chore(sync): cascade hook + reviewing-code updates from socket-repo-template

- .git-hooks/_helpers.mts + pre-commit.mts + pre-push.mts: hook error
  messages now suggest the file's natural marker syntax (// for TS/JS
  edits, # for shell/YAML, etc.).
- .claude/hooks/logger-guard/index.mts: same error-message refinement.
- .claude/skills/reviewing-code/run.mts: drop process.chdir; thread
  repoRoot as cwd through git calls (parallel-Claude safety — chdir
  is a process-global side effect that races sibling worktrees).

Author: jdalton

.claude/hooks/logger-guard/index.mts

@@ -220,7 +220,7 @@ function emitBlock(filePath: string, hits: Hit[]): void {
     out.push(`  …and ${hits.length - 3} more.`)
   }
   out.push(
-    '  Opt-out for one line (rare): append `// # socket-hook: allow logger`.',
+    '  Opt-out for one line (rare): append `// socket-hook: allow logger`.',
   )
   out.push('')
   process.stderr.write(out.join('\n'))

.claude/skills/reviewing-code/run.mts

@@ -384,8 +384,9 @@ Options:
   -h, --help              Show this help`)
 }
 
-async function git(args: readonly string[]): Promise<string> {
+async function git(args: readonly string[], cwd?: string): Promise<string> {
   const result = await spawn('git', args as string[], {
+    cwd,
     stdio: 'pipe',
     stdioString: true,
   })
@@ -453,6 +454,7 @@ async function runBackend(
   promptText: string,
   tempDir: string,
   passLabel: string,
+  cwd: string,
 ): Promise<{ ok: boolean; output: string; logPath: string }> {
   const desc = BACKENDS[backend]
   const promptFile = path.join(tempDir, `${passLabel}.prompt.txt`)
@@ -464,6 +466,7 @@ async function runBackend(
   let stdout = ''
   try {
     const child = spawn(desc.bin, argv as string[], {
+      cwd,
       stdio: 'pipe',
       stdioString: true,
     })
@@ -573,18 +576,20 @@ async function main(): Promise<void> {
     logger.error('Must be run inside a git repository.')
     process.exit(1)
   }
-  process.chdir(repoRoot)
 
-  const branchRaw = await git(['branch', '--show-current'])
+  const branchRaw = await git(['branch', '--show-current'], repoRoot)
   const branch =
     branchRaw.length > 0
       ? branchRaw
-      : `detached-${(await git(['rev-parse', '--short', 'HEAD']))}`
-  const baseRef = await resolveBaseRef(args.baseRef)
-  const mergeBase = await git(['merge-base', baseRef, 'HEAD'])
+      : `detached-${(await git(['rev-parse', '--short', 'HEAD'], repoRoot))}`
+  const baseRef = await resolveBaseRef(args.baseRef, repoRoot)
+  const mergeBase = await git(['merge-base', baseRef, 'HEAD'], repoRoot)
   const range = `${mergeBase}..HEAD`
-  const commitList = await git(['log', '--oneline', '--no-decorate', range])
-  const diffStat = await git(['diff', '--stat', range])
+  const commitList = await git(
+    ['log', '--oneline', '--no-decorate', range],
+    repoRoot,
+  )
+  const diffStat = await git(['diff', '--stat', range], repoRoot)
 
   const outputPath =
     args.outputPath ??
@@ -631,7 +636,13 @@ async function main(): Promise<void> {
     }
     logger.info(`${passLabel}: running on ${backend}`)
     const promptText = ROLES[role].buildPrompt(ctx)
-    const result = await runBackend(backend, promptText, tempDir, passLabel)
+    const result = await runBackend(
+      backend,
+      promptText,
+      tempDir,
+      passLabel,
+      repoRoot,
+    )
     if (!result.ok) {
       logger.error(`${passLabel}: failed; see ${result.logPath}`)
       await appendSkipNote(
@@ -674,17 +685,23 @@ async function main(): Promise<void> {
   }
 }
 
-async function resolveBaseRef(provided: string | undefined): Promise<string> {
+async function resolveBaseRef(
+  provided: string | undefined,
+  cwd: string,
+): Promise<string> {
   if (provided) {
     return provided
   }
   try {
-    const headRef = await git([
-      'symbolic-ref',
-      '--quiet',
-      '--short',
-      'refs/remotes/origin/HEAD',
-    ])
+    const headRef = await git(
+      [
+        'symbolic-ref',
+        '--quiet',
+        '--short',
+        'refs/remotes/origin/HEAD',
+      ],
+      cwd,
+    )
     if (headRef.length > 0) {
       return headRef
     }

