@socketsecurity/lib 6.0.9 → 6.0.10

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (335) hide show
  1. package/CHANGELOG.md +6 -0
  2. package/README.md +8 -9
  3. package/dist/abort/signal.d.ts +1 -1
  4. package/dist/abort/signal.js +1 -1
  5. package/dist/ai/agent-context.d.mts +1 -1
  6. package/dist/ai/agent-context.js +3 -2
  7. package/dist/ai/backends.d.mts +3 -3
  8. package/dist/ai/backends.js +2 -2
  9. package/dist/ai/billing-context.d.mts +74 -0
  10. package/dist/ai/billing-context.js +129 -0
  11. package/dist/ai/credentials.d.mts +39 -5
  12. package/dist/ai/credentials.js +61 -6
  13. package/dist/ai/discover.d.mts +4 -0
  14. package/dist/ai/discover.js +4 -0
  15. package/dist/ai/exec.d.mts +1 -1
  16. package/dist/ai/exec.js +1 -1
  17. package/dist/ai/http.d.mts +8 -8
  18. package/dist/ai/http.js +6 -6
  19. package/dist/ai/profiles.d.mts +9 -10
  20. package/dist/ai/profiles.js +0 -5
  21. package/dist/ai/role.d.mts +58 -0
  22. package/dist/ai/role.js +96 -0
  23. package/dist/ai/route-heuristic.d.mts +177 -0
  24. package/dist/ai/route-heuristic.js +194 -0
  25. package/dist/ai/route.d.mts +10 -9
  26. package/dist/ai/route.js +14 -13
  27. package/dist/ai/spawn.d.mts +2 -1
  28. package/dist/ai/spawn.js +25 -2
  29. package/dist/ai/subagent-status.d.mts +2 -0
  30. package/dist/ai/subagent-status.js +2 -0
  31. package/dist/ai/tier.d.mts +1 -1
  32. package/dist/ai/types.d.mts +9 -2
  33. package/dist/ai/worktree.d.mts +1 -1
  34. package/dist/ai/worktree.js +3 -2
  35. package/dist/argv/parse.d.ts +2 -0
  36. package/dist/argv/parse.js +2 -0
  37. package/dist/bin/_internal.d.ts +1 -1
  38. package/dist/bin/_internal.js +1 -1
  39. package/dist/bin/prim.cjs +446 -300
  40. package/dist/bin/shadow.js +2 -1
  41. package/dist/bin/which.d.ts +28 -3
  42. package/dist/bin/which.js +45 -3
  43. package/dist/cacache/_internal.d.ts +10 -2
  44. package/dist/cacache/_internal.js +6 -10
  45. package/dist/cache/ttl/_internal.d.ts +33 -0
  46. package/dist/cache/ttl/_internal.js +68 -0
  47. package/dist/cache/ttl/browser.d.ts +56 -0
  48. package/dist/cache/ttl/browser.js +257 -0
  49. package/dist/cache/ttl/store.js +10 -33
  50. package/dist/cache/ttl/types.d.ts +46 -3
  51. package/dist/checks/primordials-defaults.d.ts +5 -5
  52. package/dist/checks/primordials-defaults.js +5 -5
  53. package/dist/checks/primordials.d.ts +1 -1
  54. package/dist/checks/primordials.js +25 -17
  55. package/dist/cli/check-primordials.d.ts +6 -1
  56. package/dist/cli/check-primordials.js +14 -5
  57. package/dist/cli/check.js +1 -1
  58. package/dist/cli/socket-lib.d.ts +1 -1
  59. package/dist/cli/socket-lib.js +3 -3
  60. package/dist/colors/socket-palette.d.ts +1 -1
  61. package/dist/compression/brotli.d.ts +6 -2
  62. package/dist/compression/brotli.js +4 -0
  63. package/dist/compression/gzip.d.ts +6 -2
  64. package/dist/compression/gzip.js +6 -1
  65. package/dist/config/layers.d.ts +4 -4
  66. package/dist/config/layers.js +4 -4
  67. package/dist/constants/agents.d.ts +3 -0
  68. package/dist/constants/agents.js +3 -0
  69. package/dist/constants/node.d.ts +14 -0
  70. package/dist/constants/node.js +14 -0
  71. package/dist/constants/package-default-node-range.js +1 -5
  72. package/dist/constants/packages.d.ts +5 -0
  73. package/dist/constants/packages.js +5 -0
  74. package/dist/constants/platform.d.ts +1 -1
  75. package/dist/constants/platform.js +1 -1
  76. package/dist/constants/socket.js +1 -1
  77. package/dist/constants/typescript.d.ts +5 -0
  78. package/dist/constants/typescript.js +5 -0
  79. package/dist/debug/_internal.d.ts +22 -7
  80. package/dist/debug/_internal.js +33 -15
  81. package/dist/debug/namespace.js +11 -8
  82. package/dist/debug/output.d.ts +12 -1
  83. package/dist/debug/output.js +33 -16
  84. package/dist/dlx/binary-resolution.js +7 -4
  85. package/dist/eco/npm/npm/parse-lockfile.js +2 -1
  86. package/dist/eco/npm/vlt/exec.d.ts +1 -1
  87. package/dist/eco/npm/vlt/exec.js +1 -1
  88. package/dist/env/agents.d.ts +6 -0
  89. package/dist/env/agents.js +29 -0
  90. package/dist/env/flags.d.ts +12 -0
  91. package/dist/env/flags.js +23 -0
  92. package/dist/env/github-status.js +2 -2
  93. package/dist/env/providers.d.ts +6 -0
  94. package/dist/env/providers.js +23 -0
  95. package/dist/env/proxy.js +1 -1
  96. package/dist/env/rewire.d.ts +32 -0
  97. package/dist/env/rewire.js +55 -23
  98. package/dist/env/runtimes.d.ts +9 -0
  99. package/dist/env/runtimes.js +53 -0
  100. package/dist/env/socket-cli.d.ts +5 -2
  101. package/dist/env/socket-cli.js +6 -3
  102. package/dist/errors/predicates.d.ts +3 -2
  103. package/dist/errors/predicates.js +5 -3
  104. package/dist/errors/stack.js +2 -1
  105. package/dist/events/exit/_internal.d.ts +1 -23
  106. package/dist/external/@npmcli/package-json.js +179 -88
  107. package/dist/external/@npmcli/promise-spawn.js +2 -2
  108. package/dist/external/@sinclair/typebox/value.js +5 -4
  109. package/dist/external/@socketregistry/yocto-spinner.js +3 -3
  110. package/dist/external/adm-zip.d.ts +82 -0
  111. package/dist/external/adm-zip.js +2 -2
  112. package/dist/external/cacache.d.ts +87 -0
  113. package/dist/external/debug.d.ts +22 -0
  114. package/dist/external/debug.js +11 -4
  115. package/dist/external/del.d.ts +1 -0
  116. package/dist/external/external-pack.d.ts +12 -0
  117. package/dist/external/external-pack.js +41 -34
  118. package/dist/external/fast-glob.d.ts +8 -0
  119. package/dist/external/fast-sort.d.ts +1 -0
  120. package/dist/external/get-east-asian-width.d.ts +5 -0
  121. package/dist/external/get-east-asian-width.js +8 -1
  122. package/dist/external/has-flag.d.ts +1 -0
  123. package/dist/external/inquirer-pack.d.ts +18 -0
  124. package/dist/external/libnpmexec.d.ts +35 -0
  125. package/dist/external/libnpmpack.d.ts +1 -0
  126. package/dist/external/make-fetch-happen.d.ts +13 -0
  127. package/dist/external/normalize-package-data.d.ts +4 -0
  128. package/dist/external/npm-core.d.ts +14 -0
  129. package/dist/external/npm-pack.d.ts +24 -0
  130. package/dist/external/npm-pack.js +1551 -1867
