@socketsecurity/lib 6.0.8 → 6.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +28 -0
- package/README.md +8 -9
- package/dist/abort/signal.d.ts +1 -1
- package/dist/abort/signal.js +1 -1
- package/dist/ai/agent-context.d.mts +1 -1
- package/dist/ai/agent-context.js +3 -2
- package/dist/ai/backends.d.mts +3 -3
- package/dist/ai/backends.js +2 -2
- package/dist/ai/billing-context.d.mts +74 -0
- package/dist/ai/billing-context.js +129 -0
- package/dist/ai/credentials.d.mts +39 -5
- package/dist/ai/credentials.js +61 -6
- package/dist/ai/discover.d.mts +4 -0
- package/dist/ai/discover.js +4 -0
- package/dist/ai/exec.d.mts +1 -1
- package/dist/ai/exec.js +1 -1
- package/dist/ai/http.d.mts +8 -8
- package/dist/ai/http.js +6 -6
- package/dist/ai/profiles.d.mts +9 -10
- package/dist/ai/profiles.js +0 -5
- package/dist/ai/role.d.mts +58 -0
- package/dist/ai/role.js +96 -0
- package/dist/ai/route-heuristic.d.mts +177 -0
- package/dist/ai/route-heuristic.js +194 -0
- package/dist/ai/route.d.mts +31 -17
- package/dist/ai/route.js +35 -19
- package/dist/ai/spawn.d.mts +34 -1
- package/dist/ai/spawn.js +115 -3
- package/dist/ai/subagent-status.d.mts +2 -0
- package/dist/ai/subagent-status.js +2 -0
- package/dist/ai/tier.d.mts +1 -1
- package/dist/ai/types.d.mts +19 -2
- package/dist/ai/worktree.d.mts +1 -1
- package/dist/ai/worktree.js +3 -2
- package/dist/argv/parse.d.ts +2 -0
- package/dist/argv/parse.js +2 -0
- package/dist/bin/_internal.d.ts +1 -1
- package/dist/bin/_internal.js +1 -1
- package/dist/bin/prim.cjs +19253 -13937
- package/dist/bin/resolve.js +1 -1
- package/dist/bin/shadow.js +2 -1
- package/dist/bin/which.d.ts +28 -3
- package/dist/bin/which.js +45 -3
- package/dist/cacache/_internal.d.ts +10 -2
- package/dist/cacache/_internal.js +6 -10
- package/dist/cache/ttl/_internal.d.ts +33 -0
- package/dist/cache/ttl/_internal.js +68 -0
- package/dist/cache/ttl/browser.d.ts +56 -0
- package/dist/cache/ttl/browser.js +257 -0
- package/dist/cache/ttl/store.js +11 -34
- package/dist/cache/ttl/types.d.ts +46 -3
- package/dist/checks/primordials-defaults.d.ts +5 -5
- package/dist/checks/primordials-defaults.js +5 -5
- package/dist/checks/primordials.d.ts +1 -1
- package/dist/checks/primordials.js +25 -17
- package/dist/cli/check-primordials.d.ts +6 -1
- package/dist/cli/check-primordials.js +14 -5
- package/dist/cli/check.js +1 -1
- package/dist/cli/socket-lib.d.ts +1 -1
- package/dist/cli/socket-lib.js +3 -3
- package/dist/colors/socket-palette.d.ts +1 -1
- package/dist/compression/brotli.d.ts +6 -2
- package/dist/compression/brotli.js +5 -1
- package/dist/compression/gzip.d.ts +6 -2
- package/dist/compression/gzip.js +7 -2
- package/dist/config/layers.d.ts +53 -0
- package/dist/config/layers.js +83 -0
- package/dist/constants/agents.d.ts +3 -0
- package/dist/constants/agents.js +3 -0
- package/dist/constants/node.d.ts +14 -0
- package/dist/constants/node.js +14 -0
- package/dist/constants/package-default-node-range.js +1 -5
- package/dist/constants/packages.d.ts +5 -0
- package/dist/constants/packages.js +5 -0
- package/dist/constants/platform.d.ts +1 -1
- package/dist/constants/platform.js +1 -1
- package/dist/constants/socket.js +1 -1
- package/dist/constants/typescript.d.ts +5 -0
- package/dist/constants/typescript.js +5 -0
- package/dist/debug/_internal.d.ts +22 -7
- package/dist/debug/_internal.js +33 -15
- package/dist/debug/caller-info.js +1 -1
- package/dist/debug/namespace.js +11 -8
- package/dist/debug/output.d.ts +12 -1
- package/dist/debug/output.js +33 -16
- package/dist/dlx/binary-cache.js +1 -1
- package/dist/dlx/binary-resolution.js +8 -5
- package/dist/dlx/firewall.js +1 -1
- package/dist/dlx/lockfile.js +1 -1
- package/dist/eco/npm/npm/parse-lockfile.js +3 -2
- package/dist/eco/npm/vlt/exec.d.ts +1 -1
- package/dist/eco/npm/vlt/exec.js +1 -1
- package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +1 -1
- package/dist/env/agents.d.ts +6 -0
- package/dist/env/agents.js +29 -0
- package/dist/env/flags.d.ts +12 -0
- package/dist/env/flags.js +23 -0
- package/dist/env/github-status.js +2 -2
- package/dist/env/providers.d.ts +6 -0
- package/dist/env/providers.js +23 -0
- package/dist/env/proxy.js +1 -1
- package/dist/env/rewire.d.ts +37 -3
- package/dist/env/rewire.js +60 -29
- package/dist/env/runtimes.d.ts +9 -0
- package/dist/env/runtimes.js +53 -0
- package/dist/env/socket-cli.d.ts +5 -2
- package/dist/env/socket-cli.js +6 -3
- package/dist/env/xdg.d.ts +17 -0
- package/dist/env/xdg.js +21 -1
- package/dist/errors/predicates.d.ts +3 -2
- package/dist/errors/predicates.js +5 -3
- package/dist/events/exit/_internal.d.ts +1 -23
- package/dist/external/@npmcli/package-json.js +3570 -4905
- package/dist/external/@npmcli/promise-spawn.js +2 -2
- package/dist/external/@sinclair/typebox/value.js +5 -4
- package/dist/external/@socketregistry/yocto-spinner.js +3 -3
- package/dist/external/@yarnpkg/extensions.js +1 -1
- package/dist/external/adm-zip.d.ts +82 -0
- package/dist/external/adm-zip.js +2 -2
- package/dist/external/cacache.d.ts +87 -0
- package/dist/external/debug.d.ts +22 -0
- package/dist/external/debug.js +11 -4
- package/dist/external/del.d.ts +1 -0
- package/dist/external/external-pack.d.ts +12 -0
- package/dist/external/external-pack.js +42 -35
- package/dist/external/fast-glob.d.ts +8 -0
- package/dist/external/fast-sort.d.ts +1 -0
- package/dist/external/get-east-asian-width.d.ts +5 -0
- package/dist/external/get-east-asian-width.js +8 -1
- package/dist/external/has-flag.d.ts +1 -0
- package/dist/external/inquirer-pack.d.ts +18 -0
- package/dist/external/libnpmexec.d.ts +35 -0
- package/dist/external/libnpmpack.d.ts +1 -0
- package/dist/external/make-fetch-happen.d.ts +13 -0
- package/dist/external/normalize-package-data.d.ts +4 -0
- package/dist/external/npm-core.d.ts +14 -0
- package/dist/external/npm-pack.d.ts +24 -0
- package/dist/external/npm-pack.js +28934 -31885
- package/dist/external/npm-package-arg.d.ts +4 -0
- package/dist/external/p-map.js +8 -1
- package/dist/external/pacote.d.ts +15 -0
- package/dist/external/pico-pack.d.ts +16 -0
- package/dist/external/pico-pack.js +38 -23
- package/dist/external/picomatch.d.ts +96 -0
- package/dist/external/pony-cause.d.ts +14 -0
- package/dist/external/semver.d.ts +60 -0
- package/dist/external/semver.js +1459 -4
- package/dist/external/shell-quote.d.ts +51 -0
- package/dist/external/shell-quote.js +55 -15
- package/dist/external/signal-exit.d.ts +1 -0
- package/dist/external/spdx-correct.d.ts +4 -0
- package/dist/external/spdx-expression-parse.d.ts +4 -0
- package/dist/external/spdx-pack.d.ts +10 -0
- package/dist/external/std-env.d.ts +284 -0
- package/dist/external/std-env.js +323 -0
- package/dist/external/streaming-iterables.d.ts +11 -0
- package/dist/external/supports-color.d.ts +1 -0
- package/dist/external/tar-fs.d.ts +31 -0
- package/dist/external/tar-fs.js +63 -16
- package/dist/external/validate-npm-package-name.d.ts +4 -0
- package/dist/external/which.d.ts +25 -0
- package/dist/external/which.js +2 -2
- package/dist/external/yargs-parser.d.ts +2 -0
- package/dist/external/yargs-parser.js +11 -3
- package/dist/external/yoctocolors-cjs.d.ts +51 -0
- package/dist/external-tools/bazel/asset-names.d.ts +1 -1
- package/dist/external-tools/bazel/from-download.d.ts +1 -1
- package/dist/external-tools/bazel/resolve.d.ts +3 -0
- package/dist/external-tools/bazel/resolve.js +3 -0
- package/dist/external-tools/cdxgen/asset-names.d.ts +5 -5
