@socketsecurity/lib 6.0.5 → 6.0.6

package/dist/paths/normalize.js

@@ -20,6 +20,7 @@ const require_paths_resolve = require('./resolve.js');
 *     namespace preservation
 *   - `msysDriveToNative` — `/c/path` → `C:/path` on Windows
 */
+const DRIVE_LETTER_REGEXP = /^[A-Za-z]:$/;
 function msysDriveToNative(normalized) {
 	/* c8 ignore start - Windows-only branch. */
 	if (require_constants_platform.WIN32) return normalized.replace(require_paths__internal.msysDriveRegExp, (_, letter, sep) => `${letter.toUpperCase()}:${sep || "/"}`);
@@ -58,7 +59,7 @@ function msysDriveToNative(normalized) {
 * (HTTP requests, file uploads, URL parameters), you MUST validate for path traversal
 * attacks BEFORE calling this function.
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function normalizePath(pathLike) {
 	const filepath = /* @__PURE__ */ require_paths__internal.pathLikeToString(pathLike);
 	const { length } = filepath;
@@ -196,6 +197,7 @@ function normalizePath(pathLike) {
 	}
 	/* c8 ignore stop */
 	if (collapsed.length === 0) return prefix || ".";
+	if (DRIVE_LETTER_REGEXP.test(collapsed) && (require_primordials_string.StringPrototypeCharCodeAt(filepath, 2) === 47 || require_primordials_string.StringPrototypeCharCodeAt(filepath, 2) === 92)) return msysDriveToNative(`${prefix}${collapsed}/`);
 	return msysDriveToNative(prefix + collapsed);
 }
 

package/dist/paths/packages.js

@@ -14,14 +14,14 @@ const require_node_path = require('../node/path.js');
 * POSIX and Windows-style separators so paths captured on either platform
 * classify the same regardless of the host we're running on.
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isPackageJsonFile(filepath) {
 	return filepath === "package.json" || require_primordials_string.StringPrototypeEndsWith(filepath, "/package.json") || require_primordials_string.StringPrototypeEndsWith(filepath, "\\package.json");
 }
 /**
 * Resolve directory path from a package.json file path.
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function resolvePackageJsonDirname(filepath) {
 	if (/* @__PURE__ */ isPackageJsonFile(filepath)) return /* @__PURE__ */ require_paths_normalize.normalizePath((/* @__PURE__ */ require_node_path.getNodePath()).dirname(filepath));
 	return /* @__PURE__ */ require_paths_normalize.normalizePath(filepath);
@@ -29,7 +29,7 @@ function resolvePackageJsonDirname(filepath) {
 /**
 * Resolve full path to package.json from a directory or file path.
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function resolvePackageJsonPath(filepath) {
 	if (/* @__PURE__ */ isPackageJsonFile(filepath)) return /* @__PURE__ */ require_paths_normalize.normalizePath(filepath);
 	return /* @__PURE__ */ require_paths_normalize.normalizePath((/* @__PURE__ */ require_node_path.getNodePath()).join(filepath, "package.json"));

