chore(sync): cascade fleet oxlint plugin from socket-repo-template

Adds .config/oxlint-plugin/ — six custom rules under the socket/
namespace (no-status-emoji, no-console-prefer-logger, no-inline-logger,
no-dynamic-import-outside-bundle, prefer-undefined-over-null,
no-fetch-prefer-http-request).

Plugin is in place but NOT activated in this repo's .oxlintrc.json.
Per-repo activation + cleanup pass lands separately so rule introduction
and mass autofix don't bundle into the same review.

Source: socket-repo-template@f864ca0 — 'feat(lint): fleet oxlint
plugin with 6 fixable rules'.

Author: jdalton

.config/oxlint-plugin/index.js

@@ -0,0 +1,39 @@
+/**
+ * @fileoverview Fleet oxlint plugin. Custom rules that encode the
+ * fleet's CLAUDE.md style guide as lint errors with autofix where
+ * the rewrite is unambiguous.
+ *
+ * Why a plugin instead of a separate scanner: oxlint's native plugin
+ * surface integrates with the existing `pnpm run lint` pipeline,
+ * inherits oxlint's AST + sourcemap + fix-application machinery, and
+ * keeps the rule set discoverable via `oxlint --rules`.
+ *
+ * Wiring: `.oxlintrc.json` adds this plugin via `jsPlugins:
+ * ["./.config/oxlint-plugin/index.js"]` and enables rules under the
+ * `socket/` namespace.
+ */
+
+import noStatusEmoji from './rules/no-status-emoji.js'
+import noConsolePreferLogger from './rules/no-console-prefer-logger.js'
+import noInlineLogger from './rules/no-inline-logger.js'
+import noDynamicImportOutsideBundle from './rules/no-dynamic-import-outside-bundle.js'
+import preferUndefinedOverNull from './rules/prefer-undefined-over-null.js'
+import noFetchPreferHttpRequest from './rules/no-fetch-prefer-http-request.js'
+
+/** @type {import('eslint').ESLint.Plugin} */
+const plugin = {
+  meta: {
+    name: 'socket',
+    version: '0.1.0',
+  },
+  rules: {
+    'no-status-emoji': noStatusEmoji,
+    'no-console-prefer-logger': noConsolePreferLogger,
+    'no-inline-logger': noInlineLogger,
+    'no-dynamic-import-outside-bundle': noDynamicImportOutsideBundle,
+    'prefer-undefined-over-null': preferUndefinedOverNull,
+    'no-fetch-prefer-http-request': noFetchPreferHttpRequest,
+  },
+}
+
+export default plugin

.config/oxlint-plugin/rules/no-console-prefer-logger.js

@@ -0,0 +1,76 @@
+/**
+ * @fileoverview Ban `console.log` / `console.error` / `console.warn`
+ * / `console.info` / `console.debug` / `console.trace`. The fleet uses
+ * `getDefaultLogger()` from `@socketsecurity/lib/logger` — those
+ * methods emit theme-aware coloring + canonical symbols.
+ *
+ * Autofix: rewrites `console.log(...)` → `logger.log(...)` and
+ * similar. Assumes a hoisted `logger` const at the top of the file
+ * (the no-inline-logger rule enforces that). If no `logger` import
+ * exists, the human can run `pnpm fix` then add the import.
+ */
+
+const CONSOLE_TO_LOGGER = {
+  log: 'log',
+  error: 'fail',
+  warn: 'warn',
+  info: 'info',
+  debug: 'log',
+  trace: 'log',
+}
+
+/** @type {import('eslint').Rule.RuleModule} */
+const rule = {
+  meta: {
+    type: 'problem',
+    docs: {
+      description:
+        'Ban console.* calls; use logger from @socketsecurity/lib/logger.',
+      category: 'Best Practices',
+      recommended: true,
+    },
+    fixable: 'code',
+    messages: {
+      banned:
+        'console.{{method}}() — use logger.{{loggerMethod}}() from @socketsecurity/lib/logger.',
+    },
+    schema: [],
+  },
+
+  create(context) {
+    return {
+      MemberExpression(node) {
+        if (
+          node.object.type !== 'Identifier' ||
+          node.object.name !== 'console' ||
+          node.property.type !== 'Identifier'
+        ) {
+          return
+        }
+        const method = node.property.name
+        const loggerMethod = CONSOLE_TO_LOGGER[method]
+        if (!loggerMethod) {
+          return
+        }
+
+        // Only flag when console.<method> is the callee of a call
+        // (skip e.g. `typeof console.log` or destructuring).
+        const parent = node.parent
+        if (!parent || parent.type !== 'CallExpression' || parent.callee !== node) {
+          return
+        }
+
+        context.report({
+          node,
+          messageId: 'banned',
+          data: { method, loggerMethod },
+          fix(fixer) {
+            return fixer.replaceText(node, `logger.${loggerMethod}`)
+          },
+        })
+      },
+    }
+  },
+}
+
+export default rule

