@socketsecurity/lib 6.0.8 → 6.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (396) hide show
  1. package/CHANGELOG.md +28 -0
  2. package/README.md +8 -9
  3. package/dist/abort/signal.d.ts +1 -1
  4. package/dist/abort/signal.js +1 -1
  5. package/dist/ai/agent-context.d.mts +1 -1
  6. package/dist/ai/agent-context.js +3 -2
  7. package/dist/ai/backends.d.mts +3 -3
  8. package/dist/ai/backends.js +2 -2
  9. package/dist/ai/billing-context.d.mts +74 -0
  10. package/dist/ai/billing-context.js +129 -0
  11. package/dist/ai/credentials.d.mts +39 -5
  12. package/dist/ai/credentials.js +61 -6
  13. package/dist/ai/discover.d.mts +4 -0
  14. package/dist/ai/discover.js +4 -0
  15. package/dist/ai/exec.d.mts +1 -1
  16. package/dist/ai/exec.js +1 -1
  17. package/dist/ai/http.d.mts +8 -8
  18. package/dist/ai/http.js +6 -6
  19. package/dist/ai/profiles.d.mts +9 -10
  20. package/dist/ai/profiles.js +0 -5
  21. package/dist/ai/role.d.mts +58 -0
  22. package/dist/ai/role.js +96 -0
  23. package/dist/ai/route-heuristic.d.mts +177 -0
  24. package/dist/ai/route-heuristic.js +194 -0
  25. package/dist/ai/route.d.mts +31 -17
  26. package/dist/ai/route.js +35 -19
  27. package/dist/ai/spawn.d.mts +34 -1
  28. package/dist/ai/spawn.js +115 -3
  29. package/dist/ai/subagent-status.d.mts +2 -0
  30. package/dist/ai/subagent-status.js +2 -0
  31. package/dist/ai/tier.d.mts +1 -1
  32. package/dist/ai/types.d.mts +19 -2
  33. package/dist/ai/worktree.d.mts +1 -1
  34. package/dist/ai/worktree.js +3 -2
  35. package/dist/argv/parse.d.ts +2 -0
  36. package/dist/argv/parse.js +2 -0
  37. package/dist/bin/_internal.d.ts +1 -1
  38. package/dist/bin/_internal.js +1 -1
  39. package/dist/bin/prim.cjs +19253 -13937
  40. package/dist/bin/resolve.js +1 -1
  41. package/dist/bin/shadow.js +2 -1
  42. package/dist/bin/which.d.ts +28 -3
  43. package/dist/bin/which.js +45 -3
  44. package/dist/cacache/_internal.d.ts +10 -2
  45. package/dist/cacache/_internal.js +6 -10
  46. package/dist/cache/ttl/_internal.d.ts +33 -0
  47. package/dist/cache/ttl/_internal.js +68 -0
  48. package/dist/cache/ttl/browser.d.ts +56 -0
  49. package/dist/cache/ttl/browser.js +257 -0
  50. package/dist/cache/ttl/store.js +11 -34
  51. package/dist/cache/ttl/types.d.ts +46 -3
  52. package/dist/checks/primordials-defaults.d.ts +5 -5
  53. package/dist/checks/primordials-defaults.js +5 -5
  54. package/dist/checks/primordials.d.ts +1 -1
  55. package/dist/checks/primordials.js +25 -17
  56. package/dist/cli/check-primordials.d.ts +6 -1
  57. package/dist/cli/check-primordials.js +14 -5
  58. package/dist/cli/check.js +1 -1
  59. package/dist/cli/socket-lib.d.ts +1 -1
  60. package/dist/cli/socket-lib.js +3 -3
  61. package/dist/colors/socket-palette.d.ts +1 -1
  62. package/dist/compression/brotli.d.ts +6 -2
  63. package/dist/compression/brotli.js +5 -1
  64. package/dist/compression/gzip.d.ts +6 -2
  65. package/dist/compression/gzip.js +7 -2
  66. package/dist/config/layers.d.ts +53 -0
  67. package/dist/config/layers.js +83 -0
  68. package/dist/constants/agents.d.ts +3 -0
  69. package/dist/constants/agents.js +3 -0
  70. package/dist/constants/node.d.ts +14 -0
  71. package/dist/constants/node.js +14 -0
  72. package/dist/constants/package-default-node-range.js +1 -5
  73. package/dist/constants/packages.d.ts +5 -0
  74. package/dist/constants/packages.js +5 -0
  75. package/dist/constants/platform.d.ts +1 -1
  76. package/dist/constants/platform.js +1 -1
  77. package/dist/constants/socket.js +1 -1
  78. package/dist/constants/typescript.d.ts +5 -0
  79. package/dist/constants/typescript.js +5 -0
  80. package/dist/debug/_internal.d.ts +22 -7
  81. package/dist/debug/_internal.js +33 -15
  82. package/dist/debug/caller-info.js +1 -1
  83. package/dist/debug/namespace.js +11 -8
  84. package/dist/debug/output.d.ts +12 -1
  85. package/dist/debug/output.js +33 -16
  86. package/dist/dlx/binary-cache.js +1 -1
  87. package/dist/dlx/binary-resolution.js +8 -5
  88. package/dist/dlx/firewall.js +1 -1
  89. package/dist/dlx/lockfile.js +1 -1
  90. package/dist/eco/npm/npm/parse-lockfile.js +3 -2
  91. package/dist/eco/npm/vlt/exec.d.ts +1 -1
  92. package/dist/eco/npm/vlt/exec.js +1 -1
  93. package/dist/eco/npm/yarnpkg/yarn/parse-lockfile.js +1 -1
  94. package/dist/env/agents.d.ts +6 -0
  95. package/dist/env/agents.js +29 -0
  96. package/dist/env/flags.d.ts +12 -0
  97. package/dist/env/flags.js +23 -0
  98. package/dist/env/github-status.js +2 -2
  99. package/dist/env/providers.d.ts +6 -0
  100. package/dist/env/providers.js +23 -0
  101. package/dist/env/proxy.js +1 -1
  102. package/dist/env/rewire.d.ts +37 -3
  103. package/dist/env/rewire.js +60 -29
  104. package/dist/env/runtimes.d.ts +9 -0
  105. package/dist/env/runtimes.js +53 -0
  106. package/dist/env/socket-cli.d.ts +5 -2
  107. package/dist/env/socket-cli.js +6 -3
  108. package/dist/env/xdg.d.ts +17 -0
  109. package/dist/env/xdg.js +21 -1
  110. package/dist/errors/predicates.d.ts +3 -2
  111. package/dist/errors/predicates.js +5 -3
  112. package/dist/events/exit/_internal.d.ts +1 -23
  113. package/dist/external/@npmcli/package-json.js +3570 -4905
  114. package/dist/external/@npmcli/promise-spawn.js +2 -2
  115. package/dist/external/@sinclair/typebox/value.js +5 -4
  116. package/dist/external/@socketregistry/yocto-spinner.js +3 -3
  117. package/dist/external/@yarnpkg/extensions.js +1 -1
  118. package/dist/external/adm-zip.d.ts +82 -0
