@socketsecurity/lib 6.0.5 → 6.0.7

package/dist/secrets/compare.js

@@ -0,0 +1,61 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_runtime = require('../_virtual/_rolldown/runtime.js');
+let node_crypto = require("node:crypto");
+node_crypto = require_runtime.__toESM(node_crypto);
+
+//#region src/secrets/compare.ts
+/**
+* @file Constant-time secret comparison. Wraps Node's `crypto.timingSafeEqual`
+*   so every secret comparison in the codebase runs through one helper that
+*   refuses to short-circuit on the first mismatched byte. Why this matters:
+*
+*   - `===` / `!==` on JS strings short-circuits at the first byte mismatch. An
+*     attacker who can measure server response time can binary-search the
+*     secret one byte at a time: `'a000...'`, `'b000...'`, … until the response
+*     slows down at the right first byte, then on to byte 2. Same trap for
+*     `Buffer.compare` and `==`.
+*   - `crypto.timingSafeEqual` runs in O(n) regardless of where the first
+*     mismatch is. Each iteration is the same cost so the timing channel
+*     carries no information about which byte mismatched. Use whenever
+*     comparing two values that include a secret (session token, API key, MAC,
+*     expected-hash). Don't use for path strings or other non-secret
+*     comparisons — `===` is fine there and faster. Patterned after pilcrow's
+*     `crypto.go::constantTimeCompare`, the canonical shape in
+*     passwordless-example.auth.pilcrowonpaper.com — wrap once, use everywhere,
+*     never byte-compare a secret directly.
+*/
+/**
+* Compare two secrets in constant time. Returns `true` when the inputs are
+* byte-equal. Returns `false` when they differ **or** when the byte-lengths
+* differ. Never throws.
+*
+* Length mismatch handling: `timingSafeEqual` itself throws on length mismatch
+* (it can't preserve the timing-safety contract across differently- sized
+* buffers). We catch that and return `false` so callers don't need a length
+* pre-check.
+*
+* @example
+*   ;```typescript
+*   import { compareSecrets } from '@socketsecurity/lib/secrets/compare'
+*
+*   if (!compareSecrets(presentedToken, storedToken)) {
+*     throw new Error('invalid token')
+*   }
+*   ```
+*
+* @param a - First secret (string or Buffer).
+* @param b - Second secret (string or Buffer).
+*
+* @returns `true` when `a` and `b` are byte-equal; `false` otherwise.
+*/
+function compareSecrets(a, b) {
+	const ab = typeof a === "string" ? Buffer.from(a, "utf8") : a;
+	const bb = typeof b === "string" ? Buffer.from(b, "utf8") : b;
+	if (ab.length !== bb.length) return false;
+	return node_crypto.default.timingSafeEqual(ab, bb);
+}
+
+//#endregion
+exports.compareSecrets = compareSecrets;

package/dist/secrets/keychain.js

@@ -1,11 +1,14 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_runtime = require('../_virtual/_rolldown/runtime.js');
+const require_primordials_error = require('../primordials/error.js');
 const require_secrets__internal = require('./_internal.js');
 const require_secrets_macos = require('./macos.js');
 const require_secrets_linux = require('./linux.js');
 const require_secrets_windows = require('./windows.js');
 let node_os = require("node:os");
+node_os = require_runtime.__toESM(node_os);
 
