npm - @socketsecurity/lib - Versions diffs - 6.0.6 → 6.0.8 - Mend

@socketsecurity/lib 6.0.6 → 6.0.8

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (619) hide show

package/CHANGELOG.md +46 -1
package/README.md +1 -1
package/dist/ai/agent-context.d.mts +103 -0
package/dist/ai/agent-context.js +157 -0
package/dist/ai/backends.d.mts +83 -0
package/dist/ai/backends.js +173 -0
package/dist/ai/credentials.d.mts +49 -0
package/dist/ai/credentials.js +82 -0
package/dist/ai/discover.d.mts +6 -2
package/dist/ai/discover.js +4 -3
package/dist/ai/exec.d.mts +52 -0
package/dist/ai/exec.js +92 -0
package/dist/ai/http.d.mts +132 -0
package/dist/ai/http.js +130 -0
package/dist/ai/profiles.d.mts +41 -6
package/dist/ai/profiles.js +52 -10
package/dist/ai/route.d.mts +69 -0
package/dist/ai/route.js +156 -0
package/dist/ai/spawn.d.mts +10 -2
package/dist/ai/spawn.js +56 -31
package/dist/ai/subagent-status.d.mts +48 -0
package/dist/ai/subagent-status.js +57 -0
package/dist/ai/tier.d.mts +60 -0
package/dist/ai/tier.js +53 -0
package/dist/ai/types.d.mts +31 -6
package/dist/ai/worktree.d.mts +6 -6
package/dist/ai/worktree.js +5 -1
package/dist/ansi/strip.d.ts +1 -1
package/dist/ansi/strip.js +0 -2
package/dist/archives/_internal.js +7 -9
package/dist/archives/extract.js +1 -1
package/dist/archives/tar.js +7 -7
package/dist/archives/zip.js +5 -7
package/dist/argv/flag-predicates.d.ts +12 -12
package/dist/argv/flag-predicates.js +17 -17
package/dist/argv/flag-types.d.ts +18 -18
package/dist/argv/flag-types.js +4 -4
package/dist/argv/parse.d.ts +20 -3
package/dist/argv/parse.js +1 -1
package/dist/arrays/_internal.js +11 -12
package/dist/arrays/chunk.js +0 -1
package/dist/arrays/join.d.ts +37 -3
package/dist/arrays/join.js +47 -7
package/dist/arrays/unique.js +0 -1
package/dist/bin/_internal.d.ts +1 -1
package/dist/bin/_internal.js +1 -1
package/dist/bin/exec.js +2 -3
package/dist/bin/find.js +17 -17
package/dist/bin/prim.cjs +36175 -35861
package/dist/bin/resolve.js +13 -14
package/dist/bin/which.js +8 -8
package/dist/cache/ttl/store.js +6 -6
package/dist/checks/primordials-defaults.d.ts +3 -3
package/dist/checks/primordials-defaults.js +3 -3
package/dist/checks/primordials.js +4 -3
package/dist/{bin → cli}/check-primordials.d.ts +18 -13
package/dist/{bin → cli}/check-primordials.js +58 -55
package/dist/{bin → cli}/check.js +3 -3
package/dist/{bin → cli}/socket-lib.d.ts +1 -1
package/dist/{bin → cli}/socket-lib.js +4 -4
package/dist/colors/socket-palette.js +7 -9
package/dist/compression/_internal.d.ts +12 -12
package/dist/compression/_internal.js +18 -18
package/dist/compression/brotli.d.ts +26 -27
package/dist/compression/brotli.js +39 -35
package/dist/compression/gzip.d.ts +23 -23
package/dist/compression/gzip.js +46 -42
package/dist/constants/agents.d.ts +3 -1
package/dist/constants/agents.js +15 -11
package/dist/constants/licenses.js +3 -3
package/dist/constants/node.d.ts +23 -0
package/dist/constants/node.js +47 -15
package/dist/constants/packages.d.ts +3 -0
package/dist/constants/packages.js +24 -29
package/dist/constants/platform.d.ts +30 -3
package/dist/constants/platform.js +72 -12
package/dist/constants/runtime.d.ts +22 -0
package/dist/constants/runtime.js +32 -0
package/dist/constants/socket.d.ts +2 -6
package/dist/constants/socket.js +12 -14
package/dist/cover/code.js +10 -10
package/dist/cover/formatters.js +5 -5
package/dist/crypto/hash.d.ts +30 -2
package/dist/crypto/hash.js +47 -13
package/dist/debug/_internal.js +4 -6
package/dist/debug/caller-info.js +3 -4
package/dist/debug/namespace.d.ts +7 -0
package/dist/debug/namespace.js +21 -12
package/dist/debug/output.js +21 -24
package/dist/debug/types.d.ts +4 -4
package/dist/dlx/arborist.js +18 -8
package/dist/dlx/binary-cache.js +15 -15
package/dist/dlx/binary-download.d.ts +1 -1
package/dist/dlx/binary-download.js +11 -11
package/dist/dlx/binary-resolution.js +17 -15
package/dist/dlx/binary-types.d.ts +5 -5
package/dist/dlx/binary.js +5 -5
package/dist/dlx/cache.js +1 -1
package/dist/dlx/detect.d.ts +42 -25
package/dist/dlx/detect.js +86 -77
package/dist/dlx/dir.js +2 -2
package/dist/dlx/firewall.d.ts +9 -1
package/dist/dlx/firewall.js +1 -1
package/dist/dlx/lockfile.d.ts +19 -18
package/dist/dlx/lockfile.js +19 -16
package/dist/dlx/manifest.d.ts +6 -6
package/dist/dlx/manifest.js +5 -5
package/dist/dlx/package.d.ts +10 -10
package/dist/dlx/package.js +20 -16
package/dist/dlx/packages.js +4 -4
package/dist/dlx/paths.js +7 -7
package/dist/dlx/spec.js +1 -1
package/dist/dlx/types.d.ts +28 -27
package/dist/eco/cargo/parse-lockfile.d.ts +2 -3
package/dist/eco/cargo/parse-lockfile.js +5 -5
package/dist/eco/manifest/analyze-lockfile.js +2 -2
package/dist/eco/manifest/detect-format.js +5 -5
package/dist/eco/manifest/find-packages.js +2 -2
package/dist/eco/manifest/get-package-versions.js +2 -2
package/dist/eco/manifest/get-package.js +2 -2
package/dist/eco/manifest/parse-lockfile.js +2 -2
package/dist/eco/manifest/parse-manifest.js +2 -2
package/dist/eco/manifest/parse.js +2 -2
package/dist/eco/npm/npm/exec.js +2 -2
package/dist/eco/npm/npm/flags.js +7 -12
package/dist/eco/npm/npm/parse-lockfile.d.ts +17 -18
package/dist/eco/npm/npm/parse-lockfile.js +4 -4
package/dist/eco/npm/parse-package-json.d.ts +11 -0
package/dist/eco/npm/parse-package-json.js +3 -3
package/dist/eco/npm/pnpm/exec.d.ts +1 -1
package/dist/eco/npm/pnpm/exec.js +5 -5
package/dist/eco/npm/pnpm/flags.js +0 -3
package/dist/eco/npm/pnpm/parse-lockfile.d.ts +6 -4
package/dist/eco/npm/pnpm/parse-lockfile.js +7 -7
package/dist/eco/npm/script.js +9 -6
package/dist/eco/npm/yarnpkg/yarn/exec.js +4 -4
package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.d.ts +3 -4
package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +9 -9
package/dist/effects/pulse-frames.d.ts +3 -1
package/dist/effects/shimmer-keyframes.d.ts +1 -1
package/dist/effects/shimmer-terminal.d.ts +1 -1
package/dist/env/boolean.js +0 -1
package/dist/env/ci.js +0 -1
package/dist/env/debug.js +0 -1
package/dist/env/github-status.d.ts +51 -0
package/dist/env/github-status.js +90 -0
package/dist/env/github.js +0 -8
package/dist/env/home.js +0 -1
package/dist/env/locale.js +0 -3
package/dist/env/node-auth-token.js +0 -1
package/dist/env/node-env.js +0 -1
package/dist/env/node-version-managers.d.ts +53 -0
package/dist/env/node-version-managers.js +90 -0
package/dist/env/npm.js +0 -5
package/dist/env/number.js +0 -1
package/dist/env/package-manager.js +3 -6
package/dist/env/path.js +0 -1
package/dist/env/pre-commit.js +1 -2
package/dist/env/proxy.js +1 -1
package/dist/env/rewire.d.ts +8 -6
package/dist/env/rewire.js +16 -17
package/dist/env/shell.js +0 -1
package/dist/env/socket-cli.js +5 -18
