@socketsecurity/lib 6.0.5 → 6.0.7

package/dist/http-request/download.js

@@ -7,8 +7,8 @@ const require_primordials_error = require('../primordials/error.js');
 const require_primordials_math = require('../primordials/math.js');
 const require_primordials_number = require('../primordials/number.js');
 const require_node_fs = require('../node/fs.js');
-const require_fs_safe = require('../fs/safe.js');
 const require_primordials_promise = require('../primordials/promise.js');
+const require_fs_safe = require('../fs/safe.js');
 const require_http_request_request_attempt = require('./request-attempt.js');
 const require_http_request_response_types = require('./response-types.js');
 let node_timers_promises = require("node:timers/promises");
@@ -98,8 +98,8 @@ async function httpDownload(url, destPath, options) {
 		};
 	}
 	/* c8 ignore stop */
-	const crypto = /* @__PURE__ */ require_node_crypto.getNodeCrypto();
-	const fs = /* @__PURE__ */ require_node_fs.getNodeFs();
+	const crypto = require_node_crypto.getNodeCrypto();
+	const fs = require_node_fs.getNodeFs();
 	const tempPath = `${destPath}.${crypto.randomBytes(6).toString("hex")}.download`;
 	if (fs.existsSync(tempPath)) await require_fs_safe.safeDelete(tempPath);
 	let lastError;
@@ -155,7 +155,7 @@ async function httpDownloadAttempt(url, destPath, options) {
 	const res = response.rawResponse;
 	/* c8 ignore next 3 */
 	if (!res) throw new require_primordials_error.ErrorCtor("Stream response missing rawResponse");
-	const { createWriteStream } = /* @__PURE__ */ require_node_fs.getNodeFs();
+	const { createWriteStream } = require_node_fs.getNodeFs();
 	const totalSize = require_primordials_number.NumberParseInt(response.headers["content-length"] || "0", 10);
 	return await new require_primordials_promise.PromiseCtor((resolve, reject) => {
 		let downloadedSize = 0;

package/dist/http-request/headers.d.ts

@@ -9,6 +9,34 @@
  *     payload. No I/O — these can be imported anywhere without dragging the
  *     Node.js `http`/`https` modules into the bundle.
  */
+/**
+ * Build an HTTP Basic `Authorization` header value from a Socket API token.
+ *
+ * The Socket API uses the token as the username with an empty password, so the
+ * credential pair is `<token>:`. Centralized here so every fleet caller emits
+ * the identical shape instead of hand-rolling `btoa(\`${token}:`)`.
+ *
+ * @example
+ *   ;```ts
+ *   const headers = { Authorization: basicAuthHeader(apiToken) }
+ *   // { Authorization: 'Basic c2t0X3h4eHg6' }
+ *   ```
+ *
+ * @param token - The Socket API token (used as the Basic-auth username).
+ *
+ * @returns The `Authorization` header value, e.g. `Basic <base64>`.
+ */
+export declare function basicAuthHeader(token: string): string;
+/**
+ * Whether a header name looks credential-bearing and should be redacted from
+ * logs and telemetry. Case-insensitive substring match on the name only — the
+ * value is never inspected.
+ *
+ * @param name - The header name (e.g. `Authorization`, `x-api-key`).
+ *
+ * @returns `true` when the value should be replaced with `[REDACTED]`.
+ */
+export declare function isSensitiveHeaderName(name: string): boolean;
 /**
  * Parse a `Retry-After` HTTP header value into milliseconds.
  *
@@ -37,9 +65,10 @@ export declare function parseRetryAfterHeader(value: string | string[] | undefin
 /**
  * Redact sensitive HTTP headers for safe logging and telemetry.
  *
- * Replaces values of sensitive headers (Authorization, Cookie, etc.) with
- * `[REDACTED]`. Non-sensitive headers are passed through unchanged. Array
- * values are joined with `', '`.
+ * Replaces values of credential-bearing headers with `[REDACTED]`, matching the
+ * header name by shape (see `isSensitiveHeaderName`) so custom token headers
+ * are covered without an enumerated list. Non-sensitive headers pass through
+ * unchanged. Array values are joined with `', '`.
  *
  * @example
  *   ;```ts