  131. package/dist/external/npm-package-arg.d.ts +4 -0
  132. package/dist/external/p-map.js +8 -1
  133. package/dist/external/pacote.d.ts +15 -0
  134. package/dist/external/pico-pack.d.ts +16 -0
  135. package/dist/external/pico-pack.js +38 -23
  136. package/dist/external/picomatch.d.ts +96 -0
  137. package/dist/external/pony-cause.d.ts +14 -0
  138. package/dist/external/semver.d.ts +60 -0
  139. package/dist/external/semver.js +1459 -4
  140. package/dist/external/shell-quote.d.ts +51 -0
  141. package/dist/external/shell-quote.js +55 -15
  142. package/dist/external/signal-exit.d.ts +1 -0
  143. package/dist/external/spdx-correct.d.ts +4 -0
  144. package/dist/external/spdx-expression-parse.d.ts +4 -0
  145. package/dist/external/spdx-pack.d.ts +10 -0
  146. package/dist/external/std-env.d.ts +284 -0
  147. package/dist/external/std-env.js +323 -0
  148. package/dist/external/streaming-iterables.d.ts +11 -0
  149. package/dist/external/supports-color.d.ts +1 -0
  150. package/dist/external/tar-fs.d.ts +31 -0
  151. package/dist/external/validate-npm-package-name.d.ts +4 -0
  152. package/dist/external/which.d.ts +25 -0
  153. package/dist/external/which.js +2 -2
  154. package/dist/external/yargs-parser.d.ts +2 -0
  155. package/dist/external/yargs-parser.js +11 -3
  156. package/dist/external/yoctocolors-cjs.d.ts +51 -0
  157. package/dist/external-tools/bazel/asset-names.d.ts +1 -1
  158. package/dist/external-tools/bazel/from-download.d.ts +1 -1
  159. package/dist/external-tools/bazel/resolve.d.ts +3 -0
  160. package/dist/external-tools/bazel/resolve.js +3 -0
  161. package/dist/external-tools/cdxgen/asset-names.d.ts +5 -5
  162. package/dist/external-tools/cdxgen/asset-names.js +3 -3
  163. package/dist/external-tools/cdxgen/from-download.d.ts +2 -2
  164. package/dist/external-tools/cdxgen/from-download.js +1 -1
  165. package/dist/external-tools/cdxgen/resolve.d.ts +4 -1
  166. package/dist/external-tools/cdxgen/resolve.js +4 -1
  167. package/dist/external-tools/cdxgen/types.d.ts +1 -1
  168. package/dist/external-tools/from-download.d.ts +2 -2
  169. package/dist/external-tools/from-download.js +1 -1
  170. package/dist/external-tools/janus/asset-names.d.ts +4 -1
  171. package/dist/external-tools/janus/asset-names.js +3 -0
  172. package/dist/external-tools/janus/from-download.d.ts +3 -3
  173. package/dist/external-tools/janus/from-download.js +2 -2
  174. package/dist/external-tools/janus/resolve.d.ts +3 -0
  175. package/dist/external-tools/janus/resolve.js +3 -0
  176. package/dist/external-tools/jre/asset-names.d.ts +3 -1
  177. package/dist/external-tools/jre/asset-names.js +2 -0
  178. package/dist/external-tools/jre/from-download.d.ts +1 -1
  179. package/dist/external-tools/manifest.d.ts +5 -3
  180. package/dist/external-tools/manifest.js +4 -2
  181. package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
  182. package/dist/external-tools/opengrep/resolve.d.ts +3 -0
  183. package/dist/external-tools/opengrep/resolve.js +3 -0
  184. package/dist/external-tools/python/asset-names.d.ts +3 -1
  185. package/dist/external-tools/python/asset-names.js +7 -3
  186. package/dist/external-tools/python/pin.js +3 -1
  187. package/dist/external-tools/python/resolve.d.ts +3 -0
  188. package/dist/external-tools/python/resolve.js +3 -0
  189. package/dist/external-tools/sbt/resolve.d.ts +3 -0
  190. package/dist/external-tools/sbt/resolve.js +3 -0
  191. package/dist/external-tools/skillspector/from-uv.d.ts +1 -1
  192. package/dist/external-tools/synp/resolve.d.ts +3 -0
  193. package/dist/external-tools/synp/resolve.js +3 -0
  194. package/dist/external-tools/trivy/asset-names.d.ts +1 -1
  195. package/dist/external-tools/trivy/resolve.d.ts +3 -0
  196. package/dist/external-tools/trivy/resolve.js +3 -0
  197. package/dist/external-tools/trufflehog/asset-names.d.ts +4 -1
  198. package/dist/external-tools/trufflehog/asset-names.js +3 -0
  199. package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
  200. package/dist/external-tools/trufflehog/resolve.d.ts +3 -0
  201. package/dist/external-tools/trufflehog/resolve.js +3 -0
  202. package/dist/external-tools/uv/asset-names.d.ts +1 -1
  203. package/dist/external-tools/uv/resolve.d.ts +3 -0
  204. package/dist/external-tools/uv/resolve.js +3 -0
  205. package/dist/fleet/repo-config.d.ts +8 -6
  206. package/dist/fleet/repo-config.js +8 -6
  207. package/dist/fs/_internal.d.ts +1 -1
  208. package/dist/fs/_internal.js +1 -1
  209. package/dist/fs/access.d.ts +2 -0
  210. package/dist/fs/access.js +2 -0
  211. package/dist/fs/allowed-dirs-cache.js +5 -3
  212. package/dist/fs/find.js +1 -2
  213. package/dist/fs/inspect.d.ts +2 -2
  214. package/dist/fs/read-file.js +3 -4
  215. package/dist/fs/safe.js +1 -1
  216. package/dist/git/_internal.js +5 -1
  217. package/dist/github/commit.d.ts +92 -0
  218. package/dist/github/commit.js +113 -0
  219. package/dist/github/ghsa.js +1 -1
  220. package/dist/github/refs-graphql.js +1 -1
  221. package/dist/github/request.js +1 -1
  222. package/dist/github/token.d.ts +5 -2
  223. package/dist/github/token.js +6 -4
  224. package/dist/github/workflow-runs.d.ts +107 -0
  225. package/dist/github/workflow-runs.js +98 -0
  226. package/dist/http-request/_internal.d.ts +1 -1
  227. package/dist/http-request/browser.d.ts +6 -0
  228. package/dist/http-request/browser.js +3 -2
  229. package/dist/http-request/download.js +2 -0
  230. package/dist/http-request/headers.d.ts +1 -1
  231. package/dist/http-request/headers.js +1 -1
  232. package/dist/http-request/request-attempt.js +6 -3
  233. package/dist/http-request/request-types.d.ts +10 -1
  234. package/dist/http-request/request.js +2 -2
  235. package/dist/http-request/user-agent.d.ts +23 -2
  236. package/dist/http-request/user-agent.js +48 -6
  237. package/dist/integrity.d.ts +3 -1
  238. package/dist/integrity.js +3 -1
  239. package/dist/json/format.js +4 -1
  240. package/dist/logger/_internal.d.ts +13 -15
  241. package/dist/logger/_internal.js +21 -21
  242. package/dist/logger/colors.d.ts +9 -3
  243. package/dist/logger/colors.js +6 -13