- package/dist/external-tools/cdxgen/asset-names.js +3 -3
- package/dist/external-tools/cdxgen/from-download.d.ts +2 -2
- package/dist/external-tools/cdxgen/from-download.js +1 -1
- package/dist/external-tools/cdxgen/resolve.d.ts +4 -1
- package/dist/external-tools/cdxgen/resolve.js +4 -1
- package/dist/external-tools/cdxgen/types.d.ts +1 -1
- package/dist/external-tools/from-download.d.ts +2 -2
- package/dist/external-tools/from-download.js +1 -1
- package/dist/external-tools/janus/asset-names.d.ts +4 -1
- package/dist/external-tools/janus/asset-names.js +3 -0
- package/dist/external-tools/janus/from-download.d.ts +3 -3
- package/dist/external-tools/janus/from-download.js +2 -2
- package/dist/external-tools/janus/resolve.d.ts +3 -0
- package/dist/external-tools/janus/resolve.js +3 -0
- package/dist/external-tools/jre/asset-names.d.ts +3 -1
- package/dist/external-tools/jre/asset-names.js +2 -0
- package/dist/external-tools/jre/detect-platform-arch.js +1 -1
- package/dist/external-tools/jre/from-download.d.ts +1 -1
- package/dist/external-tools/manifest.d.ts +5 -3
- package/dist/external-tools/manifest.js +5 -3
- package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
- package/dist/external-tools/opengrep/resolve.d.ts +3 -0
- package/dist/external-tools/opengrep/resolve.js +3 -0
- package/dist/external-tools/python/asset-names.d.ts +3 -1
- package/dist/external-tools/python/asset-names.js +8 -4
- package/dist/external-tools/python/pin.js +3 -1
- package/dist/external-tools/python/resolve.d.ts +3 -0
- package/dist/external-tools/python/resolve.js +3 -0
- package/dist/external-tools/python/uv-install.d.ts +89 -0
- package/dist/external-tools/python/uv-install.js +165 -0
- package/dist/external-tools/sbt/resolve.d.ts +3 -0
- package/dist/external-tools/sbt/resolve.js +3 -0
- package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
- package/dist/external-tools/skillspector/from-uv.js +56 -0
- package/dist/external-tools/skillspector/resolve.d.ts +18 -3
- package/dist/external-tools/skillspector/resolve.js +21 -8
- package/dist/external-tools/skillspector/types.d.ts +3 -1
- package/dist/external-tools/synp/resolve.d.ts +3 -0
- package/dist/external-tools/synp/resolve.js +3 -0
- package/dist/external-tools/trivy/asset-names.d.ts +1 -1
- package/dist/external-tools/trivy/resolve.d.ts +3 -0
- package/dist/external-tools/trivy/resolve.js +3 -0
- package/dist/external-tools/trufflehog/asset-names.d.ts +4 -1
- package/dist/external-tools/trufflehog/asset-names.js +3 -0
- package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
- package/dist/external-tools/trufflehog/resolve.d.ts +3 -0
- package/dist/external-tools/trufflehog/resolve.js +3 -0
- package/dist/external-tools/uv/asset-names.d.ts +36 -0
- package/dist/external-tools/uv/asset-names.js +73 -0
- package/dist/external-tools/uv/from-download.d.ts +17 -0
- package/dist/external-tools/uv/from-download.js +50 -0
- package/dist/external-tools/uv/from-path.d.ts +5 -0
- package/dist/external-tools/uv/from-path.js +22 -0
- package/dist/external-tools/uv/from-vfs.d.ts +7 -0
- package/dist/external-tools/uv/from-vfs.js +26 -0
- package/dist/external-tools/uv/resolve.d.ts +28 -0
- package/dist/external-tools/uv/resolve.js +64 -0
- package/dist/external-tools/uv/types.d.ts +24 -0
- package/dist/external-tools/uv/types.js +2 -0
- package/dist/fleet/repo-config.d.ts +55 -0
- package/dist/fleet/repo-config.js +81 -0
- package/dist/fs/_internal.d.ts +1 -1
- package/dist/fs/_internal.js +1 -1
- package/dist/fs/access.d.ts +2 -0
- package/dist/fs/access.js +2 -0
- package/dist/fs/copy.d.ts +88 -0
- package/dist/fs/copy.js +89 -0
- package/dist/fs/find.js +1 -2
- package/dist/fs/inspect.d.ts +2 -2
- package/dist/fs/read-file.js +3 -4
- package/dist/fs/safe.js +2 -2
- package/dist/git/_internal.js +7 -3
- package/dist/github/commit.d.ts +92 -0
- package/dist/github/commit.js +113 -0
- package/dist/github/ghsa.js +1 -1
- package/dist/github/refs-graphql.js +1 -1
- package/dist/github/refs.js +10 -15
- package/dist/github/request.js +1 -1
- package/dist/github/token.d.ts +5 -2
- package/dist/github/token.js +6 -4
- package/dist/github/workflow-runs.d.ts +107 -0
- package/dist/github/workflow-runs.js +98 -0
- package/dist/globs/_internal.js +1 -1
- package/dist/http-request/_internal.d.ts +1 -1
- package/dist/http-request/browser.d.ts +6 -0
- package/dist/http-request/browser.js +4 -3
- package/dist/http-request/checksum-file.js +1 -1
- package/dist/http-request/download.js +2 -0
- package/dist/http-request/headers.d.ts +1 -1
- package/dist/http-request/headers.js +2 -2
- package/dist/http-request/request-attempt.js +6 -3
- package/dist/http-request/request-types.d.ts +10 -1
- package/dist/http-request/request.js +2 -2
- package/dist/http-request/user-agent.d.ts +23 -2
- package/dist/http-request/user-agent.js +48 -6
- package/dist/integrity.d.ts +127 -78
- package/dist/integrity.js +170 -84
- package/dist/json/format.js +4 -1
- package/dist/logger/_internal.d.ts +13 -15
- package/dist/logger/_internal.js +21 -21
- package/dist/logger/colors.d.ts +10 -5
- package/dist/logger/colors.js +7 -14
- package/dist/logger/console-methods.js +2 -2
- package/dist/logger/console.d.ts +1 -0
- package/dist/logger/console.js +9 -9
- package/dist/logger/node.js +2 -1
- package/dist/logger/symbols-builder.js +7 -8
- package/dist/logger/symbols.js +8 -8
- package/dist/native-messaging/install.js +1 -1
- package/dist/native-messaging/rate-limit.d.ts +4 -1
- package/dist/native-messaging/rate-limit.js +4 -1
- package/dist/node/events.d.ts +3 -0
- package/dist/node/events.js +3 -0
- package/dist/node/fs.d.ts +1 -1
- package/dist/node/module.d.ts +73 -2
- package/dist/node/module.js +97 -12
- package/dist/node/timers-promises.d.ts +3 -0
- package/dist/node/timers-promises.js +3 -0
- package/dist/node/url.d.ts +3 -0
- package/dist/node/url.js +3 -0
- package/dist/npm/meta-cache.d.ts +183 -0
- package/dist/npm/meta-cache.js +318 -0
- package/dist/npm/meta-slice.d.ts +27 -0
- package/dist/npm/meta-slice.js +68 -0
- package/dist/npm/meta-types.d.ts +282 -0
- package/dist/npm/meta-types.js +2 -0
- package/dist/npm/meta.d.ts +125 -0
- package/dist/npm/meta.js +347 -0
- package/dist/npm/registry.d.ts +212 -0
- package/dist/npm/registry.js +284 -0
- package/dist/objects/getters.d.ts +1 -1
- package/dist/objects/getters.js +1 -1
- package/dist/objects/predicates.js +1 -1
- package/dist/packages/exports.js +2 -2
- package/dist/packages/isolation.js +1 -1
- package/dist/packages/manifest.d.ts +29 -0
- package/dist/packages/manifest.js +44 -9
- package/dist/packages/metadata-extensions.js +2 -4
- package/dist/packages/normalize.js +1 -1
- package/dist/packages/provenance.d.ts +8 -0
- package/dist/packages/provenance.js +10 -2
- package/dist/packages/specs.js +1 -1
- package/dist/packages/tarball.js +1 -2
- package/dist/packages/validation.d.ts +0 -10
- package/dist/packages/validation.js +0 -14
- package/dist/paths/_internal.d.ts +1 -7
- package/dist/paths/_internal.js +9 -15
- package/dist/paths/conversion.js +1 -1
- package/dist/paths/exts.d.ts +30 -0
- package/dist/paths/exts.js +30 -0
- package/dist/paths/filenames.d.ts +6 -0
- package/dist/paths/filenames.js +6 -0
- package/dist/paths/globs.d.ts +6 -0
- package/dist/paths/globs.js +6 -0
- package/dist/paths/normalize.js +1 -1
- package/dist/paths/predicates.js +2 -1
- package/dist/paths/resolve.js +19 -14
- package/dist/paths/socket.d.ts +81 -30