 //#region src/secrets/keychain.ts
 /**
@@ -117,7 +120,7 @@ function deleteSecretSync({ service, account }) {
 * @internal
 */
 function detectPlatform() {
-	const p = (0, node_os.platform)();
+	const p = node_os.default.platform();
 	if (p === "darwin" || p === "linux" || p === "win32") return p;
 	return "other";
 }
@@ -149,7 +152,7 @@ function getBackendAvailability() {
 		default: return {
 			available: false,
 			toolName: "n/a",
-			installHint: `Platform ${(0, node_os.platform)()} is not supported.`
+			installHint: `Platform ${node_os.default.platform()} is not supported.`
 		};
 	}
 }
@@ -228,9 +231,9 @@ function readSecretSync({ service, account }) {
 * shouldn't show "rewrote N secrets" when nothing actually changed).
 */
 async function writeSecret({ service, account, value, label }) {
-	if (!value || typeof value !== "string") throw new TypeError("writeSecret: value must be a non-empty string");
+	if (!value || typeof value !== "string") throw new require_primordials_error.TypeErrorCtor("writeSecret: value must be a non-empty string");
 	const platform_ = detectPlatform();
-	if (platform_ === "other") throw new Error(`Unsupported platform: ${(0, node_os.platform)()}. Secret storage requires macOS, Linux, or Windows.`);
+	if (platform_ === "other") throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${node_os.default.platform()}. Secret storage requires macOS, Linux, or Windows.`);
 	if (await readSecret({
 		service,
 		account
@@ -251,9 +254,9 @@ async function writeSecret({ service, account, value, label }) {
 	return "written";
 }
 function writeSecretSync({ service, account, value, label }) {
-	if (!value || typeof value !== "string") throw new TypeError("writeSecret: value must be a non-empty string");
+	if (!value || typeof value !== "string") throw new require_primordials_error.TypeErrorCtor("writeSecret: value must be a non-empty string");
 	const platform_ = detectPlatform();
-	if (platform_ === "other") throw new Error(`Unsupported platform: ${(0, node_os.platform)()}. Secret storage requires macOS, Linux, or Windows.`);
+	if (platform_ === "other") throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${node_os.default.platform()}. Secret storage requires macOS, Linux, or Windows.`);
 	if (readSecretSync({
 		service,
 		account

package/dist/secrets/linux.js

@@ -1,7 +1,9 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-let node_child_process = require("node:child_process");
+const require_primordials_error = require('../primordials/error.js');
+const require_primordials_promise = require('../primordials/promise.js');
+let _socketsecurity_lib_stable_process_spawn_child = require("@socketsecurity/lib-stable/process/spawn/child");
 
