@socketsecurity/lib 6.0.8 → 6.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (396) hide show
  1. package/CHANGELOG.md +28 -0
  2. package/README.md +8 -9
  3. package/dist/abort/signal.d.ts +1 -1
  4. package/dist/abort/signal.js +1 -1
  5. package/dist/ai/agent-context.d.mts +1 -1
  6. package/dist/ai/agent-context.js +3 -2
  7. package/dist/ai/backends.d.mts +3 -3
  8. package/dist/ai/backends.js +2 -2
  9. package/dist/ai/billing-context.d.mts +74 -0
  10. package/dist/ai/billing-context.js +129 -0
  11. package/dist/ai/credentials.d.mts +39 -5
  12. package/dist/ai/credentials.js +61 -6
  13. package/dist/ai/discover.d.mts +4 -0
  14. package/dist/ai/discover.js +4 -0
  15. package/dist/ai/exec.d.mts +1 -1
  16. package/dist/ai/exec.js +1 -1
  17. package/dist/ai/http.d.mts +8 -8
  18. package/dist/ai/http.js +6 -6
  19. package/dist/ai/profiles.d.mts +9 -10
  20. package/dist/ai/profiles.js +0 -5
  21. package/dist/ai/role.d.mts +58 -0
  22. package/dist/ai/role.js +96 -0
  23. package/dist/ai/route-heuristic.d.mts +177 -0
  24. package/dist/ai/route-heuristic.js +194 -0
  25. package/dist/ai/route.d.mts +31 -17
  26. package/dist/ai/route.js +35 -19
  27. package/dist/ai/spawn.d.mts +34 -1
  28. package/dist/ai/spawn.js +115 -3
  29. package/dist/ai/subagent-status.d.mts +2 -0
  30. package/dist/ai/subagent-status.js +2 -0
  31. package/dist/ai/tier.d.mts +1 -1
  32. package/dist/ai/types.d.mts +19 -2
  33. package/dist/ai/worktree.d.mts +1 -1
  34. package/dist/ai/worktree.js +3 -2
  35. package/dist/argv/parse.d.ts +2 -0
  36. package/dist/argv/parse.js +2 -0
  37. package/dist/bin/_internal.d.ts +1 -1
  38. package/dist/bin/_internal.js +1 -1
  39. package/dist/bin/prim.cjs +19253 -13937
  40. package/dist/bin/resolve.js +1 -1
  41. package/dist/bin/shadow.js +2 -1
  42. package/dist/bin/which.d.ts +28 -3
  43. package/dist/bin/which.js +45 -3
  44. package/dist/cacache/_internal.d.ts +10 -2
  45. package/dist/cacache/_internal.js +6 -10
  46. package/dist/cache/ttl/_internal.d.ts +33 -0
  47. package/dist/cache/ttl/_internal.js +68 -0
  48. package/dist/cache/ttl/browser.d.ts +56 -0
  49. package/dist/cache/ttl/browser.js +257 -0
  50. package/dist/cache/ttl/store.js +11 -34
  51. package/dist/cache/ttl/types.d.ts +46 -3
  52. package/dist/checks/primordials-defaults.d.ts +5 -5
  53. package/dist/checks/primordials-defaults.js +5 -5
  54. package/dist/checks/primordials.d.ts +1 -1
  55. package/dist/checks/primordials.js +25 -17
  56. package/dist/cli/check-primordials.d.ts +6 -1
  57. package/dist/cli/check-primordials.js +14 -5
  58. package/dist/cli/check.js +1 -1
  59. package/dist/cli/socket-lib.d.ts +1 -1
  60. package/dist/cli/socket-lib.js +3 -3
  61. package/dist/colors/socket-palette.d.ts +1 -1
  62. package/dist/compression/brotli.d.ts +6 -2
  63. package/dist/compression/brotli.js +5 -1
  64. package/dist/compression/gzip.d.ts +6 -2
  65. package/dist/compression/gzip.js +7 -2
  66. package/dist/config/layers.d.ts +53 -0
  67. package/dist/config/layers.js +83 -0
  68. package/dist/constants/agents.d.ts +3 -0
  69. package/dist/constants/agents.js +3 -0
  70. package/dist/constants/node.d.ts +14 -0
  71. package/dist/constants/node.js +14 -0
  72. package/dist/constants/package-default-node-range.js +1 -5
  73. package/dist/constants/packages.d.ts +5 -0
  74. package/dist/constants/packages.js +5 -0
  75. package/dist/constants/platform.d.ts +1 -1
  76. package/dist/constants/platform.js +1 -1
  77. package/dist/constants/socket.js +1 -1
  78. package/dist/constants/typescript.d.ts +5 -0
  79. package/dist/constants/typescript.js +5 -0
  80. package/dist/debug/_internal.d.ts +22 -7
  81. package/dist/debug/_internal.js +33 -15
  82. package/dist/debug/caller-info.js +1 -1
  83. package/dist/debug/namespace.js +11 -8
  84. package/dist/debug/output.d.ts +12 -1
  85. package/dist/debug/output.js +33 -16
  86. package/dist/dlx/binary-cache.js +1 -1
  87. package/dist/dlx/binary-resolution.js +8 -5
  88. package/dist/dlx/firewall.js +1 -1
  89. package/dist/dlx/lockfile.js +1 -1
  90. package/dist/eco/npm/npm/parse-lockfile.js +3 -2
  91. package/dist/eco/npm/vlt/exec.d.ts +1 -1
  92. package/dist/eco/npm/vlt/exec.js +1 -1
  93. package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +1 -1
  94. package/dist/env/agents.d.ts +6 -0
  95. package/dist/env/agents.js +29 -0
  96. package/dist/env/flags.d.ts +12 -0
  97. package/dist/env/flags.js +23 -0
  98. package/dist/env/github-status.js +2 -2
  99. package/dist/env/providers.d.ts +6 -0
  100. package/dist/env/providers.js +23 -0
  101. package/dist/env/proxy.js +1 -1
  102. package/dist/env/rewire.d.ts +37 -3
  103. package/dist/env/rewire.js +60 -29
  104. package/dist/env/runtimes.d.ts +9 -0
  105. package/dist/env/runtimes.js +53 -0
  106. package/dist/env/socket-cli.d.ts +5 -2
  107. package/dist/env/socket-cli.js +6 -3
  108. package/dist/env/xdg.d.ts +17 -0
  109. package/dist/env/xdg.js +21 -1
  110. package/dist/errors/predicates.d.ts +3 -2
  111. package/dist/errors/predicates.js +5 -3
  112. package/dist/events/exit/_internal.d.ts +1 -23
  113. package/dist/external/@npmcli/package-json.js +3570 -4905
  114. package/dist/external/@npmcli/promise-spawn.js +2 -2
  115. package/dist/external/@sinclair/typebox/value.js +5 -4
  116. package/dist/external/@socketregistry/yocto-spinner.js +3 -3
  117. package/dist/external/@yarnpkg/extensions.js +1 -1
  118. package/dist/external/adm-zip.d.ts +82 -0
  119. package/dist/external/adm-zip.js +2 -2
  120. package/dist/external/cacache.d.ts +87 -0
  121. package/dist/external/debug.d.ts +22 -0
  122. package/dist/external/debug.js +11 -4
  123. package/dist/external/del.d.ts +1 -0
  124. package/dist/external/external-pack.d.ts +12 -0
  125. package/dist/external/external-pack.js +42 -35
  126. package/dist/external/fast-glob.d.ts +8 -0
  127. package/dist/external/fast-sort.d.ts +1 -0
  128. package/dist/external/get-east-asian-width.d.ts +5 -0
  129. package/dist/external/get-east-asian-width.js +8 -1
  130. package/dist/external/has-flag.d.ts +1 -0
  131. package/dist/external/inquirer-pack.d.ts +18 -0
  132. package/dist/external/libnpmexec.d.ts +35 -0
  133. package/dist/external/libnpmpack.d.ts +1 -0
  134. package/dist/external/make-fetch-happen.d.ts +13 -0
  135. package/dist/external/normalize-package-data.d.ts +4 -0
  136. package/dist/external/npm-core.d.ts +14 -0
  137. package/dist/external/npm-pack.d.ts +24 -0
  138. package/dist/external/npm-pack.js +28934 -31885
  139. package/dist/external/npm-package-arg.d.ts +4 -0
  140. package/dist/external/p-map.js +8 -1
  141. package/dist/external/pacote.d.ts +15 -0
  142. package/dist/external/pico-pack.d.ts +16 -0
  143. package/dist/external/pico-pack.js +38 -23
