From f0ccde5cb40b2672ff5917474090c6601499dcc5 Mon Sep 17 00:00:00 2001
From: jdalton <john.david.dalton@gmail.com>
Date: Wed, 22 Apr 2026 14:41:43 -0400
Subject: [PATCH] chore: replace fs.rm with safeDelete in scripts + hook
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

CLAUDE.md forbids fs.rm / fs.rmSync / rm -rf in our code —
safeDelete from @socketsecurity/lib/fs is the canonical wrapper.
Fixes sync-checksums.mts (3 sites) and the setup-security-tools
Claude hook (1 site).
---
 .claude/hooks/setup-security-tools/index.mts | 3 ++-
 packages/cli/scripts/sync-checksums.mts      | 8 +++++---
 2 files changed, 7 insertions(+), 4 deletions(-)

diff --git a/.claude/hooks/setup-security-tools/index.mts b/.claude/hooks/setup-security-tools/index.mts
index eb82e5181..ad5e31e6e 100644
--- a/.claude/hooks/setup-security-tools/index.mts
+++ b/.claude/hooks/setup-security-tools/index.mts
@@ -18,6 +18,7 @@ import { fileURLToPath } from 'node:url'
 
 import { whichSync } from '@socketsecurity/lib/bin'
 import { downloadBinary } from '@socketsecurity/lib/dlx/binary'
+import { safeDelete } from '@socketsecurity/lib/fs'
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 import { getSocketHomePath } from '@socketsecurity/lib/paths/socket'
 import { spawn, spawnSync } from '@socketsecurity/lib/spawn'
@@ -161,7 +162,7 @@ async function setupZizmor(): Promise<boolean> {
     await fs.copyFile(extractedBin, binPath)
     await fs.chmod(binPath, 0o755)
   } finally {
-    await fs.rm(extractDir, { recursive: true, force: true }).catch(() => {})
+    await safeDelete(extractDir).catch(() => {})
   }
 
   logger.log(`Installed to ${binPath}`)
diff --git a/packages/cli/scripts/sync-checksums.mts b/packages/cli/scripts/sync-checksums.mts
index c2bad102e..42aa27c0d 100644
--- a/packages/cli/scripts/sync-checksums.mts
+++ b/packages/cli/scripts/sync-checksums.mts
@@ -28,6 +28,8 @@ import path from 'node:path'
 import { fileURLToPath } from 'node:url'
 import { pipeline } from 'node:stream/promises'
 
+import { safeDelete } from '@socketsecurity/lib/fs'
+
 const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
 const packageRoot = path.join(__dirname, '..')
@@ -135,7 +137,7 @@ async function fetchGitHubReleaseChecksums(
       const checksums = parseChecksums(content)
 
       // Clean up.
-      await fs.rm(tempDir, { recursive: true })
+      await safeDelete(tempDir)
 
       console.log(
         `  Parsed ${Object.keys(checksums).length} checksums from checksums.txt`,
@@ -143,7 +145,7 @@ async function fetchGitHubReleaseChecksums(
       return checksums
     } catch (error) {
       console.log(`  Failed to download checksums.txt: ${error.message}`)
-      await fs.rm(tempDir, { recursive: true }).catch(() => {})
+      await safeDelete(tempDir).catch(() => {})
       // Fall through to download assets.
     }
   }
@@ -183,7 +185,7 @@ async function fetchGitHubReleaseChecksums(
       await fs.unlink(assetPath)
     }
   } finally {
-    await fs.rm(tempDir, { recursive: true }).catch(() => {})
+    await safeDelete(tempDir).catch(() => {})
   }
 
   return checksums