  119. package/dist/external/adm-zip.js +2 -2
  120. package/dist/external/cacache.d.ts +87 -0
  121. package/dist/external/debug.d.ts +22 -0
  122. package/dist/external/debug.js +11 -4
  123. package/dist/external/del.d.ts +1 -0
  124. package/dist/external/external-pack.d.ts +12 -0
  125. package/dist/external/external-pack.js +42 -35
  126. package/dist/external/fast-glob.d.ts +8 -0
  127. package/dist/external/fast-sort.d.ts +1 -0
  128. package/dist/external/get-east-asian-width.d.ts +5 -0
  129. package/dist/external/get-east-asian-width.js +8 -1
  130. package/dist/external/has-flag.d.ts +1 -0
  131. package/dist/external/inquirer-pack.d.ts +18 -0
  132. package/dist/external/libnpmexec.d.ts +35 -0
  133. package/dist/external/libnpmpack.d.ts +1 -0
  134. package/dist/external/make-fetch-happen.d.ts +13 -0
  135. package/dist/external/normalize-package-data.d.ts +4 -0
  136. package/dist/external/npm-core.d.ts +14 -0
  137. package/dist/external/npm-pack.d.ts +24 -0
  138. package/dist/external/npm-pack.js +28934 -31885
  139. package/dist/external/npm-package-arg.d.ts +4 -0
  140. package/dist/external/p-map.js +8 -1
  141. package/dist/external/pacote.d.ts +15 -0
  142. package/dist/external/pico-pack.d.ts +16 -0
  143. package/dist/external/pico-pack.js +38 -23
  144. package/dist/external/picomatch.d.ts +96 -0
  145. package/dist/external/pony-cause.d.ts +14 -0
  146. package/dist/external/semver.d.ts +60 -0
  147. package/dist/external/semver.js +1459 -4
  148. package/dist/external/shell-quote.d.ts +51 -0
  149. package/dist/external/shell-quote.js +55 -15
  150. package/dist/external/signal-exit.d.ts +1 -0
  151. package/dist/external/spdx-correct.d.ts +4 -0
  152. package/dist/external/spdx-expression-parse.d.ts +4 -0
  153. package/dist/external/spdx-pack.d.ts +10 -0
  154. package/dist/external/std-env.d.ts +284 -0
  155. package/dist/external/std-env.js +323 -0
  156. package/dist/external/streaming-iterables.d.ts +11 -0
  157. package/dist/external/supports-color.d.ts +1 -0
  158. package/dist/external/tar-fs.d.ts +31 -0
  159. package/dist/external/tar-fs.js +63 -16
  160. package/dist/external/validate-npm-package-name.d.ts +4 -0
  161. package/dist/external/which.d.ts +25 -0
  162. package/dist/external/which.js +2 -2
  163. package/dist/external/yargs-parser.d.ts +2 -0
  164. package/dist/external/yargs-parser.js +11 -3
  165. package/dist/external/yoctocolors-cjs.d.ts +51 -0
  166. package/dist/external-tools/bazel/asset-names.d.ts +1 -1
  167. package/dist/external-tools/bazel/from-download.d.ts +1 -1
  168. package/dist/external-tools/bazel/resolve.d.ts +3 -0
  169. package/dist/external-tools/bazel/resolve.js +3 -0
  170. package/dist/external-tools/cdxgen/asset-names.d.ts +5 -5
  171. package/dist/external-tools/cdxgen/asset-names.js +3 -3
  172. package/dist/external-tools/cdxgen/from-download.d.ts +2 -2
  173. package/dist/external-tools/cdxgen/from-download.js +1 -1
  174. package/dist/external-tools/cdxgen/resolve.d.ts +4 -1
  175. package/dist/external-tools/cdxgen/resolve.js +4 -1
  176. package/dist/external-tools/cdxgen/types.d.ts +1 -1
  177. package/dist/external-tools/from-download.d.ts +2 -2
  178. package/dist/external-tools/from-download.js +1 -1
  179. package/dist/external-tools/janus/asset-names.d.ts +4 -1
  180. package/dist/external-tools/janus/asset-names.js +3 -0
  181. package/dist/external-tools/janus/from-download.d.ts +3 -3
  182. package/dist/external-tools/janus/from-download.js +2 -2
  183. package/dist/external-tools/janus/resolve.d.ts +3 -0
  184. package/dist/external-tools/janus/resolve.js +3 -0
  185. package/dist/external-tools/jre/asset-names.d.ts +3 -1
  186. package/dist/external-tools/jre/asset-names.js +2 -0
  187. package/dist/external-tools/jre/detect-platform-arch.js +1 -1
  188. package/dist/external-tools/jre/from-download.d.ts +1 -1
  189. package/dist/external-tools/manifest.d.ts +5 -3
  190. package/dist/external-tools/manifest.js +5 -3
  191. package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
  192. package/dist/external-tools/opengrep/resolve.d.ts +3 -0
  193. package/dist/external-tools/opengrep/resolve.js +3 -0
  194. package/dist/external-tools/python/asset-names.d.ts +3 -1
  195. package/dist/external-tools/python/asset-names.js +8 -4
  196. package/dist/external-tools/python/pin.js +3 -1
  197. package/dist/external-tools/python/resolve.d.ts +3 -0
  198. package/dist/external-tools/python/resolve.js +3 -0
  199. package/dist/external-tools/python/uv-install.d.ts +89 -0
  200. package/dist/external-tools/python/uv-install.js +165 -0
  201. package/dist/external-tools/sbt/resolve.d.ts +3 -0
  202. package/dist/external-tools/sbt/resolve.js +3 -0
  203. package/dist/external-tools/skillspector/from-uv.d.ts +30 -0
  204. package/dist/external-tools/skillspector/from-uv.js +56 -0
  205. package/dist/external-tools/skillspector/resolve.d.ts +18 -3
  206. package/dist/external-tools/skillspector/resolve.js +21 -8
  207. package/dist/external-tools/skillspector/types.d.ts +3 -1
  208. package/dist/external-tools/synp/resolve.d.ts +3 -0
  209. package/dist/external-tools/synp/resolve.js +3 -0
  210. package/dist/external-tools/trivy/asset-names.d.ts +1 -1
  211. package/dist/external-tools/trivy/resolve.d.ts +3 -0
  212. package/dist/external-tools/trivy/resolve.js +3 -0
  213. package/dist/external-tools/trufflehog/asset-names.d.ts +4 -1
  214. package/dist/external-tools/trufflehog/asset-names.js +3 -0