package/dist/http-request/headers.js

@@ -3,9 +3,9 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_number = require('../primordials/number.js');
 const require_primordials_array = require('../primordials/array.js');
-const require_primordials_map_set = require('../primordials/map-set.js');
 const require_primordials_date = require('../primordials/date.js');
 const require_primordials_object = require('../primordials/object.js');
+const require_primordials_globals = require('../primordials/globals.js');
 
 //#region src/http-request/headers.ts
 /**
@@ -21,6 +21,39 @@ const require_primordials_object = require('../primordials/object.js');
 */
 const RETRY_AFTER_INT_RE = /^\d+$/;
 /**
+* Build an HTTP Basic `Authorization` header value from a Socket API token.
+*
+* The Socket API uses the token as the username with an empty password, so the
+* credential pair is `<token>:`. Centralized here so every fleet caller emits
+* the identical shape instead of hand-rolling `btoa(\`${token}:`)`.
+*
+* @example
+*   ;```ts
+*   const headers = { Authorization: basicAuthHeader(apiToken) }
+*   // { Authorization: 'Basic c2t0X3h4eHg6' }
+*   ```
+*
+* @param token - The Socket API token (used as the Basic-auth username).
+*
+* @returns The `Authorization` header value, e.g. `Basic <base64>`.
+*/
+function basicAuthHeader(token) {
+	return `Basic ${require_primordials_globals.btoa(`${token}:`)}`;
+}
+const SENSITIVE_HEADER_NAME_RE = /auth|cookie|credential|key|password|secret|token/i;
+/**
+* Whether a header name looks credential-bearing and should be redacted from
+* logs and telemetry. Case-insensitive substring match on the name only — the
+* value is never inspected.
+*
+* @param name - The header name (e.g. `Authorization`, `x-api-key`).
+*
+* @returns `true` when the value should be replaced with `[REDACTED]`.
+*/
+function isSensitiveHeaderName(name) {
+	return SENSITIVE_HEADER_NAME_RE.test(name);
+}
+/**
 * Parse a `Retry-After` HTTP header value into milliseconds.
 *
 * Supports both formats defined in RFC 7231 §7.1.3:
@@ -59,9 +92,10 @@ function parseRetryAfterHeader(value) {
 /**
 * Redact sensitive HTTP headers for safe logging and telemetry.
 *
-* Replaces values of sensitive headers (Authorization, Cookie, etc.) with
-* `[REDACTED]`. Non-sensitive headers are passed through unchanged. Array
-* values are joined with `', '`.
+* Replaces values of credential-bearing headers with `[REDACTED]`, matching the
+* header name by shape (see `isSensitiveHeaderName`) so custom token headers
+* are covered without an enumerated list. Non-sensitive headers pass through
+* unchanged. Array values are joined with `', '`.
 *
 * @example
 *   ;```ts
@@ -78,18 +112,10 @@ function parseRetryAfterHeader(value) {
 */
 function sanitizeHeaders(headers) {
 	if (!headers) return {};
-	const sensitiveHeaders = new require_primordials_map_set.SetCtor([
-		"authorization",
-		"cookie",
-		"proxy-authorization",
-		"proxy-authenticate",
-		"set-cookie",
-		"www-authenticate"
-	]);
 	const result = { __proto__: null };
 	for (const key of require_primordials_object.ObjectKeys(headers)) {
 		const value = headers[key];
-		if (sensitiveHeaders.has(key.toLowerCase())) result[key] = "[REDACTED]";
+		if (isSensitiveHeaderName(key)) result[key] = "[REDACTED]";
 		else if (require_primordials_array.ArrayIsArray(value)) result[key] = value.join(", ");
 		else if (value !== void 0 && value !== null) result[key] = String(value);
 	}
@@ -97,5 +123,7 @@ function sanitizeHeaders(headers) {
 }
 
