@socketsecurity/lib 6.0.5 → 6.0.7

package/dist/releases/socket-btm-binary-naming.js

@@ -0,0 +1,155 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_error = require('../primordials/error.js');
+
+//#region src/releases/socket-btm-binary-naming.ts
+/**
+* Map Node.js platform to socket-btm asset platform naming. Identity mapping:
+* asset names use `process.platform` verbatim (`darwin`, `linux`, `win32`) to
+* align with pnpm's pack-app, the `--os` / `supportedArchitectures.os` config
+* keys, and the `@pnpm/exe.<os>-<arch>` package convention.
+*/
+const PLATFORM_MAP = {
+	__proto__: null,
+	darwin: "darwin",
+	linux: "linux",
+	win32: "win32"
+};
+/**
+* Map Node.js arch to socket-btm asset arch naming.
+*/
+const ARCH_MAP = {
+	__proto__: null,
+	arm64: "arm64",
+	x64: "x64"
+};
+/**
+* Get asset name for a socket-btm binary.
+*
+* @example
+*   ;```typescript
+*   getBinaryAssetName('lief', 'linux', 'x64', 'musl')
+*   // 'lief-linux-x64-musl'
+*   ```
+*
+* @param binaryBaseName - Binary basename (e.g., 'binject', 'node')
+* @param platform - Target platform.
+* @param arch - Target architecture.
+* @param libc - Linux libc variant (optional)
+*
+* @returns Asset name (e.g., 'binject-darwin-arm64', 'node-linux-x64-musl')
+*/
+function getBinaryAssetName(binaryBaseName, platform, arch, libc) {
+	const mappedArch = ARCH_MAP[arch];
+	if (!mappedArch) throw new require_primordials_error.ErrorCtor(`Unsupported architecture: ${arch}`);
+	const muslSuffix = platform === "linux" && libc === "musl" ? "-musl" : "";
+	const ext = platform === "win32" ? ".exe" : "";
+	if (platform === "darwin") return `${binaryBaseName}-darwin-${mappedArch}${ext}`;
+	if (platform === "linux") return `${binaryBaseName}-linux-${mappedArch}${muslSuffix}${ext}`;
+	if (platform === "win32") return `${binaryBaseName}-win32-${mappedArch}${ext}`;
+	throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${platform}`);
+}
+/**
+* Get binary filename for output.
+*
+* @example
+*   ;```typescript
+*   getBinaryName('node', 'win32') // 'node.exe'
+*   getBinaryName('node', 'linux') // 'node'
+*   ```
+*
+* @param binaryBaseName - Binary basename (e.g., 'node', 'binject')
+* @param platform - Target platform.
+*
+* @returns Binary filename (e.g., 'node', 'node.exe')
+*/
+function getBinaryName(binaryBaseName, platform) {
+	return platform === "win32" ? `${binaryBaseName}.exe` : binaryBaseName;
+}
+/**
+* Get platform-arch identifier for directory structure and asset names.
+*
+* # Format: `<os>-<arch>[-<libc>]`
+*
+* The OS segment is `process.platform` verbatim: `darwin` / `linux` / `win32`.
+* The arch segment is `process.arch` verbatim: `x64` / `arm64`. The optional
+* libc suffix is `-musl` (Linux only; the glibc default is unsuffixed to match
+* Node.js's own linuxstatic convention).
+*
+* # Why these specific conventions
+*
+* ## Why `win32`, not `win`
+*
+* `win32` is what `process.platform` returns on every Windows host. Every npm
+* package whose install-time platform filter uses the standard `os` / `cpu` /
+* `libc` manifest fields must match `process.platform` strings exactly (npm
+* compares them verbatim — there's no shorthand layer). Using `win` internally
+* here would have forced a translation every time we constructed an install