 //#region src/secrets/linux.ts
 /**
@@ -19,20 +21,20 @@ let node_child_process = require("node:child_process");
 */
 const SECRET_TOOL_BIN = "secret-tool";
 async function deleteLinux(service, account) {
-	return new Promise((resolve) => {
-		const child = (0, node_child_process.spawn)(SECRET_TOOL_BIN, [
+	return new require_primordials_promise.PromiseCtor((resolve) => {
+		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
 			"clear",
 			"service",
 			service,
 			"user",
 			account
 		], { stdio: "ignore" });
-		child.on("error", () => resolve("absent"));
-		child.on("close", (status) => resolve(status === 0 ? "removed" : "absent"));
+		cp.on("error", () => resolve("absent"));
+		cp.on("close", (status) => resolve(status === 0 ? "removed" : "absent"));
 	});
 }
 function deleteLinuxSync(service, account) {
-	return (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, [
+	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
 		"clear",
 		"service",
 		service,
@@ -41,11 +43,11 @@ function deleteLinuxSync(service, account) {
 	], { stdio: "ignore" }).status === 0 ? "removed" : "absent";
 }
 function isLinuxBackendAvailable() {
-	return (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, ["--version"], { stdio: "ignore" }).status === 0;
+	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, ["--version"], { stdio: "ignore" }).status === 0;
 }
 async function readLinux(service, account) {
-	return new Promise((resolve) => {
-		const child = (0, node_child_process.spawn)(SECRET_TOOL_BIN, [
+	return new require_primordials_promise.PromiseCtor((resolve) => {
+		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
 			"lookup",
 			"service",
 			service,
@@ -57,12 +59,12 @@ async function readLinux(service, account) {
 			"pipe"
 		] });
 		let stdout = "";
-		child.stdout.setEncoding("utf8");
-		child.stdout.on("data", (chunk) => {
+		cp.stdout.setEncoding("utf8");
+		cp.stdout.on("data", (chunk) => {
 			stdout += chunk;
 		});
-		child.on("error", () => resolve(void 0));
-		child.on("close", (status) => {
+		cp.on("error", () => resolve(void 0));
+		cp.on("close", (status) => {
 			if (status !== 0) {
 				resolve(void 0);
 				return;
@@ -72,7 +74,7 @@ async function readLinux(service, account) {
 	});
 }
 function readLinuxSync(service, account) {
-	const r = (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
 		"lookup",
 		"service",
 		service,
@@ -90,8 +92,8 @@ function readLinuxSync(service, account) {
 	return r.stdout.trim() || void 0;
 }
 async function writeLinux(service, account, value, label) {
-	return new Promise((resolve, reject) => {
-		const child = (0, node_child_process.spawn)(SECRET_TOOL_BIN, [
+	return new require_primordials_promise.PromiseCtor((resolve, reject) => {
+		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
 			"store",
 			`--label=${label}`,
 			"service",
@@ -104,23 +106,23 @@ async function writeLinux(service, account, value, label) {
 			"pipe"
 		] });
 		let stderr = "";
-		child.stderr.setEncoding("utf8");
-		child.stderr.on("data", (chunk) => {
+		cp.stderr.setEncoding("utf8");
+		cp.stderr.on("data", (chunk) => {
 			stderr += chunk;
 		});
-		child.on("error", (err) => reject(/* @__PURE__ */ new Error(`secret-tool store failed: ${err.message}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`)));
-		child.on("close", (status) => {
+		cp.on("error", (err) => reject(/* @__PURE__ */ new Error(`secret-tool store failed: ${err.message}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`)));
+		cp.on("close", (status) => {
 			if (status === 0) {
 				resolve();
 				return;
 			}
 			reject(/* @__PURE__ */ new Error(`secret-tool store failed (status=${status}, user=${account}): ${stderr.trim()}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`));
 		});
-		child.stdin.end(value);
+		cp.stdin.end(value);
 	});
 }
 function writeLinuxSync(service, account, value, label) {
-	const r = (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
 		"store",
 		`--label=${label}`,
 		"service",
@@ -136,7 +138,7 @@ function writeLinuxSync(service, account, value, label) {
 			"pipe"
 		]
 	});
-	if (r.status !== 0) throw new Error(`secret-tool store failed (status=${r.status}, user=${account}): ${r.stderr.trim()}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`);
+	if (r.status !== 0) throw new require_primordials_error.ErrorCtor(`secret-tool store failed (status=${r.status}, user=${account}): ${r.stderr.trim()}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`);
 }
 
 //#endregion

package/dist/secrets/macos.d.ts

@@ -24,7 +24,7 @@ export declare function isMacOSBackendAvailable(): boolean;
 export declare function readMacOS(service: string, account: string): Promise<string | undefined>;
 export declare function readMacOSSync(service: string, account: string): string | undefined;
 interface SpawnOpts {
-    stdio?: 'ignore' | 'pipe' | ['ignore', 'pipe', 'pipe'];
+    stdio?: 'ignore' | 'pipe' | ['ignore', 'pipe', 'pipe'] | undefined;
 }
 export declare function runAsync(args: readonly string[], opts?: SpawnOpts): Promise<{
     status: number | null;

package/dist/secrets/macos.js

@@ -1,7 +1,9 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-let node_child_process = require("node:child_process");
+const require_primordials_error = require('../primordials/error.js');
+const require_primordials_promise = require('../primordials/promise.js');
+let _socketsecurity_lib_stable_process_spawn_child = require("@socketsecurity/lib-stable/process/spawn/child");
 