  215. package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
  216. package/dist/external-tools/trufflehog/resolve.d.ts +3 -0
  217. package/dist/external-tools/trufflehog/resolve.js +3 -0
  218. package/dist/external-tools/uv/asset-names.d.ts +36 -0
  219. package/dist/external-tools/uv/asset-names.js +73 -0
  220. package/dist/external-tools/uv/from-download.d.ts +17 -0
  221. package/dist/external-tools/uv/from-download.js +50 -0
  222. package/dist/external-tools/uv/from-path.d.ts +5 -0
  223. package/dist/external-tools/uv/from-path.js +22 -0
  224. package/dist/external-tools/uv/from-vfs.d.ts +7 -0
  225. package/dist/external-tools/uv/from-vfs.js +26 -0
  226. package/dist/external-tools/uv/resolve.d.ts +28 -0
  227. package/dist/external-tools/uv/resolve.js +64 -0
  228. package/dist/external-tools/uv/types.d.ts +24 -0
  229. package/dist/external-tools/uv/types.js +2 -0
  230. package/dist/fleet/repo-config.d.ts +55 -0
  231. package/dist/fleet/repo-config.js +81 -0
  232. package/dist/fs/_internal.d.ts +1 -1
  233. package/dist/fs/_internal.js +1 -1
  234. package/dist/fs/access.d.ts +2 -0
  235. package/dist/fs/access.js +2 -0
  236. package/dist/fs/copy.d.ts +88 -0
  237. package/dist/fs/copy.js +89 -0
  238. package/dist/fs/find.js +1 -2
  239. package/dist/fs/inspect.d.ts +2 -2
  240. package/dist/fs/read-file.js +3 -4
  241. package/dist/fs/safe.js +2 -2
  242. package/dist/git/_internal.js +7 -3
  243. package/dist/github/commit.d.ts +92 -0
  244. package/dist/github/commit.js +113 -0
  245. package/dist/github/ghsa.js +1 -1
  246. package/dist/github/refs-graphql.js +1 -1
  247. package/dist/github/refs.js +10 -15
  248. package/dist/github/request.js +1 -1
  249. package/dist/github/token.d.ts +5 -2
  250. package/dist/github/token.js +6 -4
  251. package/dist/github/workflow-runs.d.ts +107 -0
  252. package/dist/github/workflow-runs.js +98 -0
  253. package/dist/globs/_internal.js +1 -1
  254. package/dist/http-request/_internal.d.ts +1 -1
  255. package/dist/http-request/browser.d.ts +6 -0
  256. package/dist/http-request/browser.js +4 -3
  257. package/dist/http-request/checksum-file.js +1 -1
  258. package/dist/http-request/download.js +2 -0
  259. package/dist/http-request/headers.d.ts +1 -1
  260. package/dist/http-request/headers.js +2 -2
  261. package/dist/http-request/request-attempt.js +6 -3
  262. package/dist/http-request/request-types.d.ts +10 -1
  263. package/dist/http-request/request.js +2 -2
  264. package/dist/http-request/user-agent.d.ts +23 -2
  265. package/dist/http-request/user-agent.js +48 -6
  266. package/dist/integrity.d.ts +127 -78
  267. package/dist/integrity.js +170 -84
  268. package/dist/json/format.js +4 -1
  269. package/dist/logger/_internal.d.ts +13 -15
  270. package/dist/logger/_internal.js +21 -21
  271. package/dist/logger/colors.d.ts +10 -5
  272. package/dist/logger/colors.js +7 -14
  273. package/dist/logger/console-methods.js +2 -2
  274. package/dist/logger/console.d.ts +1 -0
  275. package/dist/logger/console.js +9 -9
  276. package/dist/logger/node.js +2 -1
  277. package/dist/logger/symbols-builder.js +7 -8
  278. package/dist/logger/symbols.js +8 -8
  279. package/dist/native-messaging/install.js +1 -1
  280. package/dist/native-messaging/rate-limit.d.ts +4 -1
  281. package/dist/native-messaging/rate-limit.js +4 -1
  282. package/dist/node/events.d.ts +3 -0
  283. package/dist/node/events.js +3 -0
  284. package/dist/node/fs.d.ts +1 -1
  285. package/dist/node/module.d.ts +73 -2
  286. package/dist/node/module.js +97 -12
  287. package/dist/node/timers-promises.d.ts +3 -0
  288. package/dist/node/timers-promises.js +3 -0
  289. package/dist/node/url.d.ts +3 -0
  290. package/dist/node/url.js +3 -0
  291. package/dist/npm/meta-cache.d.ts +183 -0
  292. package/dist/npm/meta-cache.js +318 -0
  293. package/dist/npm/meta-slice.d.ts +27 -0
  294. package/dist/npm/meta-slice.js +68 -0
  295. package/dist/npm/meta-types.d.ts +282 -0
  296. package/dist/npm/meta-types.js +2 -0
  297. package/dist/npm/meta.d.ts +125 -0
  298. package/dist/npm/meta.js +347 -0
  299. package/dist/npm/registry.d.ts +212 -0
  300. package/dist/npm/registry.js +284 -0
  301. package/dist/objects/getters.d.ts +1 -1
  302. package/dist/objects/getters.js +1 -1
  303. package/dist/objects/predicates.js +1 -1
  304. package/dist/packages/exports.js +2 -2
  305. package/dist/packages/isolation.js +1 -1
  306. package/dist/packages/manifest.d.ts +29 -0
  307. package/dist/packages/manifest.js +44 -9
  308. package/dist/packages/metadata-extensions.js +2 -4
  309. package/dist/packages/normalize.js +1 -1
  310. package/dist/packages/provenance.d.ts +8 -0
  311. package/dist/packages/provenance.js +10 -2
  312. package/dist/packages/specs.js +1 -1
  313. package/dist/packages/tarball.js +1 -2
  314. package/dist/packages/validation.d.ts +0 -10
  315. package/dist/packages/validation.js +0 -14
  316. package/dist/paths/_internal.d.ts +1 -7
  317. package/dist/paths/_internal.js +9 -15
  318. package/dist/paths/conversion.js +1 -1
  319. package/dist/paths/exts.d.ts +30 -0
  320. package/dist/paths/exts.js +30 -0
  321. package/dist/paths/filenames.d.ts +6 -0
  322. package/dist/paths/filenames.js +6 -0
  323. package/dist/paths/globs.d.ts +6 -0
  324. package/dist/paths/globs.js +6 -0
  325. package/dist/paths/normalize.js +1 -1
  326. package/dist/paths/predicates.js +2 -1
  327. package/dist/paths/resolve.js +19 -14
