@socketsecurity/lib 6.0.6 → 6.0.8

package/dist/secrets/linux.js

@@ -3,7 +3,7 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_error = require('../primordials/error.js');
 const require_primordials_promise = require('../primordials/promise.js');
-let node_child_process = require("node:child_process");
+let _socketsecurity_lib_stable_process_spawn_child = require("@socketsecurity/lib-stable/process/spawn/child");
 
 //#region src/secrets/linux.ts
 /**
@@ -22,19 +22,19 @@ let node_child_process = require("node:child_process");
 const SECRET_TOOL_BIN = "secret-tool";
 async function deleteLinux(service, account) {
 	return new require_primordials_promise.PromiseCtor((resolve) => {
-		const child = (0, node_child_process.spawn)(SECRET_TOOL_BIN, [
+		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
 			"clear",
 			"service",
 			service,
 			"user",
 			account
 		], { stdio: "ignore" });
-		child.on("error", () => resolve("absent"));
-		child.on("close", (status) => resolve(status === 0 ? "removed" : "absent"));
+		cp.on("error", () => resolve("absent"));
+		cp.on("close", (status) => resolve(status === 0 ? "removed" : "absent"));
 	});
 }
 function deleteLinuxSync(service, account) {
-	return (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, [
+	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
 		"clear",
 		"service",
 		service,
@@ -43,38 +43,31 @@ function deleteLinuxSync(service, account) {
 	], { stdio: "ignore" }).status === 0 ? "removed" : "absent";
 }
 function isLinuxBackendAvailable() {
-	return (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, ["--version"], { stdio: "ignore" }).status === 0;
+	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, ["--version"], { stdio: "ignore" }).status === 0;
 }
 async function readLinux(service, account) {
-	return new require_primordials_promise.PromiseCtor((resolve) => {
-		const child = (0, node_child_process.spawn)(SECRET_TOOL_BIN, [
+	try {
+		const r = await (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
 			"lookup",
 			"service",
 			service,
 			"user",
 			account
-		], { stdio: [
-			"ignore",
-			"pipe",
-			"pipe"
-		] });
-		let stdout = "";
-		child.stdout.setEncoding("utf8");
-		child.stdout.on("data", (chunk) => {
-			stdout += chunk;
-		});
-		child.on("error", () => resolve(void 0));
-		child.on("close", (status) => {
-			if (status !== 0) {
-				resolve(void 0);
-				return;
-			}
-			resolve(stdout.trim() || void 0);
+		], {
+			stdio: [
+				"ignore",
+				"pipe",
+				"pipe"
+			],
+			stdioString: true
 		});
-	});
+		return String(r.stdout ?? "").trim() || void 0;
+	} catch {
+		return;
+	}
 }
 function readLinuxSync(service, account) {
-	const r = (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
 		"lookup",
 		"service",
 		service,
@@ -92,37 +85,32 @@ function readLinuxSync(service, account) {
 	return r.stdout.trim() || void 0;
 }
 async function writeLinux(service, account, value, label) {
-	return new require_primordials_promise.PromiseCtor((resolve, reject) => {
-		const child = (0, node_child_process.spawn)(SECRET_TOOL_BIN, [
-			"store",
-			`--label=${label}`,
-			"service",
-			service,
-			"user",
-			account
-		], { stdio: [
+	const hint = "Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.";
+	const child = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
+		"store",
+		`--label=${label}`,
+		"service",
+		service,
+		"user",
+		account
+	], {
+		stdio: [
 			"pipe",
 			"pipe",
 			"pipe"
-		] });
-		let stderr = "";
-		child.stderr.setEncoding("utf8");
-		child.stderr.on("data", (chunk) => {
-			stderr += chunk;
-		});
-		child.on("error", (err) => reject(/* @__PURE__ */ new Error(`secret-tool store failed: ${err.message}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`)));
-		child.on("close", (status) => {
-			if (status === 0) {
-				resolve();
-				return;
-			}
-			reject(/* @__PURE__ */ new Error(`secret-tool store failed (status=${status}, user=${account}): ${stderr.trim()}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`));
-		});
-		child.stdin.end(value);
+		],
+		stdioString: true
 	});
+	child.process.stdin.end(value);
+	try {
+		await child;
+	} catch (e) {
+		const err = e;
+		throw new require_primordials_error.ErrorCtor(`secret-tool store failed (status=${typeof err?.code === "number" ? err.code : -1}, user=${account}): ${String(err?.stderr ?? err?.message ?? "").trim()}. ${hint}`);
+	}
 }
 function writeLinuxSync(service, account, value, label) {
-	const r = (0, node_child_process.spawnSync)(SECRET_TOOL_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
 		"store",
 		`--label=${label}`,
 		"service",

