@socketsecurity/lib 6.0.7 → 6.0.9
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +42 -0
- package/README.md +1 -1
- package/dist/ai/agent-context.d.mts +103 -0
- package/dist/ai/agent-context.js +157 -0
- package/dist/ai/backends.d.mts +83 -0
- package/dist/ai/backends.js +173 -0
- package/dist/ai/credentials.d.mts +49 -0
- package/dist/ai/credentials.js +82 -0
- package/dist/ai/discover.d.mts +4 -0
- package/dist/ai/discover.js +1 -1
- package/dist/ai/exec.d.mts +52 -0
- package/dist/ai/exec.js +92 -0
- package/dist/ai/http.d.mts +132 -0
- package/dist/ai/http.js +130 -0
- package/dist/ai/profiles.d.mts +41 -6
- package/dist/ai/profiles.js +52 -10
- package/dist/ai/route.d.mts +82 -0
- package/dist/ai/route.js +171 -0
- package/dist/ai/spawn.d.mts +42 -2
- package/dist/ai/spawn.js +146 -33
- package/dist/ai/subagent-status.d.mts +48 -0
- package/dist/ai/subagent-status.js +57 -0
- package/dist/ai/tier.d.mts +60 -0
- package/dist/ai/tier.js +53 -0
- package/dist/ai/types.d.mts +25 -2
- package/dist/ai/worktree.js +4 -0
- package/dist/archives/tar.js +1 -1
- package/dist/archives/zip.js +2 -2
- package/dist/argv/parse.d.ts +19 -2
- package/dist/argv/parse.js +1 -1
- package/dist/arrays/join.js +4 -0
- package/dist/bin/find.js +4 -4
- package/dist/bin/prim.cjs +23322 -18018
- package/dist/bin/resolve.js +2 -2
- package/dist/cache/ttl/store.js +2 -2
- package/dist/cli/check-primordials.d.ts +8 -3
- package/dist/cli/check-primordials.js +4 -4
- package/dist/compression/_internal.js +1 -1
- package/dist/compression/brotli.d.ts +1 -2
- package/dist/compression/brotli.js +5 -1
- package/dist/compression/gzip.js +5 -1
- package/dist/config/layers.d.ts +53 -0
- package/dist/config/layers.js +83 -0
- package/dist/constants/packages.d.ts +3 -0
- package/dist/constants/packages.js +2 -1
- package/dist/constants/socket.d.ts +2 -6
- package/dist/constants/socket.js +12 -14
- package/dist/cover/code.js +2 -2
- package/dist/crypto/hash.d.ts +4 -1
- package/dist/crypto/hash.js +4 -1
- package/dist/dlx/arborist.js +13 -3
- package/dist/dlx/binary-cache.js +1 -1
- package/dist/dlx/binary-resolution.js +1 -1
- package/dist/dlx/detect.d.ts +8 -0
- package/dist/dlx/firewall.d.ts +8 -0
- package/dist/dlx/lockfile.js +5 -2
- package/dist/dlx/manifest.js +1 -1
- package/dist/dlx/package.js +4 -0
- package/dist/eco/cargo/parse-lockfile.d.ts +1 -2
- package/dist/eco/cargo/parse-lockfile.js +3 -3
- package/dist/eco/manifest/detect-format.js +1 -1
- package/dist/eco/npm/npm/parse-lockfile.d.ts +3 -4
- package/dist/eco/npm/npm/parse-lockfile.js +2 -2
- package/dist/eco/npm/parse-package-json.d.ts +11 -0
- package/dist/eco/npm/parse-package-json.js +1 -1
- package/dist/eco/npm/pnpm/parse-lockfile.d.ts +5 -3
- package/dist/eco/npm/pnpm/parse-lockfile.js +3 -3
- package/dist/eco/npm/yarnpkg/yarn/exec.js +1 -1
- package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.d.ts +1 -2
- package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +2 -2
- package/dist/env/proxy.js +1 -1
- package/dist/env/rewire.d.ts +6 -3
- package/dist/env/rewire.js +7 -8
- package/dist/env/socket.d.ts +7 -0
- package/dist/env/socket.js +10 -0
- package/dist/env/xdg.d.ts +17 -0
- package/dist/env/xdg.js +21 -1
- package/dist/errors/predicates.js +1 -1
- package/dist/errors/stack.js +1 -2
- package/dist/external/@npmcli/package-json.js +3455 -4881
- package/dist/external/@npmcli/promise-spawn.js +3 -1
- package/dist/external/@yarnpkg/extensions.js +1 -1
- package/dist/external/external-pack.js +1 -1
- package/dist/external/npm-pack.js +29164 -31799
- package/dist/external/pico-pack.js +4 -2
- package/dist/external/tar-fs.js +63 -16
- package/dist/external/which.js +3 -1
- package/dist/external-tools/bazel/asset-names.d.ts +1 -1
- package/dist/external-tools/bazel/asset-names.js +5 -2
- package/dist/external-tools/bazel/from-download.d.ts +1 -1
- package/dist/external-tools/bazel/from-download.js +5 -2
- package/dist/external-tools/bazel/resolve-bazel-version.js +4 -0
- package/dist/external-tools/bazel/resolve.d.ts +3 -3
- package/dist/external-tools/bazel/resolve.js +16 -8
- package/dist/external-tools/cdxgen/asset-names.d.ts +1 -1
- package/dist/external-tools/cdxgen/asset-names.js +5 -2
- package/dist/external-tools/cdxgen/from-download.d.ts +1 -1
- package/dist/external-tools/cdxgen/from-download.js +7 -4
- package/dist/external-tools/cdxgen/resolve.d.ts +3 -3
- package/dist/external-tools/cdxgen/resolve.js +16 -8
- package/dist/external-tools/from-download.d.ts +2 -2
- package/dist/external-tools/from-download.js +11 -5
- package/dist/external-tools/from-pip-venv.d.ts +1 -1
- package/dist/external-tools/from-pip-venv.js +12 -5
- package/dist/external-tools/janus/asset-names.d.ts +1 -1
- package/dist/external-tools/janus/asset-names.js +5 -2
- package/dist/external-tools/janus/from-download.d.ts +1 -1
- package/dist/external-tools/janus/from-download.js +5 -2
- package/dist/external-tools/janus/resolve.d.ts +3 -3
- package/dist/external-tools/janus/resolve.js +16 -8
- package/dist/external-tools/jre/asset-names.d.ts +1 -1
- package/dist/external-tools/jre/asset-names.js +5 -2
- package/dist/external-tools/jre/detect-platform-arch.js +1 -1
- package/dist/external-tools/jre/from-download.d.ts +1 -1
- package/dist/external-tools/jre/from-download.js +7 -4
- package/dist/external-tools/jre/from-java-home.js +2 -2
- package/dist/external-tools/jre/from-vfs.js +2 -2
- package/dist/external-tools/jre/resolve.d.ts +3 -3
- package/dist/external-tools/jre/resolve.js +16 -8
- package/dist/external-tools/manifest.d.ts +18 -0
- package/dist/external-tools/manifest.js +2 -2
- package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
- package/dist/external-tools/opengrep/asset-names.js +5 -2
- package/dist/external-tools/opengrep/from-download.d.ts +1 -1
- package/dist/external-tools/opengrep/from-download.js +5 -2
- package/dist/external-tools/opengrep/resolve.d.ts +3 -3
- package/dist/external-tools/opengrep/resolve.js +16 -8
- package/dist/external-tools/python/asset-names.d.ts +1 -1
- package/dist/external-tools/python/asset-names.js +11 -4
- package/dist/external-tools/python/dlx.d.ts +3 -3
- package/dist/external-tools/python/dlx.js +20 -9
