fix(lint): sort-source-methods - reorder 20 src files + oxfmt drift

Mechanical alphabetical reorder within visibility groups (private then
exports) across 20 src files flagged by socket(sort-source-methods),
plus oxfmt formatting drift swept in by `pnpm run format` on the same
files. No behavior change; tests pass (421 files / 6806 tests).

Reordered files (sort-source-methods):
- constants/paths.mts, flags.mts
- commands/fix/{ghsa-tracker,git}.mts
- commands/mcp/transport-http-helpers.mts
- utils/{basics,dlx}/spawn.mts
- utils/cli/with-subcommands.mts
- utils/command/logger.mts
- utils/config.mts
- utils/dlx/{resolve-binary,vfs-extract}.mts
- utils/git/{github,operations}.mts
- utils/process/os.mts
- utils/socket/{api,sdk}.mts
- utils/telemetry/integration.mts
- utils/terminal/{bordered-input,simple-output}.mts
- utils/update/checker.mts

Format-only drift (oxfmt):
- commands/ask/{handle-ask,onnx-match,word-overlap-match}.mts
- commands/fix/pull-request.mts
- commands/optimize/add-overrides.mts
- commands/raw-{npm,npx}/cmd-raw-*.mts
- meow.mts
- utils/command/builder.mts
- utils/ecosystem/windows-shims.mts
- utils/git/gitlab-provider.mts
- utils/project/context.mts
- utils/socket/{api-error-messages,api-wrapper,package-alert}.mts
- utils/terminal/iocraft.mts

Author: jdalton

packages/cli/src/commands/ask/handle-ask.mts

@@ -288,13 +288,15 @@ export async function parseIntent(query: string): Promise<ParsedIntent> {
   }
 
   // Match against patterns.
-  let bestMatch: {
-    action: string
-    command: string[]
-    explanation: string
-    confidence: number
-    score: number
-  } | undefined = undefined
+  let bestMatch:
+    | {
+        action: string
+        command: string[]
+        explanation: string
+        confidence: number
+        score: number
+      }
+    | undefined = undefined
 
   for (const [action, pattern] of Object.entries(PATTERNS)) {
     if (!pattern) {

packages/cli/src/commands/ask/onnx-match.mts

@@ -68,7 +68,9 @@ export async function ensureCommandEmbeddings(): Promise<void> {
  * Get the embedding for a text string. Returns null when the pipeline is
  * unavailable or the underlying call throws.
  */
-export async function getEmbedding(text: string): Promise<Float32Array | undefined> {
+export async function getEmbedding(
+  text: string,
+): Promise<Float32Array | undefined> {
   const model = await getEmbeddingPipeline()
   if (!model) {
     return undefined
@@ -122,10 +124,13 @@ export async function getEmbeddingPipeline() {
  * embedding pipeline is unavailable, the query embeds to null, or no
  * command meets the threshold.
  */
-export async function onnxSemanticMatch(query: string): Promise<{
-  action: string
-  confidence: number
-} | undefined> {
+export async function onnxSemanticMatch(query: string): Promise<
+  | {
+      action: string
+      confidence: number
+    }
+  | undefined
+> {
   await ensureCommandEmbeddings()
 
   const queryEmbedding = await getEmbedding(query)

packages/cli/src/commands/ask/word-overlap-match.mts

@@ -105,10 +105,13 @@ export function wordOverlap(
  * when the index isn't loaded, the query has no scoring tokens, or no
  * command meets the threshold.
  */
-export async function wordOverlapMatch(query: string): Promise<{
-  action: string
-  confidence: number
-} | undefined> {
+export async function wordOverlapMatch(query: string): Promise<
+  | {
+      action: string
+      confidence: number
+    }
+  | undefined
+> {
   const index = await loadSemanticIndex()
   if (!index || !index.commands) {
     return undefined

packages/cli/src/commands/fix/ghsa-tracker.mts

@@ -11,6 +11,52 @@ import {
 
 import { getSocketFixBranchName } from './git.mts'
 
+export type GhsaFixRecord = {
+  branch: string
+  fixedAt: string // ISO 8601
+  ghsaId: string
+  prNumber?: number
+}
+
+export type GhsaTracker = {
+  fixed: GhsaFixRecord[]
+  version: 1
+}
+
+const TRACKER_FILE = '.socket/fixed-ghsas.json'
+
+/**
+ * Get all fixed GHSA records from the tracker.
+ */
+export async function getFixedGhsas(cwd: string): Promise<GhsaFixRecord[]> {
+  try {
+    const tracker = await loadGhsaTracker(cwd)
+    return tracker.fixed
+    /* c8 ignore next 5 - loadGhsaTracker already returns a safe fallback on read failure */
+  } catch (e) {
+    debug('ghsa-tracker: failed to get fixed GHSAs')
+    debugDir(e)
+    return []
+  }
+}
+
+/**
+ * Check if a GHSA has been fixed according to the tracker.
+ */
+export async function isGhsaFixed(
+  cwd: string,
+  ghsaId: string,
+): Promise<boolean> {
+  try {
+    const tracker = await loadGhsaTracker(cwd)
+    return tracker.fixed.some(r => r.ghsaId === ghsaId)
+  } catch (e) {
+    debug(`ghsa-tracker: failed to check if ${ghsaId} is fixed`)
+    debugDir(e)
+    return false
+  }
+}
+
 /**
  * Check if a process with the given PID is still running.
  */
@@ -28,20 +74,6 @@ export function isPidAlive(pid: number): boolean {
   }
 }
 