  328. package/dist/paths/socket.d.ts +81 -30
  329. package/dist/paths/socket.js +102 -28
  330. package/dist/perf/metrics.js +1 -1
  331. package/dist/perf/report.js +5 -3
  332. package/dist/pkg-ext/data.js +0 -2
  333. package/dist/primordials/globals.d.ts +1 -1
  334. package/dist/primordials/globals.js +1 -1
  335. package/dist/primordials/headers.d.ts +13 -1
  336. package/dist/primordials/headers.js +13 -1
  337. package/dist/primordials/process.d.ts +1 -1
  338. package/dist/primordials/process.js +1 -1
  339. package/dist/primordials/url.d.ts +18 -0
  340. package/dist/primordials/url.js +18 -0
  341. package/dist/process/spawn/child.js +3 -5
  342. package/dist/promises/_internal.d.ts +1 -1
  343. package/dist/promises/_internal.js +1 -2
  344. package/dist/promises/options.js +3 -3
  345. package/dist/regexps/spec.js +1 -1
  346. package/dist/releases/socket-btm-binary-naming.js +12 -1
  347. package/dist/schema/validate.js +1 -1
  348. package/dist/secrets/_internal.d.ts +1 -1
  349. package/dist/secrets/_internal.js +1 -1
  350. package/dist/secrets/broker.d.ts +35 -0
  351. package/dist/secrets/broker.js +72 -0
  352. package/dist/secrets/find.d.ts +8 -6
  353. package/dist/secrets/find.js +17 -3
  354. package/dist/secrets/keychain.d.ts +10 -1
  355. package/dist/secrets/keychain.js +10 -1
  356. package/dist/secrets/rc.js +1 -1
  357. package/dist/secrets/socket-api-token.d.ts +1 -1
  358. package/dist/secrets/socket-api-token.js +1 -1
  359. package/dist/secrets/types.d.ts +1 -1
  360. package/dist/smol/detect.js +1 -1
  361. package/dist/smol/http.d.ts +2 -0
  362. package/dist/smol/http.js +3 -1
  363. package/dist/smol/https.d.ts +2 -0
  364. package/dist/smol/https.js +3 -1
  365. package/dist/smol/manifest.js +1 -1
  366. package/dist/smol/path.js +1 -1
  367. package/dist/smol/primordial.js +1 -1
  368. package/dist/smol/purl.js +1 -1
  369. package/dist/smol/versions.js +1 -1
  370. package/dist/smol/vfs.js +1 -1
  371. package/dist/sorts/_internal.d.ts +2 -4
  372. package/dist/sorts/_internal.js +1 -7
  373. package/dist/sorts/semver.js +2 -2
  374. package/dist/spinner/create-spinner-class.js +1 -1
  375. package/dist/spinner/format.js +2 -4
  376. package/dist/stdio/footer.js +8 -7
  377. package/dist/stdio/progress.js +1 -1
  378. package/dist/stdio/prompts.d.ts +8 -23
  379. package/dist/stdio/prompts.js +28 -52
  380. package/dist/strings/format.js +1 -1
  381. package/dist/strings/predicates.d.ts +2 -2
  382. package/dist/strings/search.js +2 -2
  383. package/dist/strings/types.d.ts +4 -0
  384. package/dist/strings/width.d.ts +1 -0
  385. package/dist/strings/width.js +17 -8
  386. package/dist/themes/context.d.ts +18 -3
  387. package/dist/themes/context.js +28 -14
  388. package/dist/versions/_internal.d.ts +43 -13
  389. package/dist/versions/_internal.js +27 -15
  390. package/dist/versions/compare.d.ts +16 -10
  391. package/dist/versions/compare.js +36 -16
  392. package/dist/versions/parse.js +1 -1
  393. package/dist/versions/range.js +3 -2
  394. package/dist/words/pluralize.js +4 -1
  395. package/llms.txt +63 -0
  396. package/package.json +271 -40
@@ -2,8 +2,8 @@
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_primordials_error = require('../primordials/error.js');
5
- const require_integrity = require('../integrity.js');
6
5
  const require_primordials_string = require('../primordials/string.js');
6
+ const require_integrity = require('../integrity.js');
7
7
  const require_http_request_request = require('./request.js');
8
8
 
9
9
  //#region src/http-request/checksum-file.ts
@@ -168,6 +168,8 @@ async function httpDownloadAttempt(url, destPath, options) {
168
168
  })();
169
169
  };
170
170
  fileStream.on("error", (error) => {
171
+ res.unpipe(fileStream);
172
+ res.destroy();
171
173
  fileStream.destroy();
172
174
  cleanupPartial();
173
175
  reject(new require_primordials_error.ErrorCtor(`Failed to write file: ${error.message}`, { cause: error }));
@@ -13,7 +13,7 @@
13
13
  * Build an HTTP Basic `Authorization` header value from a Socket API token.
14
14
  *
15
15
  * The Socket API uses the token as the username with an empty password, so the
16
- * credential pair is `<token>:`. Centralized here so every fleet caller emits
16
+ * credential pair is `<token>:`. Centralized here so every Socket caller emits
17
17
  * the identical shape instead of hand-rolling `btoa(\`${token}:`)`.
18
18
  *
19
19
  * @example
@@ -1,8 +1,8 @@
1
1
  "use strict";
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
- const require_primordials_number = require('../primordials/number.js');
5
4
  const require_primordials_object = require('../primordials/object.js');
5
+ const require_primordials_number = require('../primordials/number.js');
6
6
  const require_primordials_array = require('../primordials/array.js');
7
7
  const require_primordials_date = require('../primordials/date.js');
8
8
  const require_primordials_globals = require('../primordials/globals.js');
@@ -24,7 +24,7 @@ const RETRY_AFTER_INT_RE = /^\d+$/;
24
24
  * Build an HTTP Basic `Authorization` header value from a Socket API token.
25
25
  *
26
26
  * The Socket API uses the token as the username with an empty password, so the
27
- * credential pair is `<token>:`. Centralized here so every fleet caller emits
27
+ * credential pair is `<token>:`. Centralized here so every Socket caller emits
28
28
  * the identical shape instead of hand-rolling `btoa(\`${token}:`)`.
