@socketsecurity/lib 5.1.4 → 5.2.0

package/CHANGELOG.md

@@ -5,6 +5,21 @@ All notable changes to this project will be documented in this file.
 The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
 and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
 
+## [5.2.0](https://github.com/SocketDev/socket-lib/releases/tag/v5.2.0) - 2026-01-06
+
+### Added
+
+- **releases**: Added GitHub release download utilities for cross-project use
+  - Added `downloadGitHubRelease()` for downloading releases from any GitHub repository
+  - Added `downloadSocketBtmRelease()` specialized wrapper for socket-btm releases
+  - Features version caching with `.version` files to avoid redundant downloads
+  - Supports cross-platform binary downloads (darwin, linux, win32) with automatic platform/arch detection
+  - Includes Linux musl/glibc support with musl as default for broader compatibility
+  - Automatically removes macOS quarantine attributes from downloaded binaries
+  - Supports generic asset downloads (WASM files, models, etc.)
+  - API inspired by industry tools: `brew`, `cargo`, `gh` for intuitive usage
+  - Package exports: `@socketsecurity/lib/releases/github` and `@socketsecurity/lib/releases/socket-btm`
+
 ## [5.1.4](https://github.com/SocketDev/socket-lib/releases/tag/v5.1.4) - 2025-12-30
 