-export type GhsaFixRecord = {
-  branch: string
-  fixedAt: string // ISO 8601
-  ghsaId: string
-  prNumber?: number
-}
-
-export type GhsaTracker = {
-  fixed: GhsaFixRecord[]
-  version: 1
-}
-
-const TRACKER_FILE = '.socket/fixed-ghsas.json'
-
 /**
  * Load the GHSA tracker from the repository.
  * Creates a new tracker if the file doesn't exist.
@@ -58,23 +90,6 @@ export async function loadGhsaTracker(cwd: string): Promise<GhsaTracker> {
   }
 }
 
-/**
- * Save the GHSA tracker to the repository.
- * Creates the .socket directory if it doesn't exist.
- */
-export async function saveGhsaTracker(
-  cwd: string,
-  tracker: GhsaTracker,
-): Promise<void> {
-  const trackerPath = path.join(cwd, TRACKER_FILE)
-
-  // Ensure .socket directory exists.
-  await safeMkdir(path.dirname(trackerPath), { recursive: true })
-
-  await writeJson(trackerPath, tracker, { spaces: 2 })
-  debug(`ghsa-tracker: saved ${tracker.fixed.length} records to ${trackerPath}`)
-}
-
 /**
  * Mark a GHSA as fixed in the tracker.
  * Removes any existing record for the same GHSA before adding the new one.
@@ -161,33 +176,18 @@ export async function markGhsaFixed(
 }
 
 /**
- * Check if a GHSA has been fixed according to the tracker.
+ * Save the GHSA tracker to the repository.
+ * Creates the .socket directory if it doesn't exist.
  */
-export async function isGhsaFixed(
+export async function saveGhsaTracker(
   cwd: string,
-  ghsaId: string,
-): Promise<boolean> {
-  try {
-    const tracker = await loadGhsaTracker(cwd)
-    return tracker.fixed.some(r => r.ghsaId === ghsaId)
-  } catch (e) {
-    debug(`ghsa-tracker: failed to check if ${ghsaId} is fixed`)
-    debugDir(e)
-    return false
-  }
-}
+  tracker: GhsaTracker,
+): Promise<void> {
+  const trackerPath = path.join(cwd, TRACKER_FILE)
 
-/**
- * Get all fixed GHSA records from the tracker.
- */
-export async function getFixedGhsas(cwd: string): Promise<GhsaFixRecord[]> {
-  try {
-    const tracker = await loadGhsaTracker(cwd)
-    return tracker.fixed
-    /* c8 ignore next 5 - loadGhsaTracker already returns a safe fallback on read failure */
-  } catch (e) {
-    debug('ghsa-tracker: failed to get fixed GHSAs')
-    debugDir(e)
-    return []
-  }
+  // Ensure .socket directory exists.
+  await safeMkdir(path.dirname(trackerPath), { recursive: true })
+
+  await writeJson(trackerPath, tracker, { spaces: 2 })
+  debug(`ghsa-tracker: saved ${tracker.fixed.length} records to ${trackerPath}`)
 }

packages/cli/src/commands/fix/git.mts

@@ -6,18 +6,10 @@ import type { GhsaDetails } from '../../utils/git/github.mts'
 
 const GITHUB_ADVISORIES_URL = 'https://github.com/advisories'
 
-/**
- * Extract unique package names with ecosystems from vulnerability details.
- */
-export function getUniquePackages(details: GhsaDetails): string[] {
-  return [
-    ...new Set(
-      details.vulnerabilities.nodes.map(
-        v => `${v.package.name} (${v.package.ecosystem})`,
-      ),
-    ),
-  ]
-}
+export const genericSocketFixBranchParser = createSocketFixBranchParser()
+
+// GHSA ID pattern: GHSA-xxxx-xxxx-xxxx (4 alphanumeric segments).
+const GHSA_ID_PATTERN = /^GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/i
 
 export type SocketFixBranchParser = (
   branch: string,
@@ -43,15 +35,10 @@ export function createSocketFixBranchParser(
   }
 }
 
-export const genericSocketFixBranchParser = createSocketFixBranchParser()
-
 export function getSocketFixBranchName(ghsaId: string): string {
   return `socket/fix/${ghsaId}`
 }
 
-// GHSA ID pattern: GHSA-xxxx-xxxx-xxxx (4 alphanumeric segments).
-const GHSA_ID_PATTERN = /^GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/i
-
 export function getSocketFixBranchPattern(ghsaId?: string | undefined): RegExp {
   // Escape special regex characters to prevent ReDoS attacks.
   const pattern = ghsaId
@@ -118,3 +105,16 @@ export function getSocketFixPullRequestTitle(ghsaIds: string[]): string {
     ? `Fix for ${firstGhsa}`
     : `Fixes for ${vulnCount} GHSAs`
 }
+
+/**
+ * Extract unique package names with ecosystems from vulnerability details.
+ */
+export function getUniquePackages(details: GhsaDetails): string[] {
+  return [
+    ...new Set(
+      details.vulnerabilities.nodes.map(
+        v => `${v.package.name} (${v.package.ecosystem})`,
+      ),
+    ),
+  ]
+}

packages/cli/src/commands/fix/pull-request.mts

@@ -412,18 +412,16 @@ export async function openSocketFixPr(
 
     // Handle RequestError from Octokit/provider.
     if (e instanceof RequestError) {
-      const errors = (
-        e.response?.data as { errors?: unknown } | undefined
-      )?.errors
+      const errors = (e.response?.data as { errors?: unknown } | undefined)
+        ?.errors
       const errorMessages = Array.isArray(errors)
         ? errors.map(
             (d: {
               message?: string
               resource?: string
               field?: string
               code?: string
-            }) =>
-              d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`,
+            }) => d.message?.trim() ?? `${d.resource}.${d.field} (${d.code})`,
           )
         : []