package/dist/env/socket-mcp.d.ts +114 -0
package/dist/env/socket-mcp.js +146 -0
package/dist/env/socket.d.ts +8 -109
package/dist/env/socket.js +22 -167
package/dist/env/string.js +0 -1
package/dist/env/temp-dir.js +0 -3
package/dist/env/term.js +0 -1
package/dist/env/test.js +3 -6
package/dist/env/windows.js +0 -4
package/dist/env/xdg.js +0 -3
package/dist/errors/predicates.js +1 -1
package/dist/events/exit/_internal.d.ts +11 -9
package/dist/events/exit/_internal.js +31 -35
package/dist/events/exit/handler.js +3 -4
package/dist/events/exit/intercept.js +4 -6
package/dist/events/exit/lifecycle.js +16 -18
package/dist/events/exit/signals.js +1 -2
package/dist/events/exit/types.d.ts +6 -5
package/dist/external/@npmcli/package-json.js +2 -2
package/dist/external/@npmcli/promise-spawn.js +3 -1
package/dist/external/npm-pack.js +2 -2
package/dist/external/pico-pack.js +4 -2
package/dist/external/which.js +3 -1
package/dist/external-tools/bazel/asset-names.d.ts +1 -1
package/dist/external-tools/bazel/asset-names.js +5 -2
package/dist/external-tools/bazel/from-download.d.ts +1 -1
package/dist/external-tools/bazel/from-download.js +5 -2
package/dist/external-tools/bazel/read-bazel-version-file.js +1 -1
package/dist/external-tools/bazel/resolve-bazel-version.js +4 -0
package/dist/external-tools/bazel/resolve.d.ts +3 -3
package/dist/external-tools/bazel/resolve.js +16 -8
package/dist/external-tools/bazel/types.d.ts +1 -1
package/dist/external-tools/cdxgen/asset-names.d.ts +1 -1
package/dist/external-tools/cdxgen/asset-names.js +5 -2
package/dist/external-tools/cdxgen/from-download.d.ts +1 -1
package/dist/external-tools/cdxgen/from-download.js +7 -4
package/dist/external-tools/cdxgen/from-vfs.js +1 -1
package/dist/external-tools/cdxgen/resolve.d.ts +3 -3
package/dist/external-tools/cdxgen/resolve.js +16 -8
package/dist/external-tools/cdxgen/types.d.ts +1 -1
package/dist/external-tools/from-download.d.ts +3 -3
package/dist/external-tools/from-download.js +12 -6
package/dist/external-tools/from-pip-venv.d.ts +1 -1
package/dist/external-tools/from-pip-venv.js +12 -5
package/dist/external-tools/janus/asset-names.d.ts +1 -1
package/dist/external-tools/janus/asset-names.js +5 -2
package/dist/external-tools/janus/from-download.d.ts +1 -1
package/dist/external-tools/janus/from-download.js +5 -2
package/dist/external-tools/janus/from-vfs.js +1 -1
package/dist/external-tools/janus/resolve.d.ts +3 -3
package/dist/external-tools/janus/resolve.js +16 -8
package/dist/external-tools/janus/types.d.ts +1 -1
package/dist/external-tools/jre/asset-names.d.ts +1 -1
package/dist/external-tools/jre/asset-names.js +5 -2
package/dist/external-tools/jre/detect-platform-arch.d.ts +10 -6
package/dist/external-tools/jre/detect-platform-arch.js +29 -14
package/dist/external-tools/jre/from-download.d.ts +1 -1
package/dist/external-tools/jre/from-download.js +7 -4
package/dist/external-tools/jre/from-java-home.js +2 -2
package/dist/external-tools/jre/from-vfs.js +3 -3
package/dist/external-tools/jre/resolve.d.ts +3 -3
package/dist/external-tools/jre/resolve.js +16 -8
package/dist/external-tools/jre/types.d.ts +1 -1
package/dist/external-tools/manifest.d.ts +25 -7
package/dist/external-tools/manifest.js +13 -13
package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
package/dist/external-tools/opengrep/asset-names.js +5 -2
package/dist/external-tools/opengrep/from-download.d.ts +1 -1
package/dist/external-tools/opengrep/from-download.js +5 -2
package/dist/external-tools/opengrep/from-vfs.js +1 -1
package/dist/external-tools/opengrep/resolve.d.ts +3 -3
package/dist/external-tools/opengrep/resolve.js +16 -8
package/dist/external-tools/opengrep/types.d.ts +1 -1
package/dist/external-tools/python/asset-names.d.ts +76 -0
package/dist/external-tools/python/asset-names.js +111 -0
package/dist/external-tools/python/dlx.d.ts +80 -0
package/dist/external-tools/python/dlx.js +98 -0
package/dist/external-tools/python/from-download.d.ts +53 -0
package/dist/external-tools/python/from-download.js +75 -0
package/dist/external-tools/python/from-path.d.ts +7 -0
package/dist/external-tools/python/from-path.js +23 -0
package/dist/external-tools/python/pin.d.ts +121 -0
package/dist/external-tools/python/pin.js +176 -0
package/dist/external-tools/python/pip-install.d.ts +75 -0
package/dist/external-tools/python/pip-install.js +142 -0
package/dist/external-tools/python/resolve.d.ts +42 -0
package/dist/external-tools/python/resolve.js +66 -0
package/dist/external-tools/python/types.d.ts +49 -0
package/dist/external-tools/sbt/asset-names.d.ts +1 -1
package/dist/external-tools/sbt/asset-names.js +5 -2
package/dist/external-tools/sbt/from-download.d.ts +1 -1
package/dist/external-tools/sbt/from-download.js +5 -2
package/dist/external-tools/sbt/from-vfs.js +1 -1
package/dist/external-tools/sbt/resolve.d.ts +3 -3
package/dist/external-tools/sbt/resolve.js +16 -8
package/dist/external-tools/sbt/types.d.ts +1 -1
package/dist/external-tools/skillspector/from-dlx.d.ts +1 -1
package/dist/external-tools/skillspector/from-dlx.js +10 -3
package/dist/external-tools/skillspector/from-path.js +3 -5
package/dist/external-tools/skillspector/from-vfs.js +1 -1
package/dist/external-tools/skillspector/resolve.d.ts +2 -2
package/dist/external-tools/skillspector/resolve.js +14 -6
package/dist/external-tools/synp/asset-names.d.ts +1 -1
package/dist/external-tools/synp/asset-names.js +6 -2
package/dist/external-tools/synp/from-download.d.ts +1 -1
package/dist/external-tools/synp/from-download.js +7 -4
package/dist/external-tools/synp/from-vfs.js +1 -1
package/dist/external-tools/synp/resolve.d.ts +3 -3
package/dist/external-tools/synp/resolve.js +16 -8
package/dist/external-tools/trivy/asset-names.d.ts +1 -1
package/dist/external-tools/trivy/asset-names.js +5 -2
package/dist/external-tools/trivy/from-download.d.ts +1 -1
package/dist/external-tools/trivy/from-download.js +7 -4
package/dist/external-tools/trivy/from-vfs.js +1 -1
package/dist/external-tools/trivy/resolve.d.ts +3 -3
package/dist/external-tools/trivy/resolve.js +16 -8
package/dist/external-tools/trivy/types.d.ts +1 -1
package/dist/external-tools/trufflehog/asset-names.d.ts +1 -1
package/dist/external-tools/trufflehog/asset-names.js +5 -2
package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
package/dist/external-tools/trufflehog/from-download.js +7 -4
package/dist/external-tools/trufflehog/from-vfs.js +1 -1
package/dist/external-tools/trufflehog/resolve.d.ts +3 -3
package/dist/external-tools/trufflehog/resolve.js +16 -8
package/dist/external-tools/trufflehog/types.d.ts +1 -1
package/dist/fs/_internal.d.ts +1 -1
package/dist/fs/_internal.js +7 -7
package/dist/fs/access.js +5 -9
package/dist/fs/allowed-dirs-cache.d.ts +47 -0