 //#endregion
+exports.basicAuthHeader = basicAuthHeader;
+exports.isSensitiveHeaderName = isSensitiveHeaderName;
 exports.parseRetryAfterHeader = parseRetryAfterHeader;
 exports.sanitizeHeaders = sanitizeHeaders;

package/dist/http-request/request-attempt.js

@@ -1,15 +1,17 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_buffer = require('../primordials/buffer.js');
 const require_primordials_error = require('../primordials/error.js');
 const require_primordials_date = require('../primordials/date.js');
-const require_primordials_object = require('../primordials/object.js');
 const require_primordials_json = require('../primordials/json.js');
+const require_primordials_object = require('../primordials/object.js');
 const require_primordials_promise = require('../primordials/promise.js');
 const require_node_http = require('../node/http.js');
 const require_node_https = require('../node/https.js');
 const require_primordials_url = require('../primordials/url.js');
 const require_http_request_errors = require('./errors.js');
+const require_http_request_response_reader = require('./response-reader.js');
 const require_http_request_user_agent = require('./user-agent.js');
 
 //#region src/http-request/request-attempt.ts
@@ -39,6 +41,7 @@ async function httpRequestAttempt(url, options) {
 	const startTime = require_primordials_date.DateNow();
 	const streamHeaders = body && typeof body === "object" && "getHeaders" in body && typeof body.getHeaders === "function" ? body.getHeaders() : void 0;
 	const mergedHeaders = {
+		...stream ? void 0 : { "Accept-Encoding": "gzip, br" },
 		"User-Agent": require_http_request_user_agent.getSocketCallerUserAgent(),
 		...streamHeaders,
 		...headers
@@ -69,7 +72,7 @@ async function httpRequestAttempt(url, options) {
 		};
 		const parsedUrl = new require_primordials_url.URLCtor(url);
 		const isHttps = parsedUrl.protocol === "https:";
-		const httpModule = isHttps ? /* @__PURE__ */ require_node_https.getNodeHttps() : /* @__PURE__ */ require_node_http.getNodeHttp();
+		const httpModule = isHttps ? require_node_https.getNodeHttps() : require_node_http.getNodeHttp();
 		const requestOptions = {
 			headers: mergedHeaders,
 			hostname: parsedUrl.hostname,
@@ -105,15 +108,15 @@ async function httpRequestAttempt(url, options) {
 					reject(new require_primordials_error.ErrorCtor(`Too many redirects (exceeded maximum: ${maxRedirects})`));
 					return;
 				}
-				const redirectUrl = res.headers.location.startsWith("http") ? res.headers.location : new URL(res.headers.location, url).toString();
-				const redirectParsed = new URL(redirectUrl);
+				const redirectUrl = res.headers.location.startsWith("http") ? res.headers.location : new require_primordials_url.URLCtor(res.headers.location, url).toString();
+				const redirectParsed = new require_primordials_url.URLCtor(redirectUrl);
 				if (isHttps && redirectParsed.protocol !== "https:") {
 					settled = true;
 					reject(new require_primordials_error.ErrorCtor(`Redirect from HTTPS to HTTP is not allowed: ${redirectUrl}`));
 					return;
 				}
 				let redirectHeaders = headers;
-				if (new URL(url).origin !== redirectParsed.origin) {
+				if (new require_primordials_url.URLCtor(url).origin !== redirectParsed.origin) {
 					redirectHeaders = { __proto__: null };
 					const stripped = new Set([
 						"authorization",
@@ -147,7 +150,7 @@ async function httpRequestAttempt(url, options) {
 					status,
 					statusText
 				});
-				const emptyBody = Buffer.alloc(0);
+				const emptyBody = require_primordials_buffer.BufferAlloc(0);
 				resolveOnce({
 					arrayBuffer: () => emptyBody.buffer,
 					body: emptyBody,
@@ -177,31 +180,33 @@ async function httpRequestAttempt(url, options) {
 			});
