@socketsecurity/lib 6.0.9 → 6.0.10
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/CHANGELOG.md +6 -0
- package/README.md +8 -9
- package/dist/abort/signal.d.ts +1 -1
- package/dist/abort/signal.js +1 -1
- package/dist/ai/agent-context.d.mts +1 -1
- package/dist/ai/agent-context.js +3 -2
- package/dist/ai/backends.d.mts +3 -3
- package/dist/ai/backends.js +2 -2
- package/dist/ai/billing-context.d.mts +74 -0
- package/dist/ai/billing-context.js +129 -0
- package/dist/ai/credentials.d.mts +39 -5
- package/dist/ai/credentials.js +61 -6
- package/dist/ai/discover.d.mts +4 -0
- package/dist/ai/discover.js +4 -0
- package/dist/ai/exec.d.mts +1 -1
- package/dist/ai/exec.js +1 -1
- package/dist/ai/http.d.mts +8 -8
- package/dist/ai/http.js +6 -6
- package/dist/ai/profiles.d.mts +9 -10
- package/dist/ai/profiles.js +0 -5
- package/dist/ai/role.d.mts +58 -0
- package/dist/ai/role.js +96 -0
- package/dist/ai/route-heuristic.d.mts +177 -0
- package/dist/ai/route-heuristic.js +194 -0
- package/dist/ai/route.d.mts +10 -9
- package/dist/ai/route.js +14 -13
- package/dist/ai/spawn.d.mts +2 -1
- package/dist/ai/spawn.js +25 -2
- package/dist/ai/subagent-status.d.mts +2 -0
- package/dist/ai/subagent-status.js +2 -0
- package/dist/ai/tier.d.mts +1 -1
- package/dist/ai/types.d.mts +9 -2
- package/dist/ai/worktree.d.mts +1 -1
- package/dist/ai/worktree.js +3 -2
- package/dist/argv/parse.d.ts +2 -0
- package/dist/argv/parse.js +2 -0
- package/dist/bin/_internal.d.ts +1 -1
- package/dist/bin/_internal.js +1 -1
- package/dist/bin/prim.cjs +446 -300
- package/dist/bin/shadow.js +2 -1
- package/dist/bin/which.d.ts +28 -3
- package/dist/bin/which.js +45 -3
- package/dist/cacache/_internal.d.ts +10 -2
- package/dist/cacache/_internal.js +6 -10
- package/dist/cache/ttl/_internal.d.ts +33 -0
- package/dist/cache/ttl/_internal.js +68 -0
- package/dist/cache/ttl/browser.d.ts +56 -0
- package/dist/cache/ttl/browser.js +257 -0
- package/dist/cache/ttl/store.js +10 -33
- package/dist/cache/ttl/types.d.ts +46 -3
- package/dist/checks/primordials-defaults.d.ts +5 -5
- package/dist/checks/primordials-defaults.js +5 -5
- package/dist/checks/primordials.d.ts +1 -1
- package/dist/checks/primordials.js +25 -17
- package/dist/cli/check-primordials.d.ts +6 -1
- package/dist/cli/check-primordials.js +14 -5
- package/dist/cli/check.js +1 -1
- package/dist/cli/socket-lib.d.ts +1 -1
- package/dist/cli/socket-lib.js +3 -3
- package/dist/colors/socket-palette.d.ts +1 -1
- package/dist/compression/brotli.d.ts +6 -2
- package/dist/compression/brotli.js +4 -0
- package/dist/compression/gzip.d.ts +6 -2
- package/dist/compression/gzip.js +6 -1
- package/dist/config/layers.d.ts +4 -4
- package/dist/config/layers.js +4 -4
- package/dist/constants/agents.d.ts +3 -0
- package/dist/constants/agents.js +3 -0
- package/dist/constants/node.d.ts +14 -0
- package/dist/constants/node.js +14 -0
- package/dist/constants/package-default-node-range.js +1 -5
- package/dist/constants/packages.d.ts +5 -0
- package/dist/constants/packages.js +5 -0
- package/dist/constants/platform.d.ts +1 -1
- package/dist/constants/platform.js +1 -1
- package/dist/constants/socket.js +1 -1
- package/dist/constants/typescript.d.ts +5 -0
- package/dist/constants/typescript.js +5 -0
- package/dist/debug/_internal.d.ts +22 -7
- package/dist/debug/_internal.js +33 -15
- package/dist/debug/namespace.js +11 -8
- package/dist/debug/output.d.ts +12 -1
- package/dist/debug/output.js +33 -16
- package/dist/dlx/binary-resolution.js +7 -4
- package/dist/eco/npm/npm/parse-lockfile.js +2 -1
- package/dist/eco/npm/vlt/exec.d.ts +1 -1
- package/dist/eco/npm/vlt/exec.js +1 -1
- package/dist/env/agents.d.ts +6 -0
- package/dist/env/agents.js +29 -0
- package/dist/env/flags.d.ts +12 -0
- package/dist/env/flags.js +23 -0
- package/dist/env/github-status.js +2 -2
- package/dist/env/providers.d.ts +6 -0
- package/dist/env/providers.js +23 -0
- package/dist/env/proxy.js +1 -1
- package/dist/env/rewire.d.ts +32 -0
- package/dist/env/rewire.js +55 -23
- package/dist/env/runtimes.d.ts +9 -0
- package/dist/env/runtimes.js +53 -0
- package/dist/env/socket-cli.d.ts +5 -2
- package/dist/env/socket-cli.js +6 -3
- package/dist/errors/predicates.d.ts +3 -2
- package/dist/errors/predicates.js +5 -3
- package/dist/errors/stack.js +2 -1
- package/dist/events/exit/_internal.d.ts +1 -23
- package/dist/external/@npmcli/package-json.js +179 -88
- package/dist/external/@npmcli/promise-spawn.js +2 -2
- package/dist/external/@sinclair/typebox/value.js +5 -4
- package/dist/external/@socketregistry/yocto-spinner.js +3 -3
- package/dist/external/adm-zip.d.ts +82 -0
- package/dist/external/adm-zip.js +2 -2
- package/dist/external/cacache.d.ts +87 -0
- package/dist/external/debug.d.ts +22 -0
- package/dist/external/debug.js +11 -4
- package/dist/external/del.d.ts +1 -0
- package/dist/external/external-pack.d.ts +12 -0
- package/dist/external/external-pack.js +41 -34
- package/dist/external/fast-glob.d.ts +8 -0
- package/dist/external/fast-sort.d.ts +1 -0
- package/dist/external/get-east-asian-width.d.ts +5 -0
- package/dist/external/get-east-asian-width.js +8 -1
- package/dist/external/has-flag.d.ts +1 -0
- package/dist/external/inquirer-pack.d.ts +18 -0
- package/dist/external/libnpmexec.d.ts +35 -0
- package/dist/external/libnpmpack.d.ts +1 -0
- package/dist/external/make-fetch-happen.d.ts +13 -0
- package/dist/external/normalize-package-data.d.ts +4 -0
- package/dist/external/npm-core.d.ts +14 -0
- package/dist/external/npm-pack.d.ts +24 -0
- package/dist/external/npm-pack.js +1551 -1867
- package/dist/external/npm-package-arg.d.ts +4 -0
- package/dist/external/p-map.js +8 -1
- package/dist/external/pacote.d.ts +15 -0
- package/dist/external/pico-pack.d.ts +16 -0
- package/dist/external/pico-pack.js +38 -23
- package/dist/external/picomatch.d.ts +96 -0
- package/dist/external/pony-cause.d.ts +14 -0
- package/dist/external/semver.d.ts +60 -0
- package/dist/external/semver.js +1459 -4
- package/dist/external/shell-quote.d.ts +51 -0
- package/dist/external/shell-quote.js +55 -15
- package/dist/external/signal-exit.d.ts +1 -0
- package/dist/external/spdx-correct.d.ts +4 -0
- package/dist/external/spdx-expression-parse.d.ts +4 -0