  144. package/dist/external/picomatch.d.ts +96 -0
  145. package/dist/external/pony-cause.d.ts +14 -0
  146. package/dist/external/semver.d.ts +60 -0
  147. package/dist/external/semver.js +1459 -4
  148. package/dist/external/shell-quote.d.ts +51 -0
  149. package/dist/external/shell-quote.js +55 -15
  150. package/dist/external/signal-exit.d.ts +1 -0
  151. package/dist/external/spdx-correct.d.ts +4 -0
  152. package/dist/external/spdx-expression-parse.d.ts +4 -0
  153. package/dist/external/spdx-pack.d.ts +10 -0
  154. package/dist/external/std-env.d.ts +284 -0
  155. package/dist/external/std-env.js +323 -0
  156. package/dist/external/streaming-iterables.d.ts +11 -0
  157. package/dist/external/supports-color.d.ts +1 -0
  158. package/dist/external/tar-fs.d.ts +31 -0
  159. package/dist/external/tar-fs.js +63 -16
  160. package/dist/external/validate-npm-package-name.d.ts +4 -0
  161. package/dist/external/which.d.ts +25 -0
  162. package/dist/external/which.js +2 -2
  163. package/dist/external/yargs-parser.d.ts +2 -0
  164. package/dist/external/yargs-parser.js +11 -3
  165. package/dist/external/yoctocolors-cjs.d.ts +51 -0
  166. package/dist/external-tools/bazel/asset-names.d.ts +1 -1
  167. package/dist/external-tools/bazel/from-download.d.ts +1 -1
  168. package/dist/external-tools/bazel/resolve.d.ts +3 -0
  169. package/dist/external-tools/bazel/resolve.js +3 -0
  170. package/dist/external-tools/cdxgen/asset-names.d.ts +5 -5
  171. package/dist/external-tools/cdxgen/asset-names.js +3 -3
  172. package/dist/external-tools/cdxgen/from-download.d.ts +2 -2
  173. package/dist/external-tools/cdxgen/from-download.js +1 -1
  174. package/dist/external-tools/cdxgen/resolve.d.ts +4 -1
  175. package/dist/external-tools/cdxgen/resolve.js +4 -1
  176. package/dist/external-tools/cdxgen/types.d.ts +1 -1
  177. package/dist/external-tools/from-download.d.ts +2 -2
  178. package/dist/external-tools/from-download.js +1 -1
  179. package/dist/external-tools/janus/asset-names.d.ts +4 -1
  180. package/dist/external-tools/janus/asset-names.js +3 -0
  181. package/dist/external-tools/janus/from-download.d.ts +3 -3
  182. package/dist/external-tools/janus/from-download.js +2 -2
  183. package/dist/external-tools/janus/resolve.d.ts +3 -0
  184. package/dist/external-tools/janus/resolve.js +3 -0
  185. package/dist/external-tools/jre/asset-names.d.ts +3 -1
  186. package/dist/external-tools/jre/asset-names.js +2 -0
  187. package/dist/external-tools/jre/detect-platform-arch.js +1 -1
  188. package/dist/external-tools/jre/from-download.d.ts +1 -1
  189. package/dist/external-tools/manifest.d.ts +5 -3
  190. package/dist/external-tools/manifest.js +5 -3
  191. package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
  192. package/dist/external-tools/opengrep/resolve.d.ts +3 -0
  193. package/dist/external-tools/opengrep/resolve.js +3 -0
  194. package/dist/external-tools/python/asset-names.d.ts +3 -1
  195. package/dist/external-tools/python/asset-names.js +8 -4
  196. package/dist/external-tools/python/pin.js +3 -1
  197. package/dist/external-tools/python/resolve.d.ts +3 -0
  198. package/dist/external-tools/python/resolve.js +3 -0
  199. package/dist/external-tools/python/uv-install.d.ts +89 -0
  200. package/dist/external-tools/python/uv-install.js +165 -0
  201. package/dist/external-tools/sbt/resolve.d.ts +3 -0
  202. package/dist/external-tools/sbt/resolve.js +3 -0
  203. package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
  204. package/dist/external-tools/skillspector/from-uv.js +56 -0
  205. package/dist/external-tools/skillspector/resolve.d.ts +18 -3
  206. package/dist/external-tools/skillspector/resolve.js +21 -8
  207. package/dist/external-tools/skillspector/types.d.ts +3 -1
  208. package/dist/external-tools/synp/resolve.d.ts +3 -0
  209. package/dist/external-tools/synp/resolve.js +3 -0
  210. package/dist/external-tools/trivy/asset-names.d.ts +1 -1
  211. package/dist/external-tools/trivy/resolve.d.ts +3 -0
  212. package/dist/external-tools/trivy/resolve.js +3 -0
  213. package/dist/external-tools/trufflehog/asset-names.d.ts +4 -1
  214. package/dist/external-tools/trufflehog/asset-names.js +3 -0
  215. package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
  216. package/dist/external-tools/trufflehog/resolve.d.ts +3 -0
  217. package/dist/external-tools/trufflehog/resolve.js +3 -0
  218. package/dist/external-tools/uv/asset-names.d.ts +36 -0
  219. package/dist/external-tools/uv/asset-names.js +73 -0
  220. package/dist/external-tools/uv/from-download.d.ts +17 -0
  221. package/dist/external-tools/uv/from-download.js +50 -0
  222. package/dist/external-tools/uv/from-path.d.ts +5 -0
  223. package/dist/external-tools/uv/from-path.js +22 -0
  224. package/dist/external-tools/uv/from-vfs.d.ts +7 -0
  225. package/dist/external-tools/uv/from-vfs.js +26 -0
  226. package/dist/external-tools/uv/resolve.d.ts +28 -0
  227. package/dist/external-tools/uv/resolve.js +64 -0
  228. package/dist/external-tools/uv/types.d.ts +24 -0
  229. package/dist/external-tools/uv/types.js +2 -0
  230. package/dist/fleet/repo-config.d.ts +55 -0
  231. package/dist/fleet/repo-config.js +81 -0
  232. package/dist/fs/_internal.d.ts +1 -1
  233. package/dist/fs/_internal.js +1 -1
  234. package/dist/fs/access.d.ts +2 -0
  235. package/dist/fs/access.js +2 -0
  236. package/dist/fs/copy.d.ts +88 -0
  237. package/dist/fs/copy.js +89 -0
  238. package/dist/fs/find.js +1 -2
  239. package/dist/fs/inspect.d.ts +2 -2
  240. package/dist/fs/read-file.js +3 -4
  241. package/dist/fs/safe.js +2 -2
  242. package/dist/git/_internal.js +7 -3
  243. package/dist/github/commit.d.ts +92 -0
  244. package/dist/github/commit.js +113 -0
  245. package/dist/github/ghsa.js +1 -1
  246. package/dist/github/refs-graphql.js +1 -1
  247. package/dist/github/refs.js +10 -15
  248. package/dist/github/request.js +1 -1
  249. package/dist/github/token.d.ts +5 -2
  250. package/dist/github/token.js +6 -4
  251. package/dist/github/workflow-runs.d.ts +107 -0
  252. package/dist/github/workflow-runs.js +98 -0
  253. package/dist/globs/_internal.js +1 -1
  254. package/dist/http-request/_internal.d.ts +1 -1
  255. package/dist/http-request/browser.d.ts +6 -0
  256. package/dist/http-request/browser.js +4 -3
  257. package/dist/http-request/checksum-file.js +1 -1
  258. package/dist/http-request/download.js +2 -0
  259. package/dist/http-request/headers.d.ts +1 -1
  260. package/dist/http-request/headers.js +2 -2
  261. package/dist/http-request/request-attempt.js +6 -3
  262. package/dist/http-request/request-types.d.ts +10 -1
  263. package/dist/http-request/request.js +2 -2
  264. package/dist/http-request/user-agent.d.ts +23 -2
  265. package/dist/http-request/user-agent.js +48 -6