 //#region src/secrets/macos.ts
 /**
@@ -35,7 +37,7 @@ async function deleteMacOS(service, account) {
 	], { stdio: "ignore" })).status === 0 ? "removed" : "absent";
 }
 function deleteMacOSSync(service, account) {
-	return (0, node_child_process.spawnSync)(SECURITY_BIN, [
+	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECURITY_BIN, [
 		"delete-generic-password",
 		"-s",
 		service,
@@ -59,7 +61,7 @@ async function readMacOS(service, account) {
 	return r.stdout.trim() || void 0;
 }
 function readMacOSSync(service, account) {
-	const r = (0, node_child_process.spawnSync)(SECURITY_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECURITY_BIN, [
 		"find-generic-password",
 		"-s",
 		service,
@@ -78,32 +80,32 @@ function readMacOSSync(service, account) {
 	return r.stdout.trim() || void 0;
 }
 function runAsync(args, opts = {}) {
-	return new Promise((resolve) => {
-		const child = (0, node_child_process.spawn)(SECURITY_BIN, args, { stdio: opts.stdio ?? [
+	return new require_primordials_promise.PromiseCtor((resolve) => {
+		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECURITY_BIN, args, { stdio: opts.stdio ?? [
 			"ignore",
 			"pipe",
 			"pipe"
 		] });
 		let stdout = "";
 		let stderr = "";
-		if (child.stdout) {
-			child.stdout.setEncoding("utf8");
-			child.stdout.on("data", (chunk) => {
+		if (cp.stdout) {
+			cp.stdout.setEncoding("utf8");
+			cp.stdout.on("data", (chunk) => {
 				stdout += chunk;
 			});
 		}
-		if (child.stderr) {
-			child.stderr.setEncoding("utf8");
-			child.stderr.on("data", (chunk) => {
+		if (cp.stderr) {
+			cp.stderr.setEncoding("utf8");
+			cp.stderr.on("data", (chunk) => {
 				stderr += chunk;
 			});
 		}
-		child.on("error", () => resolve({
+		cp.on("error", () => resolve({
 			status: -1,
 			stdout,
 			stderr
 		}));
-		child.on("close", (status) => resolve({
+		cp.on("close", (status) => resolve({
 			status,
 			stdout,
 			stderr
@@ -128,10 +130,10 @@ async function writeMacOS(service, account, value, label) {
 		"-l",
 		label
 	]);
-	if (r.status !== 0) throw new Error(`security(1) add-generic-password failed (status=${r.status}, account=${account}): ${r.stderr.trim()}`);
+	if (r.status !== 0) throw new require_primordials_error.ErrorCtor(`security(1) add-generic-password failed (status=${r.status}, account=${account}): ${r.stderr.trim()}`);
 }
 function writeMacOSSync(service, account, value, label) {
-	const r = (0, node_child_process.spawnSync)(SECURITY_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECURITY_BIN, [
 		"add-generic-password",
 		"-U",
 		"-A",
@@ -155,7 +157,7 @@ function writeMacOSSync(service, account, value, label) {
 			"pipe"
 		]
 	});
-	if (r.status !== 0) throw new Error(`security(1) add-generic-password failed (status=${r.status}, account=${account}): ${r.stderr.trim()}`);
+	if (r.status !== 0) throw new require_primordials_error.ErrorCtor(`security(1) add-generic-password failed (status=${r.status}, account=${account}): ${r.stderr.trim()}`);
 }
 
 //#endregion

package/dist/secrets/rc.d.ts

@@ -67,7 +67,7 @@ export interface WriteOptions {
      * "Rotate via: my-installer --rotate"). Each entry is prefixed with `# `
      * automatically.
      */
-    notes?: readonly string[];
+    notes?: readonly string[] | undefined;
     /**
      * Legacy sentinel BEGIN strings to sweep before writing the new block. Used
      * during a rename/migration so an older managed block is removed rather than
@@ -75,7 +75,7 @@ export interface WriteOptions {
      * tolerates any line endings up to the matching END (same prefix with `END`
      * replacing `BEGIN`).
      */
-    legacySentinels?: readonly string[];
+    legacySentinels?: readonly string[] | undefined;
     /**
      * Override the auto-detected shell. By default the helper reads `$SHELL` and
      * targets the matching rc file:

package/dist/secrets/rc.js

@@ -2,11 +2,15 @@
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_runtime = require('../_virtual/_rolldown/runtime.js');
+const require_primordials_string = require('../primordials/string.js');
+const require_primordials_regexp = require('../primordials/regexp.js');
+const require_primordials_object = require('../primordials/object.js');
 const require_env_home = require('../env/home.js');
 let node_fs = require("node:fs");
 let node_path = require("node:path");
 node_path = require_runtime.__toESM(node_path);
 let node_os = require("node:os");
+node_os = require_runtime.__toESM(node_os);
 let node_process = require("node:process");
 node_process = require_runtime.__toESM(node_process);
 
