@involvex/msix-packager-cli 1.4.1

package/src/sea-handler.js

@@ -0,0 +1,1124 @@
+const path = require("path");
+const fs = require("fs-extra");
+const os = require("os");
+const { executeCommand } = require("./utils");
+
+/**
+ * Creates a Single Executable Application (SEA) using Node.js built-in capabilities with NCC bundling
+ * @param {string} packageDir - Directory cont        // If postject fails due to multiple sentinels and we haven't tried overwrite yet
+        if (postjectError.message.includes('Multiple occurences of sentinel')) {
+          console.log('🔧 Detected multiple sentinels, attempting overwrite recovery...');
+          
+          try {
+            const overwriteCommand = `npx postject "${executableName}" NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 --overwrite`;
+            executeCommand(overwriteCommand);
+            console.log('✅ SEA blob injection successful with overwrite');
+          } catch (overwriteError) {
+            console.error(`❌ SEA injection failed even with overwrite: ${overwriteError.message}`);
+            
+            // If still failing, try a completely different approach - create a truly fresh binary
+            console.log('🔧 Attempting to create completely fresh binary...');
+            const superFreshPath = await createSuperFreshBinary();
+            if (superFreshPath && await fs.pathExists(superFreshPath)) {
+              console.log('📋 Copying super fresh binary...');
+              await fs.copyFile(superFreshPath, executablePath);
+              
+              // Try injection one more time
+              try {
+                const finalCommand = `npx postject "${executableName}" NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2`;
+                executeCommand(finalCommand);
+                console.log('✅ SEA blob injection successful with super fresh binary');
+              } catch (finalError) {
+                throw new Error(`All SEA injection attempts failed: ${finalError.message}`);
+              }
+            } else {
+              throw new Error(`Could not create super fresh binary: ${overwriteError.message}`);
+            }
+          }ckage
+ * @param {Object} config - Configuration object
+ * @param {Object} packageJson - package.json content
+ * @returns {Promise<boolean>} Success status
+ */
+async function createSingleExecutableApp(packageDir, config, packageJson) {
+  try {
+    console.log(
+      "🔨 Creating Single Executable Application (SEA) with NCC bundling...",
+    );
+
+    const appName = config.appName || "app";
+    const executableName = `${appName.replace(/[^a-zA-Z0-9.-]/g, "_")}.exe`;
+    const executablePath = path.join(packageDir, executableName);
+    const tempNodeBinary = path.join(packageDir, "temp-node.exe");
+
+    // Step 1: Install NCC and TypeScript dependencies if needed
+    console.log("📦 Installing @vercel/ncc...");
+    try {
+      executeCommand("bun install @vercel/ncc --no-save", { cwd: packageDir });
+    } catch (nccError) {
+      console.log("Installing NCC globally...");
+      executeCommand("bun install -g @vercel/ncc", { cwd: packageDir });
+    }
+
+    // Install TypeScript if TypeScript files are detected
+    const hasTypeScript =
+      (await fs.pathExists(path.join(packageDir, "tsconfig.json"))) ||
+      (await fs.readdir(packageDir)).some((file) => file.endsWith(".ts"));
+
+    if (hasTypeScript) {
+      console.log(
+        "📝 TypeScript detected - ensuring TypeScript compiler is available",
+      );
+      try {
+        executeCommand("bun install typescript --no-save", { cwd: packageDir });
+      } catch (tsError) {
+        console.log("Installing TypeScript globally...");
+        executeCommand("bun install -g typescript", { cwd: packageDir });
+      }
+    }
+
+    // Step 2: Detect entry point and handle TypeScript
+    const mainScript = packageJson.main || "index.js";
+    const isTypeScript =
+      mainScript.endsWith(".ts") ||
+      (await fs.pathExists(path.join(packageDir, "tsconfig.json")));
+
+    // Auto-detect TypeScript entry point if main is JS but TS files exist
+    let entryScript = mainScript;
+    if (!isTypeScript && !mainScript.endsWith(".ts")) {
+      const tsAlternatives = [
+        mainScript.replace(/\.js$/, ".ts"),
+        "index.ts",
+        "src/index.ts",
+        "app.ts",
+        "src/app.ts",
+      ];
+
+      for (const tsFile of tsAlternatives) {
+        if (await fs.pathExists(path.join(packageDir, tsFile))) {
+          entryScript = tsFile;
+          console.log(`📝 Detected TypeScript entry: ${tsFile}`);
+          break;
+        }
+      }
+    }
+
+    const entryContent = `#!/usr/bin/env node
+// SEA Entry Point for ${config.displayName || config.appName}
+
+console.log('🚀 Starting ${config.displayName || config.appName}...');
+
+// Check if running as SEA
+let isSEA = false;
+try {
+  const { sea } = require('node:sea');
+  isSEA = sea.isSea();
+  if (isSEA) {
+    console.log('Running in SEA mode');
+    // Set process title
+    process.title = '${config.displayName || config.appName}';
+  }
+} catch (err) {
+  // SEA module not available, running in regular Node.js
+  console.log('Running in development mode');
+}
+
+// Set working directory to executable directory
+try {
+  const path = require('path');
+  const execDir = path.dirname(process.execPath);
+  process.chdir(execDir);
+} catch (err) {
+  console.warn('Could not change working directory:', err.message);
+}
+
+// Load the main application
+try {
+  require('./${entryScript}');
+} catch (error) {
+  console.error('❌ Failed to start application:', error.message);
+  console.error(error.stack);
+  process.exit(1);
+}
+`;
+
+    const entryPath = path.join(packageDir, "sea-entry.js");
+    await fs.writeFile(entryPath, entryContent);
+
+    // Step 3: Bundle with NCC (with TypeScript support)
+    console.log("📦 Bundling application with NCC...");
+
+    // NCC automatically handles TypeScript files - no additional config needed!