 ### Fixed

package/dist/releases/github.d.ts

@@ -0,0 +1,179 @@
+/**
+ * Socket-btm GitHub repository configuration.
+ */
+export declare const SOCKET_BTM_REPO: {
+    readonly owner: "SocketDev";
+    readonly repo: "socket-btm";
+};
+/**
+ * Configuration for repository access.
+ */
+export interface RepoConfig {
+    /**
+     * GitHub repository owner/organization.
+     */
+    owner: string;
+    /**
+     * GitHub repository name.
+     */
+    repo: string;
+}
+/**
+ * Get latest release tag matching a tool prefix.
+ *
+ * Searches recent releases for the first tag matching the given prefix.
+ * Useful for finding latest versions of tools with date-based tags like
+ * `node-smol-20260105-c47753c` or `binject-20260106-1df5745`.
+ *
+ * @param toolPrefix - Tool name prefix to search for (e.g., 'node-smol-', 'binject-')
+ * @param repoConfig - Repository configuration (owner/repo)
+ * @param options - Additional options
+ * @returns Latest release tag or null if not found
+ *
+ * @example
+ * ```ts
+ * const tag = await getLatestRelease('node-smol-', {
+ *   owner: 'SocketDev',
+ *   repo: 'socket-btm'
+ * })
+ * // Returns: 'node-smol-20260105-c47753c'
+ * ```
+ */
+export declare function getLatestRelease(toolPrefix: string, repoConfig: RepoConfig, options?: {
+    quiet?: boolean;
+}): Promise<string | null>;
+/**
+ * Get download URL for a specific release asset.
+ *
+ * @param tag - Release tag name (e.g., 'node-smol-20260105-c47753c')
+ * @param assetName - Asset name to download (e.g., 'node-linux-x64-musl')
+ * @param repoConfig - Repository configuration (owner/repo)
+ * @param options - Additional options
+ * @returns Browser download URL for the asset
+ *
+ * @example
+ * ```ts
+ * const url = await getReleaseAssetUrl(
+ *   'node-smol-20260105-c47753c',
+ *   'node-linux-x64-musl',
+ *   { owner: 'SocketDev', repo: 'socket-btm' }
+ * )
+ * ```
+ */
+export declare function getReleaseAssetUrl(tag: string, assetName: string, repoConfig: RepoConfig, options?: {
+    quiet?: boolean;
+}): Promise<string | null>;
+/**
+ * Download a specific release asset.
+ *
+ * Uses browser_download_url to avoid consuming GitHub API quota.
+ * Automatically follows redirects and retries on failure.
+ *
+ * @param tag - Release tag name
+ * @param assetName - Asset name to download
+ * @param outputPath - Path to write the downloaded file
+ * @param repoConfig - Repository configuration (owner/repo)
+ * @param options - Additional options
+ *
+ * @example
+ * ```ts
+ * await downloadReleaseAsset(
+ *   'node-smol-20260105-c47753c',
+ *   'node-linux-x64-musl',
+ *   '/path/to/output/node',
+ *   { owner: 'SocketDev', repo: 'socket-btm' }
+ * )
+ * ```
+ */
+export declare function downloadReleaseAsset(tag: string, assetName: string, outputPath: string, repoConfig: RepoConfig, options?: {
+    quiet?: boolean;
+}): Promise<void>;
+/**
+ * Configuration for downloading a GitHub release.
+ */
+export interface DownloadGitHubReleaseConfig {
+    /**
+     * GitHub repository owner/organization.
+     */
+    owner: string;
+    /**
+     * GitHub repository name.
+     */
+    repo: string;
+    /**
+     * Working directory (defaults to process.cwd()).
+     * Used to resolve relative paths in downloadDir.
+     */
+    cwd?: string;
+    /**
+     * Download destination directory.
+     * Can be absolute or relative to cwd.
+     * @default 'build/downloaded' (relative to cwd)
+     */
+    downloadDir?: string;
+    /**
+     * Tool name for directory structure (e.g., 'node-smol', 'binject', 'lief').
+     * Creates subdirectory: {downloadDir}/{toolName}/{platformArch}/
+     */
+    toolName: string;
+    /**
+     * Platform-arch identifier (e.g., 'linux-x64-musl', 'darwin-arm64').
+     * Used for the download directory path.
+     */
+    platformArch: string;
+    /**
+     * Binary filename (e.g., 'node', 'binject', 'lief', 'node.exe').
+     */
+    binaryName: string;
+    /**
+     * Asset name on GitHub (e.g., 'node-linux-x64-musl', 'binject-darwin-arm64').
+     */
+    assetName: string;
+    /**
+     * Tool prefix for finding latest release (e.g., 'node-smol-', 'binject-').
+     * Either this or `tag` must be provided.
+     */
+    toolPrefix?: string;
+    /**
+     * Specific release tag to download (e.g., 'node-smol-20260105-c47753c').
+     * If not provided, uses `toolPrefix` to find the latest release.
+     */
+    tag?: string;
+    /**
+     * Suppress log messages.
+     * @default false
+     */
+    quiet?: boolean;
+    /**
+     * Remove macOS quarantine attribute after download.
+     * Only applies when downloading on macOS for macOS binaries.
+     * @default true
+     */
+    removeMacOSQuarantine?: boolean;
+}
+/**
+ * Download a binary from any GitHub repository with version caching.
+ *
+ * Downloads to: `{downloadDir}/{toolName}/{platformArch}/{binaryName}`
+ * Caches version in: `{downloadDir}/{toolName}/{platformArch}/.version`
+ *
+ * @param config - Download configuration
+ * @returns Path to the downloaded binary
+ *
+ * @example
+ * ```ts
+ * // Download from any GitHub repo
+ * const nodePath = await downloadGitHubRelease({
+ *   owner: 'nodejs',
+ *   repo: 'node',
+ *   cwd: process.cwd(),
+ *   downloadDir: 'build/downloaded',  // relative to cwd
+ *   toolName: 'node',
+ *   platformArch: 'linux-x64',
+ *   binaryName: 'node',
+ *   assetName: 'node-v20.10.0-linux-x64.tar.gz',
+ *   tag: 'v20.10.0'
+ * })
+ * ```
+ */
+export declare function downloadGitHubRelease(config: DownloadGitHubReleaseConfig): Promise<string>;