package/dist/paths/predicates.js

@@ -34,7 +34,7 @@ const require_primordials_regexp = require('../primordials/regexp.js');
 *
 * @returns {boolean} `true` if absolute, `false` otherwise
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isAbsolute(pathLike) {
 	const filepath = /* @__PURE__ */ require_paths__internal.pathLikeToString(pathLike);
 	const { length } = filepath;
@@ -64,7 +64,7 @@ function isAbsolute(pathLike) {
 *
 * @returns {boolean} `true` if the path contains `node_modules`
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isNodeModules(pathLike) {
 	return require_primordials_regexp.RegExpPrototypeTest(require_paths__internal.nodeModulesPathRegExp, /* @__PURE__ */ require_paths__internal.pathLikeToString(pathLike));
 }
@@ -87,7 +87,7 @@ function isNodeModules(pathLike) {
 *
 * @returns {boolean} `true` if the value is a valid file path
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isPath(pathLike) {
 	const filepath = /* @__PURE__ */ require_paths__internal.pathLikeToString(pathLike);
 	if (typeof filepath !== "string" || filepath.length === 0) return false;
@@ -117,7 +117,7 @@ function isPath(pathLike) {
 *
 * @returns {boolean} `true` if separator
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isPathSeparator(code) {
 	return code === 47 || code === 92;
 }
@@ -137,7 +137,7 @@ function isPathSeparator(code) {
 *
 * @returns {boolean} `true` if the path is relative
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isRelative(pathLike) {
 	const filepath = /* @__PURE__ */ require_paths__internal.pathLikeToString(pathLike);
 	/* c8 ignore start */
@@ -163,7 +163,7 @@ function isRelative(pathLike) {
 *
 * @returns {boolean} `true` if the path uses MSYS drive letter notation
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isUnixPath(pathLike) {
 	const filepath = /* @__PURE__ */ require_paths__internal.pathLikeToString(pathLike);
 	return typeof filepath === "string" && require_primordials_regexp.RegExpPrototypeTest(require_paths__internal.msysDriveRegExp, filepath);
@@ -183,7 +183,7 @@ function isUnixPath(pathLike) {
 * @returns {boolean} `true` if valid drive-letter code
 */
 /* c8 ignore start - Only called from Windows-only branches. */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isWindowsDeviceRoot(code) {
 	return code >= 65 && code <= 90 || code >= 97 && code <= 122;
 }

package/dist/paths/resolve.js

@@ -38,7 +38,7 @@ const require_paths_normalize = require('./normalize.js');
 *
 * @returns {string} Relative path from `from` to `to`, or empty string if equal
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function relative(from, to) {
 	if (from === to) return "";
 	const actualFrom = /* @__PURE__ */ resolve(from);
@@ -106,7 +106,7 @@ function relative(from, to) {
 *
 * @returns {string} Normalized relative path, or empty string if equal
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function relativeResolve(from, to) {
 	const rel = /* @__PURE__ */ relative(from, to);
 	if (rel === "") return "";
@@ -131,7 +131,7 @@ function relativeResolve(from, to) {
 *
 * @returns {string} The resolved absolute path
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function resolve(...segments) {
 	let resolvedPath = "";
 	let resolvedAbsolute = false;

package/dist/process/spawn/_internal.js

@@ -20,9 +20,9 @@ let _npmCliPromiseSpawn;
 * issues. Required because the upstream module uses CJS dynamic-require
 * patterns that Webpack flags.
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getNpmCliPromiseSpawn() {
-	if (_npmCliPromiseSpawn === void 0) _npmCliPromiseSpawn = /* @__PURE__ */ require("../../external/@npmcli/promise-spawn");
+	if (_npmCliPromiseSpawn === void 0) _npmCliPromiseSpawn = /*@__PURE__*/ require("../../external/@npmcli/promise-spawn");
 	return _npmCliPromiseSpawn;
 }
 /**
@@ -33,7 +33,7 @@ function getNpmCliPromiseSpawn() {
 *
 * @returns {unknown} The modified result object
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function stripAnsiFromSpawnResult(result) {
 	const res = result;
 	const { stderr, stdout } = res;

package/dist/process/spawn/errors.js

@@ -34,7 +34,7 @@ let src_external_pony_cause = require("../../external/pony-cause");
 *   }
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function enhanceSpawnError(error) {
 	if (error === null || typeof error !== "object") return error;
 	if (!/* @__PURE__ */ isSpawnError(error)) return error;
@@ -109,7 +109,7 @@ function enhanceSpawnError(error) {
 *
 * @returns {boolean} `true` if the value has spawn error properties
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isSpawnError(value) {
 	if (value === null || typeof value !== "object") return false;
 	const err = value;

package/dist/process/spawn/stdio.js

@@ -39,7 +39,7 @@ const require_arrays_predicates = require('../../arrays/predicates.js');
 *
 * @returns {boolean} `true` if stdio matches the type or is valid
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function isStdioType(stdio, type) {
 	if (arguments.length === 1) return typeof stdio === "string" && [
 		"pipe",

package/dist/promises/_internal.js

@@ -24,7 +24,7 @@ const abortSignal = require_process_abort.getAbortSignal();
 *
 * @returns The Node.js timers/promises module
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function getTimers() {
 	return require("node:timers/promises");
 }

package/dist/promises/iterate.js

@@ -1,9 +1,9 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_promise = require('../primordials/promise.js');
 const require_promises_options = require('./options.js');
 const require_promises_retry = require('./retry.js');
-const require_primordials_promise = require('../primordials/promise.js');
 const require_arrays_chunk = require('../arrays/chunk.js');
 