 			res.on("end", () => {
 				if (settled) return;
-				const responseBody = Buffer.concat(chunks);
-				const ok = res.statusCode !== void 0 && res.statusCode >= 200 && res.statusCode < 300;
-				const response = {
-					arrayBuffer() {
-						return responseBody.buffer.slice(responseBody.byteOffset, responseBody.byteOffset + responseBody.byteLength);
-					},
-					body: responseBody,
-					headers: res.headers,
-					json() {
-						return require_primordials_json.JSONParse(responseBody.toString("utf8"));
-					},
-					ok,
-					rawResponse: res,
-					status: res.statusCode || 0,
-					statusText: res.statusMessage || "",
-					text() {
-						return responseBody.toString("utf8");
-					}
-				};
-				emitResponse({
-					headers: res.headers,
-					status: res.statusCode,
-					statusText: res.statusMessage
+				const rawBody = require_primordials_buffer.BufferConcat(chunks);
+				require_http_request_response_reader.decodeBody(rawBody, res.headers["content-encoding"]).catch(() => rawBody).then((responseBody) => {
+					const ok = res.statusCode !== void 0 && res.statusCode >= 200 && res.statusCode < 300;
+					const response = {
+						arrayBuffer() {
+							return responseBody.buffer.slice(responseBody.byteOffset, responseBody.byteOffset + responseBody.byteLength);
+						},
+						body: responseBody,
+						headers: res.headers,
+						json() {
+							return require_primordials_json.JSONParse(responseBody.toString("utf8"));
+						},
+						ok,
+						rawResponse: res,
+						status: res.statusCode || 0,
+						statusText: res.statusMessage || "",
+						text() {
+							return responseBody.toString("utf8");
+						}
+					};
+					emitResponse({
+						headers: res.headers,
+						status: res.statusCode,
+						statusText: res.statusMessage
+					});
+					resolveOnce(response);
 				});
-				resolveOnce(response);
 			});
 			res.on("error", (error) => {
 				rejectOnce(error);
@@ -216,12 +221,12 @@ async function httpRequestAttempt(url, options) {
 		});
 		if (body) {
 			if (typeof body === "object" && typeof body.pipe === "function") {
-				const stream = body;
-				stream.on("error", (err) => {
+				const bodyStream = body;
+				bodyStream.on("error", (err) => {
 					request.destroy();
 					rejectOnce(err);
 				});
-				stream.pipe(request);
+				bodyStream.pipe(request);
 				return;
 			}
 			request.write(body);

package/dist/http-request/request-types.d.ts

@@ -8,7 +8,7 @@
  *     observability
  *   - `HttpRequestOptions` — the main request configuration interface
  */
-import type { IncomingMessage } from 'node:http';
+import type { IncomingHttpHeaders, IncomingMessage } from 'node:http';
 import type { Readable } from 'node:stream';
 /**
  * IncomingMessage received as a response to a client request (http.request
@@ -35,7 +35,7 @@ export interface HttpHookRequestInfo {
 export interface HttpHookResponseInfo {
     duration: number;
     error?: Error | undefined;
-    headers?: import('node:http').IncomingHttpHeaders | undefined;
+    headers?: IncomingHttpHeaders | undefined;
     method: string;
     status?: number | undefined;
     statusText?: string | undefined;
@@ -138,6 +138,11 @@ export interface HttpRequestOptions {
      * HTTP headers to send with the request. A `User-Agent` header is
      * automatically added if not provided.
      *
+     * On retried attempts (when `retries` > 0), three telemetry headers are added
+     * automatically for server-side logging and are NOT removable here:
+     * `Retry-Attempt` (1-based retry number), `Retry-Max` (the `retries`
+     * ceiling), and `Retry-After` (seconds waited before this attempt).
+     *
      * @example
      *   ;```ts
      *   await httpRequest('https://api.example.com/data', {