  266. package/dist/integrity.d.ts +127 -78
  267. package/dist/integrity.js +170 -84
  268. package/dist/json/format.js +4 -1
  269. package/dist/logger/_internal.d.ts +13 -15
  270. package/dist/logger/_internal.js +21 -21
  271. package/dist/logger/colors.d.ts +10 -5
  272. package/dist/logger/colors.js +7 -14
  273. package/dist/logger/console-methods.js +2 -2
  274. package/dist/logger/console.d.ts +1 -0
  275. package/dist/logger/console.js +9 -9
  276. package/dist/logger/node.js +2 -1
  277. package/dist/logger/symbols-builder.js +7 -8
  278. package/dist/logger/symbols.js +8 -8
  279. package/dist/native-messaging/install.js +1 -1
  280. package/dist/native-messaging/rate-limit.d.ts +4 -1
  281. package/dist/native-messaging/rate-limit.js +4 -1
  282. package/dist/node/events.d.ts +3 -0
  283. package/dist/node/events.js +3 -0
  284. package/dist/node/fs.d.ts +1 -1
  285. package/dist/node/module.d.ts +73 -2
  286. package/dist/node/module.js +97 -12
  287. package/dist/node/timers-promises.d.ts +3 -0
  288. package/dist/node/timers-promises.js +3 -0
  289. package/dist/node/url.d.ts +3 -0
  290. package/dist/node/url.js +3 -0
  291. package/dist/npm/meta-cache.d.ts +183 -0
  292. package/dist/npm/meta-cache.js +318 -0
  293. package/dist/npm/meta-slice.d.ts +27 -0
  294. package/dist/npm/meta-slice.js +68 -0
  295. package/dist/npm/meta-types.d.ts +282 -0
  296. package/dist/npm/meta-types.js +2 -0
  297. package/dist/npm/meta.d.ts +125 -0
  298. package/dist/npm/meta.js +347 -0
  299. package/dist/npm/registry.d.ts +212 -0
  300. package/dist/npm/registry.js +284 -0
  301. package/dist/objects/getters.d.ts +1 -1
  302. package/dist/objects/getters.js +1 -1
  303. package/dist/objects/predicates.js +1 -1
  304. package/dist/packages/exports.js +2 -2
  305. package/dist/packages/isolation.js +1 -1
  306. package/dist/packages/manifest.d.ts +29 -0
  307. package/dist/packages/manifest.js +44 -9
  308. package/dist/packages/metadata-extensions.js +2 -4
  309. package/dist/packages/normalize.js +1 -1
  310. package/dist/packages/provenance.d.ts +8 -0
  311. package/dist/packages/provenance.js +10 -2
  312. package/dist/packages/specs.js +1 -1
  313. package/dist/packages/tarball.js +1 -2
  314. package/dist/packages/validation.d.ts +0 -10
  315. package/dist/packages/validation.js +0 -14
  316. package/dist/paths/_internal.d.ts +1 -7
  317. package/dist/paths/_internal.js +9 -15
  318. package/dist/paths/conversion.js +1 -1
  319. package/dist/paths/exts.d.ts +30 -0
  320. package/dist/paths/exts.js +30 -0
  321. package/dist/paths/filenames.d.ts +6 -0
  322. package/dist/paths/filenames.js +6 -0
  323. package/dist/paths/globs.d.ts +6 -0
  324. package/dist/paths/globs.js +6 -0
  325. package/dist/paths/normalize.js +1 -1
  326. package/dist/paths/predicates.js +2 -1
  327. package/dist/paths/resolve.js +19 -14
  328. package/dist/paths/socket.d.ts +81 -30
  329. package/dist/paths/socket.js +102 -28
  330. package/dist/perf/metrics.js +1 -1
  331. package/dist/perf/report.js +5 -3
  332. package/dist/pkg-ext/data.js +0 -2
  333. package/dist/primordials/globals.d.ts +1 -1
  334. package/dist/primordials/globals.js +1 -1
  335. package/dist/primordials/headers.d.ts +13 -1
  336. package/dist/primordials/headers.js +13 -1
  337. package/dist/primordials/process.d.ts +1 -1
  338. package/dist/primordials/process.js +1 -1
  339. package/dist/primordials/url.d.ts +18 -0
  340. package/dist/primordials/url.js +18 -0
  341. package/dist/process/spawn/child.js +3 -5
  342. package/dist/promises/_internal.d.ts +1 -1
  343. package/dist/promises/_internal.js +1 -2
  344. package/dist/promises/options.js +3 -3
  345. package/dist/regexps/spec.js +1 -1
  346. package/dist/releases/socket-btm-binary-naming.js +12 -1
  347. package/dist/schema/validate.js +1 -1
  348. package/dist/secrets/_internal.d.ts +1 -1
  349. package/dist/secrets/_internal.js +1 -1
  350. package/dist/secrets/broker.d.ts +35 -0
  351. package/dist/secrets/broker.js +72 -0
  352. package/dist/secrets/find.d.ts +8 -6
  353. package/dist/secrets/find.js +17 -3
  354. package/dist/secrets/keychain.d.ts +10 -1
  355. package/dist/secrets/keychain.js +10 -1
  356. package/dist/secrets/rc.js +1 -1
  357. package/dist/secrets/socket-api-token.d.ts +1 -1
  358. package/dist/secrets/socket-api-token.js +1 -1
  359. package/dist/secrets/types.d.ts +1 -1
  360. package/dist/smol/detect.js +1 -1
  361. package/dist/smol/http.d.ts +2 -0
  362. package/dist/smol/http.js +3 -1
  363. package/dist/smol/https.d.ts +2 -0
  364. package/dist/smol/https.js +3 -1
  365. package/dist/smol/manifest.js +1 -1
  366. package/dist/smol/path.js +1 -1
  367. package/dist/smol/primordial.js +1 -1
  368. package/dist/smol/purl.js +1 -1
  369. package/dist/smol/versions.js +1 -1
  370. package/dist/smol/vfs.js +1 -1
  371. package/dist/sorts/_internal.d.ts +2 -4
  372. package/dist/sorts/_internal.js +1 -7
  373. package/dist/sorts/semver.js +2 -2
  374. package/dist/spinner/create-spinner-class.js +1 -1
  375. package/dist/spinner/format.js +2 -4
  376. package/dist/stdio/footer.js +8 -7
  377. package/dist/stdio/progress.js +1 -1
  378. package/dist/stdio/prompts.d.ts +8 -23
  379. package/dist/stdio/prompts.js +28 -52
  380. package/dist/strings/format.js +1 -1
  381. package/dist/strings/predicates.d.ts +2 -2
  382. package/dist/strings/search.js +2 -2
  383. package/dist/strings/types.d.ts +4 -0
  384. package/dist/strings/width.d.ts +1 -0
  385. package/dist/strings/width.js +17 -8
  386. package/dist/themes/context.d.ts +18 -3
  387. package/dist/themes/context.js +28 -14
  388. package/dist/versions/_internal.d.ts +43 -13
  389. package/dist/versions/_internal.js +27 -15
  390. package/dist/versions/compare.d.ts +16 -10
  391. package/dist/versions/compare.js +36 -16
  392. package/dist/versions/parse.js +1 -1
  393. package/dist/versions/range.js +3 -2
  394. package/dist/words/pluralize.js +4 -1
  395. package/llms.txt +63 -0
  396. package/package.json +271 -40
package/CHANGELOG.md CHANGED
@@ -5,6 +5,34 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [6.0.10](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.10) - 2026-07-13
9
+
10
+ ### Fixed
11
+
12
+ - **`stdio/footer`** — lazy-load colors so import survives --build-snapshot
13
+
14
+ ## [6.0.9](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.9) - 2026-06-18
15
+
16
+ ### Added
17
+
18
+ - **`external-tools/uv` — uv resolver.** Resolves Astral's `uv` Python package manager across three tiers (embedded VFS, then system PATH, then a downloaded GitHub release), matching the shape of the other `external-tools/*` tool resolvers. Exports `resolveUv`, `ResolvedUv`, `UvSource`, plus the per-platform asset map and download helpers.