.config/oxlint-plugin/rules/no-dynamic-import-outside-bundle.js

@@ -0,0 +1,80 @@
+/**
+ * @fileoverview Ban dynamic `import()` (ImportExpression) in code that
+ * isn't bundled. The fleet favors static ES6 imports — dynamic import
+ * is only meaningful when a bundler resolves it statically at build
+ * time. Scripts under `scripts/` run directly via `node`; nothing
+ * bundles them, so a dynamic import only adds a runtime async hop for
+ * no resolution win.
+ *
+ * Allowed paths: `src/**`, `.config/**` (bundler configs themselves
+ * may load tools dynamically via the bundler's API).
+ *
+ * No autofix: converting `await import('foo')` to `import 'foo'`
+ * requires moving the statement to the top of the file and removing
+ * `await`/destructuring — the bundler-aware AST rewrite is non-trivial
+ * to do safely. Reporting only.
+ */
+
+import path from 'node:path'
+
+const DEFAULT_BUNDLED_ROOTS = ['src/', '.config/', 'packages/']
+
+/** @type {import('eslint').Rule.RuleModule} */
+const rule = {
+  meta: {
+    type: 'problem',
+    docs: {
+      description:
+        'Ban dynamic import() outside bundled trees (src/, .config/, packages/).',
+      category: 'Best Practices',
+      recommended: true,
+    },
+    messages: {
+      dynamic:
+        "Dynamic import() in {{file}} — favor a static `import` statement at the top of the file. Dynamic import is only valid in bundled code (src/, .config/, packages/). If lazy resolution is required, justify it explicitly.",
+    },
+    schema: [
+      {
+        type: 'object',
+        properties: {
+          bundledRoots: {
+            type: 'array',
+            items: { type: 'string' },
+            description:
+              'Path prefixes (relative to repo root) where dynamic import() is allowed.',
+          },
+        },
+        additionalProperties: false,
+      },
+    ],
+  },
+
+  create(context) {
+    const options = context.options[0] || {}
+    const bundledRoots = options.bundledRoots || DEFAULT_BUNDLED_ROOTS
+    const filename = context.physicalFilename || context.filename
+    const cwd = context.cwd || process.cwd()
+    const relative = path
+      .relative(cwd, filename)
+      .split(path.sep)
+      .join('/')
+
+    const inBundled = bundledRoots.some(root => relative.startsWith(root))
+
+    if (inBundled) {
+      return {}
+    }
+
+    return {
+      ImportExpression(node) {
+        context.report({
+          node,
+          messageId: 'dynamic',
+          data: { file: relative },
+        })
+      },
+    }
+  },
+}
+
+export default rule