package/dist/http-request/request.js

@@ -4,9 +4,9 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_error = require('../primordials/error.js');
 const require_primordials_math = require('../primordials/math.js');
 const require_primordials_number = require('../primordials/number.js');
+const require_http_request_response_reader = require('./response-reader.js');
 const require_http_request_request_attempt = require('./request-attempt.js');
 const require_http_request_response_types = require('./response-types.js');
-const require_http_request_response_reader = require('./response-reader.js');
 let node_timers_promises = require("node:timers/promises");
 
 //#region src/http-request/request.ts
@@ -71,7 +71,7 @@ async function httpRequest(url, options) {
 	};
 	const isStreamBody = body !== void 0 && typeof body === "object" && typeof body.pipe === "function";
 	if (isStreamBody && retries > 0) throw new require_primordials_error.ErrorCtor("Streaming body (Readable/FormData) cannot be used with retries. Streams are consumed on first attempt and cannot be replayed. Set retries: 0 or buffer the body as a string/Buffer.");
-	const attemptOpts = {
+	const baseAttemptOpts = {
 		body,
 		ca,
 		followRedirects: isStreamBody ? false : followRedirects,
@@ -85,20 +85,37 @@ async function httpRequest(url, options) {
 		timeout
 	};
 	let lastError;
-	for (let attempt = 0; attempt <= retries; attempt++) try {
-		const response = await require_http_request_request_attempt.httpRequestAttempt(url, attemptOpts);
-		if (throwOnError && !response.ok) throw new require_http_request_response_types.HttpResponseError(response);
-		return response;
-	} catch (e) {
-		lastError = e;
-		if (attempt === retries) break;
-		if (signal?.aborted) break;
-		const delayMs = retryDelay * 2 ** attempt;
-		if (onRetry) {
-			const retryResult = onRetry(attempt + 1, e, delayMs);
-			if (retryResult === false) break;
-			await (0, node_timers_promises.setTimeout)(typeof retryResult === "number" && !require_primordials_number.NumberIsNaN(retryResult) ? require_primordials_math.MathMax(0, retryResult) : delayMs);
-		} else await (0, node_timers_promises.setTimeout)(delayMs);
+	let lastDelaySeconds = 0;
+	for (let attempt = 0; attempt <= retries; attempt++) {
+		const attemptOpts = attempt > 0 ? {
+			...baseAttemptOpts,
+			headers: {
+				...headers,
+				"Retry-Attempt": `${attempt}`,
+				"Retry-Max": `${retries}`,
+				"Retry-After": `${lastDelaySeconds}`
+			}
+		} : baseAttemptOpts;
+		try {
+			const response = await require_http_request_request_attempt.httpRequestAttempt(url, attemptOpts);
+			if (throwOnError && !response.ok) throw new require_http_request_response_types.HttpResponseError(response);
+			return response;
+		} catch (e) {
+			lastError = e;
+			if (attempt === retries) break;
+			if (signal?.aborted) break;
+			const delayMs = retryDelay * 2 ** attempt;
+			if (onRetry) {
+				const retryResult = onRetry(attempt + 1, e, delayMs);
+				if (retryResult === false) break;
+				const actualDelay = typeof retryResult === "number" && !require_primordials_number.NumberIsNaN(retryResult) ? require_primordials_math.MathMax(0, retryResult) : delayMs;
+				lastDelaySeconds = require_primordials_math.MathRound(actualDelay / 1e3);
+				await (0, node_timers_promises.setTimeout)(actualDelay);
+			} else {
+				lastDelaySeconds = require_primordials_math.MathRound(delayMs / 1e3);
+				await (0, node_timers_promises.setTimeout)(delayMs);
+			}
+		}
 	}
 	throw lastError || new require_primordials_error.ErrorCtor("Request failed after retries");
 }