- package/dist/external-tools/python/from-download.d.ts +1 -1
- package/dist/external-tools/python/from-download.js +12 -5
- package/dist/external-tools/python/pin.js +6 -3
- package/dist/external-tools/python/pip-install.js +6 -3
- package/dist/external-tools/python/resolve.d.ts +3 -3
- package/dist/external-tools/python/resolve.js +19 -11
- package/dist/external-tools/python/uv-install.d.ts +89 -0
- package/dist/external-tools/python/uv-install.js +165 -0
- package/dist/external-tools/sbt/asset-names.d.ts +1 -1
- package/dist/external-tools/sbt/asset-names.js +5 -2
- package/dist/external-tools/sbt/from-download.d.ts +1 -1
- package/dist/external-tools/sbt/from-download.js +5 -2
- package/dist/external-tools/sbt/resolve.d.ts +3 -3
- package/dist/external-tools/sbt/resolve.js +16 -8
- package/dist/external-tools/skillspector/from-dlx.d.ts +1 -1
- package/dist/external-tools/skillspector/from-dlx.js +10 -3
- package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
- package/dist/external-tools/skillspector/from-uv.js +56 -0
- package/dist/external-tools/skillspector/resolve.d.ts +20 -5
- package/dist/external-tools/skillspector/resolve.js +27 -6
- package/dist/external-tools/skillspector/types.d.ts +3 -1
- package/dist/external-tools/synp/asset-names.d.ts +1 -1
- package/dist/external-tools/synp/asset-names.js +6 -2
- package/dist/external-tools/synp/from-download.d.ts +1 -1
- package/dist/external-tools/synp/from-download.js +5 -2
- package/dist/external-tools/synp/resolve.d.ts +3 -3
- package/dist/external-tools/synp/resolve.js +16 -8
- package/dist/external-tools/trivy/asset-names.d.ts +1 -1
- package/dist/external-tools/trivy/asset-names.js +5 -2
- package/dist/external-tools/trivy/from-download.d.ts +1 -1
- package/dist/external-tools/trivy/from-download.js +7 -4
- package/dist/external-tools/trivy/resolve.d.ts +3 -3
- package/dist/external-tools/trivy/resolve.js +16 -8
- package/dist/external-tools/trufflehog/asset-names.d.ts +1 -1
- package/dist/external-tools/trufflehog/asset-names.js +5 -2
- package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
- package/dist/external-tools/trufflehog/from-download.js +7 -4
- package/dist/external-tools/trufflehog/resolve.d.ts +3 -3
- package/dist/external-tools/trufflehog/resolve.js +16 -8
- package/dist/external-tools/uv/asset-names.d.ts +36 -0
- package/dist/external-tools/uv/asset-names.js +73 -0
- package/dist/external-tools/uv/from-download.d.ts +17 -0
- package/dist/external-tools/uv/from-download.js +50 -0
- package/dist/external-tools/uv/from-path.d.ts +5 -0
- package/dist/external-tools/uv/from-path.js +22 -0
- package/dist/external-tools/uv/from-vfs.d.ts +7 -0
- package/dist/external-tools/uv/from-vfs.js +26 -0
- package/dist/external-tools/uv/resolve.d.ts +25 -0
- package/dist/external-tools/uv/resolve.js +61 -0
- package/dist/external-tools/uv/types.d.ts +24 -0
- package/dist/external-tools/uv/types.js +2 -0
- package/dist/fleet/repo-config.d.ts +53 -0
- package/dist/fleet/repo-config.js +79 -0
- package/dist/fs/allowed-dirs-cache.d.ts +27 -1
- package/dist/fs/allowed-dirs-cache.js +39 -6
- package/dist/fs/copy.d.ts +88 -0
- package/dist/fs/copy.js +89 -0
- package/dist/fs/find.js +1 -1
- package/dist/fs/read-json-cache.d.ts +7 -0
- package/dist/fs/resolve-module.js +6 -2
- package/dist/fs/safe.js +1 -1
- package/dist/git/_internal.js +3 -3
- package/dist/git/repo.js +2 -4
- package/dist/git/staged.js +8 -0
- package/dist/git/tracked.d.ts +84 -0
- package/dist/git/tracked.js +163 -0
- package/dist/git/unstaged.js +8 -0
- package/dist/github/refs-graphql.js +4 -0
- package/dist/github/refs-rest.js +4 -0
- package/dist/globs/_internal.js +1 -1
- package/dist/globs/match.js +9 -1
- package/dist/globs/matcher.js +5 -1
- package/dist/http-request/browser.js +7 -3
- package/dist/http-request/checksum-file.js +1 -1
- package/dist/http-request/{browser-fetch.d.ts → fetch/browser.d.ts} +2 -2
- package/dist/http-request/{browser-fetch.js → fetch/browser.js} +4 -4
- package/dist/http-request/headers.js +1 -1
- package/dist/http-request/request-attempt.js +2 -2
- package/dist/http-request/user-agent.js +1 -1
- package/dist/integrity.d.ts +124 -71
- package/dist/integrity.js +168 -78
- package/dist/json/edit.js +38 -30
- package/dist/json/format.js +1 -1
- package/dist/logger/colors.d.ts +1 -2
- package/dist/logger/colors.js +2 -2
- package/dist/logger/symbols-builder.js +7 -8
- package/dist/logger/symbols.js +8 -8
- package/dist/native-messaging/install.d.ts +1 -1
- package/dist/native-messaging/install.js +7 -4
- package/dist/native-messaging/rate-limit.d.ts +7 -0
- package/dist/native-messaging/rate-limit.js +4 -0
- package/dist/node/async-hooks.js +1 -1
- package/dist/node/child-process.js +1 -1
- package/dist/node/crypto.js +1 -1
- package/dist/node/events.js +1 -1
- package/dist/node/fs-promises.js +1 -1
- package/dist/node/fs.d.ts +22 -6
- package/dist/node/fs.js +16 -3
- package/dist/node/http.js +1 -1
- package/dist/node/https.js +1 -1
- package/dist/node/module.d.ts +73 -2
- package/dist/node/module.js +97 -12
- package/dist/node/os.d.ts +10 -2
- package/dist/node/os.js +11 -4
- package/dist/node/path.d.ts +11 -2
- package/dist/node/path.js +17 -4
- package/dist/node/timers-promises.js +1 -1
- package/dist/node/url.js +1 -1
- package/dist/node/util.js +1 -1
- package/dist/objects/getters.js +1 -1
- package/dist/objects/mutate.js +2 -2
- package/dist/packages/edit-class.d.ts +2 -3
- package/dist/packages/edit-class.js +41 -35
- package/dist/packages/exports.js +4 -4
- package/dist/packages/fetch.js +1 -1
- package/dist/packages/isolation.js +2 -2
- package/dist/packages/licenses.js +2 -2
- package/dist/packages/manifest.d.ts +29 -0
- package/dist/packages/manifest.js +40 -4
- package/dist/packages/normalize.js +2 -2
- package/dist/packages/provenance.js +3 -3
- package/dist/packages/specs.js +1 -1
- package/dist/packages/tarball.js +4 -2
- package/dist/packages/types.d.ts +1 -2
- package/dist/paths/_internal.d.ts +1 -7
- package/dist/paths/_internal.js +9 -15
- package/dist/paths/conversion.js +1 -1
- package/dist/paths/dirnames.d.ts +1 -0
- package/dist/paths/dirnames.js +2 -0
- package/dist/paths/normalize.js +1 -1
- package/dist/paths/predicates.js +2 -1
