were causing TypeScript compilation errors.

Files affected:
- src/dlx/package.ts
- src/dlx/paths.ts
- src/env.ts
- src/paths/normalize.ts
- src/releases/socket-btm.ts
- src/signal-exit.ts
- src/stdio/prompts.ts
- plugins/babel-plugin-inline-require-calls.js
- scripts/build-externals/esbuild-config.mjs
- 15 test files in test/unit/env/, test/unit/argv/, test/unit/stdio/

Author: jdalton

.claude/skills/quality-scan/SKILL.md

@@ -112,6 +112,61 @@ pnpm run update
 
 ---
 
+### Phase 2b: Install External Tools (zizmor)
+
+<action>
+Install zizmor for GitHub Actions security scanning using version that meets repository's minimumReleaseAge policy.
+</action>
+
+<version_selection>
+Determine the appropriate zizmor version dynamically:
+
+1. **Read minimumReleaseAge from `.pnpmrc`**:
+   ```bash
+   grep 'minimumReleaseAge' .pnpmrc | cut -d'=' -f2
+   ```
+   This returns minutes (e.g., `10080` = 7 days). Default to 10080 if not found.
+
+2. **Query zizmor releases** (using curl or gh):
+   ```bash
+   # Option A: curl (universally available)
+   curl -s "https://api.github.com/repos/zizmorcore/zizmor/releases" | \
+     jq '[.[] | select(.prerelease == false) | {tag: .tag_name, date: .published_at}] | .[0:10]'
+
+   # Option B: gh (if available)
+   gh api repos/zizmorcore/zizmor/releases --jq \
+     '[.[] | select(.prerelease == false) | {tag: .tag_name, date: .published_at}] | .[0:10]'
+   ```
+
+3. **Calculate age and select version**:
+   - Convert minimumReleaseAge from minutes to days: `minutes / 1440`
+   - Find latest stable release older than that threshold
+   - Example: If minimumReleaseAge=10080 (7 days) and today is March 24, select releases from March 17 or earlier
+
+4. **Install selected version** (choose based on available tools):
+   ```bash
+   # macOS with Homebrew (latest only, version pinning limited)
+   brew install zizmor
+
+   # Python environments (version pinning supported)
+   pipx install zizmor==VERSION
+   uv tool install zizmor==VERSION
+   uvx zizmor@VERSION --help
+   ```
+
+   **Recommended priority**: pipx/uvx > brew
+</version_selection>
+
+<rationale>
+Using minimumReleaseAge prevents supply chain attacks from compromised new releases. The 7-day window allows community detection of malicious packages before adoption.
+</rationale>
+
+<fallback>
+If no release meets the age requirement, warn the user and skip zizmor scan. Never install a release younger than minimumReleaseAge.
+</fallback>
+
+---
+
 ### Phase 3: Repository Cleanup
 
 <action>

plugins/babel-plugin-inline-require-calls.js

@@ -1,4 +1,3 @@
-import process from 'node:process'
 const { createRequire } = require('node:module')
 const fs = require('node:fs')
 const path = require('node:path')

scripts/build-externals/esbuild-config.mjs

@@ -5,7 +5,6 @@
 import { readFileSync } from 'node:fs'
 import path from 'node:path'
 import { fileURLToPath } from 'node:url'
-import process from 'node:process'
 
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
 const stubsDir = path.join(__dirname, 'stubs')

src/dlx/package.ts

@@ -30,7 +30,6 @@
  * - dlxPackage() combines both for convenience
  */
 
-import process from 'node:process'
 import { WIN32 } from '../constants/platform'
 import { generateCacheKey } from './cache'
 import Arborist from '../external/@npmcli/arborist'

src/dlx/paths.ts

@@ -1,6 +1,5 @@
 /** @fileoverview Path utilities for DLX package installations. */
 
-import process from 'node:process'
 import { normalizePath } from '../paths/normalize'
 import { getSocketDlxDir } from '../paths/socket'
 

src/env.ts

@@ -63,7 +63,6 @@ const caseInsensitiveKeys = new Set([
  *   env: createEnvProxy(process.env, { NODE_ENV: 'test' })
  * })
  */
-import process from 'node:process'
 export function createEnvProxy(
   base: NodeJS.ProcessEnv,
   overrides?: Record<string, string | undefined>,

src/paths/normalize.ts

@@ -3,7 +3,6 @@
  * Provides path normalization, validation, and file extension handling.
  */
 
-import process from 'node:process'
 import { WIN32 } from '../constants/platform'
 
 import { search } from '../strings'

src/releases/socket-btm.ts

@@ -2,7 +2,6 @@
  * @fileoverview Socket-btm release download utilities.
  */
 
-import process from 'node:process'
 import {
   type Arch,
   getArch,

src/signal-exit.ts

@@ -146,7 +146,6 @@ let loaded = false
  * Load signal handlers and hook into process exit events.
  */
 /*@__NO_SIDE_EFFECTS__*/
-import process from 'node:process'
 export function load(): void {
   if (loaded || !globalProcess) {
     return

src/stdio/prompts.ts

@@ -3,7 +3,6 @@
  * Provides inquirer.js integration with spinner support, context handling, and theming.
  */
 
-import process from 'node:process'
 import { getAbortSignal } from '../constants/process'
 
 import checkboxRaw from '../external/@inquirer/checkbox'