diff --git a/.claude/skills/quality-scan/SKILL.md b/.claude/skills/quality-scan/SKILL.md
new file mode 100644
index 000000000..9c6319326
--- /dev/null
+++ b/.claude/skills/quality-scan/SKILL.md
@@ -0,0 +1,554 @@
+---
+name: quality-scan
+description: Cleans up junk files (SCREAMING_TEXT.md, temp files) and performs comprehensive quality scans across codebase to identify critical bugs, logic errors, caching issues, and workflow problems. Spawns specialized agents for targeted analysis and generates prioritized improvement tasks. Use when improving code quality, before releases, or investigating issues.
+---
+
+# quality-scan
+
+
+Your task is to perform comprehensive quality scans across the socket-btm codebase using specialized agents to identify critical bugs, logic errors, caching issues, and workflow problems. Before scanning, clean up junk files (SCREAMING_TEXT.md files, temporary test files, etc.) to ensure a clean and organized repository. Generate a prioritized report with actionable improvement tasks.
+
+
+
+**What is Quality Scanning?**
+Quality scanning uses specialized AI agents to systematically analyze code for different categories of issues. Each agent type focuses on specific problem domains and reports findings with severity levels and actionable fixes.
+
+**socket-btm Architecture:**
+This is Socket Security's binary tooling manager (BTM) that:
+- Builds custom Node.js binaries with Socket Security patches
+- Manages Node.js versions and patch synchronization
+- Produces minimal Node.js builds (node-smol-builder)
+- Processes upstream Node.js source code and applies security patches
+- Supports production deployments with patched Node.js
+
+**Scan Types Available:**
+1. **critical** - Crashes, security vulnerabilities, resource leaks, data corruption
+2. **logic** - Algorithm errors, edge cases, type guards, off-by-one errors
+3. **cache** - Cache staleness, race conditions, invalidation bugs
+4. **workflow** - Build scripts, CI issues, cross-platform compatibility
+5. **security** - GitHub Actions workflow security (zizmor scanner)
+6. **documentation** - README accuracy, outdated docs, missing documentation
+
+**Why Quality Scanning Matters:**
+- Catches bugs before they reach production
+- Identifies security vulnerabilities early
+- Improves code quality systematically
+- Provides actionable fixes with file:line references
+- Prioritizes issues by severity for efficient remediation
+- Cleans up junk files for a well-organized repository
+
+**Agent Prompts:**
+All agent prompts are embedded in `reference.md` with structured , , , and tags following Claude best practices.
+
+
+
+**CRITICAL Requirements:**
+- Read-only analysis (no code changes during scan)
+- Must complete all enabled scans before reporting
+- Findings must be prioritized by severity (Critical → High → Medium → Low)
+- Must generate actionable tasks with file:line references
+- All findings must include suggested fixes
+
+**Do NOT:**
+- Fix issues during scan (analysis only - report findings)
+- Skip critical scan types without user permission
+- Report findings without file/line references
+- Proceed if codebase has uncommitted changes (warn but continue)
+
+**Do ONLY:**
+- Run enabled scan types in priority order (critical → logic → cache → workflow)
+- Generate structured findings with severity levels
+- Provide actionable improvement tasks with specific code changes
+- Report statistics and coverage metrics
+- Deduplicate findings across scans
+
+
+
+
+## Process
+
+Execute the following phases sequentially to perform comprehensive quality analysis.
+
+### Phase 1: Validate Environment
+
+
+Verify the environment before starting scans:
+
+
+```bash
+git status
+```
+
+
+**Expected State:**
+- Working directory should be clean (warn if dirty but continue)
+- On a valid branch
+- Node modules installed
+
+**If working directory dirty:**
+- Warn user: "Working directory has uncommitted changes - continuing with scan"
+- Continue with scans (quality scanning is read-only)
+
+
+
+---
+
+### Phase 2: Update Dependencies
+
+
+Update dependencies across Socket Security repositories to ensure latest versions:
+
+
+**Target Repositories:**
+1. **socket-cli** (current repository)
+2. **socket-btm** (`../socket-btm/`)
+3. **socket-sbom-generator** (`../socket-sbom-generator/`)
+4. **ultrathink** (`../ultrathink/`)
+
+**Update Process:**
+
+For each repository, run dependency updates:
+
+```bash
+# socket-cli (current repo)
+pnpm run update
+
+# socket-btm
+cd ../socket-btm && pnpm run update && cd -
+
+# socket-sbom-generator
+cd ../socket-sbom-generator && pnpm run update && cd -
+
+# ultrathink
+cd ../ultrathink && pnpm run update && cd -
+```
+
+
+**For each repository:**
+1. Check if directory exists (skip if not found)
+2. Run `pnpm run update` command
+3. Report success or failure
+4. Track updated packages count
+5. Continue even if some repos fail
+
+**Expected Results:**
+- Dependencies updated in available repositories
+- Report number of packages updated per repository
+- Note any repositories that were skipped (not found)
+- Continue with scan even if updates fail
+
+**Track for reporting:**
+- Repositories updated: N/4
+- Total packages updated: N
+- Failed updates: N (continue with warnings)
+- Skipped repositories: [list]
+
+
+
+---
+
+### Phase 3: Repository Cleanup
+
+
+Clean up junk files and organize the repository before scanning:
+
+
+**Cleanup Tasks:**
+
+1. **Remove SCREAMING_TEXT.md files** (all-caps .md files) that are NOT:
+ - Inside `.claude/` directory
+ - Inside `docs/` directory
+ - Named `README.md`, `LICENSE`, or `SECURITY.md`
+
+2. **Remove temporary test files** in wrong locations:
+ - `.test.mjs` or `.test.mts` files outside `test/` or `__tests__/` directories
+ - Temp files: `*.tmp`, `*.temp`, `.DS_Store`, `Thumbs.db`
+ - Editor backups: `*~`, `*.swp`, `*.swo`, `*.bak`
+ - Test artifacts: `*.log` files in root or package directories (not logs/)
+
+```bash
+# Find SCREAMING_TEXT.md files (all caps with .md extension)
+find . -type f -name '*.md' \
+ ! -path './.claude/*' \
+ ! -path './docs/*' \
+ ! -name 'README.md' \
+ ! -name 'LICENSE' \
+ ! -name 'SECURITY.md' \
+ | grep -E '/[A-Z_]+\.md$'
+
+# Find test files in wrong locations
+find . -type f \( -name '*.test.mjs' -o -name '*.test.mts' \) \
+ ! -path '*/test/*' \
+ ! -path '*/__tests__/*' \
+ ! -path '*/node_modules/*'
+
+# Find temp files
+find . -type f \( \
+ -name '*.tmp' -o \
+ -name '*.temp' -o \
+ -name '.DS_Store' -o \
+ -name 'Thumbs.db' -o \
+ -name '*~' -o \
+ -name '*.swp' -o \
+ -name '*.swo' -o \
+ -name '*.bak' \
+\) ! -path '*/node_modules/*'
+
+# Find log files in wrong places (not in logs/ or build/ directories)
+find . -type f -name '*.log' \
+ ! -path '*/logs/*' \
+ ! -path '*/build/*' \
+ ! -path '*/node_modules/*' \
+ ! -path '*/.git/*'
+```
+
+
+**For each file found:**
+1. Show the file path to user
+2. Explain why it's considered junk
+3. Ask user for confirmation before deleting (use AskUserQuestion)
+4. Delete confirmed files: `git rm` if tracked, `rm` if untracked
+5. Report files removed
+
+**If no junk files found:**
+- Report: "✓ Repository is clean - no junk files found"
+
+**Important:**
+- Always get user confirmation before deleting
+- Show file contents if user is unsure
+- Track deleted files for reporting
+
+
+
+---
+
+### Phase 4: Determine Scan Scope
+
+
+Ask user which scans to run:
+
+
+**Default Scan Types** (run all unless user specifies):
+1. **critical** - Critical bugs (crashes, security, resource leaks)
+2. **logic** - Logic errors (algorithms, edge cases, type guards)
+3. **cache** - Caching issues (staleness, races, invalidation)
+4. **workflow** - Workflow problems (scripts, CI, git hooks)
+5. **security** - GitHub Actions security (template injection, cache poisoning, etc.)
+6. **documentation** - Documentation accuracy (README errors, outdated docs)
+
+**User Interaction:**
+Use AskUserQuestion tool:
+- Question: "Which quality scans would you like to run?"
+- Header: "Scan Types"
+- multiSelect: true
+- Options:
+ - "All scans (recommended)" → Run all 4 scan types
+ - "Critical only" → Run critical scan only
+ - "Critical + Logic" → Run critical and logic scans
+ - "Custom selection" → Ask user to specify which scans
+
+**Default:** If user doesn't specify, run all scans.
+
+
+Validate selected scan types exist in reference.md:
+- critical-scan → reference.md line ~5
+- logic-scan → reference.md line ~100
+- cache-scan → reference.md line ~200
+- workflow-scan → reference.md line ~300
+- security-scan → reference.md line ~400
+- documentation-scan → reference.md line ~810
+
+If user requests non-existent scan type, report error and suggest valid types.
+
+
+---
+
+### Phase 5: Execute Scans
+
+
+For each enabled scan type, spawn a specialized agent using Task tool:
+
+
+```typescript
+// Example: Critical scan
+Task({
+ subagent_type: "general-purpose",
+ description: "Critical bugs scan",
+ prompt: `${CRITICAL_SCAN_PROMPT_FROM_REFERENCE_MD}
+
+Focus on packages/node-smol-builder/ directory and root-level scripts/.
+
+Report findings in this format:
+- File: path/to/file.mts:lineNumber
+- Issue: Brief description
+- Severity: Critical/High/Medium/Low
+- Pattern: Code snippet
+- Trigger: What input triggers this
+- Fix: Suggested fix
+- Impact: What happens if triggered
+
+Scan systematically and report all findings. If no issues found, state that explicitly.`
+})
+```
+
+**For each scan:**
+1. Load agent prompt template from `reference.md`
+2. Customize for socket-btm context (focus on packages/node-smol-builder/, scripts/, patches/)
+3. Spawn agent with Task tool using "general-purpose" subagent_type
+4. Capture findings from agent response
+5. Parse and categorize results
+
+**Execution Order:** Run scans sequentially in priority order:
+- critical (highest priority)
+- logic
+- cache
+- workflow (lowest priority)
+
+**Agent Prompt Sources:**
+- Critical scan: reference.md starting at line ~12
+- Logic scan: reference.md starting at line ~100
+- Cache scan: reference.md starting at line ~200
+- Workflow scan: reference.md starting at line ~300
+- Security scan: reference.md starting at line ~400
+- Documentation scan: reference.md starting at line ~810
+
+
+**Structured Output Validation:**
+
+After each agent returns, validate output structure before parsing:
+
+```bash
+# 1. Verify agent completed successfully
+if [ -z "$AGENT_OUTPUT" ]; then
+ echo "ERROR: Agent returned no output"
+ exit 1
+fi
+
+# 2. Check for findings or clean report
+if ! echo "$AGENT_OUTPUT" | grep -qE '(File:.*Issue:|No .* issues found|✓ Clean)'; then
+ echo "WARNING: Agent output missing expected format"
+ echo "Agent may have encountered an error or found no issues"
+fi
+
+# 3. Verify severity levels if findings exist
+if echo "$AGENT_OUTPUT" | grep -q "File:"; then
+ if ! echo "$AGENT_OUTPUT" | grep -qE 'Severity: (Critical|High|Medium|Low)'; then
+ echo "WARNING: Findings missing severity classification"
+ fi
+fi
+
+# 4. Verify fix suggestions if findings exist
+if echo "$AGENT_OUTPUT" | grep -q "File:"; then
+ if ! echo "$AGENT_OUTPUT" | grep -q "Fix:"; then
+ echo "WARNING: Findings missing suggested fixes"
+ fi
+fi
+```
+
+**Manual Verification Checklist:**
+- [ ] Agent output includes findings OR explicit "No issues found" statement
+- [ ] All findings include file:line references
+- [ ] All findings include severity level (Critical/High/Medium/Low)
+- [ ] All findings include suggested fixes
+- [ ] Agent output is parseable and structured
+
+**For each scan completion:**
+- Verify agent completed without errors
+- Extract findings from agent output (or confirm "No issues found")
+- Parse into structured format (file, issue, severity, fix)
+- Track scan coverage (files analyzed)
+- Log any validation warnings for debugging
+
+
+---
+
+### Phase 6: Aggregate Findings
+
+
+Collect all findings from agents and aggregate:
+
+
+```typescript
+interface Finding {
+ file: string // "packages/node-smol-builder/src/patcher.mts:89"
+ issue: string // "Potential null pointer access"
+ severity: "Critical" | "High" | "Medium" | "Low"
+ scanType: string // "critical"
+ pattern: string // Code snippet showing the issue
+ trigger: string // What causes this issue
+ fix: string // Suggested code change
+ impact: string // What happens if triggered
+}
+```
+
+**Deduplication:**
+- Remove duplicate findings across scans (same file:line, same issue)
+- Keep the finding from the highest priority scan
+- Track which scans found the same issue
+
+**Prioritization:**
+- Sort by severity: Critical → High → Medium → Low
+- Within same severity, sort by scanType priority
+- Within same severity+scanType, sort alphabetically by file path
+
+
+**Checkpoint:** Verify aggregation:
+- Total findings count
+- Breakdown by severity (N critical, N high, N medium, N low)
+- Breakdown by scan type
+- Duplicate removal count (if any)
+
+
+---
+
+### Phase 7: Generate Report
+
+
+Create structured quality report with all findings:
+
+
+```markdown
+# Quality Scan Report
+
+**Date:** YYYY-MM-DD
+**Repository:** socket-btm
+**Scans:** [list of scan types run]
+**Files Scanned:** N
+**Findings:** N critical, N high, N medium, N low
+
+## Critical Issues (Priority 1) - N found
+
+### packages/node-smol-builder/src/patcher.mts:89
+- **Issue**: Potential null pointer access when applying patches
+- **Pattern**: `const result = patches[index].apply()`
+- **Trigger**: When patch array has fewer elements than expected
+- **Fix**: `const patch = patches[index]; if (!patch) throw new Error('Patch not found'); const result = patch.apply()`
+- **Impact**: Crashes patch application process, build fails
+- **Scan**: critical
+
+## High Issues (Priority 2) - N found
+
+[Similar format for high severity issues]
+
+## Medium Issues (Priority 3) - N found
+
+[Similar format for medium severity issues]
+
+## Low Issues (Priority 4) - N found
+
+[Similar format for low severity issues]
+
+## Scan Coverage
+
+- **Critical scan**: N files analyzed in packages/node-smol-builder/, scripts/
+- **Logic scan**: N files analyzed (patch logic, build scripts)
+- **Cache scan**: N files analyzed (if applicable)
+- **Workflow scan**: N files analyzed (package.json, scripts/, .github/)
+
+## Recommendations
+
+1. Address N critical issues immediately before next release
+2. Review N high-severity logic errors in patch application
+3. Schedule N medium issues for next sprint
+4. Low-priority items can be addressed during refactoring
+
+## No Findings
+
+[If a scan found no issues, list it here:]
+- Critical scan: ✓ Clean
+- Logic scan: ✓ Clean
+```
+
+**Output Report:**
+1. Display report to console (user sees it)
+2. Offer to save to file (optional): `reports/quality-scan-YYYY-MM-DD.md`
+
+
+**Report Quality Checks:**
+- All findings include file:line references
+- All findings include suggested fixes
+- Findings are grouped by severity
+- Scan coverage statistics included
+- Recommendations are actionable
+
+
+---
+
+### Phase 8: Complete
+
+
+```xml
+QUALITY_SCAN_COMPLETE
+```
+
+
+
+Report these final metrics to the user:
+
+**Quality Scan Complete**
+========================
+✓ Repository cleanup: N junk files removed
+✓ Scans completed: [list of scan types]
+✓ Total findings: N (N critical, N high, N medium, N low)
+✓ Files scanned: N
+✓ Report generated: Yes
+✓ Scan duration: [calculated from start to end]
+
+**Repository Cleanup Summary:**
+- SCREAMING_TEXT.md files removed: N
+- Temporary test files removed: N
+- Temp/backup files removed: N
+- Log files cleaned up: N
+
+**Critical Issues Requiring Immediate Attention:**
+- N critical issues found
+- Review report above for details and fixes
+
+**Next Steps:**
+1. Address critical issues immediately
+2. Review high-severity findings
+3. Schedule medium/low issues appropriately
+4. Re-run scans after fixes to verify
+
+All findings include file:line references and suggested fixes.
+
+
+
+
+## Success Criteria
+
+- ✅ `QUALITY_SCAN_COMPLETE` output
+- ✅ All enabled scans completed without errors
+- ✅ Findings prioritized by severity (Critical → Low)
+- ✅ All findings include file:line references
+- ✅ Actionable suggestions provided for all findings
+- ✅ Report generated with statistics and coverage metrics
+- ✅ Duplicate findings removed
+
+## Scan Types
+
+See `reference.md` for detailed agent prompts with structured tags:
+
+- **critical-scan** - Null access, promise rejections, race conditions, resource leaks
+- **logic-scan** - Off-by-one errors, type guards, edge cases, algorithm correctness
+- **cache-scan** - Invalidation, key generation, memory management, concurrency
+- **workflow-scan** - Scripts, package.json, git hooks, CI configuration
+- **security-scan** - GitHub Actions workflow security (runs zizmor scanner)
+- **documentation-scan** - README accuracy, outdated examples, incorrect package names, missing documentation
+
+All agent prompts follow Claude best practices with , , , , and tags.
+
+## Commands
+
+This skill is self-contained. No external commands needed.
+
+## Context
+
+This skill provides systematic code quality analysis for socket-btm by:
+- Spawning specialized agents for targeted analysis
+- Using Task tool to run agents autonomously
+- Embedding agent prompts in reference.md following best practices
+- Generating prioritized, actionable reports
+- Supporting partial scans (user can select specific scan types)
+
+For detailed agent prompts with best practices structure, see `reference.md`.
diff --git a/.claude/skills/quality-scan/reference.md b/.claude/skills/quality-scan/reference.md
new file mode 100644
index 000000000..d64410fcb
--- /dev/null
+++ b/.claude/skills/quality-scan/reference.md
@@ -0,0 +1,990 @@
+# quality-scan Reference Documentation
+
+## Agent Prompts
+
+### Critical Scan Agent
+
+**Mission**: Identify critical bugs that could cause crashes, data corruption, or security vulnerabilities.
+
+**Scan Targets**: All `.mts` files in `packages/cli/src/`
+
+**Prompt Template:**
+```
+Your task is to perform a critical bug scan on socket-cli, Socket Security's CLI tool written in TypeScript (.mts extension). Identify bugs that could cause crashes, data corruption, or security vulnerabilities.
+
+
+This is Socket Security's CLI tool:
+- **@socketsecurity/cli**: Main CLI package in `packages/cli/`
+- TypeScript codebase with .mts extensions
+- Commands for security scanning, package analysis, npm wrapping
+- Integrates with Socket API for vulnerability data
+- Wraps npm/npx/pnpm/yarn with security checks
+- VFS extraction for external tools (cdxgen, coana, synp, socket-patch)
+- Handles GitHub integration, pull requests, CI workflows
+- React/Ink for terminal UI components
+- Recently updated VFS extraction to use process.smol.mount()
+
+Key characteristics:
+- Uses meow for CLI parsing
+- Extensive test coverage with Vitest
+- Socket API integration for security data
+- GitHub API integration for PR/issue management
+- File system operations for npm package analysis
+- Telemetry with Sentry (optional build variant)
+
+
+
+Scan code files in packages/cli/src/ for these critical bug patterns:
+
+
+- Property access without optional chaining when value might be null/undefined
+- Array access without length validation (arr[0], arr[arr.length-1])
+- JSON.parse() without try-catch
+- Object destructuring without null checks
+- Socket API responses assumed to have data without null checks
+
+
+
+- Async function calls without await or .catch()
+- Promise.then() chains without .catch() handlers
+- Fire-and-forget promises that could reject
+- Missing error handling in async/await blocks
+- GitHub API calls without error handling
+- Socket API calls without error handling
+
+
+
+- Concurrent file system operations without coordination
+- Check-then-act patterns without atomic operations
+- Shared state modifications in Promise.all()
+- VFS extraction race conditions
+- Cache access without synchronization
+
+
+
+- Equality comparisons using == instead of ===
+- Implicit type conversions that could fail silently
+- Truthy/falsy checks where explicit null/undefined checks needed
+- typeof checks that miss edge cases (typeof null === 'object')
+
+
+
+- File handles opened but not closed
+- Timers created but not cleared (setTimeout/setInterval)
+- Event listeners added but not removed
+- React/Ink component unmount issues
+- Process spawning without cleanup
+
+
+
+- String slicing without bounds validation
+- Array indexing beyond length
+- Buffer operations without size checks
+
+
+
+For each potential issue found, use explicit chain-of-thought reasoning with `` tags:
+
+
+1. Can this actually crash/fail in production?
+ - Code path analysis: [describe the execution flow]
+ - Production scenarios: [real-world conditions]
+ - Result: [yes/no with justification]
+
+2. What input would trigger this issue?
+ - Trigger conditions: [specific inputs/states]
+ - Edge cases: [boundary conditions]
+ - Likelihood: [HIGH/MEDIUM/LOW]
+
+3. Are there existing safeguards I'm missing?
+ - Defensive code: [try-catch, validation, guards]
+ - Framework protections: [built-in safety]
+ - Result: [SAFEGUARDED/VULNERABLE]
+
+Overall assessment: [REPORT/SKIP]
+Decision: [If REPORT, include in findings. If SKIP, explain why it's a false positive]
+
+
+Only report issues that pass all three checks. Use `` tags to show your reasoning explicitly.
+
+
+
+
+For each finding, report:
+
+File: packages/cli/src/path/to/file.mts:lineNumber
+Issue: [One-line description of the bug]
+Severity: Critical
+Pattern: [The problematic code snippet]
+Trigger: [What input/condition causes the bug]
+Fix: [Specific code change to fix it]
+Impact: [What happens if this bug is triggered]
+
+Example:
+File: packages/cli/src/commands/scan/fetch-scan.mts:145
+Issue: Unhandled promise rejection in Socket API call
+Severity: Critical
+Pattern: `fetchScanData(scanId)`
+Trigger: When Socket API returns 500 error or network timeout
+Fix: `await fetchScanData(scanId).catch(err => { logger.error(err); throw new InputError(\`Failed to fetch scan: \${err.message}\`) })`
+Impact: Uncaught exception crashes CLI process, leaving user without error message
+
+Example:
+File: packages/cli/src/utils/dlx/vfs-extract.mts:234
+Issue: Potential null pointer access when extracting VFS tools
+Severity: Critical
+Pattern: `const packageDir = process.smol.mount(vfsPath); const toolPath = path.join(packageDir, 'bin/tool')`
+Trigger: When process.smol.mount() returns undefined (not in SEA mode)
+Fix: `if (!processWithSmol.smol?.mount) throw new Error('VFS mount not available'); const packageDir = processWithSmol.smol.mount(vfsPath); if (!packageDir) throw new Error('Failed to mount VFS path');`
+Impact: TypeError crashes CLI when running outside SEA binary
+
+
+
+- Only report actual bugs, not style issues or minor improvements
+- Verify bugs are not already handled by surrounding code
+- Prioritize bugs affecting CLI reliability and user data integrity
+- Focus on promise handling, type guards, external API validation
+- Skip false positives (TypeScript type guards are sufficient in many cases)
+- Pay special attention to Socket API and GitHub API error handling
+- VFS extraction code is recently updated - check process.smol.mount() usage
+
+
+Scan systematically through packages/cli/src/ and report all critical bugs found. If no critical bugs are found, state that explicitly with "✓ No critical issues found".
+```
+
+---
+
+### Logic Scan Agent
+
+**Mission**: Detect logical errors in CLI commands, parsers, and data processing that could produce incorrect output or unexpected behavior.
+
+**Scan Targets**: packages/cli/src/
+
+**Prompt Template:**
+```
+Your task is to detect logic errors in socket-cli's command handling, data parsing, and API integration that could produce incorrect output or unexpected behavior.
+
+
+socket-cli is Socket Security's CLI tool:
+- **Commands**: scan, npm, npx, pnpm, yarn, optimize, fix, wrapper, package, organization, repository
+- **Parsers**: Package manifests (package.json, package-lock.json, pnpm-lock.yaml, yarn.lock)
+- **API Integration**: Socket API for security data, GitHub API for PR/issue management
+- **Data Processing**: SBOM generation, dependency analysis, vulnerability scoring
+- **Output Formats**: Terminal (React/Ink), JSON, Markdown
+
+Critical operations:
+- Package manifest parsing and validation
+- Dependency resolution and analysis
+- Security score calculation
+- GitHub PR creation and management
+- Socket registry override application
+- VFS tool extraction and execution
+
+
+
+Analyze packages/cli/src/ for these logic error patterns:
+
+
+Off-by-one errors in loops and slicing:
+- Loop bounds: `i <= arr.length` should be `i < arr.length`
+- Slice operations: `arr.slice(0, len-1)` when full array needed
+- String indexing missing first/last character
+- lastIndexOf() checks that miss position 0
+
+
+
+Insufficient type validation:
+- `if (obj)` allows 0, "", false - use `obj != null` or explicit checks
+- `if (arr.length)` crashes if arr is undefined - check existence first
+- `typeof x === 'object'` true for null and arrays - use Array.isArray() or null check
+- Missing validation before destructuring or property access
+- Socket API responses assumed to match TypeScript types without runtime validation
+
+
+
+Unhandled edge cases in string/array operations:
+- `str.split('.')[0]` when delimiter might not exist
+- `parseInt(str)` without NaN validation
+- `lastIndexOf('@')` returns -1 if not found, === 0 is valid (e.g., '@package')
+- Empty strings, empty arrays, single-element arrays
+- Malformed input handling (missing try-catch, no fallback)
+
+
+
+Algorithm implementation issues:
+- Dependency resolution: Missing transitive dependencies
+- Version comparison: Failing on semver edge cases (prerelease, build metadata)
+- Path resolution: Symlink handling, relative vs absolute path logic
+- Deduplication: Missing deduplication of duplicate packages/dependencies
+- Score calculation: Incorrect weighting or aggregation
+
+
+
+Socket API and GitHub API integration errors:
+- Pagination: Not handling paginated responses correctly
+- Rate limiting: Not respecting rate limit headers
+- Error codes: Not handling all error response codes
+- Data transformation: Incorrect mapping between API response and CLI data model
+- Authentication: Token validation missing or incorrect
+
+
+
+CLI argument parsing errors:
+- Flag validation: Accepting invalid flag combinations
+- Required flags: Not enforcing required flags
+- Flag types: Not validating flag value types (number, boolean, string)
+- Default values: Incorrect or missing defaults
+- Help text: Mismatched help text and actual behavior
+
+
+
+For each potential issue found, use explicit chain-of-thought reasoning with `` tags:
+
+
+1. Can this actually produce wrong output in production?
