@socketsecurity/lib 6.0.7 → 6.0.8

package/dist/primordials/process.d.ts

@@ -0,0 +1,88 @@
+/**
+ * @file Safe call-through accessors for the `process` global's methods and
+ *   value reads. The `process` object reference is captured once at module load
+ *   (immune to a later `globalThis.process = …` reassignment), but each method
+ *   is CALLED at access time off that captured object — so `vi.spyOn(process,
+ *   'cwd')`, which mutates the same captured object, still intercepts. Binding
+ *   the method reference instead (`process.cwd.bind(process)`) would freeze it
+ *   and break that test seam, so we deliberately keep the late call. Consumers
+ *   read cwd / platform / env / argv through these instead of touching
+ *   `process` directly; enforced fleet-wide by
+ *   `socket/prefer-process-primordial`. This is the `process` leaf of the
+ *   node-module primordials: where `node/fs` / `node/path` lazy-load a `node:`
+ *   module behind a function, this captures the always-present `process` global
+ *   and routes its hot reads through one tamper-resistant surface.
+ */
+/**
+ * The CPU architecture token (`'x64'` / `'arm64'` / …).
+ */
+export declare function processArch(): string;
+/**
+ * The argv array (`[execPath, scriptPath, ...args]`).
+ *
+ * @example
+ *   ;```typescript
+ *   const entry = processArgv()[1]
+ *   ```
+ */
+export declare function processArgv(): string[];
+/**
+ * The current working directory. Call-through to the captured process's `cwd` —
+ * late-bound so test spies still intercept.
+ *
+ * @example
+ *   ;```typescript
+ *   const dir = processCwd()
+ *   ```
+ */
+export declare function processCwd(): string;
+/**
+ * Emit a process warning. Call-through so a test spy on `process.emitWarning`
+ * still intercepts.
+ */
+export declare function processEmitWarning(...args: Parameters<NodeJS.Process['emitWarning']>): void;
+/**
+ * The process environment object. Returns the live `process.env` off the
+ * captured process (call-through, so a test that swaps `process.env` is seen).
+ *
+ * @example
+ *   ;```typescript
+ *   const token = processEnv()['SOCKET_API_TOKEN']
+ *   ```
+ */
+export declare function processEnv(): NodeJS.ProcessEnv;
+/**
+ * The absolute path to the Node executable (`process.execPath`).
+ */
+export declare function processExecPath(): string;
+/**
+ * Schedule a callback on the next tick. Call-through (late-bound).
+ */
+export declare function processNextTick(...args: Parameters<NodeJS.Process['nextTick']>): void;
+/**
+ * The process id.
+ */
+export declare function processPid(): number;
+/**
+ * The OS platform token (`'darwin'` / `'linux'` / `'win32'` / …).
+ *
+ * @example
+ *   ;```typescript
+ *   if (processPlatform() === 'win32') { … }
+ *   ```
+ */
+export declare function processPlatform(): NodeJS.Platform;
+/**
+ * The standard error stream. Returned off the captured process so a test that
+ * spies on `process.stderr.write` still intercepts.
+ */
+export declare function processStderr(): NodeJS.WriteStream;
+/**
+ * The standard output stream. Returned off the captured process so a test that
+ * spies on `process.stdout.write` still intercepts.
+ */
+export declare function processStdout(): NodeJS.WriteStream;
+/**
+ * The Node version string (`process.version`, e.g. `'v26.2.0'`).
+ */
+export declare function processVersion(): string;