package/dist/secrets/macos.d.ts

@@ -23,8 +23,8 @@ export declare function deleteMacOSSync(service: string, account: string): 'remo
 export declare function isMacOSBackendAvailable(): boolean;
 export declare function readMacOS(service: string, account: string): Promise<string | undefined>;
 export declare function readMacOSSync(service: string, account: string): string | undefined;
-interface SpawnOpts {
-    stdio?: 'ignore' | 'pipe' | ['ignore', 'pipe', 'pipe'];
+export interface SpawnOpts {
+    stdio?: 'ignore' | 'pipe' | ['ignore', 'pipe', 'pipe'] | undefined;
 }
 export declare function runAsync(args: readonly string[], opts?: SpawnOpts): Promise<{
     status: number | null;
@@ -33,4 +33,3 @@ export declare function runAsync(args: readonly string[], opts?: SpawnOpts): Pro
 }>;
 export declare function writeMacOS(service: string, account: string, value: string, label: string): Promise<void>;
 export declare function writeMacOSSync(service: string, account: string, value: string, label: string): void;
-export {};

package/dist/secrets/macos.js

@@ -2,8 +2,7 @@
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_error = require('../primordials/error.js');
-const require_primordials_promise = require('../primordials/promise.js');
-let node_child_process = require("node:child_process");
+let _socketsecurity_lib_stable_process_spawn_child = require("@socketsecurity/lib-stable/process/spawn/child");
 
 //#region src/secrets/macos.ts
 /**
@@ -37,7 +36,7 @@ async function deleteMacOS(service, account) {
 	], { stdio: "ignore" })).status === 0 ? "removed" : "absent";
 }
 function deleteMacOSSync(service, account) {
-	return (0, node_child_process.spawnSync)(SECURITY_BIN, [
+	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECURITY_BIN, [
 		"delete-generic-password",
 		"-s",
 		service,
@@ -61,7 +60,7 @@ async function readMacOS(service, account) {
 	return r.stdout.trim() || void 0;
 }
 function readMacOSSync(service, account) {
-	const r = (0, node_child_process.spawnSync)(SECURITY_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECURITY_BIN, [
 		"find-generic-password",
 		"-s",
 		service,
@@ -79,38 +78,30 @@ function readMacOSSync(service, account) {
 	if (r.status !== 0) return;
 	return r.stdout.trim() || void 0;
 }
-function runAsync(args, opts = {}) {
-	return new require_primordials_promise.PromiseCtor((resolve) => {
-		const child = (0, node_child_process.spawn)(SECURITY_BIN, args, { stdio: opts.stdio ?? [
+async function runAsync(args, opts = {}) {
+	const child = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECURITY_BIN, args, {
+		stdio: opts.stdio ?? [
 			"ignore",
 			"pipe",
 			"pipe"
-		] });
-		let stdout = "";
-		let stderr = "";
-		if (child.stdout) {
-			child.stdout.setEncoding("utf8");
-			child.stdout.on("data", (chunk) => {
-				stdout += chunk;
-			});
-		}
-		if (child.stderr) {
-			child.stderr.setEncoding("utf8");
-			child.stderr.on("data", (chunk) => {
-				stderr += chunk;
-			});
-		}
-		child.on("error", () => resolve({
-			status: -1,
-			stdout,
-			stderr
-		}));
-		child.on("close", (status) => resolve({
-			status,
-			stdout,
-			stderr
-		}));
+		],
+		stdioString: true
 	});
+	try {
+		const r = await child;
+		return {
+			status: typeof r.code === "number" ? r.code : null,
+			stderr: String(r.stderr ?? ""),
+			stdout: String(r.stdout ?? "")
+		};
+	} catch (e) {
+		const err = e;
+		return {
+			status: typeof err?.code === "number" ? err.code : -1,
+			stderr: String(err?.stderr ?? ""),
+			stdout: String(err?.stdout ?? "")
+		};
+	}
 }
 async function writeMacOS(service, account, value, label) {
 	const r = await runAsync([
@@ -133,7 +124,7 @@ async function writeMacOS(service, account, value, label) {
 	if (r.status !== 0) throw new require_primordials_error.ErrorCtor(`security(1) add-generic-password failed (status=${r.status}, account=${account}): ${r.stderr.trim()}`);
 }
 function writeMacOSSync(service, account, value, label) {
-	const r = (0, node_child_process.spawnSync)(SECURITY_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECURITY_BIN, [
 		"add-generic-password",
 		"-U",
 		"-A",