+    let bundleCommand = `npx ncc build sea-entry.js -o sea-dist --minify --no-source-map-register`;
+
+    // Add TypeScript-specific options if needed
+    if (isTypeScript || entryScript.endsWith(".ts")) {
+      console.log(
+        "📝 TypeScript detected - NCC will handle transpilation automatically",
+      );
+      // NCC will automatically detect and use tsconfig.json if present
+      bundleCommand += ` --target es2020`; // Ensure compatibility with Node.js SEA
+    }
+
+    // If there's a tsconfig.json, NCC will use it automatically
+    const tsconfigPath = path.join(packageDir, "tsconfig.json");
+    if (await fs.pathExists(tsconfigPath)) {
+      console.log("📄 Using existing tsconfig.json for TypeScript compilation");
+    } else if (isTypeScript || entryScript.endsWith(".ts")) {
+      // Create a basic tsconfig.json for SEA compatibility
+      console.log("📄 Creating basic tsconfig.json for SEA compatibility");
+      const basicTsConfig = {
+        compilerOptions: {
+          target: "ES2020",
+          module: "CommonJS",
+          lib: ["ES2020"],
+          outDir: "./dist",
+          rootDir: "./src",
+          strict: true,
+          esModuleInterop: true,
+          skipLibCheck: true,
+          forceConsistentCasingInFileNames: true,
+          moduleResolution: "node",
+          resolveJsonModule: true,
+          declaration: false,
+          declarationMap: false,
+          sourceMap: false,
+        },
+        include: ["**/*.ts"],
+        exclude: [
+          "node_modules",
+          "dist",
+          "sea-dist",
+          "**/*.test.ts",
+          "**/*.spec.ts",
+        ],
+      };
+      await fs.writeJson(tsconfigPath, basicTsConfig, { spaces: 2 });
+    }
+
+    executeCommand(bundleCommand, { cwd: packageDir });
+
+    const bundledPath = path.join(packageDir, "sea-dist", "index.js");
+    if (!(await fs.pathExists(bundledPath))) {
+      throw new Error("NCC bundling failed - bundled file not found");
+    }
+
+    // Step 4: Create SEA configuration
+    const seaConfig = {
+      main: "sea-dist/index.js",
+      output: "sea-prep.blob",
+      disableExperimentalSEAWarning: true,
+      useSnapshot: false,
+      useCodeCache: true,
+    };
+
+    const seaConfigPath = path.join(packageDir, "sea-config.json");
+    await fs.writeJson(seaConfigPath, seaConfig, { spaces: 2 });
+
+    // Step 5: Generate SEA blob
+    console.log("🗜️  Generating SEA blob...");
+    const originalCwd = process.cwd();
+    process.chdir(packageDir);
+
+    try {
+      executeCommand("node --experimental-sea-config sea-config.json");
+
+      const blobPath = path.join(packageDir, "sea-prep.blob");
+      if (!(await fs.pathExists(blobPath))) {
+        throw new Error("SEA blob generation failed");
+      }
+
+      console.log("✅ SEA blob created successfully");
+
+      // Step 6: Get a completely fresh Node.js executable (ensuring no SEA markers)
+      console.log("📄 Creating executable base with fresh Node.js binary...");
+
+      // Always get a fresh Node.js binary from alternative sources
+      const freshNodePath = await getFreshNodeBinary();
+      console.log(`📥 Using Node.js binary from: ${freshNodePath}`);
+
+      // Remove any existing executable to ensure clean state
+      if (await fs.pathExists(executablePath)) {
+        console.log(
+          "🗑️  Removing existing executable to ensure clean state...",
+        );
+        await fs.remove(executablePath);
+      }
+
+      // Remove any temporary files
+      if (await fs.pathExists(tempNodeBinary)) {
+        await fs.remove(tempNodeBinary);
+      }
+
+      // Copy the fresh Node.js binary to temporary location first
+      await fs.copyFile(freshNodePath, tempNodeBinary);
+
+      // Verify the temporary binary exists and is valid
+      if (!(await fs.pathExists(tempNodeBinary))) {
+        throw new Error("Failed to create temporary Node.js binary");
+      }
+
+      // Test that it's a valid Node.js binary
+      try {
+        const testCommand = `"${tempNodeBinary}" --version`;
+        const version = executeCommand(testCommand, { silent: true });
+        console.log(`✅ Fresh Node.js binary verified: ${version.trim()}`);
+      } catch (testError) {
+        throw new Error(
+          `Fresh Node.js binary is invalid: ${testError.message}`,
+        );
+      }
+
+      // Move to final executable name
+      await fs.move(tempNodeBinary, executablePath);
+
+      if (!(await fs.pathExists(executablePath))) {
+        throw new Error("Failed to create executable base");
+      }
+
+      console.log(`✅ Fresh Node.js binary prepared: ${executableName}`);
+
+      // Verify this is truly a fresh binary (no SEA markers)
+      try {
+        const { executeCommand: execCmd } = require("./utils");