- package/dist/paths/resolve.js +14 -19
- package/dist/paths/rewire.d.ts +5 -0
- package/dist/paths/socket.d.ts +137 -123
- package/dist/paths/socket.js +172 -131
- package/dist/perf/metrics.js +1 -1
- package/dist/perf/report.js +1 -1
- package/dist/primordials/process.d.ts +88 -0
- package/dist/primordials/process.js +132 -0
- package/dist/primordials/uncurry.d.ts +1 -2
- package/dist/process/spawn/child.js +8 -2
- package/dist/process/spawn/errors.js +1 -1
- package/dist/releases/github-archives.js +1 -1
- package/dist/releases/github-listing.d.ts +1 -2
- package/dist/schema/types.d.ts +3 -4
- package/dist/schema/validate.js +1 -1
- package/dist/secrets/broker.d.ts +35 -0
- package/dist/secrets/broker.js +72 -0
- package/dist/secrets/find.d.ts +8 -6
- package/dist/secrets/find.js +25 -5
- package/dist/secrets/keychain.d.ts +1 -1
- package/dist/secrets/linux.js +32 -44
- package/dist/secrets/macos.d.ts +1 -2
- package/dist/secrets/macos.js +20 -29
- package/dist/secrets/rc.d.ts +2 -2
- package/dist/secrets/rc.js +21 -13
- package/dist/secrets/socket-api-token.js +8 -0
- package/dist/secrets/windows.js +27 -33
- package/dist/shell/parse.d.ts +32 -0
- package/dist/shell/parse.js +60 -0
- package/dist/smol/detect.js +1 -1
- package/dist/smol/http.js +1 -1
- package/dist/smol/https.js +1 -1
- package/dist/smol/manifest.js +1 -1
- package/dist/smol/path.js +1 -1
- package/dist/smol/primordial.js +1 -1
- package/dist/smol/purl.js +1 -1
- package/dist/smol/versions.js +1 -1
- package/dist/smol/vfs.js +1 -1
- package/dist/sorts/_internal.d.ts +1 -2
- package/dist/sorts/_internal.js +2 -6
- package/dist/sorts/semver.js +2 -2
- package/dist/spinner/create-spinner-class.js +2 -2
- package/dist/spinner/spinner-internals.d.ts +1 -1
- package/dist/spinner/spinner-internals.js +9 -5
- package/dist/spinner/spinner.d.ts +4 -0
- package/dist/spinner/spinner.js +1 -1
- package/dist/stdio/progress.js +6 -2
- package/dist/stdio/prompts.d.ts +2 -10
- package/dist/stdio/prompts.js +11 -24
- package/dist/strings/format.js +1 -1
- package/dist/strings/search.js +1 -1
- package/dist/temporal/instant.js +2 -2
- package/dist/themes/context.d.ts +5 -3
- package/dist/themes/context.js +5 -6
- package/dist/url/assert-safe.d.ts +29 -0
- package/dist/url/assert-safe.js +54 -0
- package/dist/url/predicates.d.ts +31 -1
- package/dist/url/predicates.js +42 -1
- package/dist/url/types.d.ts +4 -0
- package/llms.txt +750 -0
- package/package.json +253 -125
|
@@ -0,0 +1,89 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @file Uv project install helpers — the locked-source-of-truth half of the
|
|
3
|
+
* "uv project + dlx materialize" model.
|
|
4
|
+
* uv (Astral's Python package manager) drives a uv PROJECT — a directory with
|
|
5
|
+
* `pyproject.toml` + `uv.lock` (+ optional `[tool.uv] exclude-newer`). The
|
|
6
|
+
* lock manifests every transitive version, so the project is the most
|
|
7
|
+
* locked-down, most-version-pinned form a Python tool install can take.
|
|
8
|
+
* Two entry points, used together:
|
|
9
|
+
*
|
|
10
|
+
* 1. `uvSyncProject` — `uv sync --locked --project <dir>`. Installs the lock's
|
|
11
|
+
* exact closure into the project's own `.venv` and FAILS if `uv.lock` is
|
|
12
|
+
* out of date vs `pyproject.toml` (the `--locked` gate). This is the
|
|
13
|
+
* verification-grade install: it proves the lock resolves.
|
|
14
|
+
* 2. `uvExportMaterialize` — `uv export --locked` → a flat, hash-pinned
|
|
15
|
+
* requirements list, then `uv pip install --target <dir>` into a
|
|
16
|
+
* content-addressed dlx dir (no venv → no symlinks / absolute `home=`, so
|
|
17
|
+
* the result is relocatable + SEA-VFS-embeddable). Mirrors
|
|
18
|
+
* `downloadPipPackage`'s lock-guarded, idempotent shape. Both take an
|
|
19
|
+
* explicit `uvBin` (typically `resolveUv().path`) and never mutate a
|
|
20
|
+
* shared interpreter — the project venv and the dlx target are
|
|
21
|
+
* self-contained.
|
|
22
|
+
*/
|
|
23
|
+
/**
|
|
24
|
+
* Export a uv project's locked closure to a flat requirements list, then
|
|
25
|
+
* `uv pip install --target` it into a content-addressed dlx dir. The dlx dir
|
|
26
|
+
* holds plain files (no venv), so it is relocatable and embeddable in a smol
|
|
27
|
+
* binary's VFS — the bundle-safe analog of `uvSyncProject`'s `.venv`.
|
|
28
|
+
*
|
|
29
|
+
* Lock-guarded + idempotent (reuses `pip-install`'s `isAlreadyInstalled` /
|
|
30
|
+
* `isStaleLock`): a non-empty target dir short-circuits, and concurrent callers
|
|
31
|
+
* serialize on a `.installing` sentinel one level up from the target. Throws on
|
|
32
|
+
* a failed uv command or if the lock can't be acquired after MAX_RETRIES.
|
|
33
|
+
*/
|
|
34
|
+
export declare function uvExportMaterialize(options: UvExportMaterializeOptions, retryCount?: number): Promise<UvExportMaterializeResult>;
|
|
35
|
+
/**
|
|
36
|
+
* Content-addressed dlx dir for a uv project's materialized closure:
|
|
37
|
+
* `~/.socket/_dlx/<cacheKey(projectDir)>/site-packages`. Keyed on the project
|
|
38
|
+
* dir so each project gets an isolated target; the analog of `pipPackageDir`.
|
|
39
|
+
*/
|
|
40
|
+
export declare function uvProjectTargetDir(projectDir: string): string;
|
|
41
|
+
/**
|
|
42
|
+
* Run `uv sync --locked` against a uv project. Installs the lock's exact
|
|
43
|
+
* dependency closure into the project's `.venv`; the `--locked` flag turns a
|
|
44
|
+
* lock-vs-manifest drift into a hard failure (uv exits non-zero) rather than a
|
|
45
|
+
* silent re-resolution — this is what makes it verification-grade. Throws when
|
|
46
|
+
* uv exits non-zero (drift, missing lock, or a resolution failure).
|
|
47
|
+
*/
|
|
48
|
+
export declare function uvSyncProject(options: UvSyncProjectOptions): Promise<void>;
|
|
49
|
+
export interface UvSyncProjectOptions {
|
|
50
|
+
/**
|
|
51
|
+
* Absolute path to the `uv` executable (typically `resolveUv().path`).
|
|
52
|
+
*/
|
|
53
|
+
readonly uvBin: string;
|
|
54
|
+
/**
|
|
55
|
+
* Absolute path to the uv project dir (holds `pyproject.toml` + `uv.lock`).
|
|
56
|
+
*/
|
|
57
|
+
readonly projectDir: string;
|
|
58
|
+
/**
|
|
59
|
+
* Default true — pass `--locked` so a lock-vs-manifest drift fails hard.