@@ -54,7 +58,7 @@ function buildBlock(opts) {
 	const begin = `# BEGIN ${opts.service} env (managed)`;
 	const end = `# END ${opts.service} env (managed)`;
 	const noteLines = (opts.notes ?? []).map((line) => `# ${line}`);
-	const exportLines = Object.entries(opts.exports).map(([name, value]) => `export ${name}=${shellSingleQuote(value)}`);
+	const exportLines = require_primordials_object.ObjectEntries(opts.exports).map(([name, value]) => `export ${name}=${shellSingleQuote(value)}`);
 	const body = [...noteLines, ...exportLines].join("\n");
 	return {
 		begin,
@@ -69,17 +73,18 @@ function buildBlock(opts) {
 * no block was present.
 */
 function clear(service, legacySentinels = []) {
-	if ((0, node_os.platform)() !== "darwin") return false;
+	if (node_os.default.platform() !== "darwin") return false;
 	const rcPath = pickRcFile();
 	if (!rcPath || !(0, node_fs.existsSync)(rcPath)) return false;
 	let existing = (0, node_fs.readFileSync)(rcPath, "utf8");
 	let removedAny = false;
 	const sentinelsToStrip = [`# BEGIN ${service} env (managed)`, ...legacySentinels];
-	for (const begin of sentinelsToStrip) {
+	for (let i = 0, { length } = sentinelsToStrip; i < length; i += 1) {
+		const begin = sentinelsToStrip[i];
 		const end = begin.replace(/\bBEGIN\b/, "END");
 		const endStripped = end.replace(/\s*\(managed\)\s*$/, "");
 		const endAlt = end === endStripped ? escapeRegExp(end) : `(?:${escapeRegExp(end)}|${escapeRegExp(endStripped)})`;
-		const re = new RegExp(`\n*${escapeRegExp(begin)}[\\s\\S]*?${endAlt}\n?`, "g");
+		const re = new require_primordials_regexp.RegExpCtor(`\n*${escapeRegExp(begin)}[\\s\\S]*?${endAlt}\n?`, "g");
 		const next = existing.replace(re, "\n");
 		if (next !== existing) {
 			removedAny = true;
@@ -93,10 +98,10 @@ function escapeRegExp(s) {
 	return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function pickRcFile(shellOverride) {
-	const home = /* @__PURE__ */ require_env_home.getHome();
+	const home = require_env_home.getHome();
 	if (!home) return;
 	const shellPath = node_process.default.env["SHELL"] ?? "";
-	const shell = shellOverride ?? (shellPath.endsWith("zsh") ? "zsh" : shellPath.endsWith("bash") ? "bash" : shellPath.endsWith("fish") ? "fish" : void 0);
+	const shell = shellOverride ?? (require_primordials_string.StringPrototypeEndsWith(shellPath, "zsh") ? "zsh" : require_primordials_string.StringPrototypeEndsWith(shellPath, "bash") ? "bash" : require_primordials_string.StringPrototypeEndsWith(shellPath, "fish") ? "fish" : void 0);
 	if (shell === "zsh") return node_path.default.join(home, ".zshenv");
 	if (shell === "bash") {
 		const bashrc = node_path.default.join(home, ".bashrc");
@@ -130,7 +135,7 @@ function shellSingleQuote(value) {
 * dotfile-manager users or installers running under a non-default shell.
 */
 function write(opts) {
-	if ((0, node_os.platform)() !== "darwin") return {
+	if (node_os.default.platform() !== "darwin") return {
 		rcPath: void 0,
 		outcome: "skipped",
 		reason: "unsupported-platform"
@@ -149,10 +154,10 @@ function write(opts) {
 		const legacyEnd = legacyBegin.replace(/\bBEGIN\b/, "END");
 		const legacyEndStripped = legacyEnd.replace(/\s*\(managed\)\s*$/, "");
 		const endAlt = legacyEnd === legacyEndStripped ? escapeRegExp(legacyEnd) : `(?:${escapeRegExp(legacyEnd)}|${escapeRegExp(legacyEndStripped)})`;
-		const legacyRe = new RegExp(`\n*${escapeRegExp(legacyBegin)}[\\s\\S]*?${endAlt}\n?`, "g");
+		const legacyRe = new require_primordials_regexp.RegExpCtor(`\n*${escapeRegExp(legacyBegin)}[\\s\\S]*?${endAlt}\n?`, "g");
 		working = working.replace(legacyRe, "\n");
 	}
-	const match = new RegExp(`${escapeRegExp(begin)}[\\s\\S]*?${escapeRegExp(end)}`).exec(working);
+	const match = new require_primordials_regexp.RegExpCtor(`${escapeRegExp(begin)}[\\s\\S]*?${escapeRegExp(end)}`).exec(working);
 	if (match) {
 		if (match[0] === desiredBlock && working === onDisk) return {
 			rcPath,
@@ -164,7 +169,7 @@ function write(opts) {
 			outcome: "updated"
 		};
 	}
-	const prefix = working.length > 0 && !working.endsWith("\n\n") ? working.endsWith("\n") ? "\n" : "\n\n" : "";
+	const prefix = working.length > 0 && !require_primordials_string.StringPrototypeEndsWith(working, "\n\n") ? require_primordials_string.StringPrototypeEndsWith(working, "\n") ? "\n" : "\n\n" : "";
 	writeRcFile(rcPath, `${working}${prefix}${desiredBlock}\n`.replace(/\n{3,}/g, "\n\n"));
 	return {
 		rcPath,