package/dist/fs/allowed-dirs-cache.js +69 -0
package/dist/fs/encoding.js +5 -7
package/dist/fs/{find-up.js → find.js} +12 -14
package/dist/fs/inspect.js +7 -13
package/dist/fs/read-dir.js +7 -10
package/dist/fs/read-file.js +8 -14
package/dist/fs/read-json-cache.d.ts +13 -4
package/dist/fs/read-json-cache.js +9 -6
package/dist/fs/read-json.js +4 -6
package/dist/fs/resolve-module.js +7 -3
package/dist/fs/safe.d.ts +1 -1
package/dist/fs/safe.js +13 -14
package/dist/fs/unique.js +4 -5
package/dist/fs/validate.js +1 -2
package/dist/fs/write-json.js +4 -5
package/dist/git/_internal.js +11 -11
package/dist/git/changed.js +4 -4
package/dist/git/repo.js +5 -7
package/dist/git/staged.js +12 -4
package/dist/git/tracked.d.ts +84 -0
package/dist/git/tracked.js +163 -0
package/dist/git/unstaged.js +12 -4
package/dist/github/ghsa.js +2 -2
package/dist/github/refs-cache.d.ts +1 -1
package/dist/github/refs-cache.js +5 -5
package/dist/github/refs-graphql.js +4 -0
package/dist/github/refs-rest.js +9 -5
package/dist/github/refs.js +15 -10
package/dist/github/{fetch.js → request.js} +13 -2
package/dist/github/token.js +1 -1
package/dist/github/types.d.ts +1 -1
package/dist/globs/_internal.js +8 -10
package/dist/globs/match.js +13 -7
package/dist/globs/matcher.d.ts +3 -3
package/dist/globs/matcher.js +16 -14
package/dist/globs/stream.js +1 -2
package/dist/globs/types.d.ts +24 -24
package/dist/http-request/_internal.d.ts +1 -1
package/dist/http-request/browser.js +10 -4
package/dist/http-request/checksum-file.d.ts +55 -0
package/dist/http-request/checksum-file.js +95 -0
package/dist/http-request/download-types.d.ts +15 -23
package/dist/http-request/download.js +3 -3
package/dist/http-request/{browser-fetch.d.ts → fetch/browser.d.ts} +2 -2
package/dist/http-request/{browser-fetch.js → fetch/browser.js} +4 -4
package/dist/http-request/headers.js +1 -2
package/dist/http-request/request-attempt.js +38 -34
package/dist/http-request/request-types.d.ts +2 -2
package/dist/http-request/request.js +1 -1
package/dist/http-request/user-agent.js +4 -5
package/dist/integrity.d.ts +92 -18
package/dist/integrity.js +125 -30
package/dist/ipc/directory.js +2 -2
package/dist/ipc/paths.js +1 -1
package/dist/ipc/write.js +1 -1
package/dist/ipc-cli/get.js +12 -12
package/dist/json/edit.js +51 -44
package/dist/json/format.js +1 -1
package/dist/json/parse.d.ts +1 -1
package/dist/json/parse.js +3 -7
package/dist/logger/_internal.d.ts +4 -4
package/dist/logger/_internal.js +3 -3
package/dist/logger/colors.js +4 -3
package/dist/logger/console-methods.d.ts +132 -0
package/dist/logger/console-methods.js +169 -0
package/dist/logger/console.d.ts +12 -0
package/dist/logger/console.js +42 -11
package/dist/logger/indentation-methods.d.ts +81 -0
package/dist/logger/indentation-methods.js +121 -0
package/dist/logger/node.d.ts +16 -338
package/dist/logger/node.js +75 -608
package/dist/logger/options.d.ts +39 -0
package/dist/logger/options.js +47 -0
package/dist/logger/semantic-methods.d.ts +63 -0
package/dist/logger/semantic-methods.js +108 -0
package/dist/logger/stream-methods.d.ts +63 -0
package/dist/logger/stream-methods.js +101 -0
package/dist/logger/stream.d.ts +37 -0
package/dist/logger/stream.js +42 -0
package/dist/logger/symbols-builder.js +9 -9
package/dist/logger/symbols.d.ts +2 -25
package/dist/logger/symbols.js +53 -74
package/dist/logger/types.d.ts +1 -1
package/dist/memo/types.d.ts +6 -6
package/dist/native-messaging/host.d.ts +20 -0
package/dist/native-messaging/host.js +120 -0
package/dist/native-messaging/index.d.ts +5 -0
package/dist/native-messaging/index.js +22 -0
package/dist/native-messaging/install.d.ts +60 -0
package/dist/native-messaging/install.js +144 -0
package/dist/native-messaging/rate-limit.d.ts +69 -0
package/dist/native-messaging/rate-limit.js +119 -0
package/dist/native-messaging/run.d.ts +10 -0
package/dist/native-messaging/run.js +17 -0
package/dist/node/async-hooks.js +4 -3
package/dist/node/child-process.js +4 -3
package/dist/node/crypto.js +4 -3
package/dist/node/events.js +4 -3
package/dist/node/fs-promises.js +4 -3
package/dist/node/fs.d.ts +22 -6
package/dist/node/fs.js +17 -3
package/dist/node/http.js +4 -3
package/dist/node/https.js +4 -3
package/dist/node/module.js +10 -6
package/dist/node/os.d.ts +10 -2
package/dist/node/os.js +12 -4
package/dist/node/path.d.ts +11 -2
package/dist/node/path.js +18 -4
package/dist/node/timers-promises.js +4 -3
package/dist/node/url.js +4 -3
package/dist/node/util.js +4 -3
package/dist/objects/getters.js +6 -8
package/dist/objects/inspect.js +1 -4
package/dist/objects/mutate.js +4 -5
package/dist/objects/predicates.js +1 -5
package/dist/objects/sort.js +3 -7
package/dist/packages/edit-class.d.ts +2 -3
package/dist/packages/edit-class.js +53 -48
package/dist/packages/edit.js +12 -14
package/dist/packages/exports.js +15 -21
package/dist/packages/fetch.d.ts +16 -0
package/dist/packages/fetch.js +81 -0
package/dist/packages/find.d.ts +55 -0
package/dist/packages/find.js +65 -0
package/dist/packages/isolation.js +14 -14
package/dist/packages/licenses.js +18 -18
package/dist/packages/manifest.js +16 -19
package/dist/packages/metadata-extensions.d.ts +14 -0
package/dist/packages/metadata-extensions.js +43 -0
package/dist/packages/normalize.js +6 -10
package/dist/packages/provenance.js +17 -19
package/dist/packages/read.d.ts +29 -0
package/dist/packages/read.js +66 -0
package/dist/packages/specs.d.ts +48 -1
package/dist/packages/specs.js +75 -12
package/dist/packages/tarball.d.ts +24 -0
package/dist/packages/tarball.js +81 -0
package/dist/packages/types.d.ts +22 -22
package/dist/packages/validation.js +0 -3
package/dist/paths/_internal.d.ts +2 -1
package/dist/paths/_internal.js +7 -19
package/dist/paths/conversion.js +5 -9
package/dist/paths/dirnames.d.ts +1 -0
package/dist/paths/dirnames.js +2 -0
package/dist/paths/filenames.d.ts +0 -1
package/dist/paths/filenames.js +0 -2
package/dist/paths/normalize.js +4 -5
package/dist/paths/packages.js +4 -7
package/dist/paths/predicates.js +9 -16
package/dist/paths/resolve.js +17 -25
package/dist/paths/rewire.d.ts +5 -0
package/dist/paths/rewire.js +3 -3
package/dist/paths/socket.d.ts +74 -111
package/dist/paths/socket.js +106 -139
package/dist/paths/walk.d.ts +1 -1
package/dist/paths/walk.js +4 -4
package/dist/perf/report.js +2 -2
package/dist/perf/types.d.ts +1 -1
package/dist/pkg-ext/data.js +1 -1
package/dist/primordials/array.js +9 -9
package/dist/primordials/date.js +2 -2
package/dist/primordials/error.js +3 -3
package/dist/primordials/headers.d.ts +10 -0
package/dist/primordials/headers.js +23 -0
package/dist/primordials/intl.d.ts +13 -0
package/dist/primordials/intl.js +26 -0
package/dist/primordials/math.js +33 -33