 //#region src/promises/iterate.ts
@@ -67,7 +67,7 @@ const require_arrays_chunk = require('../arrays/chunk.js');
 *
 * @returns Promise that resolves when all items are processed
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function pEach(array, callbackFn, options) {
 	const { concurrency, retries, signal } = /* @__PURE__ */ require_promises_options.normalizeIterationOptions(options);
 	const chunks = /* @__PURE__ */ require_arrays_chunk.arrayChunk(array, concurrency);
@@ -133,7 +133,7 @@ async function pEach(array, callbackFn, options) {
 *
 * @returns Promise that resolves when all chunks are processed
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function pEachChunk(array, callbackFn, options) {
 	const { chunkSize = 100, ...retryOpts } = options || {};
 	const chunks = /* @__PURE__ */ require_arrays_chunk.arrayChunk(array, chunkSize);
@@ -194,7 +194,7 @@ async function pEachChunk(array, callbackFn, options) {
 *
 * @returns Promise resolving to filtered array
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function pFilter(array, callbackFn, options) {
 	const iterOpts = /* @__PURE__ */ require_promises_options.normalizeIterationOptions(options);
 	return (await /* @__PURE__ */ pFilterChunk(/* @__PURE__ */ require_arrays_chunk.arrayChunk(array, iterOpts.concurrency), callbackFn, iterOpts.retries)).flat();
@@ -222,7 +222,7 @@ async function pFilter(array, callbackFn, options) {
 *
 * @returns Promise resolving to array of filtered chunks
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function pFilterChunk(chunks, callbackFn, options) {
 	const retryOpts = /* @__PURE__ */ require_promises_options.normalizeRetryOptions(options);
 	const { signal } = retryOpts;

package/dist/promises/options.js

@@ -33,7 +33,7 @@ const require_promises__internal = require('./_internal.js');
 *
 * @returns Normalized options with concurrency, retries, and signal
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function normalizeIterationOptions(options) {
 	const { concurrency = 1, retries, signal = require_promises__internal.abortSignal } = {
 		__proto__: null,
@@ -70,7 +70,7 @@ function normalizeIterationOptions(options) {
 *
 * @returns Normalized retry options with all properties set
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function normalizeRetryOptions(options) {
 	const { args = [], backoffFactor = 2, baseDelayMs = 200, jitter = true, maxDelayMs = 1e4, onRetry, onRetryCancelOnFalse = false, onRetryRethrow = false, retries = 0, signal = require_promises__internal.abortSignal } = /* @__PURE__ */ resolveRetryOptions(options);
 	return {
@@ -105,7 +105,7 @@ function normalizeRetryOptions(options) {
 *
 * @returns Resolved retry options with defaults for basic properties
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 function resolveRetryOptions(options) {
 	const defaults = {
 		__proto__: null,

package/dist/promises/retry.js

@@ -110,7 +110,7 @@ const require_promises_options = require('./options.js');
 *
 * @throws {Error} The last error if all retry attempts fail
 */
-/* @__NO_SIDE_EFFECTS__ */
+/*@__NO_SIDE_EFFECTS__*/
 async function pRetry(callbackFn, options) {
 	const { args, backoffFactor, baseDelayMs, jitter, maxDelayMs, onRetry, onRetryCancelOnFalse, onRetryRethrow, retries, signal } = /* @__PURE__ */ require_promises_options.normalizeRetryOptions(options);
 	if (signal?.aborted) return;

package/dist/secrets/_internal.js

@@ -1,6 +1,7 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_map_set = require('../primordials/map-set.js');
 