package/dist/secrets/rc.d.ts

@@ -37,7 +37,7 @@
  *   non-interactive shells (Claude Code, IDE plugins, CI runners) skip .zshrc
  *   and would miss the export.
  */
-export declare function buildBlock(opts: WriteOptions): {
+export declare function buildBlock(options: WriteOptions): {
     begin: string;
     end: string;
     body: string;
@@ -67,7 +67,7 @@ export interface WriteOptions {
      * "Rotate via: my-installer --rotate"). Each entry is prefixed with `# `
      * automatically.
      */
-    notes?: readonly string[];
+    notes?: readonly string[] | undefined;
     /**
      * Legacy sentinel BEGIN strings to sweep before writing the new block. Used
      * during a rename/migration so an older managed block is removed rather than
@@ -75,7 +75,7 @@ export interface WriteOptions {
      * tolerates any line endings up to the matching END (same prefix with `END`
      * replacing `BEGIN`).
      */
-    legacySentinels?: readonly string[];
+    legacySentinels?: readonly string[] | undefined;
     /**
      * Override the auto-detected shell. By default the helper reads `$SHELL` and
      * targets the matching rc file:
@@ -126,7 +126,7 @@ export declare function shellSingleQuote(value: string): string;
  * `shell` and `rcPath` override the auto-detected target — useful for chezmoi /
  * dotfile-manager users or installers running under a non-default shell.
  */
-export declare function write(opts: WriteOptions): WriteResult;
+export declare function write(options: WriteOptions): WriteResult;
 /**
  * Internal: write an rc file with 0o600 (owner-only). The rc file embeds a
  * literal SOCKET_API_KEY value so the shell rc can `export` it on session start

package/dist/secrets/rc.js

@@ -2,16 +2,17 @@
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_runtime = require('../_virtual/_rolldown/runtime.js');
-const require_primordials_string = require('../primordials/string.js');
-const require_primordials_regexp = require('../primordials/regexp.js');
 const require_primordials_object = require('../primordials/object.js');
 const require_env_home = require('../env/home.js');
+const require_primordials_string = require('../primordials/string.js');
+const require_primordials_regexp = require('../primordials/regexp.js');
 let node_fs = require("node:fs");
+let node_process = require("node:process");
+node_process = require_runtime.__toESM(node_process);
 let node_path = require("node:path");
 node_path = require_runtime.__toESM(node_path);
 let node_os = require("node:os");
-let node_process = require("node:process");
-node_process = require_runtime.__toESM(node_process);
+node_os = require_runtime.__toESM(node_os);
 