- package/dist/external/spdx-pack.d.ts +10 -0
- package/dist/external/std-env.d.ts +284 -0
- package/dist/external/std-env.js +323 -0
- package/dist/external/streaming-iterables.d.ts +11 -0
- package/dist/external/supports-color.d.ts +1 -0
- package/dist/external/tar-fs.d.ts +31 -0
- package/dist/external/validate-npm-package-name.d.ts +4 -0
- package/dist/external/which.d.ts +25 -0
- package/dist/external/which.js +2 -2
- package/dist/external/yargs-parser.d.ts +2 -0
- package/dist/external/yargs-parser.js +11 -3
- package/dist/external/yoctocolors-cjs.d.ts +51 -0
- package/dist/external-tools/bazel/asset-names.d.ts +1 -1
- package/dist/external-tools/bazel/from-download.d.ts +1 -1
- package/dist/external-tools/bazel/resolve.d.ts +3 -0
- package/dist/external-tools/bazel/resolve.js +3 -0
- package/dist/external-tools/cdxgen/asset-names.d.ts +5 -5
- package/dist/external-tools/cdxgen/asset-names.js +3 -3
- package/dist/external-tools/cdxgen/from-download.d.ts +2 -2
- package/dist/external-tools/cdxgen/from-download.js +1 -1
- package/dist/external-tools/cdxgen/resolve.d.ts +4 -1
- package/dist/external-tools/cdxgen/resolve.js +4 -1
- package/dist/external-tools/cdxgen/types.d.ts +1 -1
- package/dist/external-tools/from-download.d.ts +2 -2
- package/dist/external-tools/from-download.js +1 -1
- package/dist/external-tools/janus/asset-names.d.ts +4 -1
- package/dist/external-tools/janus/asset-names.js +3 -0
- package/dist/external-tools/janus/from-download.d.ts +3 -3
- package/dist/external-tools/janus/from-download.js +2 -2
- package/dist/external-tools/janus/resolve.d.ts +3 -0
- package/dist/external-tools/janus/resolve.js +3 -0
- package/dist/external-tools/jre/asset-names.d.ts +3 -1
- package/dist/external-tools/jre/asset-names.js +2 -0
- package/dist/external-tools/jre/from-download.d.ts +1 -1
- package/dist/external-tools/manifest.d.ts +5 -3
- package/dist/external-tools/manifest.js +4 -2
- package/dist/external-tools/opengrep/asset-names.d.ts +1 -1
- package/dist/external-tools/opengrep/resolve.d.ts +3 -0
- package/dist/external-tools/opengrep/resolve.js +3 -0
- package/dist/external-tools/python/asset-names.d.ts +3 -1
- package/dist/external-tools/python/asset-names.js +7 -3
- package/dist/external-tools/python/pin.js +3 -1
- package/dist/external-tools/python/resolve.d.ts +3 -0
- package/dist/external-tools/python/resolve.js +3 -0
- package/dist/external-tools/sbt/resolve.d.ts +3 -0
- package/dist/external-tools/sbt/resolve.js +3 -0
- package/dist/external-tools/skillspector/from-uv.d.ts +1 -1
- package/dist/external-tools/synp/resolve.d.ts +3 -0
- package/dist/external-tools/synp/resolve.js +3 -0
- package/dist/external-tools/trivy/asset-names.d.ts +1 -1
- package/dist/external-tools/trivy/resolve.d.ts +3 -0
- package/dist/external-tools/trivy/resolve.js +3 -0
- package/dist/external-tools/trufflehog/asset-names.d.ts +4 -1
- package/dist/external-tools/trufflehog/asset-names.js +3 -0
- package/dist/external-tools/trufflehog/from-download.d.ts +1 -1
- package/dist/external-tools/trufflehog/resolve.d.ts +3 -0
- package/dist/external-tools/trufflehog/resolve.js +3 -0
- package/dist/external-tools/uv/asset-names.d.ts +1 -1
- package/dist/external-tools/uv/resolve.d.ts +3 -0
- package/dist/external-tools/uv/resolve.js +3 -0
- package/dist/fleet/repo-config.d.ts +8 -6
- package/dist/fleet/repo-config.js +8 -6
- package/dist/fs/_internal.d.ts +1 -1
- package/dist/fs/_internal.js +1 -1
- package/dist/fs/access.d.ts +2 -0
- package/dist/fs/access.js +2 -0
- package/dist/fs/allowed-dirs-cache.js +5 -3
- package/dist/fs/find.js +1 -2
- package/dist/fs/inspect.d.ts +2 -2
- package/dist/fs/read-file.js +3 -4
- package/dist/fs/safe.js +1 -1
- package/dist/git/_internal.js +5 -1
- package/dist/github/commit.d.ts +92 -0
- package/dist/github/commit.js +113 -0
- package/dist/github/ghsa.js +1 -1
- package/dist/github/refs-graphql.js +1 -1
- package/dist/github/request.js +1 -1
- package/dist/github/token.d.ts +5 -2
- package/dist/github/token.js +6 -4
- package/dist/github/workflow-runs.d.ts +107 -0
- package/dist/github/workflow-runs.js +98 -0
- package/dist/http-request/_internal.d.ts +1 -1
- package/dist/http-request/browser.d.ts +6 -0
- package/dist/http-request/browser.js +3 -2
- package/dist/http-request/download.js +2 -0
- package/dist/http-request/headers.d.ts +1 -1
- package/dist/http-request/headers.js +1 -1
- package/dist/http-request/request-attempt.js +6 -3
- package/dist/http-request/request-types.d.ts +10 -1
- package/dist/http-request/request.js +2 -2
- package/dist/http-request/user-agent.d.ts +23 -2
- package/dist/http-request/user-agent.js +48 -6
- package/dist/integrity.d.ts +3 -1
- package/dist/integrity.js +3 -1
- package/dist/json/format.js +4 -1
- package/dist/logger/_internal.d.ts +13 -15
- package/dist/logger/_internal.js +21 -21
- package/dist/logger/colors.d.ts +9 -3
- package/dist/logger/colors.js +6 -13
- package/dist/logger/console-methods.js +2 -2
- package/dist/logger/console.d.ts +1 -0
- package/dist/logger/console.js +9 -9
- package/dist/logger/node.js +2 -1
- package/dist/native-messaging/install.js +1 -1
- package/dist/native-messaging/rate-limit.d.ts +4 -1
- package/dist/native-messaging/rate-limit.js +4 -1
- package/dist/node/events.d.ts +3 -0
- package/dist/node/events.js +3 -0
- package/dist/node/fs.d.ts +1 -1
- package/dist/node/timers-promises.d.ts +3 -0
- package/dist/node/timers-promises.js +3 -0
- package/dist/node/url.d.ts +3 -0
- package/dist/node/url.js +3 -0
- package/dist/npm/meta-cache.d.ts +183 -0
- package/dist/npm/meta-cache.js +318 -0
- package/dist/npm/meta-slice.d.ts +27 -0
- package/dist/npm/meta-slice.js +68 -0
- package/dist/npm/meta-types.d.ts +282 -0
- package/dist/npm/meta-types.js +2 -0
- package/dist/npm/meta.d.ts +125 -0
- package/dist/npm/meta.js +347 -0
- package/dist/npm/registry.d.ts +212 -0
- package/dist/npm/registry.js +284 -0
- package/dist/objects/getters.d.ts +1 -1
- package/dist/objects/getters.js +1 -1
- package/dist/packages/manifest.js +6 -7
- package/dist/packages/metadata-extensions.js +2 -4
- package/dist/packages/provenance.d.ts +8 -0
- package/dist/packages/provenance.js +8 -0
- package/dist/packages/tarball.js +1 -2