package/dist/releases/github.js

@@ -0,0 +1,258 @@
+"use strict";
+/* Socket Lib - Built with esbuild */
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var github_exports = {};
+__export(github_exports, {
+  SOCKET_BTM_REPO: () => SOCKET_BTM_REPO,
+  downloadGitHubRelease: () => downloadGitHubRelease,
+  downloadReleaseAsset: () => downloadReleaseAsset,
+  getLatestRelease: () => getLatestRelease,
+  getReleaseAssetUrl: () => getReleaseAssetUrl
+});
+module.exports = __toCommonJS(github_exports);
+var import_node_fs = require("node:fs");
+var import_promises = require("node:fs/promises");
+var import_node_path = __toESM(require("node:path"));
+var import_fs = require("../fs.js");
+var import_http_request = require("../http-request.js");
+var import_logger = require("../logger.js");
+var import_promises2 = require("../promises.js");
+var import_spawn = require("../spawn.js");
+const logger = (0, import_logger.getDefaultLogger)();
+const SOCKET_BTM_REPO = {
+  owner: "SocketDev",
+  repo: "socket-btm"
+};
+const RETRY_CONFIG = Object.freeze({
+  __proto__: null,
+  // Exponential backoff: delay doubles with each retry (5s, 10s, 20s).
+  backoffFactor: 2,
+  // Initial delay before first retry.
+  baseDelayMs: 5e3,
+  // Maximum number of retry attempts (excluding initial request).
+  retries: 2
+});
+function getAuthHeaders() {
+  const token = process.env["GH_TOKEN"] || process.env["GITHUB_TOKEN"];
+  const headers = {
+    Accept: "application/vnd.github+json",
+    "X-GitHub-Api-Version": "2022-11-28"
+  };
+  if (token) {
+    headers["Authorization"] = `Bearer ${token}`;
+  }
+  return headers;
+}
+async function getLatestRelease(toolPrefix, repoConfig, options = {}) {
+  const { owner, repo } = repoConfig;
+  const { quiet = false } = options;
+  return await (0, import_promises2.pRetry)(
+    async () => {
+      const response = await (0, import_http_request.httpRequest)(
+        `https://api.github.com/repos/${owner}/${repo}/releases?per_page=100`,
+        {
+          headers: getAuthHeaders()
+        }
+      );
+      if (!response.ok) {
+        throw new Error(`Failed to fetch releases: ${response.status}`);
+      }
+      const releases = JSON.parse(response.body.toString("utf8"));
+      for (const release of releases) {
+        const { tag_name: tag } = release;
+        if (tag.startsWith(toolPrefix)) {
+          if (!quiet) {
+            logger.info(`Found release: ${tag}`);
+          }
+          return tag;
+        }
+      }
+      if (!quiet) {
+        logger.info(`No ${toolPrefix} release found in latest 100 releases`);
+      }
+      return null;
+    },
+    {
+      ...RETRY_CONFIG,
+      onRetry: (attempt, error) => {
+        if (!quiet) {
+          logger.info(
+            `Retry attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} for ${toolPrefix} release...`
+          );
+          logger.warn(
+            `Attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} failed: ${error instanceof Error ? error.message : String(error)}`
+          );
+        }
+        return void 0;
+      }
+    }
+  );
+}
+async function getReleaseAssetUrl(tag, assetName, repoConfig, options = {}) {
+  const { owner, repo } = repoConfig;
+  const { quiet = false } = options;
+  return await (0, import_promises2.pRetry)(
+    async () => {
+      const response = await (0, import_http_request.httpRequest)(
+        `https://api.github.com/repos/${owner}/${repo}/releases/tags/${tag}`,
+        {
+          headers: getAuthHeaders()
+        }
+      );
+      if (!response.ok) {
+        throw new Error(`Failed to fetch release ${tag}: ${response.status}`);
+      }
+      const release = JSON.parse(response.body.toString("utf8"));
+      const asset = release.assets.find(
+        (a) => a.name === assetName
+      );