+* filter or a target triple, and reviewers would have to remember "we
+* abbreviate on disk but not in package filters." Since the two now match,
+* there's no translation step to get wrong.
+*
+* Pnpm's pack-app (v11+) accepts `<os>-<arch>[-<libc>]` target strings and its
+* shards are `@pnpm/exe.<os>-<arch>` (with `win32`, not `win` — see
+* pnpm#11314). Our naming matches so asset names we emit can flow directly into
+* pack-app's `--target` arg, `pnpm.app.targets` config, and
+* sibling-package-name construction without a translation map.
+*
+* ## Why `-musl` is the suffix (and glibc is unsuffixed)
+*
+* Node.js's own linuxstatic tarballs historically used the unqualified `linux`
+* for glibc and a separate download channel for musl. The pnpm ecosystem
+* codified that as `linux-<arch>` (glibc, default) and `linux-<arch>-musl` (the
+* libc outlier), matching the asymmetric reality of Linux distros — glibc is
+* the majority case, musl is Alpine-and-similar. Adding `-glibc` for the
+* default would be redundant noise in the name.
+*
+* ## Why libc is only appended for Linux
+*
+* MacOS and Windows have exactly one system libc each (Apple libSystem,
+* Microsoft UCRT). A hypothetical `darwin-arm64-libsystem` conveys no
+* information. Node.js, npm, and pnpm all treat libc as a Linux-only axis; we
+* follow the same convention so callers don't have to special- case
+* `'darwin-arm64'.startsWith('darwin-arm64')` style matches.
+*
+* ## Why this function exists at all (vs. inlining)
+*
+* Two upstream APIs that socket-btm consumers end up calling — the npm manifest
+* filter (`os`/`cpu`/`libc`) and pnpm's pack-app `--target` — both need the
+* exact same triple format. Centralizing the construction here means a future
+* schema change (e.g. Node introducing `riscv64`) gets one edit, and the error
+* message for an unsupported platform is uniform across downloaders, pack-app
+* invocations, and the `@socketbin/*` resolver logic.
+*
+* @example
+*   ;```typescript
+*   getPlatformArch('linux', 'x64', 'musl') // 'linux-x64-musl'
+*   getPlatformArch('darwin', 'arm64') // 'darwin-arm64'
+*   getPlatformArch('win32', 'x64') // 'win32-x64'
+*   getPlatformArch('darwin', 'x64', 'musl') // 'darwin-x64' — libc ignored
+*   ```
+*
+* @param platform - Target platform.
+* @param arch - Target architecture.
+* @param libc - Linux libc variant (optional; non-linux platforms ignore)
+*
+* @returns Platform-arch identifier (e.g., 'darwin-arm64', 'linux-x64-musl',
+*   'win32-x64')
+*/
+function getPlatformArch(platform, arch, libc) {
+	/* c8 ignore start - Unsupported-platform/arch arms fire only on inputs
+	outside the PLATFORM_MAP / ARCH_MAP keysets; the musl-suffix arm fires
+	only on linux+musl combos. */
+	const mappedPlatform = PLATFORM_MAP[platform];
+	if (!mappedPlatform) throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${platform}`);
+	const mappedArch = ARCH_MAP[arch];
+	if (!mappedArch) throw new require_primordials_error.ErrorCtor(`Unsupported architecture: ${arch}`);
+	return `${mappedPlatform}-${mappedArch}${platform === "linux" && libc === "musl" ? "-musl" : ""}`;
+	/* c8 ignore stop */
+}
+
+//#endregion
+exports.getBinaryAssetName = getBinaryAssetName;
+exports.getBinaryName = getBinaryName;
+exports.getPlatformArch = getPlatformArch;