  244. package/dist/logger/console-methods.js +2 -2
  245. package/dist/logger/console.d.ts +1 -0
  246. package/dist/logger/console.js +9 -9
  247. package/dist/logger/node.js +2 -1
  248. package/dist/native-messaging/install.js +1 -1
  249. package/dist/native-messaging/rate-limit.d.ts +4 -1
  250. package/dist/native-messaging/rate-limit.js +4 -1
  251. package/dist/node/events.d.ts +3 -0
  252. package/dist/node/events.js +3 -0
  253. package/dist/node/fs.d.ts +1 -1
  254. package/dist/node/timers-promises.d.ts +3 -0
  255. package/dist/node/timers-promises.js +3 -0
  256. package/dist/node/url.d.ts +3 -0
  257. package/dist/node/url.js +3 -0
  258. package/dist/npm/meta-cache.d.ts +183 -0
  259. package/dist/npm/meta-cache.js +318 -0
  260. package/dist/npm/meta-slice.d.ts +27 -0
  261. package/dist/npm/meta-slice.js +68 -0
  262. package/dist/npm/meta-types.d.ts +282 -0
  263. package/dist/npm/meta-types.js +2 -0
  264. package/dist/npm/meta.d.ts +125 -0
  265. package/dist/npm/meta.js +347 -0
  266. package/dist/npm/registry.d.ts +212 -0
  267. package/dist/npm/registry.js +284 -0
  268. package/dist/objects/getters.d.ts +1 -1
  269. package/dist/objects/getters.js +1 -1
  270. package/dist/packages/manifest.js +6 -7
  271. package/dist/packages/metadata-extensions.js +2 -4
  272. package/dist/packages/provenance.d.ts +8 -0
  273. package/dist/packages/provenance.js +8 -0
  274. package/dist/packages/tarball.js +1 -2
  275. package/dist/packages/validation.d.ts +0 -10
  276. package/dist/packages/validation.js +0 -14
  277. package/dist/paths/exts.d.ts +30 -0
  278. package/dist/paths/exts.js +30 -0
  279. package/dist/paths/filenames.d.ts +6 -0
  280. package/dist/paths/filenames.js +6 -0
  281. package/dist/paths/globs.d.ts +6 -0
  282. package/dist/paths/globs.js +6 -0
  283. package/dist/paths/resolve.js +19 -14
  284. package/dist/paths/socket.d.ts +8 -8
  285. package/dist/paths/socket.js +8 -8
  286. package/dist/perf/report.js +4 -2
  287. package/dist/pkg-ext/data.js +0 -2
  288. package/dist/primordials/globals.d.ts +1 -1
  289. package/dist/primordials/globals.js +1 -1
  290. package/dist/primordials/headers.d.ts +13 -1
  291. package/dist/primordials/headers.js +13 -1
  292. package/dist/primordials/process.d.ts +1 -1
  293. package/dist/primordials/process.js +1 -1
  294. package/dist/primordials/url.d.ts +18 -0
  295. package/dist/primordials/url.js +18 -0
  296. package/dist/process/spawn/child.js +3 -5
  297. package/dist/promises/_internal.d.ts +1 -1
  298. package/dist/promises/_internal.js +1 -2
  299. package/dist/promises/options.js +3 -3
  300. package/dist/releases/socket-btm-binary-naming.js +12 -1
  301. package/dist/secrets/_internal.d.ts +1 -1
  302. package/dist/secrets/_internal.js +1 -1
  303. package/dist/secrets/find.d.ts +2 -2
  304. package/dist/secrets/find.js +2 -2
  305. package/dist/secrets/keychain.d.ts +10 -1
  306. package/dist/secrets/keychain.js +10 -1
  307. package/dist/secrets/socket-api-token.d.ts +1 -1
  308. package/dist/secrets/socket-api-token.js +1 -1
  309. package/dist/secrets/types.d.ts +1 -1
  310. package/dist/smol/http.d.ts +2 -0
  311. package/dist/smol/http.js +2 -0
  312. package/dist/smol/https.d.ts +2 -0
  313. package/dist/smol/https.js +2 -0
  314. package/dist/sorts/_internal.d.ts +2 -3
  315. package/dist/sorts/_internal.js +1 -3
  316. package/dist/spinner/format.js +2 -4
  317. package/dist/stdio/footer.js +8 -7
  318. package/dist/stdio/prompts.d.ts +8 -15
  319. package/dist/stdio/prompts.js +18 -29
  320. package/dist/strings/predicates.d.ts +2 -2
  321. package/dist/strings/search.js +1 -1
  322. package/dist/strings/types.d.ts +4 -0
  323. package/dist/strings/width.d.ts +1 -0
  324. package/dist/strings/width.js +17 -8
  325. package/dist/themes/context.d.ts +13 -0
  326. package/dist/themes/context.js +23 -8
  327. package/dist/versions/_internal.d.ts +43 -13
  328. package/dist/versions/_internal.js +27 -15
  329. package/dist/versions/compare.d.ts +16 -10
  330. package/dist/versions/compare.js +36 -16
  331. package/dist/versions/parse.js +1 -1
  332. package/dist/versions/range.js +3 -2
  333. package/dist/words/pluralize.js +4 -1
  334. package/llms.txt +63 -750
  335. package/package.json +200 -35
package/CHANGELOG.md CHANGED
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
5
5
  The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
6
6
  and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
7
7
 
8
+ ## [6.0.10](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.10) - 2026-07-13
9
+
10
+ ### Fixed
11
+
12
+ - **`stdio/footer`** — lazy-load colors so import survives --build-snapshot
13
+
8
14
  ## [6.0.9](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.9) - 2026-06-18
9
15
 
10
16
  ### Added
package/README.md CHANGED
@@ -1,11 +1,10 @@
1
1
  # @socketsecurity/lib
2
2
 
3
- [![Socket Badge](https://socket.dev/api/badge/npm/package/@socketsecurity/lib)](https://socket.dev/npm/package/@socketsecurity/lib)
4
- [![CI](https://github.com/SocketDev/socket-lib/actions/workflows/ci.yml/badge.svg)](https://github.com/SocketDev/socket-lib/actions/workflows/ci.yml)
5
- ![Coverage](https://img.shields.io/badge/coverage-99%25-brightgreen)
3
+ <a href="https://socket.dev/npm/package/@socketsecurity/lib"><img src="https://socket.dev/api/badge/npm/package/@socketsecurity/lib" alt="Socket Badge" height="20"></a>
4
+ ![Coverage](assets/repo/coverage.svg)
6
5
 
7
- [![Follow @SocketSecurity](https://img.shields.io/twitter/follow/SocketSecurity?style=social)](https://twitter.com/SocketSecurity)
8
- [![Follow @socket.dev on Bluesky](https://img.shields.io/badge/Follow-@socket.dev-1DA1F2?style=social&logo=bluesky)](https://bsky.app/profile/socket.dev)
6
+ [![Follow @SocketSecurity](assets/fleet/badge-follow-x.svg)](https://twitter.com/SocketSecurity)
7
+ [![Follow @socket.dev on Bluesky](assets/fleet/badge-follow-bluesky.svg)](https://bsky.app/profile/socket.dev)
9
8
 
10
9
  Core utilities for [Socket.dev](https://socket.dev/) tools: file system, processes, HTTP, env detection, logging, spinners, and more. Tree-shakeable, TypeScript-first, cross-platform.