package/dist/secrets/socket-api-token.d.ts

@@ -2,10 +2,10 @@
  * @file Convenience helper for reading the Socket API token from the canonical
  *   env → keychain precedence order. Centralizes two constants every fleet
  *   consumer would otherwise hard-code: the keychain service name
- *   (`socket-cli`) and the env-var + account fallback list (`SOCKET_API_TOKEN`
- *   canonical, `SOCKET_API_KEY` legacy alias). Consumers like firewall and
- *   wheelhouse hooks call `readSocketApiToken()` instead of redoing the
- *   `resolve({ service, accounts })` boilerplate.
+ *   (`socketsecurity`) and the env-var + account fallback list
+ *   (`SOCKET_API_TOKEN` canonical, `SOCKET_API_KEY` legacy alias). Consumers
+ *   like firewall and wheelhouse hooks call `readSocketApiToken()` instead of
+ *   redoing the `resolve({ service, accounts })` boilerplate.
  */
 export interface ReadSocketApiTokenOptions {
     /**

package/dist/secrets/socket-api-token.js

@@ -8,26 +8,35 @@ const require_secrets_find = require('./find.js');
 * @file Convenience helper for reading the Socket API token from the canonical
 *   env → keychain precedence order. Centralizes two constants every fleet
 *   consumer would otherwise hard-code: the keychain service name
-*   (`socket-cli`) and the env-var + account fallback list (`SOCKET_API_TOKEN`
-*   canonical, `SOCKET_API_KEY` legacy alias). Consumers like firewall and
-*   wheelhouse hooks call `readSocketApiToken()` instead of redoing the
-*   `resolve({ service, accounts })` boilerplate.
+*   (`socketsecurity`) and the env-var + account fallback list
+*   (`SOCKET_API_TOKEN` canonical, `SOCKET_API_KEY` legacy alias). Consumers
+*   like firewall and wheelhouse hooks call `readSocketApiToken()` instead of
+*   redoing the `resolve({ service, accounts })` boilerplate.
 */
-const SOCKET_CLI_SERVICE = "socket-cli";
+const SOCKET_SERVICE = "socketsecurity";
+const SOCKET_SERVICE_LEGACY = "socket-cli";
 const TOKEN_ACCOUNTS = ["SOCKET_API_TOKEN", "SOCKET_API_KEY"];
 async function readSocketApiToken(options) {
 	return (await require_secrets_find.resolve({
-		service: SOCKET_CLI_SERVICE,
+		service: SOCKET_SERVICE,
+		accounts: TOKEN_ACCOUNTS,
+		allowEnvOnly: options?.allowEnvOnly
+	}) ?? await require_secrets_find.resolve({
+		service: SOCKET_SERVICE_LEGACY,
 		accounts: TOKEN_ACCOUNTS,
 		allowEnvOnly: options?.allowEnvOnly
 	}))?.value;
 }
 function readSocketApiTokenSync(options) {
-	return require_secrets_find.resolveSync({
-		service: SOCKET_CLI_SERVICE,
+	return (require_secrets_find.resolveSync({
+		service: SOCKET_SERVICE,
 		accounts: TOKEN_ACCOUNTS,
 		allowEnvOnly: options?.allowEnvOnly
-	})?.value;
+	}) ?? require_secrets_find.resolveSync({
+		service: SOCKET_SERVICE_LEGACY,
+		accounts: TOKEN_ACCOUNTS,
+		allowEnvOnly: options?.allowEnvOnly
+	}))?.value;
 }
 