package/dist/releases/socket-btm.d.ts

@@ -1,9 +1,11 @@
 /**
  * @file Socket-btm release download utilities.
  */
-import { type Arch, type Libc, type Platform } from '../constants/platform';
+import type { Arch, Libc, Platform } from '../constants/platform';
+import { getBinaryAssetName, getBinaryName, getPlatformArch } from './socket-btm-binary-naming';
 import type { AssetPattern } from './github-types';
 export type { Arch, Libc, Platform };
+export { getBinaryAssetName, getBinaryName, getPlatformArch };
 /**
  * Socket-btm GitHub repository configuration.
  */
@@ -22,7 +24,7 @@ export interface SocketBtmAssetConfig {
     /**
      * @internal Discriminator fields
      */
-    bin?: never;
+    bin?: never | undefined;
     /**
      * Working directory (defaults to process.cwd()).
      */
@@ -34,7 +36,7 @@ export interface SocketBtmAssetConfig {
     /**
      * @internal Discriminator fields
      */
-    libc?: never;
+    libc?: never | undefined;
     /**
      * Output filename. @default resolved asset name.
      */
@@ -54,11 +56,11 @@ export interface SocketBtmAssetConfig {
     /**
      * @internal Discriminator fields
      */
-    targetArch?: never;
+    targetArch?: never | undefined;
     /**
      * @internal Discriminator fields
      */
-    targetPlatform?: never;
+    targetPlatform?: never | undefined;
 }
 /**
  * Configuration for downloading socket-btm binary releases.
@@ -67,7 +69,7 @@ export interface SocketBtmBinaryConfig {
     /**
      * @internal Discriminator field
      */
-    asset?: never;
+    asset?: never | undefined;
     /**
      * Binary/executable name (without extension). @default tool.
      */
@@ -138,112 +140,3 @@ export declare function detectLibc(): Libc | undefined;
  * @returns Path to the downloaded file
  */
 export declare function downloadSocketBtmRelease(tool: string, options: SocketBtmReleaseConfig | undefined): Promise<string>;
-/**
- * Get asset name for a socket-btm binary.
- *
- * @example
- *   ;```typescript
- *   getBinaryAssetName('lief', 'linux', 'x64', 'musl')
- *   // 'lief-linux-x64-musl'
- *   ```
- *
- * @param binaryBaseName - Binary basename (e.g., 'binject', 'node')
- * @param platform - Target platform.
- * @param arch - Target architecture.
- * @param libc - Linux libc variant (optional)
- *
- * @returns Asset name (e.g., 'binject-darwin-arm64', 'node-linux-x64-musl')
- */
-export declare function getBinaryAssetName(binaryBaseName: string, platform: Platform, arch: Arch, libc?: Libc | undefined): string;
-/**
- * Get binary filename for output.
- *
- * @example
- *   ;```typescript
- *   getBinaryName('node', 'win32') // 'node.exe'
- *   getBinaryName('node', 'linux') // 'node'
- *   ```
- *
- * @param binaryBaseName - Binary basename (e.g., 'node', 'binject')
- * @param platform - Target platform.
- *
- * @returns Binary filename (e.g., 'node', 'node.exe')
- */
-export declare function getBinaryName(binaryBaseName: string, platform: Platform): string;
-/**
- * Lazily load the fs module to avoid Webpack errors. Uses non-'node:' prefixed
- * require to prevent Webpack bundling issues.
- *
- * @private
- */
-/**
- * Get platform-arch identifier for directory structure and asset names.
- *
- * # Format: `<os>-<arch>[-<libc>]`
- *
- * The OS segment is `process.platform` verbatim: `darwin` / `linux` / `win32`.
