Refactor skills and add replacement skill

.claude-plugin/marketplace.json

@@ -9,29 +9,29 @@
   },
   "plugins": [
     {
-      "name": "research-scan",
-      "source": "./skills/research-scan",
+      "name": "scan",
+      "source": "./skills/scan",
       "skills": "./",
       "description": "Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation."
     },
     {
-      "name": "research-inspect",
-      "source": "./skills/research-inspect",
+      "name": "inspect",
+      "source": "./skills/inspect",
       "skills": "./",
       "description": "Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches."
     },
-    {
-      "name": "dep-patch",
-      "source": "./skills/dep-patch",
-      "skills": "./",
-      "description": "Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /setup skill."
-    },
     {
       "name": "setup",
       "source": "./skills/setup",
       "skills": "./",
       "description": "Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems."
     },
+    {
+      "name": "dep-patch",
+      "source": "./skills/dep-patch",
+      "skills": "./",
+      "description": "Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /setup skill."
+    },
     {
       "name": "dep-upgrade",
       "source": "./skills/dep-upgrade",
@@ -45,8 +45,14 @@
       "description": "Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification."
     },
     {
-      "name": "repair",
-      "source": "./skills/repair",
+      "name": "dep-replace",
+      "source": "./skills/dep-replace",
+      "skills": "./",
+      "description": "Replace a dependency with an alternative package, eliminate it via code rewrite, or use socket-optimize for optimized replacements."
+    },
+    {
+      "name": "fix",
+      "source": "./skills/fix",
       "skills": "./",
       "description": "Holistic dependency repair — orchestrates cleanup, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full)."
     }

