@socketsecurity/lib 6.0.6 → 6.0.8

package/dist/releases/socket-btm.js

@@ -7,6 +7,7 @@ const require_node_fs = require('../node/fs.js');
 const require_releases_github_asset_url = require('./github-asset-url.js');
 const require_releases_github_listing = require('./github-listing.js');
 const require_releases_github_downloads = require('./github-downloads.js');
+const require_releases_socket_btm_binary_naming = require('./socket-btm-binary-naming.js');
 
 //#region src/releases/socket-btm.ts
 /**
@@ -20,26 +21,6 @@ const SOCKET_BTM_REPO = {
 	repo: "socket-btm"
 };
 /**
-* Map Node.js platform to socket-btm asset platform naming. Identity mapping:
-* asset names use `process.platform` verbatim (`darwin`, `linux`, `win32`) to
-* align with pnpm's pack-app, the `--os` / `supportedArchitectures.os` config
-* keys, and the `@pnpm/exe.<os>-<arch>` package convention.
-*/
-const PLATFORM_MAP = {
-	__proto__: null,
-	darwin: "darwin",
-	linux: "linux",
-	win32: "win32"
-};
-/**
-* Map Node.js arch to socket-btm asset arch naming.
-*/
-const ARCH_MAP = {
-	__proto__: null,
-	arm64: "arm64",
-	x64: "x64"
-};
-/**
 * Detect the libc variant (musl or glibc) on Linux systems. Returns undefined
 * for non-Linux platforms.
 *
@@ -53,17 +34,21 @@ const ARCH_MAP = {
 */
 function detectLibc() {
 	/* c8 ignore next 3 */
-	if (require_constants_platform.getPlatform() !== "linux") return;
+	if (require_constants_platform.getOs() !== "linux") return;
 	/* c8 ignore start - Linux-only musl/glibc detection; tested on
 	Linux runners. macOS/Windows runners take the early-return above. */
 	try {
-		const fs = /* @__PURE__ */ require_node_fs.getNodeFs();
-		for (const path of [
+		const fs = require_node_fs.getNodeFs();
+		const muslPaths = [
 			"/lib/ld-musl-x86_64.so.1",
 			"/lib/ld-musl-aarch64.so.1",
 			"/usr/lib/ld-musl-x86_64.so.1",
 			"/usr/lib/ld-musl-aarch64.so.1"
-		]) if (fs.existsSync(path)) return "musl";
+		];
+		for (let i = 0, { length } = muslPaths; i < length; i += 1) {
+			const path = muslPaths[i];
+			if (fs.existsSync(path)) return "musl";
+		}
 		return "glibc";
 	} catch {
 		return "glibc";
@@ -127,14 +112,14 @@ async function downloadSocketBtmRelease(tool, options) {
 			removeMacOSQuarantine
 		};
 	} else {
-		const { bin, libc = detectLibc(), removeMacOSQuarantine = true, targetArch = require_constants_platform.getArch(), targetPlatform = require_constants_platform.getPlatform() } = {
+		const { bin, libc = detectLibc(), removeMacOSQuarantine = true, targetArch = require_constants_platform.getArch(), targetPlatform = require_constants_platform.getOs() } = {
 			__proto__: null,
 			...options
 		};
 		const baseName = bin || tool;
-		const assetName = getBinaryAssetName(baseName, targetPlatform, targetArch, libc);
-		const platformArch = getPlatformArch(targetPlatform, targetArch, libc);
-		const binaryName = getBinaryName(baseName, targetPlatform);
+		const assetName = require_releases_socket_btm_binary_naming.getBinaryAssetName(baseName, targetPlatform, targetArch, libc);
+		const platformArch = require_releases_socket_btm_binary_naming.getPlatformArch(targetPlatform, targetArch, libc);
+		const binaryName = require_releases_socket_btm_binary_naming.getBinaryName(baseName, targetPlatform);
 		downloadConfig = {
 			owner: SOCKET_BTM_REPO.owner,
 			repo: SOCKET_BTM_REPO.repo,
@@ -152,139 +137,11 @@ async function downloadSocketBtmRelease(tool, options) {
 	}
 	return await require_releases_github_downloads.downloadGitHubRelease(downloadConfig);
 }
-/**
-* Get asset name for a socket-btm binary.
-*
-* @example
-*   ;```typescript
-*   getBinaryAssetName('lief', 'linux', 'x64', 'musl')
-*   // 'lief-linux-x64-musl'
-*   ```
-*
-* @param binaryBaseName - Binary basename (e.g., 'binject', 'node')
-* @param platform - Target platform.
-* @param arch - Target architecture.
-* @param libc - Linux libc variant (optional)
-*
-* @returns Asset name (e.g., 'binject-darwin-arm64', 'node-linux-x64-musl')
-*/
-function getBinaryAssetName(binaryBaseName, platform, arch, libc) {
-	const mappedArch = ARCH_MAP[arch];
-	if (!mappedArch) throw new require_primordials_error.ErrorCtor(`Unsupported architecture: ${arch}`);
-	const muslSuffix = platform === "linux" && libc === "musl" ? "-musl" : "";
-	const ext = platform === "win32" ? ".exe" : "";
-	if (platform === "darwin") return `${binaryBaseName}-darwin-${mappedArch}${ext}`;
-	if (platform === "linux") return `${binaryBaseName}-linux-${mappedArch}${muslSuffix}${ext}`;
-	if (platform === "win32") return `${binaryBaseName}-win32-${mappedArch}${ext}`;
