regenerating-patches
// Regenerates Node.js patches against pristine upstream source so each applies independently. Use after a Node.js version bump, when patches fail to apply, or when restructuring the patch chain.
| name | regenerating-patches |
| description | Regenerates Node.js patches against pristine upstream source so each applies independently. Use after a Node.js version bump, when patches fail to apply, or when restructuring the patch chain. |
| user-invocable | true |
| allowed-tools | Agent, Read, Edit, Write, Glob, Grep, Bash(git:*), Bash(patch:*), Bash(diff:*), Bash(cp:*), Bash(rm:*), Bash(mkdir:*), Bash(ls:*), Bash(cat:*), Bash(head:*), Bash(tail:*), Bash(wc:*), Bash(awk:*), Bash(grep:*), Bash(sed:*), Bash(find:*), AskUserQuestion |
Regenerate Node.js patches against the current pristine upstream tag so every patch applies cleanly in numeric order. This is the canonical recovery flow when an upstream version bump shifts line numbers under our patches.
- `packages/node-smol-builder/patches/source-patched/*.patch` against `packages/node-smol-builder/upstream/node`

```bash
cd "$CLAUDE_PROJECT_DIR" 2>/dev/null || cd "$(git rev-parse --show-toplevel)"
git status --short
```
For each in-scope target:
- `[ -d "$UPSTREAM_DIR/.git" ]` (file-or-dir).
- ```bash
  cd "$UPSTREAM_DIR"
  VERSION=$(git describe --tags --exact-match 2>/dev/null || git rev-parse --short HEAD)
  ```
  For node, this should match the value in repo-root `.node-version` (with a leading `v`).
- `git checkout -- . && git clean -fd` (inside the submodule).
- ```bash
  for p in "$PATCH_DIR"/*.patch; do
    # Drop the metadata header, then dry-run the diff against the pristine tree.
    tail -n +4 "$p" > /tmp/test.patch
    git apply --check /tmp/test.patch >/dev/null 2>&1 || echo "FAIL $(basename "$p")"
  done
  ```
  The 4-line skip is the `# @…-versions:` / `# @description:` / blank-`#` / blank-`#` header that lives above the unified diff (see Patch Format below). All passing patches keep their existing content; only the FAIL list gets regenerated.

If any pre-flight step errors, surface the diagnostic to the user and stop.
Dispatch one Agent call with subagent_type: general-purpose. The full task — read each failing patch, re-anchor against pristine upstream, write the regenerated patch back to its original path — is delegated to the agent. The skill's role is to construct the prompt and validate the output; it does not edit patches itself.
The Agent call MUST include in its prompt:
- `UPSTREAM_DIR` (absolute) and `PATCH_DIR` (absolute)
- `VERSION` string (e.g. `v26.1.0`)
- `git apply --check`)
- `023-smol-power-binding.patch` modifies a block that `018-smol-builtin-bindings.patch` introduces)
- `reference.md` for edge cases (timestamp collisions, target-file-not-found, header normalization, common failure modes)

The agent's per-patch loop:
- `git checkout -- . && git clean -fd`
- `tail -n +4` strip:
  ```bash
  tail -n +4 "$EARLIER_PATCH" | patch -p1 --silent
  ```
- `# @node-versions: …` and `# @description: …` lines), all +/− content lines, and the file path(s) it modifies.
- `/tmp/patch-rebuild/b/<file>`, copy a parallel pristine-cumulative version to `/tmp/patch-rebuild/a/<file>`, and use the Edit tool to add/remove the same lines the original patch did. The Edit tool's exact-match semantics force the agent to preserve indentation and surrounding context byte-for-byte.
- ```bash
  diff -ruN /tmp/patch-rebuild/a/ /tmp/patch-rebuild/b/ \
    | sed -E 's@^(--- |\+\+\+ )/tmp/patch-rebuild/[ab]/@\1a/@; t; s@^(--- |\+\+\+ )/tmp/patch-rebuild/[ab]/@\1b/@'
  ```
  That second sed is wrong — use this canonical form instead:
  ```bash
  diff -ruN /tmp/patch-rebuild/a/ /tmp/patch-rebuild/b/ \
    | sed -E 's@/tmp/patch-rebuild/a/@a/@; s@/tmp/patch-rebuild/b/@b/@' \
    | sed -E 's@^((--- a|\+\+\+ b)/[^[:blank:]]+)[[:blank:]].*$@\1@'  # strip the timestamp, keep the ---/+++ line itself
  ```
- `# @node-versions: …`, `# @description: …`, optional `#` detail lines each followed by a `#` separator — see Patch Format below).
- `tail -n +4 NEW_PATCH | git apply --check` (against the cumulative-patched tree). Must exit 0.
- `$PATCH_DIR/<original-name>.patch`, overwriting.

After all failing patches are regenerated, run a final pristine→all-patches replay to confirm every patch in the directory still applies in numeric order. End with the submodule at pristine HEAD (not committed).
The skill (not the agent) should print:
- `version`: the pristine tag/SHA
- `regenerated`: list of patch basenames the agent rewrote
- `unchanged`: count of patches that already applied
- `unrecoverable`: any patches the agent couldn't fix automatically + the diagnostic

The skill does not commit. The user reviews the diff and commits manually.
Patches use a 4-line metadata header above the unified diff:
```diff
# @node-versions: v26.1.0
# @description: One-line summary
#
# Optional multi-line detail. Each non-blank line begins with #.
#
--- a/<target-file>
+++ b/<target-file>
@@ -<line>,<n> +<line>,<n> @@
context
-old
+new
context
```
For iocraft patches: replace # @node-versions: with # @iocraft-versions:. Never put timestamps on the ---/+++ lines (diff -ruN adds them; the post-process sed strips them).
The validator git apply --check rejects timestamps and demands matching context — those are the two most common regen failures. See reference.md § Common Failure Modes for the full list.
- `.backup-*` files. Earlier versions of this skill did; they pollute the patch directory and confuse `find $PATCH_DIR -name '*.patch'`. If a working tree already has them, leave them — but generate new patches only.
- `diff -ruN` for the regen, never `git diff` or `git format-patch`. Both inject git-specific markers (`index <hash>`, `new file mode`) that the build pipeline's `patch -p1` doesn't expect.
- `sed -E 's@^((--- a|\+\+\+ b)/[^[:blank:]]+)[[:blank:]].*$@\1@'` (or equivalent).
- `# …` lines between `# @description:` and the first `--- a/`; never add `# …` or `// …` lines inside hunk bodies just to explain the change. Inline comments inflate the diff against upstream, force hunk-count bumps when edited, and survive into the patched source as noise. See `docs/references/btm-source-patches.md` § Comments: header, not inline.

See `reference.md` for: edge cases, rollback procedures, retry logic, header normalization details, common failure modes, and cross-platform considerations (BSD vs GNU diff/sed).
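The Patch Format and the rules above can be checked mechanically before a regenerated patch is written back. The script below is an added example, not part of the skill or its repo: `lint_patch`, `strip_header` and `sample_patch` are hypothetical names, and `strip_header` is a header-aware variation on the fixed `tail -n +4` strip for headers that carry optional `#` detail lines.

```bash
#!/usr/bin/env bash
# Added example; lint_patch, strip_header and sample_patch are hypothetical names.
# Lint one patch file against the Patch Format rules. Exit status 0 means clean.
lint_patch() {
  awk '
    function fail(msg) { printf "%s:%d: %s\n", FILENAME, NR, msg; bad = 1 }
    # Markers that git diff / git format-patch inject; diff -ruN output has none.
    /^(diff --git |index [0-9a-f]+\.\.|new file mode )/ { fail("git-specific marker"); next }
    # Line 1 pins the upstream version, line 2 carries the one-line summary.
    NR == 1 && !/^# @(node|iocraft)-versions: / { fail("expected # @node-versions: or # @iocraft-versions:") }
    NR == 2 && !/^# @description: / { fail("expected # @description:") }
    # The unified diff starts at the first "--- a/" line; above it, only # lines.
    !body && /^--- a\// { body = 1 }
    !body && !/^#/ { fail("non-# line above the unified diff") }
    # diff -ruN appends a tab and a timestamp to the ---/+++ file lines.
    body && /^(--- a\/|[+][+][+] b\/)/ && /\t/ { fail("timestamp on ---/+++ line") }
    END {
      if (!body) { printf "%s: no --- a/ line found\n", FILENAME; bad = 1 }
      exit bad + 0
    }
  ' "$1"
}

# Header-aware strip: print from the first "--- a/" line to the end of file,
# however many # detail lines the header carries.
strip_header() {
  awk 'body || /^--- a\// { body = 1; print }' "$1"
}

# Constructed sample in the documented format (not a real patch).
sample_patch() {
  printf '%s\n' \
    '# @node-versions: v26.1.0' \
    '# @description: One-line summary' \
    '#' \
    '# Optional multi-line detail.' \
    '#' \
    '--- a/lib/example.js' \
    '+++ b/lib/example.js' \
    '@@ -1,3 +1,3 @@' \
    ' context' \
    '-old' \
    '+new' \
    ' context'
}

demo=$(mktemp) && sample_patch > "$demo" && lint_patch "$demo" && echo "clean"
rm -f "$demo"
```

Each finding is printed as `file:line: message`, so the output can be surfaced to the user as the diagnostic for an unrecoverable patch.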