 //#endregion

package/dist/secrets/windows.js

@@ -2,13 +2,17 @@
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_runtime = require('../_virtual/_rolldown/runtime.js');
+const require_primordials_error = require('../primordials/error.js');
+const require_primordials_json = require('../primordials/json.js');
+const require_primordials_promise = require('../primordials/promise.js');
 let node_fs = require("node:fs");
 let node_path = require("node:path");
 node_path = require_runtime.__toESM(node_path);
 let node_os = require("node:os");
+node_os = require_runtime.__toESM(node_os);
 let node_process = require("node:process");
 node_process = require_runtime.__toESM(node_process);
-let node_child_process = require("node:child_process");
+let _socketsecurity_lib_stable_process_spawn_child = require("@socketsecurity/lib-stable/process/spawn/child");
 
 //#region src/secrets/windows.ts
 /**
@@ -63,11 +67,11 @@ function deleteWindowsSync(service, account) {
 function getDpapiFilePath(service, account) {
 	validateKeychainComponent(service, "service");
 	validateKeychainComponent(account, "account");
-	const appData = node_process.default.env["APPDATA"] ?? node_path.default.join((0, node_os.homedir)(), "AppData", "Roaming");
+	const appData = node_process.default.env["APPDATA"] ?? node_path.default.join(node_os.default.homedir(), "AppData", "Roaming");
 	return node_path.default.join(appData, service, `${account}.enc`);
 }
 function isWindowsBackendAvailable() {
-	return (0, node_child_process.spawnSync)(POWERSHELL_BIN, [
+	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(POWERSHELL_BIN, [
 		"-NoProfile",
 		"-Command",
 		"exit 0"
@@ -125,8 +129,8 @@ function readWindowsSync(service, account) {
 	return readDpapiSync(getDpapiFilePath(service, account));
 }
 function runPsAsync(script, input) {
-	return new Promise((resolve) => {
-		const child = (0, node_child_process.spawn)(POWERSHELL_BIN, [
+	return new require_primordials_promise.PromiseCtor((resolve) => {
+		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(POWERSHELL_BIN, [
 			"-NoProfile",
 			"-Command",
 			script
@@ -137,30 +141,30 @@ function runPsAsync(script, input) {
 		] });
 		let stdout = "";
 		let stderr = "";
-		child.stdout.setEncoding("utf8");
-		child.stdout.on("data", (chunk) => {
+		cp.stdout.setEncoding("utf8");
+		cp.stdout.on("data", (chunk) => {
 			stdout += chunk;
 		});
-		child.stderr.setEncoding("utf8");
-		child.stderr.on("data", (chunk) => {
+		cp.stderr.setEncoding("utf8");
+		cp.stderr.on("data", (chunk) => {
 			stderr += chunk;
 		});
-		child.on("error", () => resolve({
+		cp.on("error", () => resolve({
 			status: -1,
 			stdout,
 			stderr
 		}));
-		child.on("close", (status) => resolve({
+		cp.on("close", (status) => resolve({
 			status,
 			stdout,
 			stderr
 		}));
-		if (input !== void 0) child.stdin.end(input);
-		else child.stdin.end();
+		if (input !== void 0) cp.stdin.end(input);
+		else cp.stdin.end();
 	});
 }
 function runPsSync(script, input) {
-	const r = (0, node_child_process.spawnSync)(POWERSHELL_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(POWERSHELL_BIN, [
 		"-NoProfile",
 		"-Command",
 		script
@@ -189,7 +193,7 @@ function runPsSync(script, input) {