19
+ - **`external-tools/python/uv-install` — reproducible uv-project install helpers.** `uvSyncProject` installs a uv project at its exact pinned versions and refuses to proceed when those have drifted, so every machine gets the same result. `uvExportMaterialize` installs the same pinned versions into a content-addressed directory with no virtualenv, so the result is relocatable and embeddable in a single-file build. Concurrent callers serialize so two installs can't collide. The Python analog of the npm dlx install model.
20
+ - **`external-tools/skillspector` — pinned-project resolution tier.** `skillspectorFromUv` installs SkillSpector from a fully pinned uv project (every version fixed) and returns its entry point, resolved ahead of the existing git-SHA fallback when a project directory and `uv` binary are supplied. Adds a `'uv'` source to the resolution result.
21
+ - **`config/layers` — generic layered-config reader.** `readConfigLayers(name, { dirs })` reads a named config file from an ordered list of layer directories (lowest precedence first) and returns the layers that exist; absent or unparseable layers are skipped. `mergeConfigArray` concatenates one array-valued key across all layers, for lists that higher layers extend rather than replace. It carries no project-convention knowledge: the caller supplies the directories and the merge policy.
22
+ - **`paths` — `_wheelhouse` tool-layout dirs and the agent-clone dir.** `getSocketRackDir` and `getSocketRackToolDir` locate the racked tool store, `getSocketWheelhouseBinDir` the PATH-handle directory that points into it, and `getSocketRepoClonesDir` the directory where agents clone external repos for reference (kept out of the projects tree so sibling-walking tooling never treats a clone as a fleet member).
23
+ - **`ai` — offline/gated-model detection and fall-over.** `spawnTierWithFallback` walks a tier's cross-engine equivalence chain and runs the first engine that is both installed and authenticated, so a request still completes when the preferred model is down, gated, or unkeyed. `isModelUnavailable` recognizes a down-or-gated model from the engine's actual output rather than a brittle literal-string match. The `ai/route` resolver and `ai/subagent-status` reader are exposed as their own entry points.
24
+ - **`fs/copy` — recursive copy with three destination modes.** `copy(from, to, { mode })` copies a file or directory tree. `CopyMode` chooses how an existing destination is treated: `'overlay'` (the default: overwrite collisions, keep destination-only files), `'pave'` (the destination becomes an exact mirror of the source via an atomic sibling-temp-then-rename swap, so no stale files survive and a partial tree is never observed), or `'fill'` (no-clobber: add only what is missing, never overwrite). Also accepts `filter`, `dereference`, and an abort `signal`.
25
+ - **`node/requireFrom` — relative `require` bound to the caller's directory.** `requireFrom(fromUrl, specifier)` resolves a relative specifier (`./x`, `../y`) from the caller's own directory, passed as `import.meta.url`, so relative loads bind to the right base when modules run unbundled (for example AOT-compiled from source, where each module sits at its own nested path). Builtins and bare packages resolve as before.
26
+ - **`secrets` — proteus broker credential tier.** The credential resolver gains a broker layer in the documented order (explicit, then env, then broker, then keychain): it connects to the broker's runtime socket, requests the value, and self-gates. No socket means no broker, so it returns `undefined` and falls through to the keychain. Async only (absent from `resolveSync`) and skipped under `allowEnvOnly`. Existing `resolveProviderCredential` call sites are unchanged.
27
+ - **`paths` — `getRuntimeSocketPath` and `getXdgRuntimeDir` for daemon sockets.** One resolver a daemon and its clients both call to locate a runtime socket: the XDG runtime dir when present, a `$TMPDIR/<name>-<uid>` fallback, or a named pipe on Windows.
28
+ - **`llms.txt` — discovery index for AI agents.** `pnpm run docs` now also emits a publish-safe `llms.txt` at the package root that links each export subpath to its shipped `.d.mts` declaration, giving an agent one file to read after installing. It ships in the published tarball.
29
+ - **`packages/manifest` — `trimPublishManifest`.** Returns a shallow copy of a `package.json` that omits dev/build-only top-level fields (`devDependencies`, `scripts` by default) so a published tarball and its npm metadata stay lean. `drop` overrides the field set; `keep` retains a field even when dropped (e.g. a runtime `postinstall`). The original object is left intact.
30
+
31
+ ### Changed
32
+
33
+ - **`integrity` — one `Hash` currency (breaking).** Hashes are modeled as a single concept, a `Hash` carrying algorithm, hex, and sri, rather than an integrity-vs-checksum type duality, so the algorithm is explicit on every value. Adds `parseHash` (encoding- and length-aware), `computeHash` (sha512 default), `verifyHash(bytes, expected)` (verifies against the expected hash's declared algorithm), `equalHashes` (encoding-agnostic, and never equal across algorithms), `makeHash`, and `HashMismatchError`. Breaking: `verifyHash` now takes `(bytes, expected)`, not `(expected, computed)`, and `DlxHashMismatchError` is a deprecated alias of `HashMismatchError`. Back-compat shims remain: `checksumToIntegrity`, `integrityToChecksum`, `normalizeHash`, `computeHashes`, `isChecksum`, `isIntegrity`, `parseIntegrity`.
34
+ - **`fleet/repo-config` is now a thin wrapper over `config/layers`.** `resolveRepoConfig` (the fleet default layered under a per-repo override) and `mergeRepoConfigArray` stay at `fleet/repo-config`; the generic, convention-free primitives moved to the new `config/layers` entry. `resolveRepoConfig` callers see no behavior change.
35
+
8
36
  ## [6.0.8](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.8) - 2026-06-11
9
37
 
10
38
  ### Added
package/README.md CHANGED
@@ -1,11 +1,10 @@
1
1
  # @socketsecurity/lib
2
2
 
3
- [![Socket Badge](https://socket.dev/api/badge/npm/package/@socketsecurity/lib)](https://socket.dev/npm/package/@socketsecurity/lib)
4
- [![CI](https://github.com/SocketDev/socket-lib/actions/workflows/ci.yml/badge.svg)](https://github.com/SocketDev/socket-lib/actions/workflows/ci.yml)
5
- ![Coverage](https://img.shields.io/badge/coverage-99%25-brightgreen)
3
+ <a href="https://socket.dev/npm/package/@socketsecurity/lib"><img src="https://socket.dev/api/badge/npm/package/@socketsecurity/lib" alt="Socket Badge" height="20"></a>
4
+ ![Coverage](assets/repo/coverage.svg)
6
5
 
7
- [![Follow @SocketSecurity](https://img.shields.io/twitter/follow/SocketSecurity?style=social)](https://twitter.com/SocketSecurity)
8
- [![Follow @socket.dev on Bluesky](https://img.shields.io/badge/Follow-@socket.dev-1DA1F2?style=social&logo=bluesky)](https://bsky.app/profile/socket.dev)
6
+ [![Follow @SocketSecurity](assets/fleet/badge-follow-x.svg)](https://twitter.com/SocketSecurity)
7
+ [![Follow @socket.dev on Bluesky](assets/fleet/badge-follow-bluesky.svg)](https://bsky.app/profile/socket.dev)
9
8
 
10
9
  Core utilities for [Socket.dev](https://socket.dev/) tools: file system, processes, HTTP, env detection, logging, spinners, and more. Tree-shakeable, TypeScript-first, cross-platform.