 //#region src/secrets/_internal.ts
 /**
@@ -29,8 +30,8 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 *   undefined (entry missing), `undefined` is cached too — callers that want a
 *   re-check after creating the entry must call `invalidate`.
 */
-const valueCache = /* @__PURE__ */ new Map();
-const inflight = /* @__PURE__ */ new Map();
+const valueCache = new require_primordials_map_set.MapCtor();
+const inflight = new require_primordials_map_set.MapCtor();
 function cacheKey(service, account) {
 	return `${service} ${account}`;
 }

package/dist/secrets/keychain.js

@@ -1,6 +1,7 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_error = require('../primordials/error.js');
 const require_secrets__internal = require('./_internal.js');
 const require_secrets_macos = require('./macos.js');
 const require_secrets_linux = require('./linux.js');
@@ -228,9 +229,9 @@ function readSecretSync({ service, account }) {
 * shouldn't show "rewrote N secrets" when nothing actually changed).
 */
 async function writeSecret({ service, account, value, label }) {
-	if (!value || typeof value !== "string") throw new TypeError("writeSecret: value must be a non-empty string");
+	if (!value || typeof value !== "string") throw new require_primordials_error.TypeErrorCtor("writeSecret: value must be a non-empty string");
 	const platform_ = detectPlatform();
-	if (platform_ === "other") throw new Error(`Unsupported platform: ${(0, node_os.platform)()}. Secret storage requires macOS, Linux, or Windows.`);
+	if (platform_ === "other") throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${(0, node_os.platform)()}. Secret storage requires macOS, Linux, or Windows.`);
 	if (await readSecret({
 		service,
 		account
@@ -251,9 +252,9 @@ async function writeSecret({ service, account, value, label }) {
 	return "written";
 }
 function writeSecretSync({ service, account, value, label }) {
-	if (!value || typeof value !== "string") throw new TypeError("writeSecret: value must be a non-empty string");
+	if (!value || typeof value !== "string") throw new require_primordials_error.TypeErrorCtor("writeSecret: value must be a non-empty string");
 	const platform_ = detectPlatform();
-	if (platform_ === "other") throw new Error(`Unsupported platform: ${(0, node_os.platform)()}. Secret storage requires macOS, Linux, or Windows.`);
+	if (platform_ === "other") throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${(0, node_os.platform)()}. Secret storage requires macOS, Linux, or Windows.`);
 	if (readSecretSync({
 		service,
 		account

package/dist/secrets/linux.js

@@ -1,6 +1,8 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_error = require('../primordials/error.js');
+const require_primordials_promise = require('../primordials/promise.js');
 let node_child_process = require("node:child_process");
 
 //#region src/secrets/linux.ts
@@ -19,7 +21,7 @@ let node_child_process = require("node:child_process");
 */
 const SECRET_TOOL_BIN = "secret-tool";
 async function deleteLinux(service, account) {
-	return new Promise((resolve) => {
+	return new require_primordials_promise.PromiseCtor((resolve) => {
 		const child = (0, node_child_process.spawn)(SECRET_TOOL_BIN, [
 			"clear",
 			"service",
@@ -44,7 +46,7 @@ function isLinuxBackendAvailable() {
 	return (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, ["--version"], { stdio: "ignore" }).status === 0;
 }
 async function readLinux(service, account) {
-	return new Promise((resolve) => {
+	return new require_primordials_promise.PromiseCtor((resolve) => {
 		const child = (0, node_child_process.spawn)(SECRET_TOOL_BIN, [
 			"lookup",
 			"service",
@@ -90,7 +92,7 @@ function readLinuxSync(service, account) {
 	return r.stdout.trim() || void 0;
 }
 async function writeLinux(service, account, value, label) {
-	return new Promise((resolve, reject) => {
+	return new require_primordials_promise.PromiseCtor((resolve, reject) => {
 		const child = (0, node_child_process.spawn)(SECRET_TOOL_BIN, [
 			"store",
 			`--label=${label}`,
@@ -136,7 +138,7 @@ function writeLinuxSync(service, account, value, label) {
 			"pipe"
 		]
 	});
-	if (r.status !== 0) throw new Error(`secret-tool store failed (status=${r.status}, user=${account}): ${r.stderr.trim()}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`);
+	if (r.status !== 0) throw new require_primordials_error.ErrorCtor(`secret-tool store failed (status=${r.status}, user=${account}): ${r.stderr.trim()}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`);
 }
 