package/dist/primordials/process.js

@@ -0,0 +1,132 @@
+"use strict";
+/* Socket Lib - Built with rolldown */
+Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
+
+//#region src/primordials/process.ts
+/**
+* @file Safe call-through accessors for the `process` global's methods and
+*   value reads. The `process` object reference is captured once at module load
+*   (immune to a later `globalThis.process = …` reassignment), but each method
+*   is CALLED at access time off that captured object — so `vi.spyOn(process,
+*   'cwd')`, which mutates the same captured object, still intercepts. Binding
+*   the method reference instead (`process.cwd.bind(process)`) would freeze it
+*   and break that test seam, so we deliberately keep the late call. Consumers
+*   read cwd / platform / env / argv through these instead of touching
+*   `process` directly; enforced fleet-wide by
+*   `socket/prefer-process-primordial`. This is the `process` leaf of the
+*   node-module primordials: where `node/fs` / `node/path` lazy-load a `node:`
+*   module behind a function, this captures the always-present `process` global
+*   and routes its hot reads through one tamper-resistant surface.
+*/
+const SafeProcess = process;
+/**
+* The CPU architecture token (`'x64'` / `'arm64'` / …).
+*/
+function processArch() {
+	return SafeProcess.arch;
+}
+/**
+* The argv array (`[execPath, scriptPath, ...args]`).
+*
+* @example
+*   ;```typescript
+*   const entry = processArgv()[1]
+*   ```
+*/
+function processArgv() {
+	return SafeProcess.argv;
+}
+/**
+* The current working directory. Call-through to the captured process's `cwd` —
+* late-bound so test spies still intercept.
+*
+* @example
+*   ;```typescript
+*   const dir = processCwd()
+*   ```
+*/
+function processCwd() {
+	return SafeProcess.cwd();
+}
+/**
+* Emit a process warning. Call-through so a test spy on `process.emitWarning`
+* still intercepts.
+*/
+function processEmitWarning(...args) {
+	SafeProcess.emitWarning(...args);
+}
+/**
+* The process environment object. Returns the live `process.env` off the
+* captured process (call-through, so a test that swaps `process.env` is seen).
+*
+* @example
+*   ;```typescript
+*   const token = processEnv()['SOCKET_API_TOKEN']
+*   ```
+*/
+function processEnv() {
+	return SafeProcess.env;
+}
+/**
+* The absolute path to the Node executable (`process.execPath`).
+*/
+function processExecPath() {
+	return SafeProcess.execPath;
+}
+/**
+* Schedule a callback on the next tick. Call-through (late-bound).
+*/
+function processNextTick(...args) {
+	SafeProcess.nextTick(...args);
+}
+/**
+* The process id.
+*/
+function processPid() {
+	return SafeProcess.pid;
+}
+/**
+* The OS platform token (`'darwin'` / `'linux'` / `'win32'` / …).
+*
+* @example
+*   ;```typescript
+*   if (processPlatform() === 'win32') { … }
+*   ```
+*/
+function processPlatform() {
+	return SafeProcess.platform;
+}
+/**
+* The standard error stream. Returned off the captured process so a test that
+* spies on `process.stderr.write` still intercepts.
+*/
+function processStderr() {
+	return SafeProcess.stderr;
+}
+/**
+* The standard output stream. Returned off the captured process so a test that
+* spies on `process.stdout.write` still intercepts.
+*/
+function processStdout() {
+	return SafeProcess.stdout;
+}
+/**
+* The Node version string (`process.version`, e.g. `'v26.2.0'`).
+*/
+function processVersion() {
+	return SafeProcess.version;
+}
+
+//#endregion
+exports.processArch = processArch;
+exports.processArgv = processArgv;
+exports.processCwd = processCwd;
+exports.processEmitWarning = processEmitWarning;
+exports.processEnv = processEnv;
+exports.processExecPath = processExecPath;
+exports.processNextTick = processNextTick;
+exports.processPid = processPid;
+exports.processPlatform = processPlatform;
+exports.processStderr = processStderr;
+exports.processStdout = processStdout;
+exports.processVersion = processVersion;