+ - Code path analysis: [describe the execution flow]
+ - Production scenarios: [real-world conditions]
+ - Result: [yes/no with justification]
+
+2. What input would trigger this issue?
+ - Trigger conditions: [specific inputs/states]
+ - Edge cases: [boundary conditions]
+ - Likelihood: [HIGH/MEDIUM/LOW]
+
+3. Are there existing safeguards I'm missing?
+ - Defensive code: [try-catch, validation, guards]
+ - Framework protections: [built-in safety]
+ - Result: [SAFEGUARDED/VULNERABLE]
+
+Overall assessment: [REPORT/SKIP]
+Decision: [If REPORT, include in findings. If SKIP, explain why it's a false positive]
+
+
+Only report issues that pass all three checks. Use `` tags to show your reasoning explicitly.
+
+
+
+
+For each finding, report:
+
+File: packages/cli/src/path/to/file.mts:lineNumber
+Issue: [One-line description]
+Severity: High | Medium
+Edge Case: [Specific input that triggers the error]
+Pattern: [The problematic code snippet]
+Fix: [Corrected code]
+Impact: [What incorrect output is produced]
+
+Example:
+File: packages/cli/src/commands/package/handle-purl-score.mts:89
+Issue: Off-by-one in vulnerability count aggregation
+Severity: High
+Edge Case: When package has exactly 1 vulnerability
+Pattern: `for (let i = 0; i < vulns.length - 1; i++)`
+Fix: `for (let i = 0; i < vulns.length; i++)`
+Impact: Last vulnerability is silently omitted from score calculation, producing incorrect security score
+
+Example:
+File: packages/cli/src/utils/socket/api.mts:234
+Issue: Incorrect pagination handling for Socket API
+Severity: High
+Edge Case: When response has more than 100 results requiring pagination
+Pattern: `const results = await fetchData(url); return results;`
+Fix: `const allResults = []; let nextUrl = url; while (nextUrl) { const { data, nextPage } = await fetchData(nextUrl); allResults.push(...data); nextUrl = nextPage; } return allResults;`
+Impact: Only first page of results returned, missing packages/vulnerabilities in subsequent pages
+
+
+
+- Prioritize code handling external data (Socket API, GitHub API, package manifests)
+- Focus on errors affecting CLI correctness and data accuracy
+- Verify logic errors aren't false alarms due to type narrowing
+- Consider real-world edge cases: malformed manifests, API errors, rate limits
+- Pay special attention to recently modified VFS extraction code
+
+
+Analyze systematically across packages/cli/src/ and report all logic errors found. If no errors are found, state that explicitly with "✓ No logic errors found".
+```
+
+---
+
+### Cache Scan Agent
+
+**Mission**: Identify caching bugs that cause stale data, race conditions, or incorrect behavior.
+
+**Scan Targets**: Caching logic in packages/cli/src/
+
+**Prompt Template:**
+```
+Your task is to analyze socket-cli's caching implementation for correctness, staleness bugs, and race conditions.
+
+
+socket-cli uses multiple caching layers:
+- **GitHub cache**: Caches GitHub API responses (5-minute TTL) in ~/.socket/_github/
+- **Update cache**: Caches npm registry version checks (24-hour TTL) in ~/.socket/_update/
+- **Config cache**: In-memory cache for config file (validated by mtime)
+- **VFS extraction cache**: Caches extracted tools in ~/.socket/_dlx/
+
+Caching locations:
+- packages/cli/src/utils/git/github.mts (GitHub API cache)
+- packages/cli/src/utils/update/checker.mts (update check cache)
+- packages/cli/src/utils/config.mts (config file cache)
+- packages/cli/src/utils/dlx/vfs-extract.mts (VFS extraction cache)
+
+
+
+Analyze caching implementation for these issue categories:
+
+
+Stale cache from incorrect invalidation:
+- GitHub cache: Are API response etags/timestamps properly checked?
+- Update cache: Is 24-hour TTL properly enforced?
+- Config cache: Is file mtime properly validated?
+- VFS cache: Is node-smol hash included in cache key?
+- Restoration: Is cache validated before use (corrupted files)?
+- Race: Cache modified/deleted between validation and use?
+
+
+
+Cache key generation correctness:
+- GitHub cache: Are org slug and endpoint properly separated?
+- Update cache: Is platform/arch included in cache key?
+- VFS cache: Are tool name and platform properly isolated?
+- Hash collisions: Is hash function sufficient?
+- Environment: Are env vars affecting cache included in key?
+
+
+
+Cache file corruption:
+- Partial writes: JSON file creation interrupted, incomplete data
+- Disk full: File truncated due to disk space issues
+- Concurrent writes: Multiple processes writing same cache file
+- Invalid JSON: Corrupted cache file not handled gracefully
+
+
+
+Race conditions in cache operations:
+- Creation races: Multiple processes creating same cache file simultaneously
+- TOCTOU: Cache validated then corrupted before use
+- In-flight deduplication: Multiple concurrent requests for same data
+- Lock files: Missing lock files allowing concurrent cache access
+
+
+
+Scenarios producing stale/incorrect caches:
+- GitHub data modified but cache not invalidated
+- Update check showing old version (24-hour delay)
+- Config file changed but in-memory cache not refreshed
+- VFS tools updated but cache not invalidated
+- Platform mismatch: Using wrong platform cache
+
+
+
+For each potential issue found, use explicit chain-of-thought reasoning with `` tags:
+
+
+1. Can this actually cause stale data in production?
+ - Code path analysis: [describe the execution flow]
+ - Production scenarios: [real-world conditions]
+ - Result: [yes/no with justification]
+
+2. What input would trigger this issue?
+ - Trigger conditions: [specific inputs/states]
+ - Edge cases: [boundary conditions]
+ - Likelihood: [HIGH/MEDIUM/LOW]
+
+3. Are there existing safeguards I'm missing?
+ - Defensive code: [try-catch, validation, guards]
+ - Framework protections: [built-in safety]
+ - Result: [SAFEGUARDED/VULNERABLE]
+
+Overall assessment: [REPORT/SKIP]
+Decision: [If REPORT, include in findings. If SKIP, explain why it's a false positive]
+
+
+Only report issues that pass all three checks. Use `` tags to show your reasoning explicitly.
+
+
+
+
+For each finding, report:
+
+File: packages/cli/src/utils/cache/file-cache.mts:lineNumber
+Issue: [One-line description]
+Severity: High | Medium
+Scenario: [Step-by-step sequence showing how bug manifests]
+Pattern: [The problematic code snippet]
+Fix: [Specific code change]
+Impact: [Observable effect - wrong output, performance, crash]
+
+Example:
+File: packages/cli/src/utils/update/checker.mts:145
+Issue: Cache key missing platform, causing cross-platform cache pollution
+Severity: High
+Scenario: 1) Check for updates on macOS, caches "1.2.3". 2) Run on Linux, reads macOS cache. 3) Shows "1.2.3" even though Linux latest is "1.2.4"
+Pattern: `const cacheKey = \`socket-cli-\${currentVersion}\``
+Fix: `const cacheKey = \`socket-cli-\${currentVersion}-\${process.platform}-\${process.arch}\``
+Impact: Cross-platform users see incorrect "no updates available" message
+
+Example:
+File: packages/cli/src/utils/git/github.mts:89
+Issue: TOCTOU race between cache validation and read
+Severity: Medium
+Scenario: 1) Check cache exists and is fresh. 2) Cache deleted/corrupted. 3) Read cache, throws error
+Pattern: `if (existsSync(cachePath) && isFresh(cachePath)) { return readCache(cachePath); }`
+Fix: `try { const data = readCache(cachePath); if (isFresh(data.timestamp)) return data; } catch { /* cache miss */ }`
+Impact: Rare race condition causes CLI to crash instead of gracefully fetching fresh data
+
+
+
+- Focus on correctness issues that produce stale or wrong data
+- Consider concurrent CLI invocations (multiple terminals)
+- Evaluate cache invalidation scenarios (data changed, files updated)
+- Prioritize issues causing silent incorrectness over performance
+- Verify issues aren't prevented by existing cache key generation
+- Known safe patterns: Config write batching with nextTick, GitHub cache TOCTOU double-check
+
+
+Analyze the caching implementation thoroughly and report all issues found. If the implementation is sound, state that explicitly with "✓ No cache issues found".
+```
+
+---
+
+### Workflow Scan Agent
+
+**Mission**: Detect problems in build scripts, CI configuration, git hooks, and developer workflows.
+
+**Scan Targets**: `scripts/`, `package.json`, `.husky/`, `.github/workflows/`
+
+**Prompt Template:**
+```
+Your task is to identify issues in socket-cli's development workflows, build scripts, and CI configuration that could cause build failures, test flakiness, or poor developer experience.
+
+
+socket-cli is a pnpm monorepo with:
+- **Build scripts**: scripts/*.mjs (ESM, cross-platform Node.js)
+- **Package manager**: pnpm workspaces with scripts in package.json
+- **Git hooks**: .husky/* for pre-commit, commit-msg, pre-push validation
+- **CI**: GitHub Actions (.github/workflows/)
+- **Platforms**: Must work on Windows, macOS, Linux (ARM64, x64)
+- **CLAUDE.md**: Defines conventions (no process.exit() in most code, no backward compat, etc.)
+
+Packages:
+- @socketsecurity/cli: Main CLI package in packages/cli/
+- build-infra: Build utilities for SEA binary generation
+- package-builder: Template-based package generation
+
+
+
+Analyze workflow files for these issue categories:
+
+
+Cross-platform compatibility in scripts/*.mjs:
+- Path separators: Hardcoded / or \ instead of path.join() or path.resolve()
+- Shell commands: Platform-specific (e.g., rm vs del, cp vs copy)
+- Line endings: \n vs \r\n handling in text processing
+- File paths: Case sensitivity differences (Windows vs Linux)
+- Environment variables: Different syntax (%VAR% vs $VAR)
+
+
+
+Error handling in scripts:
+- process.exit() usage: CLAUDE.md forbids this in most code - should throw errors instead
+- Missing try-catch: Async operations without error handling
+- Exit codes: Non-zero exit on failure for CI detection
+- Error messages: Are they helpful for debugging?
+- Dependency checks: Do scripts check for required tools before use?
+
+**Note on file existence checks**: existsSync() is ACCEPTABLE and PREFERRED over async fs.access() for synchronous file checks.
+
+**Exception**: Interactive test runner scripts/test.mjs intentionally uses process.exit() (documented exception).
+
+
+
+package.json script correctness:
+- Script chaining: Use && (fail fast) not ; (continue on error) when errors matter
+- Platform-specific: Commands that don't work cross-platform
+- Convention compliance: Match patterns in CLAUDE.md
+- Missing scripts: Standard scripts like build, test, lint documented?
+- Test file paths: Using -- before paths runs ALL tests (incorrect)
+
+
+
+Git hooks configuration in .husky/:
+- Pre-commit: Does it run linting/formatting? Is it fast (<10s)?
+- Commit-msg: Does it strip AI attribution?
+- Pre-push: Does it validate commits and secrets?
+- False positives: Do hooks block legitimate commits?
+- Error messages: Are hook failures clearly explained?
+- Syntax: Are hooks compatible with all shells (bash, zsh, etc.)?
+
+
+
+CI pipeline issues in .github/workflows/:
+- Build order: Are steps in correct sequence (install → build → test)?
+- Cross-platform: Are Windows/macOS/Linux builds all tested?
+- SEA binary: Are standalone executable builds tested?
+- Build artifacts: Are binaries uploaded for each platform?
+- Failure notifications: Are build failures clearly visible?
+- Security: Template injection vulnerabilities in workflows?
+
+
+
+Documentation and setup:
+- Common errors: Are frequent issues documented with solutions?
+- Environment variables: Are required env vars documented?
+- Setup instructions: Are they accurate and complete?
+
+
+
+For each potential issue found, use explicit chain-of-thought reasoning with `` tags:
+
+
+1. Can this actually cause build/test failures in production?
+ - Code path analysis: [describe the execution flow]
+ - Production scenarios: [real-world conditions]
+ - Result: [yes/no with justification]
+
+2. What input would trigger this issue?
+ - Trigger conditions: [specific inputs/states]
+ - Edge cases: [boundary conditions]
+ - Likelihood: [HIGH/MEDIUM/LOW]
+
+3. Are there existing safeguards I'm missing?
+ - Defensive code: [try-catch, validation, guards]
+ - Framework protections: [built-in safety]
+ - Result: [SAFEGUARDED/VULNERABLE]
+
+Overall assessment: [REPORT/SKIP]
+Decision: [If REPORT, include in findings. If SKIP, explain why it's a false positive]
+
+
+Only report issues that pass all three checks. Use `` tags to show your reasoning explicitly.
+
+
+
+
+For each finding, report:
+
+File: [scripts/foo.mjs:line OR package.json:scripts.build OR .husky/pre-push:line]
+Issue: [One-line description]
+Severity: Medium | Low
+Impact: [How this affects developers or CI]
+Pattern: [The problematic code or configuration]
+Fix: [Specific change to resolve]
+
+Example:
+File: scripts/build.mjs:23
+Issue: Uses process.exit() violating CLAUDE.md convention
+Severity: Medium
+Impact: Cannot be tested properly, unconventional error handling
+Pattern: `process.exit(1)`
+Fix: `throw new Error('Build failed: ...')`
+
+Example:
+File: package.json:scripts.test
+Issue: Script uses -- before file path, running ALL tests instead of specific file
+Severity: Medium
+Impact: "pnpm test:unit -- file.test.mts" runs entire test suite, not just one file
+Pattern: `"test:unit": "vitest run -- "`
+Fix: `"test:unit": "vitest run"` (no trailing -- needed)
+
+Example:
+File: .husky/pre-push:70
+Issue: Process substitution syntax not compatible with all shells
+Severity: Medium
+Impact: Hook fails on some systems with "syntax error near unexpected token"
+Pattern: `done < <(git rev-list "$range")`
+Fix: `git rev-list "$range" | while read; do ... done`
+
+
+
+- Focus on issues that cause actual build/test failures
+- Consider cross-platform scenarios (Windows, macOS, Linux)
+- Verify conventions match CLAUDE.md requirements
+- Prioritize developer experience issues (confusing errors, missing docs)
+- Note documented exceptions (test runner using process.exit)
+
+
+Analyze workflow files systematically and report all issues found. If workflows are well-configured, state that explicitly with "✓ No workflow issues found".
+```
+
+---
+
+### Security Scan Agent
+
+**Mission**: Scan GitHub Actions workflows for security vulnerabilities using zizmor.
+
+**Scan Targets**: All `.yml` files in `.github/workflows/`
+
+**Prompt Template:**
+```
+Your task is to run the zizmor security scanner on GitHub Actions workflows to identify security vulnerabilities such as template injection, cache poisoning, and other workflow security issues.
+
+
+Zizmor is a GitHub Actions workflow security scanner that detects:
+- Template injection vulnerabilities (code injection via template expansion)
+- Cache poisoning attacks (artifacts vulnerable to cache poisoning)
+- Credential exposure in workflow logs
+- Dangerous workflow patterns and misconfigurations
+- OIDC token abuse risks
+- Artipacked vulnerabilities
+
+This repository uses GitHub Actions for CI/CD with workflows in `.github/workflows/`.
+
+**Installation:**
+Zizmor is not available via npm. Install zizmor v1.22.0 using one of these methods:
+
+**GitHub Releases (Recommended):**
+```bash
+# Download from https://github.com/zizmorcore/zizmor/releases/tag/v1.22.0
+# macOS ARM64:
+curl -L https://github.com/zizmorcore/zizmor/releases/download/v1.22.0/zizmor-aarch64-apple-darwin -o /usr/local/bin/zizmor
+chmod +x /usr/local/bin/zizmor
+
+# macOS x64:
+curl -L https://github.com/zizmorcore/zizmor/releases/download/v1.22.0/zizmor-x86_64-apple-darwin -o /usr/local/bin/zizmor
+chmod +x /usr/local/bin/zizmor
+
+# Linux x64:
+curl -L https://github.com/zizmorcore/zizmor/releases/download/v1.22.0/zizmor-x86_64-unknown-linux-musl -o /usr/local/bin/zizmor
+chmod +x /usr/local/bin/zizmor
+```
+
+**Alternative Methods:**
+- Homebrew: `brew install zizmor@1.22.0`
+- Cargo: `cargo install zizmor --version 1.22.0`
+- See https://docs.zizmor.sh/installation/ for all options
+
+
+
+1. Run zizmor on all GitHub Actions workflow files:
+ ```bash
+ zizmor .github/workflows/
+ ```
+
+2. Parse the zizmor output and identify all findings:
+ - Extract severity level (info, low, medium, high, error)
+ - Extract vulnerability type (template-injection, cache-poisoning, etc.)
+ - Extract file path and line numbers
+ - Extract audit confidence level
+ - Note if auto-fix is available
+
+3. For each finding, report:
+ - File and line number
+ - Vulnerability type and severity
+ - Description of the security issue
+ - Why it's a problem (security impact)
+ - Suggested fix (use zizmor's suggestions if available)
+ - Whether auto-fix is available (`zizmor --fix`)
+
+4. If zizmor reports no findings, state explicitly: "✓ No security issues found in GitHub Actions workflows"
+
+5. Note any suppressed findings (shown by zizmor but marked as suppressed)
+
+
+
+Look for findings like:
+- `info[template-injection]` or `error[template-injection]`
+- Code injection via template expansion in run blocks
+- Unsanitized use of `\${{ }}` syntax in dangerous contexts
+- User-controlled input used in shell commands
+
+
+
+Look for findings like:
+- `error[cache-poisoning]` or `warning[cache-poisoning]`
+- Caching enabled when publishing artifacts
+- Vulnerable to cache poisoning attacks in release workflows
+- actions/setup-node or actions/setup-python with cache enabled during artifact publishing
+
+
+
+Look for findings like:
+- Secrets logged to console
+- Credentials passed in insecure ways
+- Token leakage through workflow logs
+
+
+
+For each finding, output in this structured format:
+
+File: .github/workflows/workflow-name.yml:123
+Issue: [Vulnerability description]
+Severity: High | Medium | Low
+Pattern: [The problematic code]
+Trigger: [What attack vector this enables]
+Fix: [Specific remediation]
+Impact: [Security consequences]
+Auto-fix: [Yes/No]
+Confidence: [High/Medium/Low from zizmor]
+
+Group findings by severity (Error → High → Medium → Low → Info)
+
+
+
+- Only report actual zizmor findings (don't invent issues)
+- Include all details from zizmor output
+- Note the audit confidence level for each finding
+- Indicate if auto-fix is available
+- If no findings, explicitly state the workflows are secure
+- Report suppressed findings separately
+
+
+Run zizmor scanner and report all findings. If zizmor is not installed, report that and provide installation instructions.
+```
+
+---
+
+### Documentation Scan Agent
+
+**Mission**: Verify documentation accuracy by checking README files against actual codebase implementation.
+
+**Scan Targets**: All README.md files
+
+**Prompt Template:**
+```
+Your task is to verify documentation accuracy across all README files by comparing documented behavior, examples, commands, and API descriptions against the actual codebase implementation.
+
+
+Documentation accuracy is critical for:
+- Developer onboarding and productivity
+- Preventing confusion from outdated examples
+- Maintaining trust in the project documentation
+- Reducing support burden from incorrect instructions
+
+Common documentation issues:
+- Package names that don't match package.json
+- Command examples with incorrect flags or options
+- File paths that are incorrect or outdated
+- Build outputs documented in wrong locations
+- Configuration examples using deprecated formats
+- Missing documentation for new features
+- Examples that would fail if run as-is
+
+
+
+Systematically verify all README files against the actual code:
+
+1. **Find all documentation files**:
+ ```bash
+ find . -name "README.md" -path "*/packages/*" -o -name "*.md" -path "*/docs/*"
+ ```
+
+2. **For each README, verify**:
+ - Package names match package.json "name" field
+ - Command examples use correct flags (check --help output or source)
+ - File paths exist and match actual structure
+ - Build output paths match actual build script outputs
+ - Configuration examples match actual schema/validation
+ - Version numbers are current (not outdated)
+
+3. **Check against actual code**:
+ - Read package.json to verify names, scripts, dependencies
+ - Read source files to verify CLI commands exist
+ - Check build scripts to verify output paths
+ - Verify CLI --help matches documented flags
+ - Check tests to see what's actually supported
+
+4. **Pattern categories to check**:
+
+
+Look for:
+- README showing @socketsecurity/cli when npm package is "socket"
+- Import examples using wrong package names
+- Installation instructions with wrong package names
+
+
+
+Look for:
+ - Commands with flags that don't exist (check --help)
+- Missing required flags in examples
+- Deprecated flags still documented
+- Examples that would error if run as-is
+- Wrong command names
+- Non-existent commands (e.g., "socket console")
+
+
+
+Look for:
+- Documented paths that don't exist in codebase
+- Output paths that don't match build script outputs
+- Config file locations that are incorrect
+- Source file references that are outdated
+
+
+
+Look for:
+- Config examples using wrong keys or structure
+- Documented options that aren't validated in code
+- Missing required config fields
+- Wrong default values documented
+
+
+
+Look for:
+- Build output paths that don't match actual outputs
+- SEA binary names that are incorrect
+- Missing build artifacts
+
+
+
+Look for:
+- Public commands not documented in README
+- Important environment variables not documented
+- New features added but not documented
+
+
+
+For each potential issue found, use explicit chain-of-thought reasoning with `` tags:
+
+
+1. Is this actually incorrect documentation?
+ - Verification: [check against code/package.json/--help]
+ - Evidence: [what the actual code shows]
+ - Result: [INCORRECT/CORRECT]
+
+2. What confusion would this cause?
+ - User impact: [what happens if user follows docs]
+ - Severity: [HIGH/MEDIUM/LOW]
+
+3. Is there a reason for the discrepancy?
+ - Legacy reasons: [historical context]
+ - Multiple packages: [scoped vs unscoped names]
+ - Result: [REPORT/SKIP]
+
+Overall assessment: [REPORT/SKIP]
+Decision: [If REPORT, include in findings. If SKIP, explain why]
+
+
+Only report issues that are actual documentation errors.
+
+
+
+
+For each finding, report:
+
+File: path/to/README.md:lineNumber
+Issue: [One-line description of the documentation error]
+Severity: High/Medium/Low
+Pattern: [The incorrect documentation text]
+Actual: [What the correct information should be]
+Fix: [Exact documentation correction needed]
+Impact: [Why this matters - confusion, errors, etc.]
+
+Severity Guidelines:
+- High: Critical inaccuracies that would cause errors if followed (wrong commands, non-existent APIs)
+- Medium: Outdated information that misleads but doesn't immediately break (wrong paths, old examples)
+- Low: Minor inaccuracies or missing non-critical information
+
+Example:
+File: packages/cli/README.md:25
+Issue: Incorrect package name in installation command
+Severity: High
+Pattern: "npm install -g @socketsecurity/cli"
+Actual: Package name is "socket" (not "@socketsecurity/cli")
+Fix: Change to: "npm install -g socket"
+Impact: Installation command will fail with "package not found" error
+
+Example:
+File: README.md:89
+Issue: Documents non-existent "socket console" command
+Severity: High
+Pattern: "socket console - Interactive console for Socket API"
+Actual: No "console" command exists in packages/cli/src/commands/
+Fix: Remove "socket console" from command list
+Impact: Users will get "unknown command" error when trying to use it
+
+Example:
+File: docs/build-guide.md:45
+Issue: Incorrect SEA binary output path
+Severity: Medium
+Pattern: "Outputs to dist/socket-darwin-arm64"
+Actual: SEA binaries output to packages/cli/dist/sea/socket-darwin-arm64
+Fix: Change to: "packages/cli/dist/sea/socket-darwin-arm64"
+Impact: Developers won't find built binaries at documented location
+
+
+
+- Verify every claim against actual code - don't assume documentation is correct
+- Read package.json files to check names, scripts, versions
+- Check src/commands/ to verify CLI commands exist
+- Look at build script outputs to verify paths
+- Focus on high-impact errors first (wrong commands, non-existent APIs)
+- Provide exact fixes, not vague suggestions
+- Known facts:
+ - npm package name is "socket", NOT "@socketsecurity/cli"
+ - "socket console" command does NOT exist
+ - Interactive test runner using process.exit() is a documented exception
+
+
+Scan all README.md files in the repository and report all documentation inaccuracies found. If documentation is accurate, state that explicitly with "✓ No documentation issues found".
+```
+
+---
+
+## Known False Positives
+
+These patterns should NOT be flagged as issues - they have been verified as correct:
+
+### Array Access After Length Check
+
+**Pattern:** `if (arr.length === 1) { const item = arr[0]! }`
+
+**Why it's safe:** When `arr.length === 1`, `arr[0]` is guaranteed to exist. The non-null assertion is valid.
+
+### Split After StartsWith Check
+
+**Pattern:** `if (str.startsWith('-')) { indent = str.split('-')[0] }`
+
+**Why it's safe:** If `startsWith('-')` is true, `split('-')[0]` returns the prefix before the first '-' (possibly empty string, but never undefined).
+
+### Package Name "socket"
+
+**Fact:** The npm package name is `socket`, NOT `@socketsecurity/cli`. The scoped name is used internally but the published package is `socket`.
+
+**Correct installation:**
+```bash
+npm install -g socket
+pnpm install -g socket
+```
+
+### Non-Existent Commands
+
+**Fact:** There is NO `socket console` command. Do not flag it as missing documentation.
+
+### Interactive Test Runner Exception
+
+**Fact:** The `scripts/test.mjs` file uses `process.exit()` intentionally.
+
+This is an exception to the CLAUDE.md convention because:
+- Interactive test runner spawns child processes that keep the event loop alive
+- Explicit exit is required to prevent hanging after tests complete
+- The code includes comments documenting this exception
+
+### Config Write Mechanism
+
+**Fact:** The config write using `process.nextTick` in `config.mts` is NOT a race condition.
+
+Why it's safe:
+- `localConfig` (which IS `_cachedConfig`) is always updated synchronously
+- `process.nextTick` only batches the disk write operation
+- If multiple updates happen before nextTick fires, all values are already in `_cachedConfig`
+- The single pending write persists all accumulated changes correctly
+
+### VFS Extraction Using process.smol.mount()
+
+**Fact:** VFS extraction was recently updated to use `process.smol.mount()` for full directory extraction.
+
+The code correctly:
+- Checks if `process.smol.mount` is available
+- Mounts entire npm package directories with dependencies
+- Mounts standalone binaries from VFS root
+- No longer needs manual getAsset() + fs.writeFile() pattern
+
+### GitHub Cache Implementation
+
+**Fact:** GitHub cache using file mtime for TTL is acceptable for 5-minute TTL use case. TOCTOU race is mitigated with double-check pattern.