+        const checkCommand = `npx postject "${executableName}" NODE_SEA_BLOB --info 2>nul || echo "NO_SEA_MARKERS"`;
+        const checkResult = execCmd(checkCommand, { silent: true });
+        if (checkResult.includes("NO_SEA_MARKERS")) {
+          console.log("✅ Confirmed: Binary has no existing SEA markers");
+        } else {
+          console.warn("⚠️  Warning: Binary may have existing SEA markers");
+        }
+      } catch (checkError) {
+        // This is fine, just means postject check failed
+        console.log("✅ Binary check completed");
+      }
+
+      // Step 7: Remove signature (Windows) to prepare for SEA injection
+      console.log("🔓 Removing executable signature...");
+      try {
+        const { findWindowsSDKTools } = require("./utils");
+        const tools = findWindowsSDKTools();
+        const removeSignCommand = `"${tools.signtool}" remove /s "${executableName}"`;
+        executeCommand(removeSignCommand);
+        console.log("✅ Signature removed successfully");
+      } catch (sigError) {
+        console.warn("⚠️  Could not remove signature (this is usually fine)");
+      }
+
+      // Step 8: Inject blob with postject (with enhanced error handling)
+      console.log("💉 Injecting SEA blob into executable...");
+
+      // First, verify that our executable doesn't have multiple sentinels
+      let sentinelCount = 0;
+      try {
+        const binaryData = await fs.readFile(executablePath);
+        const sentinelPattern = Buffer.from(
+          "NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2",
+          "utf8",
+        );
+        let searchPos = 0;
+        while (true) {
+          const index = binaryData.indexOf(sentinelPattern, searchPos);
+          if (index === -1) break;
+          sentinelCount++;
+          searchPos = index + 1;
+        }
+        console.log(`🔍 Found ${sentinelCount} sentinel markers in executable`);
+      } catch (readError) {
+        console.warn("⚠️  Could not analyze binary for sentinels");
+      }
+
+      try {
+        let postjectCommand;
+
+        if (sentinelCount > 1) {
+          // Use overwrite flag immediately if multiple sentinels detected
+          console.log(
+            "⚠️  Multiple sentinels detected, using overwrite mode...",
+          );
+          postjectCommand = `npx postject "${executableName}" NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 --overwrite`;
+        } else {
+          // Use normal injection for clean binaries
+          console.log(
+            `Start injection of NODE_SEA_BLOB in ${executableName}...`,
+          );
+          postjectCommand = `npx postject "${executableName}" NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2`;
+        }
+
+        executeCommand(postjectCommand);
+        console.log("✅ SEA blob injection successful");
+      } catch (postjectError) {
+        console.error(`❌ SEA blob injection failed: ${postjectError.message}`);
+
+        // If postject fails due to multiple sentinels, this means our fresh binary isn't actually fresh
+        if (postjectError.message.includes("Multiple occurences of sentinel")) {
+          console.error(
+            "❌ Fresh binary still contains SEA markers - this should not happen!",
+          );
+          console.log("� Attempting emergency recovery with overwrite...");
+
+          try {
+            // Try with overwrite flag as last resort
+            const overwriteCommand = `npx postject "${executableName}" NODE_SEA_BLOB sea-prep.blob --sentinel-fuse NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2 --overwrite`;
+            executeCommand(overwriteCommand);
+            console.log("✅ SEA blob injection successful with overwrite");
+          } catch (overwriteError) {
+            throw new Error(
+              `SEA injection failed even with overwrite: ${overwriteError.message}`,
+            );
+          }
+        } else {
+          // For other postject errors, re-throw
+          throw postjectError;
+        }
+      }
+
+      // Step 9: Sign the executable
+      await signSEAExecutable(executablePath, config);
+
+      // Step 10: Cleanup temporary files
+      await fs.remove(entryPath);
+      await fs.remove(path.join(packageDir, "sea-dist"));
+      await fs.remove(seaConfigPath);
+      await fs.remove(blobPath);
+
+      // Clean up any temporary Node.js binaries
+      if (await fs.pathExists(tempNodeBinary)) {
+        await fs.remove(tempNodeBinary);
+      }
+
+      // Remove temporary tsconfig.json if we created it
+      const tsconfigPath = path.join(packageDir, "tsconfig.json");
+      if (
+        !(await fs.pathExists(tsconfigPath.replace(".json", ".original.json")))
+      ) {
+        // Only remove if we didn't backup an existing one