29
29
  *
30
30
  * @example
@@ -118,7 +118,7 @@ async function httpRequestAttempt(url, options) {
118
118
  let redirectHeaders = headers;
119
119
  if (new require_primordials_url.URLCtor(url).origin !== redirectParsed.origin) {
120
120
  redirectHeaders = { __proto__: null };
121
- const stripped = new Set([
121
+ const stripped = /* @__PURE__ */ new Set([
122
122
  "authorization",
123
123
  "cookie",
124
124
  "proxy-authenticate",
@@ -173,7 +173,9 @@ async function httpRequestAttempt(url, options) {
173
173
  if (maxResponseSize && totalBytes > maxResponseSize) {
174
174
  res.destroy();
175
175
  request.destroy();
176
- rejectOnce(new require_primordials_error.ErrorCtor(`Response exceeds maximum size limit (${(totalBytes / (1024 * 1024)).toFixed(2)}MB > ${(maxResponseSize / (1024 * 1024)).toFixed(2)}MB)`));
176
+ const sizeMB = (totalBytes / (1024 * 1024)).toFixed(2);
177
+ const maxMB = (maxResponseSize / (1024 * 1024)).toFixed(2);
178
+ rejectOnce(new require_primordials_error.ErrorCtor(`Response exceeds maximum size limit (${sizeMB}MB > ${maxMB}MB)`));
177
179
  return;
178
180
  }
179
181
  chunks.push(chunk);
@@ -213,7 +215,8 @@ async function httpRequestAttempt(url, options) {
213
215
  });
214
216
  });
215
217
  request.on("error", (error) => {
216
- rejectOnce(new require_primordials_error.ErrorCtor(require_http_request_errors.enrichErrorMessage(url, method, error), { cause: error }));
218
+ const message = require_http_request_errors.enrichErrorMessage(url, method, error);
219
+ rejectOnce(new require_primordials_error.ErrorCtor(message, { cause: error }));
217
220
  });
218
221
  request.on("timeout", () => {
219
222
  request.destroy();
@@ -199,7 +199,7 @@ export interface HttpRequestOptions {
199
199
  onRetry?: ((attempt: number, error: unknown, delay: number) => boolean | number | undefined) | undefined;
200
200
  /**
201
201
  * Number of retry attempts for failed requests. Uses exponential backoff:
202
- * delay = `retryDelay` * 2^attempt.
202
+ * delay = min(`retryDelay` * 2^attempt, `retryDelayMax`).
203
203
  *
204
204
  * @default 0
205
205
  */
@@ -211,6 +211,15 @@ export interface HttpRequestOptions {
211
211
  * @default 1000
212
212
  */
213
213
  retryDelay?: number | undefined;
214
+ /**
215
+ * Maximum delay in milliseconds for a single backoff wait. Caps the
216
+ * exponential growth (`retryDelay` * 2^attempt) so a high `retries` count
217
+ * can't produce multi-minute waits. An explicit `onRetry`-returned delay is
218
+ * not capped — that is the caller's deliberate choice.
219
+ *
220
+ * @default 30000
221
+ */
222
+ retryDelayMax?: number | undefined;
214
223
  /**
215
224
  * AbortSignal forwarded to the underlying `http.request` / `https.request`
216
225
  * call. Supported in Node 22+ via `node:http` request options. When both
@@ -65,7 +65,7 @@ let node_timers_promises = require("node:timers/promises");
65
65
  * non-retryable error happens.
66
66
  */
67
67
  async function httpRequest(url, options) {
68
- const { body, ca, followRedirects = true, headers = {}, hooks, maxRedirects = 5, maxResponseSize, method = "GET", onRetry, retries = 0, retryDelay = 1e3, signal, stream = false, throwOnError = false, timeout = 3e4 } = {
68
+ const { body, ca, followRedirects = true, headers = {}, hooks, maxRedirects = 5, maxResponseSize, method = "GET", onRetry, retries = 0, retryDelay = 1e3, retryDelayMax = 3e4, signal, stream = false, throwOnError = false, timeout = 3e4 } = {
69
69
  __proto__: null,
70
70
  ...options
71
71
  };
@@ -104,7 +104,7 @@ async function httpRequest(url, options) {
104
104
  lastError = e;
105
105
  if (attempt === retries) break;
106
106
  if (signal?.aborted) break;
107
- const delayMs = retryDelay * 2 ** attempt;
107
+ const delayMs = require_primordials_math.MathMin(retryDelay * 2 ** attempt, retryDelayMax);
108
108
  if (onRetry) {
109
109
  const retryResult = onRetry(attempt + 1, e, delayMs);
110
110
  if (retryResult === false) break;
@@ -3,7 +3,7 @@
3
3
  * Three-token format aligned with socket-cli's `getCliUserAgent` and
4
4
  * coana-tech-cli's `configureAxiosUserAgent`: `<slug>/<version>
5
5
  * node/<node-version> <platform>/<arch>` e.g. `socketsecurity-lib/6.0.0
6
- * node/v22.10.0 darwin/arm64` Downstream callers (sdxgen SEA binary, fleet
6
+ * node/v22.10.0 darwin/arm64` Downstream callers (sdxgen SEA binary, Socket
7
7
  * CLIs, etc.) can identify themselves via the `SOCKET_CALLER_USER_AGENT` env
8
8
  * var, which is appended to the lib's own UA so the server still sees the lib
9
9
  * identifier. @example import { getSocketCallerUserAgent } from
@@ -16,7 +16,7 @@
16
16
  *
17
17
  * Used directly by socket-lib's own outbound requests (via
18
18
  * `getSocketCallerUserAgent`) and exported for sibling packages (socket-cli,
19
- * socket-sdk-js) so the fleet emits one canonical UA shape.
19
+ * socket-sdk-js) so Socket emits one canonical UA shape.
20
20
  *
21
21
  * @example
22
22
  * ;```typescript
@@ -31,6 +31,18 @@ export declare function buildUserAgent(pkg: {
31
31
  name: string;
32
32
  version: string;
33
33
  }, caller?: string | undefined): string;
34
+ /**
35
+ * Chain User-Agent fragments into a breadcrumb trail, ordered identity → hop
36
+ * (the immediate agent first, each forwarded caller after) so it reads
37
+ * left-to-right and a server's UA parser buckets by the immediate agent. Each
38
+ * fragment is sanitized; empties are dropped; an immediately-repeated fragment
39
+ * is collapsed so re-proxying doesn't stutter the same hop twice.
40
+ *
41
+ * @example
42
+ * chainUserAgents(['socketsecurity-firewall-api-proxy/0.0.0', 'vlt/1.2.3'])
43
+ * // 'socketsecurity-firewall-api-proxy/0.0.0 vlt/1.2.3'
44
+ */
45
+ export declare function chainUserAgents(parts: ReadonlyArray<string | undefined>): string;
34
46
  /**
35
47
  * User-Agent header for socket-lib's own outbound HTTP requests.
36
48
  *
@@ -53,3 +65,12 @@ export declare function buildUserAgent(pkg: {
53
65
  * ```
54
66
  */
55
67
  export declare function getSocketCallerUserAgent(): string;
68
+ /**
69
+ * Sanitize a single User-Agent fragment for safe inclusion in an outgoing HTTP
70
+ * header. A caller identifier (`SOCKET_CALLER_USER_AGENT`, or a UA a proxy
71
+ * forwards on behalf of its client) is untrusted, so strip control chars (C0
72
+ * incl. CR/LF — the header- and log-injection vector — DEL, and C1), collapse
73
+ * internal whitespace to one space, trim, and cap length. Returns '' for
74
+ * nullish / blank / all-control input.