 * identifiers (e.g. `socket-cli`, `SOCKET_API_KEY`), not paths.
 */
 function validateKeychainComponent(value, name) {
-	if (/[\\/]/.test(value) || value.includes("..") || value.includes("\0") || value === "" || value === ".") throw new Error(`secrets/windows: ${name} contains path-traversal characters: ${JSON.stringify(value)}. Use a plain identifier (no \\\\, /, .., or NUL).`);
+	if (/[\\/]/.test(value) || value.includes("..") || value.includes("\0") || value === "" || value === ".") throw new require_primordials_error.ErrorCtor(`secrets/windows: ${name} contains path-traversal characters: ${require_primordials_json.JSONStringify(value)}. Use a plain identifier (no \\\\, /, .., or NUL).`);
 }
 async function writeDpapi(filePath, value) {
 	const dir = node_path.default.dirname(filePath);
@@ -201,7 +205,7 @@ async function writeDpapi(filePath, value) {
     $protected = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, 'CurrentUser')
     [Convert]::ToBase64String($protected) | Set-Content -Path ${quotePs(filePath)} -NoNewline
   `, value);
-	if (r.status !== 0) throw new Error(`DPAPI file write failed: ${r.stderr.trim()}. Install the CredentialManager PowerShell module (\`Install-Module CredentialManager -Scope CurrentUser\`) for a cleaner storage path.`);
+	if (r.status !== 0) throw new require_primordials_error.ErrorCtor(`DPAPI file write failed: ${r.stderr.trim()}. Install the CredentialManager PowerShell module (\`Install-Module CredentialManager -Scope CurrentUser\`) for a cleaner storage path.`);
 }
 function writeDpapiSync(filePath, value) {
 	const dir = node_path.default.dirname(filePath);
@@ -213,7 +217,7 @@ function writeDpapiSync(filePath, value) {
     $protected = [System.Security.Cryptography.ProtectedData]::Protect($bytes, $null, 'CurrentUser')
     [Convert]::ToBase64String($protected) | Set-Content -Path ${quotePs(filePath)} -NoNewline
   `, value);
-	if (r.status !== 0) throw new Error(`DPAPI file write failed: ${r.stderr.trim()}. Install the CredentialManager PowerShell module (\`Install-Module CredentialManager -Scope CurrentUser\`) for a cleaner storage path.`);
+	if (r.status !== 0) throw new require_primordials_error.ErrorCtor(`DPAPI file write failed: ${r.stderr.trim()}. Install the CredentialManager PowerShell module (\`Install-Module CredentialManager -Scope CurrentUser\`) for a cleaner storage path.`);
 }
 async function writeWindows(service, account, value, _label) {
 	if ((await runPsAsync(`

package/dist/shadow/skip.js

@@ -38,9 +38,9 @@ function shouldSkipShadow(binPath, options) {
 	if (win32 && binPath) return true;
 	const userAgent = node_process.default.env["npm_config_user_agent"];
 	if (userAgent?.includes("exec") || userAgent?.includes("npx") || userAgent?.includes("dlx")) return true;
-	const normalizedCwd = /* @__PURE__ */ require_paths_normalize.normalizePath(cwd);
+	const normalizedCwd = require_paths_normalize.normalizePath(cwd);
 	const npmCache = node_process.default.env["npm_config_cache"];
-	if (npmCache && normalizedCwd.includes(/* @__PURE__ */ require_paths_normalize.normalizePath(npmCache))) return true;
+	if (npmCache && normalizedCwd.includes(require_paths_normalize.normalizePath(npmCache))) return true;
 	return [
 		"_npx",
 		".pnpm-store",