11
10
 
@@ -22,8 +21,8 @@ pnpm add @socketsecurity/lib
22
21
  ## Usage
23
22
 
24
23
  ```typescript
25
- import { Spinner } from '@socketsecurity/lib/spinner'
26
- import { readJson } from '@socketsecurity/lib/fs'
24
+ import { Spinner } from '@socketsecurity/lib/spinner/spinner'
25
+ import { readJson } from '@socketsecurity/lib/fs/read-json'
27
26
 
28
27
  const spinner = Spinner({ text: 'Loading…' })
29
28
  spinner.start()
@@ -34,9 +33,9 @@ spinner.successAndStop(`Loaded ${pkg.name}@${pkg.version}`)
34
33
  Every export lives under a subpath — pick what you need:
35
34
 
36
35
  ```typescript
37
- import { spawn } from '@socketsecurity/lib/spawn'
36
+ import { spawn } from '@socketsecurity/lib/process/spawn/child'
38
37
  import { httpJson } from '@socketsecurity/lib/http-request'
39
- import { safeDelete } from '@socketsecurity/lib/fs'
38
+ import { safeDelete } from '@socketsecurity/lib/fs/safe'
40
39
  ```
41
40
 
42
41
  Start with the [API reference](./docs/api.md) — every subpath export with a one-line description.
@@ -19,7 +19,7 @@ export declare function createCompositeAbortSignal(...signals: Array<AbortSignal
19
19
  * @example
20
20
  * ;```typescript
21
21
  * const signal = createTimeoutSignal(5000) // aborts after 5 seconds
22
- * fetch('https://example.com', { signal })
22
+ * httpJson(url, { signal })
23
23
  * ```
24
24
  *
25
25
  * @throws {TypeError} If `ms` is not a number, is NaN, is not finite, or is not
@@ -40,7 +40,7 @@ function createCompositeAbortSignal(...signals) {
40
40
  * @example
41
41
  * ;```typescript
42
42
  * const signal = createTimeoutSignal(5000) // aborts after 5 seconds
43
- * fetch('https://example.com', { signal })
43
+ * httpJson(url, { signal })
44
44
  * ```
45
45
  *
46
46
  * @throws {TypeError} If `ms` is not a number, is NaN, is not finite, or is not
@@ -22,7 +22,7 @@
22
22
  * the human-authored AGENTS.md. So `agentPaths(...).memoryDir` is defined
23
23
  * only for `claude`; for the others it is `undefined` (there is no memory
24
24
  * dir to point at), and the shared cross-tool memory surface is the
25
- * committed AGENTS.md (which the fleet symlinks to CLAUDE.md).
25
+ * committed AGENTS.md (which Socket symlinks to CLAUDE.md).
26
26
  */
27
27
  import type { AiAgentName } from './types.mts';
28
28
  /**
@@ -6,6 +6,7 @@ const require_constants_platform = require('../constants/platform.js');
6
6
  const require_env_rewire = require('../env/rewire.js');
7
7
  const require_env_home = require('../env/home.js');
8
8
  const require_env_xdg = require('../env/xdg.js');
9
+ const require_paths_normalize = require('../paths/normalize.js');
9
10
  let node_path = require("node:path");
10
11
  node_path = require_runtime.__toESM(node_path, 1);
11
12
 
@@ -34,7 +35,7 @@ node_path = require_runtime.__toESM(node_path, 1);
34
35
  * the human-authored AGENTS.md. So `agentPaths(...).memoryDir` is defined
35
36
  * only for `claude`; for the others it is `undefined` (there is no memory
36
37
  * dir to point at), and the shared cross-tool memory surface is the
37
- * committed AGENTS.md (which the fleet symlinks to CLAUDE.md).
38
+ * committed AGENTS.md (which Socket symlinks to CLAUDE.md).
38
39
  */
39
40
  function agentFromAiAgentEnv(value) {
40
41
  const lower = value.toLowerCase();
@@ -76,7 +77,7 @@ function agentPaths(agent, options) {
76
77
  return {
77
78
  agent,
78
79
  configDir,
79
- memoryDir: cwd ? node_path.default.join(configDir, "projects", cwd.replace(/[/\\]/g, "-"), "memory") : void 0
80
+ memoryDir: cwd ? node_path.default.join(configDir, "projects", require_paths_normalize.normalizePath(cwd).replace(/\//g, "-"), "memory") : void 0
80
81
  };
81
82
  }
82
83
  case "codex": return {
@@ -1,5 +1,5 @@
1
1
  /**
2
- * @file Multi-agent CLI backend registry + role routing. The fleet's review /
2
+ * @file Multi-agent CLI backend registry + role routing. Socket's review /
3
3
  * scan / fix skills delegate work to whichever agent CLIs are installed
4
4
  * (`codex`, `claude`, `kimi`, `opencode`), falling back through a per-role
5
5
  * preference order and skipping a pass when nothing usable is present. Before
@@ -22,7 +22,7 @@
22
22
  * attribution accurate.
23
23
  */
24
24
  /**
25
- * A CLI backend the fleet can delegate a pass to.
25
+ * A CLI backend Socket can delegate a pass to.