+      if (!asset) {
+        throw new Error(`Asset ${assetName} not found in release ${tag}`);
+      }
+      if (!quiet) {
+        logger.info(`Found asset: ${assetName}`);
+      }
+      return asset.browser_download_url;
+    },
+    {
+      ...RETRY_CONFIG,
+      onRetry: (attempt, error) => {
+        if (!quiet) {
+          logger.info(
+            `Retry attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} for asset URL...`
+          );
+          logger.warn(
+            `Attempt ${attempt + 1}/${RETRY_CONFIG.retries + 1} failed: ${error instanceof Error ? error.message : String(error)}`
+          );
+        }
+        return void 0;
+      }
+    }
+  );
+}
+async function downloadReleaseAsset(tag, assetName, outputPath, repoConfig, options = {}) {
+  const { owner, repo } = repoConfig;
+  const { quiet = false } = options;
+  const downloadUrl = await getReleaseAssetUrl(
+    tag,
+    assetName,
+    { owner, repo },
+    { quiet }
+  );
+  if (!downloadUrl) {
+    throw new Error(`Asset ${assetName} not found in release ${tag}`);
+  }
+  await (0, import_fs.safeMkdir)(import_node_path.default.dirname(outputPath));
+  await (0, import_http_request.httpDownload)(downloadUrl, outputPath, {
+    logger: quiet ? void 0 : logger,
+    progressInterval: 10,
+    retries: 2,
+    retryDelay: 5e3
+  });
+}
+async function downloadGitHubRelease(config) {
+  const {
+    assetName,
+    binaryName,
+    cwd = process.cwd(),
+    downloadDir = "build/downloaded",
+    owner,
+    platformArch,
+    quiet = false,
+    removeMacOSQuarantine = true,
+    repo,
+    tag: explicitTag,
+    toolName,
+    toolPrefix
+  } = config;
+  let tag;
+  if (explicitTag) {
+    tag = explicitTag;
+  } else if (toolPrefix) {
+    const latestTag = await getLatestRelease(
+      toolPrefix,
+      { owner, repo },
+      { quiet }
+    );
+    if (!latestTag) {
+      throw new Error(`No ${toolPrefix} release found in ${owner}/${repo}`);
+    }
+    tag = latestTag;
+  } else {
+    throw new Error("Either toolPrefix or tag must be provided");
+  }
+  const resolvedDownloadDir = import_node_path.default.isAbsolute(downloadDir) ? downloadDir : import_node_path.default.join(cwd, downloadDir);
+  const binaryDir = import_node_path.default.join(resolvedDownloadDir, toolName, platformArch);
+  const binaryPath = import_node_path.default.join(binaryDir, binaryName);
+  const versionPath = import_node_path.default.join(binaryDir, ".version");
+  if ((0, import_node_fs.existsSync)(versionPath) && (0, import_node_fs.existsSync)(binaryPath)) {
+    const cachedVersion = (await (0, import_promises.readFile)(versionPath, "utf8")).trim();
+    if (cachedVersion === tag) {
+      if (!quiet) {
+        logger.info(`Using cached ${toolName} (${platformArch}): ${binaryPath}`);
+      }
+      return binaryPath;
+    }
+  }
+  if (!quiet) {
+    logger.info(`Downloading ${toolName} for ${platformArch}...`);
+  }
+  await downloadReleaseAsset(
+    tag,
+    assetName,
+    binaryPath,
+    { owner, repo },
+    { quiet }
+  );
+  const isWindows = binaryName.endsWith(".exe");
+  if (!isWindows) {
+    await (0, import_promises.chmod)(binaryPath, 493);
+    if (removeMacOSQuarantine && process.platform === "darwin" && platformArch.startsWith("darwin")) {
+      try {
+        await (0, import_spawn.spawn)("xattr", ["-d", "com.apple.quarantine", binaryPath], {
+          stdio: "ignore"
+        });
+      } catch {
+      }
+    }
+  }
+  await (0, import_promises.writeFile)(versionPath, tag, "utf8");
+  if (!quiet) {
+    logger.info(`Downloaded ${toolName} to ${binaryPath}`);
+  }
+  return binaryPath;
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  SOCKET_BTM_REPO,
+  downloadGitHubRelease,
+  downloadReleaseAsset,
+  getLatestRelease,
+  getReleaseAssetUrl
+});