+
+### Update Cache Platform Independence
+
+**Fact:** npm registry returns the same latest version regardless of platform. Platform-specific binaries are handled via optionalDependencies, so update cache doesn't need platform in key.
diff --git a/.config/eslint.config.mjs b/.config/eslint.config.mjs
new file mode 100644
index 000000000..92fccede7
--- /dev/null
+++ b/.config/eslint.config.mjs
@@ -0,0 +1,402 @@
+import { createRequire } from 'node:module'
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+import {
+ convertIgnorePatternToMinimatch,
+ includeIgnoreFile,
+} from '@eslint/compat'
+import js from '@eslint/js'
+import tsParser from '@typescript-eslint/parser'
+import { createTypeScriptImportResolver } from 'eslint-import-resolver-typescript'
+import importXPlugin from 'eslint-plugin-import-x'
+import nodePlugin from 'eslint-plugin-n'
+import sortDestructureKeysPlugin from 'eslint-plugin-sort-destructure-keys'
+import unicornPlugin from 'eslint-plugin-unicorn'
+import globals from 'globals'
+import tsEslint from 'typescript-eslint'
+
+import { TSCONFIG_JSON } from '../scripts/constants/build.mjs'
+import { GITIGNORE } from '../scripts/constants/packages.mjs'
+import {
+ LATEST,
+ maintainedNodeVersions,
+} from '../scripts/constants/versions.mjs'
+
+const __filename = fileURLToPath(import.meta.url)
+const __dirname = path.dirname(__filename)
+const require = createRequire(import.meta.url)
+
+const { flatConfigs: origImportXFlatConfigs } = importXPlugin
+
+const rootPath = path.dirname(__dirname)
+const rootTsConfigPath = path.join(rootPath, TSCONFIG_JSON)
+
+const nodeGlobalsConfig = Object.fromEntries(
+ Object.entries(globals.node).map(([k]) => [k, 'readonly']),
+)
+
+const biomeConfigPath = path.join(rootPath, 'biome.json')
+const biomeConfig = require(biomeConfigPath)
+const biomeIgnores = {
+ name: 'Imported biome.json ignore patterns',
+ ignores: biomeConfig.files.includes
+ .filter(p => p.startsWith('!'))
+ .map(p => convertIgnorePatternToMinimatch(p.slice(1))),
+}
+
+const gitignorePath = path.join(rootPath, GITIGNORE)
+const gitIgnores = {
+ ...includeIgnoreFile(gitignorePath),
+ name: 'Imported .gitignore ignore patterns',
+}
+
+if (process.env.LINT_DIST) {
+ const isNotDistGlobPattern = p => !/(?:^|[\\/])dist/.test(p)
+ biomeIgnores.ignores = biomeIgnores.ignores?.filter(isNotDistGlobPattern)
+ gitIgnores.ignores = gitIgnores.ignores?.filter(isNotDistGlobPattern)
+}
+
+if (process.env.LINT_EXTERNAL) {
+ const isNotExternalGlobPattern = p => !/(?:^|[\\/])external/.test(p)
+ biomeIgnores.ignores = biomeIgnores.ignores?.filter(isNotExternalGlobPattern)
+ gitIgnores.ignores = gitIgnores.ignores?.filter(isNotExternalGlobPattern)
+}
+
+const sharedPlugins = {
+ 'sort-destructure-keys': sortDestructureKeysPlugin,
+ unicorn: unicornPlugin,
+}
+
+const sharedRules = {
+ 'unicorn/consistent-function-scoping': 'error',
+ curly: 'error',
+ 'no-await-in-loop': 'error',
+ 'no-control-regex': 'off',
+ 'no-empty': ['error', { allowEmptyCatch: true }],
+ 'no-new': 'error',
+ 'no-proto': 'error',
+ 'no-undef': 'error',
+ 'no-unexpected-multiline': 'off',
+ 'no-unused-vars': [
+ 'error',
+ {
+ argsIgnorePattern: '^_|^this$',
+ ignoreRestSiblings: true,
+ varsIgnorePattern: '^_',
+ },
+ ],
+ 'no-var': 'error',
+ 'no-warning-comments': ['warn', { terms: ['fixme'] }],
+ 'prefer-const': 'error',
+ 'sort-destructure-keys/sort-destructure-keys': 'error',
+ 'sort-imports': 'off',
+}
+
+const sharedRulesForImportX = {
+ ...origImportXFlatConfigs.recommended.rules,
+ 'import-x/extensions': [
+ 'error',
+ 'never',
+ {
+ cjs: 'ignorePackages',
+ js: 'ignorePackages',
+ json: 'always',
+ mjs: 'ignorePackages',
+ mts: 'ignorePackages',
+ ts: 'ignorePackages',
+ },
+ ],
+ 'import-x/order': [
+ 'warn',
+ {
+ groups: [
+ 'builtin',
+ 'external',
+ 'internal',
+ ['parent', 'sibling', 'index'],
+ 'type',
+ ],
+ pathGroups: [
+ {
+ pattern: '@socket{registry,security}/**',
+ group: 'internal',
+ },
+ ],
+ pathGroupsExcludedImportTypes: ['type'],
+ 'newlines-between': 'always',
+ alphabetize: {
+ order: 'asc',
+ },
+ },
+ ],
+}
+
+const sharedRulesForNode = {
+ 'n/exports-style': ['error', 'module.exports'],
+ 'n/no-missing-require': ['off'],
+ // The n/no-unpublished-bin rule does does not support non-trivial glob
+ // patterns used in package.json "files" fields. In those cases we simplify
+ // the glob patterns used.
+ 'n/no-unpublished-bin': 'error',
+ 'n/no-unsupported-features/es-builtins': 'error',
+ 'n/no-unsupported-features/es-syntax': 'error',
+ 'n/no-unsupported-features/node-builtins': [
+ 'error',
+ {
+ ignores: [
+ 'fetch',
+ 'fs.promises.cp',
+ 'module.enableCompileCache',
+ 'readline/promises',
+ 'test',
+ 'test.describe',
+ ],
+ version: String(
+ maintainedNodeVersions[maintainedNodeVersions.length - 1],
+ ),
+ },
+ ],
+ 'n/prefer-node-protocol': 'error',
+}
+
+function getImportXFlatConfigs(isEsm) {
+ return {
+ recommended: {
+ ...origImportXFlatConfigs.recommended,
+ languageOptions: {
+ ...origImportXFlatConfigs.recommended.languageOptions,
+ ecmaVersion: LATEST,
+ sourceType: isEsm ? 'module' : 'script',
+ },
+ rules: {
+ ...sharedRulesForImportX,
+ 'import-x/no-named-as-default-member': 'off',
+ },
+ },
+ typescript: {
+ ...origImportXFlatConfigs.typescript,
+ plugins: origImportXFlatConfigs.recommended.plugins,
+ settings: {
+ ...origImportXFlatConfigs.typescript.settings,
+ 'import-x/resolver-next': [
+ createTypeScriptImportResolver({
+ project: rootTsConfigPath,
+ }),
+ ],
+ },
+ rules: {
+ ...sharedRulesForImportX,
+ // TypeScript compilation already ensures that named imports exist in
+ // the referenced module.
+ 'import-x/named': 'off',
+ 'import-x/no-named-as-default-member': 'off',
+ 'import-x/no-unresolved': 'off',
+ },
+ },
+ }
+}
+
+const importFlatConfigsForScript = getImportXFlatConfigs(false)
+const importFlatConfigsForModule = getImportXFlatConfigs(true)
+
+export default [
+ gitIgnores,
+ biomeIgnores,
+ {
+ name: 'Build directories and generated files to ignore',
+ ignores: [
+ // Specific dot folders to ignore.
+ '.cache/**',
+ '.claude/**',
+ '.git/**',
+ '.github/**',
+ '.vscode/**',
+ // Nested directories.
+ '**/binaries/**',
+ '**/build/**',
+ '**/coverage/**',
+ '**/dist/**',
+ '**/external/**',
+ '**/node_modules/**',
+ '**/pkg-binaries/**',
+ // Test fixtures (may contain invalid code samples).
+ 'test/fixtures/**',
+ 'test/**/fixtures/**',
+ // Generated TypeScript files.
+ '**/*.d.ts',
+ '**/*.d.ts.map',
+ '**/*.tsbuildinfo',
+ ],
+ },
+ {
+ files: ['**/*.{cts,mts,ts}'],
+ ...js.configs.recommended,
+ ...importFlatConfigsForModule.typescript,
+ languageOptions: {
+ ...js.configs.recommended.languageOptions,
+ ...importFlatConfigsForModule.typescript.languageOptions,
+ globals: {
+ ...js.configs.recommended.languageOptions?.globals,
+ ...importFlatConfigsForModule.typescript.languageOptions?.globals,
+ ...nodeGlobalsConfig,
+ BufferConstructor: 'readonly',
+ BufferEncoding: 'readonly',
+ NodeJS: 'readonly',
+ },
+ parser: tsParser,
+ parserOptions: {
+ ...js.configs.recommended.languageOptions?.parserOptions,
+ ...importFlatConfigsForModule.typescript.languageOptions?.parserOptions,
+ // Disable project service to prevent performance issues with type-aware linting.
+ // This means some type-aware rules like @typescript-eslint/return-await won't work,
+ // but linting will be much faster and won't hang on large codebases.
+ project: null,
+ },
+ },
+ linterOptions: {
+ ...js.configs.recommended.linterOptions,
+ ...importFlatConfigsForModule.typescript.linterOptions,
+ reportUnusedDisableDirectives: 'off',
+ },
+ plugins: {
+ ...js.configs.recommended.plugins,
+ ...importFlatConfigsForModule.typescript.plugins,
+ ...nodePlugin.configs['flat/recommended-module'].plugins,
+ ...sharedPlugins,
+ '@typescript-eslint': tsEslint.plugin,
+ },
+ rules: {
+ ...js.configs.recommended.rules,
+ ...importFlatConfigsForModule.typescript.rules,
+ ...nodePlugin.configs['flat/recommended-module'].rules,
+ ...sharedRulesForNode,
+ ...sharedRules,
+ '@typescript-eslint/array-type': ['error', { default: 'array-simple' }],
+ '@typescript-eslint/consistent-type-assertions': [
+ 'error',
+ { assertionStyle: 'as' },
+ ],
+ '@typescript-eslint/no-misused-new': 'error',
+ '@typescript-eslint/no-this-alias': [
+ 'error',
+ { allowDestructuring: true },
+ ],
+ // Returning unawaited promises in a try/catch/finally is dangerous
+ // (the `catch` won't catch if the promise is rejected, and the `finally`
+ // won't wait for the promise to resolve). Returning unawaited promises
+ // elsewhere is probably fine, but this lint rule doesn't have a way
+ // to only apply to try/catch/finally (the 'in-try-catch' option *enforces*
+ // not awaiting promises *outside* of try/catch/finally, which is not what
+ // we want), and it's nice to await before returning anyways, since you get
+ // a slightly more comprehensive stack trace upon promise rejection.
+ // DISABLED: Requires type-aware linting which causes performance issues.
+ // '@typescript-eslint/return-await': ['error', 'always'],
+ // Disable the following rules because they don't play well with TypeScript.
+ 'dot-notation': 'off',
+ 'n/hashbang': 'off',
+ 'n/no-extraneous-import': 'off',
+ 'n/no-missing-import': 'off',
+ 'no-redeclare': 'off',
+ 'no-unused-vars': 'off',
+ },
+ },
+ {
+ files: ['**/*.{cjs,js}'],
+ ...js.configs.recommended,
+ ...importFlatConfigsForScript.recommended,
+ ...nodePlugin.configs['flat/recommended-script'],
+ languageOptions: {
+ ...js.configs.recommended.languageOptions,
+ ...importFlatConfigsForModule.recommended.languageOptions,
+ ...nodePlugin.configs['flat/recommended-script'].languageOptions,
+ globals: {
+ ...js.configs.recommended.languageOptions?.globals,
+ ...importFlatConfigsForModule.recommended.languageOptions?.globals,
+ ...nodePlugin.configs['flat/recommended-script'].languageOptions
+ ?.globals,
+ ...nodeGlobalsConfig,
+ },
+ },
+ plugins: {
+ ...js.configs.recommended.plugins,
+ ...importFlatConfigsForScript.recommended.plugins,
+ ...nodePlugin.configs['flat/recommended-script'].plugins,
+ ...sharedPlugins,
+ },
+ rules: {
+ ...js.configs.recommended.rules,
+ ...importFlatConfigsForScript.recommended.rules,
+ ...nodePlugin.configs['flat/recommended-script'].rules,
+ ...sharedRulesForNode,
+ ...sharedRules,
+ },
+ },
+ {
+ files: ['**/*.mjs'],
+ ...js.configs.recommended,
+ ...importFlatConfigsForModule.recommended,
+ ...nodePlugin.configs['flat/recommended-module'],
+ languageOptions: {
+ ...js.configs.recommended.languageOptions,
+ ...importFlatConfigsForModule.recommended.languageOptions,
+ ...nodePlugin.configs['flat/recommended-module'].languageOptions,
+ globals: {
+ ...js.configs.recommended.languageOptions?.globals,
+ ...importFlatConfigsForModule.recommended.languageOptions?.globals,
+ ...nodePlugin.configs['flat/recommended-module'].languageOptions
+ ?.globals,
+ ...nodeGlobalsConfig,
+ },
+ },
+ plugins: {
+ ...js.configs.recommended.plugins,
+ ...importFlatConfigsForModule.recommended.plugins,
+ ...nodePlugin.configs['flat/recommended-module'].plugins,
+ ...sharedPlugins,
+ },
+ rules: {
+ ...js.configs.recommended.rules,
+ ...importFlatConfigsForModule.recommended.rules,
+ ...nodePlugin.configs['flat/recommended-module'].rules,
+ ...sharedRulesForNode,
+ ...sharedRules,
+ },
+ },
+ {
+ // Relax rules for script files
+ files: ['scripts/**/*.{mjs,js}', 'bin/**/*.{mjs,js}'],
+ rules: {
+ 'n/no-process-exit': 'off',
+ 'n/no-unsupported-features/node-builtins': 'off',
+ 'n/no-missing-import': 'off',
+ 'import-x/no-unresolved': 'off',
+ 'no-await-in-loop': 'off',
+ 'no-unused-vars': 'off',
+ },
+ },
+ {
+ // Relax rules for test files
+ files: ['**/*.test.{mts,ts,mjs,js}', 'test/**/*.{mts,ts,mjs,js}'],
+ languageOptions: {
+ globals: {
+ // Vitest globals
+ afterAll: 'readonly',
+ afterEach: 'readonly',
+ beforeAll: 'readonly',
+ beforeEach: 'readonly',
+ describe: 'readonly',
+ expect: 'readonly',
+ it: 'readonly',
+ test: 'readonly',
+ vi: 'readonly',
+ },
+ },
+ rules: {
+ // Allow undefined variables in test files (mocked functions)
+ 'no-undef': 'off',
+ // Allow console in tests
+ 'no-console': 'off',
+ },
+ },
+]
diff --git a/.config/isolated-tests.json b/.config/isolated-tests.json
new file mode 100644
index 000000000..d60f62bce
--- /dev/null
+++ b/.config/isolated-tests.json
@@ -0,0 +1,17 @@
+{
+ "_comment": "Tests that require isolated module execution due to vi.mock(), vi.doMock(), or vi.resetModules() usage. These tests manipulate module state and need to run in isolation to avoid cross-test contamination.",
+ "tests": [
+ "packages/cli/src/flags.test.mts",
+ "packages/cli/src/npm-cli.test.mts",
+ "packages/cli/src/npx-cli.test.mts",
+ "packages/cli/src/pnpm-cli.test.mts",
+ "packages/cli/src/utils/alert/translations.test.mts",
+ "packages/cli/src/utils/dlx/detection.test.mts",
+ "packages/cli/src/utils/git/github.test.mts",
+ "packages/cli/src/utils/npm/paths.test.mts",
+ "packages/cli/src/utils/pnpm/paths.test.mts",
+ "packages/cli/src/utils/yarn/paths.test.mts",
+ "packages/cli/src/utils/yarn/version.test.mts",
+ "packages/cli/src/yarn-cli.test.mts"
+ ]
+}
diff --git a/.config/tsconfig.base.json b/.config/tsconfig.base.json
new file mode 100644
index 000000000..370220333
--- /dev/null
+++ b/.config/tsconfig.base.json
@@ -0,0 +1,38 @@
+{
+ "compilerOptions": {
+ // The following options are not supported by @typescript/native-preview.
+ // They are either ignored or throw an unknown option error:
+ //"importsNotUsedAsValues": "remove",
+ "allowImportingTsExtensions": false,
+ "allowJs": false,
+ "composite": false,
+ "declaration": false,
+ "declarationMap": false,
+ "erasableSyntaxOnly": true,
+ "esModuleInterop": true,
+ "exactOptionalPropertyTypes": true,
+ "forceConsistentCasingInFileNames": true,
+ "incremental": false,
+ "isolatedModules": true,
+ "jsx": "react-jsx",
+ "lib": ["ES2024"],
+ "module": "nodenext",
+ "noEmit": true,
+ "noEmitOnError": true,
+ "noFallthroughCasesInSwitch": true,
+ "noImplicitOverride": true,
+ "noPropertyAccessFromIndexSignature": true,
+ "noUncheckedIndexedAccess": true,
+ "noUnusedLocals": true,
+ "noUnusedParameters": true,
+ "resolveJsonModule": true,
+ "rewriteRelativeImportExtensions": true,
+ "skipLibCheck": true,
+ "sourceMap": true,
+ "strict": true,
+ "strictNullChecks": true,
+ "target": "ES2024",
+ "useUnknownInCatchVariables": true,
+ "verbatimModuleSyntax": true
+ }
+}
diff --git a/.config/tsconfig.build.json b/.config/tsconfig.build.json
new file mode 100644
index 000000000..ef48e00c6
--- /dev/null
+++ b/.config/tsconfig.build.json
@@ -0,0 +1,9 @@
+{
+ "extends": "./tsconfig.base.json",
+ "compilerOptions": {
+ "declaration": true,
+ "declarationMap": true,
+ "composite": true,
+ "incremental": true
+ }
+}
diff --git a/.config/tsconfig.check.json b/.config/tsconfig.check.json
new file mode 100644
index 000000000..e93c38c8d
--- /dev/null
+++ b/.config/tsconfig.check.json
@@ -0,0 +1,22 @@
+{
+ "extends": "./tsconfig.base.json",
+ "compilerOptions": {
+ "typeRoots": ["../node_modules/@types"]
+ },
+ "include": [
+ "../packages/cli/src/**/*.mts",
+ "../packages/cli/*.config.mts",
+ "../packages/cli/.config/*.mts"
+ ],
+ "exclude": [
+ "../packages/cli/**/*.tsx",
+ "../packages/cli/**/*.d.mts",
+ "../packages/cli/src/commands/analytics/output-analytics.mts",
+ "../packages/cli/src/commands/audit-log/output-audit-log.mts",
+ "../packages/cli/src/commands/threat-feed/output-threat-feed.mts",
+ "../packages/cli/**/*.test.mts",
+ "../packages/cli/src/test/**/*.mts",
+ "../packages/cli/src/utils/test-mocks.mts",
+ "../packages/cli/test/**/*.mts"
+ ]
+}
diff --git a/.config/tsconfig.external-aliases.json b/.config/tsconfig.external-aliases.json
new file mode 100644
index 000000000..e659d1976
--- /dev/null
+++ b/.config/tsconfig.external-aliases.json
@@ -0,0 +1,13 @@
+{
+ "extends": "./tsconfig.check.json",
+ "compilerOptions": {
+ "paths": {
+ "@socketsecurity/lib": ["../socket-lib/dist/index.d.ts"],
+ "@socketsecurity/lib/*": ["../socket-lib/dist/*"],
+ "@socketsecurity/registry": [
+ "../socket-registry/registry/dist/index.d.ts"
+ ],
+ "@socketsecurity/registry/*": ["../socket-registry/registry/dist/*"]
+ }
+ }
+}
diff --git a/.config/tsconfig.test.json b/.config/tsconfig.test.json
new file mode 100644
index 000000000..2c03aafcc
--- /dev/null
+++ b/.config/tsconfig.test.json
@@ -0,0 +1,7 @@
+{
+ "extends": "./tsconfig.base.json",
+ "compilerOptions": {
+ "noUnusedLocals": false,
+ "noUnusedParameters": false
+ }
+}
diff --git a/.config/vitest.config.base.mts b/.config/vitest.config.base.mts
new file mode 100644
index 000000000..8543c880b
--- /dev/null
+++ b/.config/vitest.config.base.mts
@@ -0,0 +1,106 @@
+import path from 'node:path'
+import { defineConfig } from 'vitest/config'
+
+/**
+ * Base Vitest configuration for socket-cli monorepo packages.
+ *
+ * Packages should extend this configuration and override as needed:
+ *
+ * ```typescript
+ * import { defineConfig, mergeConfig } from 'vitest/config'
+ * import baseConfig from '../../.config/vitest.config.base.mts'
+ *
+ * export default mergeConfig(
+ * baseConfig,
+ * defineConfig({
+ * test: {
+ * include: ['test/**\/*.test.{mts,ts}'],
+ * },
+ * })
+ * )
+ * ```
+ */
+
+const isCoverageEnabled =
+ process.env.npm_lifecycle_event === 'cover' ||
+ process.argv.includes('--coverage')
+
+const projectRoot = path.resolve(import.meta.dirname, '..')
+
+export default defineConfig({
+ cacheDir: path.resolve(projectRoot, '.cache/vitest'), // Explicit cache directory for consistent behavior.
+ test: {
+ globals: false,
+ environment: 'node',
+ exclude: [
+ '**/node_modules/**',
+ '**/dist/**',
+ '**/.{idea,git,cache,output,temp}/**',
+ '**/{karma,rollup,webpack,vite,vitest,jest,ava,babel,nyc,cypress,tsup,build,eslint,prettier}.config.*',
+ // Exclude E2E tests from regular test runs.
+ '**/*-e2e.test.mts',
+ ],
+ reporters: ['default'],
+ // Use threads for better performance
+ pool: 'threads',
+ poolOptions: {
+ threads: {
+ singleThread: false,
+ maxThreads: isCoverageEnabled ? 1 : 16,
+ minThreads: isCoverageEnabled ? 1 : 4,
+ // IMPORTANT: isolate: false for performance and test compatibility
+ //
+ // Tradeoff Analysis:
+ // - isolate: true = Full isolation, slower, breaks nock/module mocking
+ // - isolate: false = Shared worker context, faster, mocking works
+ //
+ // We choose isolate: false because:
+ // 1. Significant performance improvement (faster test runs)
+ // 2. Nock HTTP mocking works correctly across all test files
+ // 3. Vi.mock() module mocking functions properly
+ // 4. Test state pollution is prevented through proper beforeEach/afterEach
+ // 5. Our tests are designed to clean up after themselves
+ //
+ // Tests requiring true isolation should use pool: 'forks' or be marked
+ // with { pool: 'forks' } in the test file itself.
+ isolate: false,
+ // Use worker threads for better performance
+ useAtomics: true,
+ },
+ },
+ testTimeout: 30_000,
+ hookTimeout: 30_000,
+ coverage: {
+ provider: 'v8',
+ reporter: ['text', 'json', 'html', 'lcov', 'clover'],
+ exclude: [
+ '**/*.config.*',
+ '**/node_modules/**',
+ '**/[.]**',
+ '**/*.d.mts',
+ '**/*.d.ts',
+ '**/virtual:*',
+ 'bin/**',
+ 'coverage/**',
+ 'dist/**',
+ 'external/**',
+ 'pnpmfile.*',
+ 'scripts/**',
+ 'src/**/types.mts',
+ 'test/**',
+ 'perf/**',
+ ],
+ include: ['src/**/*.mts', 'src/**/*.ts'],
+ all: true,
+ clean: true,
+ skipFull: false,
+ ignoreClassMethods: ['constructor'],
+ thresholds: {
+ lines: 0,
+ functions: 0,
+ branches: 0,
+ statements: 0,
+ },
+ },
+ },
+})
diff --git a/.config/vitest.config.isolated.mts b/.config/vitest.config.isolated.mts
new file mode 100644
index 000000000..51cf0a9cf
--- /dev/null
+++ b/.config/vitest.config.isolated.mts
@@ -0,0 +1,74 @@
+/**
+ * @fileoverview Vitest configuration for tests requiring full isolation.
+ * Used for tests that need vi.doMock() or other module-level mocking that
+ * requires true module isolation. Use this config when tests need to mock
+ * modules differently in the same file or when isolate: false causes issues.
+ */
+import { defineConfig } from 'vitest/config'
+
+// Check if coverage is enabled via CLI flags or environment.
+const isCoverageEnabled =
+ process.env.COVERAGE === 'true' ||
+ process.env.npm_lifecycle_event?.includes('coverage') ||
+ process.argv.some(arg => arg.includes('coverage'))
+
+export default defineConfig({
+ test: {
+ globals: false,
+ environment: 'node',
+ exclude: [
+ '**/node_modules/**',
+ '**/dist/**',
+ '**/.{idea,git,cache,output,temp}/**',
+ '**/{karma,rollup,webpack,vite,vitest,jest,ava,babel,nyc,cypress,tsup,build,eslint,prettier}.config.*',
+ // Exclude E2E tests from regular test runs.
+ '**/*-e2e.test.mts',
+ ],
+ reporters: ['default'],
+ // Use forks for full isolation.
+ pool: 'forks',
+ poolOptions: {
+ forks: {
+ // True isolation for vi.doMock() and module-level mocking.