26
26
  */
27
27
  export type BackendName = 'claude' | 'codex' | 'kimi' | 'opencode';
28
28
  /**
@@ -73,7 +73,7 @@ export interface ResolveBackendOptions {
73
73
  readonly override?: BackendName | undefined;
74
74
  }
75
75
  /**
76
- * Resolve which backend runs a pass, encoding the fleet detection policy
76
+ * Resolve which backend runs a pass, encoding Socket's detection policy
77
77
  * (`_shared/multi-agent-backends.md`): an installed explicit override wins;
78
78
  * else the first installed non-hybrid entry in the preference order; else
79
79
  * nothing (skip the pass). Pure — returns the decision + why, never logs. An
@@ -6,7 +6,7 @@ const require_ai_spawn = require('./spawn.js');
6
6
 
7
7
  //#region src/ai/backends.mts
8
8
  /**
9
- * @file Multi-agent CLI backend registry + role routing. The fleet's review /
9
+ * @file Multi-agent CLI backend registry + role routing. Socket's review /
10
10
  * scan / fix skills delegate work to whichever agent CLIs are installed
11
11
  * (`codex`, `claude`, `kimi`, `opencode`), falling back through a per-role
12
12
  * preference order and skipping a pass when nothing usable is present. Before
@@ -131,7 +131,7 @@ async function isCommandAvailable(bin) {
131
131
  return await require_bin_which.which(bin) !== null;
132
132
  }
133
133
  /**
134
- * Resolve which backend runs a pass, encoding the fleet detection policy
134
+ * Resolve which backend runs a pass, encoding Socket's detection policy
135
135
  * (`_shared/multi-agent-backends.md`): an installed explicit override wins;
136
136
  * else the first installed non-hybrid entry in the preference order; else
137
137
  * nothing (skip the pass). Pure — returns the decision + why, never logs. An
@@ -0,0 +1,74 @@
1
+ /**
2
+ * @file Build a `BillingContext` for the route-heuristic WITHOUT privileged
3
+ * lookups. A normal user has no Admin key (`sk-ant-admin01-`), so we cannot
4
+ * read org spend / quota — the Anthropic Cost API is admin-gated — and that
5
+ * is an accepted limitation, not something to engineer around. So this layer
6
+ * does NO network call and NO privileged probe. It uses only what a user
7
+ * actually has: which provider credentials resolve (the same env → keychain
8
+ * check that builds `RouteContext.keyed`, non-admin), tags each with its
9
+ * INHERENT billing kind (a metered API, a flat-rate plan, a subscription seat
10
+ * — the provider's nature, overridable by config), and leaves `headroom`
11
+ * undefined. Undefined headroom means the heuristic routes REACTIVELY: it
12
+ * falls over on a 429 / quota error at spawn time (`isQuotaExhausted` in
13
+ * `spawn.mts`), rather than predicting a cap it has no privilege to read. A
14
+ * caller that DOES have a non-privileged quota endpoint (e.g. Synthetic
15
+ * `/v2/quotas` with the ordinary key) may pass best-effort `headroom` in —
16
+ * but nothing here requires it, and no privileged reader is built or wired.
17
+ */
18
+ import type { CredentialProvider } from './credentials.mts';
19
+ import type { BillingContext, BillingHeadroom, BillingKind, RoutingEnv } from './route-heuristic.mts';
20
+ /**
21
+ * Inherent billing model per provider — the provider's NATURE, not anyone's
22
+ * account or limit. A metered pay-per-token API (`anthropic` with an API key,
23
+ * `fireworks`, `xai`), a flat-rate plan (`synthetic`), or a subscription seat
24
+ * (`openai` via a ChatGPT/Codex seat). These are DEFAULTS only: a caller
25
+ * overrides per provider via the `kinds` option — e.g. a user whose Anthropic
26
+ * access is a Claude Max seat (no API key) marks `anthropic` as `subscription`.
27
+ * No dollar figures here; only the kind, which decides dollars-vs-headroom.
28
+ */
29
+ export declare const DEFAULT_PROVIDER_KIND: Readonly<Record<CredentialProvider, BillingKind>>;
30
+ export interface BillingFromKeyedOptions {
31
+ readonly keyed: ReadonlySet<CredentialProvider>;
32
+ readonly kinds?: Readonly<Partial<Record<CredentialProvider, BillingKind>>> | undefined;
33
+ readonly headroom?: Readonly<Partial<Record<CredentialProvider, BillingHeadroom>>> | undefined;
34
+ }
35
+ /**
36
+ * Turn an already-probed set of keyed providers into a `BillingContext`,
37
+ * tagging each with its kind (config override → inherent default) and any
38
+ * caller-supplied best-effort headroom. Pure: no I/O, no privileged lookup. A
39
+ * provider with no known kind is skipped rather than given an undefined kind.
40
+ */
41
+ export declare function billingFromKeyed(options: BillingFromKeyedOptions): BillingContext;
42
+ /**
43
+ * Detect whether routing runs in locked-down CI (restricted to the secrets
44
+ * actually present, under the four-flag lockdown) or local dev (full freedom).
45
+ * CI when the standard `CI` env var is set; `local` otherwise.
46
+ */
47
+ export declare function detectRoutingEnv(): RoutingEnv;
48
+ export interface DiscoverBillingOptions {
49
+ readonly allowEnvOnly?: boolean | undefined;
50
+ readonly env?: RoutingEnv | undefined;
51
+ readonly headroom?: Readonly<Partial<Record<CredentialProvider, BillingHeadroom>>> | undefined;
52
+ readonly kinds?: Readonly<Partial<Record<CredentialProvider, BillingKind>>> | undefined;
53
+ }
54
+ /**
55
+ * Discover a `BillingContext` end-to-end with no privileged lookup: probe which
56
+ * provider credentials resolve (env → keychain, the non-admin check), then tag
57
+ * them via `billingFromKeyed`. Headroom defaults to undefined (reactive). In CI
58
+ * the credential probe is env-only (no keychain prompt); locally it allows the
59
+ * keychain. Convenience over calling `discoverKeyedProviders` +
60
+ * `billingFromKeyed`.
61
+ *
62
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
63
+ */
64
+ export declare function discoverBilling(options?: DiscoverBillingOptions | undefined): Promise<BillingContext>;
65
+ export interface DiscoverKeyedProvidersOptions {
66
+ readonly allowEnvOnly?: boolean | undefined;
67
+ }
68
+ /**
69
+ * The set of providers with a resolvable credential, probed via the same
70
+ * non-admin env → keychain resolver `RouteContext.keyed` uses. No network, no
71
+ * privilege. Pass `allowEnvOnly: true` in headless contexts to skip the
72
+ * keychain entirely.
73
+ */
74
+ export declare function discoverKeyedProviders(options?: DiscoverKeyedProvidersOptions | undefined): Promise<Set<CredentialProvider>>;
@@ -0,0 +1,129 @@
1
+ "use strict";
2
+ /* Socket Lib - Built with rolldown */
3
+ Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
+ const require_primordials_object = require('../primordials/object.js');
5
+ const require_env_rewire = require('../env/rewire.js');
6
+ const require_ai_credentials = require('./credentials.js');
7
+
8
+ //#region src/ai/billing-context.mts
9
+ /**
10
+ * @file Build a `BillingContext` for the route-heuristic WITHOUT privileged
11
+ * lookups. A normal user has no Admin key (`sk-ant-admin01-`), so we cannot
12
+ * read org spend / quota — the Anthropic Cost API is admin-gated — and that
13
+ * is an accepted limitation, not something to engineer around. So this layer
14
+ * does NO network call and NO privileged probe. It uses only what a user
15
+ * actually has: which provider credentials resolve (the same env → keychain
16
+ * check that builds `RouteContext.keyed`, non-admin), tags each with its
17
+ * INHERENT billing kind (a metered API, a flat-rate plan, a subscription seat
18
+ * — the provider's nature, overridable by config), and leaves `headroom`
19
+ * undefined. Undefined headroom means the heuristic routes REACTIVELY: it
20
+ * falls over on a 429 / quota error at spawn time (`isQuotaExhausted` in
21
+ * `spawn.mts`), rather than predicting a cap it has no privilege to read. A
22
+ * caller that DOES have a non-privileged quota endpoint (e.g. Synthetic
23
+ * `/v2/quotas` with the ordinary key) may pass best-effort `headroom` in —
24
+ * but nothing here requires it, and no privileged reader is built or wired.