package/dist/primordials/number.js +9 -9
package/dist/primordials/object.js +5 -5
package/dist/primordials/process.d.ts +88 -0
package/dist/primordials/process.js +132 -0
package/dist/primordials/string.d.ts +2 -2
package/dist/primordials/string.js +6 -6
package/dist/primordials/symbol.js +3 -3
package/dist/primordials/uncurry.d.ts +1 -2
package/dist/primordials/uncurry.js +9 -9
package/dist/process/abort.js +3 -3
package/dist/process/lock-manager.js +8 -8
package/dist/process/spawn/_internal.js +6 -8
package/dist/process/spawn/child.js +20 -14
package/dist/process/spawn/errors.js +3 -5
package/dist/process/spawn/kill-tree.d.ts +53 -0
package/dist/process/spawn/kill-tree.js +85 -0
package/dist/process/spawn/stdio.js +0 -1
package/dist/process/spawn/types.d.ts +5 -5
package/dist/process/transient.js +2 -2
package/dist/promises/_internal.d.ts +2 -1
package/dist/promises/_internal.js +2 -6
package/dist/promises/iterate.js +11 -15
package/dist/promises/options.js +3 -6
package/dist/promises/retry.js +4 -5
package/dist/promises/timers.d.ts +30 -0
package/dist/promises/timers.js +48 -0
package/dist/regexps/spec.js +1 -1
package/dist/releases/github-archives.d.ts +6 -6
package/dist/releases/github-archives.js +3 -3
package/dist/releases/github-asset-url.d.ts +1 -1
package/dist/releases/github-asset-url.js +5 -5
package/dist/releases/github-downloads.d.ts +1 -1
package/dist/releases/github-downloads.js +3 -3
package/dist/releases/github-listing.d.ts +12 -4
package/dist/releases/github-listing.js +20 -7
package/dist/releases/github-retry-config.js +1 -1
package/dist/releases/github-types.d.ts +6 -6
package/dist/releases/socket-btm-binary-naming.d.ts +107 -0
package/dist/releases/socket-btm-binary-naming.js +155 -0
package/dist/releases/socket-btm.d.ts +8 -115
package/dist/releases/socket-btm.js +16 -159
package/dist/schema/types.d.ts +4 -5
package/dist/schema/validate.js +1 -1
package/dist/sea/detect.js +6 -6
package/dist/secrets/_internal.d.ts +2 -2
package/dist/secrets/_internal.js +2 -2
package/dist/secrets/compare.d.ts +45 -0
package/dist/secrets/compare.js +61 -0
package/dist/secrets/find.d.ts +2 -2
package/dist/secrets/find.js +10 -4
package/dist/secrets/keychain.d.ts +1 -1
package/dist/secrets/keychain.js +6 -4
package/dist/secrets/linux.js +40 -52
package/dist/secrets/macos.d.ts +2 -3
package/dist/secrets/macos.js +24 -33
package/dist/secrets/rc.d.ts +4 -4
package/dist/secrets/rc.js +27 -17
package/dist/secrets/socket-api-token.d.ts +4 -4
package/dist/secrets/socket-api-token.js +26 -9
package/dist/secrets/windows.js +32 -37
package/dist/shadow/skip.js +2 -2
package/dist/shell/parse.d.ts +32 -0
package/dist/shell/parse.js +60 -0
package/dist/smol/detect.js +9 -10
package/dist/smol/http.js +6 -7
package/dist/smol/https.js +6 -7
package/dist/smol/manifest.d.ts +1 -1
package/dist/smol/manifest.js +6 -7
package/dist/smol/path.d.ts +1 -1
package/dist/smol/path.js +7 -8
package/dist/smol/primordial.d.ts +4 -0
package/dist/smol/primordial.js +6 -7
package/dist/smol/purl.d.ts +1 -1
package/dist/smol/purl.js +7 -8
package/dist/smol/versions.js +6 -7
package/dist/smol/vfs.js +6 -7
package/dist/sorts/_internal.js +6 -8
package/dist/sorts/natural.js +10 -12
package/dist/sorts/semver.js +1 -2
package/dist/sorts/strings.js +0 -1
package/dist/sorts/types.d.ts +1 -1
package/dist/spinner/create-spinner-class.d.ts +38 -0
package/dist/spinner/create-spinner-class.js +302 -0
package/dist/spinner/default.js +8 -9
package/dist/spinner/spinner-internals.d.ts +36 -0
package/dist/spinner/spinner-internals.js +105 -0
package/dist/spinner/spinner-shimmer-methods.d.ts +54 -0
package/dist/spinner/spinner-shimmer-methods.js +143 -0
package/dist/spinner/spinner-status-methods.d.ts +40 -0
package/dist/spinner/spinner-status-methods.js +133 -0
package/dist/spinner/spinner.d.ts +8 -5
package/dist/spinner/spinner.js +19 -706
package/dist/spinner/types.d.ts +3 -1
package/dist/spinner/with.d.ts +10 -0
package/dist/spinner/with.js +16 -2
package/dist/stdio/divider.js +1 -1
package/dist/stdio/footer.js +3 -3
package/dist/stdio/header.js +4 -4
package/dist/stdio/progress.js +10 -6
package/dist/stdio/prompts.d.ts +7 -5
package/dist/stdio/prompts.js +7 -8
package/dist/stdio/stdout.js +3 -3
package/dist/streams/parallel.js +3 -5
package/dist/streams/transform.js +2 -3
package/dist/strings/format.js +2 -6
package/dist/strings/predicates.js +0 -2
package/dist/strings/search.js +1 -2
package/dist/strings/transform.js +0 -3
package/dist/strings/width.js +9 -10
package/dist/tables/bordered.js +4 -3
package/dist/tables/padding.js +1 -1
package/dist/tables/simple.js +8 -5
package/dist/temporal/instant.js +1 -1
package/dist/temporal/slots.js +6 -6
package/dist/temporal/system.js +9 -9
package/dist/themes/context.d.ts +3 -2
package/dist/themes/context.js +4 -5
package/dist/themes/themes.js +15 -15
package/dist/themes/types.d.ts +3 -3
package/dist/url/assert-safe.d.ts +29 -0
package/dist/url/assert-safe.js +54 -0
package/dist/url/parse.js +0 -2
package/dist/url/predicates.d.ts +31 -1
package/dist/url/predicates.js +43 -3
package/dist/url/search-params.js +3 -9
package/dist/url/types.d.ts +9 -5
package/dist/versions/_internal.js +3 -3
package/dist/words/article.js +0 -1
package/dist/words/capitalize.js +0 -1
package/dist/words/pluralize.js +15 -5
package/package.json +419 -216
package/dist/external-tools/uv/asset-names.d.ts +0 -36
package/dist/external-tools/uv/asset-names.js +0 -70
package/dist/external-tools/uv/from-download.d.ts +0 -17
package/dist/external-tools/uv/from-download.js +0 -47
package/dist/external-tools/uv/from-path.d.ts +0 -5
package/dist/external-tools/uv/from-path.js +0 -22
package/dist/external-tools/uv/from-vfs.d.ts +0 -7
package/dist/external-tools/uv/from-vfs.js +0 -26
package/dist/external-tools/uv/resolve.d.ts +0 -25
package/dist/external-tools/uv/resolve.js +0 -53
package/dist/external-tools/uv/types.d.ts +0 -24
package/dist/fs/path-cache.d.ts +0 -21
package/dist/fs/path-cache.js +0 -34
package/dist/http-request/checksums.d.ts +0 -69
package/dist/http-request/checksums.js +0 -108
package/dist/http-request/http-request.d.ts +0 -12
package/dist/http-request/http-request.js +0 -11
package/dist/packages/operations.d.ts +0 -113
package/dist/packages/operations.js +0 -304
package/dist/ssri/convert.d.ts +0 -48
package/dist/ssri/convert.js +0 -69
package/dist/ssri/parse.d.ts +0 -27
package/dist/ssri/parse.js +0 -41
package/dist/ssri/validate.d.ts +0 -41
package/dist/ssri/validate.js +0 -56
/package/dist/{bin → cli}/check.d.ts +0 -0
/package/dist/external-tools/{uv → python}/types.js +0 -0
/package/dist/fs/{find-up.d.ts → find.d.ts} +0 -0
/package/dist/github/{fetch.d.ts → request.d.ts} +0 -0