- * The arch segment is `process.arch` verbatim: `x64` / `arm64`. The optional
- * libc suffix is `-musl` (Linux only; the glibc default is unsuffixed to match
- * Node.js's own linuxstatic convention).
- *
- * # Why these specific conventions
- *
- * ## Why `win32`, not `win`
- *
- * `win32` is what `process.platform` returns on every Windows host. Every npm
- * package whose install-time platform filter uses the standard `os` / `cpu` /
- * `libc` manifest fields must match `process.platform` strings exactly (npm
- * compares them verbatim — there's no shorthand layer). Using `win` internally
- * here would have forced a translation every time we constructed an install
- * filter or a target triple, and reviewers would have to remember "we
- * abbreviate on disk but not in package filters." Since the two now match,
- * there's no translation step to get wrong.
- *
- * Pnpm's pack-app (v11+) accepts `<os>-<arch>[-<libc>]` target strings and its
- * shards are `@pnpm/exe.<os>-<arch>` (with `win32`, not `win` — see
- * pnpm#11314). Our naming matches so asset names we emit can flow directly into
- * pack-app's `--target` arg, `pnpm.app.targets` config, and
- * sibling-package-name construction without a translation map.
- *
- * ## Why `-musl` is the suffix (and glibc is unsuffixed)
- *
- * Node.js's own linuxstatic tarballs historically used the unqualified `linux`
- * for glibc and a separate download channel for musl. The pnpm ecosystem
- * codified that as `linux-<arch>` (glibc, default) and `linux-<arch>-musl` (the
- * libc outlier), matching the asymmetric reality of Linux distros — glibc is
- * the majority case, musl is Alpine-and-similar. Adding `-glibc` for the
- * default would be redundant noise in the name.
- *
- * ## Why libc is only appended for Linux
- *
- * MacOS and Windows have exactly one system libc each (Apple libSystem,
- * Microsoft UCRT). A hypothetical `darwin-arm64-libsystem` conveys no
- * information. Node.js, npm, and pnpm all treat libc as a Linux-only axis; we
- * follow the same convention so callers don't have to special- case
- * `'darwin-arm64'.startsWith('darwin-arm64')` style matches.
- *
- * ## Why this function exists at all (vs. inlining)
- *
- * Two upstream APIs that socket-btm consumers end up calling — the npm manifest
- * filter (`os`/`cpu`/`libc`) and pnpm's pack-app `--target` — both need the
- * exact same triple format. Centralizing the construction here means a future
- * schema change (e.g. Node introducing `riscv64`) gets one edit, and the error
- * message for an unsupported platform is uniform across downloaders, pack-app
- * invocations, and the `@socketbin/*` resolver logic.
- *
- * @example
- *   ;```typescript
- *   getPlatformArch('linux', 'x64', 'musl') // 'linux-x64-musl'
- *   getPlatformArch('darwin', 'arm64') // 'darwin-arm64'
- *   getPlatformArch('win32', 'x64') // 'win32-x64'
- *   getPlatformArch('darwin', 'x64', 'musl') // 'darwin-x64' — libc ignored
- *   ```
- *
- * @param platform - Target platform.
- * @param arch - Target architecture.
- * @param libc - Linux libc variant (optional; non-linux platforms ignore)
- *
- * @returns Platform-arch identifier (e.g., 'darwin-arm64', 'linux-x64-musl',
- *   'win32-x64')
- */
-export declare function getPlatformArch(platform: Platform, arch: Arch, libc?: Libc | undefined): string;