- package/dist/packages/validation.d.ts +0 -10
- package/dist/packages/validation.js +0 -14
- package/dist/paths/exts.d.ts +30 -0
- package/dist/paths/exts.js +30 -0
- package/dist/paths/filenames.d.ts +6 -0
- package/dist/paths/filenames.js +6 -0
- package/dist/paths/globs.d.ts +6 -0
- package/dist/paths/globs.js +6 -0
- package/dist/paths/resolve.js +19 -14
- package/dist/paths/socket.d.ts +8 -8
- package/dist/paths/socket.js +8 -8
- package/dist/perf/report.js +4 -2
- package/dist/pkg-ext/data.js +0 -2
- package/dist/primordials/globals.d.ts +1 -1
- package/dist/primordials/globals.js +1 -1
- package/dist/primordials/headers.d.ts +13 -1
- package/dist/primordials/headers.js +13 -1
- package/dist/primordials/process.d.ts +1 -1
- package/dist/primordials/process.js +1 -1
- package/dist/primordials/url.d.ts +18 -0
- package/dist/primordials/url.js +18 -0
- package/dist/process/spawn/child.js +3 -5
- package/dist/promises/_internal.d.ts +1 -1
- package/dist/promises/_internal.js +1 -2
- package/dist/promises/options.js +3 -3
- package/dist/releases/socket-btm-binary-naming.js +12 -1
- package/dist/secrets/_internal.d.ts +1 -1
- package/dist/secrets/_internal.js +1 -1
- package/dist/secrets/find.d.ts +2 -2
- package/dist/secrets/find.js +2 -2
- package/dist/secrets/keychain.d.ts +10 -1
- package/dist/secrets/keychain.js +10 -1
- package/dist/secrets/socket-api-token.d.ts +1 -1
- package/dist/secrets/socket-api-token.js +1 -1
- package/dist/secrets/types.d.ts +1 -1
- package/dist/smol/http.d.ts +2 -0
- package/dist/smol/http.js +2 -0
- package/dist/smol/https.d.ts +2 -0
- package/dist/smol/https.js +2 -0
- package/dist/sorts/_internal.d.ts +2 -3
- package/dist/sorts/_internal.js +1 -3
- package/dist/spinner/format.js +2 -4
- package/dist/stdio/footer.js +8 -7
- package/dist/stdio/prompts.d.ts +8 -15
- package/dist/stdio/prompts.js +18 -29
- package/dist/strings/predicates.d.ts +2 -2
- package/dist/strings/search.js +1 -1
- package/dist/strings/types.d.ts +4 -0
- package/dist/strings/width.d.ts +1 -0
- package/dist/strings/width.js +17 -8
- package/dist/themes/context.d.ts +13 -0
- package/dist/themes/context.js +23 -8
- package/dist/versions/_internal.d.ts +43 -13
- package/dist/versions/_internal.js +27 -15
- package/dist/versions/compare.d.ts +16 -10
- package/dist/versions/compare.js +36 -16
- package/dist/versions/parse.js +1 -1
- package/dist/versions/range.js +3 -2
- package/dist/words/pluralize.js +4 -1
- package/llms.txt +63 -750
- package/package.json +200 -35
package/CHANGELOG.md
CHANGED
|
@@ -5,6 +5,12 @@ All notable changes to this project will be documented in this file.
|
|
|
5
5
|
The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
|
|
6
6
|
and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
|
|
7
7
|
|
|
8
|
+
## [6.0.10](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.10) - 2026-07-13
|
|
9
|
+
|
|
10
|
+
### Fixed
|
|
11
|
+
|
|
12
|
+
- **`stdio/footer`** — lazy-load colors so import survives --build-snapshot
|
|
13
|
+
|
|
8
14
|
## [6.0.9](https://github.com/SocketDev/socket-lib/releases/tag/v6.0.9) - 2026-06-18
|
|
9
15
|
|
|
10
16
|
### Added
|
package/README.md
CHANGED
|
@@ -1,11 +1,10 @@
|
|
|
1
1
|
# @socketsecurity/lib
|
|
2
2
|
|
|
3
|
-
|
|
4
|
-
|
|
5
|
-

|
|
3
|
+
<a href="https://socket.dev/npm/package/@socketsecurity/lib"><img src="https://socket.dev/api/badge/npm/package/@socketsecurity/lib" alt="Socket Badge" height="20"></a>
|
|
4
|
+

|
|
6
5
|
|
|
7
|
-
[](https://twitter.com/SocketSecurity)
|
|
7
|
+
[](https://bsky.app/profile/socket.dev)
|
|
9
8
|
|
|
10
9
|
Core utilities for [Socket.dev](https://socket.dev/) tools: file system, processes, HTTP, env detection, logging, spinners, and more. Tree-shakeable, TypeScript-first, cross-platform.
|
|
11
10
|
|
|
@@ -22,8 +21,8 @@ pnpm add @socketsecurity/lib
|
|
|
22
21
|
## Usage
|
|
23
22
|
|
|
24
23
|
```typescript
|
|
25
|
-
import { Spinner } from '@socketsecurity/lib/spinner'
|
|
26
|
-
import { readJson } from '@socketsecurity/lib/fs'
|
|
24
|
+
import { Spinner } from '@socketsecurity/lib/spinner/spinner'
|
|
25
|
+
import { readJson } from '@socketsecurity/lib/fs/read-json'
|
|
27
26
|
|
|
28
27
|
const spinner = Spinner({ text: 'Loading…' })
|
|
29
28
|
spinner.start()
|
|
@@ -34,9 +33,9 @@ spinner.successAndStop(`Loaded ${pkg.name}@${pkg.version}`)
|
|
|
34
33
|
Every export lives under a subpath — pick what you need:
|
|
35
34
|
|
|
36
35
|
```typescript
|
|
37
|
-
import { spawn } from '@socketsecurity/lib/spawn'
|
|
36
|
+
import { spawn } from '@socketsecurity/lib/process/spawn/child'
|
|
38
37
|
import { httpJson } from '@socketsecurity/lib/http-request'
|
|
39
|
-
import { safeDelete } from '@socketsecurity/lib/fs'
|
|
38
|
+
import { safeDelete } from '@socketsecurity/lib/fs/safe'
|
|
40
39
|
```
|
|
41
40
|
|
|
42
41
|
Start with the [API reference](./docs/api.md) — every subpath export with a one-line description.
|
package/dist/abort/signal.d.ts
CHANGED
|
@@ -19,7 +19,7 @@ export declare function createCompositeAbortSignal(...signals: Array<AbortSignal
|
|
|
19
19
|
* @example
|
|
20
20
|
* ;```typescript
|
|
21
21
|
* const signal = createTimeoutSignal(5000) // aborts after 5 seconds
|
|
22
|
-
*
|
|
22
|
+
* httpJson(url, { signal })
|
|
23
23
|
* ```
|
|
24
24
|
*
|
|
25
25
|
* @throws {TypeError} If `ms` is not a number, is NaN, is not finite, or is not
|
package/dist/abort/signal.js
CHANGED
|
@@ -40,7 +40,7 @@ function createCompositeAbortSignal(...signals) {
|
|
|
40
40
|
* @example
|
|
41
41
|
* ;```typescript
|
|
42
42
|
* const signal = createTimeoutSignal(5000) // aborts after 5 seconds
|
|
43
|
-
*
|
|
43
|
+
* httpJson(url, { signal })
|
|
44
44
|
* ```
|
|
45
45
|
*
|
|
46
46
|
* @throws {TypeError} If `ms` is not a number, is NaN, is not finite, or is not
|
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
* the human-authored AGENTS.md. So `agentPaths(...).memoryDir` is defined
|
|
23
23
|
* only for `claude`; for the others it is `undefined` (there is no memory
|
|
24
24
|
* dir to point at), and the shared cross-tool memory surface is the
|
|
25
|
-
* committed AGENTS.md (which
|
|
25
|
+
* committed AGENTS.md (which Socket symlinks to CLAUDE.md).