+ isolate: true,
+ singleFork: isCoverageEnabled,
+ maxForks: isCoverageEnabled ? 4 : 16,
+ minForks: isCoverageEnabled ? 1 : 2,
+ },
+ },
+ testTimeout: 30_000,
+ hookTimeout: 10_000,
+ coverage: {
+ provider: 'v8',
+ reporter: ['text', 'json', 'html', 'lcov', 'clover'],
+ exclude: [
+ '**/*.config.*',
+ '**/node_modules/**',
+ '**/[.]**',
+ '**/*.d.mts',
+ '**/*.d.ts',
+ '**/virtual:*',
+ 'bin/**',
+ 'coverage/**',
+ 'dist/**',
+ 'external/**',
+ 'pnpmfile.*',
+ 'scripts/**',
+ 'src/**/types.mts',
+ 'test/**',
+ 'perf/**',
+ ],
+ include: ['src/**/*.mts', 'src/**/*.ts'],
+ all: true,
+ clean: true,
+ skipFull: false,
+ ignoreClassMethods: ['constructor'],
+ thresholds: {
+ lines: 35,
+ functions: 60,
+ branches: 35,
+ statements: 35,
+ },
+ },
+ },
+})
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 000000000..16fa02f63
--- /dev/null
+++ b/.dockerignore
@@ -0,0 +1,60 @@
+# Version control
+.git/
+.github/
+.gitignore
+.gitattributes
+
+# Dependencies
+node_modules/
+packages/*/node_modules/
+
+# Build artifacts
+dist/
+build/
+*.log
+*.tgz
+*.tar.gz
+
+# Testing
+coverage/
+.nyc_output/
+test-results/
+
+# Caches
+.cache/
+.eslintcache
+.tsbuildinfo
+.rollup.cache/
+pnpm-store/
+
+# IDEs and editors
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+.DS_Store
+
+# Environment files
+.env
+.env.local
+.env.*.local
+
+# Documentation
+*.md
+!README.md
+docs/
+
+# CI/CD
+.circleci/
+.travis.yml
+azure-pipelines.yml
+appveyor.yml
+
+# Temporary files
+tmp/
+temp/
+*.tmp
+
+# OS files
+Thumbs.db
diff --git a/.editorconfig b/.editorconfig
deleted file mode 100644
index a05749c25..000000000
--- a/.editorconfig
+++ /dev/null
@@ -1,9 +0,0 @@
-root = true
-
-[*]
-end_of_line = lf
-insert_final_newline = true
-indent_style = space
-indent_size = 2
-charset = utf-8
-trim_trailing_whitespace = true
diff --git a/.env.example b/.env.example
new file mode 100644
index 000000000..691c00890
--- /dev/null
+++ b/.env.example
@@ -0,0 +1,11 @@
+# Socket CLI Environment Configuration Example
+# Copy this file to .env.local and customize for your local environment.
+
+# Node.js Configuration (optional overrides).
+NODE_COMPILE_CACHE="./.cache"
+NODE_OPTIONS="--max-old-space-size=8192 --max-semi-space-size=1024"
+
+# Socket API Configuration (for e2e testing).
+# Get your API key from https://socket.dev/dashboard/settings
+SOCKET_SECURITY_API_KEY=your_api_key_here
+SOCKET_CLI_ORG_SLUG=your_org_slug_here
diff --git a/.env.precommit b/.env.precommit
new file mode 100644
index 000000000..706c58cb4
--- /dev/null
+++ b/.env.precommit
@@ -0,0 +1,12 @@
+# Socket CLI Pre-commit Test Environment
+# This file is loaded by dotenvx during pre-commit hooks.
+
+# Disable API token requirement for unit tests.
+SOCKET_CLI_NO_API_TOKEN=1
+
+# Indicate tests are running in Vitest.
+VITEST=1
+
+# Node.js optimization for test performance.
+NODE_COMPILE_CACHE="./.cache"
+NODE_OPTIONS="--max-old-space-size=8192"
diff --git a/.eslintignore b/.eslintignore
deleted file mode 100644
index 930e4c4f3..000000000
--- a/.eslintignore
+++ /dev/null
@@ -1,2 +0,0 @@
-/coverage/**/*
-/lib/types/api.d.ts
diff --git a/.eslintrc b/.eslintrc
deleted file mode 100644
index b95cab876..000000000
--- a/.eslintrc
+++ /dev/null
@@ -1,29 +0,0 @@
-{
- "root": true,
- "plugins": ["jsdoc"],
- "extends": [
- "@socketsecurity",
- "plugin:jsdoc/recommended"
- ],
- "settings": {
- "jsdoc": {
- "mode": "typescript"
- }
- },
- "parserOptions": {
- "project": "./tsconfig.json"
- },
- "rules": {
- "@typescript-eslint/quotes": ["error", "single", { "avoidEscape": true, "allowTemplateLiterals": false }],
- "no-console": "warn",
-
- "jsdoc/check-types": "off",
- "jsdoc/no-undefined-types": "off",
- "jsdoc/require-jsdoc": "warn",
- "jsdoc/require-param-description": "off",
- "jsdoc/require-property-description": "off",
- "jsdoc/require-returns-description": "off",
- "jsdoc/require-yields": "off",
- "jsdoc/valid-types": "off"
- }
-}
diff --git a/.git-hooks/commit-msg b/.git-hooks/commit-msg
new file mode 100755
index 000000000..92dcc04fa
--- /dev/null
+++ b/.git-hooks/commit-msg
@@ -0,0 +1,73 @@
+#!/bin/bash
+# Socket Security Commit-msg Hook
+# Additional security layer - validates commit even if pre-commit was bypassed.
+
+set -e
+
+# Colors for output.
+RED='\033[0;31m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+# Allowed public API key (used in socket-lib).
+ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
+
+ERRORS=0
+
+# Get files in this commit (for security checks).
+COMMITTED_FILES=$(git diff --cached --name-only --diff-filter=ACM 2>/dev/null || printf "\n")
+
+# Quick checks for critical issues in committed files.
+if [ -n "$COMMITTED_FILES" ]; then
+ for file in $COMMITTED_FILES; do
+ if [ -f "$file" ]; then
+ # Check for Socket API keys (except allowed).
+ if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | grep -v '\.example' | grep -q .; then
+ echo "${RED}✗ SECURITY: Potential API key detected in commit!${NC}"
+ printf "File: %s\n" "$file"
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for .env files.
+ if echo "$file" | grep -qE '^\.env(\.local)?$'; then
+ echo "${RED}✗ SECURITY: .env file in commit!${NC}"
+ ERRORS=$((ERRORS + 1))
+ fi
+ fi
+ done
+fi
+
+# Auto-strip AI attribution from commit message.
+COMMIT_MSG_FILE="$1"
+if [ -f "$COMMIT_MSG_FILE" ]; then
+ # Create a temporary file to store the cleaned message.
+ TEMP_FILE=$(mktemp)
+ REMOVED_LINES=0
+
+ # Read the commit message line by line and filter out AI attribution.
+ while IFS= read -r line || [ -n "$line" ]; do
+ # Check if this line contains AI attribution patterns.
+ if echo "$line" | grep -qiE "(Generated with|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|Claude Code|@anthropic|Assistant:|Generated by Claude|Machine generated)"; then
+ REMOVED_LINES=$((REMOVED_LINES + 1))
+ else
+ # Line doesn't contain AI attribution, keep it.
+ printf '%s\n' "$line" >> "$TEMP_FILE"
+ fi
+ done < "$COMMIT_MSG_FILE"
+
+ # Replace the original commit message with the cleaned version.
+ if [ $REMOVED_LINES -gt 0 ]; then
+ mv "$TEMP_FILE" "$COMMIT_MSG_FILE"
+ echo "${GREEN}✓ Auto-stripped${NC} $REMOVED_LINES AI attribution line(s) from commit message"
+ else
+ # No lines were removed, just clean up the temp file.
+ rm -f "$TEMP_FILE"
+ fi
+fi
+
+if [ $ERRORS -gt 0 ]; then
+ echo "${RED}✗ Commit blocked by security validation${NC}"
+ exit 1
+fi
+
+exit 0
diff --git a/.git-hooks/pre-commit b/.git-hooks/pre-commit
new file mode 100755
index 000000000..10d7ec777
--- /dev/null
+++ b/.git-hooks/pre-commit
@@ -0,0 +1,123 @@
+#!/bin/bash
+# Socket Security Checks
+# Prevents committing sensitive data and common mistakes.
+
+set -e
+
+# Colors for output.
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+# Allowed public API key (used in socket-lib).
+ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
+
+echo "${GREEN}Running Socket Security checks...${NC}"
+
+# Get list of staged files.
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+
+if [ -z "$STAGED_FILES" ]; then
+ echo "${GREEN}✓ No files to check${NC}"
+ exit 0
+fi
+
+ERRORS=0
+
+# Check for .DS_Store files.
+printf "Checking for .DS_Store files...\n"
+if echo "$STAGED_FILES" | grep -q '\.DS_Store'; then
+ echo "${RED}✗ ERROR: .DS_Store file detected!${NC}"
+ echo "$STAGED_FILES" | grep '\.DS_Store'
+ ERRORS=$((ERRORS + 1))
+fi
+
+# Check for log files.
+printf "Checking for log files...\n"
+if echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'; then
+ echo "${RED}✗ ERROR: Log file detected!${NC}"
+ echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'
+ ERRORS=$((ERRORS + 1))
+fi
+
+# Check for .env files.
+printf "Checking for .env files...\n"
+if echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'; then
+ echo "${RED}✗ ERROR: .env or .env.local file detected!${NC}"
+ echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'
+ printf "These files should never be committed. Use .env.example instead.\n"
+ ERRORS=$((ERRORS + 1))
+fi
+
+# Check for hardcoded user paths (generic detection).
+printf "Checking for hardcoded personal paths...\n"
+for file in $STAGED_FILES; do
+ if [ -f "$file" ]; then
+ # Skip test files and hook scripts.
+ if echo "$file" | grep -qE '\.(test|spec)\.|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then
+ continue
+ fi
+
+ # Check for common user path patterns.
+ if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
+ echo "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}"
+ grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
+ printf "Replace with relative paths or environment variables.\n"
+ ERRORS=$((ERRORS + 1))
+ fi
+ fi
+done
+
+# Check for Socket API keys.
+printf "Checking for API keys...\n"
+for file in $STAGED_FILES; do
+ if [ -f "$file" ]; then
+ if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
+ echo "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}"
+ grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
+ printf "If this is a real API key, DO NOT COMMIT IT.\n"
+ fi
+ fi
+done
+
+# Check for common secret patterns.
+printf "Checking for potential secrets...\n"
+for file in $STAGED_FILES; do
+ if [ -f "$file" ]; then
+ # Skip test files, example files, and hook scripts.
+ if echo "$file" | grep -qE '\.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then
+ continue
+ fi
+
+ # Check for AWS keys.
+ if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
+ echo "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}"
+ grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for GitHub tokens.
+ if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
+ echo "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}"
+ grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for private keys.
+ if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
+ echo "${RED}✗ ERROR: Private key found in: $file${NC}"
+ ERRORS=$((ERRORS + 1))
+ fi
+ fi
+done
+
+if [ $ERRORS -gt 0 ]; then
+ printf "\n"
+ echo "${RED}✗ Security check failed with $ERRORS error(s).${NC}"
+ printf "Fix the issues above and try again.\n"
+ exit 1
+fi
+
+echo "${GREEN}✓ All security checks passed!${NC}"
+exit 0
diff --git a/.git-hooks/pre-push b/.git-hooks/pre-push
new file mode 100755
index 000000000..76995ff87
--- /dev/null
+++ b/.git-hooks/pre-push
@@ -0,0 +1,169 @@
+#!/bin/bash
+# Socket Security Pre-push Hook
+# MANDATORY ENFORCEMENT LAYER - Cannot be bypassed with --no-verify.
+# Validates all commits being pushed for security issues and AI attribution.
+
+set -e
+
+# Colors for output.
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+printf "${GREEN}Running mandatory pre-push validation...${NC}\n"
+
+# Allowed public API key (used in socket-lib).
+ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
+
+# Get the remote name and URL.
+remote="$1"
+url="$2"
+
+TOTAL_ERRORS=0
+
+# Read stdin for refs being pushed.
+while read local_ref local_sha remote_ref remote_sha; do
+ # Get the range of commits being pushed.
+ if [ "$remote_sha" = "0000000000000000000000000000000000000000" ]; then
+ # New branch - find the latest published release tag to limit scope.
+ latest_release=$(git tag --list 'v*' --sort=-version:refname --merged "$local_sha" | head -1)
+ if [ -n "$latest_release" ]; then
+ # Check commits since the latest published release.
+ range="$latest_release..$local_sha"
+ else
+ # No release tags found - check all commits.
+ range="$local_sha"
+ fi
+ else
+ # Existing branch - check new commits since remote.
+ # Limit scope to commits after the latest published release on this branch.
+ latest_release=$(git tag --list 'v*' --sort=-version:refname --merged "$remote_sha" | head -1)
+ if [ -n "$latest_release" ]; then
+ # Only check commits after the latest release that are being pushed.
+ range="$latest_release..$local_sha"
+ else
+ # No release tags found - check new commits only.
+ range="$remote_sha..$local_sha"
+ fi
+ fi
+
+ ERRORS=0
+
+ # ============================================================================
+ # CHECK 1: Scan commit messages for AI attribution
+ # ============================================================================
+ printf "Checking commit messages for AI attribution...\n"
+
+ # Check each commit in the range for AI patterns.
+ while IFS= read -r commit_sha; do
+ full_msg=$(git log -1 --format='%B' "$commit_sha")
+
+ if echo "$full_msg" | grep -qiE "(Generated with.*(Claude|AI)|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|@anthropic\.com|Assistant:|Generated by Claude|Machine generated)"; then
+ if [ $ERRORS -eq 0 ]; then
+ printf "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}\n"
+ printf "Commits with AI attribution:\n"
+ fi
+ echo " - $(git log -1 --oneline "$commit_sha")"
+ ERRORS=$((ERRORS + 1))
+ fi
+ done < <(git rev-list "$range")
+
+ if [ $ERRORS -gt 0 ]; then
+ printf "\n"
+ printf "These commits were likely created with --no-verify, bypassing the\n"
+ printf "commit-msg hook that strips AI attribution.\n"
+ printf "\n"
+ printf "To fix:\n"
+ printf " git rebase -i %s\n" "$remote_sha"
+ printf " Mark commits as .reword., remove AI attribution, save\n"
+ printf " git push\n"
+ fi
+
+ # ============================================================================
+ # CHECK 2: File content security checks
+ # ============================================================================
+ printf "Checking files for security issues...\n"
+
+ # Get all files changed in these commits.
+ CHANGED_FILES=$(git diff --name-only "$range" 2>/dev/null || printf "\n")
+
+ if [ -n "$CHANGED_FILES" ]; then
+ # Check for sensitive files.
+ if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
+ printf "${RED}✗ BLOCKED: Attempting to push .env file!${NC}\n"
+ printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for .DS_Store.
+ if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
+ printf "${RED}✗ BLOCKED: .DS_Store file in push!${NC}\n"
+ printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep '\.DS_Store')"
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for log files.
+ if echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log' | grep -q .; then
+ printf "${RED}✗ BLOCKED: Log file in push!${NC}\n"
+ printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log')"
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check file contents for secrets.
+ for file in $CHANGED_FILES; do
+ if [ -f "$file" ] && [ ! -d "$file" ]; then
+ # Skip test files, example files, and hook scripts.
+ if echo "$file" | grep -qE '\.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then
+ continue
+ fi
+
+ # Check for hardcoded user paths.
+ if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
+ printf "${RED}✗ BLOCKED: Hardcoded personal path found in: $file${NC}\n"
+ grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for Socket API keys.
+ if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
+ printf "${RED}✗ BLOCKED: Real API key detected in: $file${NC}\n"
+ grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for AWS keys.
+ if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
+ printf "${RED}✗ BLOCKED: Potential AWS credentials found in: $file${NC}\n"
+ grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for GitHub tokens.
+ if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
+ printf "${RED}✗ BLOCKED: Potential GitHub token found in: $file${NC}\n"
+ grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for private keys.
+ if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
+ printf "${RED}✗ BLOCKED: Private key found in: $file${NC}\n"
+ ERRORS=$((ERRORS + 1))
+ fi
+ fi
+ done
+ fi
+
+ TOTAL_ERRORS=$((TOTAL_ERRORS + ERRORS))
+done
+
+if [ $TOTAL_ERRORS -gt 0 ]; then
+ printf "\n"
+ printf "${RED}✗ Push blocked by mandatory validation!${NC}\n"
+ printf "Fix the issues above before pushing.\n"
+ exit 1
+fi
+
+printf "${GREEN}✓ All mandatory validation passed!${NC}\n"
+exit 0
diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 000000000..6313b56c5
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+* text=auto eol=lf
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index ff58473a0..6840dc6d1 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -1,12 +1,16 @@
version: 2
updates:
- - package-ecosystem: "github-actions"
- directory: "/"
+ - package-ecosystem: 'github-actions'
+ directory: '/'
schedule:
- interval: "weekly"
- day: "monday"
- - package-ecosystem: "npm"
- directory: "/"
+ interval: 'weekly'
+ day: 'monday'
+ cooldown:
+ default-days: 7
+ - package-ecosystem: 'npm'
+ directory: '/'
schedule:
- interval: "weekly"
- day: "monday"
+ interval: 'weekly'
+ day: 'monday'
+ cooldown:
+ default-days: 7
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
new file mode 100644
index 000000000..edc855c2c
--- /dev/null
+++ b/.github/workflows/ci.yml
@@ -0,0 +1,414 @@
+name: 🚀 CI
+
+# Dependencies:
+# - SocketDev/socket-registry/.github/workflows/ci.yml
+
+concurrency:
+ group: ${{ github.workflow }}-${{ github.ref }}
+ cancel-in-progress: ${{ github.ref != 'refs/heads/main' }}
+
+on:
+ push:
+ branches: [main]
+ tags: ['*']
+ paths:
+ - 'packages/cli/**'
+ - 'pnpm-lock.yaml'
+ - 'package.json'
+ - '.github/workflows/ci.yml'
+ pull_request:
+ branches: [main]
+ paths:
+ - 'packages/cli/**'
+ - 'pnpm-lock.yaml'
+ - 'package.json'
+ - '.github/workflows/ci.yml'
+ workflow_dispatch:
+ inputs:
+ force:
+ description: 'Force rebuild (ignore cache)'
+ type: boolean
+ default: false
+ node-versions:
+ description: 'Node.js versions to test (JSON array)'
+ required: false
+ type: string
+ # Default should match .node-version file.
+ default: '["25"]'
+
+permissions: {}
+
+jobs:
+ versions:
+ name: Load Tool Versions
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read # Read .node-version file from repository.
+ outputs:
+ node: ${{ steps.versions.outputs.node }}
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ persist-credentials: false
+
+ - name: Load Node.js version from .node-version
+ id: versions
+ run: |
+ NODE_VERSION=$(cat .node-version)
+ echo "node=[\"$NODE_VERSION\"]" >> $GITHUB_OUTPUT
+ echo "Loaded Node.js: $NODE_VERSION"
+
+ ci:
+ name: Run CI Pipeline
+ needs: versions
+ permissions:
+ contents: read # Read repository contents for CI checks and build operations.
+ uses: SocketDev/socket-registry/.github/workflows/ci.yml@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
+ with:
+ test-setup-script: 'pnpm --filter @socketsecurity/cli run build'
+ lint-script: 'pnpm --filter @socketsecurity/cli run check'
+ type-check-script: 'pnpm --filter @socketsecurity/cli run type'
+ run-test: false # Tests run in separate sharded job below.
+ node-versions: ${{ inputs.node-versions || needs.versions.outputs.node }}
+ os-versions: '["ubuntu-latest"]'
+ fail-fast: false
+ max-parallel: 4
+ test-timeout-minutes: 15
+
+ # Sharded unit tests for faster CI.
+ # Splits 2,819 tests across 3 shards (~16s per shard vs 48s monolithic).
+ # Runs on Linux only to optimize CI runtime and build requirements.
+ test-sharded:
+ name: Unit Tests (Shard ${{ matrix.shard }}/3)
+ needs: [ci, versions]
+ runs-on: ubuntu-latest
+ timeout-minutes: 10
+ permissions:
+ contents: read # Read repository contents for unit test execution.
+ strategy:
+ fail-fast: false
+ max-parallel: 4
+ matrix:
+ node-version: ${{ fromJSON(inputs.node-versions || needs.versions.outputs.node) }}
+ shard: [1, 2, 3]
+ steps:
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
+ with:
+ node-version: ${{ matrix.node-version }}
+
+ - name: Generate CLI build cache key
+ id: cli-cache-key
+ shell: bash
+ run: |
+ # Validate required files exist.
+ if [ ! -f pnpm-lock.yaml ]; then
+ echo "Error: pnpm-lock.yaml not found" >&2
+ exit 1
+ fi
+ if [ ! -d packages/cli/src ]; then
+ echo "Error: packages/cli/src directory not found" >&2
+ exit 1
+ fi
+
+ # Compute hashes with proper error handling.
+ PNPM_LOCK_HASH=$(shasum -a 256 pnpm-lock.yaml | cut -d' ' -f1)
+ CLI_SRC_HASH=$(find packages/cli/src -type f \( -name "*.mts" -o -name "*.ts" -o -name "*.mjs" -o -name "*.js" \) -print0 | sort -z | xargs -0 shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+ CLI_CONFIG_HASH=$(find packages/cli/.config packages/cli/scripts -type f -name "*.mjs" -print0 | sort -z | xargs -0 shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+
+ # Validate hashes were computed successfully.
+ if [ -z "$PNPM_LOCK_HASH" ] || [ -z "$CLI_SRC_HASH" ] || [ -z "$CLI_CONFIG_HASH" ]; then
+ echo "Error: Failed to compute one or more cache key hashes" >&2
+ exit 1
+ fi
+
+ CLI_COMBINED=$(echo "$PNPM_LOCK_HASH-$CLI_SRC_HASH-$CLI_CONFIG_HASH" | shasum -a 256 | cut -d' ' -f1)
+ echo "hash=$CLI_COMBINED" >> $GITHUB_OUTPUT
+
+ - name: Restore CLI build cache
+ id: cli-build-cache
+ uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ with:
+ path: |
+ packages/cli/build/
+ packages/cli/dist/
+ key: cli-build-${{ runner.os }}-${{ steps.cli-cache-key.outputs.hash }}
+ # Note: restore-keys removed to prevent cache poisoning attacks.
+ lookup-only: true
+
+ - name: Build CLI
+ working-directory: packages/cli
+ run: pnpm run build
+
+ - name: Run unit tests (shard ${{ matrix.shard }})
+ working-directory: packages/cli
+ run: pnpm test:unit --shard=${{ matrix.shard }}/3
+
+ # Binary distribution integration tests.
+ # Tests the JS distribution and optionally SEA/smol if cached binaries are available.
+ integration:
+ name: Integration Tests
+ needs: [ci, versions]
+ runs-on: ubuntu-latest
+ timeout-minutes: 15
+ permissions:
+ contents: read # Read repository contents for integration test execution.
+ strategy:
+ fail-fast: false
+ matrix:
+ node-version: ${{ fromJSON(inputs.node-versions || needs.versions.outputs.node) }}
+ steps:
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
+ with:
+ node-version: ${{ matrix.node-version }}
+
+ - name: Generate CLI build cache key
+ id: cli-cache-key
+ shell: bash
+ run: |
+ # Validate required files exist.
+ if [ ! -f pnpm-lock.yaml ]; then
+ echo "Error: pnpm-lock.yaml not found" >&2
+ exit 1
+ fi
+ if [ ! -d packages/cli/src ]; then
+ echo "Error: packages/cli/src directory not found" >&2
+ exit 1
+ fi
+
+ # Compute hashes with proper error handling.
+ PNPM_LOCK_HASH=$(shasum -a 256 pnpm-lock.yaml | cut -d' ' -f1)
+ CLI_SRC_HASH=$(find packages/cli/src -type f \( -name "*.mts" -o -name "*.ts" -o -name "*.mjs" -o -name "*.js" \) -print0 | sort -z | xargs -0 shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+ CLI_CONFIG_HASH=$(find packages/cli/.config packages/cli/scripts -type f -name "*.mjs" -print0 | sort -z | xargs -0 shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+
+ # Validate hashes were computed successfully.
+ if [ -z "$PNPM_LOCK_HASH" ] || [ -z "$CLI_SRC_HASH" ] || [ -z "$CLI_CONFIG_HASH" ]; then
+ echo "Error: Failed to compute one or more cache key hashes" >&2
+ exit 1
+ fi
+
+ CLI_COMBINED=$(echo "$PNPM_LOCK_HASH-$CLI_SRC_HASH-$CLI_CONFIG_HASH" | shasum -a 256 | cut -d' ' -f1)
+ echo "hash=$CLI_COMBINED" >> $GITHUB_OUTPUT
+
+ - name: Restore CLI build cache
+ id: cli-build-cache
+ uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ with:
+ path: |
+ packages/cli/build/
+ packages/cli/dist/
+ key: cli-build-${{ runner.os }}-${{ steps.cli-cache-key.outputs.hash }}
+ # Note: restore-keys removed to prevent cache poisoning attacks.
+ lookup-only: true
+
+ - name: Build CLI
+ working-directory: packages/cli
+ run: pnpm run build
+
+ - name: Generate cache keys for binary distributions
+ id: cache-keys
+ shell: bash
+ run: |
+ # Validate required files/directories exist.
+ if [ ! -f pnpm-lock.yaml ]; then
+ echo "Error: pnpm-lock.yaml not found" >&2
+ exit 1
+ fi
+ if [ ! -d packages/node-sea-builder ]; then
+ echo "Error: packages/node-sea-builder directory not found" >&2
+ exit 1
+ fi
+
+ # SEA cache key (matches build-sea.yml).
+ SEA_HASH=$(find packages/node-sea-builder packages/cli/src -type f \( -name "*.mts" -o -name "*.ts" -o -name "*.mjs" -o -name "*.js" \) | sort | xargs shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+ DEPS_HASH=$(find packages/bootstrap packages/socket -type f \( -name "*.mts" -o -name "*.ts" -o -name "*.mjs" -o -name "*.js" -o -name "*.json" \) ! -path "*/node_modules/*" ! -path "*/dist/*" ! -path "*/build/*" | sort | xargs shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+ LOCK_HASH=$(shasum -a 256 pnpm-lock.yaml | cut -d' ' -f1)
+
+ # Validate hashes were computed successfully.
+ if [ -z "$SEA_HASH" ] || [ -z "$DEPS_HASH" ] || [ -z "$LOCK_HASH" ]; then
+ echo "Error: Failed to compute one or more SEA cache key hashes" >&2
+ exit 1
+ fi
+
+ SEA_DEPS_HASH=$(echo "$DEPS_HASH-$LOCK_HASH" | shasum -a 256 | cut -d' ' -f1)
+ SEA_COMBINED=$(echo "$SEA_HASH-$SEA_DEPS_HASH" | shasum -a 256 | cut -d' ' -f1)
+ echo "sea-hash=$SEA_COMBINED" >> $GITHUB_OUTPUT
+
+ # Smol cache key (matches build-smol.yml).
+ SMOL_HASH=$(find patches packages/node-smol-builder/patches packages/node-smol-builder/additions scripts -type f \( -name "*.patch" -o -name "*.template.patch" -o -name "*.mjs" -o -name "*.template.mjs" -o -name "*.h" -o -name "*.c" -o -name "*.cc" \) | sort | xargs shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+
+ # Validate smol hash was computed successfully.