 //#endregion

package/dist/secrets/macos.js

@@ -1,6 +1,8 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_error = require('../primordials/error.js');
+const require_primordials_promise = require('../primordials/promise.js');
 let node_child_process = require("node:child_process");
 
 //#region src/secrets/macos.ts
@@ -78,7 +80,7 @@ function readMacOSSync(service, account) {
 	return r.stdout.trim() || void 0;
 }
 function runAsync(args, opts = {}) {
-	return new Promise((resolve) => {
+	return new require_primordials_promise.PromiseCtor((resolve) => {
 		const child = (0, node_child_process.spawn)(SECURITY_BIN, args, { stdio: opts.stdio ?? [
 			"ignore",
 			"pipe",
@@ -128,7 +130,7 @@ async function writeMacOS(service, account, value, label) {
 		"-l",
 		label
 	]);
-	if (r.status !== 0) throw new Error(`security(1) add-generic-password failed (status=${r.status}, account=${account}): ${r.stderr.trim()}`);
+	if (r.status !== 0) throw new require_primordials_error.ErrorCtor(`security(1) add-generic-password failed (status=${r.status}, account=${account}): ${r.stderr.trim()}`);
 }
 function writeMacOSSync(service, account, value, label) {
 	const r = (0, node_child_process.spawnSync)(SECURITY_BIN, [
@@ -155,7 +157,7 @@ function writeMacOSSync(service, account, value, label) {
 			"pipe"
 		]
 	});
-	if (r.status !== 0) throw new Error(`security(1) add-generic-password failed (status=${r.status}, account=${account}): ${r.stderr.trim()}`);
+	if (r.status !== 0) throw new require_primordials_error.ErrorCtor(`security(1) add-generic-password failed (status=${r.status}, account=${account}): ${r.stderr.trim()}`);
 }
 