package/dist/http-request/response-reader.d.ts

@@ -3,10 +3,21 @@
  *   out of `http-request/request.ts` for size hygiene. Useful when a caller
  *   already has an `IncomingMessage` from code that bypasses `httpRequest()`
  *   (e.g., multipart uploads via `http.request()` directly, or third-party HTTP
- *   libraries) and wants the same fetch-like body accessors.
+ *   libraries) and wants the same fetch-like body accessors. The body is
+ *   transparently decompressed when the response carries a `Content-Encoding`
+ *   of `gzip` or `br` — the two encodings `httpRequest` advertises via
+ *   `Accept-Encoding`. Node's http client does not decompress on its own, so
+ *   without this step a compressed Socket API response would reach callers as
+ *   raw deflated bytes and fail JSON parsing.
  */
 import type { IncomingResponse } from './request-types';
 import type { HttpResponse } from './response-types';
+/**
+ * Decompress a response body per its `Content-Encoding`. Returns the input
+ * unchanged for `identity` or any unrecognized/absent encoding — we only
+ * decompress what `httpRequest` advertised support for (`gzip`, `br`).
+ */
+export declare function decodeBody(body: Buffer, contentEncoding: string | string[] | undefined): Promise<Buffer>;
 /**
  * Read and buffer a client-side IncomingResponse into an HttpResponse.
  *

package/dist/http-request/response-reader.js

@@ -3,6 +3,8 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_buffer = require('../primordials/buffer.js');
 const require_primordials_json = require('../primordials/json.js');
+const require_compression_brotli = require('../compression/brotli.js');
+const require_compression_gzip = require('../compression/gzip.js');
 
 //#region src/http-request/response-reader.ts
 /**
@@ -10,9 +12,26 @@ const require_primordials_json = require('../primordials/json.js');
 *   out of `http-request/request.ts` for size hygiene. Useful when a caller
 *   already has an `IncomingMessage` from code that bypasses `httpRequest()`
 *   (e.g., multipart uploads via `http.request()` directly, or third-party HTTP
-*   libraries) and wants the same fetch-like body accessors.
+*   libraries) and wants the same fetch-like body accessors. The body is
+*   transparently decompressed when the response carries a `Content-Encoding`
+*   of `gzip` or `br` — the two encodings `httpRequest` advertises via
+*   `Accept-Encoding`. Node's http client does not decompress on its own, so
+*   without this step a compressed Socket API response would reach callers as
+*   raw deflated bytes and fail JSON parsing.
 */
 /**
+* Decompress a response body per its `Content-Encoding`. Returns the input
+* unchanged for `identity` or any unrecognized/absent encoding — we only
+* decompress what `httpRequest` advertised support for (`gzip`, `br`).
+*/
+async function decodeBody(body, contentEncoding) {
+	if (!contentEncoding || body.length === 0) return body;
+	const encoding = (Array.isArray(contentEncoding) ? contentEncoding[0] : contentEncoding).trim().toLowerCase();
+	if (encoding === "gzip") return await require_compression_gzip.decompressGzip(body);
+	if (encoding === "br") return await require_compression_brotli.decompressBrotli(body);
+	return body;
+}
+/**
 * Read and buffer a client-side IncomingResponse into an HttpResponse.
 *
 * Useful when you have a raw response from code that bypasses `httpRequest()`
@@ -30,7 +49,7 @@ const require_primordials_json = require('../primordials/json.js');
 async function readIncomingResponse(msg) {
 	const chunks = [];
 	for await (const chunk of msg) chunks.push(chunk);
-	const body = require_primordials_buffer.BufferConcat(chunks);
+	const body = await decodeBody(require_primordials_buffer.BufferConcat(chunks), msg.headers["content-encoding"]);
 	const status = msg.statusCode ?? 0;
 	const statusText = msg.statusMessage ?? "";
 	return {
@@ -47,4 +66,5 @@ async function readIncomingResponse(msg) {
 }
 