+ if [ -z "$SMOL_HASH" ]; then
+ echo "Error: Failed to compute SMOL cache key hash" >&2
+ exit 1
+ fi
+
+ SMOL_DEPS_HASH=$(echo "$DEPS_HASH-$LOCK_HASH" | shasum -a 256 | cut -d' ' -f1)
+ SMOL_COMBINED=$(echo "$SMOL_HASH-$SMOL_DEPS_HASH" | shasum -a 256 | cut -d' ' -f1)
+ echo "smol-hash=$SMOL_COMBINED" >> $GITHUB_OUTPUT
+
+ - name: Restore SEA binary cache
+ id: sea-cache
+ uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ with:
+ path: packages/node-sea-builder/dist/sea/
+ key: node-sea-linux-x64-${{ steps.cache-keys.outputs.sea-hash }}
+ # Note: restore-keys removed to prevent cache poisoning attacks.
+
+ - name: Restore smol binary cache
+ id: smol-cache
+ uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ with:
+ path: packages/node-smol-builder/dist/
+ key: node-smol-linux-x64-${{ steps.cache-keys.outputs.smol-hash }}
+ # Note: restore-keys removed to prevent cache poisoning attacks.
+
+ - name: Setup cached binaries for testing
+ id: setup-binaries
+ shell: bash
+ run: |
+ echo "Setting up cached binaries for integration tests..."
+ echo ""
+ echo "Cache restoration status:"
+ echo " SEA cache hit: ${STEPS_SEA_CACHE_OUTPUTS_CACHE_HIT}"
+ echo " Smol cache hit: ${STEPS_SMOL_CACHE_OUTPUTS_CACHE_HIT}"
+ echo ""
+
+ # Debug: List cache directories.
+ echo "SEA dist directory contents:"
+ ls -lah packages/node-sea-builder/dist/ 2>/dev/null || echo " (directory does not exist)"
+ echo ""
+ echo "Smol dist directory contents:"
+ ls -lah packages/node-smol-builder/dist/ 2>/dev/null || echo " (directory does not exist)"
+ echo ""
+
+ # Copy SEA binary from cache to expected test location.
+ SEA_CACHED="packages/node-sea-builder/dist/sea/socket-linux-x64"
+ SEA_TARGET="packages/node-sea-builder/dist/socket-sea"
+ if [ -f "$SEA_CACHED" ]; then
+ mkdir -p "$(dirname "$SEA_TARGET")"
+ cp "$SEA_CACHED" "$SEA_TARGET"
+ chmod +x "$SEA_TARGET"
+ echo "✓ SEA binary restored from cache: $SEA_TARGET"
+ echo "sea=true" >> $GITHUB_OUTPUT
+ else
+ echo "✗ SEA binary not found in cache (expected: $SEA_CACHED)"
+ if [ "${STEPS_SEA_CACHE_OUTPUTS_CACHE_HIT}" = "true" ]; then
+ echo " Cache was restored but binary not at expected location"
+ echo " Available files in packages/node-sea-builder/dist/:"
+ find packages/node-sea-builder/dist/ -type f 2>/dev/null || echo " (no files found)"
+ else
+ echo " No cache available - binaries not built yet"
+ echo " Run build-sea.yml workflow to build and cache SEA binaries"
+ fi
+ echo "sea=false" >> $GITHUB_OUTPUT
+ fi
+
+ # Copy smol binary from cache to expected test location.
+ SMOL_CACHED="packages/node-smol-builder/dist/socket-smol-linux-x64"
+ SMOL_TARGET="packages/node-smol-builder/dist/socket-smol"
+ if [ -f "$SMOL_CACHED" ]; then
+ mkdir -p "$(dirname "$SMOL_TARGET")"
+ cp "$SMOL_CACHED" "$SMOL_TARGET"
+ chmod +x "$SMOL_TARGET"
+ echo "✓ Smol binary restored from cache: $SMOL_TARGET"
+ echo "smol=true" >> $GITHUB_OUTPUT
+ else
+ echo "✗ Smol binary not found in cache (expected: $SMOL_CACHED)"
+ if [ "${STEPS_SMOL_CACHE_OUTPUTS_CACHE_HIT}" = "true" ]; then
+ echo " Cache was restored but binary not at expected location"
+ echo " Available files in packages/node-smol-builder/dist/:"
+ find packages/node-smol-builder/dist/ -type f 2>/dev/null || echo " (no files found)"
+ else
+ echo " No cache available - binaries not built yet"
+ echo " Run build-smol.yml workflow to build and cache smol binaries"
+ fi
+ echo "smol=false" >> $GITHUB_OUTPUT
+ fi
+
+ # JS distribution (always available after build).
+ if [ -f "packages/cli/dist/index.js" ]; then
+ echo "✓ JS distribution: packages/cli/dist/index.js"
+ echo "js=true" >> $GITHUB_OUTPUT
+ else
+ echo "✗ JS distribution: not found"
+ echo "js=false" >> $GITHUB_OUTPUT
+ fi
+
+ echo ""
+ echo "Integration tests will run against all available distributions."
+ env:
+ STEPS_SEA_CACHE_OUTPUTS_CACHE_HIT: ${{ steps.sea-cache.outputs.cache-hit || 'false' }}
+ STEPS_SMOL_CACHE_OUTPUTS_CACHE_HIT: ${{ steps.smol-cache.outputs.cache-hit || 'false' }}
+
+ - name: Run integration tests (all available distributions)
+ working-directory: packages/cli
+ run: node scripts/integration.mjs --all
+
+ e2e:
+ name: E2E Tests (Shard ${{ matrix.shard }}/2)
+ needs: [ci, versions]
+ runs-on: ${{ matrix.os }}
+ timeout-minutes: 15
+ permissions:
+ contents: read # Read repository contents for e2e test execution.
+ strategy:
+ fail-fast: false
+ max-parallel: 4
+ matrix:
+ node-version: ${{ fromJSON(inputs.node-versions || needs.versions.outputs.node) }}
+ os: [ubuntu-latest]
+ shard: [1, 2]
+ steps:
+ - uses: SocketDev/socket-registry/.github/actions/setup-and-install@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
+ with:
+ node-version: ${{ matrix.node-version }}
+
+ - name: Generate CLI build cache key
+ id: cli-cache-key
+ shell: bash
+ run: |
+ # Validate required files exist.
+ if [ ! -f pnpm-lock.yaml ]; then
+ echo "Error: pnpm-lock.yaml not found" >&2
+ exit 1
+ fi
+ if [ ! -d packages/cli/src ]; then
+ echo "Error: packages/cli/src directory not found" >&2
+ exit 1
+ fi
+
+ # Compute hashes with proper error handling.
+ PNPM_LOCK_HASH=$(shasum -a 256 pnpm-lock.yaml | cut -d' ' -f1)
+ CLI_SRC_HASH=$(find packages/cli/src -type f \( -name "*.mts" -o -name "*.ts" -o -name "*.mjs" -o -name "*.js" \) -print0 | sort -z | xargs -0 shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+ CLI_CONFIG_HASH=$(find packages/cli/.config packages/cli/scripts -type f -name "*.mjs" -print0 | sort -z | xargs -0 shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+
+ # Validate hashes were computed successfully.
+ if [ -z "$PNPM_LOCK_HASH" ] || [ -z "$CLI_SRC_HASH" ] || [ -z "$CLI_CONFIG_HASH" ]; then
+ echo "Error: Failed to compute one or more cache key hashes" >&2
+ exit 1
+ fi
+
+ CLI_COMBINED=$(echo "$PNPM_LOCK_HASH-$CLI_SRC_HASH-$CLI_CONFIG_HASH" | shasum -a 256 | cut -d' ' -f1)
+ echo "hash=$CLI_COMBINED" >> $GITHUB_OUTPUT
+
+ - name: Restore CLI build cache
+ id: cli-build-cache
+ uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ with:
+ path: |
+ packages/cli/build/
+ packages/cli/dist/
+ key: cli-build-${{ runner.os }}-${{ steps.cli-cache-key.outputs.hash }}
+ # Note: restore-keys removed to prevent cache poisoning attacks.
+ lookup-only: true
+
+ - name: Build CLI
+ working-directory: packages/cli
+ run: pnpm run build
+
+ - name: Run e2e tests (shard ${{ matrix.shard }})
+ working-directory: packages/cli
+ env:
+ SOCKET_CLI_API_TOKEN: ${{ secrets.SOCKET_CLI_API_TOKEN }}
+ run: pnpm run e2e-tests --shard=${{ matrix.shard }}/2
diff --git a/.github/workflows/claude-auto-review.yml b/.github/workflows/claude-auto-review.yml
new file mode 100644
index 000000000..d3bea4c13
--- /dev/null
+++ b/.github/workflows/claude-auto-review.yml
@@ -0,0 +1,23 @@
+name: 🤖 Claude Auto Review
+
+on:
+ pull_request:
+ types: [opened]
+ workflow_dispatch:
+ inputs:
+ force:
+ description: 'Force rebuild (ignore cache)'
+ type: boolean
+ default: false
+
+permissions: {}
+
+jobs:
+ auto-review:
+ permissions:
+ contents: read # Read repository contents for code review analysis.
+ id-token: write # Mint OIDC tokens for authentication with external services.
+ pull-requests: read # Read PR metadata and comments for review context.
+ uses: SocketDev/socket-registry/.github/workflows/claude-auto-review.yml@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
+ secrets:
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
diff --git a/.github/workflows/claude.yml b/.github/workflows/claude.yml
new file mode 100644
index 000000000..af3ee5d0f
--- /dev/null
+++ b/.github/workflows/claude.yml
@@ -0,0 +1,30 @@
+name: 🤖 Claude Code
+
+on:
+ issue_comment:
+ types: [created]
+ pull_request_review_comment:
+ types: [created]
+ issues:
+ types: [opened, assigned]
+ pull_request_review:
+ types: [submitted]
+ workflow_dispatch:
+ inputs:
+ force:
+ description: 'Force rebuild (ignore cache)'
+ type: boolean
+ default: false
+
+permissions: {}
+
+jobs:
+ claude:
+ permissions:
+ contents: read # Read repository contents for code analysis.
+ id-token: write # Mint OIDC tokens for authentication with external services.
+ issues: write # Create and update issue comments with Claude responses.
+ pull-requests: write # Create and update PR comments with Claude responses.
+ uses: SocketDev/socket-registry/.github/workflows/claude.yml@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
+ secrets:
+ anthropic_api_key: ${{ secrets.ANTHROPIC_API_KEY }}
diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
deleted file mode 100644
index 32928eb42..000000000
--- a/.github/workflows/lint.yml
+++ /dev/null
@@ -1,26 +0,0 @@
-name: Linting
-
-on:
- push:
- branches:
- - master
- tags:
- - '*'
- pull_request:
- branches:
- - master
-
-permissions:
- contents: read
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
- cancel-in-progress: true
-
-jobs:
- linting:
- name: "Linting"
- uses: SocketDev/workflows/.github/workflows/reusable-base.yml@master
- with:
- no-lockfile: true
- npm-test-script: 'check'
diff --git a/.github/workflows/nodejs.yml b/.github/workflows/nodejs.yml
deleted file mode 100644
index 13352d01a..000000000
--- a/.github/workflows/nodejs.yml
+++ /dev/null
@@ -1,28 +0,0 @@
-name: Node CI
-
-on:
- push:
- branches:
- - master
- tags:
- - '*'
- pull_request:
- branches:
- - master
-
-permissions:
- contents: read
-
-concurrency:
- group: ${{ github.workflow }}-${{ github.head_ref || github.run_id }}
- cancel-in-progress: true
-
-jobs:
- test:
- name: "Tests"
- uses: SocketDev/workflows/.github/workflows/reusable-base.yml@master
- with:
- no-lockfile: true
- npm-test-script: 'test-ci'
- node-versions: '14,16,18,19'
- os: 'ubuntu-latest,windows-latest'
diff --git a/.github/workflows/provenance.yml b/.github/workflows/provenance.yml
new file mode 100644
index 000000000..5f22332ce
--- /dev/null
+++ b/.github/workflows/provenance.yml
@@ -0,0 +1,202 @@
+name: 📦 Publish Bins
+
+concurrency:
+ group: publish-${{ github.ref }}
+ cancel-in-progress: false
+
+on:
+ workflow_dispatch:
+ inputs:
+ force:
+ description: 'Force rebuild (ignore cache)'
+ type: boolean
+ default: false
+ debug:
+ description: 'Enable debug output'
+ required: false
+ default: '0'
+ type: string
+ options:
+ - '0'
+ - '1'
+ publish-socket:
+ description: 'Publish socket package'
+ required: false
+ type: boolean
+ default: true
+ publish-cli:
+ description: 'Publish @socketsecurity/cli package'
+ required: false
+ type: boolean
+ default: true
+ publish-cli-sentry:
+ description: 'Publish @socketsecurity/cli-with-sentry package'
+ required: false
+ type: boolean
+ default: true
+ js-fallback:
+ description: 'Publish JS-only fallback version (no native binaries)'
+ required: false
+ type: boolean
+ default: false
+
+permissions: {}
+
+jobs:
+ build:
+ name: Build and Publish Package with Provenance
+ runs-on: ubuntu-latest
+
+ permissions:
+ contents: read
+ id-token: write # Required for npm provenance generation (OIDC token)
+
+ steps:
+ - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ autocrlf: false
+ persist-credentials: false
+
+ - name: Setup Node.js
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+ with:
+ node-version-file: .node-version
+ cache: '' # Disable automatic caching to prevent cache poisoning.
+
+ - name: Setup pnpm
+ uses: pnpm/action-setup@41ff72655975bd51cab0327fa583b6e92b6d3061 # v4.2.0
+
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+
+ - uses: SocketDev/socket-registry/.github/actions/setup@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
+ with:
+ scope: '@socketsecurity'
+ - name: Cache yoga-layout WASM
+ id: cache-yoga
+ uses: actions/cache@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ with:
+ path: packages/yoga-layout/build/wasm
+ key: yoga-wasm-${{ hashFiles('packages/yoga-layout/package.json', 'packages/yoga-layout/yoga/**') }}
+ # Note: restore-keys removed to prevent cache poisoning attacks.
+ - name: Verify or build yoga-layout WASM
+ run: |
+ if [ ! -f packages/yoga-layout/build/wasm/yoga.wasm ]; then
+ echo "⚠️ yoga-layout WASM not found in cache - building locally"
+ pnpm --filter @socketsecurity/yoga-layout run build
+ echo "✓ yoga-layout WASM built successfully"
+ else
+ echo "✓ yoga-layout WASM found in cache"
+ fi
+ - run: npm install -g npm@latest
+
+ # Build and publish 'socket' package (default).
+ - name: Update socketbin versions in socket package
+ if: ${{ inputs.publish-socket != false }}
+ run: node scripts/update-socketbin-versions.mjs
+ - name: Prepare socket package for publishing
+ if: ${{ inputs.publish-socket != false }}
+ run: |
+ SOCKET_VERSION=$(node -p "require('./packages/socket/package.json').version")
+ echo "Socket version: $SOCKET_VERSION"
+ echo "SOCKET_VERSION=$SOCKET_VERSION" >> $GITHUB_ENV
+ node scripts/prepare-package-for-publish.mjs packages/socket
+ - name: Build socket package
+ if: ${{ inputs.publish-socket != false }}
+ run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 pnpm run build
+ - name: Validate socket package
+ if: ${{ inputs.publish-socket != false }}
+ run: pnpm --filter socket run verify
+ - name: Smoke test socket package
+ if: ${{ inputs.publish-socket != false }}
+ run: |
+ echo "Running smoke test on socket package..."
+ cd packages/socket
+
+ # Pack the package locally (doesn't publish).
+ npm pack
+
+ # Install it in a temp directory.
+ TEMP_DIR=$(mktemp -d)
+ cd "$TEMP_DIR"
+ npm install --no-save "$OLDPWD"/socket-*.tgz
+
+ # Test basic commands.
+ echo "Testing: socket --version"
+ npx socket --version || (echo "✗ socket --version failed" && exit 1)
+
+ echo "Testing: socket --help"
+ npx socket --help || (echo "✗ socket --help failed" && exit 1)
+
+ echo "✓ Smoke test passed"
+
+ # Cleanup.
+ if [ -n "$TEMP_DIR" ] && [ -d "$TEMP_DIR" ]; then
+ rm -rf "$TEMP_DIR"
+ fi
+ - name: Publish socket package
+ if: ${{ inputs.publish-socket != false }}
+ working-directory: packages/socket
+ run: npm publish --provenance --access public --no-git-checks
+ continue-on-error: true
+ env:
+ SOCKET_CLI_DEBUG: ${{ inputs.debug }}
+
+ # Build and publish '@socketsecurity/cli' package (legacy).
+ - name: Prepare @socketsecurity/cli package for publishing
+ if: ${{ inputs.publish-cli != false }}
+ run: node scripts/prepare-package-for-publish.mjs packages/cli "${SOCKET_VERSION}"
+ - name: Build @socketsecurity/cli package
+ if: ${{ inputs.publish-cli != false }}
+ run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 INLINED_SOCKET_CLI_LEGACY_BUILD=1 pnpm run build
+ env:
+ SOCKET_CLI_DEBUG: ${{ inputs.debug }}
+ - name: Validate @socketsecurity/cli package
+ if: ${{ inputs.publish-cli != false }}
+ run: pnpm --filter @socketsecurity/cli run verify
+ - name: Publish @socketsecurity/cli package
+ if: ${{ inputs.publish-cli != false }}
+ working-directory: packages/cli
+ run: npm publish --provenance --access public --no-git-checks
+ continue-on-error: true
+ env:
+ SOCKET_CLI_DEBUG: ${{ inputs.debug }}
+
+ # Build and publish '@socketsecurity/cli-with-sentry' package.
+ - name: Prepare @socketsecurity/cli-with-sentry package for publishing
+ if: ${{ inputs.publish-cli-sentry != false }}
+ run: node scripts/prepare-package-for-publish.mjs packages/cli-with-sentry "${SOCKET_VERSION}"
+ - name: Build @socketsecurity/cli-with-sentry package
+ if: ${{ inputs.publish-cli-sentry != false }}
+ run: INLINED_SOCKET_CLI_PUBLISHED_BUILD=1 INLINED_SOCKET_CLI_SENTRY_BUILD=1 pnpm run build --target cli-sentry
+ env:
+ SOCKET_CLI_DEBUG: ${{ inputs.debug }}
+ - name: Validate @socketsecurity/cli-with-sentry package
+ if: ${{ inputs.publish-cli-sentry != false }}
+ run: pnpm --filter @socketsecurity/cli-with-sentry run verify
+ - name: Publish @socketsecurity/cli-with-sentry package
+ if: ${{ inputs.publish-cli-sentry != false }}
+ working-directory: packages/cli-with-sentry
+ run: npm publish --provenance --access public --no-git-checks
+ continue-on-error: true
+ env:
+ SOCKET_CLI_DEBUG: ${{ inputs.debug }}
+
+ # Build and publish JS-only fallback version (when native binaries fail).
+ - name: Build JS-only fallback package
+ if: ${{ inputs.js-fallback }}
+ working-directory: packages/cli
+ run: pnpm run build:js
+ - name: Validate JS-only fallback package
+ if: ${{ inputs.js-fallback }}
+ working-directory: packages/cli
+ run: |
+ # Verify build artifacts exist
+ test -f dist/index.js || exit 1
+ test -f dist/cli.js.bz || exit 1
+ echo "✓ JS-only fallback package built successfully"
+ - name: Publish JS-only fallback package
+ if: ${{ inputs.js-fallback }}
+ working-directory: packages/cli
+ run: npm publish --provenance --access public --no-git-checks
+ continue-on-error: true
diff --git a/.github/workflows/publish-socketbin.yml b/.github/workflows/publish-socketbin.yml
new file mode 100644
index 000000000..0a87ce8fb
--- /dev/null
+++ b/.github/workflows/publish-socketbin.yml
@@ -0,0 +1,566 @@
+name: 📦 Publish CLIs
+
+concurrency:
+ group: publish-socketbin-${{ github.ref }}
+ cancel-in-progress: false
+
+on:
+ workflow_dispatch:
+ inputs:
+ force:
+ description: 'Force rebuild (ignore cache)'
+ type: boolean
+ default: false
+ version:
+ description: 'Version to publish (semver format: 0.0.0-20250122.143052, auto-generated if omitted)'
+ required: false
+ type: string
+ method:
+ description: 'Build method to use'
+ required: false
+ type: choice
+ options:
+ - sea
+ - smol
+ - smol-sea
+ default: sea
+ build-linux:
+ description: 'Build Linux binaries'
+ required: false
+ type: boolean
+ default: true
+ build-macos:
+ description: 'Build macOS binaries'
+ required: false
+ type: boolean
+ default: true
+ build-windows:
+ description: 'Build Windows binaries'
+ required: false
+ type: boolean
+ default: true
+ dry-run:
+ description: 'Dry run (build but do not publish) - primes cache for CI e2e tests'
+ required: false
+ type: boolean
+ default: false
+
+permissions:
+ contents: read
+
+jobs:
+ build-sea:
+ permissions:
+ contents: read
+ name: Build ${{ matrix.platform }}-${{ matrix.arch }}
+ runs-on: ${{ matrix.runner }}
+ strategy:
+ fail-fast: false
+ matrix:
+ include:
+ # Linux builds
+ - runner: ubuntu-latest
+ os: linux
+ platform: linux
+ arch: x64
+ - runner: ubuntu-latest
+ os: linux
+ platform: linux
+ arch: arm64
+
+ # Linux musl builds
+ - runner: ubuntu-latest
+ os: linux
+ platform: linux
+ libc: musl
+ arch: x64
+ - runner: ubuntu-latest
+ os: linux
+ platform: linux
+ libc: musl
+ arch: arm64
+
+ # macOS builds
+ - runner: macos-latest
+ os: darwin
+ platform: darwin
+ arch: x64
+ - runner: macos-latest
+ os: darwin
+ platform: darwin
+ arch: arm64
+
+ # Windows builds
+ - runner: windows-latest
+ os: windows
+ platform: win32
+ arch: x64
+ - runner: windows-latest
+ os: windows
+ platform: win32
+ arch: arm64
+
+ steps:
+ - name: Check if platform is enabled
+ id: check-platform
+ shell: bash
+ run: |
+ SHOULD_RUN="false"
+ if [ "$MATRIX_PLATFORM" = "linux" ]; then
+ if [ "$BUILD_LINUX" != "false" ]; then
+ SHOULD_RUN="true"
+ fi
+ elif [ "$MATRIX_PLATFORM" = "darwin" ]; then
+ if [ "$BUILD_MACOS" != "false" ]; then
+ SHOULD_RUN="true"
+ fi
+ elif [ "$MATRIX_PLATFORM" = "win32" ]; then
+ if [ "$BUILD_WINDOWS" != "false" ]; then
+ SHOULD_RUN="true"
+ fi
+ fi
+ echo "should-run=$SHOULD_RUN" >> $GITHUB_OUTPUT
+ if [ "$SHOULD_RUN" = "true" ]; then
+ echo "✓ Building ${MATRIX_PLATFORM}-${MATRIX_ARCH}"
+ else
+ echo "⊘ Skipping ${MATRIX_PLATFORM}-${MATRIX_ARCH} (disabled by inputs)"
+ fi
+ env:
+ MATRIX_PLATFORM: ${{ matrix.platform }}
+ MATRIX_ARCH: ${{ matrix.arch }}
+ BUILD_LINUX: ${{ inputs.build-linux }}
+ BUILD_MACOS: ${{ inputs.build-macos }}
+ BUILD_WINDOWS: ${{ inputs.build-windows }}
+
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ autocrlf: false
+ persist-credentials: false
+
+ - name: Setup Node.js
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+ with:
+ node-version-file: .node-version
+ registry-url: 'https://registry.npmjs.org'
+ cache: '' # Disable automatic caching to prevent cache poisoning.
+
+ - name: Setup pnpm
+ uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
+
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+
+ - name: Setup ccache (Linux/macOS)
+ if: matrix.os != 'windows'
+ uses: hendrikmuhs/ccache-action@ed74d11c0b343532753ecead8a951bb09bb34bc9 # v1.2.14
+ with:
+ key: build-${{ matrix.platform }}-${{ matrix.arch }}
+ max-size: 2G
+
+ - name: Generate build-deps cache key for smol
+ if: inputs.method == 'smol' || inputs.method == 'smol-sea'
+ id: smol-deps-cache-key
+ shell: bash
+ run: |
+ # Generate hash from bootstrap/socket packages (matches build-smol.yml).
+ if [ "${{ matrix.os }}" = "windows" ]; then
+ HASH=$(find packages/bootstrap packages/socket -type f \( -name "*.mts" -o -name "*.ts" -o -name "*.mjs" -o -name "*.js" -o -name "*.json" \) ! -path "*/node_modules/*" ! -path "*/dist/*" ! -path "*/build/*" | sort | xargs sha256sum | sha256sum | cut -d' ' -f1)
+ else
+ HASH=$(find packages/bootstrap packages/socket -type f \( -name "*.mts" -o -name "*.ts" -o -name "*.mjs" -o -name "*.js" -o -name "*.json" \) ! -path "*/node_modules/*" ! -path "*/dist/*" ! -path "*/build/*" | sort | xargs shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+ fi
+ echo "deps-hash=$HASH" >> $GITHUB_OUTPUT
+
+ - name: Restore build-deps cache for smol
+ if: inputs.method == 'smol' || inputs.method == 'smol-sea'
+ id: smol-deps-cache
+ uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ with:
+ path: |
+ packages/bootstrap/dist/
+ packages/socket/dist/
+ key: build-deps-smol-${{ steps.smol-deps-cache-key.outputs.deps-hash }}
+ # Note: restore-keys removed to prevent cache poisoning attacks.
+
+ - name: Build bootstrap package for smol
+ if: (inputs.method == 'smol' || inputs.method == 'smol-sea') && steps.smol-deps-cache.outputs.cache-hit != 'true'
+ run: pnpm --filter @socketsecurity/bootstrap run build
+
+ - name: Build socket package bootstrap for smol
+ if: (inputs.method == 'smol' || inputs.method == 'smol-sea') && steps.smol-deps-cache.outputs.cache-hit != 'true'
+ run: pnpm --filter socket run build
+
+ - name: Generate smol build cache key
+ if: inputs.method == 'smol' || inputs.method == 'smol-sea'
+ id: smol-cache-key
+ shell: bash
+ run: |
+ # Generate hash from patches and build scripts (matches build-smol.yml).