- package/dist/paths/socket.js +102 -28
- package/dist/perf/metrics.js +1 -1
- package/dist/perf/report.js +5 -3
- package/dist/pkg-ext/data.js +0 -2
- package/dist/primordials/globals.d.ts +1 -1
- package/dist/primordials/globals.js +1 -1
- package/dist/primordials/headers.d.ts +13 -1
- package/dist/primordials/headers.js +13 -1
- package/dist/primordials/process.d.ts +1 -1
- package/dist/primordials/process.js +1 -1
- package/dist/primordials/url.d.ts +18 -0
- package/dist/primordials/url.js +18 -0
- package/dist/process/spawn/child.js +3 -5
- package/dist/promises/_internal.d.ts +1 -1
- package/dist/promises/_internal.js +1 -2
- package/dist/promises/options.js +3 -3
- package/dist/regexps/spec.js +1 -1
- package/dist/releases/socket-btm-binary-naming.js +12 -1
- package/dist/schema/validate.js +1 -1
- package/dist/secrets/_internal.d.ts +1 -1
- package/dist/secrets/_internal.js +1 -1
- package/dist/secrets/broker.d.ts +35 -0
- package/dist/secrets/broker.js +72 -0
- package/dist/secrets/find.d.ts +8 -6
- package/dist/secrets/find.js +17 -3
- package/dist/secrets/keychain.d.ts +10 -1
- package/dist/secrets/keychain.js +10 -1
- package/dist/secrets/rc.js +1 -1
- package/dist/secrets/socket-api-token.d.ts +1 -1
- package/dist/secrets/socket-api-token.js +1 -1
- package/dist/secrets/types.d.ts +1 -1
- package/dist/smol/detect.js +1 -1
- package/dist/smol/http.d.ts +2 -0
- package/dist/smol/http.js +3 -1
- package/dist/smol/https.d.ts +2 -0
- package/dist/smol/https.js +3 -1
- package/dist/smol/manifest.js +1 -1
- package/dist/smol/path.js +1 -1
- package/dist/smol/primordial.js +1 -1
- package/dist/smol/purl.js +1 -1
- package/dist/smol/versions.js +1 -1
- package/dist/smol/vfs.js +1 -1
- package/dist/sorts/_internal.d.ts +2 -4
- package/dist/sorts/_internal.js +1 -7
- package/dist/sorts/semver.js +2 -2
- package/dist/spinner/create-spinner-class.js +1 -1
- package/dist/spinner/format.js +2 -4
- package/dist/stdio/footer.js +8 -7
- package/dist/stdio/progress.js +1 -1
- package/dist/stdio/prompts.d.ts +8 -23
- package/dist/stdio/prompts.js +28 -52
- package/dist/strings/format.js +1 -1
- package/dist/strings/predicates.d.ts +2 -2
- package/dist/strings/search.js +2 -2
- package/dist/strings/types.d.ts +4 -0
- package/dist/strings/width.d.ts +1 -0
- package/dist/strings/width.js +17 -8
- package/dist/themes/context.d.ts +18 -3
- package/dist/themes/context.js +28 -14
- package/dist/versions/_internal.d.ts +43 -13
- package/dist/versions/_internal.js +27 -15
- package/dist/versions/compare.d.ts +16 -10
- package/dist/versions/compare.js +36 -16
- package/dist/versions/parse.js +1 -1
- package/dist/versions/range.js +3 -2
- package/dist/words/pluralize.js +4 -1
- package/llms.txt +63 -0
- package/package.json +271 -40
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,34 @@ All notable changes to this project will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [6.0.10](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.10) - 2026-07-13
|
|
9
|
+
|
|
10
|
+
### Fixed
|
|
11
|
+
|
|
12
|
+
- **`stdio/footer`** — lazy-load colors so import survives --build-snapshot
|
|
13
|
+
|
|
14
|
+
## [6.0.9](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.9) - 2026-06-18
|
|
15
|
+
|
|
16
|
+
### Added
|
|
17
|
+
|
|
18
|
+
- **`external-tools/uv` — uv resolver.** Resolves Astral's `uv` Python package manager across three tiers (embedded VFS, then system PATH, then a downloaded GitHub release), matching the shape of the other `external-tools/*` tool resolvers. Exports `resolveUv`, `ResolvedUv`, `UvSource`, plus the per-platform asset map and download helpers.
|
|
19
|
+
- **`external-tools/python/uv-install` — reproducible uv-project install helpers.** `uvSyncProject` installs a uv project at its exact pinned versions and refuses to proceed when those have drifted, so every machine gets the same result. `uvExportMaterialize` installs the same pinned versions into a content-addressed directory with no virtualenv, so the result is relocatable and embeddable in a single-file build. Concurrent callers serialize so two installs can't collide. The Python analog of the npm dlx install model.
|
|
20
|
+
- **`external-tools/skillspector` — pinned-project resolution tier.** `skillspectorFromUv` installs SkillSpector from a fully pinned uv project (every version fixed) and returns its entry point, resolved ahead of the existing git-SHA fallback when a project directory and `uv` binary are supplied. Adds a `'uv'` source to the resolution result.
|
|
21
|
+
- **`config/layers` — generic layered-config reader.** `readConfigLayers(name, { dirs })` reads a named config file from an ordered list of layer directories (lowest precedence first) and returns the layers that exist; absent or unparseable layers are skipped. `mergeConfigArray` concatenates one array-valued key across all layers, for lists that higher layers extend rather than replace. It carries no project-convention knowledge: the caller supplies the directories and the merge policy.
|
|
22
|
+
- **`paths` — `_wheelhouse` tool-layout dirs and the agent-clone dir.** `getSocketRackDir` and `getSocketRackToolDir` locate the racked tool store, `getSocketWheelhouseBinDir` the PATH-handle directory that points into it, and `getSocketRepoClonesDir` the directory where agents clone external repos for reference (kept out of the projects tree so sibling-walking tooling never treats a clone as a fleet member).
|
|
23
|
+
- **`ai` — offline/gated-model detection and fall-over.** `spawnTierWithFallback` walks a tier's cross-engine equivalence chain and runs the first engine that is both installed and authenticated, so a request still completes when the preferred model is down, gated, or unkeyed. `isModelUnavailable` recognizes a down-or-gated model from the engine's actual output rather than a brittle literal-string match. The `ai/route` resolver and `ai/subagent-status` reader are exposed as their own entry points.
|
|
24
|
+
- **`fs/copy` — recursive copy with three destination modes.** `copy(from, to, { mode })` copies a file or directory tree. `CopyMode` chooses how an existing destination is treated: `'overlay'` (the default: overwrite collisions, keep destination-only files), `'pave'` (the destination becomes an exact mirror of the source via an atomic sibling-temp-then-rename swap, so no stale files survive and a partial tree is never observed), or `'fill'` (no-clobber: add only what is missing, never overwrite). Also accepts `filter`, `dereference`, and an abort `signal`.
|
|
25
|
+
- **`node/requireFrom` — relative `require` bound to the caller's directory.** `requireFrom(fromUrl, specifier)` resolves a relative specifier (`./x`, `../y`) from the caller's own directory, passed as `import.meta.url`, so relative loads bind to the right base when modules run unbundled (for example AOT-compiled from source, where each module sits at its own nested path). Builtins and bare packages resolve as before.
|
|
26
|
+
- **`secrets` — proteus broker credential tier.** The credential resolver gains a broker layer in the documented order (explicit, then env, then broker, then keychain): it connects to the broker's runtime socket, requests the value, and self-gates. No socket means no broker, so it returns `undefined` and falls through to the keychain. Async only (absent from `resolveSync`) and skipped under `allowEnvOnly`. Existing `resolveProviderCredential` call sites are unchanged.