75
+ */
76
+ export declare function sanitizeUserAgent(value: string | undefined): string;
@@ -2,7 +2,9 @@
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
4
  const require_runtime = require('../_virtual/_rolldown/runtime.js');
5
+ const require_primordials_string = require('../primordials/string.js');
5
6
  const require_env_rewire = require('../env/rewire.js');
7
+ const require_primordials_array = require('../primordials/array.js');
6
8
  const require_constants_socket = require('../constants/socket.js');
7
9
  const require_packages_specs = require('../packages/specs.js');
8
10
  let node_process = require("node:process");
@@ -14,20 +16,22 @@ node_process = require_runtime.__toESM(node_process);
14
16
  * Three-token format aligned with socket-cli's `getCliUserAgent` and
15
17
  * coana-tech-cli's `configureAxiosUserAgent`: `<slug>/<version>
16
18
  * node/<node-version> <platform>/<arch>` e.g. `socketsecurity-lib/6.0.0
17
- * node/v22.10.0 darwin/arm64` Downstream callers (sdxgen SEA binary, fleet
19
+ * node/v22.10.0 darwin/arm64` Downstream callers (sdxgen SEA binary, Socket
18
20
  * CLIs, etc.) can identify themselves via the `SOCKET_CALLER_USER_AGENT` env
19
21
  * var, which is appended to the lib's own UA so the server still sees the lib
20
22
  * identifier. @example import { getSocketCallerUserAgent } from
21
23
  * '@socketsecurity/lib/http-request/user-agent'
22
24
  * request.setHeader('User-Agent', getSocketCallerUserAgent())
23
25
  */
26
+ const MAX_USER_AGENT_LENGTH = 256;
27
+ let cachedBaseUserAgent;
24
28
  /**
25
29
  * Compose a three-token User-Agent string from a `{ name, version }` pair,
26
30
  * optionally appending a caller-supplied identifier.
27
31
  *
28
32
  * Used directly by socket-lib's own outbound requests (via
29
33
  * `getSocketCallerUserAgent`) and exported for sibling packages (socket-cli,
30
- * socket-sdk-js) so the fleet emits one canonical UA shape.
34
+ * socket-sdk-js) so Socket emits one canonical UA shape.
31
35
  *
32
36
  * @example
33
37
  * ;```typescript
@@ -40,9 +44,27 @@ node_process = require_runtime.__toESM(node_process);
40
44
  */
41
45
  function buildUserAgent(pkg, caller) {
42
46
  const base = `${require_packages_specs.pkgNameToSlug(pkg.name)}/${pkg.version} node/${node_process.default.version} ${node_process.default.platform}/${node_process.default.arch}`;
43
- return caller ? `${base} ${caller}` : base;
47
+ return caller ? chainUserAgents([base, caller]) : base;
48
+ }
49
+ /**
50
+ * Chain User-Agent fragments into a breadcrumb trail, ordered identity → hop
51
+ * (the immediate agent first, each forwarded caller after) so it reads
52
+ * left-to-right and a server's UA parser buckets by the immediate agent. Each
53
+ * fragment is sanitized; empties are dropped; an immediately-repeated fragment
54
+ * is collapsed so re-proxying doesn't stutter the same hop twice.
55
+ *
56
+ * @example
57
+ * chainUserAgents(['socketsecurity-firewall-api-proxy/0.0.0', 'vlt/1.2.3'])
58
+ * // 'socketsecurity-firewall-api-proxy/0.0.0 vlt/1.2.3'
59
+ */
60
+ function chainUserAgents(parts) {
61
+ const trail = [];
62
+ for (let i = 0, { length } = parts; i < length; i += 1) {
63
+ const clean = sanitizeUserAgent(parts[i]);
64
+ if (clean && trail[trail.length - 1] !== clean) require_primordials_array.ArrayPrototypePush(trail, clean);
65
+ }
66
+ return require_primordials_array.ArrayPrototypeJoin(trail, " ");
44
67
  }
45
- let cachedBaseUserAgent;
46
68
  /**
47
69
  * User-Agent header for socket-lib's own outbound HTTP requests.
48
70
  *
@@ -70,9 +92,29 @@ function getSocketCallerUserAgent() {
70
92
  version: require_constants_socket.SOCKET_LIB_VERSION
71
93
  });
72
94
  const caller = require_env_rewire.getEnvValue("SOCKET_CALLER_USER_AGENT");
73
- return caller?.trim() ? `${cachedBaseUserAgent} ${caller}` : cachedBaseUserAgent;
95
+ return chainUserAgents([cachedBaseUserAgent, caller]);
96
+ }
97
+ /**
98
+ * Sanitize a single User-Agent fragment for safe inclusion in an outgoing HTTP
99
+ * header. A caller identifier (`SOCKET_CALLER_USER_AGENT`, or a UA a proxy
100
+ * forwards on behalf of its client) is untrusted, so strip control chars (C0
101
+ * incl. CR/LF — the header- and log-injection vector — DEL, and C1), collapse
102
+ * internal whitespace to one space, trim, and cap length. Returns '' for
103
+ * nullish / blank / all-control input.
104
+ */
105
+ function sanitizeUserAgent(value) {
106
+ if (!value) return "";
107
+ let cleaned = "";
108
+ for (let i = 0, { length } = value; i < length; i += 1) {
109
+ const code = require_primordials_string.StringPrototypeCharCodeAt(value, i);
110
+ cleaned += code < 32 || code >= 127 && code <= 159 ? " " : require_primordials_string.StringPrototypeCharAt(value, i);
111
+ }
112
+ cleaned = require_primordials_string.StringPrototypeTrim(require_primordials_string.StringPrototypeReplace(cleaned, /\s+/g, " "));
113
+ return cleaned.length > MAX_USER_AGENT_LENGTH ? require_primordials_string.StringPrototypeTrim(require_primordials_string.StringPrototypeSlice(cleaned, 0, MAX_USER_AGENT_LENGTH)) : cleaned;
74
114
  }
75
115
 
76
116
  //#endregion
77
117
  exports.buildUserAgent = buildUserAgent;
78
- exports.getSocketCallerUserAgent = getSocketCallerUserAgent;
118
+ exports.chainUserAgents = chainUserAgents;
119
+ exports.getSocketCallerUserAgent = getSocketCallerUserAgent;
120
+ exports.sanitizeUserAgent = sanitizeUserAgent;
@@ -1,18 +1,36 @@
1
+ /**
2
+ * SRI-blessed hash algorithms. The W3C set; the prefix is part of the wire
3
+ * format, not a Socket convention.
4
+ */
5
+ export type HashAlgorithm = 'sha256' | 'sha384' | 'sha512';
6
+ /**
7
+ * A cryptographic hash: an algorithm plus the digest in both encodings. Frozen,
8
+ * plain, self-describing — `h.algorithm` removes every "is this 256 or 512?"