package/dist/releases/socket-btm.d.ts

@@ -0,0 +1,221 @@
+/**
+ * Platform type for socket-btm binaries.
+ */
+export type Platform = 'darwin' | 'linux' | 'win32';
+/**
+ * Architecture type for socket-btm binaries.
+ */
+export type Arch = 'arm64' | 'x64';
+/**
+ * Linux libc variant.
+ */
+export type Libc = 'musl' | 'glibc';
+/**
+ * Configuration for downloading socket-btm binary releases.
+ */
+export interface SocketBtmBinaryConfig {
+    /**
+     * Working directory (defaults to process.cwd()).
+     */
+    cwd?: string;
+    /**
+     * Download destination directory.
+     * Can be absolute or relative to cwd.
+     * @default 'build/downloaded' (relative to cwd)
+     *
+     * Inspired by: gh release download --dir
+     */
+    downloadDir?: string;
+    /**
+     * Tool/package name for directory structure and release matching.
+     * Similar to: brew install <formula>, cargo install <crate>
+     *
+     * Examples: 'node-smol', 'binject', 'binflate'
+     *
+     * Used for:
+     * - Directory path: {downloadDir}/{tool}/{platformArch}/
+     * - Finding release: Searches for tags starting with '{tool}-'
+     */
+    tool: string;
+    /**
+     * Binary/executable name (without extension).
+     * Similar to: brew formula→binary mapping (postgresql→psql, imagemagick→magick)
+     *
+     * Examples: 'node', 'binject', 'psql', 'magick'
+     *
+     * Used to construct:
+     * - Asset pattern: {bin}-{platform}-{arch}[-musl][.exe]
+     * - Output filename: {bin} or {bin}.exe
+     *
+     * Presence of this field indicates binary download (vs asset download).
+     *
+     * @default tool (e.g., 'binject'→'binject', but 'node-smol'→'node-smol')
+     */
+    bin?: string;
+    /**
+     * Target platform (defaults to current platform).
+     */
+    targetPlatform?: Platform;
+    /**
+     * Target architecture (defaults to current arch).
+     */
+    targetArch?: Arch;
+    /**
+     * Linux libc variant (musl or glibc).
+     * Defaults to musl for Linux for broader compatibility.
+     * Ignored for non-Linux platforms.
+     */
+    libc?: Libc;
+    /**
+     * Specific release tag to download.
+     * Inspired by: gh release download <tag>
+     *
+     * If not provided, downloads the latest release matching '{tool}-*' pattern.
+     *
+     * Examples: 'node-smol-20260105-c47753c', 'binject-20260106-1df5745'
+     */
+    tag?: string;
+    /**
+     * Suppress log messages.
+     * @default false
+     */
+    quiet?: boolean;
+    /**
+     * Remove macOS quarantine attribute after download.
+     * Only applies when downloading on macOS for macOS binaries.
+     * @default true
+     */
+    removeMacOSQuarantine?: boolean;
+    // Discriminator: presence of 'asset' means this is NOT a binary config
+    asset?: never;
+}
+/**
+ * Configuration for downloading socket-btm generic assets.
+ */
+export interface SocketBtmAssetConfig {
+    /**
+     * Working directory (defaults to process.cwd()).
+     */
+    cwd?: string;
+    /**
+     * Download destination directory.
+     * Can be absolute or relative to cwd.
+     * @default 'build/downloaded' (relative to cwd)
+     *
+     * Inspired by: gh release download --dir
+     */
+    downloadDir?: string;
+    /**
+     * Tool/package name for directory structure and release matching.