|
|
26
26
|
*/
|
|
27
27
|
import type { AiAgentName } from './types.mts';
|
|
28
28
|
/**
|
package/dist/ai/agent-context.js
CHANGED
|
@@ -6,6 +6,7 @@ const require_constants_platform = require('../constants/platform.js');
|
|
|
6
6
|
const require_env_rewire = require('../env/rewire.js');
|
|
7
7
|
const require_env_home = require('../env/home.js');
|
|
8
8
|
const require_env_xdg = require('../env/xdg.js');
|
|
9
|
+
const require_paths_normalize = require('../paths/normalize.js');
|
|
9
10
|
let node_path = require("node:path");
|
|
10
11
|
node_path = require_runtime.__toESM(node_path, 1);
|
|
11
12
|
|
|
@@ -34,7 +35,7 @@ node_path = require_runtime.__toESM(node_path, 1);
|
|
|
34
35
|
* the human-authored AGENTS.md. So `agentPaths(...).memoryDir` is defined
|
|
35
36
|
* only for `claude`; for the others it is `undefined` (there is no memory
|
|
36
37
|
* dir to point at), and the shared cross-tool memory surface is the
|
|
37
|
-
* committed AGENTS.md (which
|
|
38
|
+
* committed AGENTS.md (which Socket symlinks to CLAUDE.md).
|
|
38
39
|
*/
|
|
39
40
|
function agentFromAiAgentEnv(value) {
|
|
40
41
|
const lower = value.toLowerCase();
|
|
@@ -76,7 +77,7 @@ function agentPaths(agent, options) {
|
|
|
76
77
|
return {
|
|
77
78
|
agent,
|
|
78
79
|
configDir,
|
|
79
|
-
memoryDir: cwd ? node_path.default.join(configDir, "projects", cwd.replace(
|
|
80
|
+
memoryDir: cwd ? node_path.default.join(configDir, "projects", require_paths_normalize.normalizePath(cwd).replace(/\//g, "-"), "memory") : void 0
|
|
80
81
|
};
|
|
81
82
|
}
|
|
82
83
|
case "codex": return {
|
package/dist/ai/backends.d.mts
CHANGED
|
@@ -1,5 +1,5 @@
|
|
|
1
1
|
/**
|
|
2
|
-
* @file Multi-agent CLI backend registry + role routing.
|
|
2
|
+
* @file Multi-agent CLI backend registry + role routing. Socket's review /
|
|
3
3
|
* scan / fix skills delegate work to whichever agent CLIs are installed
|
|
4
4
|
* (`codex`, `claude`, `kimi`, `opencode`), falling back through a per-role
|
|
5
5
|
* preference order and skipping a pass when nothing usable is present. Before
|
|
@@ -22,7 +22,7 @@
|
|
|
22
22
|
* attribution accurate.
|
|
23
23
|
*/
|
|
24
24
|
/**
|
|
25
|
-
* A CLI backend
|
|
25
|
+
* A CLI backend Socket can delegate a pass to.
|
|
26
26
|
*/
|
|
27
27
|
export type BackendName = 'claude' | 'codex' | 'kimi' | 'opencode';
|
|
28
28
|
/**
|
|
@@ -73,7 +73,7 @@ export interface ResolveBackendOptions {
|
|
|
73
73
|
readonly override?: BackendName | undefined;
|
|
74
74
|
}
|
|
75
75
|
/**
|
|
76
|
-
* Resolve which backend runs a pass, encoding
|
|
76
|
+
* Resolve which backend runs a pass, encoding Socket's detection policy
|
|
77
77
|
* (`_shared/multi-agent-backends.md`): an installed explicit override wins;
|
|
78
78
|
* else the first installed non-hybrid entry in the preference order; else
|
|
79
79
|
* nothing (skip the pass). Pure — returns the decision + why, never logs. An
|
package/dist/ai/backends.js
CHANGED
|
@@ -6,7 +6,7 @@ const require_ai_spawn = require('./spawn.js');
|
|
|
6
6
|
|
|
7
7
|
//#region src/ai/backends.mts
|
|
8
8
|
/**
|
|
9
|
-
* @file Multi-agent CLI backend registry + role routing.
|
|
9
|
+
* @file Multi-agent CLI backend registry + role routing. Socket's review /
|
|
10
10
|
* scan / fix skills delegate work to whichever agent CLIs are installed
|
|
11
11
|
* (`codex`, `claude`, `kimi`, `opencode`), falling back through a per-role
|
|
12
12
|
* preference order and skipping a pass when nothing usable is present. Before
|
|
@@ -131,7 +131,7 @@ async function isCommandAvailable(bin) {
|
|
|
131
131
|
return await require_bin_which.which(bin) !== null;
|
|
132
132
|
}
|
|
133
133
|
/**
|
|
134
|
-
* Resolve which backend runs a pass, encoding
|
|
134
|
+
* Resolve which backend runs a pass, encoding Socket's detection policy
|
|
135
135
|
* (`_shared/multi-agent-backends.md`): an installed explicit override wins;
|
|
136
136
|
* else the first installed non-hybrid entry in the preference order; else
|
|
137
137
|
* nothing (skip the pass). Pure — returns the decision + why, never logs. An
|
|
@@ -0,0 +1,74 @@
|
|
|
1
|
+
/**
|
|
2
|
+
* @file Build a `BillingContext` for the route-heuristic WITHOUT privileged
|
|
3
|
+
* lookups. A normal user has no Admin key (`sk-ant-admin01-`), so we cannot
|
|
4
|
+
* read org spend / quota — the Anthropic Cost API is admin-gated — and that
|
|
5
|
+
* is an accepted limitation, not something to engineer around. So this layer
|
|
6
|
+
* does NO network call and NO privileged probe. It uses only what a user
|
|
7
|
+
* actually has: which provider credentials resolve (the same env → keychain
|
|
8
|
+
* check that builds `RouteContext.keyed`, non-admin), tags each with its
|
|
9
|
+
* INHERENT billing kind (a metered API, a flat-rate plan, a subscription seat
|
|
10
|
+
* — the provider's nature, overridable by config), and leaves `headroom`
|
|
11
|
+
* undefined. Undefined headroom means the heuristic routes REACTIVELY: it
|
|
12
|
+
* falls over on a 429 / quota error at spawn time (`isQuotaExhausted` in
|
|
13
|
+
* `spawn.mts`), rather than predicting a cap it has no privilege to read. A
|
|
14
|
+
* caller that DOES have a non-privileged quota endpoint (e.g. Synthetic
|
|
15
|
+
* `/v2/quotas` with the ordinary key) may pass best-effort `headroom` in —
|
|
16
|
+
* but nothing here requires it, and no privileged reader is built or wired.
|
|
17
|
+
*/
|
|
18
|
+
import type { CredentialProvider } from './credentials.mts';
|
|
19
|
+
import type { BillingContext, BillingHeadroom, BillingKind, RoutingEnv } from './route-heuristic.mts';
|
|
20
|
+
/**
|
|
21
|
+
* Inherent billing model per provider — the provider's NATURE, not anyone's
|
|
22
|
+
* account or limit. A metered pay-per-token API (`anthropic` with an API key,
|
|
23
|
+
* `fireworks`, `xai`), a flat-rate plan (`synthetic`), or a subscription seat
|
|
24
|
+
* (`openai` via a ChatGPT/Codex seat). These are DEFAULTS only: a caller
|
|
25
|
+
* overrides per provider via the `kinds` option — e.g. a user whose Anthropic
|
|
26
|
+
* access is a Claude Max seat (no API key) marks `anthropic` as `subscription`.
|
|
27
|
+
* No dollar figures here; only the kind, which decides dollars-vs-headroom.
|
|
28
|
+
*/
|
|
29
|
+
export declare const DEFAULT_PROVIDER_KIND: Readonly<Record<CredentialProvider, BillingKind>>;
|
|
30
|
+
export interface BillingFromKeyedOptions {
|
|
31
|
+
readonly keyed: ReadonlySet<CredentialProvider>;
|
|
32
|
+
readonly kinds?: Readonly<Partial<Record<CredentialProvider, BillingKind>>> | undefined;
|
|
33
|
+
readonly headroom?: Readonly<Partial<Record<CredentialProvider, BillingHeadroom>>> | undefined;
|
|
34
|
+
}
|
|
35
|
+
/**
|
|
36
|
+
* Turn an already-probed set of keyed providers into a `BillingContext`,
|
|
37
|
+
* tagging each with its kind (config override → inherent default) and any
|
|
38
|
+
* caller-supplied best-effort headroom. Pure: no I/O, no privileged lookup. A
|
|
39
|
+
* provider with no known kind is skipped rather than given an undefined kind.