|
|
60
|
+
* Set false ONLY to bootstrap/refresh a lock (never in a verify path).
|
|
61
|
+
*/
|
|
62
|
+
readonly locked?: boolean | undefined;
|
|
63
|
+
}
|
|
64
|
+
export interface UvExportMaterializeOptions {
|
|
65
|
+
/**
|
|
66
|
+
* Absolute path to the `uv` executable.
|
|
67
|
+
*/
|
|
68
|
+
readonly uvBin: string;
|
|
69
|
+
/**
|
|
70
|
+
* Absolute path to the uv project dir to export from.
|
|
71
|
+
*/
|
|
72
|
+
readonly projectDir: string;
|
|
73
|
+
/**
|
|
74
|
+
* Override the content-addressed target dir. Defaults to
|
|
75
|
+
* `uvProjectTargetDir(projectDir)`.
|
|
76
|
+
*/
|
|
77
|
+
readonly targetDir?: string | undefined;
|
|
78
|
+
}
|
|
79
|
+
export interface UvExportMaterializeResult {
|
|
80
|
+
/**
|
|
81
|
+
* `true` when this call ran uv; `false` when an existing install was reused.
|
|
82
|
+
*/
|
|
83
|
+
readonly installed: boolean;
|
|
84
|
+
/**
|
|
85
|
+
* Directory the closure was installed into. Put this on `PYTHONPATH` to run
|
|
86
|
+
* the tool: `python -m <module>`.
|
|
87
|
+
*/
|
|
88
|
+
readonly targetDir: string;
|
|
89
|
+
}
|
|
@@ -0,0 +1,165 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* Socket Lib - Built with rolldown */
|
|
3
|
+
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_runtime = require('../../_virtual/_rolldown/runtime.js');
|
|
5
|
+
const require_constants_platform = require('../../constants/platform.js');
|
|
6
|
+
const require_process_spawn_child = require('../../process/spawn/child.js');
|
|
7
|
+
const require_paths_socket = require('../../paths/socket.js');
|
|
8
|
+
const require_fs_safe = require('../../fs/safe.js');
|
|
9
|
+
const require_dlx_cache = require('../../dlx/cache.js');
|
|
10
|
+
const require_external_tools_python_pip_install = require('./pip-install.js');
|
|
11
|
+
let node_fs = require("node:fs");
|
|
12
|
+
let node_process = require("node:process");
|
|
13
|
+
node_process = require_runtime.__toESM(node_process);
|
|
14
|
+
let node_path = require("node:path");
|
|
15
|
+
node_path = require_runtime.__toESM(node_path);
|
|
16
|
+
|
|
17
|
+
//#region src/external-tools/python/uv-install.ts
|
|
18
|
+
/**
|
|
19
|
+
* @file Uv project install helpers — the locked-source-of-truth half of the
|
|
20
|
+
* "uv project + dlx materialize" model.
|
|
21
|
+
* uv (Astral's Python package manager) drives a uv PROJECT — a directory with
|
|
22
|
+
* `pyproject.toml` + `uv.lock` (+ optional `[tool.uv] exclude-newer`). The
|
|
23
|
+
* lock manifests every transitive version, so the project is the most
|
|
24
|
+
* locked-down, most-version-pinned form a Python tool install can take.
|
|
25
|
+
* Two entry points, used together:
|
|
26
|
+
*
|
|
27
|
+
* 1. `uvSyncProject` — `uv sync --locked --project <dir>`. Installs the lock's
|
|
28
|
+
* exact closure into the project's own `.venv` and FAILS if `uv.lock` is
|
|
29
|
+
* out of date vs `pyproject.toml` (the `--locked` gate). This is the
|
|
30
|
+
* verification-grade install: it proves the lock resolves.
|
|
31
|
+
* 2. `uvExportMaterialize` — `uv export --locked` → a flat, hash-pinned
|
|
32
|
+
* requirements list, then `uv pip install --target <dir>` into a
|
|
33
|
+
* content-addressed dlx dir (no venv → no symlinks / absolute `home=`, so
|
|
34
|
+
* the result is relocatable + SEA-VFS-embeddable). Mirrors
|
|
35
|
+
* `downloadPipPackage`'s lock-guarded, idempotent shape. Both take an
|
|
36
|
+
* explicit `uvBin` (typically `resolveUv().path`) and never mutate a
|
|
37
|
+
* shared interpreter — the project venv and the dlx target are
|
|
38
|
+
* self-contained.
|
|
39
|
+
*/
|
|
40
|
+
const MAX_RETRIES = 3;
|
|
41
|
+
const WAIT_TICKS = 30;
|
|
42
|
+
/**
|
|
43
|
+
* Export a uv project's locked closure to a flat requirements list, then
|
|
44
|
+
* `uv pip install --target` it into a content-addressed dlx dir. The dlx dir
|
|
45
|
+
* holds plain files (no venv), so it is relocatable and embeddable in a smol
|
|
46
|
+
* binary's VFS — the bundle-safe analog of `uvSyncProject`'s `.venv`.
|
|
47
|
+
*
|
|
48
|
+
* Lock-guarded + idempotent (reuses `pip-install`'s `isAlreadyInstalled` /
|
|
49
|
+
* `isStaleLock`): a non-empty target dir short-circuits, and concurrent callers
|
|
50
|
+
* serialize on a `.installing` sentinel one level up from the target. Throws on
|
|
51
|
+
* a failed uv command or if the lock can't be acquired after MAX_RETRIES.