25
+ */
26
+ /**
27
+ * Inherent billing model per provider — the provider's NATURE, not anyone's
28
+ * account or limit. A metered pay-per-token API (`anthropic` with an API key,
29
+ * `fireworks`, `xai`), a flat-rate plan (`synthetic`), or a subscription seat
30
+ * (`openai` via a ChatGPT/Codex seat). These are DEFAULTS only: a caller
31
+ * overrides per provider via the `kinds` option — e.g. a user whose Anthropic
32
+ * access is a Claude Max seat (no API key) marks `anthropic` as `subscription`.
33
+ * No dollar figures here; only the kind, which decides dollars-vs-headroom.
34
+ */
35
+ const DEFAULT_PROVIDER_KIND = {
36
+ __proto__: null,
37
+ anthropic: "metered",
38
+ fireworks: "metered",
39
+ openai: "subscription",
40
+ synthetic: "flat-rate",
41
+ xai: "metered"
42
+ };
43
+ /**
44
+ * Turn an already-probed set of keyed providers into a `BillingContext`,
45
+ * tagging each with its kind (config override → inherent default) and any
46
+ * caller-supplied best-effort headroom. Pure: no I/O, no privileged lookup. A
47
+ * provider with no known kind is skipped rather than given an undefined kind.
48
+ */
49
+ function billingFromKeyed(options) {
50
+ const opts = {
51
+ __proto__: null,
52
+ ...options
53
+ };
54
+ const out = { __proto__: null };
55
+ for (const provider of opts.keyed) {
56
+ const kind = opts.kinds?.[provider] ?? DEFAULT_PROVIDER_KIND[provider];
57
+ if (!kind) continue;
58
+ const headroom = opts.headroom?.[provider];
59
+ out[provider] = headroom ? {
60
+ headroom,
61
+ kind,
62
+ provider
63
+ } : {
64
+ kind,
65
+ provider
66
+ };
67
+ }
68
+ return out;
69
+ }
70
+ /**
71
+ * Detect whether routing runs in locked-down CI (restricted to the secrets
72
+ * actually present, under the four-flag lockdown) or local dev (full freedom).
73
+ * CI when the standard `CI` env var is set; `local` otherwise.
74
+ */
75
+ function detectRoutingEnv() {
76
+ return require_env_rewire.getEnvValue("CI") ? "ci" : "local";
77
+ }
78
+ /**
79
+ * Discover a `BillingContext` end-to-end with no privileged lookup: probe which
80
+ * provider credentials resolve (env → keychain, the non-admin check), then tag
81
+ * them via `billingFromKeyed`. Headroom defaults to undefined (reactive). In CI
82
+ * the credential probe is env-only (no keychain prompt); locally it allows the
83
+ * keychain. Convenience over calling `discoverKeyedProviders` +
84
+ * `billingFromKeyed`.
85
+ *
86
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
87
+ */
88
+ async function discoverBilling(options) {
89
+ const opts = {
90
+ __proto__: null,
91
+ ...options
92
+ };
93
+ const env = opts.env ?? detectRoutingEnv();
94
+ const keyed = await discoverKeyedProviders({ allowEnvOnly: opts.allowEnvOnly ?? env === "ci" });
95
+ return billingFromKeyed({
96
+ headroom: opts.headroom,
97
+ keyed,
98
+ kinds: opts.kinds
99
+ });
100
+ }
101
+ /**
102
+ * The set of providers with a resolvable credential, probed via the same
103
+ * non-admin env → keychain resolver `RouteContext.keyed` uses. No network, no
104
+ * privilege. Pass `allowEnvOnly: true` in headless contexts to skip the
105
+ * keychain entirely.
106
+ */
107
+ async function discoverKeyedProviders(options) {
108
+ const opts = {
109
+ __proto__: null,
110
+ ...options
111
+ };
112
+ const providers = require_primordials_object.ObjectKeys(require_ai_credentials.PROVIDER_CREDENTIALS);
113
+ const keyed = /* @__PURE__ */ new Set();
114
+ for (let i = 0, { length } = providers; i < length; i += 1) {
115
+ const provider = providers[i];
116
+ if (await require_ai_credentials.resolveProviderCredential({
117
+ allowEnvOnly: opts.allowEnvOnly,
118
+ provider
119
+ })) keyed.add(provider);
120
+ }
121
+ return keyed;
122
+ }
123
+
124
+ //#endregion
125
+ exports.DEFAULT_PROVIDER_KIND = DEFAULT_PROVIDER_KIND;
126
+ exports.billingFromKeyed = billingFromKeyed;
127
+ exports.detectRoutingEnv = detectRoutingEnv;
128
+ exports.discoverBilling = discoverBilling;
129
+ exports.discoverKeyedProviders = discoverKeyedProviders;
@@ -14,11 +14,10 @@
14
14
  * `undefined` immediately instead of triggering a keychain auth prompt. CI
15
15
  * sets the token as a GH-secret env var (e.g. `ANTHROPIC_API_KEY`); the same
16
16
  * `resolveProviderCredential` call reads it there with no keychain. proteus
17
- * hook-point: the forthcoming biometric credential daemon
18
- * (`.claude/plans/proteus-credential-broker.md`) slots in as a layer between
19
- * the env check and the keychain read inside `resolve()`'s implementation
20
- * call sites here do not change when it lands (resolver decision #4 in that
21
- * plan). This module is the stable seam.
17
+ * hook-point: the forthcoming biometric credential daemon slots in as a
18
+ * layer between the env check and the keychain read inside `resolve()`'s
19
+ * implementation call sites here do not change when it lands. This module
20
+ * is the stable seam.
22
21
  */
23
22
  /**
24
23
  * A provider whose credential this module can resolve: the HTTP providers
@@ -31,6 +30,19 @@ export interface ProviderCredentialSpec {
31
30
  readonly keychainService: string;
32
31
  }
33
32
  export declare const PROVIDER_CREDENTIALS: Readonly<Record<CredentialProvider, ProviderCredentialSpec>>;
33
+ export interface DeleteProviderCredentialOptions {
34
+ readonly provider: CredentialProvider;
35
+ }
36
+ /**
37
+ * Remove a provider's stored credential from the OS keychain — the same
38
+ * `{ service, account }` slot `resolveProviderCredential` reads. Returns
39
+ * `'removed'` when a value was deleted, `'absent'` when none was stored (or the
40
+ * platform has no keychain backend — delete degrades to a no-op rather than
41
+ * throwing, since "nothing to remove" is the same outcome either way).
42
+ *
43
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
44
+ */
45
+ export declare function deleteProviderCredential(options: DeleteProviderCredentialOptions): Promise<'absent' | 'removed'>;
34
46
  /**
35
47
  * True when `value` names a provider with a resolvable credential.
36
48
  */
@@ -47,3 +59,25 @@ export interface ResolveProviderCredentialOptions {
47
59
  * source has it (the caller decides whether that's fatal).
48
60
  */
49
61
  export declare function resolveProviderCredential(options: ResolveProviderCredentialOptions): Promise<string | undefined>;
62
+ export interface WriteProviderCredentialOptions {
63
+ readonly provider: CredentialProvider;
64
+ readonly value: string;
65
+ }
66
+ /**
67
+ * Persist a provider's bearer token to the OS keychain — the SAME `{ service,
68
+ * account }` slot `resolveProviderCredential` reads (account == `tokenEnv`,
69
+ * service == the Socket-uniform `socketsecurity` scope), so a written token
70
+ * resolves on the next read without an env var.