9
+ * guess, and `h.hex` / `h.sri` are precomputed views (cheap transcodes of the
10
+ * digest, eager so the value stays serializable and structurally comparable).
11
+ */
12
+ export interface Hash {
13
+ readonly algorithm: HashAlgorithm;
14
+ /**
15
+ * Lowercase hex digest (64 chars sha256, 96 sha384, 128 sha512).
16
+ */
17
+ readonly hex: string;
18
+ /**
19
+ * W3C SRI string: `<algorithm>-<base64>`.
20
+ */
21
+ readonly sri: string;
22
+ }
23
+ /**
24
+ * Anything a caller can hand verify/convert as "the expected hash": a parsed
25
+ * {@link Hash}, an SRI string, or a bare hex digest (algorithm inferred by
26
+ * length).
27
+ */
28
+ export type HashInput = string | Hash;
1
29
  /**
2
30
  * Tagged union representing an expected hash.
3
31
  *
4
- * @example
5
- * // Bare SRI (sniffed as integrity):
6
- * 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs='
7
- *
8
- * @example
9
- * // Bare sha256 hex (sniffed as checksum):
10
- * 'a1b2c3...'
11
- *
12
- * @example
13
- * // Explicit:
14
- * { type: 'integrity', value: 'sha512-...' }
15
- * { type: 'checksum', value: 'a1b2c3...' }
32
+ * @deprecated Prefer {@link HashInput} + {@link parseHash}. Kept for the
33
+ * `integrity?: HashSpec` option fields across dlx / external-tools.
16
34
  */
17
35
  export type HashSpec = string | {
18
36
  type: 'integrity';
@@ -22,15 +40,16 @@ export type HashSpec = string | {
22
40
  value: string;
23
41
  };
24
42
  /**
25
- * Normalized internal form. Always an object.
43
+ * Normalized internal form of a {@link HashSpec}. Always an object.
26
44
  */
27
45
  export interface NormalizedHash {
28
46
  type: 'integrity' | 'checksum';
29
47
  value: string;
30
48
  }
31
49
  /**
32
- * Both hash formats for the same bytes. Returned from downloads so callers can
33
- * record whichever format their config uses.
50
+ * Both pinned hash formats for the same bytes: the sha512 SRI we pin against
51
+ * and the sha256 hex upstream tools emit. Returned from downloads so callers
52
+ * record whichever their config uses.
34
53
  */
35
54
  export interface ComputedHashes {
36
55
  /**
@@ -43,7 +62,7 @@ export interface ComputedHashes {
43
62
  checksum: string;
44
63
  }
45
64
  /**
46
- * Parsed components of an integrity string.
65
+ * Parsed components of an SRI integrity string.
47
66
  */
48
67
  export interface ParsedIntegrity {
49
68
  /**
@@ -56,60 +75,64 @@ export interface ParsedIntegrity {
56
75
  body: string;
57
76
  }
58
77
  /**
59
- * Convert a sha256 hex checksum to its SRI integrity form (`sha256-<base64>`).
60
- * Idempotent on integrity input — call this on user-supplied data without first
61
- * sniffing the format.
62
- *
63
- * The default algorithm is `'sha256'` because this converts a _checksum_, and
64
- * checksums are sha256 by fleet convention (the GitHub-SHA256SUMS interop shape
65
- * its only caller, `checksum-file.ts`, parses). Do NOT flip this default to
66
- * sha512: this function only relabels the hex bytes, it does not re-hash, so a
67
- * sha512 label on a 256-bit digest would be a lie. The canonical algorithm for
68
- * OUR-side integrity values is sha512 — emitted by `computeHashes` as the
69
- * `integrity` (`sha512-<base64>`) field; sha256 is reserved for
70
- * upstream-SHASUMS interop and content addressing. Pass an explicit algorithm
71
- * if you have a hex digest from `sha384` or `sha512` (the function does not
72
- * verify hex length against the algorithm — caller's responsibility).
78
+ * Convert a hex checksum to its SRI integrity form.
73
79
  *
74
- * @example
75
- * ;```typescript
76
- * checksumToIntegrity(
77
- * '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b',
78
- * )
79
- * // 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs='
80
- *
81
- * checksumToIntegrity('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
82
- * // 'sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=' (idempotent)
83
- * ```
80
+ * @deprecated Prefer `parseHash(x).sri`, which is total across all algorithms
81
+ * and infers the algorithm from a bare hex digest. This shim defaults to
82
+ * `'sha256'` because it only relabels the hex bytes — it does NOT re-hash, so
83
+ * a sha512 label on a 256-bit digest would be a lie. Idempotent on SRI input.
84
84
  *
85
85
  * @throws TypeError when the input is neither a recognized SRI nor a hex
86
86
  * digest.
87
87
  */
88
- export declare function checksumToIntegrity(input: string, algorithm?: string): string;
88
+ export declare function checksumToIntegrity(input: string, algorithm?: HashAlgorithm): string;
89
+ /**
90
+ * Compute a single {@link Hash} of `bytes`. Defaults to sha512 — the canonical
91
+ * trust string we pin against. Pass `'sha256'` for the upstream-interop digest.
92
+ *
93
+ * @example
94
+ * ;```typescript
95
+ * computeHash(bytes).sri // 'sha512-…' (pin this)
96
+ * computeHash(bytes, 'sha256').hex // '3620a0…' (compare to SHA256SUMS)
97
+ * ```
98
+ */
99
+ export declare function computeHash(bytes: NodeJS.ArrayBufferView, algorithm?: HashAlgorithm): Hash;
89
100
  /**
90
- * Compute both integrity (sha512 SRI) and checksum (sha256 hex) for a buffer of
91
- * bytes.
101
+ * Compute both pinned formats for `bytes`: the sha512 SRI integrity and the
102
+ * sha256 hex checksum. Use when a config records both (e.g.
103
+ * `external-tools.json`, dlx lockfiles).
92
104
  */
93
105
  export declare function computeHashes(bytes: Buffer): ComputedHashes;
94
106
  /**
95
- * Convert a sha256 SRI integrity string to its hex checksum form (64 lowercase
96
- * chars). Idempotent on checksum input.
107
+ * Compare two hashes for equality, ENCODING-agnostically. Parses both and
108
+ * only when they share an algorithm — timing-safe compares the digests.
97
109
  *
98
- * Throws on `sha384` and `sha512` SRI checksums are sha256-only by fleet
99
- * convention. Callers that need a hex digest for those algorithms can call
100
- * `parseIntegrity(sri)` and decode `.body` manually.
110
+ * Returns false when the algorithms differ. A sha512 and a sha256 are different
111
+ * functions of the same bytes: their digests are unrelated values, so they can
112
+ * never be "equal", and you CANNOT derive or check one against the other
113
+ * without the original bytes. To confirm a sha256 and a sha512 describe the
114
+ * same content, hash the bytes both ways (`computeHashes`) or `verifyHash` the
115
+ * bytes against each — there is no hash-to-hash shortcut across algorithms.