-	throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${platform}`);
-}
-/**
-* Get binary filename for output.
-*
-* @example
-*   ;```typescript
-*   getBinaryName('node', 'win32') // 'node.exe'
-*   getBinaryName('node', 'linux') // 'node'
-*   ```
-*
-* @param binaryBaseName - Binary basename (e.g., 'node', 'binject')
-* @param platform - Target platform.
-*
-* @returns Binary filename (e.g., 'node', 'node.exe')
-*/
-function getBinaryName(binaryBaseName, platform) {
-	return platform === "win32" ? `${binaryBaseName}.exe` : binaryBaseName;
-}
-/**
-* Lazily load the fs module to avoid Webpack errors. Uses non-'node:' prefixed
-* require to prevent Webpack bundling issues.
-*
-* @private
-*/
-/**
-* Get platform-arch identifier for directory structure and asset names.
-*
-* # Format: `<os>-<arch>[-<libc>]`
-*
-* The OS segment is `process.platform` verbatim: `darwin` / `linux` / `win32`.
-* The arch segment is `process.arch` verbatim: `x64` / `arm64`. The optional
-* libc suffix is `-musl` (Linux only; the glibc default is unsuffixed to match
-* Node.js's own linuxstatic convention).
-*
-* # Why these specific conventions
-*
-* ## Why `win32`, not `win`
-*
-* `win32` is what `process.platform` returns on every Windows host. Every npm
-* package whose install-time platform filter uses the standard `os` / `cpu` /
-* `libc` manifest fields must match `process.platform` strings exactly (npm
-* compares them verbatim — there's no shorthand layer). Using `win` internally
-* here would have forced a translation every time we constructed an install
-* filter or a target triple, and reviewers would have to remember "we
-* abbreviate on disk but not in package filters." Since the two now match,
-* there's no translation step to get wrong.
-*
-* Pnpm's pack-app (v11+) accepts `<os>-<arch>[-<libc>]` target strings and its
-* shards are `@pnpm/exe.<os>-<arch>` (with `win32`, not `win` — see
-* pnpm#11314). Our naming matches so asset names we emit can flow directly into
-* pack-app's `--target` arg, `pnpm.app.targets` config, and
-* sibling-package-name construction without a translation map.
-*
-* ## Why `-musl` is the suffix (and glibc is unsuffixed)
-*
-* Node.js's own linuxstatic tarballs historically used the unqualified `linux`
-* for glibc and a separate download channel for musl. The pnpm ecosystem
-* codified that as `linux-<arch>` (glibc, default) and `linux-<arch>-musl` (the
-* libc outlier), matching the asymmetric reality of Linux distros — glibc is
-* the majority case, musl is Alpine-and-similar. Adding `-glibc` for the
-* default would be redundant noise in the name.
-*
-* ## Why libc is only appended for Linux
-*
-* MacOS and Windows have exactly one system libc each (Apple libSystem,
-* Microsoft UCRT). A hypothetical `darwin-arm64-libsystem` conveys no
-* information. Node.js, npm, and pnpm all treat libc as a Linux-only axis; we
-* follow the same convention so callers don't have to special- case
-* `'darwin-arm64'.startsWith('darwin-arm64')` style matches.
-*
-* ## Why this function exists at all (vs. inlining)
-*
-* Two upstream APIs that socket-btm consumers end up calling — the npm manifest
-* filter (`os`/`cpu`/`libc`) and pnpm's pack-app `--target` — both need the
-* exact same triple format. Centralizing the construction here means a future
-* schema change (e.g. Node introducing `riscv64`) gets one edit, and the error
-* message for an unsupported platform is uniform across downloaders, pack-app
-* invocations, and the `@socketbin/*` resolver logic.
-*
-* @example
-*   ;```typescript
-*   getPlatformArch('linux', 'x64', 'musl') // 'linux-x64-musl'
-*   getPlatformArch('darwin', 'arm64') // 'darwin-arm64'
-*   getPlatformArch('win32', 'x64') // 'win32-x64'
-*   getPlatformArch('darwin', 'x64', 'musl') // 'darwin-x64' — libc ignored
-*   ```
-*
-* @param platform - Target platform.
-* @param arch - Target architecture.
-* @param libc - Linux libc variant (optional; non-linux platforms ignore)
-*
-* @returns Platform-arch identifier (e.g., 'darwin-arm64', 'linux-x64-musl',
-*   'win32-x64')
-*/
-function getPlatformArch(platform, arch, libc) {
-	/* c8 ignore start */
-	const mappedPlatform = PLATFORM_MAP[platform];
-	if (!mappedPlatform) throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${platform}`);
-	const mappedArch = ARCH_MAP[arch];
-	if (!mappedArch) throw new require_primordials_error.ErrorCtor(`Unsupported architecture: ${arch}`);
-	return `${mappedPlatform}-${mappedArch}${platform === "linux" && libc === "musl" ? "-musl" : ""}`;
-	/* c8 ignore stop */
-}
 