package/dist/primordials/uncurry.d.ts

@@ -12,7 +12,6 @@
 export declare const uncurryThis: <T, A extends readonly unknown[], R>(fn: (this: T, ...args: A) => R) => (self: T, ...args: A) => R;
 export declare const applyBind: <T, A extends readonly unknown[], R>(fn: (this: T, ...args: A) => R) => (self: T, args: A) => R;
 export declare const applySafe: <T, A extends readonly unknown[], R>(fn: (this: T, ...args: A) => R) => (self: T, args: A) => R | undefined;
-type BindCall = <T, P extends readonly unknown[], A extends readonly unknown[], R>(fn: (this: T, ...args: [...P, ...A]) => R, thisArg: T, ...presetArgs: P) => (...newArgs: A) => R;
+export type BindCall = <T, P extends readonly unknown[], A extends readonly unknown[], R>(fn: (this: T, ...args: [...P, ...A]) => R, thisArg: T, ...presetArgs: P) => (...newArgs: A) => R;
 export declare const bindCall: BindCall;
 export declare const weakRefSafe: <T extends object | symbol>(target: T) => WeakRef<T> | undefined;
-export {};

package/dist/process/spawn/child.js

@@ -72,7 +72,10 @@ function spawn(cmd, args, options, extra) {
 	/* c8 ignore start - Windows-only cmd.exe extension stripping for
 	.cmd/.bat/.ps1 shell-true execution. Tested on Windows runners. */
 	if (node_process.default.platform === "win32" && shell && require_primordials_regexp.RegExpPrototypeTest(require_process_spawn__internal.windowsScriptExtRegExp, actualCmd)) {
-		if (!require_paths_predicates.isPath(actualCmd)) actualCmd = require_node_path.getNodePath().basename(actualCmd, require_node_path.getNodePath().extname(actualCmd));
+		if (!require_paths_predicates.isPath(actualCmd)) {
+			const path = require_node_path.getNodePath();
+			actualCmd = path.basename(actualCmd, path.extname(actualCmd));
+		}
 	}
 	const shouldStopSpinner = !!spinnerInstance?.isSpinning && !require_process_spawn_stdio.isStdioType(stdio, "ignore") && !require_process_spawn_stdio.isStdioType(stdio, "pipe");
 	const shouldRestartSpinner = shouldStopSpinner;
@@ -150,7 +153,10 @@ function spawnSync(cmd, args, options) {
 	/* c8 ignore start - Windows-only cmd.exe extension stripping for
 	.cmd/.bat/.ps1 shell-true execution. Tested on Windows runners. */
 	if (node_process.default.platform === "win32" && shell && require_primordials_regexp.RegExpPrototypeTest(require_process_spawn__internal.windowsScriptExtRegExp, actualCmd)) {
-		if (!require_paths_predicates.isPath(actualCmd)) actualCmd = require_node_path.getNodePath().basename(actualCmd, require_node_path.getNodePath().extname(actualCmd));
+		if (!require_paths_predicates.isPath(actualCmd)) {
+			const path = require_node_path.getNodePath();
+			actualCmd = path.basename(actualCmd, path.extname(actualCmd));
+		}
 	}
 	/* c8 ignore stop */
 	const { stripAnsi: shouldStripAnsi = true, ...rawSpawnOptions } = {

package/dist/process/spawn/errors.js

@@ -3,8 +3,8 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_error = require('../../primordials/error.js');
 const require_primordials_object = require('../../primordials/object.js');
-const require_primordials_reflect = require('../../primordials/reflect.js');
 const require_objects_predicates = require('../../objects/predicates.js');
+const require_primordials_reflect = require('../../primordials/reflect.js');
 const require_process_spawn__internal = require('./_internal.js');
 let src_external_pony_cause = require("../../external/pony-cause");
 

package/dist/regexps/spec.js

@@ -1,8 +1,8 @@
 "use strict";
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
-const require_primordials_string = require('../primordials/string.js');
 const require_primordials_map_set = require('../primordials/map-set.js');
+const require_primordials_string = require('../primordials/string.js');
 const require_regexps_hex = require('./hex.js');
 
