fix(scan create): detect --default-branch=<name> misuse

`--default-branch` is a boolean meow flag, so
`--default-branch=main` silently becomes `defaultBranch=true` with
the `"main"` portion discarded. Users with that (reasonable)
intuition ended up with scans that weren't tagged with any branch
name and didn't show up in the Main/PR dashboard tabs.

Pre-flight check in `run()` scans the raw argv for
`--default-branch=<value>`. Values that coerce to boolean
(`true` / `false`, any case) are let through; anything else is
treated as a misuse and fails with:

    ✗ "--default-branch=main" looks like you meant the branch name "main".
    --default-branch is a boolean flag; pass the branch name with --branch instead:
      socket scan create --branch main --default-branch

Exits with code 2 (invalid usage), consistent with other flag
validation failures in this command.

Added tests:
  * misuse form with a branch-name value is caught and logged
  * explicit `--default-branch=true|false|TRUE` all pass through
  * bare `--default-branch` with paired `--branch main` flows through

Author: jdalton

packages/cli/src/commands/scan/cmd-scan-create.mts

@@ -202,10 +202,24 @@ const generalFlags: MeowFlags = {
   },
 }
 
-export const cmdScanCreate = {
-  description,
-  hidden,
-  run,
+// Scan argv for `--default-branch=<non-bool-string>`. The flag is declared
+// boolean, so meow coerces `--default-branch=main` to `true` and discards
+// "main" — silently leaving the scan without a branch tag.
+function findDefaultBranchValueMisuse(
+  argv: readonly string[],
+): string | undefined {
+  for (const arg of argv) {
+    if (!arg.startsWith('--default-branch=')) {
+      continue
+    }
+    const value = arg.slice('--default-branch='.length)
+    const normalized = value.toLowerCase()
+    if (normalized === 'true' || normalized === 'false' || value === '') {
+      continue
+    }
+    return value
+  }
+  return undefined
 }
 
 async function run(
@@ -272,6 +286,21 @@ async function run(
   `,
   }
 
+  // Detect the common `--default-branch=main` misuse before meow parses.
+  // `--default-branch` is a boolean — meow/yargs-parser treats
+  // `--default-branch=main` as `defaultBranch=true` and silently drops
+  // the "main" portion, so the user's scan gets tagged without the
+  // intended branch name and doesn't appear in the Main/PR dashboard
+  // tabs. Fail fast with a suggestion toward the correct form.
+  const defaultBranchMisuse = findDefaultBranchValueMisuse(argv)
+  if (defaultBranchMisuse) {
+    logger.fail(
+      `"--default-branch=${defaultBranchMisuse}" looks like you meant the branch name "${defaultBranchMisuse}".\n--default-branch is a boolean flag; pass the branch name with --branch instead:\n  socket scan create --branch ${defaultBranchMisuse} --default-branch`,
+    )
+    process.exitCode = 2
+    return
+  }
+
   const cli = meowOrExit({
     argv,
     config,
@@ -680,3 +709,9 @@ async function run(
     workspace: (workspace && String(workspace)) || '',
   })
 }
+
+export const cmdScanCreate = {
+  description,
+  hidden,
+  run,
+}

packages/cli/test/unit/commands/scan/cmd-scan-create.test.mts

@@ -1366,5 +1366,79 @@ describe('cmd-scan-create', () => {
         expect(mockHandleCreateNewScan).not.toHaveBeenCalled()
       })
     })
+
+    describe('--default-branch misuse detection', () => {
+      // --default-branch is a boolean flag; meow silently discards the
+      // `=<value>` portion on `--default-branch=<name>`. Catch that
+      // pattern before meow parses so users get a clear error pointing
+      // at the right shape (`--branch <name> --default-branch`).
+      it('fails when --default-branch=<name> is passed with a branch name', async () => {
+        await cmdScanCreate.run(
+          ['--org', 'test-org', '--default-branch=main', '.'],
+          importMeta,
+          context,
+        )
+
+        expect(process.exitCode).toBe(2)
+        expect(mockHandleCreateNewScan).not.toHaveBeenCalled()
+        expect(mockLogger.fail).toHaveBeenCalledWith(
+          expect.stringContaining(
+            '"--default-branch=main" looks like you meant the branch name "main"',
+          ),
+        )
+        expect(mockLogger.fail).toHaveBeenCalledWith(
+          expect.stringContaining('--branch main --default-branch'),
+        )
+      })
+
+      it.each([
+        '--default-branch=true',
+        '--default-branch=false',
+        '--default-branch=TRUE',
+      ])('allows %s (explicit boolean form)', async arg => {
+        mockHasDefaultApiToken.mockReturnValueOnce(true)
+
+        await cmdScanCreate.run(
+          [
+            '--org',
+            'test-org',
+            '--branch',
+            'main',
+            arg,
+            '.',
+            '--no-interactive',
+          ],
+          importMeta,
+          context,
+        )
+
+        // meow parses the flag normally and flows through to handleCreateNewScan.
+        expect(mockLogger.fail).not.toHaveBeenCalledWith(
+          expect.stringContaining('looks like you meant the branch name'),
+        )
+      })
+
+      it('allows bare --default-branch (default truthy form)', async () => {
+        mockHasDefaultApiToken.mockReturnValueOnce(true)
+
+        await cmdScanCreate.run(
+          [
+            '--org',
+            'test-org',
+            '--branch',
+            'main',
+            '--default-branch',
+            '.',
+            '--no-interactive',
+          ],
+          importMeta,
+          context,
+        )
+
+        expect(mockLogger.fail).not.toHaveBeenCalledWith(
+          expect.stringContaining('looks like you meant the branch name'),
+        )
+      })
+    })
   })
 })