package/dist/releases/socket-btm.js

@@ -7,6 +7,7 @@ const require_node_fs = require('../node/fs.js');
 const require_releases_github_asset_url = require('./github-asset-url.js');
 const require_releases_github_listing = require('./github-listing.js');
 const require_releases_github_downloads = require('./github-downloads.js');
+const require_releases_socket_btm_binary_naming = require('./socket-btm-binary-naming.js');
 
 //#region src/releases/socket-btm.ts
 /**
@@ -20,26 +21,6 @@ const SOCKET_BTM_REPO = {
 	repo: "socket-btm"
 };
 /**
-* Map Node.js platform to socket-btm asset platform naming. Identity mapping:
-* asset names use `process.platform` verbatim (`darwin`, `linux`, `win32`) to
-* align with pnpm's pack-app, the `--os` / `supportedArchitectures.os` config
-* keys, and the `@pnpm/exe.<os>-<arch>` package convention.
-*/
-const PLATFORM_MAP = {
-	__proto__: null,
-	darwin: "darwin",
-	linux: "linux",
-	win32: "win32"
-};
-/**
-* Map Node.js arch to socket-btm asset arch naming.
-*/
-const ARCH_MAP = {
-	__proto__: null,
-	arm64: "arm64",
-	x64: "x64"
-};
-/**
 * Detect the libc variant (musl or glibc) on Linux systems. Returns undefined
 * for non-Linux platforms.
 *
@@ -53,17 +34,21 @@ const ARCH_MAP = {
 */
 function detectLibc() {
 	/* c8 ignore next 3 */
-	if (require_constants_platform.getPlatform() !== "linux") return;
+	if (require_constants_platform.getOs() !== "linux") return;
 	/* c8 ignore start - Linux-only musl/glibc detection; tested on
 	Linux runners. macOS/Windows runners take the early-return above. */
 	try {
-		const fs = /* @__PURE__ */ require_node_fs.getNodeFs();
-		for (const path of [
+		const fs = require_node_fs.getNodeFs();
+		const muslPaths = [
 			"/lib/ld-musl-x86_64.so.1",
 			"/lib/ld-musl-aarch64.so.1",
 			"/usr/lib/ld-musl-x86_64.so.1",
 			"/usr/lib/ld-musl-aarch64.so.1"
-		]) if (fs.existsSync(path)) return "musl";
+		];
+		for (let i = 0, { length } = muslPaths; i < length; i += 1) {
+			const path = muslPaths[i];
+			if (fs.existsSync(path)) return "musl";
+		}
 		return "glibc";
 	} catch {
 		return "glibc";
@@ -127,14 +112,14 @@ async function downloadSocketBtmRelease(tool, options) {
 			removeMacOSQuarantine
 		};
 	} else {
-		const { bin, libc = detectLibc(), removeMacOSQuarantine = true, targetArch = require_constants_platform.getArch(), targetPlatform = require_constants_platform.getPlatform() } = {
+		const { bin, libc = detectLibc(), removeMacOSQuarantine = true, targetArch = require_constants_platform.getArch(), targetPlatform = require_constants_platform.getOs() } = {
 			__proto__: null,
 			...options
 		};
 		const baseName = bin || tool;
-		const assetName = getBinaryAssetName(baseName, targetPlatform, targetArch, libc);
-		const platformArch = getPlatformArch(targetPlatform, targetArch, libc);
-		const binaryName = getBinaryName(baseName, targetPlatform);
+		const assetName = require_releases_socket_btm_binary_naming.getBinaryAssetName(baseName, targetPlatform, targetArch, libc);
+		const platformArch = require_releases_socket_btm_binary_naming.getPlatformArch(targetPlatform, targetArch, libc);
+		const binaryName = require_releases_socket_btm_binary_naming.getBinaryName(baseName, targetPlatform);
 		downloadConfig = {
 			owner: SOCKET_BTM_REPO.owner,
 			repo: SOCKET_BTM_REPO.repo,
@@ -152,139 +137,11 @@ async function downloadSocketBtmRelease(tool, options) {
 	}
 	return await require_releases_github_downloads.downloadGitHubRelease(downloadConfig);
 }
-/**
-* Get asset name for a socket-btm binary.
-*
-* @example
-*   ;```typescript
-*   getBinaryAssetName('lief', 'linux', 'x64', 'musl')
-*   // 'lief-linux-x64-musl'
-*   ```
-*
-* @param binaryBaseName - Binary basename (e.g., 'binject', 'node')
-* @param platform - Target platform.
-* @param arch - Target architecture.
-* @param libc - Linux libc variant (optional)
-*
-* @returns Asset name (e.g., 'binject-darwin-arm64', 'node-linux-x64-musl')
-*/
-function getBinaryAssetName(binaryBaseName, platform, arch, libc) {
-	const mappedArch = ARCH_MAP[arch];
-	if (!mappedArch) throw new require_primordials_error.ErrorCtor(`Unsupported architecture: ${arch}`);
-	const muslSuffix = platform === "linux" && libc === "musl" ? "-musl" : "";
-	const ext = platform === "win32" ? ".exe" : "";
-	if (platform === "darwin") return `${binaryBaseName}-darwin-${mappedArch}${ext}`;
-	if (platform === "linux") return `${binaryBaseName}-linux-${mappedArch}${muslSuffix}${ext}`;
-	if (platform === "win32") return `${binaryBaseName}-win32-${mappedArch}${ext}`;