|
|
40
|
+
*/
|
|
41
|
+
export declare function billingFromKeyed(options: BillingFromKeyedOptions): BillingContext;
|
|
42
|
+
/**
|
|
43
|
+
* Detect whether routing runs in locked-down CI (restricted to the secrets
|
|
44
|
+
* actually present, under the four-flag lockdown) or local dev (full freedom).
|
|
45
|
+
* CI when the standard `CI` env var is set; `local` otherwise.
|
|
46
|
+
*/
|
|
47
|
+
export declare function detectRoutingEnv(): RoutingEnv;
|
|
48
|
+
export interface DiscoverBillingOptions {
|
|
49
|
+
readonly allowEnvOnly?: boolean | undefined;
|
|
50
|
+
readonly env?: RoutingEnv | undefined;
|
|
51
|
+
readonly headroom?: Readonly<Partial<Record<CredentialProvider, BillingHeadroom>>> | undefined;
|
|
52
|
+
readonly kinds?: Readonly<Partial<Record<CredentialProvider, BillingKind>>> | undefined;
|
|
53
|
+
}
|
|
54
|
+
/**
|
|
55
|
+
* Discover a `BillingContext` end-to-end with no privileged lookup: probe which
|
|
56
|
+
* provider credentials resolve (env → keychain, the non-admin check), then tag
|
|
57
|
+
* them via `billingFromKeyed`. Headroom defaults to undefined (reactive). In CI
|
|
58
|
+
* the credential probe is env-only (no keychain prompt); locally it allows the
|
|
59
|
+
* keychain. Convenience over calling `discoverKeyedProviders` +
|
|
60
|
+
* `billingFromKeyed`.
|
|
61
|
+
*
|
|
62
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
63
|
+
*/
|
|
64
|
+
export declare function discoverBilling(options?: DiscoverBillingOptions | undefined): Promise<BillingContext>;
|
|
65
|
+
export interface DiscoverKeyedProvidersOptions {
|
|
66
|
+
readonly allowEnvOnly?: boolean | undefined;
|
|
67
|
+
}
|
|
68
|
+
/**
|
|
69
|
+
* The set of providers with a resolvable credential, probed via the same
|
|
70
|
+
* non-admin env → keychain resolver `RouteContext.keyed` uses. No network, no
|
|
71
|
+
* privilege. Pass `allowEnvOnly: true` in headless contexts to skip the
|
|
72
|
+
* keychain entirely.
|
|
73
|
+
*/
|
|
74
|
+
export declare function discoverKeyedProviders(options?: DiscoverKeyedProvidersOptions | undefined): Promise<Set<CredentialProvider>>;
|
|
@@ -0,0 +1,129 @@
|
|
|
1
|
+
"use strict";
|
|
2
|
+
/* Socket Lib - Built with rolldown */
|
|
3
|
+
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_primordials_object = require('../primordials/object.js');
|
|
5
|
+
const require_env_rewire = require('../env/rewire.js');
|
|
6
|
+
const require_ai_credentials = require('./credentials.js');
|
|
7
|
+
|
|
8
|
+
//#region src/ai/billing-context.mts
|
|
9
|
+
/**
|
|
10
|
+
* @file Build a `BillingContext` for the route-heuristic WITHOUT privileged
|
|
11
|
+
* lookups. A normal user has no Admin key (`sk-ant-admin01-`), so we cannot
|
|
12
|
+
* read org spend / quota — the Anthropic Cost API is admin-gated — and that
|
|
13
|
+
* is an accepted limitation, not something to engineer around. So this layer
|
|
14
|
+
* does NO network call and NO privileged probe. It uses only what a user
|
|
15
|
+
* actually has: which provider credentials resolve (the same env → keychain
|
|
16
|
+
* check that builds `RouteContext.keyed`, non-admin), tags each with its
|
|
17
|
+
* INHERENT billing kind (a metered API, a flat-rate plan, a subscription seat
|
|
18
|
+
* — the provider's nature, overridable by config), and leaves `headroom`
|
|
19
|
+
* undefined. Undefined headroom means the heuristic routes REACTIVELY: it
|
|
20
|
+
* falls over on a 429 / quota error at spawn time (`isQuotaExhausted` in
|
|
21
|
+
* `spawn.mts`), rather than predicting a cap it has no privilege to read. A
|
|
22
|
+
* caller that DOES have a non-privileged quota endpoint (e.g. Synthetic
|
|
23
|
+
* `/v2/quotas` with the ordinary key) may pass best-effort `headroom` in —
|
|
24
|
+
* but nothing here requires it, and no privileged reader is built or wired.
|
|
25
|
+
*/
|
|
26
|
+
/**
|
|
27
|
+
* Inherent billing model per provider — the provider's NATURE, not anyone's
|
|
28
|
+
* account or limit. A metered pay-per-token API (`anthropic` with an API key,
|
|
29
|
+
* `fireworks`, `xai`), a flat-rate plan (`synthetic`), or a subscription seat
|
|
30
|
+
* (`openai` via a ChatGPT/Codex seat). These are DEFAULTS only: a caller
|
|
31
|
+
* overrides per provider via the `kinds` option — e.g. a user whose Anthropic
|
|
32
|
+
* access is a Claude Max seat (no API key) marks `anthropic` as `subscription`.
|
|
33
|
+
* No dollar figures here; only the kind, which decides dollars-vs-headroom.
|
|
34
|
+
*/
|
|
35
|
+
const DEFAULT_PROVIDER_KIND = {
|
|
36
|
+
__proto__: null,
|
|
37
|
+
anthropic: "metered",
|
|
38
|
+
fireworks: "metered",
|
|
39
|
+
openai: "subscription",
|
|
40
|
+
synthetic: "flat-rate",
|
|
41
|
+
xai: "metered"
|
|
42
|
+
};
|
|
43
|
+
/**
|
|
44
|
+
* Turn an already-probed set of keyed providers into a `BillingContext`,
|
|
45
|
+
* tagging each with its kind (config override → inherent default) and any
|
|
46
|
+
* caller-supplied best-effort headroom. Pure: no I/O, no privileged lookup. A
|
|
47
|
+
* provider with no known kind is skipped rather than given an undefined kind.
|
|
48
|
+
*/
|
|
49
|
+
function billingFromKeyed(options) {
|
|
50
|
+
const opts = {
|
|
51
|
+
__proto__: null,
|
|
52
|
+
...options
|
|
53
|
+
};
|
|
54
|
+
const out = { __proto__: null };
|
|
55
|
+
for (const provider of opts.keyed) {
|
|
56
|
+
const kind = opts.kinds?.[provider] ?? DEFAULT_PROVIDER_KIND[provider];
|
|
57
|
+
if (!kind) continue;
|
|
58
|
+
const headroom = opts.headroom?.[provider];
|
|
59
|
+
out[provider] = headroom ? {
|
|
60
|
+
headroom,
|
|
61
|
+
kind,
|
|
62
|
+
provider
|
|
63
|
+
} : {
|
|
64
|
+
kind,
|
|
65
|
+
provider
|
|
66
|
+
};
|
|
67
|
+
}
|
|
68
|
+
return out;
|
|
69
|
+
}
|
|
70
|
+
/**
|
|
71
|
+
* Detect whether routing runs in locked-down CI (restricted to the secrets
|
|
72
|
+
* actually present, under the four-flag lockdown) or local dev (full freedom).
|
|
73
|
+
* CI when the standard `CI` env var is set; `local` otherwise.