 //#endregion
 exports.SOCKET_BTM_REPO = SOCKET_BTM_REPO;
 exports.detectLibc = detectLibc;
 exports.downloadSocketBtmRelease = downloadSocketBtmRelease;
-exports.getBinaryAssetName = getBinaryAssetName;
-exports.getBinaryName = getBinaryName;
-exports.getPlatformArch = getPlatformArch;
+exports.getBinaryAssetName = require_releases_socket_btm_binary_naming.getBinaryAssetName;
+exports.getBinaryName = require_releases_socket_btm_binary_naming.getBinaryName;
+exports.getPlatformArch = require_releases_socket_btm_binary_naming.getPlatformArch;

package/dist/schema/types.d.ts

@@ -24,7 +24,7 @@ export interface ParseResult<T> {
     /**
      * Error information (only present when `success` is `false`)
      */
-    error?: unknown;
+    error?: unknown | undefined;
 }
 /**
  * Zod-shaped duck-type for any validator exposing `safeParse` / `parse`.
@@ -62,7 +62,7 @@ export interface Schema<T = unknown> {
  *
  * @internal
  */
-interface ZodV4LikeSchema<O = unknown> {
+export interface ZodV4LikeSchema<O = unknown> {
     _zod: {
         output: O;
     };
@@ -74,7 +74,7 @@ interface ZodV4LikeSchema<O = unknown> {
  *
  * @internal
  */
-interface ZodV3LikeSchema<O = unknown> {
+export interface ZodV3LikeSchema<O = unknown> {
     _output: O;
     safeParse(data: unknown): unknown;
 }
@@ -85,7 +85,7 @@ interface ZodV3LikeSchema<O = unknown> {
  *
  * @internal
  */
-interface TypeBoxLikeSchema {
+export interface TypeBoxLikeSchema {
     static: unknown;
 }
 /**
@@ -130,4 +130,3 @@ export type ValidateResult<T> = {
     ok: false;
     errors: ValidationIssue[];
 };
-export {};

package/dist/schema/validate.js

@@ -3,8 +3,8 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_error = require('../primordials/error.js');
 const require_primordials_number = require('../primordials/number.js');
-const require_primordials_array = require('../primordials/array.js');
 const require_primordials_object = require('../primordials/object.js');
+const require_primordials_array = require('../primordials/array.js');
 