-	throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${platform}`);
-}
-/**
-* Get binary filename for output.
-*
-* @example
-*   ;```typescript
-*   getBinaryName('node', 'win32') // 'node.exe'
-*   getBinaryName('node', 'linux') // 'node'
-*   ```
-*
-* @param binaryBaseName - Binary basename (e.g., 'node', 'binject')
-* @param platform - Target platform.
-*
-* @returns Binary filename (e.g., 'node', 'node.exe')
-*/
-function getBinaryName(binaryBaseName, platform) {
-	return platform === "win32" ? `${binaryBaseName}.exe` : binaryBaseName;
-}
-/**
-* Lazily load the fs module to avoid Webpack errors. Uses non-'node:' prefixed
-* require to prevent Webpack bundling issues.
-*
-* @private
-*/
-/**
-* Get platform-arch identifier for directory structure and asset names.
-*
-* # Format: `<os>-<arch>[-<libc>]`
-*
-* The OS segment is `process.platform` verbatim: `darwin` / `linux` / `win32`.
-* The arch segment is `process.arch` verbatim: `x64` / `arm64`. The optional
-* libc suffix is `-musl` (Linux only; the glibc default is unsuffixed to match
-* Node.js's own linuxstatic convention).
-*
-* # Why these specific conventions
-*
-* ## Why `win32`, not `win`
-*
-* `win32` is what `process.platform` returns on every Windows host. Every npm
-* package whose install-time platform filter uses the standard `os` / `cpu` /
-* `libc` manifest fields must match `process.platform` strings exactly (npm
-* compares them verbatim — there's no shorthand layer). Using `win` internally
-* here would have forced a translation every time we constructed an install
-* filter or a target triple, and reviewers would have to remember "we
-* abbreviate on disk but not in package filters." Since the two now match,
-* there's no translation step to get wrong.
-*
-* Pnpm's pack-app (v11+) accepts `<os>-<arch>[-<libc>]` target strings and its
-* shards are `@pnpm/exe.<os>-<arch>` (with `win32`, not `win` — see
-* pnpm#11314). Our naming matches so asset names we emit can flow directly into
-* pack-app's `--target` arg, `pnpm.app.targets` config, and
-* sibling-package-name construction without a translation map.
-*
-* ## Why `-musl` is the suffix (and glibc is unsuffixed)
-*
-* Node.js's own linuxstatic tarballs historically used the unqualified `linux`
-* for glibc and a separate download channel for musl. The pnpm ecosystem
-* codified that as `linux-<arch>` (glibc, default) and `linux-<arch>-musl` (the
-* libc outlier), matching the asymmetric reality of Linux distros — glibc is
-* the majority case, musl is Alpine-and-similar. Adding `-glibc` for the
-* default would be redundant noise in the name.
-*
-* ## Why libc is only appended for Linux
-*
-* MacOS and Windows have exactly one system libc each (Apple libSystem,
-* Microsoft UCRT). A hypothetical `darwin-arm64-libsystem` conveys no
-* information. Node.js, npm, and pnpm all treat libc as a Linux-only axis; we
-* follow the same convention so callers don't have to special- case
-* `'darwin-arm64'.startsWith('darwin-arm64')` style matches.
-*
-* ## Why this function exists at all (vs. inlining)
-*
-* Two upstream APIs that socket-btm consumers end up calling — the npm manifest
-* filter (`os`/`cpu`/`libc`) and pnpm's pack-app `--target` — both need the
-* exact same triple format. Centralizing the construction here means a future
-* schema change (e.g. Node introducing `riscv64`) gets one edit, and the error
-* message for an unsupported platform is uniform across downloaders, pack-app
-* invocations, and the `@socketbin/*` resolver logic.
-*
-* @example
-*   ;```typescript
-*   getPlatformArch('linux', 'x64', 'musl') // 'linux-x64-musl'
-*   getPlatformArch('darwin', 'arm64') // 'darwin-arm64'
-*   getPlatformArch('win32', 'x64') // 'win32-x64'
-*   getPlatformArch('darwin', 'x64', 'musl') // 'darwin-x64' — libc ignored
-*   ```
-*
-* @param platform - Target platform.
-* @param arch - Target architecture.
-* @param libc - Linux libc variant (optional; non-linux platforms ignore)
-*
-* @returns Platform-arch identifier (e.g., 'darwin-arm64', 'linux-x64-musl',
-*   'win32-x64')
-*/
-function getPlatformArch(platform, arch, libc) {
-	/* c8 ignore start */
-	const mappedPlatform = PLATFORM_MAP[platform];
-	if (!mappedPlatform) throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${platform}`);
-	const mappedArch = ARCH_MAP[arch];
-	if (!mappedArch) throw new require_primordials_error.ErrorCtor(`Unsupported architecture: ${arch}`);
-	return `${mappedPlatform}-${mappedArch}${platform === "linux" && libc === "musl" ? "-musl" : ""}`;
-	/* c8 ignore stop */
-}
 