package/dist/external-tools/python/from-download.js ADDED Viewed

@@ -0,0 +1,75 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_runtime = require('../../_virtual/_rolldown/runtime.js');
+const require_paths_socket = require('../../paths/socket.js');
+const require_external_tools_from_download = require('../from-download.js');
+const require_external_tools_python_asset_names = require('./asset-names.js');
+let node_process = require("node:process");
+node_process = require_runtime.__toESM(node_process);
+let node_path = require("node:path");
+node_path = require_runtime.__toESM(node_path);
+//#region src/external-tools/python/from-download.ts
+/**
+* @file `pythonFromDownload()` — fetches a python-build-standalone CPython into
+*   the DLX cache and returns a `ResolvedPython` pointing at the interpreter.
+*   The `install_only` tarball extracts to a `python/` subdirectory, so the
+*   interpreter lands at `<extractedDir>/python/bin/python3` (or
+*   `python/python.exe` on Windows) — no strip.
+*/
+/**
+* Return the absolute path to the interpreter inside an extracted
+* python-build-standalone tree. The layout follows the TARGET arch, not the
+* host: a Windows target nests the interpreter at `python/python.exe`, every
+* other target at `python/bin/python3`. Keying off `process.platform` would be
+* wrong when cross-resolving (e.g. a Windows host downloading a linux-x64
+* build). `arch` is a platform-arch key like `win-x64` / `linux-x64`; omit it
+* to fall back to the host platform.
+*/
+function pythonBinPath(extractedDir, arch) {
+	if (arch ? arch.startsWith("win-") : node_process.default.platform === "win32") return node_path.default.join(extractedDir, "python", "python.exe");
+	return node_path.default.join(extractedDir, "python", "bin", "python3");
+}
+/**
+* Default DLX cache directory for a python build pin.
+*/
+function pythonCacheDir(version, tag, arch) {
+	return node_path.default.join(require_paths_socket.getSocketDlxDir(), "python", `${version}-${tag}-${arch}`);
+}
+async function pythonFromDownload(options) {
+	options = {
+		__proto__: null,
+		...options
+	};
+	const { cacheDir, downloader, integrity, tag, version } = {
+		__proto__: null,
+		...options
+	};
+	const arch = options.arch ?? require_external_tools_python_asset_names.getPythonArch();
+	if (!arch) return;
+	const asset = require_external_tools_python_asset_names.pythonAsset({
+		version,
+		tag,
+		arch
+	});
+	if (!asset) return;
+	const extractedDir = cacheDir ?? pythonCacheDir(version, tag, arch);
+	const archive = await require_external_tools_from_download.downloadAndExtractTool({
+		url: asset.url,
+		name: `python-${version}-${tag}-${arch}.tar.gz`,
+		integrity,
+		extractedDir,
+		downloader
+	});
+	return {
+		path: pythonBinPath(extractedDir, arch),
+		source: "download",
+		integrity: archive.integrity
+	};
+}
+//#endregion
+exports.pythonBinPath = pythonBinPath;
+exports.pythonCacheDir = pythonCacheDir;
+exports.pythonFromDownload = pythonFromDownload;

package/dist/external-tools/python/from-path.d.ts ADDED Viewed

@@ -0,0 +1,7 @@
+/**
+ * @file `pythonFromPath()` — looks for a CPython interpreter on the system
+ *   PATH. Tries `python3` first (the POSIX convention), then `python` (the
+ *   Windows convention / some minimal images). Returns the first hit.
+ */
+import type { ResolvedPython } from './types';
+export declare function pythonFromPath(): Promise<ResolvedPython | undefined>;

package/dist/external-tools/python/from-path.js ADDED Viewed

@@ -0,0 +1,23 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_bin_which = require('../../bin/which.js');
+//#region src/external-tools/python/from-path.ts
+/**
+* @file `pythonFromPath()` — looks for a CPython interpreter on the system
+*   PATH. Tries `python3` first (the POSIX convention), then `python` (the
+*   Windows convention / some minimal images). Returns the first hit.
+*/
+async function pythonFromPath() {
+	for (const bin of ["python3", "python"]) {
+		const onPath = await require_bin_which.which(bin, { nothrow: true });
+		if (typeof onPath === "string") return {
+			path: onPath,
+			source: "path"
+		};
+	}
+}
+//#endregion
+exports.pythonFromPath = pythonFromPath;