 //#endregion

package/dist/secrets/rc.js

@@ -2,6 +2,9 @@
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_runtime = require('../_virtual/_rolldown/runtime.js');
+const require_primordials_string = require('../primordials/string.js');
+const require_primordials_regexp = require('../primordials/regexp.js');
+const require_primordials_object = require('../primordials/object.js');
 const require_env_home = require('../env/home.js');
 let node_fs = require("node:fs");
 let node_path = require("node:path");
@@ -54,7 +57,7 @@ function buildBlock(opts) {
 	const begin = `# BEGIN ${opts.service} env (managed)`;
 	const end = `# END ${opts.service} env (managed)`;
 	const noteLines = (opts.notes ?? []).map((line) => `# ${line}`);
-	const exportLines = Object.entries(opts.exports).map(([name, value]) => `export ${name}=${shellSingleQuote(value)}`);
+	const exportLines = require_primordials_object.ObjectEntries(opts.exports).map(([name, value]) => `export ${name}=${shellSingleQuote(value)}`);
 	const body = [...noteLines, ...exportLines].join("\n");
 	return {
 		begin,
@@ -79,7 +82,7 @@ function clear(service, legacySentinels = []) {
 		const end = begin.replace(/\bBEGIN\b/, "END");
 		const endStripped = end.replace(/\s*\(managed\)\s*$/, "");
 		const endAlt = end === endStripped ? escapeRegExp(end) : `(?:${escapeRegExp(end)}|${escapeRegExp(endStripped)})`;
-		const re = new RegExp(`\n*${escapeRegExp(begin)}[\\s\\S]*?${endAlt}\n?`, "g");
+		const re = new require_primordials_regexp.RegExpCtor(`\n*${escapeRegExp(begin)}[\\s\\S]*?${endAlt}\n?`, "g");
 		const next = existing.replace(re, "\n");
 		if (next !== existing) {
 			removedAny = true;
@@ -96,7 +99,7 @@ function pickRcFile(shellOverride) {
 	const home = /* @__PURE__ */ require_env_home.getHome();
 	if (!home) return;
 	const shellPath = node_process.default.env["SHELL"] ?? "";
-	const shell = shellOverride ?? (shellPath.endsWith("zsh") ? "zsh" : shellPath.endsWith("bash") ? "bash" : shellPath.endsWith("fish") ? "fish" : void 0);
+	const shell = shellOverride ?? (require_primordials_string.StringPrototypeEndsWith(shellPath, "zsh") ? "zsh" : require_primordials_string.StringPrototypeEndsWith(shellPath, "bash") ? "bash" : require_primordials_string.StringPrototypeEndsWith(shellPath, "fish") ? "fish" : void 0);
 	if (shell === "zsh") return node_path.default.join(home, ".zshenv");
 	if (shell === "bash") {
 		const bashrc = node_path.default.join(home, ".bashrc");
@@ -149,10 +152,10 @@ function write(opts) {
 		const legacyEnd = legacyBegin.replace(/\bBEGIN\b/, "END");
 		const legacyEndStripped = legacyEnd.replace(/\s*\(managed\)\s*$/, "");
 		const endAlt = legacyEnd === legacyEndStripped ? escapeRegExp(legacyEnd) : `(?:${escapeRegExp(legacyEnd)}|${escapeRegExp(legacyEndStripped)})`;
-		const legacyRe = new RegExp(`\n*${escapeRegExp(legacyBegin)}[\\s\\S]*?${endAlt}\n?`, "g");
+		const legacyRe = new require_primordials_regexp.RegExpCtor(`\n*${escapeRegExp(legacyBegin)}[\\s\\S]*?${endAlt}\n?`, "g");
 		working = working.replace(legacyRe, "\n");
 	}
-	const match = new RegExp(`${escapeRegExp(begin)}[\\s\\S]*?${escapeRegExp(end)}`).exec(working);
+	const match = new require_primordials_regexp.RegExpCtor(`${escapeRegExp(begin)}[\\s\\S]*?${escapeRegExp(end)}`).exec(working);
 	if (match) {
 		if (match[0] === desiredBlock && working === onDisk) return {
 			rcPath,
@@ -164,7 +167,7 @@ function write(opts) {
 			outcome: "updated"
 		};
 	}
-	const prefix = working.length > 0 && !working.endsWith("\n\n") ? working.endsWith("\n") ? "\n" : "\n\n" : "";
+	const prefix = working.length > 0 && !require_primordials_string.StringPrototypeEndsWith(working, "\n\n") ? require_primordials_string.StringPrototypeEndsWith(working, "\n") ? "\n" : "\n\n" : "";
 	writeRcFile(rcPath, `${working}${prefix}${desiredBlock}\n`.replace(/\n{3,}/g, "\n\n"));
 	return {
 		rcPath,