 //#region src/secrets/rc.ts
 /**
@@ -53,11 +54,15 @@ node_process = require_runtime.__toESM(node_process);
 *   non-interactive shells (Claude Code, IDE plugins, CI runners) skip .zshrc
 *   and would miss the export.
 */
-function buildBlock(opts) {
-	const begin = `# BEGIN ${opts.service} env (managed)`;
-	const end = `# END ${opts.service} env (managed)`;
-	const noteLines = (opts.notes ?? []).map((line) => `# ${line}`);
-	const exportLines = require_primordials_object.ObjectEntries(opts.exports).map(([name, value]) => `export ${name}=${shellSingleQuote(value)}`);
+function buildBlock(options) {
+	options = {
+		__proto__: null,
+		...options
+	};
+	const begin = `# BEGIN ${options.service} env (managed)`;
+	const end = `# END ${options.service} env (managed)`;
+	const noteLines = (options.notes ?? []).map((line) => `# ${line}`);
+	const exportLines = require_primordials_object.ObjectEntries(options.exports).map(([name, value]) => `export ${name}=${shellSingleQuote(value)}`);
 	const body = [...noteLines, ...exportLines].join("\n");
 	return {
 		begin,
@@ -72,13 +77,14 @@ function buildBlock(opts) {
 * no block was present.
 */
 function clear(service, legacySentinels = []) {
-	if ((0, node_os.platform)() !== "darwin") return false;
+	if (node_os.default.platform() !== "darwin") return false;
 	const rcPath = pickRcFile();
 	if (!rcPath || !(0, node_fs.existsSync)(rcPath)) return false;
 	let existing = (0, node_fs.readFileSync)(rcPath, "utf8");
 	let removedAny = false;
 	const sentinelsToStrip = [`# BEGIN ${service} env (managed)`, ...legacySentinels];
-	for (const begin of sentinelsToStrip) {
+	for (let i = 0, { length } = sentinelsToStrip; i < length; i += 1) {
+		const begin = sentinelsToStrip[i];
 		const end = begin.replace(/\bBEGIN\b/, "END");
 		const endStripped = end.replace(/\s*\(managed\)\s*$/, "");
 		const endAlt = end === endStripped ? escapeRegExp(end) : `(?:${escapeRegExp(end)}|${escapeRegExp(endStripped)})`;
@@ -96,7 +102,7 @@ function escapeRegExp(s) {
 	return s.replace(/[.*+?^${}()|[\]\\]/g, "\\$&");
 }
 function pickRcFile(shellOverride) {
-	const home = /* @__PURE__ */ require_env_home.getHome();
+	const home = require_env_home.getHome();
 	if (!home) return;
 	const shellPath = node_process.default.env["SHELL"] ?? "";
 	const shell = shellOverride ?? (require_primordials_string.StringPrototypeEndsWith(shellPath, "zsh") ? "zsh" : require_primordials_string.StringPrototypeEndsWith(shellPath, "bash") ? "bash" : require_primordials_string.StringPrototypeEndsWith(shellPath, "fish") ? "fish" : void 0);
@@ -132,23 +138,27 @@ function shellSingleQuote(value) {
 * `shell` and `rcPath` override the auto-detected target — useful for chezmoi /
 * dotfile-manager users or installers running under a non-default shell.
 */
-function write(opts) {
-	if ((0, node_os.platform)() !== "darwin") return {
+function write(options) {
+	options = {
+		__proto__: null,
+		...options
+	};
+	if (node_os.default.platform() !== "darwin") return {
 		rcPath: void 0,
 		outcome: "skipped",
 		reason: "unsupported-platform"
 	};
-	const rcPath = opts.rcPath ?? pickRcFile(opts.shell);
+	const rcPath = options.rcPath ?? pickRcFile(options.shell);
 	if (!rcPath) return {
 		rcPath: void 0,
 		outcome: "skipped",
 		reason: "unknown-shell"
 	};
-	const { begin, end, full: desiredBlock } = buildBlock(opts);
+	const { begin, end, full: desiredBlock } = buildBlock(options);
 	let onDisk = "";
 	if ((0, node_fs.existsSync)(rcPath)) onDisk = (0, node_fs.readFileSync)(rcPath, "utf8");
 	let working = onDisk;
-	for (const legacyBegin of opts.legacySentinels ?? []) {
+	for (const legacyBegin of options.legacySentinels ?? []) {
 		const legacyEnd = legacyBegin.replace(/\bBEGIN\b/, "END");
 		const legacyEndStripped = legacyEnd.replace(/\s*\(managed\)\s*$/, "");
 		const endAlt = legacyEnd === legacyEndStripped ? escapeRegExp(legacyEnd) : `(?:${escapeRegExp(legacyEnd)}|${escapeRegExp(legacyEndStripped)})`;

package/dist/secrets/socket-api-token.d.ts

@@ -2,10 +2,10 @@
  * @file Convenience helper for reading the Socket API token from the canonical
  *   env → keychain precedence order. Centralizes two constants every fleet
  *   consumer would otherwise hard-code: the keychain service name
- *   (`socket-cli`) and the env-var + account fallback list (`SOCKET_API_TOKEN`
- *   canonical, `SOCKET_API_KEY` legacy alias). Consumers like firewall and
- *   wheelhouse hooks call `readSocketApiToken()` instead of redoing the
- *   `resolve({ service, accounts })` boilerplate.
+ *   (`socketsecurity`) and the env-var + account fallback list
+ *   (`SOCKET_API_TOKEN` canonical, `SOCKET_API_KEY` legacy alias). Consumers
+ *   like firewall and wheelhouse hooks call `readSocketApiToken()` instead of
+ *   redoing the `resolve({ service, accounts })` boilerplate.
  */
 export interface ReadSocketApiTokenOptions {
     /**