 //#endregion
 exports.SOCKET_BTM_REPO = SOCKET_BTM_REPO;
 exports.detectLibc = detectLibc;
 exports.downloadSocketBtmRelease = downloadSocketBtmRelease;
-exports.getBinaryAssetName = getBinaryAssetName;
-exports.getBinaryName = getBinaryName;
-exports.getPlatformArch = getPlatformArch;
+exports.getBinaryAssetName = require_releases_socket_btm_binary_naming.getBinaryAssetName;
+exports.getBinaryName = require_releases_socket_btm_binary_naming.getBinaryName;
+exports.getPlatformArch = require_releases_socket_btm_binary_naming.getPlatformArch;

package/dist/schema/types.d.ts

@@ -24,7 +24,7 @@ export interface ParseResult<T> {
     /**
      * Error information (only present when `success` is `false`)
      */
-    error?: unknown;
+    error?: unknown | undefined;
 }
 /**
  * Zod-shaped duck-type for any validator exposing `safeParse` / `parse`.

package/dist/sea/detect.js

@@ -23,7 +23,7 @@ node_process = require_runtime.__toESM(node_process);
 /**
 * Cached SEA detection result.
 */
-let _isSea;
+let isSeaCache;
 /**
 * Get the current SEA binary path. Only valid when running as a SEA binary.
 *
@@ -36,7 +36,7 @@ let _isSea;
 *   ```
 */
 function getSeaBinaryPath() {
-	return isSeaBinary() && node_process.default.argv[0] ? /* @__PURE__ */ require_paths_normalize.normalizePath(node_process.default.argv[0]) : void 0;
+	return isSeaBinary() && node_process.default.argv[0] ? require_paths_normalize.normalizePath(node_process.default.argv[0]) : void 0;
 }
 /**
 * Detect if the current process is running as a SEA binary. Uses Node.js 24+
@@ -50,12 +50,12 @@ function getSeaBinaryPath() {
 *   ```
 */
 function isSeaBinary() {
-	if (_isSea === void 0) try {
-		_isSea = require("node:sea").isSea();
+	if (isSeaCache === void 0) try {
+		isSeaCache = require("node:sea").isSea();
 	} catch {
-		_isSea = false;
+		isSeaCache = false;
 	}
-	return _isSea ?? false;
+	return isSeaCache ?? false;
 }
 
 //#endregion

package/dist/secrets/_internal.d.ts

@@ -2,8 +2,8 @@
  * @file Private internals for `secrets/` — process-scoped read cache for the
  *   keychain backend. Underscore-prefixed and skipped by the export generator
  *   (`dist/**\/_*` ignore pattern in
- *   `scripts/fix/generate-package-exports.mts`) so this module is NOT part of
- *   the public API surface. Imported by `./keychain.ts`. Every `readSecret`
+ *   `scripts/post-build/make-package-exports.mts`) so this module is NOT part
+ *   of the public API surface. Imported by `./keychain.ts`. Every `readSecret`
  *   call shells out to the OS credential CLI (`security`, `secret-tool`,
  *   PowerShell). On macOS, the first read of a given entry by a new binary path
  *   triggers a Keychain auth prompt unless the entry was written with `-A -T

package/dist/secrets/_internal.js

@@ -1,14 +1,15 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_primordials_map_set = require('../primordials/map-set.js');
 