package/dist/external-tools/python/pin.d.ts ADDED Viewed

@@ -0,0 +1,121 @@
+/**
+ * @file `resolvePipPackagePin()` — the Python mirror of
+ *   `resolveNpmPackagePin()` (dlx/lockfile). Resolves a pip spec and its full
+ *   dependency closure WITHOUT installing into the interpreter, then returns
+ *   everything needed to pin a reproducible, hash-verified install:
+ *
+ *   - the resolved top-level name + version,
+ *   - the top-level artifact's hashes (sha512 SRI + sha256 hex), and
+ *   - a fully-hashed `requirements.txt` body (`name==version --hash=sha256:<hex>`
+ *     for every artifact in the closure) ready to feed back to
+ *     `downloadPipPackage` / `pip install --require-hashes`. Engine: `pip
+ *     download --dest <scratch> <spec>` downloads the spec + its resolved
+ *     closure as wheels/sdists into a scratch dir (no install, no venv), each
+ *     file is hashed, then the scratch dir is torn down. This is pip's own
+ *     recipe for producing hashed requirements — `pip-tools` is NOT required.
+ *     Contrast `resolveNpmPackagePin` (dlx/lockfile): same contract, npm engine
+ *     (Arborist lockfile-only + pacote), emits a `package-lock.json`. The pip
+ *     side emits a hashed `requirements.txt` because that — not a lockfile — is
+ *     what `pip install --require-hashes` consumes. NOTE on the soak window:
+ *     `resolveNpmPackagePin` applies a min-release-age cutoff via Arborist's
+ *     `before` date. pip has no native release-age gate, so this generator does
+ *     NOT enforce one — callers that need a soak must vet the resolved versions
+ *     out of band. The spec itself remains the primary pin: `==<version>` (PyPI
+ *     is immutable per version) or `@<full-sha>` (git is content-addressed).
+ */
+import type { ComputedHashes } from '../../integrity';
+export interface ResolvePipPackagePinOptions {
+    /**
+     * Absolute path to the Python interpreter used to run `pip download`,
+     * typically from `resolvePython()`. The interpreter is NOT modified.
+     */
+    readonly pythonBin: string;
+    /**
+     * Directory `pip download` resolves the closure into. Defaults to a unique
+     * scratch dir under the OS temp dir, removed before returning.
+     */
+    readonly scratchDir?: string | undefined;
+    /**
+     * Pip spec to pin: `<pkg>==<version>` (PyPI exact pin) or
+     * `git+https://<url>@<sha>` (git-SHA pin).
+     */
+    readonly spec: string;
+}
+export interface PipArtifactPin {
+    /**
+     * Sha256 hex of the artifact, the `--hash=sha256:<hex>` value pip expects.
+     */
+    readonly checksum: string;
+    /**
+     * Downloaded artifact filename, e.g. `is_odd-3.0.1-py3-none-any.whl`.
+     */
+    readonly file: string;
+    /**
+     * Distribution name parsed from the filename, e.g. `is-odd`.
+     */
+    readonly name: string;
+    /**
+     * Distribution version parsed from the filename, e.g. `3.0.1`.
+     */
+    readonly version: string;
+}
+export interface PipPackagePin {
+    /**
+     * Per-artifact pins for the full resolved closure (top-level + transitive).
+     */
+    readonly artifacts: readonly PipArtifactPin[];
+    /**
+     * Hashes of the top-level artifact (sha512 SRI + sha256 hex). The Python
+     * analog of `NpmPackagePin.hash`.
+     */
+    readonly hash: ComputedHashes;
+    /**
+     * Resolved top-level distribution name.
+     */
+    readonly name: string;
+    /**
+     * Fully-hashed `requirements.txt` content, ready to write to disk and feed to
+     * `pip install --require-hashes -r <file>`. The Python analog of
+     * `NpmPackagePin.lockfile`.
+     */
+    readonly requirements: string;
+    /**
+     * Resolved top-level distribution version.
+     */
+    readonly version: string;
+}
+/**
+ * Thrown when `pip download` produces no artifacts or a filename can't be
+ * parsed into a name + version.
+ */
+export declare class PipPackagePinError extends Error {
+    constructor(message: string, options?: {
+        cause?: unknown | undefined;
+    } | undefined);
+}
+/**
+ * Normalize a PEP 503 distribution name: lowercase, runs of `_ . -` collapse to
+ * a single `-`. Wheel filenames use `_`; requirements/PyPI use `-`.
+ */
+export declare function normalizeDistName(name: string): string;
+/**
+ * Parse `<name>-<version>` out of a wheel (`name-ver-...whl`) or sdist
+ * (`name-ver.tar.gz` / `name-ver.zip`) filename. Returns undefined when the
+ * shape isn't recognized.
+ */
+export declare function parseArtifactFilename(file: string): {
+    name: string;
+    version: string;
+} | undefined;
+/**
+ * Generate a vendorable, hash-pinned closure for a pip spec without installing
+ * it. Mirrors `resolveNpmPackagePin`. Throws `PipPackagePinError` on an empty
+ * download or an unparseable artifact filename.
+ */
+export declare function resolvePipPackagePin(options: ResolvePipPackagePinOptions): Promise<PipPackagePin>;
+/**
+ * Best-effort distribution name from a pip spec for matching the top-level
+ * artifact: strips a `==`/`>=`/etc. version and a `git+...#egg=<name>`
+ * fragment. Falls back to the raw spec when neither is present.
+ */
+export declare function specDistName(spec: string): string;

package/dist/external-tools/python/pin.js ADDED Viewed

@@ -0,0 +1,176 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_runtime = require('../../_virtual/_rolldown/runtime.js');
+const require_integrity = require('../../integrity.js');
+const require_constants_platform = require('../../constants/platform.js');
+const require_process_spawn_child = require('../../process/spawn/child.js');
+const require_fs_safe = require('../../fs/safe.js');
+let node_fs = require("node:fs");
+let node_process = require("node:process");
+node_process = require_runtime.__toESM(node_process);
+let node_path = require("node:path");
+node_path = require_runtime.__toESM(node_path);
+let node_os = require("node:os");
+node_os = require_runtime.__toESM(node_os);
+//#region src/external-tools/python/pin.ts
+/**
+* @file `resolvePipPackagePin()` — the Python mirror of
+*   `resolveNpmPackagePin()` (dlx/lockfile). Resolves a pip spec and its full
+*   dependency closure WITHOUT installing into the interpreter, then returns
+*   everything needed to pin a reproducible, hash-verified install:
+*
+*   - the resolved top-level name + version,
+*   - the top-level artifact's hashes (sha512 SRI + sha256 hex), and
+*   - a fully-hashed `requirements.txt` body (`name==version --hash=sha256:<hex>`
+*     for every artifact in the closure) ready to feed back to
+*     `downloadPipPackage` / `pip install --require-hashes`. Engine: `pip
+*     download --dest <scratch> <spec>` downloads the spec + its resolved
+*     closure as wheels/sdists into a scratch dir (no install, no venv), each
+*     file is hashed, then the scratch dir is torn down. This is pip's own
+*     recipe for producing hashed requirements — `pip-tools` is NOT required.
+*     Contrast `resolveNpmPackagePin` (dlx/lockfile): same contract, npm engine
+*     (Arborist lockfile-only + pacote), emits a `package-lock.json`. The pip
+*     side emits a hashed `requirements.txt` because that — not a lockfile — is
+*     what `pip install --require-hashes` consumes. NOTE on the soak window:
+*     `resolveNpmPackagePin` applies a min-release-age cutoff via Arborist's
+*     `before` date. pip has no native release-age gate, so this generator does
+*     NOT enforce one — callers that need a soak must vet the resolved versions
+*     out of band. The spec itself remains the primary pin: `==<version>` (PyPI
+*     is immutable per version) or `@<full-sha>` (git is content-addressed).
+*/
+/**
+* Thrown when `pip download` produces no artifacts or a filename can't be
+* parsed into a name + version.
+*/
+var PipPackagePinError = class extends Error {
+	constructor(message, options) {
+		super(message, options);
+		this.name = "PipPackagePinError";
+	}
+};
+/**
+* Normalize a PEP 503 distribution name: lowercase, runs of `_ . -` collapse to
+* a single `-`. Wheel filenames use `_`; requirements/PyPI use `-`.
+*/
+function normalizeDistName(name) {
+	return name.toLowerCase().replace(/[-_.]+/g, "-");
+}
+/**
+* Parse `<name>-<version>` out of a wheel (`name-ver-...whl`) or sdist
+* (`name-ver.tar.gz` / `name-ver.zip`) filename. Returns undefined when the
+* shape isn't recognized.
+*/
+function parseArtifactFilename(file) {
+	if (file.endsWith(".whl")) {
+		const parts = file.slice(0, -4).split("-");
+		if (parts.length < 2) return;
+		return {
+			name: normalizeDistName(parts[0]),
+			version: parts[1]
+		};
+	}
+	const ext = [
+		".tar.gz",
+		".tar.bz2",
+		".zip",
+		".tgz"
+	].find((e) => file.endsWith(e));
+	if (!ext) return;
+	const stem = file.slice(0, -ext.length);
+	const dashIdx = stem.lastIndexOf("-");
+	if (dashIdx <= 0) return;
+	return {
+		name: normalizeDistName(stem.slice(0, dashIdx)),
+		version: stem.slice(dashIdx + 1)
+	};
+}
+/**
+* Generate a vendorable, hash-pinned closure for a pip spec without installing
+* it. Mirrors `resolveNpmPackagePin`. Throws `PipPackagePinError` on an empty
+* download or an unparseable artifact filename.
+*/
+async function resolvePipPackagePin(options) {
+	const { pythonBin, spec } = {
+		__proto__: null,
+		...options
+	};
+	if (typeof spec !== "string" || spec.length === 0) throw new PipPackagePinError("resolvePipPackagePin requires a package spec");
+	const scratch = options.scratchDir ?? node_path.default.join(node_os.default.tmpdir(), `socket-lib-pip-pin-${node_process.default.pid}-${Date.now()}`);
+	await require_fs_safe.safeMkdir(scratch, { recursive: true });
+	try {
+		await require_process_spawn_child.spawn(pythonBin, [
+			"-m",
+			"pip",
+			"download",
+			"--no-input",
+			"--quiet",
+			"--dest",
+			scratch,
+			spec
+		], {
+			shell: require_constants_platform.WIN32,
+			stdio: "inherit"
+		});
+		const files = (await node_fs.promises.readdir(scratch)).filter((f) => f.endsWith(".whl") || f.endsWith(".tar.gz") || f.endsWith(".tar.bz2") || f.endsWith(".zip") || f.endsWith(".tgz"));
+		if (!files.length) throw new PipPackagePinError(`resolvePipPackagePin: pip download ${spec} produced no artifacts in ${scratch}`);
+		const artifacts = [];
+		const targetName = normalizeDistName(specDistName(spec));
+		let top;
+		for (const file of files.toSorted()) {
+			const hash = require_integrity.computeHashes(await node_fs.promises.readFile(node_path.default.join(scratch, file)));
+			const parsed = parseArtifactFilename(file);
+			if (!parsed) throw new PipPackagePinError(`resolvePipPackagePin: could not parse name/version from artifact ${file}`);
+			artifacts.push({
+				checksum: hash.checksum,
+				file,
+				name: parsed.name,
+				version: parsed.version
+			});
+			if (!top && parsed.name === targetName) top = {
+				hash,
+				name: parsed.name,
+				version: parsed.version
+			};
+		}
+		if (!top) {
+			const first = artifacts[0];
+			top = {
+				hash: require_integrity.computeHashes(await node_fs.promises.readFile(node_path.default.join(scratch, first.file))),
+				name: first.name,
+				version: first.version
+			};
+		}
+		const requirements = artifacts.map((a) => `${a.name}==${a.version} --hash=sha256:${a.checksum}`).join("\n") + "\n";
+		return {
+			artifacts,
+			hash: top.hash,
+			name: top.name,
+			requirements,
+			version: top.version
+		};
+	} finally {
+		try {
+			await require_fs_safe.safeDelete(scratch, { force: true });
+		} catch {}
+	}
+}
+/**
+* Best-effort distribution name from a pip spec for matching the top-level
+* artifact: strips a `==`/`>=`/etc. version and a `git+...#egg=<name>`
+* fragment. Falls back to the raw spec when neither is present.
+*/
+function specDistName(spec) {
+	const eggIdx = spec.indexOf("#egg=");
+	if (eggIdx !== -1) return spec.slice(eggIdx + 5);
+	const match = /^([A-Za-z0-9._-]+)\s*(?:@|[=<>!~]=?)/.exec(spec);
+	return match ? match[1] : spec;
+}
+//#endregion
+exports.PipPackagePinError = PipPackagePinError;
+exports.normalizeDistName = normalizeDistName;
+exports.parseArtifactFilename = parseArtifactFilename;
+exports.resolvePipPackagePin = resolvePipPackagePin;
+exports.specDistName = specDistName;