|
|
27
|
+
- **`paths` — `getRuntimeSocketPath` and `getXdgRuntimeDir` for daemon sockets.** One resolver a daemon and its clients both call to locate a runtime socket: the XDG runtime dir when present, a `$TMPDIR/<name>-<uid>` fallback, or a named pipe on Windows.
|
|
28
|
+
- **`llms.txt` — discovery index for AI agents.** `pnpm run docs` now also emits a publish-safe `llms.txt` at the package root that links each export subpath to its shipped `.d.mts` declaration, giving an agent one file to read after installing. It ships in the published tarball.
|
|
29
|
+
- **`packages/manifest` — `trimPublishManifest`.** Returns a shallow copy of a `package.json` that omits dev/build-only top-level fields (`devDependencies`, `scripts` by default) so a published tarball and its npm metadata stay lean. `drop` overrides the field set; `keep` retains a field even when dropped (e.g. a runtime `postinstall`). The original object is left intact.
|
|
30
|
+
|
|
31
|
+
### Changed
|
|
32
|
+
|
|
33
|
+
- **`integrity` — one `Hash` currency (breaking).** Hashes are modeled as a single concept, a `Hash` carrying algorithm, hex, and sri, rather than an integrity-vs-checksum type duality, so the algorithm is explicit on every value. Adds `parseHash` (encoding- and length-aware), `computeHash` (sha512 default), `verifyHash(bytes, expected)` (verifies against the expected hash's declared algorithm), `equalHashes` (encoding-agnostic, and never equal across algorithms), `makeHash`, and `HashMismatchError`. Breaking: `verifyHash` now takes `(bytes, expected)`, not `(expected, computed)`, and `DlxHashMismatchError` is a deprecated alias of `HashMismatchError`. Back-compat shims remain: `checksumToIntegrity`, `integrityToChecksum`, `normalizeHash`, `computeHashes`, `isChecksum`, `isIntegrity`, `parseIntegrity`.
|
|
34
|
+
- **`fleet/repo-config` is now a thin wrapper over `config/layers`.** `resolveRepoConfig` (the fleet default layered under a per-repo override) and `mergeRepoConfigArray` stay at `fleet/repo-config`; the generic, convention-free primitives moved to the new `config/layers` entry. `resolveRepoConfig` callers see no behavior change.
|
|
35
|
+
|
|
8
36
|
## [6.0.8](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.8) - 2026-06-11
|
|
9
37
|
|
|
10
38
|
### Added
|
package/README.md
CHANGED
|
@@ -1,11 +1,10 @@
|
|
|
1
1
|
# @socketsecurity/lib
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-

|
|
3
|
+
<a href="https://socket.dev/npm/package/@socketsecurity/lib"><img src="https://socket.dev/api/badge/npm/package/@socketsecurity/lib" alt="Socket Badge" height="20"></a>
|
|
4
|
+

|
|
6
5
|
|
|
7
|
-
[](https://twitter.com/SocketSecurity)
|
|
7
|
+
[](https://bsky.app/profile/socket.dev)
|
|
9
8
|
|
|
10
9
|
Core utilities for [Socket.dev](https://socket.dev/) tools: file system, processes, HTTP, env detection, logging, spinners, and more. Tree-shakeable, TypeScript-first, cross-platform.
|
|
11
10
|
|
|
@@ -22,8 +21,8 @@ pnpm add @socketsecurity/lib
|
|
|
22
21
|
## Usage
|
|
23
22
|
|
|
24
23
|
```typescript
|
|
25
|
-
import { Spinner } from '@socketsecurity/lib/spinner'
|
|
26
|
-
import { readJson } from '@socketsecurity/lib/fs'
|
|
24
|
+
import { Spinner } from '@socketsecurity/lib/spinner/spinner'
|
|
25
|
+
import { readJson } from '@socketsecurity/lib/fs/read-json'
|
|
27
26
|
|
|
28
27
|
const spinner = Spinner({ text: 'Loading…' })
|
|
29
28
|
spinner.start()
|
|
@@ -34,9 +33,9 @@ spinner.successAndStop(`Loaded ${pkg.name}@${pkg.version}`)
|
|
|
34
33
|
Every export lives under a subpath — pick what you need:
|
|
35
34
|
|
|
36
35
|
```typescript
|
|
37
|
-
import { spawn } from '@socketsecurity/lib/spawn'
|
|
36
|
+
import { spawn } from '@socketsecurity/lib/process/spawn/child'
|
|
38
37
|
import { httpJson } from '@socketsecurity/lib/http-request'
|
|
39
|
-
import { safeDelete } from '@socketsecurity/lib/fs'
|
|
38
|
+
import { safeDelete } from '@socketsecurity/lib/fs/safe'
|
|
40
39
|
```
|
|
41
40
|
|
|
42
41
|
Start with the [API reference](./docs/api.md) — every subpath export with a one-line description.
|
package/dist/abort/signal.d.ts
CHANGED
|
@@ -19,7 +19,7 @@ export declare function createCompositeAbortSignal(...signals: Array<AbortSignal
|
|
|
19
19
|
* @example
|
|
20
20
|
* ;```typescript
|
|
21
21
|
* const signal = createTimeoutSignal(5000) // aborts after 5 seconds
|
|
22
|
-
*
|
|
22
|
+
* httpJson(url, { signal })
|
|
23
23
|
* ```
|
|
24
24
|
*
|
|
25
25
|
* @throws {TypeError} If `ms` is not a number, is NaN, is not finite, or is not
|
package/dist/abort/signal.js
CHANGED
|
@@ -40,7 +40,7 @@ function createCompositeAbortSignal(...signals) {
|
|
|
40
40
|
* @example
|
|
41
41
|
* ;```typescript
|
|
42
42
|
* const signal = createTimeoutSignal(5000) // aborts after 5 seconds
|
|
43
|
-
*
|
|
43
|
+
* httpJson(url, { signal })
|
|
44
44
|
* ```
|
|
45
45
|
*
|
|
46
46
|
* @throws {TypeError} If `ms` is not a number, is NaN, is not finite, or is not
|
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
* the human-authored AGENTS.md. So `agentPaths(...).memoryDir` is defined
|
|
23
23
|
* only for `claude`; for the others it is `undefined` (there is no memory
|
|
24
24
|
* dir to point at), and the shared cross-tool memory surface is the
|
|
25
|
-
* committed AGENTS.md (which
|
|
25
|
+
* committed AGENTS.md (which Socket symlinks to CLAUDE.md).
|
|
26
26
|
*/
|
|
27
27
|
import type { AiAgentName } from './types.mts';
|
|
28
28
|
/**
|
package/dist/ai/agent-context.js
CHANGED
|
@@ -6,6 +6,7 @@ const require_constants_platform = require('../constants/platform.js');
|
|
|
6
6
|
const require_env_rewire = require('../env/rewire.js');
|
|
7
7
|
const require_env_home = require('../env/home.js');
|
|
8
8
|
const require_env_xdg = require('../env/xdg.js');
|
|
9
|
+
const require_paths_normalize = require('../paths/normalize.js');
|
|
9
10
|
let node_path = require("node:path");
|
|
10
11
|
node_path = require_runtime.__toESM(node_path, 1);
|
|
11
12
|
|
|
@@ -34,7 +35,7 @@ node_path = require_runtime.__toESM(node_path, 1);
|
|
|
34
35
|
* the human-authored AGENTS.md. So `agentPaths(...).memoryDir` is defined
|
|
35
36
|
* only for `claude`; for the others it is `undefined` (there is no memory
|
|
36
37
|
* dir to point at), and the shared cross-tool memory surface is the
|
|
37
|
-
* committed AGENTS.md (which
|
|
38
|
+
* committed AGENTS.md (which Socket symlinks to CLAUDE.md).
|
|
38
39
|
*/
|
|
39
40
|
function agentFromAiAgentEnv(value) {
|
|
40
41
|
const lower = value.toLowerCase();
|
|
@@ -76,7 +77,7 @@ function agentPaths(agent, options) {
|
|
|
76
77
|
return {
|
|
77
78
|
agent,
|
|
78
79
|
configDir,
|
|
79
|
-
memoryDir: cwd ? node_path.default.join(configDir, "projects", cwd.replace(
|
|
80
|
+
memoryDir: cwd ? node_path.default.join(configDir, "projects", require_paths_normalize.normalizePath(cwd).replace(/\//g, "-"), "memory") : void 0
|
|
80
81
|
};
|
|
81
82
|
}
|
|
82
83
|
case "codex": return {
|
package/dist/ai/backends.d.mts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* @file Multi-agent CLI backend registry + role routing.