11
10
 
@@ -22,8 +21,8 @@ pnpm add @socketsecurity/lib
22
21
  ## Usage
23
22
 
24
23
  ```typescript
25
- import { Spinner } from '@socketsecurity/lib/spinner'
26
- import { readJson } from '@socketsecurity/lib/fs'
24
+ import { Spinner } from '@socketsecurity/lib/spinner/spinner'
25
+ import { readJson } from '@socketsecurity/lib/fs/read-json'
27
26
 
28
27
  const spinner = Spinner({ text: 'Loading…' })
29
28
  spinner.start()
@@ -34,9 +33,9 @@ spinner.successAndStop(`Loaded ${pkg.name}@${pkg.version}`)
34
33
  Every export lives under a subpath — pick what you need:
35
34
 
36
35
  ```typescript
37
- import { spawn } from '@socketsecurity/lib/spawn'
36
+ import { spawn } from '@socketsecurity/lib/process/spawn/child'
38
37
  import { httpJson } from '@socketsecurity/lib/http-request'
39
- import { safeDelete } from '@socketsecurity/lib/fs'
38
+ import { safeDelete } from '@socketsecurity/lib/fs/safe'
40
39
  ```
41
40
 
42
41
  Start with the [API reference](./docs/api.md) — every subpath export with a one-line description.
@@ -19,7 +19,7 @@ export declare function createCompositeAbortSignal(...signals: Array<AbortSignal
19
19
  * @example
20
20
  * ;```typescript
21
21
  * const signal = createTimeoutSignal(5000) // aborts after 5 seconds
22
- * fetch('https://example.com', { signal })
22
+ * httpJson(url, { signal })
23
23
  * ```
24
24
  *
25
25
  * @throws {TypeError} If `ms` is not a number, is NaN, is not finite, or is not
@@ -40,7 +40,7 @@ function createCompositeAbortSignal(...signals) {
40
40
  * @example
41
41
  * ;```typescript
42
42
  * const signal = createTimeoutSignal(5000) // aborts after 5 seconds
43
- * fetch('https://example.com', { signal })
43
+ * httpJson(url, { signal })
44
44
  * ```
45
45
  *
46
46
  * @throws {TypeError} If `ms` is not a number, is NaN, is not finite, or is not
@@ -22,7 +22,7 @@
22
22
  * the human-authored AGENTS.md. So `agentPaths(...).memoryDir` is defined
23
23
  * only for `claude`; for the others it is `undefined` (there is no memory
24
24
  * dir to point at), and the shared cross-tool memory surface is the
25
- * committed AGENTS.md (which the fleet symlinks to CLAUDE.md).
25
+ * committed AGENTS.md (which Socket symlinks to CLAUDE.md).
26
26
  */
27
27
  import type { AiAgentName } from './types.mts';
28
28
  /**
@@ -6,6 +6,7 @@ const require_constants_platform = require('../constants/platform.js');
6
6
  const require_env_rewire = require('../env/rewire.js');
7
7
  const require_env_home = require('../env/home.js');
8
8
  const require_env_xdg = require('../env/xdg.js');
9
+ const require_paths_normalize = require('../paths/normalize.js');
9
10
  let node_path = require("node:path");
10
11
  node_path = require_runtime.__toESM(node_path, 1);
11
12
 
@@ -34,7 +35,7 @@ node_path = require_runtime.__toESM(node_path, 1);
34
35
  * the human-authored AGENTS.md. So `agentPaths(...).memoryDir` is defined
35
36
  * only for `claude`; for the others it is `undefined` (there is no memory
36
37
  * dir to point at), and the shared cross-tool memory surface is the
37
- * committed AGENTS.md (which the fleet symlinks to CLAUDE.md).
38
+ * committed AGENTS.md (which Socket symlinks to CLAUDE.md).
38
39
  */
39
40
  function agentFromAiAgentEnv(value) {
40
41
  const lower = value.toLowerCase();
@@ -76,7 +77,7 @@ function agentPaths(agent, options) {
76
77
  return {
77
78
  agent,
78
79
  configDir,
79
- memoryDir: cwd ? node_path.default.join(configDir, "projects", cwd.replace(/[/\\]/g, "-"), "memory") : void 0
80
+ memoryDir: cwd ? node_path.default.join(configDir, "projects", require_paths_normalize.normalizePath(cwd).replace(/\//g, "-"), "memory") : void 0
80
81
  };
81
82
  }
82
83
  case "codex": return {
@@ -1,5 +1,5 @@
1
1
  /**
2
- * @file Multi-agent CLI backend registry + role routing. The fleet's review /
2
+ * @file Multi-agent CLI backend registry + role routing. Socket's review /
3
3
  * scan / fix skills delegate work to whichever agent CLIs are installed
4
4
  * (`codex`, `claude`, `kimi`, `opencode`), falling back through a per-role
5
5
  * preference order and skipping a pass when nothing usable is present. Before
@@ -22,7 +22,7 @@
22
22
  * attribution accurate.
23
23
  */
24
24
  /**
25
- * A CLI backend the fleet can delegate a pass to.
25
+ * A CLI backend Socket can delegate a pass to.
26
26
  */
27
27
  export type BackendName = 'claude' | 'codex' | 'kimi' | 'opencode';
28
28
  /**
@@ -73,7 +73,7 @@ export interface ResolveBackendOptions {
73
73
  readonly override?: BackendName | undefined;
74
74
  }
75
75
  /**
76
- * Resolve which backend runs a pass, encoding the fleet detection policy
76
+ * Resolve which backend runs a pass, encoding Socket's detection policy
77
77
  * (`_shared/multi-agent-backends.md`): an installed explicit override wins;
78
78
  * else the first installed non-hybrid entry in the preference order; else
79
79
  * nothing (skip the pass). Pure — returns the decision + why, never logs. An
@@ -6,7 +6,7 @@ const require_ai_spawn = require('./spawn.js');
6
6
 
7
7
  //#region src/ai/backends.mts
8
8
  /**
9
- * @file Multi-agent CLI backend registry + role routing. The fleet's review /
9
+ * @file Multi-agent CLI backend registry + role routing. Socket's review /
10
10
  * scan / fix skills delegate work to whichever agent CLIs are installed
11
11
  * (`codex`, `claude`, `kimi`, `opencode`), falling back through a per-role
12
12
  * preference order and skipping a pass when nothing usable is present. Before
@@ -131,7 +131,7 @@ async function isCommandAvailable(bin) {
131
131
  return await require_bin_which.which(bin) !== null;
132
132
  }
133
133
  /**
134
- * Resolve which backend runs a pass, encoding the fleet detection policy
134
+ * Resolve which backend runs a pass, encoding Socket's detection policy
135
135
  * (`_shared/multi-agent-backends.md`): an installed explicit override wins;
136
136
  * else the first installed non-hybrid entry in the preference order; else
137
137
  * nothing (skip the pass). Pure — returns the decision + why, never logs. An
@@ -0,0 +1,74 @@
1
+ /**
2
+ * @file Build a `BillingContext` for the route-heuristic WITHOUT privileged
3
+ * lookups. A normal user has no Admin key (`sk-ant-admin01-`), so we cannot
4
+ * read org spend / quota — the Anthropic Cost API is admin-gated — and that
5
+ * is an accepted limitation, not something to engineer around. So this layer
6
+ * does NO network call and NO privileged probe. It uses only what a user
7
+ * actually has: which provider credentials resolve (the same env → keychain
8
+ * check that builds `RouteContext.keyed`, non-admin), tags each with its
9
+ * INHERENT billing kind (a metered API, a flat-rate plan, a subscription seat
10
+ * — the provider's nature, overridable by config), and leaves `headroom`
11
+ * undefined. Undefined headroom means the heuristic routes REACTIVELY: it
12
+ * falls over on a 429 / quota error at spawn time (`isQuotaExhausted` in
13
+ * `spawn.mts`), rather than predicting a cap it has no privilege to read. A
14
+ * caller that DOES have a non-privileged quota endpoint (e.g. Synthetic
15
+ * `/v2/quotas` with the ordinary key) may pass best-effort `headroom` in —
16
+ * but nothing here requires it, and no privileged reader is built or wired.