116
+ *
117
+ * What this DOES solve is the cross-ENCODING case that bites string `===`: a
118
+ * sha256 SRI and the same sha256 hex compare equal here.
101
119
  *
102
120
  * @example
103
121
  * ;```typescript
104
- * integrityToChecksum('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
105
- * // '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b'
106
- *
107
- * integrityToChecksum(
108
- * '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b',
109
- * )
110
- * // '3620a0fcaf81ecd3aaeccd5965919d90dbc913f4d07a96e11e7cafc2c785054b' (idempotent)
122
+ * equalHashes('sha256-NiCg', '3620a0fc…') // true (same digest, SRI vs hex)
123
+ * equalHashes('sha512-…', '3620a0fc…') // false (different algorithms)
111
124
  * ```
112
125
  *
126
+ * @throws TypeError when either input is not a recognized hash.
127
+ */
128
+ export declare function equalHashes(a: HashInput, b: HashInput): boolean;
129
+ /**
130
+ * Convert an SRI integrity string to its hex checksum form.
131
+ *
132
+ * @deprecated Prefer `parseHash(x).hex`, which is total across all algorithms.
133
+ * This shim is sha256-only (throws on sha384 / sha512) to preserve its
134
+ * historical "checksums are sha256" contract. Idempotent on hex input.
135
+ *
113
136
  * @throws TypeError when the input is neither a recognized SRI nor a hex
114
137
  * checksum, or when the input is a non-sha256 SRI.
115
138
  */
@@ -118,49 +141,75 @@ export declare function integrityToChecksum(input: string): string;
118
141
  * True when `s` is a sha256 hex checksum (exactly 64 hex chars).
119
142
  */
120
143
  export declare function isChecksum(s: string): boolean;
144
+ /**
145
+ * True when `s` is a bare hex digest of a recognized length (sha256 / sha384 /
146
+ * sha512).
147
+ */
148
+ export declare function isHex(s: string): boolean;
121
149
  /**
122
150
  * True when `s` is a W3C SRI integrity string: `sha(256|384|512)-<base64>`.
123
151
  */
124
152
  export declare function isIntegrity(s: string): boolean;
153
+ /**
154
+ * Build a frozen {@link Hash} from an algorithm and a hex digest. The internal
155
+ * constructor — trusts its inputs (lowercases the hex, computes the SRI view);
156
+ * use {@link parseHash} for untrusted strings, which validates first.
157
+ */
158
+ export declare function makeHash(algorithm: HashAlgorithm, hex: string): Hash;
125
159
  /**
126
160
  * Normalize a {@link HashSpec} to its canonical `{ type, value }` form.
127
161
  *
128
- * - Object form is trusted (its `value` is validated for shape).
129
- * - Bare string matching SRI integrity.
130
- * - Bare string of 64 hex chars → checksum.
131
- * - Anything else throws TypeError.
162
+ * @deprecated Prefer {@link parseHash}, which returns an algorithm-tagged
163
+ * {@link Hash}. Kept for callers that branch on integrity-vs-checksum type.
132
164
  *
133
165
  * @throws TypeError if the string is not a recognized format, or if an explicit
134
166
  * object's value doesn't match its declared type.
135
167
  */
136
168
  export declare function normalizeHash(spec: HashSpec): NormalizedHash;
137
169
  /**
138
- * Split an integrity string into its `{ algorithm, body }` components. `body`
139
- * is the base64-encoded digest (everything after the algorithm + dash).
170
+ * Parse any {@link HashInput} into a canonical {@link Hash}. The one entry
171
+ * point for untrusted input validates shape + length, then freezes.
140
172
  *
141
- * @example
142
- * ;```typescript
143
- * parseIntegrity('sha256-NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=')
144
- * // { algorithm: 'sha256', body: 'NiCg/K+B7NOq7M1ZZZGdkNvJE/TQepbhHnyvwseFBUs=' }
145
- * ```
173
+ * - A {@link Hash} object is re-canonicalized from its `algorithm` + `hex`.
174
+ * - An SRI string carries its algorithm in the prefix (the body length is checked
175
+ * against it).
176
+ * - A bare hex digest infers the algorithm from its length (64 / 96 / 128).
177
+ *
178
+ * @throws TypeError when the input is not a recognized SRI or hex digest, or
179
+ * when an SRI body's length doesn't match its declared algorithm.
180
+ */
181
+ export declare function parseHash(input: HashInput): Hash;
182
+ /**
183
+ * Split an SRI integrity string into its `{ algorithm, body }` components.
184
+ * `body` is the base64-encoded digest.
146
185
  *
147
186
  * @throws Error when the input is not a valid SRI integrity string.
148
187
  */
149
188
  export declare function parseIntegrity(sri: string): ParsedIntegrity;
150
189
  /**
151
- * Verify computed hashes against an expected {@link NormalizedHash}. Uses
152
- * `crypto.timingSafeEqual` for constant-time comparison.
153
- *
154
- * @throws DlxHashMismatchError when the hash of the matching type doesn't match
155
- * the expected value.
190
+ * Verify `bytes` against an expected hash. Reads the algorithm the expected
191
+ * hash declares, computes only that digest, and compares with
192
+ * `crypto.timingSafeEqual` — so any encoding (hex / SRI / {@link Hash}) and any
193
+ * algorithm (sha256 / sha384 / sha512) verifies without the caller reconciling
194
+ * formats first.
195
+ *
196
+ * @throws HashMismatchError when the recomputed digest doesn't match.
197
+ * @throws TypeError when `expected` is not a recognized hash.
156
198
  */
157
- export declare function verifyHash(expected: NormalizedHash, computed: ComputedHashes): void;
199
+ export declare function verifyHash(bytes: NodeJS.ArrayBufferView, expected: HashInput): void;
158
200
  /**
159
- * Thrown when an expected hash doesn't match the computed hash of the
160
- * downloaded bytes. Carries both sides for diagnostics.
201
+ * Thrown when an expected hash doesn't match the computed hash of the verified
202
+ * bytes. Carries both sides (as {@link Hash}) for diagnostics.
161
203
  */
162
- export declare class DlxHashMismatchError extends Error {
163
- readonly expected: NormalizedHash;
164
- readonly actual: ComputedHashes;
165
- constructor(expected: NormalizedHash, actual: ComputedHashes);
204
+ export declare class HashMismatchError extends Error {
205
+ readonly expected: Hash;
206
+ readonly actual: Hash;
207
+ constructor(expected: Hash, actual: Hash);
166
208
  }
209
+ /**
210
+ * @deprecated Renamed to {@link HashMismatchError}. Alias kept for callers that
211
+ * catch the old name.
212
+ *
213
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
214
+ */
215
+ export declare const DlxHashMismatchError: typeof HashMismatchError;