package/dist/external-tools/python/pip-install.d.ts ADDED Viewed

@@ -0,0 +1,75 @@
+/**
+ * @file `downloadPipPackage()` — the Python mirror of `dlx/package.ts`'s
+ *   `downloadNpmPackage()`. Installs a pip spec into a content-addressed dlx
+ *   directory (`pip install --target <dir>`), leaving the interpreter pristine:
+ *   the package + its deps land in
+ *   `~/.socket/_dlx/<cacheKey(spec)>/site-packages`, the exact analog of how
+ *   `downloadNpmPackage` installs npm deps into
+ *   `<dlxDir>/<hash>/node_modules/`. This is the bundle-safe / SEA-VFS-safe
+ *   model:
+ *
+ *   - No venv → no symlinks, no `pyvenv.cfg` with an absolute `home=`.
+ *   - The target dir is plain files → embeddable in a SEA's VFS, relocatable at
+ *     runtime.
+ *   - One shared Python serves N isolated package dirs (true per-tool isolation
+ *     without a venv) — exactly the `node_modules`-per-cacheKey shape. Run the
+ *     installed tool with the package dir on `PYTHONPATH`: spawn(pythonBin,
+ *     ['-m', '<module>', ...args], { env: { ...process.env, PYTHONPATH:
+ *     packageDir } }) `spec` is a PyPI pin (`<pkg>==<version>`) or a git-SHA
+ *     pin (`git+https://…@<sha>`). A TOCTOU lock guards concurrent installs; an
+ *     existing non-empty package dir makes the call idempotent. Contrast
+ *     `createPipVenv` (external-tools/from-pip-venv): venv with a
+ *     `bin/<entryPoint>` — convenient but symlink + absolute-`home`-dependent,
+ *     so DLX-only and NOT bundleable.
+ */
+/**
+ * Install `spec` into a content-addressed dlx dir via `pip install --target`.
+ * Lock-guarded + idempotent. Throws on a failed pip install or if the lock
+ * can't be acquired after MAX_RETRIES. Mirrors `downloadNpmPackage`.
+ */
+export declare function downloadPipPackage(options: DownloadPipPackageOptions, retryCount?: number): Promise<DownloadPipPackageResult>;
+export declare function isAlreadyInstalled(packageDir: string): Promise<boolean>;
+export declare function isStaleLock(pid: number): boolean;
+export interface DownloadPipPackageOptions {
+    /**
+     * Optional sha256 hash (`sha256:<hex>` or bare `<hex>`) of the top-level
+     * artifact, the Python analog of `downloadNpmPackage`'s `hash`. When set, pip
+     * runs with `--require-hashes` and `--hash=sha256:<hex>`, which fails closed
+     * unless EVERY resolved artifact (the spec and its full dependency closure)
+     * carries a matching hash — so it only fits specs pip can hash-verify (a
+     * pinned `==<version>` or a direct wheel/sdist URL) with a hash-pinned
+     * closure. Omit it and rely on the immutable spec as the pin: `==<version>`
+     * (PyPI is immutable per version) or `@<full-sha>` (git is
+     * content-addressed).
+     */
+    readonly hash?: string | undefined;
+    /**
+     * Absolute path to the Python interpreter used to run pip (and later the
+     * tool). The interpreter is NOT modified — packages go to the dlx package
+     * dir. Typically from `resolvePython()`.
+     */
+    readonly pythonBin: string;
+    /**
+     * Pip install spec: `<pkg>==<version>` (PyPI exact pin) or
+     * `git+https://<url>@<sha>` (git-SHA pin).
+     */
+    readonly spec: string;
+}
+export interface DownloadPipPackageResult {
+    /**
+     * `true` when this call ran pip; `false` when an existing install was reused.
+     */
+    readonly installed: boolean;
+    /**
+     * Directory the package was installed into. Put this on `PYTHONPATH` to run
+     * the tool: `python -m <module>`. The Python analog of
+     * `DownloadNpmPackageResult.packageDir`.
+     */
+    readonly packageDir: string;
+}
+/**
+ * Content-addressed install dir for a spec:
+ * `~/.socket/_dlx/<cacheKey>/site-packages`. The Python analog of
+ * `downloadNpmPackage`'s `<hash>/node_modules`.
+ */
+export declare function pipPackageDir(spec: string): string;