+        const tsconfigContent = await fs
+          .readJson(tsconfigPath)
+          .catch(() => null);
+        if (
+          tsconfigContent &&
+          tsconfigContent.compilerOptions &&
+          tsconfigContent.compilerOptions.target === "ES2020"
+        ) {
+          console.log("🧹 Cleaning up temporary tsconfig.json");
+          await fs.remove(tsconfigPath);
+        }
+      }
+
+      // Update config
+      config.executable = executableName;
+      delete config.executableArgs;
+
+      console.log(`✅ SEA executable created: ${executableName}`);
+      return true;
+    } finally {
+      process.chdir(originalCwd);
+    }
+  } catch (error) {
+    console.warn(`⚠️  SEA creation failed: ${error.message}`);
+    console.log("Falling back to PKG...");
+    return false;
+  }
+}
+
+/**
+ * Gets the Node.js binary path for the current platform
+ * @returns {Promise<string>} Path to Node.js binary
+ */
+async function getNodeBinaryPath() {
+  return process.execPath;
+}
+
+/**
+ * Gets a fresh Node.js binary path, trying alternative sources if needed
+ * @returns {Promise<string>} Path to a fresh Node.js binary
+ */
+async function getFreshNodeBinary() {
+  const { executeCommand } = require("./utils");
+
+  // Always try to get a completely fresh Node.js binary
+  const freshSources = [];
+
+  // 1. Try to find Node.js installation via where command (different from current process)
+  try {
+    const whereResult = executeCommand("where node", { silent: true });
+    const nodePaths = whereResult
+      .split("\n")
+      .map((p) => p.trim())
+      .filter((p) => p && p.includes("node.exe") && p !== process.execPath);
+    freshSources.push(...nodePaths);
+  } catch (err) {
+    // Ignore where command failures
+  }
+
+  // 2. Try common Node.js installation paths (avoid current process path)
+  const commonPaths = [
+    "C:\\Program Files\\nodejs\\node.exe",
+    "C:\\Program Files (x86)\\nodejs\\node.exe",
+    process.env.PROGRAMFILES
+      ? path.join(process.env.PROGRAMFILES, "nodejs", "node.exe")
+      : null,
+    process.env["PROGRAMFILES(X86)"]
+      ? path.join(process.env["PROGRAMFILES(X86)"], "nodejs", "node.exe")
+      : null,
+    // Try appdata paths
+    process.env.APPDATA
+      ? path.join(process.env.APPDATA, "npm", "node.exe")
+      : null,
+    process.env.LOCALAPPDATA
+      ? path.join(process.env.LOCALAPPDATA, "npm", "node.exe")
+      : null,
+  ]
+    .filter(Boolean)
+    .filter((p) => p !== process.execPath);
+
+  freshSources.push(...commonPaths);
+
+  // 3. Check if we can find Node.js through PowerShell Get-Command
+  try {
+    const psResult = executeCommand(
+      'powershell -Command "Get-Command node -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Source"',
+      { silent: true },
+    );
+    const psPath = psResult.trim();
+    if (psPath && psPath !== process.execPath && psPath.includes("node.exe")) {
+      freshSources.push(psPath);
+    }
+  } catch (err) {
+    // Ignore PowerShell command failures
+  }
+
+  // Remove duplicates and current process path
+  const uniquePaths = [...new Set(freshSources)].filter(
+    (p) => p !== process.execPath,
+  );
+
+  console.log(
+    `🔍 Found ${uniquePaths.length} alternative Node.js binary sources`,
+  );
+
+  // Test each path to find a working one WITHOUT existing SEA markers
+  for (const nodePath of uniquePaths) {
+    try {
+      if (await fs.pathExists(nodePath)) {
+        // Verify it's a valid Node.js executable by checking version
+        const versionResult = executeCommand(`"${nodePath}" --version`, {
+          silent: true,
+        });
+        if (versionResult.includes("v")) {
+          // Check if this binary already has SEA markers
+          const hasSeaMarkers = await checkForSeaMarkers(nodePath);
+          if (!hasSeaMarkers) {
+            console.log(
+              `✅ Found clean Node.js binary (no SEA markers): ${nodePath}`,
+            );
+            return nodePath;
+          } else {
+            console.log(
+              `⚠️  Skipping binary with existing SEA markers: ${nodePath}`,
+            );
+          }
+        }
+      }
+    } catch (err) {
+      // Skip invalid binaries
+      continue;
+    }
+  }
+
+  // If no clean alternative found, create a fresh copy by downloading immediately
+  console.log(
+    "🔧 No clean Node.js binary found locally, downloading fresh copy...",
+  );
+  const superFreshPath = await createSuperFreshBinary();
+  if (superFreshPath) {
+    return superFreshPath;
+  }
+
+  // Absolute fallback - at least log the issue
+  console.error(
+    "❌ Unable to create fresh Node.js binary - using current process (may have SEA markers)",
+  );
+  throw new Error(