 //#region src/schema/validate.ts
 /**

package/dist/sea/detect.js

@@ -23,7 +23,7 @@ node_process = require_runtime.__toESM(node_process);
 /**
 * Cached SEA detection result.
 */
-let _isSea;
+let isSeaCache;
 /**
 * Get the current SEA binary path. Only valid when running as a SEA binary.
 *
@@ -36,7 +36,7 @@ let _isSea;
 *   ```
 */
 function getSeaBinaryPath() {
-	return isSeaBinary() && node_process.default.argv[0] ? /* @__PURE__ */ require_paths_normalize.normalizePath(node_process.default.argv[0]) : void 0;
+	return isSeaBinary() && node_process.default.argv[0] ? require_paths_normalize.normalizePath(node_process.default.argv[0]) : void 0;
 }
 /**
 * Detect if the current process is running as a SEA binary. Uses Node.js 24+
@@ -50,12 +50,12 @@ function getSeaBinaryPath() {
 *   ```
 */
 function isSeaBinary() {
-	if (_isSea === void 0) try {
-		_isSea = require("node:sea").isSea();
+	if (isSeaCache === void 0) try {
+		isSeaCache = require("node:sea").isSea();
 	} catch {
-		_isSea = false;
+		isSeaCache = false;
 	}
-	return _isSea ?? false;
+	return isSeaCache ?? false;
 }
 
 //#endregion

package/dist/secrets/_internal.d.ts

@@ -2,8 +2,8 @@
  * @file Private internals for `secrets/` — process-scoped read cache for the
  *   keychain backend. Underscore-prefixed and skipped by the export generator
  *   (`dist/**\/_*` ignore pattern in
- *   `scripts/fix/generate-package-exports.mts`) so this module is NOT part of
- *   the public API surface. Imported by `./keychain.ts`. Every `readSecret`
+ *   `scripts/post-build/make-package-exports.mts`) so this module is NOT part
+ *   of the public API surface. Imported by `./keychain.ts`. Every `readSecret`
  *   call shells out to the OS credential CLI (`security`, `secret-tool`,
  *   PowerShell). On macOS, the first read of a given entry by a new binary path
  *   triggers a Keychain auth prompt unless the entry was written with `-A -T

package/dist/secrets/_internal.js

@@ -8,8 +8,8 @@ const require_primordials_map_set = require('../primordials/map-set.js');
 * @file Private internals for `secrets/` — process-scoped read cache for the
 *   keychain backend. Underscore-prefixed and skipped by the export generator
 *   (`dist/**\/_*` ignore pattern in
-*   `scripts/fix/generate-package-exports.mts`) so this module is NOT part of
-*   the public API surface. Imported by `./keychain.ts`. Every `readSecret`
+*   `scripts/post-build/make-package-exports.mts`) so this module is NOT part
+*   of the public API surface. Imported by `./keychain.ts`. Every `readSecret`
 *   call shells out to the OS credential CLI (`security`, `secret-tool`,
 *   PowerShell). On macOS, the first read of a given entry by a new binary path
 *   triggers a Keychain auth prompt unless the entry was written with `-A -T

package/dist/secrets/compare.d.ts

@@ -0,0 +1,45 @@
+/**
+ * @file Constant-time secret comparison. Wraps Node's `crypto.timingSafeEqual`
+ *   so every secret comparison in the codebase runs through one helper that
+ *   refuses to short-circuit on the first mismatched byte. Why this matters:
+ *
+ *   - `===` / `!==` on JS strings short-circuits at the first byte mismatch. An
+ *     attacker who can measure server response time can binary-search the
+ *     secret one byte at a time: `'a000...'`, `'b000...'`, … until the response
+ *     slows down at the right first byte, then on to byte 2. Same trap for
+ *     `Buffer.compare` and `==`.
+ *   - `crypto.timingSafeEqual` runs in O(n) regardless of where the first
+ *     mismatch is. Each iteration is the same cost so the timing channel
+ *     carries no information about which byte mismatched. Use whenever
+ *     comparing two values that include a secret (session token, API key, MAC,
+ *     expected-hash). Don't use for path strings or other non-secret
+ *     comparisons — `===` is fine there and faster. Patterned after pilcrow's
+ *     `crypto.go::constantTimeCompare`, the canonical shape in
+ *     passwordless-example.auth.pilcrowonpaper.com — wrap once, use everywhere,
+ *     never byte-compare a secret directly.
+ */
+/**
+ * Compare two secrets in constant time. Returns `true` when the inputs are
+ * byte-equal. Returns `false` when they differ **or** when the byte-lengths
+ * differ. Never throws.
+ *
+ * Length mismatch handling: `timingSafeEqual` itself throws on length mismatch
+ * (it can't preserve the timing-safety contract across differently- sized
+ * buffers). We catch that and return `false` so callers don't need a length
+ * pre-check.
+ *
+ * @example
+ *   ;```typescript
+ *   import { compareSecrets } from '@socketsecurity/lib/secrets/compare'
+ *
+ *   if (!compareSecrets(presentedToken, storedToken)) {
+ *     throw new Error('invalid token')
+ *   }
+ *   ```
+ *
+ * @param a - First secret (string or Buffer).
+ * @param b - Second secret (string or Buffer).
+ *
+ * @returns `true` when `a` and `b` are byte-equal; `false` otherwise.
+ */
+export declare function compareSecrets(a: Buffer | string, b: Buffer | string): boolean;