|
|
74
|
+
*/
|
|
75
|
+
function detectRoutingEnv() {
|
|
76
|
+
return require_env_rewire.getEnvValue("CI") ? "ci" : "local";
|
|
77
|
+
}
|
|
78
|
+
/**
|
|
79
|
+
* Discover a `BillingContext` end-to-end with no privileged lookup: probe which
|
|
80
|
+
* provider credentials resolve (env → keychain, the non-admin check), then tag
|
|
81
|
+
* them via `billingFromKeyed`. Headroom defaults to undefined (reactive). In CI
|
|
82
|
+
* the credential probe is env-only (no keychain prompt); locally it allows the
|
|
83
|
+
* keychain. Convenience over calling `discoverKeyedProviders` +
|
|
84
|
+
* `billingFromKeyed`.
|
|
85
|
+
*
|
|
86
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
87
|
+
*/
|
|
88
|
+
async function discoverBilling(options) {
|
|
89
|
+
const opts = {
|
|
90
|
+
__proto__: null,
|
|
91
|
+
...options
|
|
92
|
+
};
|
|
93
|
+
const env = opts.env ?? detectRoutingEnv();
|
|
94
|
+
const keyed = await discoverKeyedProviders({ allowEnvOnly: opts.allowEnvOnly ?? env === "ci" });
|
|
95
|
+
return billingFromKeyed({
|
|
96
|
+
headroom: opts.headroom,
|
|
97
|
+
keyed,
|
|
98
|
+
kinds: opts.kinds
|
|
99
|
+
});
|
|
100
|
+
}
|
|
101
|
+
/**
|
|
102
|
+
* The set of providers with a resolvable credential, probed via the same
|
|
103
|
+
* non-admin env → keychain resolver `RouteContext.keyed` uses. No network, no
|
|
104
|
+
* privilege. Pass `allowEnvOnly: true` in headless contexts to skip the
|
|
105
|
+
* keychain entirely.
|
|
106
|
+
*/
|
|
107
|
+
async function discoverKeyedProviders(options) {
|
|
108
|
+
const opts = {
|
|
109
|
+
__proto__: null,
|
|
110
|
+
...options
|
|
111
|
+
};
|
|
112
|
+
const providers = require_primordials_object.ObjectKeys(require_ai_credentials.PROVIDER_CREDENTIALS);
|
|
113
|
+
const keyed = /* @__PURE__ */ new Set();
|
|
114
|
+
for (let i = 0, { length } = providers; i < length; i += 1) {
|
|
115
|
+
const provider = providers[i];
|
|
116
|
+
if (await require_ai_credentials.resolveProviderCredential({
|
|
117
|
+
allowEnvOnly: opts.allowEnvOnly,
|
|
118
|
+
provider
|
|
119
|
+
})) keyed.add(provider);
|
|
120
|
+
}
|
|
121
|
+
return keyed;
|
|
122
|
+
}
|
|
123
|
+
|
|
124
|
+
//#endregion
|
|
125
|
+
exports.DEFAULT_PROVIDER_KIND = DEFAULT_PROVIDER_KIND;
|
|
126
|
+
exports.billingFromKeyed = billingFromKeyed;
|
|
127
|
+
exports.detectRoutingEnv = detectRoutingEnv;
|
|
128
|
+
exports.discoverBilling = discoverBilling;
|
|
129
|
+
exports.discoverKeyedProviders = discoverKeyedProviders;
|
|
@@ -14,11 +14,10 @@
|
|
|
14
14
|
* `undefined` immediately instead of triggering a keychain auth prompt. CI
|
|
15
15
|
* sets the token as a GH-secret env var (e.g. `ANTHROPIC_API_KEY`); the same
|
|
16
16
|
* `resolveProviderCredential` call reads it there with no keychain. proteus
|
|
17
|
-
* hook-point: the forthcoming biometric credential daemon
|
|
18
|
-
*
|
|
19
|
-
*
|
|
20
|
-
*
|
|
21
|
-
* plan). This module is the stable seam.
|
|
17
|
+
* hook-point: the forthcoming biometric credential daemon slots in as a
|
|
18
|
+
* layer between the env check and the keychain read inside `resolve()`'s
|
|
19
|
+
* implementation — call sites here do not change when it lands. This module
|
|
20
|
+
* is the stable seam.
|
|
22
21
|
*/
|
|
23
22
|
/**
|
|
24
23
|
* A provider whose credential this module can resolve: the HTTP providers
|
|
@@ -31,6 +30,19 @@ export interface ProviderCredentialSpec {
|
|
|
31
30
|
readonly keychainService: string;
|
|
32
31
|
}
|
|
33
32
|
export declare const PROVIDER_CREDENTIALS: Readonly<Record<CredentialProvider, ProviderCredentialSpec>>;
|
|
33
|
+
export interface DeleteProviderCredentialOptions {
|
|
34
|
+
readonly provider: CredentialProvider;
|
|
35
|
+
}
|
|
36
|
+
/**
|
|
37
|
+
* Remove a provider's stored credential from the OS keychain — the same
|
|
38
|
+
* `{ service, account }` slot `resolveProviderCredential` reads. Returns
|
|
39
|
+
* `'removed'` when a value was deleted, `'absent'` when none was stored (or the
|
|
40
|
+
* platform has no keychain backend — delete degrades to a no-op rather than
|
|
41
|
+
* throwing, since "nothing to remove" is the same outcome either way).
|
|
42
|
+
*
|
|
43
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
44
|
+
*/
|
|
45
|
+
export declare function deleteProviderCredential(options: DeleteProviderCredentialOptions): Promise<'absent' | 'removed'>;
|
|
34
46
|
/**
|
|
35
47
|
* True when `value` names a provider with a resolvable credential.
|
|
36
48
|
*/
|
|
@@ -47,3 +59,25 @@ export interface ResolveProviderCredentialOptions {
|
|
|
47
59
|
* source has it (the caller decides whether that's fatal).
|
|
48
60
|
*/
|
|
49
61
|
export declare function resolveProviderCredential(options: ResolveProviderCredentialOptions): Promise<string | undefined>;
|
|
62
|
+
export interface WriteProviderCredentialOptions {
|
|
63
|
+
readonly provider: CredentialProvider;
|
|
64
|
+
readonly value: string;
|
|
65
|
+
}
|
|
66
|
+
/**
|
|
67
|
+
* Persist a provider's bearer token to the OS keychain — the SAME `{ service,
|
|
68
|
+
* account }` slot `resolveProviderCredential` reads (account == `tokenEnv`,
|
|
69
|
+
* service == the Socket-uniform `socketsecurity` scope), so a written token
|
|
70
|
+
* resolves on the next read without an env var.
|
|
71
|
+
*
|
|
72
|
+
* Keychain ONLY — this never writes a shell-rc export. That matters most for
|
|
73
|
+
* anthropic: a live `ANTHROPIC_API_KEY` env var overrides a Claude Max-seat
|
|
74
|
+
* OAuth session and silently flips the user to metered billing, so its token
|
|
75
|
+
* must live only in the keychain (read on demand), never exported. A setup
|
|
76
|
+
* wizard that rc-exports `FIREWORKS_API_KEY`/`SYNTHETIC_API_KEY` for
|
|
77
|
+
* convenience must still route anthropic here, keychain-only.
|
|
78
|
+
*
|
|
79
|
+
* Returns `'written'` | `'unchanged'` (idempotent — an identical stored value
|
|
80
|
+
* is a no-op). Throws when the OS has no keychain backend; a caller that wants
|
|
81
|
+
* to degrade gracefully should check `getBackendAvailability()` first.