+    "Could not obtain a fresh Node.js binary without SEA markers",
+  );
+}
+
+/**
+ * Checks if a Node.js binary already contains SEA markers
+ * @param {string} binaryPath - Path to the Node.js binary
+ * @returns {Promise<boolean>} True if SEA markers are found
+ */
+async function checkForSeaMarkers(binaryPath) {
+  try {
+    // Method 1: Use postject to check for existing SEA blob
+    const { executeCommand } = require("./utils");
+    try {
+      const checkCommand = `npx postject "${binaryPath}" NODE_SEA_BLOB --info`;
+      const result = executeCommand(checkCommand, { silent: true });
+
+      // If postject finds info about SEA blob, it means markers exist
+      if (
+        result.includes("NODE_SEA_BLOB") ||
+        result.includes("NODE_SEA_FUSE")
+      ) {
+        return true;
+      }
+    } catch (postjectError) {
+      // Postject error usually means no SEA markers, but let's do binary check too
+    }
+
+    // Method 2: Direct binary content check for SEA markers
+    const binaryData = await fs.readFile(binaryPath);
+    const seaFusePattern = Buffer.from(
+      "NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2",
+      "utf8",
+    );
+    const seaBlobPattern = Buffer.from("NODE_SEA_BLOB", "utf8");
+
+    // Check for any occurrence of SEA markers
+    if (
+      binaryData.indexOf(seaFusePattern) !== -1 ||
+      binaryData.indexOf(seaBlobPattern) !== -1
+    ) {
+      return true;
+    }
+
+    return false;
+  } catch (error) {
+    // If we can't check, assume no SEA markers (safer for injection)
+    console.warn(`⚠️  Could not check for SEA markers: ${error.message}`);
+    return false;
+  }
+}
+
+/**
+ * Creates a guaranteed fresh Node.js binary by downloading or extracting from system
+ * @returns {Promise<string>} Path to the fresh binary
+ */
+async function createFreshNodeBinary() {
+  const os = require("os");
+  const crypto = require("crypto");
+
+  // Create a unique temporary path for our fresh binary
+  const tempDir = os.tmpdir();
+  const uniqueId = crypto.randomBytes(8).toString("hex");
+  const freshBinaryPath = path.join(tempDir, `node-fresh-${uniqueId}.exe`);
+
+  try {
+    // Strategy 1: Try to extract Node.js from an MSI installer if available
+    const msiPath = await findNodeMsiInstaller();
+    if (msiPath) {
+      console.log("📦 Extracting fresh Node.js from MSI installer...");
+      const extractedPath = await extractNodeFromMsi(msiPath, freshBinaryPath);
+      if (extractedPath) {
+        return extractedPath;
+      }
+    }
+
+    // Strategy 2: Copy from current process but strip SEA markers
+    console.log(
+      "🔧 Creating fresh copy by stripping SEA markers from current binary...",
+    );
+    await fs.copyFile(process.execPath, freshBinaryPath);
+
+    // Remove any existing SEA markers using binary manipulation
+    const cleaned = await stripSeaMarkers(freshBinaryPath);
+    if (cleaned) {
+      console.log("✅ Successfully created clean Node.js binary");
+      return freshBinaryPath;
+    }
+
+    // Strategy 3: As absolute last resort, download Node.js
+    console.log("⬇️  Downloading fresh Node.js binary...");
+    const downloadedPath = await downloadFreshNodeBinary(freshBinaryPath);
+    if (downloadedPath) {
+      return downloadedPath;
+    }
+  } catch (error) {
+    console.warn(`⚠️  Failed to create fresh binary: ${error.message}`);
+  }
+
+  // Absolute fallback - at least log the issue
+  console.error(
+    "❌ Unable to create fresh Node.js binary - using current process (may have SEA markers)",
+  );
+  throw new Error(
+    "Could not obtain a fresh Node.js binary without SEA markers",
+  );
+}
+
+/**
+ * Strips SEA markers from a Node.js binary using multiple methods
+ * @param {string} binaryPath - Path to the binary to clean
+ * @returns {Promise<boolean>} True if successful
+ */
+async function stripSeaMarkers(binaryPath) {
+  try {
+    console.log(`🧹 Attempting to strip SEA markers from: ${binaryPath}`);
+
+    // Read the binary file
+    const binaryData = await fs.readFile(binaryPath);
+    const originalSize = binaryData.length;
+
+    // Define all possible SEA-related patterns to remove
+    const patterns = [
+      "NODE_SEA_FUSE_fce680ab2cc467b6e072b8b5df1996b2",
+      "NODE_SEA_BLOB",
+      "NODE_SEA_FUSE",
+      "sea_blob_size",
+      "SEA_BLOB_START",
+      "SEA_BLOB_END",
+    ];
+
+    let modified = false;
+    let totalReplacements = 0;
+
+    // Replace all patterns with null bytes
+    for (const patternStr of patterns) {
+      const pattern = Buffer.from(patternStr, "utf8");
+      const nullReplacement = Buffer.alloc(pattern.length, 0);
+      let searchStart = 0;
+      let patternReplacements = 0;
+
+      while (true) {
+        const index = binaryData.indexOf(pattern, searchStart);