package/dist/secrets/windows.js

@@ -2,6 +2,9 @@
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_runtime = require('../_virtual/_rolldown/runtime.js');
+const require_primordials_error = require('../primordials/error.js');
+const require_primordials_json = require('../primordials/json.js');
+const require_primordials_promise = require('../primordials/promise.js');
 let node_fs = require("node:fs");
 let node_path = require("node:path");
 node_path = require_runtime.__toESM(node_path);
@@ -125,7 +128,7 @@ function readWindowsSync(service, account) {
 	return readDpapiSync(getDpapiFilePath(service, account));
 }
 function runPsAsync(script, input) {
-	return new Promise((resolve) => {
+	return new require_primordials_promise.PromiseCtor((resolve) => {
 		const child = (0, node_child_process.spawn)(POWERSHELL_BIN, [
 			"-NoProfile",
 			"-Command",
@@ -189,7 +192,7 @@ function runPsSync(script, input) {
 * identifiers (e.g. `socket-cli`, `SOCKET_API_KEY`), not paths.
 */
 function validateKeychainComponent(value, name) {
-	if (/[\\/]/.test(value) || value.includes("..") || value.includes("\0") || value === "" || value === ".") throw new Error(`secrets/windows: ${name} contains path-traversal characters: ${JSON.stringify(value)}. Use a plain identifier (no \\\\, /, .., or NUL).`);
+	if (/[\\/]/.test(value) || value.includes("..") || value.includes("\0") || value === "" || value === ".") throw new require_primordials_error.ErrorCtor(`secrets/windows: ${name} contains path-traversal characters: ${require_primordials_json.JSONStringify(value)}. Use a plain identifier (no \\\\, /, .., or NUL).`);
 }
 async function writeDpapi(filePath, value) {
 	const dir = node_path.default.dirname(filePath);
@@ -201,7 +204,7 @@ async function writeDpapi(filePath, value) {
     $protected = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, 'CurrentUser')
     [Convert]::ToBase64String($protected) | Set-Content -Path ${quotePs(filePath)} -NoNewline
   `, value);
-	if (r.status !== 0) throw new Error(`DPAPI file write failed: ${r.stderr.trim()}. Install the CredentialManager PowerShell module (\`Install-Module CredentialManager -Scope CurrentUser\`) for a cleaner storage path.`);
+	if (r.status !== 0) throw new require_primordials_error.ErrorCtor(`DPAPI file write failed: ${r.stderr.trim()}. Install the CredentialManager PowerShell module (\`Install-Module CredentialManager -Scope CurrentUser\`) for a cleaner storage path.`);
 }
 function writeDpapiSync(filePath, value) {
 	const dir = node_path.default.dirname(filePath);
@@ -213,7 +216,7 @@ function writeDpapiSync(filePath, value) {
     $protected = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, 'CurrentUser')
     [Convert]::ToBase64String($protected) | Set-Content -Path ${quotePs(filePath)} -NoNewline
   `, value);
-	if (r.status !== 0) throw new Error(`DPAPI file write failed: ${r.stderr.trim()}. Install the CredentialManager PowerShell module (\`Install-Module CredentialManager -Scope CurrentUser\`) for a cleaner storage path.`);
+	if (r.status !== 0) throw new require_primordials_error.ErrorCtor(`DPAPI file write failed: ${r.stderr.trim()}. Install the CredentialManager PowerShell module (\`Install-Module CredentialManager -Scope CurrentUser\`) for a cleaner storage path.`);
 }
 async function writeWindows(service, account, value, _label) {
 	if ((await runPsAsync(`