 //#region src/regexps/spec.ts

package/dist/releases/github-archives.js

@@ -4,8 +4,8 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_error = require('../primordials/error.js');
 const require_node_path = require('../node/path.js');
 const require_logger_default = require('../logger/default.js');
-const require_archives_detect = require('../archives/detect.js');
 const require_fs_safe = require('../fs/safe.js');
+const require_archives_detect = require('../archives/detect.js');
 const require_archives_extract = require('../archives/extract.js');
 const require_releases_github_downloads = require('./github-downloads.js');
 

package/dist/releases/github-listing.d.ts

@@ -17,7 +17,7 @@ import type { AssetPattern, RepoConfig } from './github-types';
  * output to this shape so downstream code is unaware of which transport
  * produced the data.
  */
-interface ReleaseRow {
+export interface ReleaseRow {
     tag_name: string;
     published_at: string;
     assets: Array<{
@@ -111,4 +111,3 @@ export declare function getLatestRelease(toolPrefix: string, repoConfig: RepoCon
  * non-string/Buffer bodies; parse the rest. Throws on genuine parse failure.
  */
 export declare function parseResponseBody(body: unknown): unknown;
-export {};

package/dist/schema/types.d.ts

@@ -62,7 +62,7 @@ export interface Schema<T = unknown> {
  *
  * @internal
  */
-interface ZodV4LikeSchema<O = unknown> {
+export interface ZodV4LikeSchema<O = unknown> {
     _zod: {
         output: O;
     };
@@ -74,7 +74,7 @@ interface ZodV4LikeSchema<O = unknown> {
  *
  * @internal
  */
-interface ZodV3LikeSchema<O = unknown> {
+export interface ZodV3LikeSchema<O = unknown> {
     _output: O;
     safeParse(data: unknown): unknown;
 }
@@ -85,7 +85,7 @@ interface ZodV3LikeSchema<O = unknown> {
  *
  * @internal
  */
-interface TypeBoxLikeSchema {
+export interface TypeBoxLikeSchema {
     static: unknown;
 }
 /**
@@ -130,4 +130,3 @@ export type ValidateResult<T> = {
     ok: false;
     errors: ValidationIssue[];
 };
-export {};

package/dist/schema/validate.js

@@ -3,8 +3,8 @@
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_error = require('../primordials/error.js');
 const require_primordials_number = require('../primordials/number.js');
-const require_primordials_array = require('../primordials/array.js');
 const require_primordials_object = require('../primordials/object.js');
+const require_primordials_array = require('../primordials/array.js');
 
 //#region src/schema/validate.ts
 /**

package/dist/secrets/find.d.ts

@@ -71,9 +71,9 @@ export declare function readEnv(name: string): string | undefined;
  * `undefined` when neither source has the value — the caller's signal to prompt
  * the user or surface a setup hint.
  */
-export declare function resolve(opts: ResolveOptions): Promise<ResolveResult | undefined>;
+export declare function resolve(options: ResolveOptions): Promise<ResolveResult | undefined>;
 /**
  * Sync variant for non-async callers (hook initializers, schema validators that
  * run before any `await` machinery exists).
  */
-export declare function resolveSync(opts: ResolveOptions): ResolveResult | undefined;
+export declare function resolveSync(options: ResolveOptions): ResolveResult | undefined;

package/dist/secrets/find.js

@@ -42,8 +42,11 @@ function readEnv(name) {
 * `undefined` when neither source has the value — the caller's signal to prompt
 * the user or surface a setup hint.
 */
-async function resolve(opts) {
-	const { accounts, allowEnvOnly, service } = opts;
+async function resolve(options) {
+	const { accounts, allowEnvOnly, service } = {
+		__proto__: null,
+		...options
+	};
 	for (let i = 0, { length } = accounts; i < length; i += 1) {
 		const account = accounts[i];
 		const fromEnv = readEnv(account);
@@ -71,8 +74,11 @@ async function resolve(opts) {
 * Sync variant for non-async callers (hook initializers, schema validators that
 * run before any `await` machinery exists).
 */
-function resolveSync(opts) {
-	const { accounts, allowEnvOnly, service } = opts;
+function resolveSync(options) {
+	const { accounts, allowEnvOnly, service } = {
+		__proto__: null,
+		...options
+	};
 	for (let i = 0, { length } = accounts; i < length; i += 1) {
 		const account = accounts[i];
 		const fromEnv = readEnv(account);