 //#region src/secrets/_internal.ts
 /**
 * @file Private internals for `secrets/` — process-scoped read cache for the
 *   keychain backend. Underscore-prefixed and skipped by the export generator
 *   (`dist/**\/_*` ignore pattern in
-*   `scripts/fix/generate-package-exports.mts`) so this module is NOT part of
-*   the public API surface. Imported by `./keychain.ts`. Every `readSecret`
+*   `scripts/post-build/make-package-exports.mts`) so this module is NOT part
+*   of the public API surface. Imported by `./keychain.ts`. Every `readSecret`
 *   call shells out to the OS credential CLI (`security`, `secret-tool`,
 *   PowerShell). On macOS, the first read of a given entry by a new binary path
 *   triggers a Keychain auth prompt unless the entry was written with `-A -T
@@ -29,8 +30,8 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 *   undefined (entry missing), `undefined` is cached too — callers that want a
 *   re-check after creating the entry must call `invalidate`.
 */
-const valueCache = /* @__PURE__ */ new Map();
-const inflight = /* @__PURE__ */ new Map();
+const valueCache = new require_primordials_map_set.MapCtor();
+const inflight = new require_primordials_map_set.MapCtor();
 function cacheKey(service, account) {
 	return `${service} ${account}`;
 }

package/dist/secrets/compare.d.ts

@@ -0,0 +1,45 @@
+/**
+ * @file Constant-time secret comparison. Wraps Node's `crypto.timingSafeEqual`
+ *   so every secret comparison in the codebase runs through one helper that
+ *   refuses to short-circuit on the first mismatched byte. Why this matters:
+ *
+ *   - `===` / `!==` on JS strings short-circuits at the first byte mismatch. An
+ *     attacker who can measure server response time can binary-search the
+ *     secret one byte at a time: `'a000...'`, `'b000...'`, … until the response
+ *     slows down at the right first byte, then on to byte 2. Same trap for
+ *     `Buffer.compare` and `==`.
+ *   - `crypto.timingSafeEqual` runs in O(n) regardless of where the first
+ *     mismatch is. Each iteration is the same cost so the timing channel
+ *     carries no information about which byte mismatched. Use whenever
+ *     comparing two values that include a secret (session token, API key, MAC,
+ *     expected-hash). Don't use for path strings or other non-secret
+ *     comparisons — `===` is fine there and faster. Patterned after pilcrow's
+ *     `crypto.go::constantTimeCompare`, the canonical shape in
+ *     passwordless-example.auth.pilcrowonpaper.com — wrap once, use everywhere,
+ *     never byte-compare a secret directly.
+ */
+/**
+ * Compare two secrets in constant time. Returns `true` when the inputs are
+ * byte-equal. Returns `false` when they differ **or** when the byte-lengths
+ * differ. Never throws.
+ *
+ * Length mismatch handling: `timingSafeEqual` itself throws on length mismatch
+ * (it can't preserve the timing-safety contract across differently- sized
+ * buffers). We catch that and return `false` so callers don't need a length
+ * pre-check.
+ *
+ * @example
+ *   ;```typescript
+ *   import { compareSecrets } from '@socketsecurity/lib/secrets/compare'
+ *
+ *   if (!compareSecrets(presentedToken, storedToken)) {
+ *     throw new Error('invalid token')
+ *   }
+ *   ```
+ *
+ * @param a - First secret (string or Buffer).
+ * @param b - Second secret (string or Buffer).
+ *
+ * @returns `true` when `a` and `b` are byte-equal; `false` otherwise.
+ */
+export declare function compareSecrets(a: Buffer | string, b: Buffer | string): boolean;