17
+ */
18
+ import type { CredentialProvider } from './credentials.mts';
19
+ import type { BillingContext, BillingHeadroom, BillingKind, RoutingEnv } from './route-heuristic.mts';
20
+ /**
21
+ * Inherent billing model per provider — the provider's NATURE, not anyone's
22
+ * account or limit. A metered pay-per-token API (`anthropic` with an API key,
23
+ * `fireworks`, `xai`), a flat-rate plan (`synthetic`), or a subscription seat
24
+ * (`openai` via a ChatGPT/Codex seat). These are DEFAULTS only: a caller
25
+ * overrides per provider via the `kinds` option — e.g. a user whose Anthropic
26
+ * access is a Claude Max seat (no API key) marks `anthropic` as `subscription`.
27
+ * No dollar figures here; only the kind, which decides dollars-vs-headroom.
28
+ */
29
+ export declare const DEFAULT_PROVIDER_KIND: Readonly<Record<CredentialProvider, BillingKind>>;
30
+ export interface BillingFromKeyedOptions {
31
+ readonly keyed: ReadonlySet<CredentialProvider>;
32
+ readonly kinds?: Readonly<Partial<Record<CredentialProvider, BillingKind>>> | undefined;
33
+ readonly headroom?: Readonly<Partial<Record<CredentialProvider, BillingHeadroom>>> | undefined;
34
+ }
35
+ /**
36
+ * Turn an already-probed set of keyed providers into a `BillingContext`,
37
+ * tagging each with its kind (config override → inherent default) and any
38
+ * caller-supplied best-effort headroom. Pure: no I/O, no privileged lookup. A
39
+ * provider with no known kind is skipped rather than given an undefined kind.
40
+ */
41
+ export declare function billingFromKeyed(options: BillingFromKeyedOptions): BillingContext;
42
+ /**
43
+ * Detect whether routing runs in locked-down CI (restricted to the secrets
44
+ * actually present, under the four-flag lockdown) or local dev (full freedom).
45
+ * CI when the standard `CI` env var is set; `local` otherwise.
46
+ */
47
+ export declare function detectRoutingEnv(): RoutingEnv;
48
+ export interface DiscoverBillingOptions {
49
+ readonly allowEnvOnly?: boolean | undefined;
50
+ readonly env?: RoutingEnv | undefined;
51
+ readonly headroom?: Readonly<Partial<Record<CredentialProvider, BillingHeadroom>>> | undefined;
52
+ readonly kinds?: Readonly<Partial<Record<CredentialProvider, BillingKind>>> | undefined;
53
+ }
54
+ /**
55
+ * Discover a `BillingContext` end-to-end with no privileged lookup: probe which
56
+ * provider credentials resolve (env → keychain, the non-admin check), then tag
57
+ * them via `billingFromKeyed`. Headroom defaults to undefined (reactive). In CI
58
+ * the credential probe is env-only (no keychain prompt); locally it allows the
59
+ * keychain. Convenience over calling `discoverKeyedProviders` +
60
+ * `billingFromKeyed`.
61
+ *
62
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
63
+ */
64
+ export declare function discoverBilling(options?: DiscoverBillingOptions | undefined): Promise<BillingContext>;
65
+ export interface DiscoverKeyedProvidersOptions {
66
+ readonly allowEnvOnly?: boolean | undefined;
67
+ }
68
+ /**
69
+ * The set of providers with a resolvable credential, probed via the same
70
+ * non-admin env → keychain resolver `RouteContext.keyed` uses. No network, no
71
+ * privilege. Pass `allowEnvOnly: true` in headless contexts to skip the
72
+ * keychain entirely.
73
+ */
74
+ export declare function discoverKeyedProviders(options?: DiscoverKeyedProvidersOptions | undefined): Promise<Set<CredentialProvider>>;
@@ -0,0 +1,129 @@
1
+ "use strict";
2
+ /* Socket Lib - Built with rolldown */
3
+ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
+ const require_primordials_object = require('../primordials/object.js');
5
+ const require_env_rewire = require('../env/rewire.js');
6
+ const require_ai_credentials = require('./credentials.js');
7
+
8
+ //#region src/ai/billing-context.mts
9
+ /**
10
+ * @file Build a `BillingContext` for the route-heuristic WITHOUT privileged
11
+ * lookups. A normal user has no Admin key (`sk-ant-admin01-`), so we cannot
12
+ * read org spend / quota — the Anthropic Cost API is admin-gated — and that
13
+ * is an accepted limitation, not something to engineer around. So this layer
14
+ * does NO network call and NO privileged probe. It uses only what a user
15
+ * actually has: which provider credentials resolve (the same env → keychain
16
+ * check that builds `RouteContext.keyed`, non-admin), tags each with its
17
+ * INHERENT billing kind (a metered API, a flat-rate plan, a subscription seat
18
+ * — the provider's nature, overridable by config), and leaves `headroom`
19
+ * undefined. Undefined headroom means the heuristic routes REACTIVELY: it
20
+ * falls over on a 429 / quota error at spawn time (`isQuotaExhausted` in
21
+ * `spawn.mts`), rather than predicting a cap it has no privilege to read. A
22
+ * caller that DOES have a non-privileged quota endpoint (e.g. Synthetic
23
+ * `/v2/quotas` with the ordinary key) may pass best-effort `headroom` in —
24
+ * but nothing here requires it, and no privileged reader is built or wired.
25
+ */
26
+ /**
27
+ * Inherent billing model per provider — the provider's NATURE, not anyone's
28
+ * account or limit. A metered pay-per-token API (`anthropic` with an API key,
29
+ * `fireworks`, `xai`), a flat-rate plan (`synthetic`), or a subscription seat
30
+ * (`openai` via a ChatGPT/Codex seat). These are DEFAULTS only: a caller
31
+ * overrides per provider via the `kinds` option — e.g. a user whose Anthropic
32
+ * access is a Claude Max seat (no API key) marks `anthropic` as `subscription`.
33
+ * No dollar figures here; only the kind, which decides dollars-vs-headroom.
34
+ */
35
+ const DEFAULT_PROVIDER_KIND = {
36
+ __proto__: null,
37
+ anthropic: "metered",
38
+ fireworks: "metered",
39
+ openai: "subscription",
40
+ synthetic: "flat-rate",
41
+ xai: "metered"
42
+ };
43
+ /**
44
+ * Turn an already-probed set of keyed providers into a `BillingContext`,
45
+ * tagging each with its kind (config override → inherent default) and any
46
+ * caller-supplied best-effort headroom. Pure: no I/O, no privileged lookup. A
47
+ * provider with no known kind is skipped rather than given an undefined kind.
48
+ */
49
+ function billingFromKeyed(options) {
50
+ const opts = {
51
+ __proto__: null,
52
+ ...options
53
+ };
54
+ const out = { __proto__: null };
55
+ for (const provider of opts.keyed) {
56
+ const kind = opts.kinds?.[provider] ?? DEFAULT_PROVIDER_KIND[provider];
57
+ if (!kind) continue;
58
+ const headroom = opts.headroom?.[provider];
59
+ out[provider] = headroom ? {
60
+ headroom,
61
+ kind,
62
+ provider
63
+ } : {
64
+ kind,
65
+ provider
66
+ };
67
+ }
68
+ return out;
69
+ }
70
+ /**
71
+ * Detect whether routing runs in locked-down CI (restricted to the secrets
72
+ * actually present, under the four-flag lockdown) or local dev (full freedom).
73
+ * CI when the standard `CI` env var is set; `local` otherwise.
74
+ */
75
+ function detectRoutingEnv() {
76
+ return require_env_rewire.getEnvValue("CI") ? "ci" : "local";
77
+ }
78
+ /**
79
+ * Discover a `BillingContext` end-to-end with no privileged lookup: probe which
80
+ * provider credentials resolve (env → keychain, the non-admin check), then tag
81
+ * them via `billingFromKeyed`. Headroom defaults to undefined (reactive). In CI
82
+ * the credential probe is env-only (no keychain prompt); locally it allows the
83
+ * keychain. Convenience over calling `discoverKeyedProviders` +
84
+ * `billingFromKeyed`.