+ if [ "${{ matrix.os }}" = "windows" ]; then
+ PATCHES_HASH=$(find patches packages/node-smol-builder/patches packages/node-smol-builder/additions scripts -type f \( -name "*.patch" -o -name "*.mjs" -o -name "*.h" -o -name "*.c" -o -name "*.cc" \) | sort | xargs sha256sum | sha256sum | cut -d' ' -f1)
+ COMBINED_HASH=$(echo "$PATCHES_HASH-${STEPS_SMOL_DEPS_CACHE_KEY_OUTPUTS_DEPS_HASH}" | sha256sum | cut -d' ' -f1)
+ else
+ PATCHES_HASH=$(find patches packages/node-smol-builder/patches packages/node-smol-builder/additions scripts -type f \( -name "*.patch" -o -name "*.mjs" -o -name "*.h" -o -name "*.c" -o -name "*.cc" \) | sort | xargs shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+ COMBINED_HASH=$(echo "$PATCHES_HASH-${STEPS_SMOL_DEPS_CACHE_KEY_OUTPUTS_DEPS_HASH}" | shasum -a 256 | cut -d' ' -f1)
+ fi
+ echo "hash=$COMBINED_HASH" >> $GITHUB_OUTPUT
+ env:
+ STEPS_SMOL_DEPS_CACHE_KEY_OUTPUTS_DEPS_HASH: ${{ steps.smol-deps-cache-key.outputs.deps-hash }}
+
+ - name: Restore smol binary cache
+ if: inputs.method == 'smol' || inputs.method == 'smol-sea'
+ id: smol-cache
+ uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ with:
+ path: packages/node-smol-builder/dist/socket-smol-${{ matrix.platform }}-${{ matrix.arch }}${{ matrix.os == 'windows' && '.exe' || '' }}
+ key: node-smol-${{ matrix.platform }}-${{ matrix.arch }}-${{ steps.smol-cache-key.outputs.hash }}
+ # Note: restore-keys removed to prevent cache poisoning attacks.
+
+ - name: Build smol Node.js binary
+ id: build-smol
+ if: (inputs.method == 'smol' || inputs.method == 'smol-sea') && steps.smol-cache.outputs.cache-hit != 'true'
+ continue-on-error: true
+ shell: bash
+ run: |
+ echo "Building smol Node.js binary..."
+ pnpm --filter @socketsecurity/node-smol-builder run build -- \
+ --platform=${{ matrix.platform }} \
+ --arch=${{ matrix.arch }}
+
+ - name: Build smol binary (fallback with clean rebuild)
+ if: (inputs.method == 'smol' || inputs.method == 'smol-sea') && steps.smol-cache.outputs.cache-hit != 'true' && steps.build-smol.outcome == 'failure'
+ shell: bash
+ run: |
+ echo "Initial smol build failed, attempting clean rebuild..."
+ pnpm --filter @socketsecurity/node-smol-builder run build -- \
+ --platform=${{ matrix.platform }} \
+ --arch=${{ matrix.arch }} \
+ --clean
+
+ - name: Generate build-deps cache key
+ if: inputs.method == 'sea' || inputs.method == 'smol-sea'
+ id: deps-cache-key
+ shell: bash
+ run: |
+ # Include pnpm-lock.yaml to detect dependency changes (matches build-sea.yml).
+ if [ "${{ matrix.os }}" = "windows" ]; then
+ HASH=$(find packages/bootstrap packages/socket -type f \( -name "*.mts" -o -name "*.ts" -o -name "*.mjs" -o -name "*.js" -o -name "*.json" \) ! -path "*/node_modules/*" ! -path "*/dist/*" ! -path "*/build/*" | sort | xargs sha256sum | sha256sum | cut -d' ' -f1)
+ LOCK_HASH=$(sha256sum pnpm-lock.yaml | cut -d' ' -f1)
+ COMBINED_HASH=$(echo "$HASH-$LOCK_HASH" | sha256sum | cut -d' ' -f1)
+ else
+ HASH=$(find packages/bootstrap packages/socket -type f \( -name "*.mts" -o -name "*.ts" -o -name "*.mjs" -o -name "*.js" -o -name "*.json" \) ! -path "*/node_modules/*" ! -path "*/dist/*" ! -path "*/build/*" | sort | xargs shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+ LOCK_HASH=$(shasum -a 256 pnpm-lock.yaml | cut -d' ' -f1)
+ COMBINED_HASH=$(echo "$HASH-$LOCK_HASH" | shasum -a 256 | cut -d' ' -f1)
+ fi
+ echo "deps-hash=$COMBINED_HASH" >> $GITHUB_OUTPUT
+
+ - name: Restore build-deps cache
+ if: inputs.method == 'sea' || inputs.method == 'smol-sea'
+ id: deps-cache
+ uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ with:
+ path: |
+ packages/bootstrap/dist/
+ packages/socket/dist/
+ key: build-deps-sea-${{ steps.deps-cache-key.outputs.deps-hash }}
+ # Note: restore-keys removed to prevent cache poisoning attacks.
+
+ - name: Build bootstrap package
+ if: (inputs.method == 'sea' || inputs.method == 'smol-sea') && steps.deps-cache.outputs.cache-hit != 'true'
+ run: pnpm --filter @socketsecurity/bootstrap run build
+
+ - name: Build socket package bootstrap
+ if: (inputs.method == 'sea' || inputs.method == 'smol-sea') && steps.deps-cache.outputs.cache-hit != 'true'
+ run: pnpm --filter socket run build
+
+ - name: Generate SEA build cache key
+ if: inputs.method == 'sea' || inputs.method == 'smol-sea'
+ id: sea-cache-key
+ shell: bash
+ run: |
+ # Include bootstrap/socket/cli dependencies in cache key (matches build-sea.yml).
+ if [ "${{ matrix.os }}" = "windows" ]; then
+ SEA_HASH=$(find packages/node-sea-builder packages/cli/src -type f \( -name "*.mts" -o -name "*.ts" -o -name "*.mjs" -o -name "*.js" \) | sort | xargs sha256sum | sha256sum | cut -d' ' -f1)
+ COMBINED_HASH=$(echo "$SEA_HASH-${STEPS_DEPS_CACHE_KEY_OUTPUTS_DEPS_HASH}" | sha256sum | cut -d' ' -f1)
+ else
+ SEA_HASH=$(find packages/node-sea-builder packages/cli/src -type f \( -name "*.mts" -o -name "*.ts" -o -name "*.mjs" -o -name "*.js" \) | sort | xargs shasum -a 256 | shasum -a 256 | cut -d' ' -f1)
+ COMBINED_HASH=$(echo "$SEA_HASH-${STEPS_DEPS_CACHE_KEY_OUTPUTS_DEPS_HASH}" | shasum -a 256 | cut -d' ' -f1)
+ fi
+ echo "hash=$COMBINED_HASH" >> $GITHUB_OUTPUT
+ env:
+ STEPS_DEPS_CACHE_KEY_OUTPUTS_DEPS_HASH: ${{ steps.deps-cache-key.outputs.deps-hash }}
+
+ - name: Restore SEA binary cache
+ if: inputs.method == 'sea' || inputs.method == 'smol-sea'
+ id: sea-cache
+ uses: actions/cache/restore@8b402f58fbc84540c8b491a91e594a4576fec3d7 # v5.0.2
+ with:
+ path: packages/node-sea-builder/dist/sea/
+ key: node-sea-${{ matrix.platform }}-${{ matrix.arch }}-${{ steps.sea-cache-key.outputs.hash }}
+ # Note: restore-keys removed to prevent cache poisoning attacks.
+
+ - name: Build CLI (required for SEA)
+ if: (inputs.method == 'sea' || inputs.method == 'smol-sea') && steps.sea-cache.outputs.cache-hit != 'true'
+ shell: bash
+ run: pnpm --filter @socketsecurity/cli run build
+
+ - name: Build SEA binary
+ id: build-sea
+ if: (inputs.method == 'sea' || inputs.method == 'smol-sea') && steps.sea-cache.outputs.cache-hit != 'true'
+ shell: bash
+ run: |
+ echo "Building SEA binary..."
+
+ LIBC_FLAG=""
+ if [ "${{ matrix.libc }}" = "musl" ]; then
+ LIBC_FLAG="--libc=musl"
+ fi
+
+ pnpm --filter @socketbin/node-sea-builder run build -- \
+ --platform=${{ matrix.platform }} \
+ --arch=${{ matrix.arch }} \
+ ${LIBC_FLAG}
+
+ - name: Copy binary to dist/sea for prepublish script
+ shell: bash
+ run: |
+ mkdir -p dist/sea
+
+ # Determine musl suffix
+ MUSL_SUFFIX=""
+ if [ "${{ matrix.libc }}" = "musl" ]; then
+ MUSL_SUFFIX="-musl"
+ fi
+
+ # Determine source binary name (from build-sea.yml naming).
+ if [ "${{ matrix.platform }}" = "win32" ]; then
+ SOURCE_BINARY="packages/node-sea-builder/dist/sea/socket-win-${{ matrix.arch }}.exe"
+ TARGET_BINARY="dist/sea/socket-${{ matrix.platform }}-${{ matrix.arch }}.exe"
+ elif [ "${{ matrix.platform }}" = "darwin" ]; then
+ SOURCE_BINARY="packages/node-sea-builder/dist/sea/socket-macos-${{ matrix.arch }}"
+ TARGET_BINARY="dist/sea/socket-${{ matrix.platform }}-${{ matrix.arch }}"
+ else
+ SOURCE_BINARY="packages/node-sea-builder/dist/sea/socket-${{ matrix.platform }}-${{ matrix.arch }}${MUSL_SUFFIX}"
+ TARGET_BINARY="dist/sea/socket-${{ matrix.platform }}-${{ matrix.arch }}${MUSL_SUFFIX}"
+ fi
+
+ cp "$SOURCE_BINARY" "$TARGET_BINARY"
+ echo "Copied $SOURCE_BINARY -> $TARGET_BINARY"
+
+ - name: Verify binary
+ shell: bash
+ run: |
+ ls -la dist/sea/socket-*
+ file dist/sea/socket-* || true
+
+ - name: Upload binary artifact
+ uses: actions/upload-artifact@330a01c490aca151604b8cf639adc76d48f6c5d4 # v5.0.0
+ with:
+ name: binary-${{ matrix.platform }}-${{ matrix.arch }}
+ path: dist/sea/socket-*
+ retention-days: 1
+
+ publish-packages:
+ name: Publish to npm
+ needs: build-sea
+ runs-on: ubuntu-latest
+ permissions:
+ contents: read
+ id-token: write # For provenance
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+ with:
+ autocrlf: false
+ persist-credentials: false
+
+ - name: Setup Node.js
+ uses: actions/setup-node@6044e13b5dc448c55e2357c09f80417699197238 # v6.2.0
+ with:
+ node-version-file: .node-version
+ registry-url: 'https://registry.npmjs.org'
+ cache: '' # Disable automatic caching to prevent cache poisoning.
+
+ - name: Setup pnpm
+ uses: pnpm/action-setup@fe02b34f77f8bc703788d5817da081398fad5dd2 # v4.0.0
+
+ - name: Install latest npm
+ run: npm install -g npm@latest
+
+ - name: Install dependencies
+ run: pnpm install --frozen-lockfile
+
+ - name: Determine version
+ id: version
+ run: |
+ VERSION="${INPUTS_VERSION}"
+ if [ -z "$VERSION" ]; then
+ # Read base version from socketbin package using Node.js directly (avoids shell injection).
+ BASE_VERSION=$(node -e "const pkg = require('./packages/socketbin-cli-linux-x64/package.json'); const semver = require('semver'); const v = semver.parse(pkg.version); console.log(v ? \`\${v.major}.\${v.minor}.\${v.patch}\` : '0.0.0');")
+ # Auto-generate version in semver format: X.Y.Z-YYYYMMDD.HHmmss.
+ VERSION="${BASE_VERSION}-$(date -u +'%Y%m%d.%H%M%S')"
+ echo "Generated version: $VERSION"
+ else
+ # Remove 'v' prefix if present.
+ VERSION="${VERSION#v}"
+ # Validate user-provided version is valid semver (pass as argv to avoid injection).
+ VALID=$(node -e "const semver = require('semver'); console.log(semver.valid(process.argv[1]) ? 'true' : 'false');" "$VERSION")
+ if [ "$VALID" != "true" ]; then
+ echo "::error::Invalid version format: $VERSION (must be valid semver)"
+ exit 1
+ fi
+ echo "Using provided version: $VERSION"
+ fi
+ echo "version=${VERSION}" >> $GITHUB_OUTPUT
+ env:
+ INPUTS_VERSION: ${{ inputs.version }}
+
+ - name: Check version consistency
+ run: |
+ echo "🔍 Checking version consistency for v$STEPS_VERSION_OUTPUTS_VERSION..."
+ node scripts/check-version-consistency.mjs "$STEPS_VERSION_OUTPUTS_VERSION"
+ env:
+ STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+
+ - name: Download all binaries
+ uses: actions/download-artifact@018cc2cf5baa6db3ef3c5f8a56943fffe632ef53 # v6.0.0
+ with:
+ path: dist/sea
+ pattern: binary-*
+ merge-multiple: true
+
+ - name: Verify downloaded binaries
+ run: |
+ echo "Downloaded binaries:"
+ ls -la dist/sea/
+
+ - name: Prepare and validate Linux x64
+ run: |
+ node scripts/prepublish-socketbin.mjs \
+ --platform=linux --arch=x64 \
+ --version="$STEPS_VERSION_OUTPUTS_VERSION" \
+ --method="$INPUTS_METHOD"
+ env:
+ STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+ INPUTS_METHOD: ${{ inputs.method }}
+
+ - name: Publish Linux x64
+ if: ${{ !inputs.dry-run }}
+ run: |
+ cd packages/socketbin-cli-linux-x64
+ npm publish --provenance --access public --tag latest
+
+ - name: Prepare and publish Linux ARM64
+ if: ${{ !inputs.dry-run }}
+ run: |
+ node scripts/prepublish-socketbin.mjs \
+ --platform=linux --arch=arm64 \
+ --version="$STEPS_VERSION_OUTPUTS_VERSION" \
+ --method="$INPUTS_METHOD"
+
+ cd packages/socketbin-cli-linux-arm64
+ npm publish --provenance --access public --tag latest
+ env:
+ STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+ INPUTS_METHOD: ${{ inputs.method }}
+
+ - name: Prepare and publish Linux musl x64
+ if: ${{ !inputs.dry-run }}
+ run: |
+ node scripts/prepublish-socketbin.mjs \
+ --platform=linux --arch=x64 --libc=musl \
+ --version="$STEPS_VERSION_OUTPUTS_VERSION" \
+ --method="$INPUTS_METHOD"
+
+ cd packages/socketbin-cli-linux-x64-musl
+ npm publish --provenance --access public --tag latest
+ env:
+ STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+ INPUTS_METHOD: ${{ inputs.method }}
+
+ - name: Prepare and publish Linux musl ARM64
+ if: ${{ !inputs.dry-run }}
+ run: |
+ node scripts/prepublish-socketbin.mjs \
+ --platform=linux --arch=arm64 --libc=musl \
+ --version="$STEPS_VERSION_OUTPUTS_VERSION" \
+ --method="$INPUTS_METHOD"
+
+ cd packages/socketbin-cli-linux-arm64-musl
+ npm publish --provenance --access public --tag latest
+ env:
+ STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+ INPUTS_METHOD: ${{ inputs.method }}
+
+ - name: Prepare and publish macOS x64
+ if: ${{ !inputs.dry-run }}
+ run: |
+ node scripts/prepublish-socketbin.mjs \
+ --platform=darwin --arch=x64 \
+ --version="$STEPS_VERSION_OUTPUTS_VERSION" \
+ --method="$INPUTS_METHOD"
+
+ cd packages/socketbin-cli-darwin-x64
+ npm publish --provenance --access public --tag latest
+ env:
+ STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+ INPUTS_METHOD: ${{ inputs.method }}
+
+ - name: Prepare and publish macOS ARM64
+ if: ${{ !inputs.dry-run }}
+ run: |
+ node scripts/prepublish-socketbin.mjs \
+ --platform=darwin --arch=arm64 \
+ --version="$STEPS_VERSION_OUTPUTS_VERSION" \
+ --method="$INPUTS_METHOD"
+
+ cd packages/socketbin-cli-darwin-arm64
+ npm publish --provenance --access public --tag latest
+ env:
+ STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+ INPUTS_METHOD: ${{ inputs.method }}
+
+ - name: Prepare and publish Windows x64
+ if: ${{ !inputs.dry-run }}
+ run: |
+ node scripts/prepublish-socketbin.mjs \
+ --platform=win32 --arch=x64 \
+ --version="$STEPS_VERSION_OUTPUTS_VERSION" \
+ --method="$INPUTS_METHOD"
+
+ cd packages/socketbin-cli-win32-x64
+ npm publish --provenance --access public --tag latest
+ env:
+ STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+ INPUTS_METHOD: ${{ inputs.method }}
+
+ - name: Prepare and publish Windows ARM64
+ if: ${{ !inputs.dry-run }}
+ run: |
+ node scripts/prepublish-socketbin.mjs \
+ --platform=win32 --arch=arm64 \
+ --version="$STEPS_VERSION_OUTPUTS_VERSION" \
+ --method="$INPUTS_METHOD"
+
+ cd packages/socketbin-cli-win32-arm64
+ npm publish --provenance --access public --tag latest
+ env:
+ STEPS_VERSION_OUTPUTS_VERSION: ${{ steps.version.outputs.version }}
+ INPUTS_METHOD: ${{ inputs.method }}
+
+ - name: Prime npm cache for CI (dry-run)
+ if: ${{ inputs.dry-run }}
+ run: |
+ echo "🔄 Priming npm cache for CI e2e tests..."
+ echo "✓ Cache priming complete"
+
+ - name: Dry run summary
+ if: ${{ inputs.dry-run }}
+ run: |
+ echo "🚫 Dry run mode - packages were NOT published"
+ echo ""
+ echo "Generated packages:"
+ find packages/binaries -name package.json -exec echo {} \; -exec jq -r '.name + "@" + .version' {} \;
+ echo ""
+ echo "💾 Cache primed for CI e2e tests"
\ No newline at end of file
diff --git a/.github/workflows/socket-auto-pr.yml b/.github/workflows/socket-auto-pr.yml
new file mode 100644
index 000000000..ca957dddf
--- /dev/null
+++ b/.github/workflows/socket-auto-pr.yml
@@ -0,0 +1,35 @@
+name: ⚡ Fix PR
+
+on:
+ schedule:
+ - cron: '0 0 * * *' # Run daily at midnight UTC
+ - cron: '0 12 * * *' # Run daily at noon UTC
+ workflow_dispatch:
+ inputs:
+ force:
+ description: 'Force rebuild (ignore cache)'
+ type: boolean
+ default: false
+ debug:
+ description: 'Enable debug output'
+ required: false
+ default: '0'
+ type: string
+ options:
+ - '0'
+ - '1'
+
+permissions: {}
+
+jobs:
+ socket-auto-pr:
+ permissions:
+ contents: write # Push commits and create branches for automated fixes.
+ pull-requests: write # Create and update PRs with automated security fixes.
+ uses: SocketDev/socket-registry/.github/workflows/socket-auto-pr.yml@4709a2443e5a036bb0cd94e5d1559f138f05994c # main
+ with:
+ debug: ${{ inputs.debug }}
+ autopilot: true
+ secrets:
+ socket_cli_api_token: ${{ secrets.SOCKET_CLI_API_TOKEN }}
+ gh_token: ${{ secrets.GITHUB_TOKEN }}
diff --git a/.gitignore b/.gitignore
index 8165f5307..e333a91e4 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,17 +1,132 @@
-# Basic ones
-/coverage
-/coverage-ts
-/node_modules
-/.env
-/.nyc_output
-
-# We're a library, so please, no lock files
-/package-lock.json
+# ============================================================================
+# OS-specific files
+# ============================================================================
+.*.sw?
+._.DS_Store
+.DS_Store
+Thumbs.db
+
+# ============================================================================
+# Environment and secrets
+# ============================================================================
+.env
+.env.*
+!.env.example
+/.env.local
+
+# ============================================================================
+# Node.js dependencies and configuration
+# ============================================================================
+.node-version
+/.nvm
+/.pnpmfile.cjs
+.npmrc.local
+**/node_modules/
+/npm-debug.log
+pnpm-debug.log*
/yarn.lock
+/yarn.log
+yarn-error.log*
+/.yarnrc.yml
-# Generated types
+# ============================================================================
+# Build outputs and artifacts
+# ============================================================================
+**/.build-checkpoints
+**/.cache/
+/.rollup.cache
+**/.type-coverage/
+**/build/
+!docs/build/
+**/coverage/
+**/dist/
+/external/
+**/html/
*.d.ts
*.d.ts.map
-!/lib/types/**/*.d.ts
+*.tsbuildinfo
+**/*.tmp
+*.tmp
+
+# ============================================================================
+# Language-specific build artifacts
+# ============================================================================
+
+## Rust builds
+**/target/
+
+## WASM builds
+**/wasm-bundle/
+
+# ============================================================================
+# Editor and IDE files
+# ============================================================================
+.idea/
+/.vscode/
+*.old
+*.sw?
+*.swo
+*.swp
+*~
+
+# ============================================================================
+# Development and debugging
+# ============================================================================
+*.log
+**/build/*.log
+**/.claude/*
+!**/.claude/skills/
+
+# ============================================================================
+# Backup and temporary files
+# ============================================================================
+*.backup
+*.bak
+**/*.tmp.bak*
+*.old
+*~
+
+# ============================================================================
+# Yarn PnP files
+# ============================================================================
+/.pnp.cjs
+/.pnp.loader.mjs
+/.yarn/
+
+# ============================================================================
+# Archive directories
+# ============================================================================
+**/docs/archive/
+
+# ============================================================================
+# Workspace-specific patterns
+# ============================================================================
+
+## Generated packages (from templates/)
+packages/package-builder/build/
+
+## Downloaded build sources
+packages/*/.minilm-source/
+packages/*/.onnx-source/
+packages/*/.yoga-source/
+packages/*/.yoga-tests/
+
+## Workspace-generated files
+packages/cli/CHANGELOG.md
+packages/cli/LICENSE
+packages/cli/*.png
+packages/cli-with-sentry/CHANGELOG.md
+packages/cli-with-sentry/data/
+packages/cli-with-sentry/LICENSE
+packages/cli-with-sentry/*.png
+packages/socket/CHANGELOG.md
+packages/socket/LICENSE
+packages/socket/*.png
-# Library specific ones
+# ============================================================================
+# Allow specific files (negation patterns)
+# ============================================================================
+!.env.example
+!/.vscode/extensions.json
+!docs/build/
+!src/types/**/*.d.ts
diff --git a/.husky/commit-msg b/.husky/commit-msg
new file mode 100755
index 000000000..09dec27aa
--- /dev/null
+++ b/.husky/commit-msg
@@ -0,0 +1,2 @@
+# Run commit message validation and auto-strip AI attribution.
+.git-hooks/commit-msg "$1"
diff --git a/.husky/pre-commit b/.husky/pre-commit
new file mode 100755
index 000000000..d6bf323f9
--- /dev/null
+++ b/.husky/pre-commit
@@ -0,0 +1,29 @@
+# Optional checks - can be bypassed with --no-verify for fast local commits.
+# Mandatory security checks run in pre-push hook.
+
+# Check prerequisites.
+if ! command -v pnpm >/dev/null 2>&1; then
+ printf "Error: pnpm not found in PATH\n" >&2
+ printf "Install from: https://pnpm.io/installation\n" >&2
+ exit 1
+fi
+
+if [ -z "${DISABLE_PRECOMMIT_LINT}" ]; then
+ pnpm lint --staged
+else
+ printf "Skipping lint due to DISABLE_PRECOMMIT_LINT env var\n"
+fi
+
+if [ -z "${DISABLE_PRECOMMIT_TEST}" ]; then
+ if ! command -v dotenvx >/dev/null 2>&1; then
+ printf "Error: dotenvx not found in PATH\n" >&2
+ printf "Install with: pnpm i\n" >&2
+ exit 1
+ fi
+ # Note: .env.precommit is optional and not tracked in git (contains local test config).
+ # If missing, dotenvx will continue without it. Create .env.precommit with test
+ # environment variables to optimize pre-commit test performance.
+ dotenvx -q run -f .env.precommit -- pnpm test --staged
+else
+ printf "Skipping testing due to DISABLE_PRECOMMIT_TEST env var\n"
+fi
diff --git a/.husky/pre-push b/.husky/pre-push
index 610c2a54f..f607f954d 100755
--- a/.husky/pre-push
+++ b/.husky/pre-push
@@ -1,4 +1,162 @@
-#!/usr/bin/env sh
-. "$(dirname -- "$0")/_/husky.sh"
+#!/bin/bash
+# Socket Security Pre-push Hook
+# MANDATORY ENFORCEMENT LAYER - Cannot be bypassed with --no-verify.
+# Validates all commits being pushed for security issues and AI attribution.
-npm test
+set -e
+
+# Colors for output.
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0;m'
+
+printf "${GREEN}Running mandatory pre-push validation...${NC}\n"
+
+# Allowed public API key (used in socket-lib).
+ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
+
+# Get the remote name and URL.
+remote="$1"
+url="$2"
+
+TOTAL_ERRORS=0
+
+# Read stdin for refs being pushed.
+while read local_ref local_sha remote_ref remote_sha; do
+ # Get the range of commits being pushed.
+ if [ "$remote_sha" = "0000000000000000000000000000000000000000" ]; then
+ # New branch - find the latest published release tag to limit scope.
+ latest_release=$(git tag --list 'v*' --sort=-version:refname --merged "$local_sha" | head -1)
+ if [ -n "$latest_release" ]; then
+ # Check commits since the latest published release.
+ range="$latest_release..$local_sha"
+ else
+ # No release tags found - check all commits.
+ range="$local_sha"
+ fi
+ else
+ # Existing branch - check only new commits being pushed.
+ range="$remote_sha..$local_sha"
+ fi
+
+ ERRORS=0
+
+ # ============================================================================
+ # CHECK 1: Scan commit messages for AI attribution
+ # ============================================================================
+ printf "Checking commit messages for AI attribution...\n"
+
+ # Check each commit in the range for AI patterns.
+ # Use for loop instead of while to avoid subshell (pipe) or bash-only syntax (process substitution).
+ for commit_sha in $(git rev-list "$range"); do
+ full_msg=$(git log -1 --format='%B' "$commit_sha")
+
+ if echo "$full_msg" | grep -qiE "(Generated with.*(Claude|AI)|Co-Authored-By: Claude|Co-Authored-By: AI|🤖 Generated|AI generated|@anthropic\.com|Assistant:|Generated by Claude|Machine generated)"; then
+ if [ $ERRORS -eq 0 ]; then
+ printf "${RED}✗ BLOCKED: AI attribution found in commit messages!${NC}\n"
+ printf "Commits with AI attribution:\n"
+ fi
+ echo " - $(git log -1 --oneline "$commit_sha")"
+ ERRORS=$((ERRORS + 1))
+ fi
+ done
+
+ if [ $ERRORS -gt 0 ]; then
+ printf "\n"
+ printf "These commits were likely created with --no-verify, bypassing the\n"
+ printf "commit-msg hook that strips AI attribution.\n"
+ printf "\n"
+ printf "To fix:\n"
+ printf " git rebase -i %s\n" "$remote_sha"
+ printf " Mark commits as .reword., remove AI attribution, save\n"
+ printf " git push\n"
+ fi
+
+ # ============================================================================
+ # CHECK 2: File content security checks
+ # ============================================================================
+ printf "Checking files for security issues...\n"
+
+ # Get all files changed in these commits.