package/dist/secrets/keychain.d.ts

@@ -46,7 +46,7 @@ export declare function deleteSecretFromSlotsSync({ service, accounts, }: Delete
 export declare function deleteSecretSync({ service, account, }: DeleteOptions): 'removed' | 'absent';
 export type { BackendAvailability, SecretDeleteResult, SecretWriteResult, } from './types';
 export type { SecretSlot } from './types';
-type Platform = 'darwin' | 'linux' | 'win32' | 'other';
+export type Platform = 'darwin' | 'linux' | 'win32' | 'other';
 /**
  * Resolve the current OS to one of our four backend categories.
  *

package/dist/secrets/linux.js

@@ -46,32 +46,25 @@ function isLinuxBackendAvailable() {
 	return (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, ["--version"], { stdio: "ignore" }).status === 0;
 }
 async function readLinux(service, account) {
-	return new require_primordials_promise.PromiseCtor((resolve) => {
-		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
+	try {
+		const r = await (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
 			"lookup",
 			"service",
 			service,
 			"user",
 			account
-		], { stdio: [
-			"ignore",
-			"pipe",
-			"pipe"
-		] });
-		let stdout = "";
-		cp.stdout.setEncoding("utf8");
-		cp.stdout.on("data", (chunk) => {
-			stdout += chunk;
-		});
-		cp.on("error", () => resolve(void 0));
-		cp.on("close", (status) => {
-			if (status !== 0) {
-				resolve(void 0);
-				return;
-			}
-			resolve(stdout.trim() || void 0);
+		], {
+			stdio: [
+				"ignore",
+				"pipe",
+				"pipe"
+			],
+			stdioString: true
 		});
-	});
+		return String(r.stdout ?? "").trim() || void 0;
+	} catch {
+		return;
+	}
 }
 function readLinuxSync(service, account) {
 	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [
@@ -92,34 +85,29 @@ function readLinuxSync(service, account) {
 	return r.stdout.trim() || void 0;
 }
 async function writeLinux(service, account, value, label) {
-	return new require_primordials_promise.PromiseCtor((resolve, reject) => {
-		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
-			"store",
-			`--label=${label}`,
-			"service",
-			service,
-			"user",
-			account
-		], { stdio: [
+	const hint = "Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.";
+	const child = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECRET_TOOL_BIN, [
+		"store",
+		`--label=${label}`,
+		"service",
+		service,
+		"user",
+		account
+	], {
+		stdio: [
 			"pipe",
 			"pipe",
 			"pipe"
-		] });
-		let stderr = "";
-		cp.stderr.setEncoding("utf8");
-		cp.stderr.on("data", (chunk) => {
-			stderr += chunk;
-		});
-		cp.on("error", (err) => reject(/* @__PURE__ */ new Error(`secret-tool store failed: ${err.message}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`)));
-		cp.on("close", (status) => {
-			if (status === 0) {
-				resolve();
-				return;
-			}
-			reject(/* @__PURE__ */ new Error(`secret-tool store failed (status=${status}, user=${account}): ${stderr.trim()}. Install libsecret-tools (apt install libsecret-tools / dnf install libsecret) or ensure a Secret Service provider (gnome-keyring, kwallet) is running.`));
-		});
-		cp.stdin.end(value);
+		],
+		stdioString: true
 	});
+	child.process.stdin.end(value);
+	try {
+		await child;
+	} catch (e) {
+		const err = e;
+		throw new require_primordials_error.ErrorCtor(`secret-tool store failed (status=${typeof err?.code === "number" ? err.code : -1}, user=${account}): ${String(err?.stderr ?? err?.message ?? "").trim()}. ${hint}`);
+	}
 }
 function writeLinuxSync(service, account, value, label) {
 	const r = (0, _socketsecurity_lib_stable_process_spawn_child.spawnSync)(SECRET_TOOL_BIN, [