package/dist/secrets/compare.js

@@ -0,0 +1,61 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_runtime = require('../_virtual/_rolldown/runtime.js');
+let node_crypto = require("node:crypto");
+node_crypto = require_runtime.__toESM(node_crypto);
+
+//#region src/secrets/compare.ts
+/**
+* @file Constant-time secret comparison. Wraps Node's `crypto.timingSafeEqual`
+*   so every secret comparison in the codebase runs through one helper that
+*   refuses to short-circuit on the first mismatched byte. Why this matters:
+*
+*   - `===` / `!==` on JS strings short-circuits at the first byte mismatch. An
+*     attacker who can measure server response time can binary-search the
+*     secret one byte at a time: `'a000...'`, `'b000...'`, … until the response
+*     slows down at the right first byte, then on to byte 2. Same trap for
+*     `Buffer.compare` and `==`.
+*   - `crypto.timingSafeEqual` runs in O(n) regardless of where the first
+*     mismatch is. Each iteration is the same cost so the timing channel
+*     carries no information about which byte mismatched. Use whenever
+*     comparing two values that include a secret (session token, API key, MAC,
+*     expected-hash). Don't use for path strings or other non-secret
+*     comparisons — `===` is fine there and faster. Patterned after pilcrow's
+*     `crypto.go::constantTimeCompare`, the canonical shape in
+*     passwordless-example.auth.pilcrowonpaper.com — wrap once, use everywhere,
+*     never byte-compare a secret directly.
+*/
+/**
+* Compare two secrets in constant time. Returns `true` when the inputs are
+* byte-equal. Returns `false` when they differ **or** when the byte-lengths
+* differ. Never throws.
+*
+* Length mismatch handling: `timingSafeEqual` itself throws on length mismatch
+* (it can't preserve the timing-safety contract across differently- sized
+* buffers). We catch that and return `false` so callers don't need a length
+* pre-check.
+*
+* @example
+*   ;```typescript
+*   import { compareSecrets } from '@socketsecurity/lib/secrets/compare'
+*
+*   if (!compareSecrets(presentedToken, storedToken)) {
+*     throw new Error('invalid token')
+*   }
+*   ```
+*
+* @param a - First secret (string or Buffer).
+* @param b - Second secret (string or Buffer).
+*
+* @returns `true` when `a` and `b` are byte-equal; `false` otherwise.
+*/
+function compareSecrets(a, b) {
+	const ab = typeof a === "string" ? Buffer.from(a, "utf8") : a;
+	const bb = typeof b === "string" ? Buffer.from(b, "utf8") : b;
+	if (ab.length !== bb.length) return false;
+	return node_crypto.default.timingSafeEqual(ab, bb);
+}
+
+//#endregion
+exports.compareSecrets = compareSecrets;

package/dist/secrets/find.d.ts

@@ -71,9 +71,9 @@ export declare function readEnv(name: string): string | undefined;
  * `undefined` when neither source has the value — the caller's signal to prompt
  * the user or surface a setup hint.
  */
-export declare function resolve(opts: ResolveOptions): Promise<ResolveResult | undefined>;
+export declare function resolve(options: ResolveOptions): Promise<ResolveResult | undefined>;
 /**
  * Sync variant for non-async callers (hook initializers, schema validators that
  * run before any `await` machinery exists).
  */
-export declare function resolveSync(opts: ResolveOptions): ResolveResult | undefined;
+export declare function resolveSync(options: ResolveOptions): ResolveResult | undefined;