+     *
+     * Examples: 'yoga-layout', 'onnxruntime', 'models'
+     *
+     * Used for:
+     * - Directory path: {downloadDir}/{tool}/assets/
+     * - Finding release: Searches for tags starting with '{tool}-'
+     */
+    tool: string;
+    /**
+     * Asset name pattern on GitHub.
+     * Inspired by: gh release download --pattern
+     *
+     * Examples: 'yoga-sync.mjs', 'ort-wasm-simd.wasm', '*.onnx'
+     *
+     * Presence of this field indicates asset download (vs binary download).
+     */
+    asset: string;
+    /**
+     * Output filename (e.g., 'yoga-sync.mjs').
+     * Inspired by: gh release download --output
+     *
+     * @default asset (uses the asset name as-is)
+     */
+    output?: string;
+    /**
+     * Specific release tag to download.
+     * Inspired by: gh release download <tag>
+     *
+     * If not provided, downloads the latest release matching '{tool}-*' pattern.
+     *
+     * Examples: 'yoga-layout-v20260106-a39285c', 'onnxruntime-v20260106-a39285c'
+     */
+    tag?: string;
+    /**
+     * Suppress log messages.
+     * @default false
+     */
+    quiet?: boolean;
+    /**
+     * Remove macOS quarantine attribute after download.
+     * @default false (not needed for non-executable assets)
+     */
+    removeMacOSQuarantine?: boolean;
+    // Discriminators: mutually exclusive with binary-specific fields
+    bin?: never;
+    targetPlatform?: never;
+    targetArch?: never;
+    libc?: never;
+}
+/**
+ * Configuration for downloading socket-btm releases (binary or asset).
+ */
+export type SocketBtmReleaseConfig = SocketBtmBinaryConfig | SocketBtmAssetConfig;
+/**
+ * Download a release from socket-btm.
+ *
+ * Generic function for downloading any socket-btm binary or asset.
+ * Handles both platform-specific binaries and generic assets.
+ *
+ * @param config - Download configuration
+ * @returns Path to the downloaded file
+ *
+ * @example
+ * ```ts
+ * // Binary: node-smol (like: brew install nodejs → node)
+ * const nodePath = await downloadSocketBtmRelease({
+ *   tool: 'node-smol',
+ *   bin: 'node'
+ * })
+ *
+ * // Binary: binject (like: cargo install binject → binject)
+ * const binjectPath = await downloadSocketBtmRelease({
+ *   tool: 'binject'
+ * })
+ *
+ * // Binary: cross-platform
+ * const binflatePath = await downloadSocketBtmRelease({
+ *   tool: 'binflate',
+ *   targetPlatform: 'linux',
+ *   targetArch: 'x64',
+ *   libc: 'musl'
+ * })
+ *
+ * // Asset: WASM file
+ * const yogaPath = await downloadSocketBtmRelease({
+ *   tool: 'yoga-layout',
+ *   asset: 'yoga-sync.mjs'
+ * })
+ *
+ * // Asset: with custom output name
+ * const ortPath = await downloadSocketBtmRelease({
+ *   tool: 'onnxruntime',
+ *   asset: 'ort-wasm-simd.wasm',
+ *   output: 'ort.wasm'
+ * })
+ *
+ * // Custom paths (like: gh release download --dir)
+ * await downloadSocketBtmRelease({
+ *   tool: 'node-smol',
+ *   bin: 'node',
+ *   cwd: '/path/to/project',
+ *   downloadDir: 'build/cache'
+ * })
+ *
+ * // Specific version (like: gh release download <tag>)
+ * await downloadSocketBtmRelease({
+ *   tool: 'binject',
+ *   tag: 'binject-20260106-1df5745'
+ * })
+ * ```
+ */
+export declare function downloadSocketBtmRelease(config: SocketBtmReleaseConfig): Promise<string>;