|
|
52
|
+
*/
|
|
53
|
+
async function uvExportMaterialize(options, retryCount = 0) {
|
|
54
|
+
const opts = {
|
|
55
|
+
__proto__: null,
|
|
56
|
+
...options
|
|
57
|
+
};
|
|
58
|
+
const { projectDir, uvBin } = opts;
|
|
59
|
+
const targetDir = opts.targetDir ?? uvProjectTargetDir(projectDir);
|
|
60
|
+
if (retryCount >= MAX_RETRIES) throw new Error(`uvExportMaterialize: could not acquire install lock after ${MAX_RETRIES} retries for ${targetDir}; a peer may be stuck or the lock is stale — remove it and retry`);
|
|
61
|
+
if (await require_external_tools_python_pip_install.isAlreadyInstalled(targetDir)) return {
|
|
62
|
+
installed: false,
|
|
63
|
+
targetDir
|
|
64
|
+
};
|
|
65
|
+
const lockDir = node_path.default.dirname(targetDir);
|
|
66
|
+
await require_fs_safe.safeMkdir(lockDir, { recursive: true });
|
|
67
|
+
const lockFile = node_path.default.join(lockDir, ".installing");
|
|
68
|
+
try {
|
|
69
|
+
await node_fs.promises.writeFile(lockFile, node_process.default.pid.toString(), { flag: "wx" });
|
|
70
|
+
} catch (e) {
|
|
71
|
+
if (e.code !== "EEXIST") throw e;
|
|
72
|
+
let stale = false;
|
|
73
|
+
try {
|
|
74
|
+
stale = require_external_tools_python_pip_install.isStaleLock(Number.parseInt((await node_fs.promises.readFile(lockFile, "utf8")).trim(), 10));
|
|
75
|
+
} catch {
|
|
76
|
+
stale = true;
|
|
77
|
+
}
|
|
78
|
+
if (stale) {
|
|
79
|
+
await require_fs_safe.safeDelete(lockFile, { force: true });
|
|
80
|
+
return uvExportMaterialize(options, retryCount + 1);
|
|
81
|
+
}
|
|
82
|
+
for (let i = 0; i < WAIT_TICKS; i += 1) {
|
|
83
|
+
await new Promise((resolve) => {
|
|
84
|
+
setTimeout(resolve, 1e3);
|
|
85
|
+
});
|
|
86
|
+
if (await require_external_tools_python_pip_install.isAlreadyInstalled(targetDir)) return {
|
|
87
|
+
installed: false,
|
|
88
|
+
targetDir
|
|
89
|
+
};
|
|
90
|
+
}
|
|
91
|
+
return uvExportMaterialize(options, retryCount + 1);
|
|
92
|
+
}
|
|
93
|
+
try {
|
|
94
|
+
await require_fs_safe.safeMkdir(targetDir, { recursive: true });
|
|
95
|
+
const requirementsPath = node_path.default.join(lockDir, "requirements.locked.txt");
|
|
96
|
+
await require_process_spawn_child.spawn(uvBin, [
|
|
97
|
+
"export",
|
|
98
|
+
"--locked",
|
|
99
|
+
"--no-emit-project",
|
|
100
|
+
"--no-dev",
|
|
101
|
+
"--project",
|
|
102
|
+
projectDir,
|
|
103
|
+
"--output-file",
|
|
104
|
+
requirementsPath
|
|
105
|
+
], {
|
|
106
|
+
shell: require_constants_platform.WIN32,
|
|
107
|
+
stdio: "inherit"
|
|
108
|
+
});
|
|
109
|
+
await require_process_spawn_child.spawn(uvBin, [
|
|
110
|
+
"pip",
|
|
111
|
+
"install",
|
|
112
|
+
"--target",
|
|
113
|
+
targetDir,
|
|
114
|
+
"--requirement",
|
|
115
|
+
requirementsPath
|
|
116
|
+
], {
|
|
117
|
+
shell: require_constants_platform.WIN32,
|
|
118
|
+
stdio: "inherit"
|
|
119
|
+
});
|
|
120
|
+
await require_fs_safe.safeDelete(requirementsPath, { force: true });
|
|
121
|
+
if (!await require_external_tools_python_pip_install.isAlreadyInstalled(targetDir)) throw new Error(`uvExportMaterialize: uv pip install --target ${targetDir} reported success but the target is still empty`);
|
|
122
|
+
return {
|
|
123
|
+
installed: true,
|
|
124
|
+
targetDir
|
|
125
|
+
};
|
|
126
|
+
} finally {
|
|
127
|
+
await require_fs_safe.safeDelete(lockFile, { force: true });
|
|
128
|
+
}
|
|
129
|
+
}
|
|
130
|
+
/**
|
|
131
|
+
* Content-addressed dlx dir for a uv project's materialized closure:
|
|
132
|
+
* `~/.socket/_dlx/<cacheKey(projectDir)>/site-packages`. Keyed on the project
|
|
133
|
+
* dir so each project gets an isolated target; the analog of `pipPackageDir`.
|
|
134
|
+
*/
|
|
135
|
+
function uvProjectTargetDir(projectDir) {
|
|
136
|
+
return node_path.default.join(require_paths_socket.getSocketDlxDir(), require_dlx_cache.generateCacheKey(projectDir), "site-packages");
|
|
137
|
+
}
|
|
138
|
+
/**
|
|
139
|
+
* Run `uv sync --locked` against a uv project. Installs the lock's exact
|
|
140
|
+
* dependency closure into the project's `.venv`; the `--locked` flag turns a
|
|
141
|
+
* lock-vs-manifest drift into a hard failure (uv exits non-zero) rather than a
|
|
142
|
+
* silent re-resolution — this is what makes it verification-grade. Throws when
|
|
143
|
+
* uv exits non-zero (drift, missing lock, or a resolution failure).
|
|
144
|
+
*/
|
|
145
|
+
async function uvSyncProject(options) {
|
|
146
|
+
const opts = {
|
|
147
|
+
__proto__: null,
|
|
148
|
+
...options
|
|
149
|
+
};
|
|
150
|
+
const { projectDir, uvBin } = opts;
|
|
151
|
+
await require_process_spawn_child.spawn(uvBin, [
|
|
152
|
+
"sync",
|
|
153
|
+
...opts.locked === false ? [] : ["--locked"],
|
|
154
|
+
"--project",
|
|
155
|
+
projectDir
|
|
156
|
+
], {
|
|
157
|
+
shell: require_constants_platform.WIN32,
|
|
158
|
+
stdio: "inherit"
|
|
159
|
+
});
|
|
160
|
+
}
|
|
161
|
+
|
|
162
|
+
//#endregion
|
|
163
|
+
exports.uvExportMaterialize = uvExportMaterialize;
|
|
164
|
+
exports.uvProjectTargetDir = uvProjectTargetDir;
|
|
165
|
+
exports.uvSyncProject = uvSyncProject;
|
|
@@ -28,4 +28,4 @@ export interface SbtDownloadOptions {
|
|
|
28
28
|
* // → 'https://github.com/sbt/sbt/releases/download/v1.10.7/sbt-1.10.7.tgz'
|
|
29
29
|
* ```
|
|
30
30
|
*/
|
|
31
|
-
export declare function getSbtDownloadUrl(
|
|
31
|
+
export declare function getSbtDownloadUrl(options: SbtDownloadOptions): string;
|
|
@@ -15,8 +15,11 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
|
15
15
|
* // → 'https://github.com/sbt/sbt/releases/download/v1.10.7/sbt-1.10.7.tgz'
|
|
16
16
|
* ```
|
|
17
17
|
*/
|
|
18
|
-
function getSbtDownloadUrl(
|
|
19
|
-
const { version } =
|
|
18
|
+
function getSbtDownloadUrl(options) {
|
|
19
|
+
const { version } = {
|
|
20
|
+
__proto__: null,
|
|
21
|
+
...options
|
|
22
|
+
};
|
|
20
23
|
return `https://github.com/sbt/sbt/releases/download/v${version}/sbt-${version}.tgz`;
|
|
21
24
|
}
|
|
22
25
|
|
|
@@ -41,4 +41,4 @@ export interface SbtFromDownloadOptions {
|
|
|
41
41
|
* // → { path: '/.../bin/sbt', isJar: false, source: 'download' }
|
|
42
42
|
* ```
|
|
43
43
|
*/
|
|
44
|
-
export declare function sbtFromDownload(
|
|
44
|
+
export declare function sbtFromDownload(options: SbtFromDownloadOptions): Promise<ResolvedSbt | undefined>;
|
|
@@ -29,8 +29,11 @@ node_path = require_runtime.__toESM(node_path);
|
|
|
29
29
|
* // → { path: '/.../bin/sbt', isJar: false, source: 'download' }
|
|
30
30
|
* ```
|
|
31
31
|
*/
|
|
32
|
-
async function sbtFromDownload(
|
|
33
|
-
const { cacheDir, downloader, integrity, version } =
|
|
32
|
+
async function sbtFromDownload(options) {
|
|
33
|
+
const { cacheDir, downloader, integrity, version } = {
|
|
34
|
+
__proto__: null,
|
|
35
|
+
...options
|
|
36
|
+
};
|
|
34
37
|
const url = require_external_tools_sbt_asset_names.getSbtDownloadUrl({ version });
|
|
35
38
|
const extractedDir = cacheDir ?? node_path.default.join(require_paths_socket.getSocketDlxDir(), "sbt", version);
|
|
36
39
|
const archive = await require_external_tools_from_download.downloadAndExtractTool({
|
|
@@ -25,7 +25,7 @@ export interface ResolveSbtOptions {
|
|
|
25
25
|
downloader?: BinaryDownloader | undefined;
|
|
26
26
|
} | undefined;
|
|
27
27
|
}
|
|
28
|
-
export declare function cacheKey(
|
|
29
|
-
export declare function doResolveSbt(
|
|
28
|
+
export declare function cacheKey(options: ResolveSbtOptions | undefined): string;
|
|
29
|
+
export declare function doResolveSbt(options?: ResolveSbtOptions | undefined): Promise<ResolvedSbt | undefined>;
|
|
30
30
|
export declare function resetSbtResolution(): void;
|
|
31
|
-
export declare function resolveSbt(
|
|
31
|
+
export declare function resolveSbt(options?: ResolveSbtOptions | undefined): Promise<ResolvedSbt | undefined>;
|
|
@@ -20,30 +20,38 @@ const require_external_tools_sbt_from_vfs = require('./from-vfs.js');
|
|
|
20
20
|
* Memoized per option-shape.