package/dist/secrets/macos.d.ts

@@ -23,7 +23,7 @@ export declare function deleteMacOSSync(service: string, account: string): 'remo
 export declare function isMacOSBackendAvailable(): boolean;
 export declare function readMacOS(service: string, account: string): Promise<string | undefined>;
 export declare function readMacOSSync(service: string, account: string): string | undefined;
-interface SpawnOpts {
+export interface SpawnOpts {
     stdio?: 'ignore' | 'pipe' | ['ignore', 'pipe', 'pipe'] | undefined;
 }
 export declare function runAsync(args: readonly string[], opts?: SpawnOpts): Promise<{
@@ -33,4 +33,3 @@ export declare function runAsync(args: readonly string[], opts?: SpawnOpts): Pro
 }>;
 export declare function writeMacOS(service: string, account: string, value: string, label: string): Promise<void>;
 export declare function writeMacOSSync(service: string, account: string, value: string, label: string): void;
-export {};

package/dist/secrets/macos.js

@@ -2,7 +2,6 @@
 /* Socket Lib - Built with rolldown */
 Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
 const require_primordials_error = require('../primordials/error.js');
-const require_primordials_promise = require('../primordials/promise.js');
 let _socketsecurity_lib_stable_process_spawn_child = require("@socketsecurity/lib-stable/process/spawn/child");
 
 //#region src/secrets/macos.ts
@@ -79,38 +78,30 @@ function readMacOSSync(service, account) {
 	if (r.status !== 0) return;
 	return r.stdout.trim() || void 0;
 }
-function runAsync(args, opts = {}) {
-	return new require_primordials_promise.PromiseCtor((resolve) => {
-		const { process: cp } = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECURITY_BIN, args, { stdio: opts.stdio ?? [
+async function runAsync(args, opts = {}) {
+	const child = (0, _socketsecurity_lib_stable_process_spawn_child.spawn)(SECURITY_BIN, args, {
+		stdio: opts.stdio ?? [
 			"ignore",
 			"pipe",
 			"pipe"
-		] });
-		let stdout = "";
-		let stderr = "";
-		if (cp.stdout) {
-			cp.stdout.setEncoding("utf8");
-			cp.stdout.on("data", (chunk) => {
-				stdout += chunk;
-			});
-		}
-		if (cp.stderr) {
-			cp.stderr.setEncoding("utf8");
-			cp.stderr.on("data", (chunk) => {
-				stderr += chunk;
-			});
-		}
-		cp.on("error", () => resolve({
-			status: -1,
-			stdout,
-			stderr
-		}));
-		cp.on("close", (status) => resolve({
-			status,
-			stdout,
-			stderr
-		}));
+		],
+		stdioString: true
 	});
+	try {
+		const r = await child;
+		return {
+			status: typeof r.code === "number" ? r.code : null,
+			stderr: String(r.stderr ?? ""),
+			stdout: String(r.stdout ?? "")
+		};
+	} catch (e) {
+		const err = e;
+		return {
+			status: typeof err?.code === "number" ? err.code : -1,
+			stderr: String(err?.stderr ?? ""),
+			stdout: String(err?.stdout ?? "")
+		};
+	}
 }
 async function writeMacOS(service, account, value, label) {
 	const r = await runAsync([

package/dist/secrets/rc.d.ts

@@ -37,7 +37,7 @@
  *   non-interactive shells (Claude Code, IDE plugins, CI runners) skip .zshrc
  *   and would miss the export.
  */
-export declare function buildBlock(opts: WriteOptions): {
+export declare function buildBlock(options: WriteOptions): {
     begin: string;
     end: string;
     body: string;
@@ -126,7 +126,7 @@ export declare function shellSingleQuote(value: string): string;
  * `shell` and `rcPath` override the auto-detected target — useful for chezmoi /
  * dotfile-manager users or installers running under a non-default shell.
  */
-export declare function write(opts: WriteOptions): WriteResult;
+export declare function write(options: WriteOptions): WriteResult;
 /**
  * Internal: write an rc file with 0o600 (owner-only). The rc file embeds a
  * literal SOCKET_API_KEY value so the shell rc can `export` it on session start