package/dist/releases/socket-btm.js

@@ -0,0 +1,131 @@
+"use strict";
+/* Socket Lib - Built with esbuild */
+var __create = Object.create;
+var __defProp = Object.defineProperty;
+var __getOwnPropDesc = Object.getOwnPropertyDescriptor;
+var __getOwnPropNames = Object.getOwnPropertyNames;
+var __getProtoOf = Object.getPrototypeOf;
+var __hasOwnProp = Object.prototype.hasOwnProperty;
+var __export = (target, all) => {
+  for (var name in all)
+    __defProp(target, name, { get: all[name], enumerable: true });
+};
+var __copyProps = (to, from, except, desc) => {
+  if (from && typeof from === "object" || typeof from === "function") {
+    for (let key of __getOwnPropNames(from))
+      if (!__hasOwnProp.call(to, key) && key !== except)
+        __defProp(to, key, { get: () => from[key], enumerable: !(desc = __getOwnPropDesc(from, key)) || desc.enumerable });
+  }
+  return to;
+};
+var __toESM = (mod, isNodeMode, target) => (target = mod != null ? __create(__getProtoOf(mod)) : {}, __copyProps(
+  // If the importer is in node compatibility mode or this is not an ESM
+  // file that has been converted to a CommonJS file using a Babel-
+  // compatible transform (i.e. "__esModule" has not been set), then set
+  // "default" to the CommonJS "module.exports" for node compatibility.
+  isNodeMode || !mod || !mod.__esModule ? __defProp(target, "default", { value: mod, enumerable: true }) : target,
+  mod
+));
+var __toCommonJS = (mod) => __copyProps(__defProp({}, "__esModule", { value: true }), mod);
+var socket_btm_exports = {};
+__export(socket_btm_exports, {
+  downloadSocketBtmRelease: () => downloadSocketBtmRelease
+});
+module.exports = __toCommonJS(socket_btm_exports);
+var import_node_os = __toESM(require("node:os"));
+var import_github = require("./github.js");
+const ARCH_MAP = {
+  arm64: "arm64",
+  x64: "x64"
+};
+function getBinaryAssetName(binaryBaseName, platform, arch, libc) {
+  const mappedArch = ARCH_MAP[arch];
+  if (!mappedArch) {
+    throw new Error(`Unsupported architecture: ${arch}`);
+  }
+  const muslSuffix = platform === "linux" && libc === "musl" ? "-musl" : "";
+  const ext = platform === "win32" ? ".exe" : "";
+  if (platform === "darwin") {
+    return `${binaryBaseName}-darwin-${mappedArch}${ext}`;
+  }
+  if (platform === "linux") {
+    return `${binaryBaseName}-linux-${mappedArch}${muslSuffix}${ext}`;
+  }
+  if (platform === "win32") {
+    return `${binaryBaseName}-win-${mappedArch}${ext}`;
+  }
+  throw new Error(`Unsupported platform: ${platform}`);
+}
+function getPlatformArch(platform, arch, libc) {
+  const mappedArch = ARCH_MAP[arch];
+  if (!mappedArch) {
+    throw new Error(`Unsupported architecture: ${arch}`);
+  }
+  const muslSuffix = platform === "linux" && libc === "musl" ? "-musl" : "";
+  return `${platform}-${mappedArch}${muslSuffix}`;
+}
+function getBinaryName(binaryBaseName, platform) {
+  return platform === "win32" ? `${binaryBaseName}.exe` : binaryBaseName;
+}
+async function downloadSocketBtmRelease(config) {
+  const { cwd, downloadDir, quiet = false, tag, tool } = config;
+  const toolPrefix = `${tool}-`;
+  let downloadConfig;
+  if ("asset" in config) {
+    const {
+      asset,
+      output,
+      removeMacOSQuarantine = false
+    } = config;
+    const outputName = output || asset;
+    const platformArch = "assets";
+    downloadConfig = {
+      owner: import_github.SOCKET_BTM_REPO.owner,
+      repo: import_github.SOCKET_BTM_REPO.repo,
+      cwd,
+      downloadDir,
+      toolName: tool,
+      platformArch,
+      binaryName: outputName,
+      assetName: asset,
+      toolPrefix,
+      tag,
+      quiet,
+      removeMacOSQuarantine
+    };
+  } else {
+    const {
+      bin,
+      libc,
+      removeMacOSQuarantine = true,
+      targetArch,
+      targetPlatform
+    } = config;
+    const baseName = bin || tool;
+    const platform = targetPlatform || import_node_os.default.platform();
+    const arch = targetArch || import_node_os.default.arch();
+    const libcType = libc || (platform === "linux" ? "musl" : void 0);
+    const assetName = getBinaryAssetName(baseName, platform, arch, libcType);
+    const platformArch = getPlatformArch(platform, arch, libcType);
+    const binaryName = getBinaryName(baseName, platform);
+    downloadConfig = {
+      owner: import_github.SOCKET_BTM_REPO.owner,
+      repo: import_github.SOCKET_BTM_REPO.repo,
+      cwd,
+      downloadDir,
+      toolName: tool,
+      platformArch,
+      binaryName,
+      assetName,
+      toolPrefix,
+      tag,
+      quiet,
+      removeMacOSQuarantine
+    };
+  }
+  return await (0, import_github.downloadGitHubRelease)(downloadConfig);
+}
+// Annotate the CommonJS export names for ESM import in node:
+0 && (module.exports = {
+  downloadSocketBtmRelease
+});

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "@socketsecurity/lib",
-  "version": "5.1.4",
+  "version": "5.2.0",
   "packageManager": "pnpm@10.26.2",
   "license": "MIT",
   "description": "Core utilities and infrastructure for Socket.dev security tools",
@@ -523,6 +523,14 @@
       "types": "./dist/regexps.d.ts",
       "default": "./dist/regexps.js"
     },
+    "./releases/github": {
+      "types": "./dist/releases/github.d.ts",
+      "default": "./dist/releases/github.js"
+    },
+    "./releases/socket-btm": {
+      "types": "./dist/releases/socket-btm.d.ts",
+      "default": "./dist/releases/socket-btm.js"
+    },
     "./sea": {
       "types": "./dist/sea.d.ts",
       "default": "./dist/sea.js"