|
|
21
21
|
*/
|
|
22
22
|
const resolutionCache = new require_primordials_map_set.MapCtor();
|
|
23
|
-
function cacheKey(
|
|
24
|
-
|
|
25
|
-
|
|
23
|
+
function cacheKey(options) {
|
|
24
|
+
options = {
|
|
25
|
+
__proto__: null,
|
|
26
|
+
...options
|
|
27
|
+
};
|
|
28
|
+
if (!options?.downloadIfMissing) return "local-only";
|
|
29
|
+
const { cacheDir, integrity, version } = options.downloadIfMissing;
|
|
26
30
|
return `dl:${version}:${typeof integrity === "string" ? integrity : integrity ? `${integrity.type}:${integrity.value}` : ""}:${cacheDir ?? ""}`;
|
|
27
31
|
}
|
|
28
|
-
async function doResolveSbt(
|
|
32
|
+
async function doResolveSbt(options) {
|
|
33
|
+
options = {
|
|
34
|
+
__proto__: null,
|
|
35
|
+
...options
|
|
36
|
+
};
|
|
29
37
|
const fromVfs = await require_external_tools_sbt_from_vfs.sbtFromVfs();
|
|
30
38
|
/* c8 ignore start - smol Node binary only. */
|
|
31
39
|
if (fromVfs) return fromVfs;
|
|
32
40
|
/* c8 ignore stop */
|
|
33
41
|
const fromPath = await require_external_tools_sbt_from_path.sbtFromPath();
|
|
34
42
|
if (fromPath) return fromPath;
|
|
35
|
-
if (
|
|
43
|
+
if (options?.downloadIfMissing) return require_external_tools_sbt_from_download.sbtFromDownload(options.downloadIfMissing);
|
|
36
44
|
}
|
|
37
45
|
/* c8 ignore start - test-only escape hatch. */
|
|
38
46
|
function resetSbtResolution() {
|
|
39
47
|
resolutionCache.clear();
|
|
40
48
|
}
|
|
41
49
|
/* c8 ignore stop */
|
|
42
|
-
function resolveSbt(
|
|
43
|
-
const key = cacheKey(
|
|
50
|
+
function resolveSbt(options) {
|
|
51
|
+
const key = cacheKey(options);
|
|
44
52
|
let cached = resolutionCache.get(key);
|
|
45
53
|
if (!cached) {
|
|
46
|
-
cached = doResolveSbt(
|
|
54
|
+
cached = doResolveSbt(options);
|
|
47
55
|
resolutionCache.set(key, cached);
|
|
48
56
|
}
|
|
49
57
|
return cached;
|
|
@@ -21,4 +21,4 @@ export interface SkillSpectorFromDlxOptions {
|
|
|
21
21
|
*/
|
|
22
22
|
readonly cacheDir?: string | undefined;
|
|
23
23
|
}
|
|
24
|
-
export declare function skillspectorFromDlx(
|
|
24
|
+
export declare function skillspectorFromDlx(options: SkillSpectorFromDlxOptions): Promise<ResolvedSkillSpector | undefined>;
|
|
@@ -18,10 +18,17 @@ node_path = require_runtime.__toESM(node_path);
|
|
|
18
18
|
* venv when its `skillspector` entry-point already exists.
|
|
19
19
|
*/
|
|
20
20
|
const UPSTREAM_REPO = "https://github.com/NVIDIA/skillspector.git";
|
|
21
|
-
async function skillspectorFromDlx(
|
|
22
|
-
|
|
21
|
+
async function skillspectorFromDlx(options) {
|
|
22
|
+
options = {
|
|
23
|
+
__proto__: null,
|
|
24
|
+
...options
|
|
25
|
+
};
|
|
26
|
+
const { sha } = {
|
|
27
|
+
__proto__: null,
|
|
28
|
+
...options
|
|
29
|
+
};
|
|
23
30
|
if (!sha) return;
|
|
24
|
-
const cacheDir =
|
|
31
|
+
const cacheDir = options.cacheDir ?? node_path.default.join(require_paths_socket.getSocketDlxDir(), "skillspector", sha);
|
|
25
32
|
const installSpec = `git+${UPSTREAM_REPO}@${sha}`;
|
|
26
33
|
try {
|
|
27
34
|
return {
|
|
@@ -0,0 +1,30 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @file `skillspectorFromUv()` — locked-uv-project tier of SkillSpector
|
|
3
|
+
* resolution. Given a uv project dir (a `pyproject.toml` + `uv.lock` that pin
|
|
4
|
+
* the upstream git SHA + its full transitive closure) and a resolved `uv`
|
|
5
|
+
* binary, runs `uv sync --locked` to install that exact closure into the
|
|
6
|
+
* project's `.venv` and returns the `skillspector` entry point. This is the
|
|
7
|
+
* most locked-down tier — every dependency version is manifested in uv.lock,
|
|
8
|
+
* and `--locked` hard-fails on lock drift (vs. `from-dlx`'s pip-from-git-SHA
|
|
9
|
+
* venv, which re-resolves the closure freshly). Returns `undefined` when:
|
|
10
|
+
*
|
|
11
|
+
* - No project dir / uv binary is supplied (the caller didn't opt in).
|
|
12
|
+
* - The project files are absent, or `uv sync --locked` fails (lock drift, no
|
|
13
|
+
* network, missing Python). Idempotent: a second call hits the synced venv
|
|
14
|
+
* (`uv sync` is a no-op when the venv already matches the lock).
|
|
15
|
+
*/
|
|
16
|
+
import type { ResolvedSkillSpector } from './types';
|
|
17
|
+
export interface SkillSpectorFromUvOptions {
|
|
18
|
+
/**
|
|
19
|
+
* Absolute path to the `uv` executable (typically `resolveUv().path`).
|
|
20
|
+
*/
|
|
21
|
+
readonly uvBin: string;
|
|
22
|
+
/**
|
|
23
|
+
* Absolute path to the SkillSpector uv project dir (holds `pyproject.toml` +
|
|
24
|
+
* `uv.lock`). The fleet ships this under
|
|
25
|
+
* `setup-security-tools/skillspector/`.