package/dist/external-tools/python/pip-install.js ADDED Viewed

@@ -0,0 +1,142 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_runtime = require('../../_virtual/_rolldown/runtime.js');
+const require_constants_platform = require('../../constants/platform.js');
+const require_process_spawn_child = require('../../process/spawn/child.js');
+const require_paths_socket = require('../../paths/socket.js');
+const require_fs_safe = require('../../fs/safe.js');
+const require_dlx_cache = require('../../dlx/cache.js');
+let node_fs = require("node:fs");
+let node_process = require("node:process");
+node_process = require_runtime.__toESM(node_process);
+let node_path = require("node:path");
+node_path = require_runtime.__toESM(node_path);
+//#region src/external-tools/python/pip-install.ts
+/**
+* @file `downloadPipPackage()` — the Python mirror of `dlx/package.ts`'s
+*   `downloadNpmPackage()`. Installs a pip spec into a content-addressed dlx
+*   directory (`pip install --target <dir>`), leaving the interpreter pristine:
+*   the package + its deps land in
+*   `~/.socket/_dlx/<cacheKey(spec)>/site-packages`, the exact analog of how
+*   `downloadNpmPackage` installs npm deps into
+*   `<dlxDir>/<hash>/node_modules/`. This is the bundle-safe / SEA-VFS-safe
+*   model:
+*
+*   - No venv → no symlinks, no `pyvenv.cfg` with an absolute `home=`.
+*   - The target dir is plain files → embeddable in a SEA's VFS, relocatable at
+*     runtime.
+*   - One shared Python serves N isolated package dirs (true per-tool isolation
+*     without a venv) — exactly the `node_modules`-per-cacheKey shape. Run the
+*     installed tool with the package dir on `PYTHONPATH`: spawn(pythonBin,
+*     ['-m', '<module>', ...args], { env: { ...process.env, PYTHONPATH:
+*     packageDir } }) `spec` is a PyPI pin (`<pkg>==<version>`) or a git-SHA
+*     pin (`git+https://…@<sha>`). A TOCTOU lock guards concurrent installs; an
+*     existing non-empty package dir makes the call idempotent. Contrast
+*     `createPipVenv` (external-tools/from-pip-venv): venv with a
+*     `bin/<entryPoint>` — convenient but symlink + absolute-`home`-dependent,
+*     so DLX-only and NOT bundleable.
+*/
+const MAX_RETRIES = 3;
+const WAIT_TICKS = 30;
+/**
+* Install `spec` into a content-addressed dlx dir via `pip install --target`.
+* Lock-guarded + idempotent. Throws on a failed pip install or if the lock
+* can't be acquired after MAX_RETRIES. Mirrors `downloadNpmPackage`.
+*/
+async function downloadPipPackage(options, retryCount = 0) {
+	const { hash, pythonBin, spec } = {
+		__proto__: null,
+		...options
+	};
+	const packageDir = pipPackageDir(spec);
+	if (retryCount >= MAX_RETRIES) throw new Error(`downloadPipPackage: could not acquire install lock after ${MAX_RETRIES} retries for ${packageDir}; a peer may be stuck or the lock is stale — remove it and retry`);
+	if (await isAlreadyInstalled(packageDir)) return {
+		installed: false,
+		packageDir
+	};
+	const lockDir = node_path.default.dirname(packageDir);
+	await require_fs_safe.safeMkdir(lockDir, { recursive: true });
+	const lockFile = node_path.default.join(lockDir, ".installing");
+	try {
+		await node_fs.promises.writeFile(lockFile, node_process.default.pid.toString(), { flag: "wx" });
+	} catch (e) {
+		if (e.code !== "EEXIST") throw e;
+		let stale = false;
+		try {
+			stale = isStaleLock(Number.parseInt((await node_fs.promises.readFile(lockFile, "utf8")).trim(), 10));
+		} catch {
+			stale = true;
+		}
+		if (stale) {
+			await require_fs_safe.safeDelete(lockFile, { force: true });
+			return downloadPipPackage(options, retryCount + 1);
+		}
+		for (let i = 0; i < WAIT_TICKS; i += 1) {
+			await new Promise((resolve) => {
+				setTimeout(resolve, 1e3);
+			});
+			if (await isAlreadyInstalled(packageDir)) return {
+				installed: false,
+				packageDir
+			};
+		}
+		return downloadPipPackage(options, retryCount + 1);
+	}
+	try {
+		await require_fs_safe.safeMkdir(packageDir, { recursive: true });
+		const normalizedHash = hash ? hash.startsWith("sha256:") ? hash : `sha256:${hash}` : void 0;
+		await require_process_spawn_child.spawn(pythonBin, [
+			"-m",
+			"pip",
+			"install",
+			"--no-input",
+			"--quiet",
+			"--target",
+			packageDir,
+			...normalizedHash ? ["--require-hashes", `--hash=${normalizedHash}`] : [],
+			spec
+		], {
+			shell: require_constants_platform.WIN32,
+			stdio: "inherit"
+		});
+		if (!await isAlreadyInstalled(packageDir)) throw new Error(`downloadPipPackage: pip install --target ${packageDir} ${spec} reported success but the target is still empty`);
+		return {
+			installed: true,
+			packageDir
+		};
+	} finally {
+		await require_fs_safe.safeDelete(lockFile, { force: true });
+	}
+}
+async function isAlreadyInstalled(packageDir) {
+	try {
+		return (await node_fs.promises.readdir(packageDir)).length > 0;
+	} catch {
+		return false;
+	}
+}
+function isStaleLock(pid) {
+	if (Number.isNaN(pid) || pid <= 0) return true;
+	try {
+		node_process.default.kill(pid, 0);
+		return false;
+	} catch (e) {
+		return e.code !== "EPERM";
+	}
+}
+/**
+* Content-addressed install dir for a spec:
+* `~/.socket/_dlx/<cacheKey>/site-packages`. The Python analog of
+* `downloadNpmPackage`'s `<hash>/node_modules`.
+*/
+function pipPackageDir(spec) {
+	return node_path.default.join(require_paths_socket.getSocketDlxDir(), require_dlx_cache.generateCacheKey(spec), "site-packages");
+}
+//#endregion
+exports.downloadPipPackage = downloadPipPackage;
+exports.isAlreadyInstalled = isAlreadyInstalled;
+exports.isStaleLock = isStaleLock;
+exports.pipPackageDir = pipPackageDir;

package/dist/external-tools/python/resolve.d.ts ADDED Viewed

@@ -0,0 +1,42 @@
+/**
+ * @file `resolvePython()` — CPython resolution entry point. Tries each source
+ *   in order:
+ *
+ *   1. PATH — `python3` / `python` on the system PATH.
+ *   2. download — python-build-standalone CPython into the DLX cache (only when
+ *      `downloadIfMissing` is passed). Returns `undefined` if all enabled
+ *      sources miss. Memoized per option-shape so repeated calls in one process
+ *      don't re-probe / re-download. NOTE: unlike the JRE / removed-uv
+ *      resolvers there is no VFS tier here — a CPython runtime is not embedded
+ *      in the smol Node binary. Add a `from-vfs` tier here if that changes.
+ */
+import type { BinaryDownloader } from '../from-download';
+import type { HashSpec } from '../../integrity';
+import type { ResolvedPython } from './types';
+export interface ResolvePythonOptions {
+    /**
+     * Prefer a downloaded python-build-standalone over a PATH interpreter. Use
+     * when you need an exact, reproducible CPython (the host `python3` may be the
+     * wrong version). Default false: PATH wins when present.
+     */
+    preferDownload?: boolean | undefined;
+    /**
+     * When set, fall back to downloading python-build-standalone if no PATH
+     * interpreter is found (or always, with `preferDownload`).
+     */
+    downloadIfMissing?: {
+        version: string;
+        tag: string;
+        /**
+         * Omit to auto-detect the current host via {@link getPythonArch}.
+         */
+        arch?: string | undefined;
+        integrity?: HashSpec | undefined;
+        cacheDir?: string | undefined;
+        downloader?: BinaryDownloader | undefined;
+    } | undefined;
+}
+export declare function cacheKey(options: ResolvePythonOptions | undefined): string;
+export declare function doResolvePython(options?: ResolvePythonOptions | undefined): Promise<ResolvedPython | undefined>;
+export declare function resetPythonResolution(): void;
+export declare function resolvePython(options?: ResolvePythonOptions | undefined): Promise<ResolvedPython | undefined>;