|
|
2
|
+
* @file Multi-agent CLI backend registry + role routing. Socket's review /
|
|
3
3
|
* scan / fix skills delegate work to whichever agent CLIs are installed
|
|
4
4
|
* (`codex`, `claude`, `kimi`, `opencode`), falling back through a per-role
|
|
5
5
|
* preference order and skipping a pass when nothing usable is present. Before
|
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
* attribution accurate.
|
|
23
23
|
*/
|
|
24
24
|
/**
|
|
25
|
-
* A CLI backend
|
|
25
|
+
* A CLI backend Socket can delegate a pass to.
|
|
26
26
|
*/
|
|
27
27
|
export type BackendName = 'claude' | 'codex' | 'kimi' | 'opencode';
|
|
28
28
|
/**
|
|
@@ -73,7 +73,7 @@ export interface ResolveBackendOptions {
|
|
|
73
73
|
readonly override?: BackendName | undefined;
|
|
74
74
|
}
|
|
75
75
|
/**
|
|
76
|
-
* Resolve which backend runs a pass, encoding
|
|
76
|
+
* Resolve which backend runs a pass, encoding Socket's detection policy
|
|
77
77
|
* (`_shared/multi-agent-backends.md`): an installed explicit override wins;
|
|
78
78
|
* else the first installed non-hybrid entry in the preference order; else
|
|
79
79
|
* nothing (skip the pass). Pure — returns the decision + why, never logs. An
|
package/dist/ai/backends.js
CHANGED
|
@@ -6,7 +6,7 @@ const require_ai_spawn = require('./spawn.js');
|
|
|
6
6
|
|
|
7
7
|
//#region src/ai/backends.mts
|
|
8
8
|
/**
|
|
9
|
-
* @file Multi-agent CLI backend registry + role routing.
|
|
9
|
+
* @file Multi-agent CLI backend registry + role routing. Socket's review /
|
|
10
10
|
* scan / fix skills delegate work to whichever agent CLIs are installed
|
|
11
11
|
* (`codex`, `claude`, `kimi`, `opencode`), falling back through a per-role
|
|
12
12
|
* preference order and skipping a pass when nothing usable is present. Before
|
|
@@ -131,7 +131,7 @@ async function isCommandAvailable(bin) {
|
|
|
131
131
|
return await require_bin_which.which(bin) !== null;
|
|
132
132
|
}
|
|
133
133
|
/**
|
|
134
|
-
* Resolve which backend runs a pass, encoding
|
|
134
|
+
* Resolve which backend runs a pass, encoding Socket's detection policy
|
|
135
135
|
* (`_shared/multi-agent-backends.md`): an installed explicit override wins;
|
|
136
136
|
* else the first installed non-hybrid entry in the preference order; else
|
|
137
137
|
* nothing (skip the pass). Pure — returns the decision + why, never logs. An
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @file Build a `BillingContext` for the route-heuristic WITHOUT privileged
|
|
3
|
+
* lookups. A normal user has no Admin key (`sk-ant-admin01-`), so we cannot
|
|
4
|
+
* read org spend / quota — the Anthropic Cost API is admin-gated — and that
|
|
5
|
+
* is an accepted limitation, not something to engineer around. So this layer
|
|
6
|
+
* does NO network call and NO privileged probe. It uses only what a user
|
|
7
|
+
* actually has: which provider credentials resolve (the same env → keychain
|
|
8
|
+
* check that builds `RouteContext.keyed`, non-admin), tags each with its
|
|
9
|
+
* INHERENT billing kind (a metered API, a flat-rate plan, a subscription seat
|
|
10
|
+
* — the provider's nature, overridable by config), and leaves `headroom`
|
|
11
|
+
* undefined. Undefined headroom means the heuristic routes REACTIVELY: it
|
|
12
|
+
* falls over on a 429 / quota error at spawn time (`isQuotaExhausted` in
|
|
13
|
+
* `spawn.mts`), rather than predicting a cap it has no privilege to read. A
|
|
14
|
+
* caller that DOES have a non-privileged quota endpoint (e.g. Synthetic
|
|
15
|
+
* `/v2/quotas` with the ordinary key) may pass best-effort `headroom` in —
|
|
16
|
+
* but nothing here requires it, and no privileged reader is built or wired.
|
|
17
|
+
*/
|
|
18
|
+
import type { CredentialProvider } from './credentials.mts';
|
|
19
|
+
import type { BillingContext, BillingHeadroom, BillingKind, RoutingEnv } from './route-heuristic.mts';
|
|
20
|
+
/**
|
|
21
|
+
* Inherent billing model per provider — the provider's NATURE, not anyone's
|
|
22
|
+
* account or limit. A metered pay-per-token API (`anthropic` with an API key,
|
|
23
|
+
* `fireworks`, `xai`), a flat-rate plan (`synthetic`), or a subscription seat
|
|
24
|
+
* (`openai` via a ChatGPT/Codex seat). These are DEFAULTS only: a caller
|
|
25
|
+
* overrides per provider via the `kinds` option — e.g. a user whose Anthropic
|
|
26
|
+
* access is a Claude Max seat (no API key) marks `anthropic` as `subscription`.
|
|
27
|
+
* No dollar figures here; only the kind, which decides dollars-vs-headroom.
|
|
28
|
+
*/
|
|
29
|
+
export declare const DEFAULT_PROVIDER_KIND: Readonly<Record<CredentialProvider, BillingKind>>;
|
|
30
|
+
export interface BillingFromKeyedOptions {
|
|
31
|
+
readonly keyed: ReadonlySet<CredentialProvider>;
|
|
32
|
+
readonly kinds?: Readonly<Partial<Record<CredentialProvider, BillingKind>>> | undefined;
|
|
33
|
+
readonly headroom?: Readonly<Partial<Record<CredentialProvider, BillingHeadroom>>> | undefined;
|
|
34
|
+
}
|
|
35
|
+
/**
|
|
36
|
+
* Turn an already-probed set of keyed providers into a `BillingContext`,
|
|
37
|
+
* tagging each with its kind (config override → inherent default) and any
|
|
38
|
+
* caller-supplied best-effort headroom. Pure: no I/O, no privileged lookup. A
|
|
39
|
+
* provider with no known kind is skipped rather than given an undefined kind.
|
|
40
|
+
*/
|
|
41
|
+
export declare function billingFromKeyed(options: BillingFromKeyedOptions): BillingContext;
|
|
42
|
+
/**
|
|
43
|
+
* Detect whether routing runs in locked-down CI (restricted to the secrets
|
|
44
|
+
* actually present, under the four-flag lockdown) or local dev (full freedom).
|
|
45
|
+
* CI when the standard `CI` env var is set; `local` otherwise.
|
|
46
|
+
*/
|
|
47
|
+
export declare function detectRoutingEnv(): RoutingEnv;
|
|
48
|
+
export interface DiscoverBillingOptions {
|
|
49
|
+
readonly allowEnvOnly?: boolean | undefined;
|
|
50
|
+
readonly env?: RoutingEnv | undefined;
|
|
51
|
+
readonly headroom?: Readonly<Partial<Record<CredentialProvider, BillingHeadroom>>> | undefined;
|
|
52
|
+
readonly kinds?: Readonly<Partial<Record<CredentialProvider, BillingKind>>> | undefined;
|
|
53
|
+
}
|
|
54
|
+
/**
|
|
55
|
+
* Discover a `BillingContext` end-to-end with no privileged lookup: probe which
|
|
56
|
+
* provider credentials resolve (env → keychain, the non-admin check), then tag
|
|
57
|
+
* them via `billingFromKeyed`. Headroom defaults to undefined (reactive). In CI
|
|
58
|
+
* the credential probe is env-only (no keychain prompt); locally it allows the
|
|
59
|
+
* keychain. Convenience over calling `discoverKeyedProviders` +
|
|
60
|
+
* `billingFromKeyed`.
|
|
61
|
+
*
|
|
62
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
63
|
+
*/
|
|
64
|
+
export declare function discoverBilling(options?: DiscoverBillingOptions | undefined): Promise<BillingContext>;
|
|
65
|
+
export interface DiscoverKeyedProvidersOptions {
|
|
66
|
+
readonly allowEnvOnly?: boolean | undefined;
|
|
67
|
+
}
|
|
68
|
+
/**
|
|
69
|
+
* The set of providers with a resolvable credential, probed via the same
|
|
70
|
+
* non-admin env → keychain resolver `RouteContext.keyed` uses. No network, no
|
|
71
|
+
* privilege. Pass `allowEnvOnly: true` in headless contexts to skip the
|
|
72
|
+
* keychain entirely.