85
+ *
86
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
87
+ */
88
+ async function discoverBilling(options) {
89
+ const opts = {
90
+ __proto__: null,
91
+ ...options
92
+ };
93
+ const env = opts.env ?? detectRoutingEnv();
94
+ const keyed = await discoverKeyedProviders({ allowEnvOnly: opts.allowEnvOnly ?? env === "ci" });
95
+ return billingFromKeyed({
96
+ headroom: opts.headroom,
97
+ keyed,
98
+ kinds: opts.kinds
99
+ });
100
+ }
101
+ /**
102
+ * The set of providers with a resolvable credential, probed via the same
103
+ * non-admin env → keychain resolver `RouteContext.keyed` uses. No network, no
104
+ * privilege. Pass `allowEnvOnly: true` in headless contexts to skip the
105
+ * keychain entirely.
106
+ */
107
+ async function discoverKeyedProviders(options) {
108
+ const opts = {
109
+ __proto__: null,
110
+ ...options
111
+ };
112
+ const providers = require_primordials_object.ObjectKeys(require_ai_credentials.PROVIDER_CREDENTIALS);
113
+ const keyed = /* @__PURE__ */ new Set();
114
+ for (let i = 0, { length } = providers; i < length; i += 1) {
115
+ const provider = providers[i];
116
+ if (await require_ai_credentials.resolveProviderCredential({
117
+ allowEnvOnly: opts.allowEnvOnly,
118
+ provider
119
+ })) keyed.add(provider);
120
+ }
121
+ return keyed;
122
+ }
123
+
124
+ //#endregion
125
+ exports.DEFAULT_PROVIDER_KIND = DEFAULT_PROVIDER_KIND;
126
+ exports.billingFromKeyed = billingFromKeyed;
127
+ exports.detectRoutingEnv = detectRoutingEnv;
128
+ exports.discoverBilling = discoverBilling;
129
+ exports.discoverKeyedProviders = discoverKeyedProviders;
@@ -14,11 +14,10 @@
14
14
  * `undefined` immediately instead of triggering a keychain auth prompt. CI
15
15
  * sets the token as a GH-secret env var (e.g. `ANTHROPIC_API_KEY`); the same
16
16
  * `resolveProviderCredential` call reads it there with no keychain. proteus
17
- * hook-point: the forthcoming biometric credential daemon
18
- * (`.claude/plans/proteus-credential-broker.md`) slots in as a layer between
19
- * the env check and the keychain read inside `resolve()`'s implementation
20
- * call sites here do not change when it lands (resolver decision #4 in that
21
- * plan). This module is the stable seam.
17
+ * hook-point: the forthcoming biometric credential daemon slots in as a
18
+ * layer between the env check and the keychain read inside `resolve()`'s
19
+ * implementation call sites here do not change when it lands. This module
20
+ * is the stable seam.
22
21
  */
23
22
  /**
24
23
  * A provider whose credential this module can resolve: the HTTP providers
@@ -31,6 +30,19 @@ export interface ProviderCredentialSpec {
31
30
  readonly keychainService: string;
32
31
  }
33
32
  export declare const PROVIDER_CREDENTIALS: Readonly<Record<CredentialProvider, ProviderCredentialSpec>>;
33
+ export interface DeleteProviderCredentialOptions {
34
+ readonly provider: CredentialProvider;
35
+ }
36
+ /**
37
+ * Remove a provider's stored credential from the OS keychain — the same
38
+ * `{ service, account }` slot `resolveProviderCredential` reads. Returns
39
+ * `'removed'` when a value was deleted, `'absent'` when none was stored (or the
40
+ * platform has no keychain backend — delete degrades to a no-op rather than
41
+ * throwing, since "nothing to remove" is the same outcome either way).
42
+ *
43
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
44
+ */
45
+ export declare function deleteProviderCredential(options: DeleteProviderCredentialOptions): Promise<'absent' | 'removed'>;
34
46
  /**
35
47
  * True when `value` names a provider with a resolvable credential.
36
48
  */
@@ -47,3 +59,25 @@ export interface ResolveProviderCredentialOptions {
47
59
  * source has it (the caller decides whether that's fatal).
48
60
  */
49
61
  export declare function resolveProviderCredential(options: ResolveProviderCredentialOptions): Promise<string | undefined>;
62
+ export interface WriteProviderCredentialOptions {
63
+ readonly provider: CredentialProvider;
64
+ readonly value: string;
65
+ }
66
+ /**
67
+ * Persist a provider's bearer token to the OS keychain — the SAME `{ service,
68
+ * account }` slot `resolveProviderCredential` reads (account == `tokenEnv`,
69
+ * service == the Socket-uniform `socketsecurity` scope), so a written token
70
+ * resolves on the next read without an env var.
71
+ *
72
+ * Keychain ONLY — this never writes a shell-rc export. That matters most for
73
+ * anthropic: a live `ANTHROPIC_API_KEY` env var overrides a Claude Max-seat
74
+ * OAuth session and silently flips the user to metered billing, so its token
75
+ * must live only in the keychain (read on demand), never exported. A setup
76
+ * wizard that rc-exports `FIREWORKS_API_KEY`/`SYNTHETIC_API_KEY` for
77
+ * convenience must still route anthropic here, keychain-only.
78
+ *
79
+ * Returns `'written'` | `'unchanged'` (idempotent — an identical stored value
80
+ * is a no-op). Throws when the OS has no keychain backend; a caller that wants
81
+ * to degrade gracefully should check `getBackendAvailability()` first.
82
+ */
83
+ export declare function writeProviderCredential(options: WriteProviderCredentialOptions): Promise<'unchanged' | 'written'>;
@@ -1,6 +1,7 @@
1
1
  "use strict";
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
+ const require_secrets_keychain = require('../secrets/keychain.js');
4
5
  const require_secrets_find = require('../secrets/find.js');
5
6
 
6
7
  //#region src/ai/credentials.mts
@@ -20,11 +21,10 @@ const require_secrets_find = require('../secrets/find.js');
20
21
  * `undefined` immediately instead of triggering a keychain auth prompt. CI
21
22
  * sets the token as a GH-secret env var (e.g. `ANTHROPIC_API_KEY`); the same
22
23
  * `resolveProviderCredential` call reads it there with no keychain. proteus
23
- * hook-point: the forthcoming biometric credential daemon
24
- * (`.claude/plans/proteus-credential-broker.md`) slots in as a layer between
25
- * the env check and the keychain read inside `resolve()`'s implementation
26
- * call sites here do not change when it lands (resolver decision #4 in that
27
- * plan). This module is the stable seam.
24
+ * hook-point: the forthcoming biometric credential daemon slots in as a
25
+ * layer between the env check and the keychain read inside `resolve()`'s
26
+ * implementation call sites here do not change when it lands. This module
27
+ * is the stable seam.
28
28
  */
29
29
  const PROVIDER_CREDENTIALS = {
30
30
  __proto__: null,
@@ -50,6 +50,27 @@ const PROVIDER_CREDENTIALS = {
50
50
  }
51
51
  };
52
52
  /**
53
+ * Remove a provider's stored credential from the OS keychain — the same
54
+ * `{ service, account }` slot `resolveProviderCredential` reads. Returns
55
+ * `'removed'` when a value was deleted, `'absent'` when none was stored (or the
56
+ * platform has no keychain backend — delete degrades to a no-op rather than
57
+ * throwing, since "nothing to remove" is the same outcome either way).
58
+ *
59
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
60
+ */
61
+ async function deleteProviderCredential(options) {
62
+ const opts = {
63
+ __proto__: null,
64
+ ...options
65
+ };
66
+ const spec = PROVIDER_CREDENTIALS[opts.provider];
67
+ if (!spec) return "absent";
68
+ return await require_secrets_keychain.deleteSecret({
69
+ account: spec.tokenEnv,
70
+ service: spec.keychainService
71
+ });
72
+ }
73
+ /**
53
74
  * True when `value` names a provider with a resolvable credential.
54
75
  */
55
76
  function isCredentialProvider(value) {
@@ -75,8 +96,42 @@ async function resolveProviderCredential(options) {
75
96
  service: spec.keychainService
76
97
  }))?.value;
77
98
  }
99
+ /**
100
+ * Persist a provider's bearer token to the OS keychain — the SAME `{ service,
101
+ * account }` slot `resolveProviderCredential` reads (account == `tokenEnv`,
102
+ * service == the Socket-uniform `socketsecurity` scope), so a written token
103
+ * resolves on the next read without an env var.