 //#endregion
+exports.decodeBody = decodeBody;
 exports.readIncomingResponse = readIncomingResponse;

package/dist/http-request/user-agent.js

@@ -4,7 +4,7 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_runtime = require('../_virtual/_rolldown/runtime.js');
 const require_env_rewire = require('../env/rewire.js');
 const require_constants_socket = require('../constants/socket.js');
-const require_packages_operations = require('../packages/operations.js');
+const require_packages_specs = require('../packages/specs.js');
 let node_process = require("node:process");
 node_process = require_runtime.__toESM(node_process);
 
@@ -38,9 +38,8 @@ node_process = require_runtime.__toESM(node_process);
 *   // 'sdxgen/0.5.0 node/v22.10.0 darwin/arm64 embedded-by-foo/1'
 *   ```
 */
-/* @__NO_SIDE_EFFECTS__ */
 function buildUserAgent(pkg, caller) {
-	const base = `${/* @__PURE__ */ require_packages_operations.pkgNameToSlug(pkg.name)}/${pkg.version} node/${node_process.default.version} ${node_process.default.platform}/${node_process.default.arch}`;
+	const base = `${require_packages_specs.pkgNameToSlug(pkg.name)}/${pkg.version} node/${node_process.default.version} ${node_process.default.platform}/${node_process.default.arch}`;
 	return caller ? `${base} ${caller}` : base;
 }
 let cachedBaseUserAgent;
@@ -66,7 +65,7 @@ let cachedBaseUserAgent;
 *   ```
 */
 function getSocketCallerUserAgent() {
-	if (cachedBaseUserAgent === void 0) cachedBaseUserAgent = /* @__PURE__ */ buildUserAgent({
+	if (cachedBaseUserAgent === void 0) cachedBaseUserAgent = buildUserAgent({
 		name: require_constants_socket.SOCKET_LIB_NAME,
 		version: require_constants_socket.SOCKET_LIB_VERSION
 	});