|
|
73
|
+
*/
|
|
74
|
+
export declare function discoverKeyedProviders(options?: DiscoverKeyedProvidersOptions | undefined): Promise<Set<CredentialProvider>>;
|
|
@@ -0,0 +1,129 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* Socket Lib - Built with rolldown */
|
|
3
|
+
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_primordials_object = require('../primordials/object.js');
|
|
5
|
+
const require_env_rewire = require('../env/rewire.js');
|
|
6
|
+
const require_ai_credentials = require('./credentials.js');
|
|
7
|
+
|
|
8
|
+
//#region src/ai/billing-context.mts
|
|
9
|
+
/**
|
|
10
|
+
* @file Build a `BillingContext` for the route-heuristic WITHOUT privileged
|
|
11
|
+
* lookups. A normal user has no Admin key (`sk-ant-admin01-`), so we cannot
|
|
12
|
+
* read org spend / quota — the Anthropic Cost API is admin-gated — and that
|
|
13
|
+
* is an accepted limitation, not something to engineer around. So this layer
|
|
14
|
+
* does NO network call and NO privileged probe. It uses only what a user
|
|
15
|
+
* actually has: which provider credentials resolve (the same env → keychain
|
|
16
|
+
* check that builds `RouteContext.keyed`, non-admin), tags each with its
|
|
17
|
+
* INHERENT billing kind (a metered API, a flat-rate plan, a subscription seat
|
|
18
|
+
* — the provider's nature, overridable by config), and leaves `headroom`
|
|
19
|
+
* undefined. Undefined headroom means the heuristic routes REACTIVELY: it
|
|
20
|
+
* falls over on a 429 / quota error at spawn time (`isQuotaExhausted` in
|
|
21
|
+
* `spawn.mts`), rather than predicting a cap it has no privilege to read. A
|
|
22
|
+
* caller that DOES have a non-privileged quota endpoint (e.g. Synthetic
|
|
23
|
+
* `/v2/quotas` with the ordinary key) may pass best-effort `headroom` in —
|
|
24
|
+
* but nothing here requires it, and no privileged reader is built or wired.
|
|
25
|
+
*/
|
|
26
|
+
/**
|
|
27
|
+
* Inherent billing model per provider — the provider's NATURE, not anyone's
|
|
28
|
+
* account or limit. A metered pay-per-token API (`anthropic` with an API key,
|
|
29
|
+
* `fireworks`, `xai`), a flat-rate plan (`synthetic`), or a subscription seat
|
|
30
|
+
* (`openai` via a ChatGPT/Codex seat). These are DEFAULTS only: a caller
|
|
31
|
+
* overrides per provider via the `kinds` option — e.g. a user whose Anthropic
|
|
32
|
+
* access is a Claude Max seat (no API key) marks `anthropic` as `subscription`.
|
|
33
|
+
* No dollar figures here; only the kind, which decides dollars-vs-headroom.
|
|
34
|
+
*/
|
|
35
|
+
const DEFAULT_PROVIDER_KIND = {
|
|
36
|
+
__proto__: null,
|
|
37
|
+
anthropic: "metered",
|
|
38
|
+
fireworks: "metered",
|
|
39
|
+
openai: "subscription",
|
|
40
|
+
synthetic: "flat-rate",
|
|
41
|
+
xai: "metered"
|
|
42
|
+
};
|
|
43
|
+
/**
|
|
44
|
+
* Turn an already-probed set of keyed providers into a `BillingContext`,
|
|
45
|
+
* tagging each with its kind (config override → inherent default) and any
|
|
46
|
+
* caller-supplied best-effort headroom. Pure: no I/O, no privileged lookup. A
|
|
47
|
+
* provider with no known kind is skipped rather than given an undefined kind.
|
|
48
|
+
*/
|
|
49
|
+
function billingFromKeyed(options) {
|
|
50
|
+
const opts = {
|
|
51
|
+
__proto__: null,
|
|
52
|
+
...options
|
|
53
|
+
};
|
|
54
|
+
const out = { __proto__: null };
|
|
55
|
+
for (const provider of opts.keyed) {
|
|
56
|
+
const kind = opts.kinds?.[provider] ?? DEFAULT_PROVIDER_KIND[provider];
|
|
57
|
+
if (!kind) continue;
|
|
58
|
+
const headroom = opts.headroom?.[provider];
|
|
59
|
+
out[provider] = headroom ? {
|
|
60
|
+
headroom,
|
|
61
|
+
kind,
|
|
62
|
+
provider
|
|
63
|
+
} : {
|
|
64
|
+
kind,
|
|
65
|
+
provider
|
|
66
|
+
};
|
|
67
|
+
}
|
|
68
|
+
return out;
|
|
69
|
+
}
|
|
70
|
+
/**
|
|
71
|
+
* Detect whether routing runs in locked-down CI (restricted to the secrets
|
|
72
|
+
* actually present, under the four-flag lockdown) or local dev (full freedom).
|
|
73
|
+
* CI when the standard `CI` env var is set; `local` otherwise.
|
|
74
|
+
*/
|
|
75
|
+
function detectRoutingEnv() {
|
|
76
|
+
return require_env_rewire.getEnvValue("CI") ? "ci" : "local";
|
|
77
|
+
}
|
|
78
|
+
/**
|
|
79
|
+
* Discover a `BillingContext` end-to-end with no privileged lookup: probe which
|
|
80
|
+
* provider credentials resolve (env → keychain, the non-admin check), then tag
|
|
81
|
+
* them via `billingFromKeyed`. Headroom defaults to undefined (reactive). In CI
|
|
82
|
+
* the credential probe is env-only (no keychain prompt); locally it allows the
|
|
83
|
+
* keychain. Convenience over calling `discoverKeyedProviders` +
|
|
84
|
+
* `billingFromKeyed`.
|
|
85
|
+
*
|
|
86
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
87
|
+
*/
|
|
88
|
+
async function discoverBilling(options) {
|
|
89
|
+
const opts = {
|
|
90
|
+
__proto__: null,
|
|
91
|
+
...options
|
|
92
|
+
};
|
|
93
|
+
const env = opts.env ?? detectRoutingEnv();
|
|
94
|
+
const keyed = await discoverKeyedProviders({ allowEnvOnly: opts.allowEnvOnly ?? env === "ci" });
|
|
95
|
+
return billingFromKeyed({
|
|
96
|
+
headroom: opts.headroom,
|
|
97
|
+
keyed,
|
|
98
|
+
kinds: opts.kinds
|
|
99
|
+
});
|
|
100
|
+
}
|
|
101
|
+
/**
|
|
102
|
+
* The set of providers with a resolvable credential, probed via the same
|
|
103
|
+
* non-admin env → keychain resolver `RouteContext.keyed` uses. No network, no
|
|
104
|
+
* privilege. Pass `allowEnvOnly: true` in headless contexts to skip the
|
|
105
|
+
* keychain entirely.
|
|
106
|
+
*/
|
|
107
|
+
async function discoverKeyedProviders(options) {
|
|
108
|
+
const opts = {
|
|
109
|
+
__proto__: null,
|
|
110
|
+
...options
|
|
111
|
+
};
|
|
112
|
+
const providers = require_primordials_object.ObjectKeys(require_ai_credentials.PROVIDER_CREDENTIALS);
|
|
113
|
+
const keyed = /* @__PURE__ */ new Set();
|
|
114
|
+
for (let i = 0, { length } = providers; i < length; i += 1) {
|
|
115
|
+
const provider = providers[i];
|
|
116
|
+
if (await require_ai_credentials.resolveProviderCredential({
|
|
117
|
+
allowEnvOnly: opts.allowEnvOnly,
|
|
118
|
+
provider
|
|
119
|
+
})) keyed.add(provider);
|
|
120
|
+
}
|
|
121
|
+
return keyed;
|
|
122
|
+
}
|
|
123
|
+
|
|
124
|
+
//#endregion
|
|
125
|
+
exports.DEFAULT_PROVIDER_KIND = DEFAULT_PROVIDER_KIND;
|
|
126
|
+
exports.billingFromKeyed = billingFromKeyed;
|
|
127
|
+
exports.detectRoutingEnv = detectRoutingEnv;
|
|
128
|
+
exports.discoverBilling = discoverBilling;
|
|
129
|
+
exports.discoverKeyedProviders = discoverKeyedProviders;
|
|
@@ -14,11 +14,10 @@
|
|
|
14
14
|
* `undefined` immediately instead of triggering a keychain auth prompt. CI
|
|
15
15
|
* sets the token as a GH-secret env var (e.g. `ANTHROPIC_API_KEY`); the same
|
|
16
16
|
* `resolveProviderCredential` call reads it there with no keychain. proteus
|
|
17
|
-
* hook-point: the forthcoming biometric credential daemon
|
|
18
|
-
*
|
|
19
|
-
*
|
|
20
|
-
*
|
|
21
|
-
* plan). This module is the stable seam.