package/dist/shell/parse.d.ts

@@ -8,10 +8,100 @@
  *   against `env`; unresolved ones collapse to an empty string.
  */
 import type { ParseEntry } from '../external/shell-quote';
+/**
+ * Visit each simple command in `cmd` in order. A "simple command" is the
+ * POSIX-grammar term for a run of bare-string tokens between shell
+ * control-operator boundaries (`&&`, `;`, `||`, `|`) — e.g. in `sudo apt && rm
+ * -rf /`, the two simple commands are `['sudo', 'apt']` and `['rm', '-rf',
+ * '/']`. Glob and comment tokens are ignored.
+ *
+ * The visitor receives each simple command's tokens as a `readonly string[]`;
+ * returning `true` short-circuits the walk so callers like `hasBinCall` /
+ * `findBinCall` can bail on the first match without finishing the parse.
+ *
+ * Public so consumers can write their own per-command matchers without
+ * re-parsing the command line. Used internally by `findBinCall` /
+ * `findBinCalls` / `hasBinCall`.
+ *
+ * Shell-quote is permissive (partial parses don't throw); the walk tolerates
+ * any shape it returns.
+ *
+ * @example
+ *   eachSimpleCommand('sudo apt && rm -rf /', tokens => {
+ *     console.log(tokens)
+ *     // → ['sudo', 'apt']
+ *     // → ['rm', '-rf', '/']
+ *   })
+ *
+ *   // Short-circuit on first match:
+ *   eachSimpleCommand('a ; b ; c', tokens => {
+ *     if (tokens[0] === 'b') {
+ *       return true // stop the walk
+ *     }
+ *   })
+ */
+export declare function eachSimpleCommand(cmd: string, visit: (tokens: readonly string[]) => boolean | void): void;
+/**
+ * Walk a parsed shell command and return the args of the FIRST binary call
+ * whose leading tokens match `prefix` (e.g. `['sudo']`, `['gh', 'auth',
+ * 'refresh']`). Returns `undefined` when no call matches.
+ *
+ * Short-circuits on the first match — does NOT materialize every match. Use
+ * this when "did any call match, and what were its args?" is enough. For audit
+ * / counting use cases where every match matters, use `findBinCalls`.
+ *
+ * @example
+ *   findBinCall('sudo apt update && sudo -k', ['sudo'])
+ *   // → ['apt', 'update']
+ *
+ *   findBinCall('echo "sudo foo"', ['sudo'])
+ *   // → undefined
+ */
+export declare function findBinCall(cmd: string, prefix: readonly string[]): readonly string[] | undefined;
+/**
+ * Walk a parsed shell command and return the args of every binary call whose
+ * leading tokens match `prefix` (e.g. `['sudo']`, `['gh', 'auth', 'refresh']`).
+ * Returns an empty array when no call matches.
+ *
+ * Segments split at op tokens (`&&`, `;`, `||`, `|`) so each chained command is
+ * scanned independently. Each match's args are returned as a `string[]` slice
+ * positioned after the matched prefix — useful for caller-side `.some(...)`
+ * over flag/value pairs.
+ *
+ * The AST walk means embedded args (`echo "sudo foo"`), variable substitutions
+ * (`$gh`), and command substitution (`$(...)`) don't trip the matcher — only
+ * actual calls do.
+ *
+ * @example
+ *   findBinCalls('sudo apt update && sudo -k', ['sudo'])
+ *   // → [['apt', 'update'], ['-k']]
+ *
+ *   findBinCalls('gh auth refresh -s workflow', ['gh', 'auth', 'refresh'])
+ *   // → [['-s', 'workflow']]
+ *
+ *   findBinCalls('echo "sudo foo"', ['sudo'])
+ *   // → []
+ */
+export declare function findBinCalls(cmd: string, prefix: readonly string[]): readonly string[][];
+/**
+ * Convenience: does `cmd` contain at least one binary call matching the
+ * leading-tokens `prefix`? The most common audit-pattern shape.
+ *
+ * Short-circuits on the first match — walks the parsed entries once and returns
+ * `true` as soon as a simple command matches. No intermediate match list or
+ * args slices are allocated.
+ *
+ * @example
+ *   hasBinCall('echo hi && sudo rm', ['sudo']) // → true
+ *   hasBinCall('echo "sudo foo"', ['sudo']) // → false
+ *   hasBinCall('gh auth refresh -s workflow', ['gh', 'auth', 'refresh']) // → true
+ */
+export declare function hasBinCall(cmd: string, prefix: readonly string[]): boolean;
 export type { ParseEntry, ShellComment, ShellGlob, ShellOp, } from '../external/shell-quote';
 /**
  * Tokenize `cmd` into `ParseEntry` items, preserving operators and comments.
- * Throws on unterminated quotes.
+ * `shell-quote` is permissive — an unterminated quote does not throw; the
+ * parser drops the opening quote and returns the rest as plain tokens.
  *
  * @example
  *   parseShell('git commit -m "hello world"')
@@ -24,3 +114,20 @@ export type { ParseEntry, ShellComment, ShellGlob, ShellOp, } from '../external/
  *   // → ['echo', '/root']
  */
 export declare function parseShell(cmd: string, env?: Record<string, string> | ((key: string) => string | undefined) | undefined): ParseEntry[];
+/**
+ * Does the simple command represented by `tokens` start with `prefix`? The
+ * natural companion to `eachSimpleCommand` — the visitor callback uses this to
+ * test whether a simple command is a call to a specific binary or command-line
+ * prefix.
+ *
+ * @example
+ *   simpleCommandStartsWith(['sudo', 'apt', 'update'], ['sudo'])
+ *   // → true
+ *
+ *   simpleCommandStartsWith(
+ *     ['gh', 'auth', 'status'],
+ *     ['gh', 'auth', 'refresh'],
+ *   )
+ *   // → false
+ */
+export declare function simpleCommandStartsWith(tokens: readonly string[], prefix: readonly string[]): boolean;