71
+ *
72
+ * Keychain ONLY — this never writes a shell-rc export. That matters most for
73
+ * anthropic: a live `ANTHROPIC_API_KEY` env var overrides a Claude Max-seat
74
+ * OAuth session and silently flips the user to metered billing, so its token
75
+ * must live only in the keychain (read on demand), never exported. A setup
76
+ * wizard that rc-exports `FIREWORKS_API_KEY`/`SYNTHETIC_API_KEY` for
77
+ * convenience must still route anthropic here, keychain-only.
78
+ *
79
+ * Returns `'written'` | `'unchanged'` (idempotent — an identical stored value
80
+ * is a no-op). Throws when the OS has no keychain backend; a caller that wants
81
+ * to degrade gracefully should check `getBackendAvailability()` first.
82
+ */
83
+ export declare function writeProviderCredential(options: WriteProviderCredentialOptions): Promise<'unchanged' | 'written'>;
@@ -1,6 +1,7 @@
1
1
  "use strict";
2
2
  /* Socket Lib - Built with rolldown */
3
3
  Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
4
+ const require_secrets_keychain = require('../secrets/keychain.js');
4
5
  const require_secrets_find = require('../secrets/find.js');
5
6
 
6
7
  //#region src/ai/credentials.mts
@@ -20,11 +21,10 @@ const require_secrets_find = require('../secrets/find.js');
20
21
  * `undefined` immediately instead of triggering a keychain auth prompt. CI
21
22
  * sets the token as a GH-secret env var (e.g. `ANTHROPIC_API_KEY`); the same
22
23
  * `resolveProviderCredential` call reads it there with no keychain. proteus
23
- * hook-point: the forthcoming biometric credential daemon
24
- * (`.claude/plans/proteus-credential-broker.md`) slots in as a layer between
25
- * the env check and the keychain read inside `resolve()`'s implementation
26
- * call sites here do not change when it lands (resolver decision #4 in that
27
- * plan). This module is the stable seam.
24
+ * hook-point: the forthcoming biometric credential daemon slots in as a
25
+ * layer between the env check and the keychain read inside `resolve()`'s
26
+ * implementation call sites here do not change when it lands. This module
27
+ * is the stable seam.
28
28
  */
29
29
  const PROVIDER_CREDENTIALS = {
30
30
  __proto__: null,
@@ -50,6 +50,27 @@ const PROVIDER_CREDENTIALS = {
50
50
  }
51
51
  };
52
52
  /**
53
+ * Remove a provider's stored credential from the OS keychain — the same
54
+ * `{ service, account }` slot `resolveProviderCredential` reads. Returns
55
+ * `'removed'` when a value was deleted, `'absent'` when none was stored (or the
56
+ * platform has no keychain backend — delete degrades to a no-op rather than
57
+ * throwing, since "nothing to remove" is the same outcome either way).
58
+ *
59
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
60
+ */
61
+ async function deleteProviderCredential(options) {
62
+ const opts = {
63
+ __proto__: null,
64
+ ...options
65
+ };
66
+ const spec = PROVIDER_CREDENTIALS[opts.provider];
67
+ if (!spec) return "absent";
68
+ return await require_secrets_keychain.deleteSecret({
69
+ account: spec.tokenEnv,
70
+ service: spec.keychainService
71
+ });
72
+ }
73
+ /**
53
74
  * True when `value` names a provider with a resolvable credential.
54
75
  */
55
76
  function isCredentialProvider(value) {
@@ -75,8 +96,42 @@ async function resolveProviderCredential(options) {
75
96
  service: spec.keychainService
76
97
  }))?.value;
77
98
  }
99
+ /**
100
+ * Persist a provider's bearer token to the OS keychain — the SAME `{ service,
101
+ * account }` slot `resolveProviderCredential` reads (account == `tokenEnv`,
102
+ * service == the Socket-uniform `socketsecurity` scope), so a written token
103
+ * resolves on the next read without an env var.
104
+ *
105
+ * Keychain ONLY — this never writes a shell-rc export. That matters most for
106
+ * anthropic: a live `ANTHROPIC_API_KEY` env var overrides a Claude Max-seat
107
+ * OAuth session and silently flips the user to metered billing, so its token
108
+ * must live only in the keychain (read on demand), never exported. A setup
109
+ * wizard that rc-exports `FIREWORKS_API_KEY`/`SYNTHETIC_API_KEY` for
110
+ * convenience must still route anthropic here, keychain-only.
111
+ *
112
+ * Returns `'written'` | `'unchanged'` (idempotent — an identical stored value
113
+ * is a no-op). Throws when the OS has no keychain backend; a caller that wants
114
+ * to degrade gracefully should check `getBackendAvailability()` first.
115
+ */
116
+ async function writeProviderCredential(options) {
117
+ const opts = {
118
+ __proto__: null,
119
+ ...options
120
+ };
121
+ const spec = PROVIDER_CREDENTIALS[opts.provider];
122
+ if (!spec) throw new Error(`writeProviderCredential: unknown provider "${opts.provider}".`);
123
+ const backend = require_secrets_keychain.getBackendAvailability();
124
+ if (!backend.available) throw new Error(`writeProviderCredential: no OS keychain backend (${backend.toolName}) available to store the ${opts.provider} credential.` + (backend.installHint ? ` ${backend.installHint}` : ""));
125
+ return await require_secrets_keychain.writeSecret({
126
+ account: spec.tokenEnv,
127
+ service: spec.keychainService,
128
+ value: opts.value
129
+ });
130
+ }
78
131
 
79
132
  //#endregion
80
133
  exports.PROVIDER_CREDENTIALS = PROVIDER_CREDENTIALS;
134
+ exports.deleteProviderCredential = deleteProviderCredential;
81
135
  exports.isCredentialProvider = isCredentialProvider;
82
- exports.resolveProviderCredential = resolveProviderCredential;
136
+ exports.resolveProviderCredential = resolveProviderCredential;
137
+ exports.writeProviderCredential = writeProviderCredential;
@@ -43,12 +43,16 @@ export declare function discoverFresh(): DiscoveredAgents;
43
43
  *
44
44
  * Useful in fast paths where the caller has already populated the cache and
45
45
  * just wants to read it back.
46
+ *
47
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
46
48
  */
47
49
  export declare function getDiscoveredAiAgents(): DiscoveredAgents | undefined;
48
50
  export declare function readDiskCache(cachePath: string): DiscoveredAgents | undefined;
49
51
  /**
50
52
  * Reset the in-process cache. Tests use this; production callers shouldn't need
51
53
  * it (use `refresh: true` on discoverAiAgents()).
54
+ *
55
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
52
56
  */
53
57
  export declare function resetAiAgentDiscoveryCache(): void;
54
58
  export declare function writeDiskCache(cachePath: string, agents: DiscoveredAgents): Promise<void>;
@@ -87,6 +87,8 @@ function discoverFresh() {
87
87
  *
88
88
  * Useful in fast paths where the caller has already populated the cache and
89
89
  * just wants to read it back.