|
|
17
|
+
* hook-point: the forthcoming biometric credential daemon slots in as a
|
|
18
|
+
* layer between the env check and the keychain read inside `resolve()`'s
|
|
19
|
+
* implementation — call sites here do not change when it lands. This module
|
|
20
|
+
* is the stable seam.
|
|
22
21
|
*/
|
|
23
22
|
/**
|
|
24
23
|
* A provider whose credential this module can resolve: the HTTP providers
|
|
@@ -31,6 +30,19 @@ export interface ProviderCredentialSpec {
|
|
|
31
30
|
readonly keychainService: string;
|
|
32
31
|
}
|
|
33
32
|
export declare const PROVIDER_CREDENTIALS: Readonly<Record<CredentialProvider, ProviderCredentialSpec>>;
|
|
33
|
+
export interface DeleteProviderCredentialOptions {
|
|
34
|
+
readonly provider: CredentialProvider;
|
|
35
|
+
}
|
|
36
|
+
/**
|
|
37
|
+
* Remove a provider's stored credential from the OS keychain — the same
|
|
38
|
+
* `{ service, account }` slot `resolveProviderCredential` reads. Returns
|
|
39
|
+
* `'removed'` when a value was deleted, `'absent'` when none was stored (or the
|
|
40
|
+
* platform has no keychain backend — delete degrades to a no-op rather than
|
|
41
|
+
* throwing, since "nothing to remove" is the same outcome either way).
|
|
42
|
+
*
|
|
43
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
44
|
+
*/
|
|
45
|
+
export declare function deleteProviderCredential(options: DeleteProviderCredentialOptions): Promise<'absent' | 'removed'>;
|
|
34
46
|
/**
|
|
35
47
|
* True when `value` names a provider with a resolvable credential.
|
|
36
48
|
*/
|
|
@@ -47,3 +59,25 @@ export interface ResolveProviderCredentialOptions {
|
|
|
47
59
|
* source has it (the caller decides whether that's fatal).
|
|
48
60
|
*/
|
|
49
61
|
export declare function resolveProviderCredential(options: ResolveProviderCredentialOptions): Promise<string | undefined>;
|
|
62
|
+
export interface WriteProviderCredentialOptions {
|
|
63
|
+
readonly provider: CredentialProvider;
|
|
64
|
+
readonly value: string;
|
|
65
|
+
}
|
|
66
|
+
/**
|
|
67
|
+
* Persist a provider's bearer token to the OS keychain — the SAME `{ service,
|
|
68
|
+
* account }` slot `resolveProviderCredential` reads (account == `tokenEnv`,
|
|
69
|
+
* service == the Socket-uniform `socketsecurity` scope), so a written token
|
|
70
|
+
* resolves on the next read without an env var.
|
|
71
|
+
*
|
|
72
|
+
* Keychain ONLY — this never writes a shell-rc export. That matters most for
|
|
73
|
+
* anthropic: a live `ANTHROPIC_API_KEY` env var overrides a Claude Max-seat
|
|
74
|
+
* OAuth session and silently flips the user to metered billing, so its token
|
|
75
|
+
* must live only in the keychain (read on demand), never exported. A setup
|
|
76
|
+
* wizard that rc-exports `FIREWORKS_API_KEY`/`SYNTHETIC_API_KEY` for
|
|
77
|
+
* convenience must still route anthropic here, keychain-only.
|
|
78
|
+
*
|
|
79
|
+
* Returns `'written'` | `'unchanged'` (idempotent — an identical stored value
|
|
80
|
+
* is a no-op). Throws when the OS has no keychain backend; a caller that wants
|
|
81
|
+
* to degrade gracefully should check `getBackendAvailability()` first.
|
|
82
|
+
*/
|
|
83
|
+
export declare function writeProviderCredential(options: WriteProviderCredentialOptions): Promise<'unchanged' | 'written'>;
|
package/dist/ai/credentials.js
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_secrets_keychain = require('../secrets/keychain.js');
|
|
4
5
|
const require_secrets_find = require('../secrets/find.js');
|
|
5
6
|
|
|
6
7
|
//#region src/ai/credentials.mts
|
|
@@ -20,11 +21,10 @@ const require_secrets_find = require('../secrets/find.js');
|
|
|
20
21
|
* `undefined` immediately instead of triggering a keychain auth prompt. CI
|
|
21
22
|
* sets the token as a GH-secret env var (e.g. `ANTHROPIC_API_KEY`); the same
|
|
22
23
|
* `resolveProviderCredential` call reads it there with no keychain. proteus
|
|
23
|
-
* hook-point: the forthcoming biometric credential daemon
|
|
24
|
-
*
|
|
25
|
-
*
|
|
26
|
-
*
|
|
27
|
-
* plan). This module is the stable seam.
|
|
24
|
+
* hook-point: the forthcoming biometric credential daemon slots in as a
|
|
25
|
+
* layer between the env check and the keychain read inside `resolve()`'s
|
|
26
|
+
* implementation — call sites here do not change when it lands. This module
|
|
27
|
+
* is the stable seam.
|
|
28
28
|
*/
|
|
29
29
|
const PROVIDER_CREDENTIALS = {
|
|
30
30
|
__proto__: null,
|
|
@@ -50,6 +50,27 @@ const PROVIDER_CREDENTIALS = {
|
|
|
50
50
|
}
|
|
51
51
|
};
|
|
52
52
|
/**
|
|
53
|
+
* Remove a provider's stored credential from the OS keychain — the same
|
|
54
|
+
* `{ service, account }` slot `resolveProviderCredential` reads. Returns
|
|
55
|
+
* `'removed'` when a value was deleted, `'absent'` when none was stored (or the
|
|
56
|
+
* platform has no keychain backend — delete degrades to a no-op rather than
|
|
57
|
+
* throwing, since "nothing to remove" is the same outcome either way).
|
|
58
|
+
*
|
|
59
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
60
|
+
*/
|
|
61
|
+
async function deleteProviderCredential(options) {
|
|
62
|
+
const opts = {
|
|
63
|
+
__proto__: null,
|
|
64
|
+
...options
|
|
65
|
+
};
|
|
66
|
+
const spec = PROVIDER_CREDENTIALS[opts.provider];
|
|
67
|
+
if (!spec) return "absent";
|
|
68
|
+
return await require_secrets_keychain.deleteSecret({
|
|
69
|
+
account: spec.tokenEnv,
|
|
70
|
+
service: spec.keychainService
|
|
71
|
+
});
|
|
72
|
+
}
|
|
73
|
+
/**
|
|
53
74
|
* True when `value` names a provider with a resolvable credential.
|
|
54
75
|
*/
|
|
55
76
|
function isCredentialProvider(value) {
|
|
@@ -75,8 +96,42 @@ async function resolveProviderCredential(options) {
|
|
|
75
96
|
service: spec.keychainService
|
|
76
97
|
}))?.value;
|
|
77
98
|
}
|
|
99
|
+
/**
|
|
100
|
+
* Persist a provider's bearer token to the OS keychain — the SAME `{ service,
|
|
101
|
+
* account }` slot `resolveProviderCredential` reads (account == `tokenEnv`,
|
|
102
|
+
* service == the Socket-uniform `socketsecurity` scope), so a written token
|
|
103
|
+
* resolves on the next read without an env var.
|
|
104
|
+
*
|
|
105
|
+
* Keychain ONLY — this never writes a shell-rc export. That matters most for
|
|
106
|
+
* anthropic: a live `ANTHROPIC_API_KEY` env var overrides a Claude Max-seat
|
|
107
|
+
* OAuth session and silently flips the user to metered billing, so its token
|
|
108
|
+
* must live only in the keychain (read on demand), never exported. A setup
|
|
109
|
+
* wizard that rc-exports `FIREWORKS_API_KEY`/`SYNTHETIC_API_KEY` for
|
|
110
|
+
* convenience must still route anthropic here, keychain-only.
|
|
111
|
+
*
|
|
112
|
+
* Returns `'written'` | `'unchanged'` (idempotent — an identical stored value
|
|
113
|
+
* is a no-op). Throws when the OS has no keychain backend; a caller that wants
|
|
114
|
+
* to degrade gracefully should check `getBackendAvailability()` first.