|
|
26
|
+
*/
|
|
27
|
+
readonly projectDir: string;
|
|
28
|
+
}
|
|
29
|
+
export declare function skillspectorFromUv(options: SkillSpectorFromUvOptions): Promise<ResolvedSkillSpector | undefined>;
|
|
30
|
+
export declare function venvEntryPoint(projectDir: string): string;
|
|
@@ -0,0 +1,56 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* Socket Lib - Built with rolldown */
|
|
3
|
+
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_runtime = require('../../_virtual/_rolldown/runtime.js');
|
|
5
|
+
const require_external_tools_python_uv_install = require('../python/uv-install.js');
|
|
6
|
+
let node_fs = require("node:fs");
|
|
7
|
+
let node_process = require("node:process");
|
|
8
|
+
node_process = require_runtime.__toESM(node_process);
|
|
9
|
+
let node_path = require("node:path");
|
|
10
|
+
node_path = require_runtime.__toESM(node_path);
|
|
11
|
+
|
|
12
|
+
//#region src/external-tools/skillspector/from-uv.ts
|
|
13
|
+
/**
|
|
14
|
+
* @file `skillspectorFromUv()` — locked-uv-project tier of SkillSpector
|
|
15
|
+
* resolution. Given a uv project dir (a `pyproject.toml` + `uv.lock` that pin
|
|
16
|
+
* the upstream git SHA + its full transitive closure) and a resolved `uv`
|
|
17
|
+
* binary, runs `uv sync --locked` to install that exact closure into the
|
|
18
|
+
* project's `.venv` and returns the `skillspector` entry point. This is the
|
|
19
|
+
* most locked-down tier — every dependency version is manifested in uv.lock,
|
|
20
|
+
* and `--locked` hard-fails on lock drift (vs. `from-dlx`'s pip-from-git-SHA
|
|
21
|
+
* venv, which re-resolves the closure freshly). Returns `undefined` when:
|
|
22
|
+
*
|
|
23
|
+
* - No project dir / uv binary is supplied (the caller didn't opt in).
|
|
24
|
+
* - The project files are absent, or `uv sync --locked` fails (lock drift, no
|
|
25
|
+
* network, missing Python). Idempotent: a second call hits the synced venv
|
|
26
|
+
* (`uv sync` is a no-op when the venv already matches the lock).
|
|
27
|
+
*/
|
|
28
|
+
async function skillspectorFromUv(options) {
|
|
29
|
+
const { projectDir, uvBin } = {
|
|
30
|
+
__proto__: null,
|
|
31
|
+
...options
|
|
32
|
+
};
|
|
33
|
+
if (!projectDir || !uvBin) return;
|
|
34
|
+
if (!(0, node_fs.existsSync)(node_path.default.join(projectDir, "pyproject.toml")) || !(0, node_fs.existsSync)(node_path.default.join(projectDir, "uv.lock"))) return;
|
|
35
|
+
try {
|
|
36
|
+
await require_external_tools_python_uv_install.uvSyncProject({
|
|
37
|
+
projectDir,
|
|
38
|
+
uvBin
|
|
39
|
+
});
|
|
40
|
+
} catch {
|
|
41
|
+
return;
|
|
42
|
+
}
|
|
43
|
+
const entry = venvEntryPoint(projectDir);
|
|
44
|
+
if (!(0, node_fs.existsSync)(entry)) return;
|
|
45
|
+
return {
|
|
46
|
+
path: entry,
|
|
47
|
+
source: "uv"
|
|
48
|
+
};
|
|
49
|
+
}
|
|
50
|
+
function venvEntryPoint(projectDir) {
|
|
51
|
+
return node_process.default.platform === "win32" ? node_path.default.join(projectDir, ".venv", "Scripts", "skillspector.exe") : node_path.default.join(projectDir, ".venv", "bin", "skillspector");
|
|
52
|
+
}
|
|
53
|
+
|
|
54
|
+
//#endregion
|
|
55
|
+
exports.skillspectorFromUv = skillspectorFromUv;
|
|
56
|
+
exports.venvEntryPoint = venvEntryPoint;
|
|
@@ -5,9 +5,13 @@
|
|
|
5
5
|
* 1. VFS — smol binary's embedded skillspector (if packed)
|
|
6
6
|
* 2. PATH — `which skillspector` (pipx-installed binaries land here too; the
|
|
7
7
|
* source field distinguishes `'pipx'` vs `'path'`)
|
|
8
|
-
* 3.
|
|
8
|
+
* 3. UV-project — `uv sync --locked` against a uv project (the most locked-down
|
|
9
|
+
* tier; every transitive version pinned in uv.lock). Only runs when
|
|
10
|
+
* `uvProjectDir` + `uvBin` are supplied.
|
|
11
|
+
* 4. DLX-venv — `~/.socket/_dlx/skillspector/<sha>/` with the pinned SHA (the
|
|
12
|
+
* pip-from-git-SHA fallback when no uv project is available). Returns
|
|
9
13
|
* `undefined` when all enabled sources miss. Memoized per
|
|
10
|
-
* sha+cacheDir+localOnly tuple.
|
|
14
|
+
* sha+cacheDir+uvProjectDir+localOnly tuple.
|
|
11
15
|
*/
|
|
12
16
|
import type { ResolvedSkillSpector } from './types';
|
|
13
17
|
export interface ResolveSkillSpectorOptions {
|
|
@@ -17,17 +21,28 @@ export interface ResolveSkillSpectorOptions {
|
|
|
17
21
|
*/
|
|
18
22
|
readonly sha?: string | undefined;
|
|
19
23
|
/**
|
|
20
|
-
*
|
|
24
|
+
* DLX cache override. Defaults to `~/.socket/_dlx/skillspector/<sha>`.
|
|
21
25
|
*/
|
|
22
26
|
readonly cacheDir?: string | undefined;
|
|
27
|
+
/**
|
|
28
|
+
* UV-project tier: absolute path to a uv project dir (a `pyproject.toml` +
|
|
29
|
+
* `uv.lock` pinning the SHA + its closure). When set together with `uvBin`,
|
|
30
|
+
* the locked-uv tier runs ahead of the DLX-venv tier.
|
|
31
|
+
*/
|
|
32
|
+
readonly uvProjectDir?: string | undefined;
|
|
33
|
+
/**
|
|
34
|
+
* UV-project tier: absolute path to the `uv` executable
|
|
35
|
+
* (typically `resolveUv().path`). Required to run the locked-uv tier.
|
|
36
|
+
*/
|
|
37
|
+
readonly uvBin?: string | undefined;
|
|
23
38
|
/**
|
|
24
39
|
* When true, only the VFS + PATH tiers run. Use for check-mode invocations
|
|
25
40
|
* that want to fail-fast if the tool isn't already installed.
|
|
26
41
|
*/
|
|
27
42
|
readonly localOnly?: boolean | undefined;
|
|
28
43
|
}
|
|
29
|
-
export declare function cacheKey(
|
|
30
|
-
export declare function doResolveSkillSpector(
|
|
44
|
+
export declare function cacheKey(options: ResolveSkillSpectorOptions): string;
|
|
45
|
+
export declare function doResolveSkillSpector(options: ResolveSkillSpectorOptions): Promise<ResolvedSkillSpector | undefined>;
|
|
31
46
|
/**
|
|
32
47
|
* Memoizing wrapper around {@link doResolveSkillSpector}.
|
|
33
48
|
*/
|
|
@@ -4,6 +4,7 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
|
4
4
|
const require_primordials_map_set = require('../../primordials/map-set.js');
|
|
5
5
|
const require_external_tools_skillspector_from_dlx = require('./from-dlx.js');
|
|
6
6
|
const require_external_tools_skillspector_from_path = require('./from-path.js');
|
|
7
|
+
const require_external_tools_skillspector_from_uv = require('./from-uv.js');
|
|
7
8
|
const require_external_tools_skillspector_from_vfs = require('./from-vfs.js');
|
|
8
9
|
|
|
9
10
|
//#region src/external-tools/skillspector/resolve.ts
|
|
@@ -14,22 +15,42 @@ const require_external_tools_skillspector_from_vfs = require('./from-vfs.js');
|
|
|
14
15
|
* 1. VFS — smol binary's embedded skillspector (if packed)
|
|
15
16
|
* 2. PATH — `which skillspector` (pipx-installed binaries land here too; the
|
|
16
17
|
* source field distinguishes `'pipx'` vs `'path'`)
|
|
17
|
-
* 3.