package/dist/secrets/socket-api-token.js

@@ -8,26 +8,43 @@ const require_secrets_find = require('./find.js');
 * @file Convenience helper for reading the Socket API token from the canonical
 *   env → keychain precedence order. Centralizes two constants every fleet
 *   consumer would otherwise hard-code: the keychain service name
-*   (`socket-cli`) and the env-var + account fallback list (`SOCKET_API_TOKEN`
-*   canonical, `SOCKET_API_KEY` legacy alias). Consumers like firewall and
-*   wheelhouse hooks call `readSocketApiToken()` instead of redoing the
-*   `resolve({ service, accounts })` boilerplate.
+*   (`socketsecurity`) and the env-var + account fallback list
+*   (`SOCKET_API_TOKEN` canonical, `SOCKET_API_KEY` legacy alias). Consumers
+*   like firewall and wheelhouse hooks call `readSocketApiToken()` instead of
+*   redoing the `resolve({ service, accounts })` boilerplate.
 */
-const SOCKET_CLI_SERVICE = "socket-cli";
+const SOCKET_SERVICE = "socketsecurity";
+const SOCKET_SERVICE_LEGACY = "socket-cli";
 const TOKEN_ACCOUNTS = ["SOCKET_API_TOKEN", "SOCKET_API_KEY"];
 async function readSocketApiToken(options) {
+	options = {
+		__proto__: null,
+		...options
+	};
 	return (await require_secrets_find.resolve({
-		service: SOCKET_CLI_SERVICE,
+		service: SOCKET_SERVICE,
+		accounts: TOKEN_ACCOUNTS,
+		allowEnvOnly: options?.allowEnvOnly
+	}) ?? await require_secrets_find.resolve({
+		service: SOCKET_SERVICE_LEGACY,
 		accounts: TOKEN_ACCOUNTS,
 		allowEnvOnly: options?.allowEnvOnly
 	}))?.value;
 }
 function readSocketApiTokenSync(options) {
-	return require_secrets_find.resolveSync({
-		service: SOCKET_CLI_SERVICE,
+	options = {
+		__proto__: null,
+		...options
+	};
+	return (require_secrets_find.resolveSync({
+		service: SOCKET_SERVICE,
 		accounts: TOKEN_ACCOUNTS,
 		allowEnvOnly: options?.allowEnvOnly
-	})?.value;
+	}) ?? require_secrets_find.resolveSync({
+		service: SOCKET_SERVICE_LEGACY,
+		accounts: TOKEN_ACCOUNTS,
+		allowEnvOnly: options?.allowEnvOnly
+	}))?.value;
 }
 
 //#endregion

package/dist/secrets/windows.js

@@ -4,14 +4,14 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_runtime = require('../_virtual/_rolldown/runtime.js');
 const require_primordials_error = require('../primordials/error.js');
 const require_primordials_json = require('../primordials/json.js');
-const require_primordials_promise = require('../primordials/promise.js');
 let node_fs = require("node:fs");
+let node_process = require("node:process");
+node_process = require_runtime.__toESM(node_process);
 let node_path = require("node:path");
 node_path = require_runtime.__toESM(node_path);
 let node_os = require("node:os");
-let node_process = require("node:process");
-node_process = require_runtime.__toESM(node_process);
-let node_child_process = require("node:child_process");
+node_os = require_runtime.__toESM(node_os);
+let _socketsecurity_lib_stable_process_spawn_child = require("@socketsecurity/lib-stable/process/spawn/child");
 