.git-hooks/_helpers.mts

@@ -122,6 +122,25 @@ const PERSONAL_PATH_PLACEHOLDER_RE =
 // renames the marker.
 const SOCKET_HOOK_MARKER_RE =
   /(?:#|\/\/|\/\*)\s*socket-hook:\s*allow(?:\s+([\w-]+))?/
+
+// File extensions whose natural comment syntax is `//` (C-family + cousins).
+// Anything else falls through to `#` (shell / YAML / TOML / Dockerfile /
+// Makefile / Python / Ruby / etc).
+const SLASH_COMMENT_EXT_RE =
+  /\.(m?ts|tsx|cts|m?js|jsx|cjs|rs|go|c|cc|cpp|cxx|h|hpp|java|swift|kt|scala|dart|php|css|scss|less)$/i
+
+/**
+ * Pick the natural per-line opt-out marker for a host file.
+ *
+ * The marker regex above accepts `#`, `//`, and `/*` prefixes — but error
+ * messages should print the *one* form a contributor would actually paste
+ * into that file. TS edits get `// socket-hook: allow <rule>`; YAML gets
+ * `# socket-hook: allow <rule>`. Same rule, different comment lexer.
+ */
+export const socketHookMarkerFor = (filePath: string, rule: string): string =>
+  SLASH_COMMENT_EXT_RE.test(filePath)
+    ? `// socket-hook: allow ${rule}`
+    : `# socket-hook: allow ${rule}`
 const LEGACY_ZIZMOR_MARKER_RE = /(?:#|\/\/|\/\*)\s*zizmor:\s*[\w-]+/
 
 function lineIsSuppressed(line: string, rule?: string): boolean {
@@ -351,7 +370,8 @@ export const scanNpxDlx = (text: string): LineHit[] => {
 // `@socketsecurity/lib/logger`. Direct calls to `process.stderr.write`,
 // `process.stdout.write`, `console.log`, `console.error`, `console.warn`,
 // `console.info`, `console.debug` are blocked. Doc-context lines are
-// exempt; lines carrying `# socket-hook: allow logger` are exempt too.
+// exempt; lines carrying `// socket-hook: allow logger` (or `#` in
+// non-TS files) are exempt too.
 
 const LOGGER_LEAK_RE =
   /\b(process\.std(?:err|out)\.write|console\.(?:log|error|warn|info|debug))\s*\(/

.git-hooks/pre-commit.mts

@@ -26,6 +26,7 @@ import {
   scanPrivateKeys,
   scanSocketApiKeys,
   shouldSkipFile,
+  socketHookMarkerFor,
   yellow,
 } from './_helpers.mts'
 
@@ -195,7 +196,7 @@ const main = (): number => {
       out(
         "Use 'pnpm exec <package>' or 'pnpm run <script>' instead. For " +
           'documentation lines that need the literal `npx` form, append ' +
-          'the marker `# socket-hook: allow npx`.',
+          `the marker \`${socketHookMarkerFor(file, 'npx')}\`.`,
       )
       errors++
     }
@@ -244,7 +245,7 @@ const main = (): number => {
       out(
         'Use `getDefaultLogger()` from `@socketsecurity/lib/logger`. ' +
           'For documentation lines that need the literal call, append ' +
-          'the marker `# socket-hook: allow logger`.',
+          `the marker \`${socketHookMarkerFor(file, 'logger')}\`.`,
       )
       errors++
     }

.git-hooks/pre-push.mts

@@ -37,6 +37,7 @@ import {
   scanPrivateKeys,
   scanSocketApiKeys,
   shouldSkipFile,
+  socketHookMarkerFor,
 } from './_helpers.mts'
 
 const ZERO_SHA = '0000000000000000000000000000000000000000'
@@ -315,7 +316,7 @@ const scanFilesInRange = (range: string): number => {
         out(
           'Use `getDefaultLogger()` from `@socketsecurity/lib/logger`. ' +
             'For documentation lines that need the literal call, append ' +
-            'the marker `# socket-hook: allow logger`.',
+            `the marker \`${socketHookMarkerFor(file, 'logger')}\`.`,
         )
         errors++
       }