|
|
18
|
+
* 3. UV-project — `uv sync --locked` against a uv project (the most locked-down
|
|
19
|
+
* tier; every transitive version pinned in uv.lock). Only runs when
|
|
20
|
+
* `uvProjectDir` + `uvBin` are supplied.
|
|
21
|
+
* 4. DLX-venv — `~/.socket/_dlx/skillspector/<sha>/` with the pinned SHA (the
|
|
22
|
+
* pip-from-git-SHA fallback when no uv project is available). Returns
|
|
18
23
|
* `undefined` when all enabled sources miss. Memoized per
|
|
19
|
-
* sha+cacheDir+localOnly tuple.
|
|
24
|
+
* sha+cacheDir+uvProjectDir+localOnly tuple.
|
|
20
25
|
*/
|
|
21
26
|
const resolutionCache = new require_primordials_map_set.MapCtor();
|
|
22
|
-
function cacheKey(
|
|
23
|
-
|
|
27
|
+
function cacheKey(options) {
|
|
28
|
+
const opts = {
|
|
29
|
+
__proto__: null,
|
|
30
|
+
...options
|
|
31
|
+
};
|
|
32
|
+
return `${opts.sha ?? ""}|${opts.cacheDir ?? ""}|${opts.uvProjectDir ?? ""}|${opts.localOnly ? "local" : "full"}`;
|
|
24
33
|
}
|
|
25
|
-
async function doResolveSkillSpector(
|
|
34
|
+
async function doResolveSkillSpector(options) {
|
|
35
|
+
const opts = {
|
|
36
|
+
__proto__: null,
|
|
37
|
+
...options
|
|
38
|
+
};
|
|
26
39
|
const fromVfs = await require_external_tools_skillspector_from_vfs.skillspectorFromVfs();
|
|
27
40
|
/* c8 ignore start - smol Node binary only. */
|
|
28
41
|
if (fromVfs) return fromVfs;
|
|
29
42
|
/* c8 ignore stop */
|
|
30
43
|
const fromPath = await require_external_tools_skillspector_from_path.skillspectorFromPath();
|
|
31
44
|
if (fromPath) return fromPath;
|
|
32
|
-
if (opts.localOnly
|
|
45
|
+
if (opts.localOnly) return;
|
|
46
|
+
if (opts.uvProjectDir && opts.uvBin) {
|
|
47
|
+
const fromUv = await require_external_tools_skillspector_from_uv.skillspectorFromUv({
|
|
48
|
+
projectDir: opts.uvProjectDir,
|
|
49
|
+
uvBin: opts.uvBin
|
|
50
|
+
});
|
|
51
|
+
if (fromUv) return fromUv;
|
|
52
|
+
}
|
|
53
|
+
if (!opts.sha) return;
|
|
33
54
|
return require_external_tools_skillspector_from_dlx.skillspectorFromDlx({
|
|
34
55
|
sha: opts.sha,
|
|
35
56
|
cacheDir: opts.cacheDir
|
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
* third-party-skill scanner (sibling to AgentShield); pinned to a git SHA
|
|
4
4
|
* because upstream has no PyPI release or GH tags as of 2026-06-01.
|
|
5
5
|
*/
|
|
6
|
-
export type SkillSpectorSource = 'vfs' | 'pipx' | 'path' | 'dlx';
|
|
6
|
+
export type SkillSpectorSource = 'vfs' | 'pipx' | 'path' | 'uv' | 'dlx';
|
|
7
7
|
/**
|
|
8
8
|
* A resolved SkillSpector installation.
|
|
9
9
|
*/
|
|
@@ -18,6 +18,8 @@ export interface ResolvedSkillSpector {
|
|
|
18
18
|
* - 'vfs' — extracted from the SEA binary's VFS
|
|
19
19
|
* - 'pipx' — `which skillspector` returned a pipx-installed venv binary
|
|
20
20
|
* - 'path' — `which skillspector` returned a non-pipx binary on PATH
|
|
21
|
+
* - 'uv' — `uv sync --locked` against a uv project's .venv (the most
|
|
22
|
+
* locked-down tier; every transitive version pinned in uv.lock)
|
|
21
23
|
* - 'dlx' — created a venv under ~/.socket/_dlx/skillspector/<sha>/
|
|
22
24
|
*/
|
|
23
25
|
readonly source: SkillSpectorSource;
|
|
@@ -11,4 +11,4 @@ export interface SynpPackageOptions {
|
|
|
11
11
|
/**
|
|
12
12
|
* Build the npm package spec string for the requested synp version.
|
|
13
13
|
*/
|
|
14
|
-
export declare function getSynpPackageSpec(
|
|
14
|
+
export declare function getSynpPackageSpec(options: SynpPackageOptions): string;
|
|
@@ -6,8 +6,12 @@ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
|
6
6
|
/**
|
|
7
7
|
* Build the npm package spec string for the requested synp version.
|
|
8
8
|
*/
|
|
9
|
-
function getSynpPackageSpec(
|
|
10
|
-
|
|
9
|
+
function getSynpPackageSpec(options) {
|
|
10
|
+
options = {
|
|
11
|
+
__proto__: null,
|
|
12
|
+
...options
|
|
13
|
+
};
|
|
14
|
+
return `synp@${options.version}`;
|
|
11
15
|
}
|
|
12
16
|
|
|
13
17
|
//#endregion
|
|
@@ -15,4 +15,4 @@ export interface SynpFromDownloadOptions {
|
|
|
15
15
|
*/
|
|
16
16
|
integrity?: string | undefined;
|
|
17
17
|
}
|
|
18
|
-
export declare function synpFromDownload(
|
|
18
|
+
export declare function synpFromDownload(options: SynpFromDownloadOptions): Promise<ResolvedSynp>;
|
|
@@ -10,8 +10,11 @@ const require_external_tools_synp_asset_names = require('./asset-names.js');
|
|
|
10
10
|
* `dlx/package` and returns a `ResolvedSynp` pointing at the resolved bin
|
|
11
11
|
* shim.
|
|
12
12
|
*/
|
|
13
|
-
async function synpFromDownload(
|
|
14
|
-
const { integrity, version } =
|
|
13
|
+
async function synpFromDownload(options) {
|
|
14
|
+
const { integrity, version } = {
|
|
15
|
+
__proto__: null,
|
|
16
|
+
...options
|
|
17
|
+
};
|
|
15
18
|
const { binaryPath } = await require_dlx_package.downloadNpmPackage({
|
|
16
19
|
spec: require_external_tools_synp_asset_names.getSynpPackageSpec({ version }),
|
|
17
20
|
binaryName: "synp",
|
|
@@ -15,7 +15,7 @@ export interface ResolveSynpOptions {
|
|
|
15
15
|
integrity?: string | undefined;
|
|
16
16
|
} | undefined;
|
|
17
17
|
}
|
|
18
|
-
export declare function cacheKey(
|
|
19
|
-
export declare function doResolveSynp(
|
|
18
|
+
export declare function cacheKey(options: ResolveSynpOptions | undefined): string;
|
|
19
|
+
export declare function doResolveSynp(options?: ResolveSynpOptions | undefined): Promise<ResolvedSynp | undefined>;
|
|
20
20
|
export declare function resetSynpResolution(): void;
|
|
21
|
-
export declare function resolveSynp(
|
|
21
|
+
export declare function resolveSynp(options?: ResolveSynpOptions | undefined): Promise<ResolvedSynp | undefined>;
|