 //#region src/secrets/windows.ts
 /**
@@ -66,11 +66,11 @@ function deleteWindowsSync(service, account) {
 function getDpapiFilePath(service, account) {
 	validateKeychainComponent(service, "service");
 	validateKeychainComponent(account, "account");
-	const appData = node_process.default.env["APPDATA"] ?? node_path.default.join((0, node_os.homedir)(), "AppData", "Roaming");
+	const appData = node_process.default.env["APPDATA"] ?? node_path.default.join(node_os.default.homedir(), "AppData", "Roaming");
 	return node_path.default.join(appData, service, `${account}.enc`);
 }
 function isWindowsBackendAvailable() {
-	return (0, node_child_process.spawnSync)(POWERSHELL_BIN, [
+	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(POWERSHELL_BIN, [
 		"-NoProfile",
 		"-Command",
 		"exit 0"
@@ -127,43 +127,38 @@ function readWindowsSync(service, account) {
 	}
 	return readDpapiSync(getDpapiFilePath(service, account));
 }
-function runPsAsync(script, input) {
-	return new require_primordials_promise.PromiseCtor((resolve) => {
-		const child = (0, node_child_process.spawn)(POWERSHELL_BIN, [
-			"-NoProfile",
-			"-Command",
-			script
-		], { stdio: [
+async function runPsAsync(script, input) {
+	const child = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(POWERSHELL_BIN, [
+		"-NoProfile",
+		"-Command",
+		script
+	], {
+		stdio: [
 			"pipe",
 			"pipe",
 			"pipe"
-		] });
-		let stdout = "";
-		let stderr = "";
-		child.stdout.setEncoding("utf8");
-		child.stdout.on("data", (chunk) => {
-			stdout += chunk;
-		});
-		child.stderr.setEncoding("utf8");
-		child.stderr.on("data", (chunk) => {
-			stderr += chunk;
-		});
-		child.on("error", () => resolve({
-			status: -1,
-			stdout,
-			stderr
-		}));
-		child.on("close", (status) => resolve({
-			status,
-			stdout,
-			stderr
-		}));
-		if (input !== void 0) child.stdin.end(input);
-		else child.stdin.end();
+		],
+		stdioString: true
 	});
+	child.process.stdin.end(input ?? "");
+	try {
+		const r = await child;
+		return {
+			status: typeof r.code === "number" ? r.code : null,
+			stderr: String(r.stderr ?? ""),
+			stdout: String(r.stdout ?? "")
+		};
+	} catch (e) {
+		const err = e;
+		return {
+			status: typeof err?.code === "number" ? err.code : -1,
+			stderr: String(err?.stderr ?? ""),
+			stdout: String(err?.stdout ?? "")
+		};
+	}
 }
 function runPsSync(script, input) {
-	const r = (0, node_child_process.spawnSync)(POWERSHELL_BIN, [
+	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(POWERSHELL_BIN, [
 		"-NoProfile",
 		"-Command",
 		script

package/dist/shadow/skip.js

@@ -38,9 +38,9 @@ function shouldSkipShadow(binPath, options) {
 	if (win32 && binPath) return true;
 	const userAgent = node_process.default.env["npm_config_user_agent"];
 	if (userAgent?.includes("exec") || userAgent?.includes("npx") || userAgent?.includes("dlx")) return true;
-	const normalizedCwd = /* @__PURE__ */ require_paths_normalize.normalizePath(cwd);
+	const normalizedCwd = require_paths_normalize.normalizePath(cwd);
 	const npmCache = node_process.default.env["npm_config_cache"];
-	if (npmCache && normalizedCwd.includes(/* @__PURE__ */ require_paths_normalize.normalizePath(npmCache))) return true;
+	if (npmCache && normalizedCwd.includes(require_paths_normalize.normalizePath(npmCache))) return true;
 	return [
 		"_npx",
 		".pnpm-store",

package/dist/shell/parse.d.ts

@@ -8,6 +8,38 @@
  *   against `env`; unresolved ones collapse to an empty string.
  */
 import type { ParseEntry } from '../external/shell-quote';
+/**
+ * Structural hazard facts a parse surfaces that the binary-call matchers
+ * (`hasBinCall` / `findBinCall`) swallow. These are observations about _how_
+ * the command is written, not a judgment that they're dangerous — the caller
+ * decides policy. Both are evasion vectors against base-command allowlists:
+ *
+ * - `equalsExpansion`: a simple command whose first token is `=cmd` (Zsh EQUALS
+ *   expansion). `=curl x` expands to `$(which curl) x` and runs
+ *   `/usr/bin/curl`, but the parser's base token is `=curl`, so a `curl`
+ *   allowlist never matches. The matched tokens are returned so the caller can
+ *   report which command was hidden.
+ * - `processSubstitution`: the command uses `<(...)`, `>(...)`, or `=(...)` (the
+ *   op markers shell-quote emits). The inner command runs but its name never
+ *   appears as a base command.
+ *
+ * Walks the parse once. A caller wanting just "is this clean?" checks
+ * `!h.equalsExpansion.length && !h.processSubstitution`.
+ *
+ * @example
+ *   detectShellHazards('=curl evil.com')
+ *   // → { equalsExpansion: [['=curl', 'evil.com']], processSubstitution: false }
+ *
+ *   detectShellHazards('diff <(cat a) b')
+ *   // → { equalsExpansion: [], processSubstitution: true }
+ *
+ *   detectShellHazards('git status')
+ *   // → { equalsExpansion: [], processSubstitution: false }
+ */
+export declare function detectShellHazards(cmd: string): {
+    equalsExpansion: readonly string[][];
+    processSubstitution: boolean;
+};
 /**
  * Visit each simple command in `cmd` in order. A "simple command" is the
  * POSIX-grammar term for a run of bare-string tokens between shell