package/dist/secrets/find.js

@@ -42,8 +42,11 @@ function readEnv(name) {
 * `undefined` when neither source has the value — the caller's signal to prompt
 * the user or surface a setup hint.
 */
-async function resolve(opts) {
-	const { accounts, allowEnvOnly, service } = opts;
+async function resolve(options) {
+	const { accounts, allowEnvOnly, service } = {
+		__proto__: null,
+		...options
+	};
 	for (let i = 0, { length } = accounts; i < length; i += 1) {
 		const account = accounts[i];
 		const fromEnv = readEnv(account);
@@ -71,8 +74,11 @@ async function resolve(opts) {
 * Sync variant for non-async callers (hook initializers, schema validators that
 * run before any `await` machinery exists).
 */
-function resolveSync(opts) {
-	const { accounts, allowEnvOnly, service } = opts;
+function resolveSync(options) {
+	const { accounts, allowEnvOnly, service } = {
+		__proto__: null,
+		...options
+	};
 	for (let i = 0, { length } = accounts; i < length; i += 1) {
 		const account = accounts[i];
 		const fromEnv = readEnv(account);

package/dist/secrets/keychain.d.ts

@@ -46,7 +46,7 @@ export declare function deleteSecretFromSlotsSync({ service, accounts, }: Delete
 export declare function deleteSecretSync({ service, account, }: DeleteOptions): 'removed' | 'absent';
 export type { BackendAvailability, SecretDeleteResult, SecretWriteResult, } from './types';
 export type { SecretSlot } from './types';
-type Platform = 'darwin' | 'linux' | 'win32' | 'other';
+export type Platform = 'darwin' | 'linux' | 'win32' | 'other';
 /**
  * Resolve the current OS to one of our four backend categories.
  *

package/dist/secrets/keychain.js

@@ -1,12 +1,14 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+const require_runtime = require('../_virtual/_rolldown/runtime.js');
 const require_primordials_error = require('../primordials/error.js');
 const require_secrets__internal = require('./_internal.js');
 const require_secrets_macos = require('./macos.js');
 const require_secrets_linux = require('./linux.js');
 const require_secrets_windows = require('./windows.js');
 let node_os = require("node:os");
+node_os = require_runtime.__toESM(node_os);
 
 //#region src/secrets/keychain.ts
 /**
@@ -118,7 +120,7 @@ function deleteSecretSync({ service, account }) {
 * @internal
 */
 function detectPlatform() {
-	const p = (0, node_os.platform)();
+	const p = node_os.default.platform();
 	if (p === "darwin" || p === "linux" || p === "win32") return p;
 	return "other";
 }
@@ -150,7 +152,7 @@ function getBackendAvailability() {
 		default: return {
 			available: false,
 			toolName: "n/a",
-			installHint: `Platform ${(0, node_os.platform)()} is not supported.`
+			installHint: `Platform ${node_os.default.platform()} is not supported.`
 		};
 	}
 }
@@ -231,7 +233,7 @@ function readSecretSync({ service, account }) {
 async function writeSecret({ service, account, value, label }) {
 	if (!value || typeof value !== "string") throw new require_primordials_error.TypeErrorCtor("writeSecret: value must be a non-empty string");
 	const platform_ = detectPlatform();
-	if (platform_ === "other") throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${(0, node_os.platform)()}. Secret storage requires macOS, Linux, or Windows.`);
+	if (platform_ === "other") throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${node_os.default.platform()}. Secret storage requires macOS, Linux, or Windows.`);
 	if (await readSecret({
 		service,
 		account
@@ -254,7 +256,7 @@ async function writeSecret({ service, account, value, label }) {
 function writeSecretSync({ service, account, value, label }) {
 	if (!value || typeof value !== "string") throw new require_primordials_error.TypeErrorCtor("writeSecret: value must be a non-empty string");
 	const platform_ = detectPlatform();
-	if (platform_ === "other") throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${(0, node_os.platform)()}. Secret storage requires macOS, Linux, or Windows.`);
+	if (platform_ === "other") throw new require_primordials_error.ErrorCtor(`Unsupported platform: ${node_os.default.platform()}. Secret storage requires macOS, Linux, or Windows.`);
 	if (readSecretSync({
 		service,
 		account