|
|
82
|
+
*/
|
|
83
|
+
export declare function writeProviderCredential(options: WriteProviderCredentialOptions): Promise<'unchanged' | 'written'>;
|
package/dist/ai/credentials.js
CHANGED
|
@@ -1,6 +1,7 @@
|
|
|
1
1
|
"use strict";
|
|
2
2
|
/* Socket Lib - Built with rolldown */
|
|
3
3
|
Object.defineProperty(exports, Symbol.toStringTag, { value: 'Module' });
|
|
4
|
+
const require_secrets_keychain = require('../secrets/keychain.js');
|
|
4
5
|
const require_secrets_find = require('../secrets/find.js');
|
|
5
6
|
|
|
6
7
|
//#region src/ai/credentials.mts
|
|
@@ -20,11 +21,10 @@ const require_secrets_find = require('../secrets/find.js');
|
|
|
20
21
|
* `undefined` immediately instead of triggering a keychain auth prompt. CI
|
|
21
22
|
* sets the token as a GH-secret env var (e.g. `ANTHROPIC_API_KEY`); the same
|
|
22
23
|
* `resolveProviderCredential` call reads it there with no keychain. proteus
|
|
23
|
-
* hook-point: the forthcoming biometric credential daemon
|
|
24
|
-
*
|
|
25
|
-
*
|
|
26
|
-
*
|
|
27
|
-
* plan). This module is the stable seam.
|
|
24
|
+
* hook-point: the forthcoming biometric credential daemon slots in as a
|
|
25
|
+
* layer between the env check and the keychain read inside `resolve()`'s
|
|
26
|
+
* implementation — call sites here do not change when it lands. This module
|
|
27
|
+
* is the stable seam.
|
|
28
28
|
*/
|
|
29
29
|
const PROVIDER_CREDENTIALS = {
|
|
30
30
|
__proto__: null,
|
|
@@ -50,6 +50,27 @@ const PROVIDER_CREDENTIALS = {
|
|
|
50
50
|
}
|
|
51
51
|
};
|
|
52
52
|
/**
|
|
53
|
+
* Remove a provider's stored credential from the OS keychain — the same
|
|
54
|
+
* `{ service, account }` slot `resolveProviderCredential` reads. Returns
|
|
55
|
+
* `'removed'` when a value was deleted, `'absent'` when none was stored (or the
|
|
56
|
+
* platform has no keychain backend — delete degrades to a no-op rather than
|
|
57
|
+
* throwing, since "nothing to remove" is the same outcome either way).
|
|
58
|
+
*
|
|
59
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
60
|
+
*/
|
|
61
|
+
async function deleteProviderCredential(options) {
|
|
62
|
+
const opts = {
|
|
63
|
+
__proto__: null,
|
|
64
|
+
...options
|
|
65
|
+
};
|
|
66
|
+
const spec = PROVIDER_CREDENTIALS[opts.provider];
|
|
67
|
+
if (!spec) return "absent";
|
|
68
|
+
return await require_secrets_keychain.deleteSecret({
|
|
69
|
+
account: spec.tokenEnv,
|
|
70
|
+
service: spec.keychainService
|
|
71
|
+
});
|
|
72
|
+
}
|
|
73
|
+
/**
|
|
53
74
|
* True when `value` names a provider with a resolvable credential.
|
|
54
75
|
*/
|
|
55
76
|
function isCredentialProvider(value) {
|
|
@@ -75,8 +96,42 @@ async function resolveProviderCredential(options) {
|
|
|
75
96
|
service: spec.keychainService
|
|
76
97
|
}))?.value;
|
|
77
98
|
}
|
|
99
|
+
/**
|
|
100
|
+
* Persist a provider's bearer token to the OS keychain — the SAME `{ service,
|
|
101
|
+
* account }` slot `resolveProviderCredential` reads (account == `tokenEnv`,
|
|
102
|
+
* service == the Socket-uniform `socketsecurity` scope), so a written token
|
|
103
|
+
* resolves on the next read without an env var.
|
|
104
|
+
*
|
|
105
|
+
* Keychain ONLY — this never writes a shell-rc export. That matters most for
|
|
106
|
+
* anthropic: a live `ANTHROPIC_API_KEY` env var overrides a Claude Max-seat
|
|
107
|
+
* OAuth session and silently flips the user to metered billing, so its token
|
|
108
|
+
* must live only in the keychain (read on demand), never exported. A setup
|
|
109
|
+
* wizard that rc-exports `FIREWORKS_API_KEY`/`SYNTHETIC_API_KEY` for
|
|
110
|
+
* convenience must still route anthropic here, keychain-only.
|
|
111
|
+
*
|
|
112
|
+
* Returns `'written'` | `'unchanged'` (idempotent — an identical stored value
|
|
113
|
+
* is a no-op). Throws when the OS has no keychain backend; a caller that wants
|
|
114
|
+
* to degrade gracefully should check `getBackendAvailability()` first.
|
|
115
|
+
*/
|
|
116
|
+
async function writeProviderCredential(options) {
|
|
117
|
+
const opts = {
|
|
118
|
+
__proto__: null,
|
|
119
|
+
...options
|
|
120
|
+
};
|
|
121
|
+
const spec = PROVIDER_CREDENTIALS[opts.provider];
|
|
122
|
+
if (!spec) throw new Error(`writeProviderCredential: unknown provider "${opts.provider}".`);
|
|
123
|
+
const backend = require_secrets_keychain.getBackendAvailability();
|
|
124
|
+
if (!backend.available) throw new Error(`writeProviderCredential: no OS keychain backend (${backend.toolName}) available to store the ${opts.provider} credential.` + (backend.installHint ? ` ${backend.installHint}` : ""));
|
|
125
|
+
return await require_secrets_keychain.writeSecret({
|
|
126
|
+
account: spec.tokenEnv,
|
|
127
|
+
service: spec.keychainService,
|
|
128
|
+
value: opts.value
|
|
129
|
+
});
|
|
130
|
+
}
|
|
78
131
|
|
|
79
132
|
//#endregion
|
|
80
133
|
exports.PROVIDER_CREDENTIALS = PROVIDER_CREDENTIALS;
|
|
134
|
+
exports.deleteProviderCredential = deleteProviderCredential;
|
|
81
135
|
exports.isCredentialProvider = isCredentialProvider;
|
|
82
|
-
exports.resolveProviderCredential = resolveProviderCredential;
|
|
136
|
+
exports.resolveProviderCredential = resolveProviderCredential;
|
|
137
|
+
exports.writeProviderCredential = writeProviderCredential;
|
package/dist/ai/discover.d.mts
CHANGED
|
@@ -43,12 +43,16 @@ export declare function discoverFresh(): DiscoveredAgents;
|
|
|
43
43
|
*
|
|
44
44
|
* Useful in fast paths where the caller has already populated the cache and
|
|
45
45
|
* just wants to read it back.
|
|
46
|
+
*
|
|
47
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
46
48
|
*/
|
|
47
49
|
export declare function getDiscoveredAiAgents(): DiscoveredAgents | undefined;
|
|
48
50
|
export declare function readDiskCache(cachePath: string): DiscoveredAgents | undefined;
|
|
49
51
|
/**
|
|
50
52
|
* Reset the in-process cache. Tests use this; production callers shouldn't need
|
|
51
53
|
* it (use `refresh: true` on discoverAiAgents()).
|
|
54
|
+
*
|
|
55
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
52
56
|
*/
|
|
53
57
|
export declare function resetAiAgentDiscoveryCache(): void;
|
|
54
58
|
export declare function writeDiskCache(cachePath: string, agents: DiscoveredAgents): Promise<void>;
|
package/dist/ai/discover.js
CHANGED
|
@@ -87,6 +87,8 @@ function discoverFresh() {
|
|
|
87
87
|
*
|
|
88
88
|
* Useful in fast paths where the caller has already populated the cache and
|
|
89
89
|
* just wants to read it back.
|
|
90
|
+
*
|
|
91
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
90
92
|
*/
|
|
91
93
|
function getDiscoveredAiAgents() {
|
|
92
94
|
return inProcessCache;
|
|
@@ -104,6 +106,8 @@ function readDiskCache(cachePath) {
|
|
|
104
106
|
/**
|
|
105
107
|
* Reset the in-process cache. Tests use this; production callers shouldn't need
|
|
106
108
|
* it (use `refresh: true` on discoverAiAgents()).