+ CHANGED_FILES=$(git diff --name-only "$range" 2>/dev/null || printf "\n")
+
+ if [ -n "$CHANGED_FILES" ]; then
+ # Check for sensitive files.
+ if echo "$CHANGED_FILES" | grep -qE '^\.env(\.local)?$'; then
+ printf "${RED}✗ BLOCKED: Attempting to push .env file!${NC}\n"
+ printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep -E '^\.env(\.local)?$')"
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for .DS_Store.
+ if echo "$CHANGED_FILES" | grep -q '\.DS_Store'; then
+ printf "${RED}✗ BLOCKED: .DS_Store file in push!${NC}\n"
+ printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep '\.DS_Store')"
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for log files.
+ if echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log' | grep -q .; then
+ printf "${RED}✗ BLOCKED: Log file in push!${NC}\n"
+ printf "Files: %s\n" "$(echo "$CHANGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log')"
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check file contents for secrets.
+ for file in $CHANGED_FILES; do
+ if [ -f "$file" ] && [ ! -d "$file" ]; then
+ # Skip test files, example files, and hook scripts.
+ if echo "$file" | grep -qE '\.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then
+ continue
+ fi
+
+ # Check for hardcoded user paths.
+ if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
+ printf "${RED}✗ BLOCKED: Hardcoded personal path found in: $file${NC}\n"
+ grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for Socket API keys.
+ if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
+ printf "${RED}✗ BLOCKED: Real API key detected in: $file${NC}\n"
+ grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for AWS keys.
+ if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
+ printf "${RED}✗ BLOCKED: Potential AWS credentials found in: $file${NC}\n"
+ grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for GitHub tokens.
+ if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
+ printf "${RED}✗ BLOCKED: Potential GitHub token found in: $file${NC}\n"
+ grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for private keys.
+ if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
+ printf "${RED}✗ BLOCKED: Private key found in: $file${NC}\n"
+ ERRORS=$((ERRORS + 1))
+ fi
+ fi
+ done
+ fi
+
+ TOTAL_ERRORS=$((TOTAL_ERRORS + ERRORS))
+done
+
+if [ $TOTAL_ERRORS -gt 0 ]; then
+ printf "\n"
+ printf "${RED}✗ Push blocked by mandatory validation!${NC}\n"
+ printf "Fix the issues above before pushing.\n"
+ exit 1
+fi
+
+printf "${GREEN}✓ All mandatory validation passed!${NC}\n"
+exit 0
diff --git a/.husky/security-checks.sh b/.husky/security-checks.sh
new file mode 100755
index 000000000..ad4c03e47
--- /dev/null
+++ b/.husky/security-checks.sh
@@ -0,0 +1,125 @@
+#!/bin/bash
+# Socket Security Checks
+# Prevents committing sensitive data and common mistakes.
+
+set -e
+
+# Colors for output.
+RED='\033[0;31m'
+YELLOW='\033[1;33m'
+GREEN='\033[0;32m'
+NC='\033[0m'
+
+# Allowed public API key (used in socket-lib and across all Socket repos).
+# This is Socket's official public test API key - safe to commit.
+# NOTE: This value is intentionally identical across all Socket repos.
+ALLOWED_PUBLIC_KEY="sktsec_t_--RAN5U4ivauy4w37-6aoKyYPDt5ZbaT5JBVMqiwKo_api"
+
+echo "${GREEN}Running Socket Security checks...${NC}"
+
+# Get list of staged files.
+STAGED_FILES=$(git diff --cached --name-only --diff-filter=ACM)
+
+if [ -z "$STAGED_FILES" ]; then
+ echo "${GREEN}✓ No files to check${NC}"
+ exit 0
+fi
+
+ERRORS=0
+
+# Check for .DS_Store files.
+printf "Checking for .DS_Store files...\n"
+if echo "$STAGED_FILES" | grep -q '\.DS_Store'; then
+ echo "${RED}✗ ERROR: .DS_Store file detected!${NC}"
+ echo "$STAGED_FILES" | grep '\.DS_Store'
+ ERRORS=$((ERRORS + 1))
+fi
+
+# Check for log files.
+printf "Checking for log files...\n"
+if echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'; then
+ echo "${RED}✗ ERROR: Log file detected!${NC}"
+ echo "$STAGED_FILES" | grep -E '\.log$' | grep -v 'test.*\.log'
+ ERRORS=$((ERRORS + 1))
+fi
+
+# Check for .env files.
+printf "Checking for .env files...\n"
+if echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'; then
+ echo "${RED}✗ ERROR: .env or .env.local file detected!${NC}"
+ echo "$STAGED_FILES" | grep -E '^\.env(\.local)?$'
+ printf "These files should never be committed. Use .env.example instead.\n"
+ ERRORS=$((ERRORS + 1))
+fi
+
+# Check for hardcoded user paths (generic detection).
+printf "Checking for hardcoded personal paths...\n"
+for file in $STAGED_FILES; do
+ if [ -f "$file" ]; then
+ # Skip test files and hook scripts.
+ if echo "$file" | grep -qE '\.(test|spec)\.|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then
+ continue
+ fi
+
+ # Check for common user path patterns.
+ if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
+ echo "${RED}✗ ERROR: Hardcoded personal path found in: $file${NC}"
+ grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
+ printf "Replace with relative paths or environment variables.\n"
+ ERRORS=$((ERRORS + 1))
+ fi
+ fi
+done
+
+# Check for Socket API keys.
+printf "Checking for API keys...\n"
+for file in $STAGED_FILES; do
+ if [ -f "$file" ]; then
+ if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
+ echo "${YELLOW}⚠ WARNING: Potential API key found in: $file${NC}"
+ grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
+ printf "If this is a real API key, DO NOT COMMIT IT.\n"
+ fi
+ fi
+done
+
+# Check for common secret patterns.
+printf "Checking for potential secrets...\n"
+for file in $STAGED_FILES; do
+ if [ -f "$file" ]; then
+ # Skip test files, example files, and hook scripts.
+ if echo "$file" | grep -qE '\.(test|spec)\.(m?[jt]s|tsx?)$|\.example$|/test/|/tests/|fixtures/|\.git-hooks/|\.husky/'; then
+ continue
+ fi
+
+ # Check for AWS keys.
+ if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
+ echo "${RED}✗ ERROR: Potential AWS credentials found in: $file${NC}"
+ grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for GitHub tokens.
+ if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
+ echo "${RED}✗ ERROR: Potential GitHub token found in: $file${NC}"
+ grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
+ ERRORS=$((ERRORS + 1))
+ fi
+
+ # Check for private keys.
+ if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
+ echo "${RED}✗ ERROR: Private key found in: $file${NC}"
+ ERRORS=$((ERRORS + 1))
+ fi
+ fi
+done
+
+if [ $ERRORS -gt 0 ]; then
+ printf "\n"
+ echo "${RED}✗ Security check failed with $ERRORS error(s).${NC}"
+ printf "Fix the issues above and try again.\n"
+ exit 1
+fi
+
+echo "${GREEN}✓ All security checks passed!${NC}"
+exit 0
diff --git a/.node-version b/.node-version
new file mode 100644
index 000000000..722c6899a
--- /dev/null
+++ b/.node-version
@@ -0,0 +1 @@
+25.5.0
diff --git a/.npmrc b/.npmrc
index 43c97e719..847970f8b 100644
--- a/.npmrc
+++ b/.npmrc
@@ -1 +1,11 @@
-package-lock=false
+# Suppress pnpm build script warnings.
+ignore-scripts=true
+
+# Suppress pnpm workspace warnings
+link-workspace-packages=false
+loglevel=error
+prefer-workspace-packages=false
+
+# Trust policy - prevent downgrade attacks
+trust-policy=no-downgrade
+trust-policy-exclude[]=undici@6.21.3
\ No newline at end of file
diff --git a/.pnpmrc b/.pnpmrc
new file mode 100644
index 000000000..41c177acb
--- /dev/null
+++ b/.pnpmrc
@@ -0,0 +1,11 @@
+# Delayed dependency updates - wait 7 days (10080 minutes) before allowing new packages.
+minimumReleaseAge=10080
+
+# Auto-install peers.
+auto-install-peers=true
+
+# Strict peer dependencies.
+strict-peer-dependencies=false
+
+# Save exact versions (like npm --save-exact).
+save-exact=true
\ No newline at end of file
diff --git a/.vscode/extensions.json b/.vscode/extensions.json
new file mode 100644
index 000000000..81f8b4772
--- /dev/null
+++ b/.vscode/extensions.json
@@ -0,0 +1,11 @@
+{
+ "recommendations": [
+ "ryanluker.vscode-coverage-gutters",
+ "hbenl.vscode-test-explorer",
+ "hbenl.vscode-mocha-test-adapter",
+ "dbaeumer.vscode-eslint",
+ "gruntfuggly.todo-tree",
+ "editorconfig.editorconfig",
+ "biomejs.biome"
+ ]
+}
diff --git a/CHANGELOG.md b/CHANGELOG.md
new file mode 100644
index 000000000..137e7c9a6
--- /dev/null
+++ b/CHANGELOG.md
@@ -0,0 +1,464 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/).
+
+## [Unreleased]
+
+### Changed
+- Updated to @socketsecurity/socket-patch@1.2.0.
+- Updated Coana CLI to v14.12.148.
+
+### Fixed
+- Prevent heap overflow in large monorepo scans by using streaming-based filtering to avoid accumulating all file paths in memory before filtering.
+
+## [2.1.0](https://github.com/SocketDev/socket-cli/releases/tag/v2.1.0) - 2025-11-02
+
+### Added
+- Unified DLX manifest storage for packages and binary downloads with persistent caching and TTL support
+- Progressive enhancement with ONNX Runtime stub for optional NLP features
+- SHA-256 checksum verification for Python build standalone downloads
+- Optional external alias detection for TypeScript configurations
+- `--reach-use-unreachable-from-precomputation` flag for `scan reach` and `scan create` commands
+ to use precomputed unreachable information for improved reachability analysis accuracy
+
+### Changed
+- DLX manifest now uses unified format supporting both npm packages and binary downloads
+- Standardized environment variable naming with SOCKET_CLI_ prefix
+- Preflight downloads now stagger with variable delays (1-3 seconds) to avoid resource contention
+
+### Fixed
+- Bootstrap stream/promises module path corrected for smol builds
+- Bootstrap error handling improved for clearer failure messages
+- Windows path handling now correctly processes UNC paths
+
+## [2.0.10](https://github.com/SocketDev/socket-cli/releases/tag/v2.0.10) - 2025-10-31
+
+### Fixed
+- Tab completion script now resolves CLI package root correctly
+- SDK scan options flattened and repo parameter made conditional
+- Output handling now safely checks for null before calling toString()
+- Environment variable fallbacks from v1.x restored for backward compatibility
+- Directory creation EEXIST errors now handled gracefully
+
+## [2.0.9](https://github.com/SocketDev/socket-cli/releases/tag/v2.0.9) - 2025-10-31
+
+### Fixed
+- Updated @socketsecurity/lib to v2.10.2 with critical DLX fixes for scoped package parsing
+
+## [2.0.8](https://github.com/SocketDev/socket-cli/releases/tag/v2.0.8) - 2025-10-31
+
+### Fixed
+- Binary name resolution for external tools (@coana-tech/cli, @cyclonedx/cdxgen, synp) in dlx execution
+- Preflight downloads now correctly specify binary names for background package caching
+
+## [2.0.7](https://github.com/SocketDev/socket-cli/releases/tag/v2.0.7) - 2025-10-31
+
+### Added
+- Shimmer effect to bootstrap spinner for enhanced visual feedback during CLI download
+
+### Changed
+- Consolidated SOCKET_CLI_ISSUES_URL constant to socket constants module for better organization
+
+## [2.0.6](https://github.com/SocketDev/socket-cli/releases/tag/v2.0.6) - 2025-10-31
+
+### Fixed
+- Shadow npm spawn mechanism now properly uses spawnNode abstraction for SEA binary compatibility
+- IPC handshake structure for shadow npm processes with correct parent_pid and subprocess fields
+
+## [2.0.2](https://github.com/SocketDev/socket-cli/releases/tag/v2.0.2) - 2025-10-30
+
+### Fixed
+- Fixed import from @socketsecurity/registry to @socketsecurity/lib
+
+## [2.0.1](https://github.com/SocketDev/socket-cli/releases/tag/v2.0.1) - 2025-10-30
+
+### Changed
+- Updated @socketsecurity/lib to v2.9.0 with Socket.dev URL constants and enhanced error messages
+- Updated @socketsecurity/sdk to v3.0.21
+- Normalized lock behavior across codebase
+
+### Fixed
+- Bootstrap path resolution in binary builders to correct path
+
+## [2.0.0](https://github.com/SocketDev/socket-cli/releases/tag/v2.0.0) - 2025-10-29
+
+### Changed
+- **BREAKING**: CLI now ships as single executable binary requiring no external Node.js installation
+
+### Added
+- GitLab merge request support for `socket fix`
+- Persistent GHSA tracking to avoid duplicate fixes
+- Markdown output support for `socket fix` and `socket optimize`
+- `--reach-min-severity` flag to filter reachability analysis by vulnerability severity threshold
+
+### Fixed
+- Target directory handling in reachability analysis for scan commands
+
+## [1.1.25](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.25) - 2025-10-10
+
+### Added
+- `--no-major-updates` flag
+- `--show-affected-direct-dependencies` flag
+
+### Fixed
+- Provenance handling
+
+## [1.1.24](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.24) - 2025-10-10
+
+### Added
+- `--minimum-release-age` flag for `socket fix`
+- SOCKET_CLI_COANA_LOCAL_PATH environment variable
+
+### Fixed
+- Organization capabilities detection
+- Enterprise plan filtering
+
+## [1.1.23](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.23) - 2025-09-22
+
+### Changed
+- Renamed `--dont-apply-fixes` to `--no-apply-fixes` (old flag remains as alias)
+- pnpm dlx operations no longer use `--ignore-scripts`
+
+### Fixed
+- Error handling in optimize command for pnpm
+
+## [1.1.22](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.22) - 2025-09-20
+
+### Changed
+- Renamed `--only-compute` to `--dont-apply-fixes` for `socket fix` (old flag remains as alias)
+
+### Fixed
+- Interactive prompts in `socket optimize` with pnpm
+- Git repository name sanitization
+
+## [1.1.21](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.21) - 2025-09-20
+
+### Added
+- `--compact-header` flag
+
+### Fixed
+- Error handling in `socket optimize`
+
+## [1.1.20](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.20) - 2025-09-19
+
+### Added
+- Terminal link support
+
+### Fixed
+- Windows package manager execution
+
+## [1.1.13](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.13) - 2025-09-16
+
+### Added
+- `--output-file` flag for `socket fix`
+- `--only-compute` flag for `socket fix`
+
+## [1.1.9](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.9) - 2025-09-11
+
+### Added
+- `socket fix --id` now accepts CVE IDs and PURLs
+
+### Fixed
+- SOCKET_CLI_API_TIMEOUT environment variable lookup
+
+## [1.1.7](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.7) - 2025-09-11
+
+### Added
+- `--no-spinner` flag
+
+### Fixed
+- Proxy support
+
+## [1.1.4](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.4) - 2025-09-09
+
+### Added
+- `--report-level` flag for scan output control
+
+## [1.1.1](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.1) - 2025-09-04
+
+### Removed
+- Legacy `--test` and `--test-script` flags from `socket fix`
+
+## [1.1.0](https://github.com/SocketDev/socket-cli/releases/tag/v1.1.0) - 2025-09-03
+
+### Added
+- Package versions in `socket npm` security reports
+
+## [1.0.111](https://github.com/SocketDev/socket-cli/releases/tag/v1.0.111) - 2025-09-03
+
+### Added
+- `--range-style` flag for `socket fix`
+
+## [1.0.106](https://github.com/SocketDev/socket-cli/releases/tag/v1.0.106) - 2025-09-02
+
+### Added
+- `--reach-skip-cache` flag
+
+## [1.0.89](https://github.com/SocketDev/socket-cli/releases/tag/v1.0.89) - 2025-08-15
+
+### Added
+- `socket scan create --reach` for manifest scanning
+
+## [1.0.85](https://github.com/SocketDev/socket-cli/releases/tag/v1.0.85) - 2025-08-01
+
+### Added
+- SOCKET_CLI_NPM_PATH environment variable
+
+## [1.0.82](https://github.com/SocketDev/socket-cli/releases/tag/v1.0.82) - 2025-07-30
+
+### Added
+- `--max-old-space-size` and `--max-semi-space-size` flags
+
+## [1.0.73](https://github.com/SocketDev/socket-cli/releases/tag/v1.0.73) - 2025-07-14
+
+### Added
+- Automatic `.socket.facts.json` detection
+
+## [1.0.69](https://github.com/SocketDev/socket-cli/releases/tag/v1.0.69) - 2025-07-10
+
+### Added
+- `--no-pr-check` flag for `socket fix`
+
+## [1.0.0](https://github.com/SocketDev/socket-cli/releases/tag/v1.0.0) - 2025-06-13
+
+### Added
+- Official v1.0.0 release
+- Added `socket org deps` alias command
+
+### Changed
+- Moved dependencies command to a subcommand of organization
+- Improved UX for threat-feed and audit-logs
+- Removed Node 18 deprecation warnings
+- Removed v1 preparation flags
+
+## [0.15.64](https://github.com/SocketDev/socket-cli/releases/tag/v0.15.64) - 2025-06-13
+
+### Fixed
+- Improved `socket fix` error handling when server rejects request
+
+### Changed
+- Final pre-v1.0.0 stability improvements
+
+## [0.15.63](https://github.com/SocketDev/socket-cli/releases/tag/v0.15.63) - 2025-06-12
+
+### Added
+- Enhanced debugging capabilities
+
+## [0.15.62](https://github.com/SocketDev/socket-cli/releases/tag/v0.15.62) - 2025-06-12
+
+### Fixed
+- Avoided double installing during `socket fix` operations
+
+## [0.15.61](https://github.com/SocketDev/socket-cli/releases/tag/v0.15.61) - 2025-06-11
+
+### Fixed
+- Memory management for `socket fix` with packument cache clearing
+
+## [0.15.60](https://github.com/SocketDev/socket-cli/releases/tag/v0.15.60) - 2025-06-10
+
+### Changed
+- Widened Node.js test matrix
+- Removed Node 18 support due to native-ts compatibility
+
+## [0.15.59](https://github.com/SocketDev/socket-cli/releases/tag/v0.15.59) - 2025-06-09
+
+### Changed
+- Reduced Node version restrictions on CLI
+
+## [0.15.57](https://github.com/SocketDev/socket-cli/releases/tag/v0.15.57) - 2025-06-06
+
+### Added
+- Added `socket threat-feed` search flags
+
+## [0.15.56](https://github.com/SocketDev/socket-cli/releases/tag/v0.15.56) - 2025-05-07
+
+### Added
+- `socket manifest setup` for project configuration
+- Enhanced debugging output and error handling
+
+## [0.15.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.15.0) - 2025-05-07
+
+### Added
+- Enhanced `socket threat-feed` with new API endpoints
+- `socket.json` configuration support
+- Improved `socket fix` error handling
+
+### Fixed
+- Avoid double installing with `socket fix`
+- CI/CD improvements reducing GitHub Action dependencies for `socket fix`
+
+## [0.14.155](https://github.com/SocketDev/socket-cli/releases/tag/v0.14.155) - 2025-05-07
+
+### Added
+- `SOCKET_CLI_API_BASE_URL` for base URL configuration
+- `DISABLE_GITHUB_CACHE` environment variable
+- `cdxgen` lifecycle logging and documentation hyperlinks
+
+### Fixed
+- Set `exitCode=1` when login steps fail
+- Fixed Socket package URLs
+- Band-aid fix for `socket analytics`
+- Improved handling of non-SDK API calls
+
+### Changed
+- Enhanced JSON-safe API handling
+- Updated `cdxgen` flags and configuration
+
+## [0.14.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.14.0) - 2024-10-10
+
+### Added
+- `socket optimize` to apply Socket registry overrides
+- Suggestion flows to `socket scan create`
+- JSON/markdown output support for `socket repos list`
+- Enhanced organization command with `--json` and `--markdown` flags
+- `SOCKET_CLI_NO_API_TOKEN` environment variable support
+- Improved test snapshot updating
+
+### Fixed
+- Spinner management in report flow and after API errors
+- API error handling for non-SDK calls
+- Package URL corrections
+
+### Changed
+- Added Node permissions for shadow-bin
+
+## [0.13.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.13.0) - 2024-09-06
+
+### Added
+- `socket threat-feed` for security threat information
+
+## [0.12.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.12.0) - 2024-08-30
+
+### Added
+- Diff Scan command for comparing scan results
+- Analytics enhancements and data visualization
+- Feature to save analytics data to local files
+
+## [0.11.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.11.0) - 2024-08-05
+
+### Added
+- Organization listing capability
+
+## [0.10.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.10.0) - 2024-07-17
+
+### Added
+- Analytics command with graphical data visualization
+- Interactive charts and graphs
+
+## [0.9.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.9.0) - 2023-12-01
+
+### Added
+- Automatic latest version fetching for `socket info`
+- Package scoring integration
+- Human-readable issue rendering with clickable links
+- Enhanced package analysis with scores
+
+### Changed
+- Smart defaults for package version resolution
+- Improved issue visualization and reporting
+
+## [0.8.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.8.0) - 2023-08-10
+
+### Added
+- Configuration-based warnings from settings
+- Enhanced `socket npm` installation safety checks
+
+### Changed
+- Dropped Node 14 support (EOL April 2023)
+- Added Node 16 manual testing due to c8 segfault issues
+
+## [0.7.1](https://github.com/SocketDev/socket-cli/releases/tag/v0.7.1) - 2023-06-13
+
+### Added
+- Python report creation capabilities
+- CLI login/logout functionality
+
+### Fixed
+- Lockfile handling to ensure saves on `socket npm install`
+- Report creation issues
+- Python uploads via CLI
+
+### Changed
+- Switched to base64 encoding for certain operations
+
+## [0.6.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.6.0) - 2023-04-11
+
+### Added
+- Enhanced update notifier for npm wrapper
+- TTY IPC to mitigate sub-shell prompts
+
+## [0.5.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.5.0) - 2023-03-16
+
+### Added
+- npm/npx wrapper commands (`socket npm`, `socket npx`)
+- npm provenance and publish action support
+
+### Changed
+- Reusable consistent flags across commands
+
+## [0.4.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.4.0) - 2023-01-20
+
+### Added
+- Persistent authentication - CLI remembers API key for full duration
+- Comprehensive TypeScript integration and type checks
+- Enhanced development tooling and dependencies
+
+## [0.3.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.3.0) - 2022-12-13
+
+### Added
+- Support for globbed input and ignores for package scanning
+- `--strict` and `--all` flags to commands
+- Configuration support using `@socketsecurity/config`
+
+### Changed
+- Improved error handling and messaging
+- Stricter TypeScript configuration
+
+### Fixed
+- Improved tests
+
+## [0.2.1](https://github.com/SocketDev/socket-cli/releases/tag/v0.2.1) - 2022-11-23
+
+### Added
+- Update notifier to inform users of new CLI versions
+
+## [0.2.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.2.0) - 2022-11-23
+
+### Added
+- New `socket report view` for viewing existing reports
+- `--view` flag to `report create` for immediate viewing
+- Enhanced report creation and viewing capabilities
+
+### Changed
+- Synced up report create command with report view functionality
+- Synced up info command with report view
+- Improved examples in `--help` output
+
+### Fixed
+- Updated documentation and README with new features
+
+## [0.1.2](https://github.com/SocketDev/socket-cli/releases/tag/v0.1.2) - 2022-11-17
+
+### Added
+- Node 19 testing support
+
+### Changed
+- Improved documentation
+
+## [0.1.1](https://github.com/SocketDev/socket-cli/releases/tag/v0.1.1) - 2022-11-07
+
+### Changed
+- Extended README documentation
+
+### Fixed
+- Removed accidental debug code
+
+## [0.1.0](https://github.com/SocketDev/socket-cli/releases/tag/v0.1.0) - 2022-11-07
+
+### Added
+- Initial Socket CLI release
+- `socket info` for package security information
+- `socket report create` for generating security reports
+- Basic CLI infrastructure and configuration
diff --git a/CLAUDE.md b/CLAUDE.md
new file mode 100644
index 000000000..ea1afe576
--- /dev/null
+++ b/CLAUDE.md
@@ -0,0 +1,364 @@
+# CLAUDE.md
+
+**MANDATORY**: Act as principal-level engineer. Follow these guidelines exactly.
+
+## CANONICAL REFERENCE
+
+This is a reference to shared Socket standards. See `../socket-registry/CLAUDE.md` for canonical source.
+
+## 👤 USER CONTEXT
+
+- **Identify users by git credentials**: Extract name from git commit author, GitHub account, or context
+- 🚨 **When identity is verified**: ALWAYS use their actual name - NEVER use "the user" or "user"
+- **Direct communication**: Use "you/your" when speaking directly to the verified user
+- **Discussing their work**: Use their actual name when referencing their commits/contributions
+- **Example**: If git shows "John-David Dalton ", refer to them as "John-David"
+- **Other contributors**: Use their actual names from commit history/context
+
+## PRE-ACTION PROTOCOL
+
+**MANDATORY**: Review CLAUDE.md before any action. No exceptions.
+
+## VERIFICATION PROTOCOL
+
+**MANDATORY**: Before claiming any task is complete:
+1. Test the solution end-to-end
+2. Verify all changes work as expected
+3. Run the actual commands to confirm functionality
+4. Never claim "Done" without verification
+
+## Critical Rules
+
+### Fix ALL Issues
+- **Fix ALL issues when asked** - Never dismiss issues as "pre-existing" or "not caused by my changes"
+- When asked to fix, lint, or check: fix everything found, regardless of who introduced it
+- Always address all issues found during lint/check operations
+
+## ABSOLUTE RULES
+
+- Never create files unless necessary
+- Always prefer editing existing files
+- Forbidden to create docs unless requested
+- Required to do exactly what was asked
+
+## ROLE
+
+Principal Software Engineer: production code, architecture, reliability, ownership.
+
+## EVOLUTION
+
+If user repeats instruction 2+ times, ask: "Should I add this to CLAUDE.md?"