+        if (index === -1) break;
+
+        console.log(`🧹 Removing "${patternStr}" marker at offset ${index}`);
+        binaryData.set(nullReplacement, index);
+        modified = true;
+        patternReplacements++;
+        totalReplacements++;
+        searchStart = index + pattern.length;
+      }
+
+      if (patternReplacements > 0) {
+        console.log(
+          `   ✅ Removed ${patternReplacements} instances of "${patternStr}"`,
+        );
+      }
+    }
+
+    if (modified) {
+      // Create backup before modifying
+      const backupPath = `${binaryPath}.backup`;
+      await fs.copyFile(binaryPath, backupPath);
+      console.log(`📋 Created backup: ${backupPath}`);
+
+      // Write the cleaned binary back
+      await fs.writeFile(binaryPath, binaryData);
+      console.log(
+        `✅ Successfully stripped ${totalReplacements} SEA markers from binary`,
+      );
+
+      // Verify the binary still works
+      const { executeCommand } = require("./utils");
+      try {
+        const versionResult = executeCommand(`"${binaryPath}" --version`, {
+          silent: true,
+        });
+        if (versionResult.includes("v")) {
+          console.log(`✅ Cleaned binary verified: ${versionResult.trim()}`);
+
+          // Clean up backup if verification successful
+          await fs.remove(backupPath);
+
+          return true;
+        } else {
+          throw new Error("Binary verification failed");
+        }
+      } catch (verifyError) {
+        console.warn(
+          `⚠️  Binary verification failed, restoring backup: ${verifyError.message}`,
+        );
+        await fs.copyFile(backupPath, binaryPath);
+        await fs.remove(backupPath);
+        return false;
+      }
+    } else {
+      console.log(
+        `✅ No SEA markers found in binary (size: ${originalSize} bytes)`,
+      );
+      return true; // No markers to strip is success
+    }
+  } catch (error) {
+    console.warn(`⚠️  Failed to strip SEA markers: ${error.message}`);
+    return false;
+  }
+}
+
+/**
+ * Finds Node.js MSI installer files on the system
+ * @returns {Promise<string|null>} Path to MSI installer or null
+ */
+async function findNodeMsiInstaller() {
+  // Common locations where Node.js MSI installers might be found
+  const searchPaths = [
+    path.join(os.homedir(), "Downloads"),
+    path.join(os.homedir(), "Desktop"),
+    "C:\\Temp",
+    "C:\\Downloads",
+  ];
+
+  for (const searchPath of searchPaths) {
+    try {
+      if (await fs.pathExists(searchPath)) {
+        const files = await fs.readdir(searchPath);
+        const msiFile = files.find(
+          (file) =>
+            file.toLowerCase().includes("node") &&
+            file.toLowerCase().endsWith(".msi"),
+        );
+        if (msiFile) {
+          return path.join(searchPath, msiFile);
+        }
+      }
+    } catch (error) {
+      // Ignore search errors
+    }
+  }
+
+  return null;
+}
+
+/**
+ * Extracts Node.js binary from MSI installer
+ * @param {string} msiPath - Path to MSI installer
+ * @param {string} outputPath - Where to extract the binary
+ * @returns {Promise<string|null>} Path to extracted binary or null
+ */
+async function extractNodeFromMsi(msiPath, outputPath) {
+  try {
+    const { executeCommand } = require("./utils");
+    const tempExtractDir = path.join(os.tmpdir(), `node-extract-${Date.now()}`);
+
+    // Extract MSI contents
+    const extractCommand = `msiexec /a "${msiPath}" /qn TARGETDIR="${tempExtractDir}"`;
+    executeCommand(extractCommand, { silent: true });
+
+    // Find node.exe in extracted contents
+    const findNodePath = async (dir) => {
+      const items = await fs.readdir(dir);
+      for (const item of items) {
+        const itemPath = path.join(dir, item);
+        const stat = await fs.stat(itemPath);
+        if (stat.isDirectory()) {
+          const found = await findNodePath(itemPath);
+          if (found) return found;
+        } else if (item === "node.exe") {
+          return itemPath;
+        }
+      }
+      return null;
+    };
+
+    const extractedNodePath = await findNodePath(tempExtractDir);
+    if (extractedNodePath) {
+      await fs.copyFile(extractedNodePath, outputPath);
+      await fs.remove(tempExtractDir);
+      return outputPath;
+    }
+
+    await fs.remove(tempExtractDir);
+    return null;
+  } catch (error) {
+    console.warn(`⚠️  MSI extraction failed: ${error.message}`);
+    return null;
+  }
+}
+
+/**
+ * Downloads a fresh Node.js binary from the official website
+ * @param {string} outputPath - Where to save the downloaded binary
+ * @returns {Promise<string|null>} Path to downloaded binary or null
+ */
+async function downloadFreshNodeBinary(outputPath) {
+  try {
+    const https = require("https");