.opencode/skills

@@ -0,0 +1 @@
+../skills

README.md

@@ -5,6 +5,7 @@ Socket Security Skills are definitions for dependency security tasks like vulner
 - **Claude Code** (Anthropic) — native skill/plugin support
 - **Codex** (OpenAI) — Agent Skills standard + AGENTS.md fallback
 - **Gemini CLI** (Google DeepMind) — extensions support
+- **OpenCode** — skill directory support
 - **Cursor** — plugin manifest support
 - **VS Code Copilot / GitHub Copilot** — via AGENTS.md or Skills CLI
 - **Windsurf** — via Skills CLI
@@ -101,6 +102,15 @@ For contributors, regenerate manifests with:
 ./scripts/publish.sh
 ```
 
+### OpenCode
+
+This repository includes an `.opencode/skills` directory that OpenCode discovers automatically.
+
+1. Clone or install this repo into your project
+2. OpenCode will discover skills from `.opencode/skills/`
+
+Or manually copy skill folders into your project's `.opencode/skills/` directory.
+
 ### Other Agents (VS Code Copilot, Windsurf, Roo Code, etc.)
 
 For any agent that supports the Agent Skills standard or custom instructions:
@@ -131,14 +141,14 @@ Install, authenticate, and configure Socket for your project.
 |------|-------------|---------------|
 | `setup` | Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems. | [SKILL.md](skills/setup/SKILL.md) |
 
-#### Research
+#### Analysis
 
 Scan dependencies and inspect individual packages for security risks.
 
 | Name | Description | Documentation |
 |------|-------------|---------------|
-| `research-inspect` | Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. | [SKILL.md](skills/research-inspect/SKILL.md) |
-| `research-scan` | Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation. | [SKILL.md](skills/research-scan/SKILL.md) |
+| `inspect` | Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. | [SKILL.md](skills/inspect/SKILL.md) |
+| `scan` | Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation. | [SKILL.md](skills/scan/SKILL.md) |
 
 #### Dependency Management
 
@@ -148,15 +158,16 @@ Upgrade, patch, and clean up individual dependencies.
 |------|-------------|---------------|
 | `dep-cleanup` | Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification. | [SKILL.md](skills/dep-cleanup/SKILL.md) |
 | `dep-patch` | Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /setup skill. | [SKILL.md](skills/dep-patch/SKILL.md) |
+| `dep-replace` | Replace a dependency with an alternative package, eliminate it via code rewrite, or use socket-optimize for optimized replacements. | [SKILL.md](skills/dep-replace/SKILL.md) |
 | `dep-upgrade` | Use socket fix to find and update vulnerable dependencies one at a time, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration. | [SKILL.md](skills/dep-upgrade/SKILL.md) |
 
-#### Repair
+#### Fix
 
 Holistic dependency repair — orchestrate cleanup, patching, and upgrades in a single phased workflow.
 
 | Name | Description | Documentation |
 |------|-------------|---------------|
-| `repair` | Holistic dependency repair — orchestrates cleanup, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full). | [SKILL.md](skills/repair/SKILL.md) |
+| `fix` | Holistic dependency repair — orchestrates cleanup, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full). | [SKILL.md](skills/fix/SKILL.md) |
 <!-- END_SKILLS_TABLE -->
 
 ## Contributing

agents/AGENTS.md

@@ -8,10 +8,11 @@ You have additional SKILLs documented in directories containing a "SKILL.md" fil
 |-------|-------------|
 | dep-cleanup | Evaluate and remove a single unused dependency from your project. Searches the entire codebase for all usages (imports, requires, config refs, scripts, type packages, indirect usage), reports findings, and performs full removal with verification. |
 | dep-patch | Apply Socket's binary-level security patches without changing dependency versions. Uses socket-patch apply to fix vulnerabilities in-place. For CI/CD and infrastructure setup, use the /setup skill. |
+| dep-replace | Replace a dependency with an alternative package, eliminate it via code rewrite, or use socket-optimize for optimized replacements. |
 | dep-upgrade | Use socket fix to find and update vulnerable dependencies, then fix any breaking changes in the codebase. Security-audited upgrades with automated code migration. |
-| repair | Holistic dependency repair — orchestrates cleanup, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full). Delegates to /dep-cleanup, /dep-patch, and /dep-upgrade as subroutines. |
-| research-inspect | Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. |
-| research-scan | Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation. |
+| fix | Holistic dependency repair — orchestrates cleanup, replacement, patching, and upgrades in a single workflow with three aggressiveness levels (conservative, cautious, full). Delegates to /dep-cleanup, /dep-replace, /dep-patch, and /dep-upgrade as subroutines. |
+| inspect | Research a package before you depend on it — pull every signal from Socket (scores, alerts, malware verdicts, CVEs, supply-chain risk), check the socket.dev package page, evaluate alternatives, and surface available Socket patches. |
+| scan | Run a full dependency scan using the Socket CLI. Creates a scan in the Socket dashboard, checks all dependencies for vulnerabilities and supply-chain risks, performs Tier 1 reachability analysis for enterprise customers, and provides license compliance auditing with SBOM generation. |
 | setup | Set up Socket — prompt for API key, install the CLI, authenticate, configure policies and tokens, set up CI/CD for firewall or patch modes across GitHub, GitLab, Bitbucket, and other systems. |
 
 ## Usage
@@ -27,8 +28,9 @@ Paths referenced within SKILL folders are relative to that SKILL. For example th
 The skills are located in:
 - `skills/dep-cleanup/SKILL.md`
 - `skills/dep-patch/SKILL.md`
+- `skills/dep-replace/SKILL.md`
 - `skills/dep-upgrade/SKILL.md`
-- `skills/repair/SKILL.md`
-- `skills/research-inspect/SKILL.md`
-- `skills/research-scan/SKILL.md`
+- `skills/fix/SKILL.md`
+- `skills/inspect/SKILL.md`
+- `skills/scan/SKILL.md`
 - `skills/setup/SKILL.md`

scripts/generate-agents.ts

@@ -73,16 +73,16 @@ interface CategoryDef {
 
 const CATEGORIES: [string, CategoryDef][] = [
   ["setup", { label: "Setup", description: "Install, authenticate, and configure Socket for your project." }],
-  ["research", { label: "Research", description: "Scan dependencies and inspect individual packages for security risks." }],
+  ["analysis", { label: "Analysis", description: "Scan dependencies and inspect individual packages for security risks." }],
   ["dep", { label: "Dependency Management", description: "Upgrade, patch, and clean up individual dependencies." }],
-  ["repair", { label: "Repair", description: "Holistic dependency repair — orchestrate cleanup, patching, and upgrades in a single phased workflow." }],
+  ["fix", { label: "Fix", description: "Holistic dependency repair — orchestrate cleanup, patching, and upgrades in a single phased workflow." }],
 ];
 
 function getCategory(skillName: string): string {
   if (skillName === "setup") return "setup";
-  if (skillName.startsWith("research-")) return "research";
+  if (skillName === "scan" || skillName === "inspect") return "analysis";
   if (skillName.startsWith("dep-")) return "dep";
-  if (skillName === "repair") return "repair";
+  if (skillName === "fix") return "fix";
   return "setup";
 }
 

skills/dep-cleanup/SKILL.md

@@ -24,7 +24,7 @@ If the user specifies a package name, use that. Otherwise, ask which package the
 If the user isn't sure which package to evaluate, help them pick one:
 - Check `devDependencies` first — removing unused dev dependencies is lower risk
 - Look for packages with names that suggest narrow or outdated functionality
-- Suggest running `/research-scan` first to get an overview of the dependency landscape
+- Suggest running `/scan` first to get an overview of the dependency landscape
 
 **One package at a time.** If the user wants to evaluate multiple packages, run this workflow once per package sequentially.
 
@@ -187,4 +187,4 @@ Follow the standard build & test verification workflow (see `skills/_shared/veri
 - Some packages are used only in CI, deployment scripts, or editor configs — the search in Step 3 covers these
 - For PyPI, consult the package metadata on pypi.org if the import name is unclear
 - For monorepos, check usage across all workspaces before removing a root dependency
-- After cleanup, use the `/research-scan` skill to verify no issues remain in the dependency set
+- After cleanup, use the `/scan` skill to verify no issues remain in the dependency set

skills/dep-patch/SKILL.md

@@ -106,5 +106,5 @@ To keep patches applied automatically in CI/CD or via postinstall hooks, use the
 - Use `SocketDev/action@v1` (correct casing) in GitHub workflow files
 - For monorepos, use `patch-cwd` to target specific directories
 - Commit `.socket/manifest.json` to track which patches are applied
-- After patching, use the `/research-scan` skill to verify no residual vulnerabilities remain
+- After patching, use the `/scan` skill to verify no residual vulnerabilities remain
 - Combine with the `/dep-upgrade` skill for vulnerabilities that don't have binary patches available