package/dist/integrity.d.ts

@@ -1,21 +1,9 @@
-/**
- * @file Integrity specification helpers for downloads and file verification.
- *   Used by `dlx/binary-download` and external-tools resolvers; safe to consume
- *   from any module that needs to verify bytes against an expected hash. Single
- *   supported format per flavor:
- *
- *   - integrity: SRI with sha512 only (what npm registry returns)
- *   - checksum: sha256 hex (what `shasum -a 256` produces; common for binary
- *     release assets on GitHub) Callers may pass a {@link HashSpec} as a bare
- *     string (sniffed via format) or as an explicit `{ type, value }` object.
- *     The normalized form carried around internally is always the object.
- */
 /**
  * Tagged union representing an expected hash.
  *
  * @example
  *   // Bare SRI (sniffed as integrity):
- *   'sha512-abc...'
+ *   'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs='
  *
  * @example
  *   // Bare sha256 hex (sniffed as checksum):
@@ -23,7 +11,7 @@
  *
  * @example
  *   // Explicit:
- *   { type: 'integrity', value: 'sha512-abc...' }
+ *   { type: 'integrity', value: 'sha512-...' }
  *   { type: 'checksum', value: 'a1b2c3...' }
  */
 export type HashSpec = string | {
@@ -50,22 +38,89 @@ export interface ComputedHashes {
      */
     integrity: string;
     /**
-     * SHA-256 hex (64 chars). Matches `shasum -a 256`.
+     * Sha256 hex (64 chars). Matches `shasum -a 256`.
      */
     checksum: string;
 }
+/**
+ * Parsed components of an integrity string.
+ */
+export interface ParsedIntegrity {
+    /**
+     * SRI algorithm: `'sha256' | 'sha384' | 'sha512'`.
+     */
+    algorithm: string;
+    /**
+     * Base64-encoded digest body (everything after the `-`).
+     */
+    body: string;
+}
+/**
+ * Convert a sha256 hex checksum to its SRI integrity form (`sha256-<base64>`).
+ * Idempotent on integrity input — call this on user-supplied data without first
+ * sniffing the format.
+ *
+ * The default algorithm is `'sha256'` because that's the fleet's checksum
+ * convention; pass an explicit algorithm if you have a hex digest from `sha384`
+ * or `sha512` (the function does not verify hex length against the algorithm —
+ * caller's responsibility).
+ *
+ * @example
+ *   ;```typescript
+ *   checksumToIntegrity(
+ *     '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b',
+ *   )
+ *   // 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs='
+ *
+ *   checksumToIntegrity('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
+ *   // 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=' (idempotent)
+ *   ```
+ *
+ * @throws TypeError when the input is neither a recognized SRI nor a hex
+ *   digest.
+ */
+export declare function checksumToIntegrity(input: string, algorithm?: string): string;
 /**
  * Compute both integrity (sha512 SRI) and checksum (sha256 hex) for a buffer of
  * bytes.
  */
 export declare function computeHashes(bytes: Buffer): ComputedHashes;
-export declare function isChecksumString(s: string): boolean;
-export declare function isIntegrityString(s: string): boolean;
+/**
+ * Convert a sha256 SRI integrity string to its hex checksum form (64 lowercase
+ * chars). Idempotent on checksum input.
+ *
+ * Throws on `sha384` and `sha512` SRI — checksums are sha256-only by fleet
+ * convention. Callers that need a hex digest for those algorithms can call
+ * `parseIntegrity(sri)` and decode `.body` manually.
+ *
+ * @example
+ *   ;```typescript
+ *   integrityToChecksum('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
+ *   // '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b'
+ *
+ *   integrityToChecksum(
+ *     '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b',
+ *   )
+ *   // '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b' (idempotent)
+ *   ```
+ *
+ * @throws TypeError when the input is neither a recognized SRI nor a hex
+ *   checksum, or when the input is a non-sha256 SRI.
+ */
+export declare function integrityToChecksum(input: string): string;
+/**
+ * True when `s` is a sha256 hex checksum (exactly 64 hex chars).
+ */
+export declare function isChecksum(s: string): boolean;
+/**
+ * True when `s` is a W3C SRI integrity string: `sha(256|384|512)-<base64>`.
+ */
+export declare function isIntegrity(s: string): boolean;
 /**
  * Normalize a {@link HashSpec} to its canonical `{ type, value }` form.
  *
  * - Object form is trusted (its `value` is validated for shape).
- * - Bare string matching sha512 SRI → integrity.
+ * - Bare string matching SRI → integrity.
  * - Bare string of 64 hex chars → checksum.
  * - Anything else throws TypeError.
  *
@@ -73,6 +128,19 @@ export declare function isIntegrityString(s: string): boolean;
  *   object's value doesn't match its declared type.
  */
 export declare function normalizeHash(spec: HashSpec): NormalizedHash;
+/**
+ * Split an integrity string into its `{ algorithm, body }` components. `body`
+ * is the base64-encoded digest (everything after the algorithm + dash).
+ *
+ * @example
+ *   ;```typescript
+ *   parseIntegrity('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
+ *   // { algorithm: 'sha256', body: 'NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=' }
+ *   ```
+ *
+ * @throws Error when the input is not a valid SRI integrity string.
+ */
+export declare function parseIntegrity(sri: string): ParsedIntegrity;
 /**
  * Verify computed hashes against an expected {@link NormalizedHash}. Uses
  * `crypto.timingSafeEqual` for constant-time comparison.