+
+## 📚 SHARED STANDARDS
+
+**Canonical reference**: `../socket-registry/CLAUDE.md`
+
+All shared standards (git, testing, code style, cross-platform, CI) defined in socket-registry/CLAUDE.md.
+
+**Quick references**:
+- Commits: [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) `(): ` - NO AI attribution
+- Scripts: Prefer `pnpm run foo --flag` over `foo:bar` scripts
+- Docs: Use `docs/` folder, lowercase-with-hyphens.md filenames, pithy writing with visuals
+- Dependencies: After `package.json` edits, run `pnpm install` to update `pnpm-lock.yaml`
+- Backward Compatibility: 🚨 FORBIDDEN to maintain - actively remove when encountered (see canonical CLAUDE.md)
+- Work Safeguards: MANDATORY commit + backup branch before bulk changes
+- Safe Deletion: Use `safeDelete()` from `@socketsecurity/lib/fs` (NEVER `fs.rm/rmSync` or `rm -rf`)
+
+---
+
+## CLI-SPECIFIC
+
+## Commands
+
+### Development Commands
+- **Build**: `pnpm run build` (smart build, skips unchanged)
+- **Build force**: `pnpm run build --force` (force rebuild CLI + SEA for current platform)
+- **Build SEA**: `pnpm run build:sea` (build SEA binaries for all platforms)
+- **Build CLI**: `pnpm run build:cli` (CLI package only)
+- **Test**: `pnpm test` (runs check + all tests from monorepo root)
+- **Test unit only**: `pnpm --filter @socketsecurity/cli run test:unit`
+- **Lint**: `pnpm run lint` (uses biome and eslint)
+- **Type check**: `pnpm run type` (uses tsc)
+- **Check all**: `pnpm run check` (lint + typecheck)
+- **Fix all issues**: `pnpm run fix` (auto-fix linting and formatting)
+- **Commit without tests**: `git commit --no-verify` (skips pre-commit hooks including tests)
+
+### Binary Build Notes
+- **Node-smol binaries**: Downloaded from socket-btm releases (not built locally)
+- **Yoga WASM**: Downloaded from socket-btm releases (not built locally)
+- **SEA binaries**: Built by injecting CLI blob into downloaded node-smol binaries
+- **Output location**: `packages/cli/dist/sea/socket--`
+- **Cache location**: Build assets in `packages/build-infra/build/downloaded/`, DLX packages and VFS-extracted tools in `~/.socket/_dlx/`
+
+### Testing Best Practices - CRITICAL: NO -- FOR FILE PATHS
+- **🚨 NEVER USE `--` BEFORE TEST FILE PATHS** - This runs ALL tests, not just your specified files!
+- **Always build before testing**: Run `pnpm run build:cli` before running tests to ensure dist files are up to date.
+- **Test all**: ✅ CORRECT: `pnpm test` (from monorepo root)
+- **Test single file**: ✅ CORRECT: `pnpm --filter @socketsecurity/cli run test:unit src/commands/specific/cmd-file.test.mts`
+ - ❌ WRONG: `pnpm test:unit src/commands/specific/cmd-file.test.mts` (command not found at root!)
+ - ❌ WRONG: `pnpm --filter @socketsecurity/cli run test:unit -- src/commands/specific/cmd-file.test.mts` (runs ALL tests!)
+- **Test multiple files**: ✅ CORRECT: `pnpm --filter @socketsecurity/cli run test:unit file1.test.mts file2.test.mts`
+- **Test with pattern**: ✅ CORRECT: `pnpm --filter @socketsecurity/cli run test:unit src/commands/specific/cmd-file.test.mts -t "pattern"`
+ - ❌ WRONG: `pnpm --filter @socketsecurity/cli run test:unit -- src/commands/specific/cmd-file.test.mts -t "pattern"`
+- **Update snapshots**:
+ - All tests: `pnpm testu` (builds first, then updates all snapshots)
+ - Single file: ✅ CORRECT: `pnpm testu src/commands/specific/cmd-file.test.mts`
+ - ❌ WRONG: `pnpm testu -- src/commands/specific/cmd-file.test.mts` (updates ALL snapshots!)
+- **Update with --update flag**: `pnpm --filter @socketsecurity/cli run test:unit src/commands/specific/cmd-file.test.mts --update`
+- **Timeout for long tests**: Use `timeout` command or specify in test file.
+
+### Git Commit Guidelines
+- Follow [Conventional Commits](https://www.conventionalcommits.org/en/v1.0.0/) style
+- **🚨 FORBIDDEN**: NO AI attribution in commits (see SHARED STANDARDS)
+
+### Running the CLI locally
+- **Watch mode**: `pnpm dev` (auto-rebuilds on file changes)
+- **Build and run**: `pnpm build && pnpm exec socket`
+- **Run built version**: `pnpm exec socket ` (requires prior build)
+
+### Package Management
+- **Package Manager**: This project uses pnpm (v10.22+)
+- **Install dependencies**: `pnpm install`
+- **Add dependency**: `pnpm add `
+- **Add dev dependency**: `pnpm add -D `
+- **Update dependencies**: `pnpm update`
+- **Override behavior**: pnpm.overrides in package.json controls dependency versions across the entire project
+- **Using $ syntax**: `"$package-name"` in overrides means "use the version specified in dependencies"
+
+## Architecture
+
+This is a CLI tool for Socket.dev security analysis, built with TypeScript using .mts extensions.
+
+### Core Structure
+- **Entry point**: `src/cli.mts` - Main CLI entry with meow subcommands
+- **Commands**: `src/commands.mts` - Exports all command definitions
+- **Command modules**: `src/commands/*/` - Each feature has its own directory with cmd-*, handle-*, and output-* files
+- **Utilities**: `src/utils/` - Shared utilities for API, config, formatting, etc.
+- **Constants**: `src/constants.mts` - Application constants
+- **Types**: `src/types.mts` - TypeScript type definitions
+
+### Command Architecture Pattern
+
+**✅ PREFERRED: Consolidated Pattern for Simple Commands**
+
+For commands with straightforward logic (no subcommands, < 200 lines total), consolidate into a single `cmd-*.mts` file:
+
+```typescript
+// Single cmd-*.mts file structure:
+import { getDefaultLogger } from '@socketsecurity/lib/logger'
+// ... other imports
+
+const logger = getDefaultLogger()
+
+export const CMD_NAME = 'command-name'
+const description = 'Command description'
+const hidden = false
+
+// Types.
+interface CommandResult {
+ // Type definitions here.
+}
+
+// Helper functions.
+function helperFunction(): void {
+ // Helper logic here.
+}
+
+// Command handler.
+async function run(
+ argv: string[] | readonly string[],
+ importMeta: ImportMeta,
+ { parentName }: CliCommandContext,
+): Promise {
+ const config: CliCommandConfig = { /* ... */ }
+ const cli = meowOrExit({ argv, config, importMeta, parentName })
+
+ // Command logic here.
+}
+
+// Exported command.
+export const cmdCommandName = {
+ description,
+ hidden,
+ run,
+}
+```
+
+**Benefits**:
+- All command logic in one file for easy navigation
+- Clear sections: imports → constants → types → helpers → handler → export
+- Reduced file count (3 files → 1 file)
+- Maintained compatibility with existing meow-based CLI architecture
+
+**Examples**: `whoami`, `logout` (consolidated)
+
+**⚠️ Legacy Pattern for Complex Commands**
+
+Complex commands with subcommands or > 200 lines should keep the modular pattern:
+- `cmd-*.mts` - Command definition and CLI interface
+- `handle-*.mts` - Business logic and processing
+- `output-*.mts` - Output formatting (JSON, markdown, etc.)
+- `fetch-*.mts` - API calls (where applicable)
+
+**Examples**: `scan`, `organization`, `repository` (keep modular)
+
+### Key Command Categories
+- **npm/npx wrapping**: `socket npm`, `socket npx` - Wraps npm/npx with security scanning
+- **Scanning**: `socket scan` - Create and manage security scans
+- **Organization management**: `socket organization` - Manage org settings and policies
+- **Package analysis**: `socket package` - Analyze package scores
+- **Optimization**: `socket optimize` - Apply Socket registry overrides
+- **Configuration**: `socket config` - Manage CLI configuration
+
+### Update Mechanism
+
+Socket CLI has different update mechanisms depending on installation method:
+
+#### SEA Binaries (Standalone Executables)
+- **Update checking**: Handled by node-smol C stub via embedded `--update-config`
+- **Configuration**: Embedded during build in `packages/cli/scripts/sea-build-utils/builder.mjs`
+- **GitHub releases**: Checks `https://api.github.com/repos/SocketDev/socket-cli/releases`
+- **Tag pattern**: Matches `socket-cli-*` (e.g., `socket-cli-20260127-abc1234`)
+- **Notification**: Shown on CLI exit (non-blocking)
+- **Update command**: `socket self-update` (handled by node-smol, not TypeScript CLI)
+- **Environment variable**: `SOCKET_CLI_SKIP_UPDATE_CHECK=1` to disable
+
+#### npm/pnpm/yarn Installations
+- **Update checking**: TypeScript-based in `src/utils/update/manager.mts`
+- **Registry**: Checks npm registry for `socket` package
+- **Notification**: Shown on CLI exit (non-blocking)
+- **Update command**: Use package manager (e.g., `npm update -g socket`)
+- **Environment variable**: `SOCKET_CLI_SKIP_UPDATE_CHECK=1` to disable
+
+#### Key Implementation Details
+- `scheduleUpdateCheck()` in `manager.mts` skips when `isSeaBinary()` returns true
+- SEA binaries use embedded update-config.json (1112 bytes)
+- node-smol handles HTTP requests via embedded libcurl
+- Update checks respect CI/TTY detection and rate limiting
+
+### Build System
+- Uses esbuild for building distribution files
+- TypeScript compilation with tsgo
+- Environment config (.env.test for testing)
+- Dual linting with Biome and ESLint
+- Formatting with Biome
+
+### Testing
+- Vitest for unit testing
+- Test files use `.test.mts` extension
+- Fixtures in `test/fixtures/`
+- Coverage reporting available
+
+### External Dependencies
+- Vendored modules in `src/external/` (e.g., ink-table)
+- Dependencies bundled into `dist/cli.js` via esbuild
+- Uses Socket registry overrides for security
+- Custom patches applied to dependencies in `patches/`
+
+## Environment and Configuration
+
+### Environment Files
+- **`.env.test`** - Test environment configuration
+
+### Configuration Files
+- **`biome.json`** - Biome formatter and linter configuration
+- **`vitest.config.mts`** - Vitest test runner configuration
+- **`eslint.config.js`** - ESLint configuration
+- **`tsconfig.json`** - Main TypeScript configuration
+- **`tsconfig.dts.json`** - TypeScript configuration for type definitions
+
+### Package Structure
+- **Binary entries**: `socket`, `socket-npm`, `socket-npx` (defined in package.json `bin` field, pointing to `dist/index.js`)
+- **Distribution**: Built files go to `dist/` directory
+- **External dependencies**: Bundled into `dist/cli.js` via esbuild
+- **Test fixtures**: Located in `test/fixtures/`
+
+### Dependency Management
+- Uses Socket registry overrides for enhanced alternatives
+- Custom patches applied to dependencies via `custompatch`
+- Overrides specified in package.json for enhanced alternatives
+
+## Changelog Management
+
+Follow [Keep a Changelog](https://keepachangelog.com/en/1.1.0/) format. Include user-facing changes only: Added, Changed, Fixed, Removed. Exclude: dependency updates, refactoring, tests, CI/CD, formatting. Marketing voice, stay concise.
+
+### Third-Party Integrations
+
+Socket CLI integrates with various third-party tools and services:
+- **@coana-tech/cli**: Static analysis tool for reachability analysis and vulnerability detection
+- **cdxgen**: CycloneDX BOM generator for creating software bill of materials
+- **synp**: Tool for converting between yarn.lock and package-lock.json formats
+
+## 🔧 Code Style (MANDATORY)
+
+### 📁 File Organization
+- **File extensions**: Use `.mts` for TypeScript module files
+- **Import order**: Node.js built-ins first, then third-party packages, then local imports
+- **Import grouping**: Group imports by source (Node.js, external packages, local modules)
+- **Type imports**: 🚨 ALWAYS use separate `import type` statements for TypeScript types, NEVER mix runtime imports with type imports in the same statement
+ - ✅ CORRECT: `import { readPackageJson } from '@socketsecurity/registry/lib/packages'` followed by `import type { PackageJson } from '@socketsecurity/registry/lib/packages'`
+ - ❌ FORBIDDEN: `import { readPackageJson, type PackageJson } from '@socketsecurity/registry/lib/packages'`
+
+### Naming Conventions
+- **Constants**: Use `UPPER_SNAKE_CASE` for constants (e.g., `CMD_NAME`, `REPORT_LEVEL`)
+- **Files**: Use kebab-case for filenames (e.g., `cmd-scan-create.mts`, `handle-create-new-scan.mts`)
+- **Variables**: Use camelCase for variables and functions
+
+### 🏗️ Code Structure (CRITICAL PATTERNS)
+- **Command pattern**: Complex commands use modular pattern (`cmd-*.mts`, `handle-*.mts`, `output-*.mts`); simple commands use consolidated single `cmd-*.mts` file
+- **Type definitions**: 🚨 ALWAYS use `import type` for better tree-shaking
+- **Flags**: 🚨 MUST use `MeowFlags` type with descriptive help text
+- **Error handling**: 🚨 REQUIRED - Use custom error types `AuthError` and `InputError`
+- **Array destructuring**: Use object notation `{ 0: key, 1: data }` instead of array destructuring `[key, data]`
+- **Dynamic imports**: 🚨 FORBIDDEN - Never use dynamic imports (`await import()`). Always use static imports at the top of the file
+- **Sorting**: 🚨 MANDATORY - Always sort lists, exports, and items in documentation headers alphabetically/alphanumerically for consistency
+- **Comment placement**: Place comments on their own line, not to the right of code
+- **Comment formatting**: Use fewer hyphens/dashes and prefer commas, colons, or semicolons for better readability
+- **Await in loops**: When using `await` inside for-loops, add `// eslint-disable-next-line no-await-in-loop` to suppress the ESLint warning when sequential processing is intentional
+- **If statement returns**: Never use single-line return if statements; always use proper block syntax with braces
+- **List formatting**: Use `-` for bullet points in text output, not `•` or other Unicode characters, for better terminal compatibility
+- **Existence checks**: Perform simple existence checks first before complex operations
+- **Destructuring order**: Sort destructured properties alphabetically in const declarations
+- **Function ordering**: Place functions in alphabetical order, with private functions first, then exported functions
+- **GitHub API calls**: Use Octokit instances from `src/utils/github.mts` (`getOctokit()`, `getOctokitGraphql()`) instead of raw fetch calls for GitHub API interactions
+- **Object mappings**: Use objects with `__proto__: null` (not `undefined`) for static string-to-string mappings and lookup tables to prevent prototype pollution; use `Map` for dynamic collections that will be mutated
+- **Mapping constants**: Move static mapping objects outside functions as module-level constants with descriptive UPPER_SNAKE_CASE names
+- **Array length checks**: Use `!array.length` instead of `array.length === 0`. For `array.length > 0`, use `!!array.length` when function must return boolean, or `array.length` when used in conditional contexts
+- **Catch parameter naming**: Use `catch (e)` instead of `catch (error)` for consistency across the codebase
+- **Node.js fs imports**: 🚨 MANDATORY pattern - `import { someSyncThing, promises as fs } from 'node:fs'`
+- **Process spawning**: 🚨 FORBIDDEN to use Node.js built-in `child_process.spawn` - MUST use `spawn` from `@socketsecurity/registry/lib/spawn`
+- **Number formatting**: 🚨 REQUIRED - Use underscore separators (e.g., `20_000`) for large numeric literals. 🚨 FORBIDDEN - Do NOT modify number values inside strings
+
+### Error Handling
+- **Input validation errors**: Use `InputError` from `src/utils/errors.mts` for user input validation failures (missing files, invalid arguments, etc.)
+- **Authentication errors**: Use `AuthError` from `src/utils/errors.mts` for API authentication issues
+- **CResult pattern**: Use `CResult` type for functions that can fail, following the Result/Either pattern with `ok: true/false`
+- **Process exit**: Avoid `process.exit(1)` unless absolutely necessary; prefer throwing appropriate error types that the CLI framework handles
+- **Error messages**: Write clear, actionable error messages that help users understand what went wrong and how to fix it
+- **Examples**:
+ - ✅ `throw new InputError('No .socket directory found in current directory')`
+ - ✅ `throw new AuthError('Invalid API token')`
+ - ❌ `logger.error('Error occurred'); return` (doesn't set proper exit code)
+ - ❌ `process.exit(1)` (bypasses error handling framework)
+
+### Safe File Operations (SECURITY CRITICAL)
+- **File deletion**: See SHARED STANDARDS section
+- 🚨 Use `safeDelete()` from `@socketsecurity/lib/fs` (NEVER `fs.rm/rmSync` or `rm -rf`)
+
+### Debugging and Troubleshooting
+- **CI vs Local Differences**: CI uses published npm packages, not local versions. Be defensive when using @socketsecurity/registry features
+- **File Existence Checks**: ALWAYS use `existsSync()` from `node:fs`, NEVER use `fs.access()` or `fs.promises.access()` for file/directory existence checks. `existsSync()` is synchronous, more direct, and the established pattern in this codebase for consistency
+
+### Formatting
+- **Linting**: Uses ESLint with TypeScript support and import/export rules
+- **Formatting**: Uses Biome for code formatting with 2-space indentation
+- **Line length**: Target 80 character line width where practical
+
+---
+
+## Quality Standards
+
+- Code MUST pass all existing lints and type checks
+- All patterns MUST follow established codebase conventions
+- Error handling MUST be robust and user-friendly
+- Performance considerations MUST be evaluated for any changes
diff --git a/LICENSE b/LICENSE
index e4c00a21c..8895bac08 100644
--- a/LICENSE
+++ b/LICENSE
@@ -1,4 +1,4 @@
-The MIT License (MIT)
+MIT License
Copyright (c) 2022 Socket Inc
diff --git a/README.md b/README.md
index 1e75af1cf..804c04866 100644
--- a/README.md
+++ b/README.md
@@ -1,57 +1,163 @@
# Socket CLI
-[](https://www.npmjs.com/package/@socketsecurity/cli)
-[](https://github.com/SocketDev/eslint-config)
+[](https://socket.dev/npm/package/socket)
+[](https://github.com/SocketDev/socket-cli/actions/workflows/ci.yml)
+
+
[](https://twitter.com/SocketSecurity)
-CLI tool for [Socket.dev](https://socket.dev/)
+CLI for [Socket.dev] security analysis
+
+## Quick Start
-## Usage
+**Install via package manager:**
```bash
-npm install -g @socketsecurity/cli
+pnpm install -g socket
+socket --help
```
+**Or install via npm:**
+
```bash
+npm install -g socket
socket --help
-socket info webtorrent@1.9.1
-socket report create package.json
```
-## Commands
+## Core Commands
-* `socket info ` - looks up issues for a package
-* `socket report create` - uploads the specified `package.json` and/or `package-lock.json` to create a report on [socket.dev](https://socket.dev/). If only one of a `package.json`/`package-lock.json` has been specified, the other will be automatically found and uploaded if it exists
+- `socket npm [args...]` / `socket npx [args...]` - Wrap npm/npx with security scanning
+- `socket pnpm [args...]` / `socket yarn [args...]` - Wrap pnpm/yarn with security scanning
+- `socket pip [args...]` - Wrap pip with security scanning
+- `socket scan` - Create and manage security scans
+- `socket package ` - Analyze package security scores
+- `socket fix` - Fix CVEs in dependencies
+- `socket optimize` - Optimize dependencies with [`@socketregistry`](https://github.com/SocketDev/socket-registry) overrides
+- `socket manifest [command]` - Generate and manage SBOMs for multiple ecosystems
+ - `socket cdxgen [command]` - Alias for `socket manifest cdxgen` - Run [cdxgen](https://github.com/cdxgen/cdxgen) for SBOM generation
-## Flags
+## Organization & Repository Management
+
+- `socket organization` (alias: `org`) - Manage organization settings
+- `socket repository` (alias: `repo`) - Manage repositories
+- `socket dependencies` (alias: `deps`) - View organization dependencies
+- `socket audit-log` (alias: `audit`) - View audit logs
+- `socket analytics` - View organization analytics
+- `socket threat-feed` (alias: `feed`) - View threat intelligence
+
+## Authentication & Configuration
-### Action flags
+- `socket login` - Authenticate with Socket.dev
+- `socket logout` - Remove authentication
+- `socket whoami` - Show authenticated user
+- `socket config` - Manage CLI configuration
-* `--dry-run` - the `socket report create` supports running the command without actually uploading anything. All CLI tools that perform an action should have a dry run flag
+## Aliases
+
+All aliases support the flags and arguments of the commands they alias.
+
+- `socket ci` - Alias for `socket scan create --report` (creates report and exits with error if unhealthy)
+- `socket org` - Alias for `socket organization`
+- `socket repo` - Alias for `socket repository`
+- `socket pkg` - Alias for `socket package`
+- `socket deps` - Alias for `socket dependencies`
+- `socket audit` - Alias for `socket audit-log`
+- `socket feed` - Alias for `socket threat-feed`
+
+## Flags
### Output flags
-* `--json` - outputs result as json which you can then pipe into [`jq`](https://stedolan.github.io/jq/) and other tools
-* `--markdown` - outputs result as markdown which you can then copy into an issue, PR or even chat
+These flags are available on data-retrieval commands (scan, package, organization, etc.):
+
+- `--json` - Output as JSON
+- `--markdown` - Output as Markdown
### Other flags
-* `--debug` - outputs additional debug output. Great for debugging, geeks and us who develop. Hopefully you will never _need_ it, but it can still be fun, right?
-* `--help` - prints the help for the current command. All CLI tools should have this flag
-* `--version` - prints the version of the tool. All CLI tools should have this flag
+- `--dry-run` - Run without uploading
+- `--help` - Show help
+- `--version` - Show version
+
+## Configuration files
+
+Socket CLI reads [`socket.yml`](https://docs.socket.dev/docs/socket-yml) configuration files.
+Supports version 2 format with `projectIgnorePaths` for excluding files from reports.
## Environment variables
-* `SOCKET_SECURITY_API_KEY` - if set, this will be used as the API-key
+- `GITHUB_API_URL` - GitHub API base URL (default: `https://api.github.com`, set for GitHub Enterprise)
+- `SOCKET_CLI_ACCEPT_RISKS` - Accept npm/npx risks
+- `SOCKET_CLI_API_BASE_URL` - Override Socket API endpoint (default: `api.socket.dev`)
+- `SOCKET_CLI_API_PROXY` - HTTP proxy for API calls
+- `SOCKET_CLI_API_TIMEOUT` - API request timeout in milliseconds
+- `SOCKET_CLI_API_TOKEN` - Socket API token
+- `SOCKET_CLI_BIN_PATH` - Path to CLI binary
+- `SOCKET_CLI_BOOTSTRAP_CACHE_DIR` - Bootstrap cache directory
+- `SOCKET_CLI_BOOTSTRAP_SPEC` - Bootstrap specification
+- `SOCKET_CLI_CDXGEN_LOCAL_PATH` - Local path to cdxgen tool
+- `SOCKET_CLI_COANA_LOCAL_PATH` - Local path to Coana tool
+- `SOCKET_CLI_CONFIG` - JSON configuration object
+- `SOCKET_CLI_DEBUG` - Enable debug logging (set to `1`)
+- `SOCKET_CLI_FIX` - Enable fix mode
+- `SOCKET_CLI_GIT_USER_EMAIL` - Git user email (default: `github-actions[bot]@users.noreply.github.com`)
+- `SOCKET_CLI_GIT_USER_NAME` - Git user name (default: `github-actions[bot]`)
+- `SOCKET_CLI_GITHUB_TOKEN` - GitHub token with repo access (`GITHUB_TOKEN` and `GH_TOKEN` also recognized as fallbacks)
+- `SOCKET_CLI_JS_PATH` - Path to JavaScript runtime
+- `SOCKET_CLI_LOCAL_NODE_SMOL` - Path to local node-smol binary
+- `SOCKET_CLI_LOCAL_PATH` - Local CLI path
+- `SOCKET_CLI_MODE` - CLI operation mode
+- `SOCKET_CLI_MODELS_PATH` - Path to AI models
+- `SOCKET_CLI_NO_API_TOKEN` - Disable default API token
+- `SOCKET_CLI_NPM_PATH` - Path to npm directory
+- `SOCKET_CLI_OPTIMIZE` - Enable optimize mode
+- `SOCKET_CLI_ORG_SLUG` - Socket organization slug
+- `SOCKET_CLI_PYCLI_LOCAL_PATH` - Local path to Python CLI tool
+- `SOCKET_CLI_PYTHON_PATH` - Path to Python interpreter
+- `SOCKET_CLI_SEA_NODE_VERSION` - Node version for SEA builds
+- `SOCKET_CLI_SFW_LOCAL_PATH` - Local path to SFW tool
+- `SOCKET_CLI_SKIP_UPDATE_CHECK` - Disable update checking
+- `SOCKET_CLI_SOCKET_PATCH_LOCAL_PATH` - Local path to socket-patch tool
+- `SOCKET_CLI_VIEW_ALL_RISKS` - Show all npm/npx risks
## Contributing
-### Environment variables for development
-* `SOCKET_SECURITY_API_BASE_URL` - if set, this will be the base for all API-calls. Defaults to `https://api.socket.dev/v0/`
-* `SOCKET_SECURITY_API_PROXY` - if set to something like [`http://127.0.0.1:9090`](https://docs.proxyman.io/troubleshooting/couldnt-see-any-requests-from-3rd-party-network-libraries), then all request will be proxied through that proxy
+**Setup instructions:**
+
+```bash
+git clone https://github.com/SocketDev/socket-cli.git
+cd socket-cli
+pnpm install
+pnpm run build
+pnpm test
+```
+
+**Development commands:**
+
+```bash
+pnpm run build # Smart build
+pnpm run build --force # Force rebuild
+```
+
+**Debug logging:**
+```bash
+SOCKET_CLI_DEBUG=1 socket # Enable debug output
+DEBUG=network socket # Specific category
+```
## See also
-* [`@socketsecurity/sdk`]('https://github.com/SocketDev/socket-sdk-js") - the SDK used in this CLI
-* [Socket API Reference](https://docs.socket.dev/reference) - the API used in this CLI
-* [Socket GitHub App](https://github.com/apps/socket-security) - the plug-and-play GitHub App
+- [Socket API Reference](https://docs.socket.dev/reference)
+- [Socket GitHub App](https://github.com/apps/socket-security)
+- [`@socketsecurity/sdk`](https://github.com/SocketDev/socket-sdk-js)
+
+[Socket.dev]: https://socket.dev/
+
+
+
+
+
+
+ 
+
+