|
|
115
|
+
*/
|
|
116
|
+
async function writeProviderCredential(options) {
|
|
117
|
+
const opts = {
|
|
118
|
+
__proto__: null,
|
|
119
|
+
...options
|
|
120
|
+
};
|
|
121
|
+
const spec = PROVIDER_CREDENTIALS[opts.provider];
|
|
122
|
+
if (!spec) throw new Error(`writeProviderCredential: unknown provider "${opts.provider}".`);
|
|
123
|
+
const backend = require_secrets_keychain.getBackendAvailability();
|
|
124
|
+
if (!backend.available) throw new Error(`writeProviderCredential: no OS keychain backend (${backend.toolName}) available to store the ${opts.provider} credential.` + (backend.installHint ? ` ${backend.installHint}` : ""));
|
|
125
|
+
return await require_secrets_keychain.writeSecret({
|
|
126
|
+
account: spec.tokenEnv,
|
|
127
|
+
service: spec.keychainService,
|
|
128
|
+
value: opts.value
|
|
129
|
+
});
|
|
130
|
+
}
|
|
78
131
|
|
|
79
132
|
//#endregion
|
|
80
133
|
exports.PROVIDER_CREDENTIALS = PROVIDER_CREDENTIALS;
|
|
134
|
+
exports.deleteProviderCredential = deleteProviderCredential;
|
|
81
135
|
exports.isCredentialProvider = isCredentialProvider;
|
|
82
|
-
exports.resolveProviderCredential = resolveProviderCredential;
|
|
136
|
+
exports.resolveProviderCredential = resolveProviderCredential;
|
|
137
|
+
exports.writeProviderCredential = writeProviderCredential;
|
package/dist/ai/discover.d.mts
CHANGED
|
@@ -43,12 +43,16 @@ export declare function discoverFresh(): DiscoveredAgents;
|
|
|
43
43
|
*
|
|
44
44
|
* Useful in fast paths where the caller has already populated the cache and
|
|
45
45
|
* just wants to read it back.
|
|
46
|
+
*
|
|
47
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
46
48
|
*/
|
|
47
49
|
export declare function getDiscoveredAiAgents(): DiscoveredAgents | undefined;
|
|
48
50
|
export declare function readDiskCache(cachePath: string): DiscoveredAgents | undefined;
|
|
49
51
|
/**
|
|
50
52
|
* Reset the in-process cache. Tests use this; production callers shouldn't need
|
|
51
53
|
* it (use `refresh: true` on discoverAiAgents()).
|
|
54
|
+
*
|
|
55
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
52
56
|
*/
|
|
53
57
|
export declare function resetAiAgentDiscoveryCache(): void;
|
|
54
58
|
export declare function writeDiskCache(cachePath: string, agents: DiscoveredAgents): Promise<void>;
|
package/dist/ai/discover.js
CHANGED
|
@@ -87,6 +87,8 @@ function discoverFresh() {
|
|
|
87
87
|
*
|
|
88
88
|
* Useful in fast paths where the caller has already populated the cache and
|
|
89
89
|
* just wants to read it back.
|
|
90
|
+
*
|
|
91
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
90
92
|
*/
|
|
91
93
|
function getDiscoveredAiAgents() {
|
|
92
94
|
return inProcessCache;
|
|
@@ -104,6 +106,8 @@ function readDiskCache(cachePath) {
|
|
|
104
106
|
/**
|
|
105
107
|
* Reset the in-process cache. Tests use this; production callers shouldn't need
|
|
106
108
|
* it (use `refresh: true` on discoverAiAgents()).
|
|
109
|
+
*
|
|
110
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
107
111
|
*/
|
|
108
112
|
function resetAiAgentDiscoveryCache() {
|
|
109
113
|
inProcessCache = void 0;
|
package/dist/ai/exec.d.mts
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
* WHICH model produced it (`ai/backends`). The lib owns the INTERFACE plus
|
|
4
4
|
* the cheap built-in `real` runner (the host shell via lib `spawn`); a
|
|
5
5
|
* SANDBOXED runner is INJECTED by the caller, never imported here. That keeps
|
|
6
|
-
* the small-dist lib free of a heavy sandbox dependency —
|
|
6
|
+
* the small-dist lib free of a heavy sandbox dependency — Socket's sandbox
|
|
7
7
|
* of choice (`just-bash`, ~40MB incl. WASM) is owned by the wheelhouse hook /
|
|
8
8
|
* CI tooling and passed in, so a lib consumer that never sandboxes pays
|
|
9
9
|
* nothing. Layering: ExecRunner.run() — the injectable primitive (real |
|
package/dist/ai/exec.js
CHANGED
|
@@ -10,7 +10,7 @@ const require_process_spawn_child = require('../process/spawn/child.js');
|
|
|
10
10
|
* WHICH model produced it (`ai/backends`). The lib owns the INTERFACE plus
|
|
11
11
|
* the cheap built-in `real` runner (the host shell via lib `spawn`); a
|
|
12
12
|
* SANDBOXED runner is INJECTED by the caller, never imported here. That keeps
|
|
13
|
-
* the small-dist lib free of a heavy sandbox dependency —
|
|
13
|
+
* the small-dist lib free of a heavy sandbox dependency — Socket's sandbox
|
|
14
14
|
* of choice (`just-bash`, ~40MB incl. WASM) is owned by the wheelhouse hook /
|
|
15
15
|
* CI tooling and passed in, so a lib consumer that never sandboxes pays
|
|
16
16
|
* nothing. Layering: ExecRunner.run() — the injectable primitive (real |
|
package/dist/ai/http.d.mts
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
* (`api.fireworks.ai`) and Synthetic (`api.synthetic.new`). The CLI path
|
|
5
5
|
* (`spawn.mts`) drives an interactive agent binary; this path is for a
|
|
6
6
|
* script/hook that needs a single completion from a model without an agent
|
|
7
|
-
* harness (the way the local OpenCode setup reaches GLM-5.
|
|
7
|
+
* harness (the way the local OpenCode setup reaches GLM-5.2 / Kimi-K2.6). Why
|
|
8
8
|
* a separate module from `spawn.mts`: those are different surfaces. A CLI
|
|
9
9
|
* agent gets tools + a permission mode + a working dir; an HTTP completion
|
|
10
10
|
* gets a prompt + a model + (optionally) a reasoning effort and returns text.
|
|
@@ -13,10 +13,10 @@
|
|
|
13
13
|
* function-calling surface — they're plain completions, so there's no agentic
|
|
14
14
|
* capability to constrain. The token is read from the env var the provider
|
|
15
15
|
* config names (`FIREWORKS_API_KEY` / `SYNTHETIC_API_KEY`), NEVER passed
|
|
16
|
-
* inline, and never logged — same token-hygiene rule as the rest of
|
|
17
|
-
*
|
|
18
|
-
*
|
|
19
|
-
*
|
|
16
|
+
* inline, and never logged — same token-hygiene rule as the rest of Socket. A
|
|
17
|
+
* missing token throws with the exact env var to set. Wire format is the
|
|
18
|
+
* OpenAI Chat Completions API (`POST {baseUrl}/chat/completions`), which both
|
|
19
|
+
* providers implement.
|
|
20
20
|
*/
|
|
21
21
|
import type { AiEffort } from './types.mts';
|
|
22
22
|
/**
|
|
@@ -47,8 +47,8 @@ export interface AiHttpCallOptions {
|
|
|
47
47
|
*/
|
|
48
48
|
readonly provider: string | AiHttpProvider;
|
|
49
49
|
/**
|
|
50
|
-
* The provider's model id (e.g. `accounts/fireworks/models/glm-
|
|
51
|
-
* `hf:moonshotai/Kimi-K2.
|
|
50
|
+
* The provider's model id (e.g. `accounts/fireworks/models/glm-5p2`,
|
|
51
|
+
* `hf:moonshotai/Kimi-K2.6`).
|
|
52
52
|
*/
|
|
53
53
|
readonly model: string;
|
|
54
54
|
/**
|
|
@@ -118,7 +118,7 @@ export declare function buildChatRequestBody(options: AiHttpCallOptions): string
|
|
|
118
118
|
* ;```ts
|
|
119
119
|
* const { text } = await callAiHttpModel({
|
|
120
120
|
* provider: 'fireworks',
|
|
121
|
-
* model: 'accounts/fireworks/models/glm-
|
|
121
|
+
* model: 'accounts/fireworks/models/glm-5p2',
|
|
122
122
|
* prompt: 'Summarize this diff: …',
|
|
123
123
|
* effort: 'high',
|
|
124
124
|
* })
|