+    const { executeCommand } = require("./utils");
+
+    // Get current Node.js version to download the same version
+    const currentVersion = process.version; // e.g., v18.17.0
+
+    // Download URL for Windows x64 Node.js binary
+    const downloadUrl = `https://nodejs.org/dist/${currentVersion}/win-x64/node.exe`;
+
+    console.log(
+      `📥 Downloading Node.js ${currentVersion} from official source...`,
+    );
+
+    // Use curl or PowerShell to download
+    try {
+      const curlCommand = `curl -L -o "${outputPath}" "${downloadUrl}"`;
+      executeCommand(curlCommand, { silent: true });
+    } catch (curlError) {
+      // Fallback to PowerShell
+      const psCommand = `powershell -Command "Invoke-WebRequest -Uri '${downloadUrl}' -OutFile '${outputPath}'"`;
+      executeCommand(psCommand, { silent: true });
+    }
+
+    // Verify the download
+    if (await fs.pathExists(outputPath)) {
+      const versionResult = executeCommand(`"${outputPath}" --version`, {
+        silent: true,
+      });
+      if (versionResult.includes("v")) {
+        console.log(
+          `✅ Downloaded fresh Node.js binary: ${versionResult.trim()}`,
+        );
+        return outputPath;
+      }
+    }
+
+    return null;
+  } catch (error) {
+    console.warn(`⚠️  Download failed: ${error.message}`);
+    return null;
+  }
+}
+
+/**
+ * Creates a super fresh Node.js binary using direct download
+ * @returns {Promise<string|null>} Path to the super fresh binary or null
+ */
+async function createSuperFreshBinary() {
+  try {
+    const os = require("os");
+    const crypto = require("crypto");
+    const https = require("https");
+
+    // Create a unique temporary path for our super fresh binary
+    const tempDir = os.tmpdir();
+    const uniqueId = crypto.randomBytes(8).toString("hex");
+    const superFreshBinaryPath = path.join(
+      tempDir,
+      `node-super-fresh-${uniqueId}.exe`,
+    );
+
+    // Get current Node.js version to download the same version
+    const currentVersion = process.version; // e.g., v18.17.0
+    const downloadUrl = `https://nodejs.org/dist/${currentVersion}/win-x64/node.exe`;
+
+    console.log(
+      `📥 Downloading guaranteed fresh Node.js ${currentVersion} binary from official source...`,
+    );
+
+    // Use Node.js built-in https to download (most reliable method)
+    await new Promise((resolve, reject) => {
+      const file = fs.createWriteStream(superFreshBinaryPath);
+
+      https
+        .get(downloadUrl, (response) => {
+          if (response.statusCode === 200) {
+            response.pipe(file);
+            file.on("finish", () => {
+              file.close();
+              resolve();
+            });
+          } else if (
+            response.statusCode === 302 ||
+            response.statusCode === 301
+          ) {
+            // Handle redirects
+            file.close();
+            fs.unlink(superFreshBinaryPath, () => {});
+            https
+              .get(response.headers.location, (redirectResponse) => {
+                if (redirectResponse.statusCode === 200) {
+                  const redirectFile =
+                    fs.createWriteStream(superFreshBinaryPath);
+                  redirectResponse.pipe(redirectFile);
+                  redirectFile.on("finish", () => {
+                    redirectFile.close();
+                    resolve();
+                  });
+                } else {
+                  reject(
+                    new Error(
+                      `Failed to download after redirect: HTTP ${redirectResponse.statusCode}`,
+                    ),
+                  );
+                }
+              })
+              .on("error", reject);
+          } else {
+            reject(
+              new Error(
+                `Failed to download Node.js: HTTP ${response.statusCode}`,
+              ),
+            );
+          }
+        })
+        .on("error", (err) => {
+          fs.unlink(superFreshBinaryPath, () => {});
+          reject(err);
+        });
+    });
+
+    // Verify the download
+    if (await fs.pathExists(superFreshBinaryPath)) {
+      const { executeCommand } = require("./utils");
+      const versionResult = executeCommand(
+        `"${superFreshBinaryPath}" --version`,
+        { silent: true },
+      );
+      if (versionResult.includes("v")) {
+        console.log(
+          `✅ Downloaded super fresh Node.js binary: ${versionResult.trim()}`,
+        );
+
+        // Verify it has no SEA markers
+        const hasSeaMarkers = await checkForSeaMarkers(superFreshBinaryPath);
+        if (!hasSeaMarkers) {
+          console.log("✅ Confirmed: Super fresh binary has no SEA markers");
+          return superFreshBinaryPath;
+        } else {
+          console.warn(