.config/oxlint-plugin/rules/no-fetch-prefer-http-request.js

@@ -0,0 +1,63 @@
+/**
+ * @fileoverview Per CLAUDE.md "HTTP — never `fetch()`. Use httpJson /
+ * httpText / httpRequest from @socketsecurity/lib/http-request."
+ *
+ * Reports any `fetch(...)` call (global fetch). Does NOT auto-fix
+ * because the right replacement (`httpJson` vs `httpText` vs
+ * `httpRequest`) depends on what the caller does with the response —
+ * a wrong autofix would silently change behavior. Reporting only.
+ *
+ * Allowed exceptions (skipped):
+ *   - `globalThis.fetch` — explicit reference (often for monkey-patching
+ *     in tests).
+ *   - Method calls (`obj.fetch(...)`) — those aren't the global.
+ */
+
+/** @type {import('eslint').Rule.RuleModule} */
+const rule = {
+  meta: {
+    type: 'problem',
+    docs: {
+      description:
+        'Use httpJson / httpText / httpRequest from @socketsecurity/lib/http-request instead of global fetch().',
+      category: 'Best Practices',
+      recommended: true,
+    },
+    messages: {
+      banned:
+        'global fetch() — use httpJson / httpText / httpRequest from @socketsecurity/lib/http-request. The right replacement depends on what you do with the response; the lib helpers ship consistent error shapes (HttpError) and JSON/text decoding.',
+    },
+    schema: [],
+  },
+
+  create(context) {
+    return {
+      CallExpression(node) {
+        const callee = node.callee
+        // Only flag direct `fetch(...)` calls (Identifier callee).
+        if (callee.type !== 'Identifier' || callee.name !== 'fetch') {
+          return
+        }
+
+        // Skip if `fetch` is locally shadowed by a parameter / declaration.
+        // Best-effort: check the scope chain.
+        const scope = context.getScope ? context.getScope() : null
+        if (scope) {
+          const variable = scope.references.find(
+            ref => ref.identifier === callee,
+          )?.resolved
+          if (variable && variable.scope.type !== 'global') {
+            return
+          }
+        }
+
+        context.report({
+          node,
+          messageId: 'banned',
+        })
+      },
+    }
+  },
+}
+
+export default rule

.config/oxlint-plugin/rules/no-inline-logger.js

@@ -0,0 +1,61 @@
+/**
+ * @fileoverview Ban inline `getDefaultLogger().<method>(...)`. The
+ * logger must be hoisted at the top of the file:
+ *   const logger = getDefaultLogger()
+ *   ...
+ *   logger.success('...')
+ *
+ * Inline `getDefaultLogger().success(...)` re-resolves the logger on
+ * every call and reads inconsistently. The hoisted form is the
+ * fleet-canonical pattern.
+ *
+ * No autofix: the right hoist position depends on the file's import
+ * block layout, which can't be safely inferred at the call site.
+ * Reporting only.
+ */
+
+/** @type {import('eslint').Rule.RuleModule} */
+const rule = {
+  meta: {
+    type: 'problem',
+    docs: {
+      description:
+        'Hoist getDefaultLogger() to a const at the top of the file; do not call it inline.',
+      category: 'Best Practices',
+      recommended: true,
+    },
+    messages: {
+      inline:
+        'getDefaultLogger() must be hoisted: add `const logger = getDefaultLogger()` near the top of the file and use `logger.{{method}}(...)`.',
+    },
+    schema: [],
+  },
+
+  create(context) {
+    return {
+      MemberExpression(node) {
+        // Match: getDefaultLogger().<method>
+        if (node.property.type !== 'Identifier') {
+          return
+        }
+        const obj = node.object
+        if (
+          obj.type !== 'CallExpression' ||
+          obj.callee.type !== 'Identifier' ||
+          obj.callee.name !== 'getDefaultLogger' ||
+          obj.arguments.length !== 0
+        ) {
+          return
+        }
+
+        context.report({
+          node,
+          messageId: 'inline',
+          data: { method: node.property.name },
+        })
+      },
+    }
+  },
+}
+
+export default rule