90
+ *
91
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
90
92
  */
91
93
  function getDiscoveredAiAgents() {
92
94
  return inProcessCache;
@@ -104,6 +106,8 @@ function readDiskCache(cachePath) {
104
106
  /**
105
107
  * Reset the in-process cache. Tests use this; production callers shouldn't need
106
108
  * it (use `refresh: true` on discoverAiAgents()).
109
+ *
110
+ * @unused No internal or Socket consumers (exercised only by its unit tests).
107
111
  */
108
112
  function resetAiAgentDiscoveryCache() {
109
113
  inProcessCache = void 0;
@@ -3,7 +3,7 @@
3
3
  * WHICH model produced it (`ai/backends`). The lib owns the INTERFACE plus
4
4
  * the cheap built-in `real` runner (the host shell via lib `spawn`); a
5
5
  * SANDBOXED runner is INJECTED by the caller, never imported here. That keeps
6
- * the small-dist lib free of a heavy sandbox dependency — the fleet's sandbox
6
+ * the small-dist lib free of a heavy sandbox dependency — Socket's sandbox
7
7
  * of choice (`just-bash`, ~40MB incl. WASM) is owned by the wheelhouse hook /
8
8
  * CI tooling and passed in, so a lib consumer that never sandboxes pays
9
9
  * nothing. Layering: ExecRunner.run() — the injectable primitive (real |
package/dist/ai/exec.js CHANGED
@@ -10,7 +10,7 @@ const require_process_spawn_child = require('../process/spawn/child.js');
10
10
  * WHICH model produced it (`ai/backends`). The lib owns the INTERFACE plus
11
11
  * the cheap built-in `real` runner (the host shell via lib `spawn`); a
12
12
  * SANDBOXED runner is INJECTED by the caller, never imported here. That keeps
13
- * the small-dist lib free of a heavy sandbox dependency — the fleet's sandbox
13
+ * the small-dist lib free of a heavy sandbox dependency — Socket's sandbox
14
14
  * of choice (`just-bash`, ~40MB incl. WASM) is owned by the wheelhouse hook /
15
15
  * CI tooling and passed in, so a lib consumer that never sandboxes pays
16
16
  * nothing. Layering: ExecRunner.run() — the injectable primitive (real |
@@ -4,7 +4,7 @@
4
4
  * (`api.fireworks.ai`) and Synthetic (`api.synthetic.new`). The CLI path
5
5
  * (`spawn.mts`) drives an interactive agent binary; this path is for a
6
6
  * script/hook that needs a single completion from a model without an agent
7
- * harness (the way the local OpenCode setup reaches GLM-5.1 / Kimi-K2.5). Why
7
+ * harness (the way the local OpenCode setup reaches GLM-5.2 / Kimi-K2.6). Why
8
8
  * a separate module from `spawn.mts`: those are different surfaces. A CLI
9
9
  * agent gets tools + a permission mode + a working dir; an HTTP completion
10
10
  * gets a prompt + a model + (optionally) a reasoning effort and returns text.
@@ -13,10 +13,10 @@
13
13
  * function-calling surface — they're plain completions, so there's no agentic
14
14
  * capability to constrain. The token is read from the env var the provider
15
15
  * config names (`FIREWORKS_API_KEY` / `SYNTHETIC_API_KEY`), NEVER passed
16
- * inline, and never logged — same token-hygiene rule as the rest of the
17
- * fleet. A missing token throws with the exact env var to set. Wire format is
18
- * the OpenAI Chat Completions API (`POST {baseUrl}/chat/completions`), which
19
- * both providers implement.
16
+ * inline, and never logged — same token-hygiene rule as the rest of Socket. A
17
+ * missing token throws with the exact env var to set. Wire format is the
18
+ * OpenAI Chat Completions API (`POST {baseUrl}/chat/completions`), which both
19
+ * providers implement.
20
20
  */
21
21
  import type { AiEffort } from './types.mts';
22
22
  /**
@@ -47,8 +47,8 @@ export interface AiHttpCallOptions {
47
47
  */
48
48
  readonly provider: string | AiHttpProvider;
49
49
  /**
50
- * The provider's model id (e.g. `accounts/fireworks/models/glm-5p1`,
51
- * `hf:moonshotai/Kimi-K2.5`).
50
+ * The provider's model id (e.g. `accounts/fireworks/models/glm-5p2`,
51
+ * `hf:moonshotai/Kimi-K2.6`).
52
52
  */
53
53
  readonly model: string;
54
54
  /**
@@ -118,7 +118,7 @@ export declare function buildChatRequestBody(options: AiHttpCallOptions): string
118
118
  * ;```ts
119
119
  * const { text } = await callAiHttpModel({
120
120
  * provider: 'fireworks',
121
- * model: 'accounts/fireworks/models/glm-5p1',
121
+ * model: 'accounts/fireworks/models/glm-5p2',
122
122
  * prompt: 'Summarize this diff: …',
123
123
  * effort: 'high',
124
124
  * })
package/dist/ai/http.js CHANGED
@@ -12,7 +12,7 @@ const require_http_request_node = require('../http-request/node.js');
12
12
  * (`api.fireworks.ai`) and Synthetic (`api.synthetic.new`). The CLI path
13
13
  * (`spawn.mts`) drives an interactive agent binary; this path is for a
14
14
  * script/hook that needs a single completion from a model without an agent
15
- * harness (the way the local OpenCode setup reaches GLM-5.1 / Kimi-K2.5). Why
15
+ * harness (the way the local OpenCode setup reaches GLM-5.2 / Kimi-K2.6). Why
16
16
  * a separate module from `spawn.mts`: those are different surfaces. A CLI
17
17
  * agent gets tools + a permission mode + a working dir; an HTTP completion
18
18
  * gets a prompt + a model + (optionally) a reasoning effort and returns text.
@@ -21,10 +21,10 @@ const require_http_request_node = require('../http-request/node.js');
21
21
  * function-calling surface — they're plain completions, so there's no agentic
22
22
  * capability to constrain. The token is read from the env var the provider
23
23
  * config names (`FIREWORKS_API_KEY` / `SYNTHETIC_API_KEY`), NEVER passed
24
- * inline, and never logged — same token-hygiene rule as the rest of the
25
- * fleet. A missing token throws with the exact env var to set. Wire format is
26
- * the OpenAI Chat Completions API (`POST {baseUrl}/chat/completions`), which
27
- * both providers implement.
24
+ * inline, and never logged — same token-hygiene rule as the rest of Socket. A
25
+ * missing token throws with the exact env var to set. Wire format is the
26
+ * OpenAI Chat Completions API (`POST {baseUrl}/chat/completions`), which both
27
+ * providers implement.
28
28
  */
29
29
  /**
30
30
  * Built-in OpenAI-compatible providers. Add an entry to support a new one — no
@@ -81,7 +81,7 @@ function buildChatRequestBody(options) {
81
81
  * ;```ts
82
82
  * const { text } = await callAiHttpModel({
83
83
  * provider: 'fireworks',
84
- * model: 'accounts/fireworks/models/glm-5p1',
84
+ * model: 'accounts/fireworks/models/glm-5p2',
85
85
  * prompt: 'Summarize this diff: …',
86
86
  * effort: 'high',
87
87
  * })