+            "⚠️  Warning: Even downloaded binary has SEA markers (very unusual)",
+          );
+          return superFreshBinaryPath; // Still return it, might work with overwrite
+        }
+      }
+    }
+
+    return null;
+  } catch (error) {
+    console.warn(`⚠️  Super fresh binary download failed: ${error.message}`);
+    return null;
+  }
+}
+
+/**
+ * Signs the SEA executable
+ * @param {string} executablePath - Path to executable
+ * @param {Object} config - Configuration object
+ */
+async function signSEAExecutable(executablePath, config) {
+  try {
+    const { determineSigningMethod } = require("./certificates");
+    const { findWindowsSDKTools } = require("./utils");
+
+    const signingMethod = await determineSigningMethod(config);
+    if (!signingMethod) {
+      console.log("No signing configuration found, skipping...");
+      return;
+    }
+
+    const tools = findWindowsSDKTools();
+    let signCommand;
+
+    if (signingMethod.method === "pfx") {
+      const { pfxPath, password, timestampUrl } = signingMethod.parameters;
+      signCommand = `"${tools.signtool}" sign /f "${pfxPath}" /p "${password}" /tr "${timestampUrl}" /td SHA256 /fd SHA256 "${executablePath}"`;
+    } else if (signingMethod.method === "store") {
+      const { thumbprint, store, timestampUrl } = signingMethod.parameters;
+      const storeLocation = store.toLowerCase() === "localmachine" ? "/sm" : "";
+      signCommand = `"${tools.signtool}" sign /sha1 "${thumbprint}" /s "My" ${storeLocation} /fd SHA256 "${executablePath}"`;
+    }
+
+    if (signCommand) {
+      executeCommand(signCommand);
+      console.log("✅ SEA executable signed successfully");
+    }
+  } catch (error) {
+    console.warn(`Warning: Could not sign SEA executable: ${error.message}`);
+  }
+}
+
+/**
+ * Creates a PKG fallback executable
+ * @param {string} packageDir - Package directory path
+ * @param {Object} config - Configuration object
+ * @param {Object} packageJson - package.json content
+ */
+async function createFallbackLauncher(packageDir, config, packageJson) {
+  try {
+    console.log("📦 Creating PKG fallback executable...");
+
+    const executableName = `${config.appName || "app"}.exe`;
+    const executablePath = path.join(packageDir, executableName);
+    const mainScript = packageJson.main || "index.js";
+
+    // Create launcher script with proper directory handling
+    const launcherContent = `#!/usr/bin/env node
+// PKG Launcher for ${config.displayName || config.appName}
+
+console.log('🚀 Starting ${config.displayName || config.appName}...');
+
+// Set working directory - handle PKG snapshot case
+try {
+  if (__dirname.includes('snapshot')) {
+    // Running from PKG, use the executable's directory
+    const path = require('path');
+    const execDir = path.dirname(process.execPath);
+    process.chdir(execDir);
+  } else {
+    // Running in development mode
+    process.chdir(__dirname);
+  }
+} catch (err) {
+  console.warn('Could not change working directory:', err.message);
+}
+
+// Load the main application
+try {
+  require('./${mainScript}');
+} catch (error) {
+  console.error('❌ Failed to start application:', error.message);
+  console.error(error.stack);
+  process.exit(1);
+}
+`;
+
+    const launcherScript = path.join(packageDir, "launcher.js");
+    await fs.writeFile(launcherScript, launcherContent);
+
+    // Create PKG configuration
+    const pkgConfig = {
+      name: config.appName || "app",
+      version: packageJson.version || "1.0.0",
+      main: "launcher.js",
+      bin: "launcher.js",
+      pkg: {
+        scripts: [mainScript],
+        targets: ["node18-win-x64"],
+        outputPath: ".",
+      },
+      dependencies: packageJson.dependencies || {},
+    };
+
+    const pkgConfigPath = path.join(packageDir, "pkg-config.json");
+    await fs.writeJson(pkgConfigPath, pkgConfig, { spaces: 2 });
+
+    // Create executable with PKG
+    const finalExeName = path.basename(executablePath, ".exe");
+    const pkgCommand = `npx pkg launcher.js --target node18-win-x64 --output "${finalExeName}" --config pkg-config.json`;
+
+    executeCommand(pkgCommand, { cwd: packageDir });
+
+    // Verify executable was created
+    if (await fs.pathExists(executablePath)) {
+      console.log(`✅ Created executable with PKG: ${executableName}`);
+
+      // Clean up temporary files
+      await fs.remove(launcherScript);
+      await fs.remove(pkgConfigPath);
+
+      // Update config
+      config.executable = executableName;
+      delete config.executableArgs;
+
+      return true;
+    }
+  } catch (pkgError) {
+    console.warn(`⚠️  PKG fallback failed: ${pkgError.message}`);
+    return false;
+  }
+}
+
+module.exports = {
+  createSingleExecutableApp,
+  createFallbackLauncher,
+  getFreshNodeBinary,
+};