|
|
109
|
+
*
|
|
110
|
+
* @unused No internal or Socket consumers (exercised only by its unit tests).
|
|
107
111
|
*/
|
|
108
112
|
function resetAiAgentDiscoveryCache() {
|
|
109
113
|
inProcessCache = void 0;
|
package/dist/ai/exec.d.mts
CHANGED
|
@@ -3,7 +3,7 @@
|
|
|
3
3
|
* WHICH model produced it (`ai/backends`). The lib owns the INTERFACE plus
|
|
4
4
|
* the cheap built-in `real` runner (the host shell via lib `spawn`); a
|
|
5
5
|
* SANDBOXED runner is INJECTED by the caller, never imported here. That keeps
|
|
6
|
-
* the small-dist lib free of a heavy sandbox dependency —
|
|
6
|
+
* the small-dist lib free of a heavy sandbox dependency — Socket's sandbox
|
|
7
7
|
* of choice (`just-bash`, ~40MB incl. WASM) is owned by the wheelhouse hook /
|
|
8
8
|
* CI tooling and passed in, so a lib consumer that never sandboxes pays
|
|
9
9
|
* nothing. Layering: ExecRunner.run() — the injectable primitive (real |
|
package/dist/ai/exec.js
CHANGED
|
@@ -10,7 +10,7 @@ const require_process_spawn_child = require('../process/spawn/child.js');
|
|
|
10
10
|
* WHICH model produced it (`ai/backends`). The lib owns the INTERFACE plus
|
|
11
11
|
* the cheap built-in `real` runner (the host shell via lib `spawn`); a
|
|
12
12
|
* SANDBOXED runner is INJECTED by the caller, never imported here. That keeps
|
|
13
|
-
* the small-dist lib free of a heavy sandbox dependency —
|
|
13
|
+
* the small-dist lib free of a heavy sandbox dependency — Socket's sandbox
|
|
14
14
|
* of choice (`just-bash`, ~40MB incl. WASM) is owned by the wheelhouse hook /
|
|
15
15
|
* CI tooling and passed in, so a lib consumer that never sandboxes pays
|
|
16
16
|
* nothing. Layering: ExecRunner.run() — the injectable primitive (real |
|
package/dist/ai/http.d.mts
CHANGED
|
@@ -4,7 +4,7 @@
|
|
|
4
4
|
* (`api.fireworks.ai`) and Synthetic (`api.synthetic.new`). The CLI path
|
|
5
5
|
* (`spawn.mts`) drives an interactive agent binary; this path is for a
|
|
6
6
|
* script/hook that needs a single completion from a model without an agent
|
|
7
|
-
* harness (the way the local OpenCode setup reaches GLM-5.
|
|
7
|
+
* harness (the way the local OpenCode setup reaches GLM-5.2 / Kimi-K2.6). Why
|
|
8
8
|
* a separate module from `spawn.mts`: those are different surfaces. A CLI
|
|
9
9
|
* agent gets tools + a permission mode + a working dir; an HTTP completion
|
|
10
10
|
* gets a prompt + a model + (optionally) a reasoning effort and returns text.
|
|
@@ -13,10 +13,10 @@
|
|
|
13
13
|
* function-calling surface — they're plain completions, so there's no agentic
|
|
14
14
|
* capability to constrain. The token is read from the env var the provider
|
|
15
15
|
* config names (`FIREWORKS_API_KEY` / `SYNTHETIC_API_KEY`), NEVER passed
|
|
16
|
-
* inline, and never logged — same token-hygiene rule as the rest of
|
|
17
|
-
*
|
|
18
|
-
*
|
|
19
|
-
*
|
|
16
|
+
* inline, and never logged — same token-hygiene rule as the rest of Socket. A
|
|
17
|
+
* missing token throws with the exact env var to set. Wire format is the
|
|
18
|
+
* OpenAI Chat Completions API (`POST {baseUrl}/chat/completions`), which both
|
|
19
|
+
* providers implement.
|
|
20
20
|
*/
|
|
21
21
|
import type { AiEffort } from './types.mts';
|
|
22
22
|
/**
|
|
@@ -47,8 +47,8 @@ export interface AiHttpCallOptions {
|
|
|
47
47
|
*/
|
|
48
48
|
readonly provider: string | AiHttpProvider;
|
|
49
49
|
/**
|
|
50
|
-
* The provider's model id (e.g. `accounts/fireworks/models/glm-
|
|
51
|
-
* `hf:moonshotai/Kimi-K2.
|
|
50
|
+
* The provider's model id (e.g. `accounts/fireworks/models/glm-5p2`,
|
|
51
|
+
* `hf:moonshotai/Kimi-K2.6`).
|
|
52
52
|
*/
|
|
53
53
|
readonly model: string;
|
|
54
54
|
/**
|
|
@@ -118,7 +118,7 @@ export declare function buildChatRequestBody(options: AiHttpCallOptions): string
|
|
|
118
118
|
* ;```ts
|
|
119
119
|
* const { text } = await callAiHttpModel({
|
|
120
120
|
* provider: 'fireworks',
|
|
121
|
-
* model: 'accounts/fireworks/models/glm-
|
|
121
|
+
* model: 'accounts/fireworks/models/glm-5p2',
|
|
122
122
|
* prompt: 'Summarize this diff: …',
|
|
123
123
|
* effort: 'high',
|
|
124
124
|
* })
|
package/dist/ai/http.js
CHANGED
|
@@ -12,7 +12,7 @@ const require_http_request_node = require('../http-request/node.js');
|
|
|
12
12
|
* (`api.fireworks.ai`) and Synthetic (`api.synthetic.new`). The CLI path
|
|
13
13
|
* (`spawn.mts`) drives an interactive agent binary; this path is for a
|
|
14
14
|
* script/hook that needs a single completion from a model without an agent
|
|
15
|
-
* harness (the way the local OpenCode setup reaches GLM-5.
|
|
15
|
+
* harness (the way the local OpenCode setup reaches GLM-5.2 / Kimi-K2.6). Why
|
|
16
16
|
* a separate module from `spawn.mts`: those are different surfaces. A CLI
|
|
17
17
|
* agent gets tools + a permission mode + a working dir; an HTTP completion
|
|
18
18
|
* gets a prompt + a model + (optionally) a reasoning effort and returns text.
|
|
@@ -21,10 +21,10 @@ const require_http_request_node = require('../http-request/node.js');
|
|
|
21
21
|
* function-calling surface — they're plain completions, so there's no agentic
|
|
22
22
|
* capability to constrain. The token is read from the env var the provider
|
|
23
23
|
* config names (`FIREWORKS_API_KEY` / `SYNTHETIC_API_KEY`), NEVER passed
|
|
24
|
-
* inline, and never logged — same token-hygiene rule as the rest of
|
|
25
|
-
*
|
|
26
|
-
*
|
|
27
|
-
*
|
|
24
|
+
* inline, and never logged — same token-hygiene rule as the rest of Socket. A
|
|
25
|
+
* missing token throws with the exact env var to set. Wire format is the
|
|
26
|
+
* OpenAI Chat Completions API (`POST {baseUrl}/chat/completions`), which both
|
|
27
|
+
* providers implement.
|
|
28
28
|
*/
|
|
29
29
|
/**
|
|
30
30
|
* Built-in OpenAI-compatible providers. Add an entry to support a new one — no
|
|
@@ -81,7 +81,7 @@ function buildChatRequestBody(options) {
|
|
|
81
81
|
* ;```ts
|
|
82
82
|
* const { text } = await callAiHttpModel({
|
|
83
83
|
* provider: 'fireworks',
|
|
84
|
-
* model: 'accounts/fireworks/models/glm-
|
|
84
|
+
* model: 'accounts/fireworks/models/glm-5p2',
|
|
85
85
|
* prompt: 'Summarize this diff: …',
|
|
86
86
|
* effort: 'high',
|
|
87
87
|
* })
|