104
+ *
105
+ * Keychain ONLY — this never writes a shell-rc export. That matters most for
106
+ * anthropic: a live `ANTHROPIC_API_KEY` env var overrides a Claude Max-seat
107
+ * OAuth session and silently flips the user to metered billing, so its token
108
+ * must live only in the keychain (read on demand), never exported. A setup
109
+ * wizard that rc-exports `FIREWORKS_API_KEY`/`SYNTHETIC_API_KEY` for
110
+ * convenience must still route anthropic here, keychain-only.
111
+ *
112
+ * Returns `'written'` | `'unchanged'` (idempotent — an identical stored value
113
+ * is a no-op). Throws when the OS has no keychain backend; a caller that wants
114
+ * to degrade gracefully should check `getBackendAvailability()` first.
115
+ */
116
+ async function writeProviderCredential(options) {
117
+ const opts = {
118
+ __proto__: null,
119
+ ...options
120
+ };
121
+ const spec = PROVIDER_CREDENTIALS[opts.provider];
122
+ if (!spec) throw new Error(`writeProviderCredential: unknown provider "${opts.provider}".`);
123
+ const backend = require_secrets_keychain.getBackendAvailability();
124
+ if (!backend.available) throw new Error(`writeProviderCredential: no OS keychain backend (${backend.toolName}) available to store the ${opts.provider} credential.` + (backend.installHint ? ` ${backend.installHint}` : ""));
125
+ return await require_secrets_keychain.writeSecret({
126
+ account: spec.tokenEnv,
127
+ service: spec.keychainService,
128
+ value: opts.value
129
+ });
130
+ }
78
131
 
79
132
  //#endregion
80
133
  exports.PROVIDER_CREDENTIALS = PROVIDER_CREDENTIALS;
134
+ exports.deleteProviderCredential = deleteProviderCredential;
81
135
  exports.isCredentialProvider = isCredentialProvider;
82
- exports.resolveProviderCredential = resolveProviderCredential;
136
+ exports.resolveProviderCredential = resolveProviderCredential;
137
+ exports.writeProviderCredential = writeProviderCredential;
@@ -43,12 +43,16 @@ export declare function discoverFresh(): DiscoveredAgents;
43
43
  *
44
44
  * Useful in fast paths where the caller has already populated the cache and
45
45
  * just wants to read it back.
46
+ *
47
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
46
48
  */
47
49
  export declare function getDiscoveredAiAgents(): DiscoveredAgents | undefined;
48
50
  export declare function readDiskCache(cachePath: string): DiscoveredAgents | undefined;
49
51
  /**
50
52
  * Reset the in-process cache. Tests use this; production callers shouldn't need
51
53
  * it (use `refresh: true` on discoverAiAgents()).
54
+ *
55
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
52
56
  */
53
57
  export declare function resetAiAgentDiscoveryCache(): void;
54
58
  export declare function writeDiskCache(cachePath: string, agents: DiscoveredAgents): Promise<void>;
@@ -87,6 +87,8 @@ function discoverFresh() {
87
87
  *
88
88
  * Useful in fast paths where the caller has already populated the cache and
89
89
  * just wants to read it back.
90
+ *
91
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
90
92
  */
91
93
  function getDiscoveredAiAgents() {
92
94
  return inProcessCache;
@@ -104,6 +106,8 @@ function readDiskCache(cachePath) {
104
106
  /**
105
107
  * Reset the in-process cache. Tests use this; production callers shouldn't need
106
108
  * it (use `refresh: true` on discoverAiAgents()).
109
+ *
110
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
107
111
  */
108
112
  function resetAiAgentDiscoveryCache() {
109
113
  inProcessCache = void 0;
@@ -3,7 +3,7 @@
3
3
  * WHICH model produced it (`ai/backends`). The lib owns the INTERFACE plus
4
4
  * the cheap built-in `real` runner (the host shell via lib `spawn`); a
5
5
  * SANDBOXED runner is INJECTED by the caller, never imported here. That keeps
6
- * the small-dist lib free of a heavy sandbox dependency — the fleet's sandbox
6
+ * the small-dist lib free of a heavy sandbox dependency — Socket's sandbox
7
7
  * of choice (`just-bash`, ~40MB incl. WASM) is owned by the wheelhouse hook /
8
8
  * CI tooling and passed in, so a lib consumer that never sandboxes pays
9
9
  * nothing. Layering: ExecRunner.run() — the injectable primitive (real |
package/dist/ai/exec.js CHANGED
@@ -10,7 +10,7 @@ const require_process_spawn_child = require('../process/spawn/child.js');
10
10
  * WHICH model produced it (`ai/backends`). The lib owns the INTERFACE plus
11
11
  * the cheap built-in `real` runner (the host shell via lib `spawn`); a
12
12
  * SANDBOXED runner is INJECTED by the caller, never imported here. That keeps
13
- * the small-dist lib free of a heavy sandbox dependency — the fleet's sandbox
13
+ * the small-dist lib free of a heavy sandbox dependency — Socket's sandbox
14
14
  * of choice (`just-bash`, ~40MB incl. WASM) is owned by the wheelhouse hook /
15
15
  * CI tooling and passed in, so a lib consumer that never sandboxes pays
16
16
  * nothing. Layering: ExecRunner.run() — the injectable primitive (real |
@@ -4,7 +4,7 @@
4
4
  * (`api.fireworks.ai`) and Synthetic (`api.synthetic.new`). The CLI path
5
5
  * (`spawn.mts`) drives an interactive agent binary; this path is for a
6
6
  * script/hook that needs a single completion from a model without an agent
7
- * harness (the way the local OpenCode setup reaches GLM-5.1 / Kimi-K2.5). Why
7
+ * harness (the way the local OpenCode setup reaches GLM-5.2 / Kimi-K2.6). Why
8
8
  * a separate module from `spawn.mts`: those are different surfaces. A CLI
9
9
  * agent gets tools + a permission mode + a working dir; an HTTP completion
10
10
  * gets a prompt + a model + (optionally) a reasoning effort and returns text.
@@ -13,10 +13,10 @@
13
13
  * function-calling surface — they're plain completions, so there's no agentic
14
14
  * capability to constrain. The token is read from the env var the provider
15
15
  * config names (`FIREWORKS_API_KEY` / `SYNTHETIC_API_KEY`), NEVER passed
16
- * inline, and never logged — same token-hygiene rule as the rest of the
17
- * fleet. A missing token throws with the exact env var to set. Wire format is
18
- * the OpenAI Chat Completions API (`POST {baseUrl}/chat/completions`), which
19
- * both providers implement.
16
+ * inline, and never logged — same token-hygiene rule as the rest of Socket. A
17
+ * missing token throws with the exact env var to set. Wire format is the
18
+ * OpenAI Chat Completions API (`POST {baseUrl}/chat/completions`), which both
19
+ * providers implement.
20
20
  */
21
21
  import type { AiEffort } from './types.mts';
22
22
  /**
@@ -47,8 +47,8 @@ export interface AiHttpCallOptions {
47
47
  */
48
48
  readonly provider: string | AiHttpProvider;
49
49
  /**
50
- * The provider's model id (e.g. `accounts/fireworks/models/glm-5p1`,
51
- * `hf:moonshotai/Kimi-K2.5`).
50
+ * The provider's model id (e.g. `accounts/fireworks/models/glm-5p2`,
51
+ * `hf:moonshotai/Kimi-K2.6`).
52
52
  */
53
53
  readonly model: string;
54
54
  /**
@@ -118,7 +118,7 @@ export declare function buildChatRequestBody(options: AiHttpCallOptions): string
118
118
  * ;```ts
119
119
  * const { text } = await callAiHttpModel({
120
120
  * provider: 'fireworks',
121
- * model: 'accounts/fireworks/models/glm-5p1',
121
+ * model: 'accounts/fireworks/models/glm-5p2',
122
122
  * prompt: 'Summarize this diff: …',
123
123
  * effort: 'high',
124
124
  * })