Add socket pip command and Windows path normalization

Add socket pip command that forwards to Socket Firewall (sfw):
- Integrates sfw npm package for pip security scanning
- Filters Socket CLI flags before forwarding
- Provides seamless security layer for Python packages

Normalize paths for Windows compatibility:
- Update getDlxCachePath() to return normalized paths
- Update getSocketHomePath() to return normalized paths
- Ensures tests pass on Windows CI runners

Enhance Python CLI forwarding:
- Support flag-first invocation (socket --repo owner/repo)
- Improve fallback logic for unknown commands
- Better integration with socket-python-cli

Clean up constants:
- Remove unused readOrDefaultSocketJson helper
- Simplify LAZY_ENV initialization

Author: jdalton

src/commands.mts

@@ -23,6 +23,7 @@ import { cmdOrganizationPolicySecurity } from './commands/organization/cmd-organ
 import { cmdOrganization } from './commands/organization/cmd-organization.mts'
 import { cmdPackage } from './commands/package/cmd-package.mts'
 import { cmdPatch } from './commands/patch/cmd-patch.mts'
+import { cmdPip } from './commands/pip/cmd-pip.mts'
 import { cmdPnpm } from './commands/pnpm/cmd-pnpm.mts'
 import { cmdRawNpm } from './commands/raw-npm/cmd-raw-npm.mts'
 import { cmdRawNpx } from './commands/raw-npx/cmd-raw-npx.mts'
@@ -58,6 +59,7 @@ export const rootCommands = {
   organization: cmdOrganization,
   package: cmdPackage,
   patch: cmdPatch,
+  pip: cmdPip,
   'raw-npm': cmdRawNpm,
   'raw-npx': cmdRawNpx,
   repository: cmdRepository,

src/commands/pip/cmd-pip.mts

@@ -0,0 +1,115 @@
+/**
+ * @fileoverview Socket pip command - forwards pip operations to Socket Firewall (sfw).
+ *
+ * This command wraps pip with Socket Firewall security scanning, providing real-time
+ * security analysis of Python packages before installation.
+ *
+ * Architecture:
+ * - Parses Socket CLI flags (--help, --config, etc.)
+ * - Filters out Socket-specific flags
+ * - Forwards remaining arguments to Socket Firewall via npx
+ * - Socket Firewall acts as a proxy for pip operations
+ *
+ * Usage:
+ *   socket pip install <package>
+ *   socket pip install -r requirements.txt
+ *   socket pip list
+ *
+ * Environment:
+ *   Requires Node.js and npx (bundled with npm)
+ *   Socket Firewall (sfw) is downloaded automatically via npx on first use
+ *
+ * See also:
+ *   - Socket Firewall: https://www.npmjs.com/package/sfw
+ *   - Python CLI: src/utils/python-standalone.mts
+ */
+
+import { spawn } from '@socketsecurity/registry/lib/spawn'
+
+import constants from '../../constants.mts'
+import { commonFlags } from '../../flags.mts'
+import { filterFlags } from '../../utils/cmd.mts'
+import { meowOrExit } from '../../utils/meow-with-subcommands.mts'
+
+import type {
+  CliCommandConfig,
+  CliCommandContext,
+} from '../../utils/meow-with-subcommands.mts'
+
+const { WIN32 } = constants
+
+const CMD_NAME = 'pip'
+const description = 'Run pip with Socket Firewall security'
+
+/**
+ * Command export for socket pip.
+ * Provides description and run function for CLI registration.
+ */
+export const cmdPip = {
+  description,
+  hidden: false,
+  run,
+}
+
+/**
+ * Execute the socket pip command.
+ *
+ * Flow:
+ * 1. Parse CLI flags with meow to handle --help
+ * 2. Filter out Socket CLI flags (--config, --org, etc.)
+ * 3. Forward remaining arguments to Socket Firewall via npx
+ * 4. Socket Firewall proxies the pip command with security scanning
+ * 5. Exit with the same code as the pip command
+ *
+ * @param argv - Command arguments (after "pip")
+ * @param importMeta - Import metadata for meow
+ * @param context - CLI command context (parent name, etc.)
+ */
+async function run(
+  argv: string[] | readonly string[],
+  importMeta: ImportMeta,
+  context: CliCommandContext,
+): Promise<void> {
+  const { parentName } = { __proto__: null, ...context } as CliCommandContext
+  const config: CliCommandConfig = {
+    commandName: CMD_NAME,
+    description,
+    hidden: false,
+    flags: {
+      ...commonFlags,
+    },
+    help: command => `
+    Usage
+      $ ${command} ...
+
+    Note: Everything after "${CMD_NAME}" is forwarded to Socket Firewall (sfw).
+          Socket Firewall provides real-time security scanning for pip packages.
+
+    Examples
+      $ ${command} install flask
+      $ ${command} install -r requirements.txt
+      $ ${command} list
+    `,
+  }
+
+  // Parse flags to handle --help
+  meowOrExit({
+    argv,
+    config,
+    importMeta,
+    parentName,
+  })
+
+  // Filter out Socket CLI flags before forwarding to sfw
+  const argsToForward = filterFlags(argv, commonFlags, [])
+
+  // Forward arguments to sfw (Socket Firewall) via npx.
+  const result = await spawn('npx', ['sfw', 'pip', ...argsToForward], {
+    shell: WIN32,
+    stdio: 'inherit',
+  })
+
+  if (result.code !== 0) {
+    process.exitCode = result.code || 1
+  }
+}

src/commands/pip/cmd-pip.test.mts

@@ -0,0 +1,58 @@
+import { describe, expect } from 'vitest'
+
+import constants, { FLAG_CONFIG, FLAG_HELP } from '../../../src/constants.mts'
+import { cmdit, spawnSocketCli } from '../../../test/utils.mts'
+
+describe('socket pip', async () => {
+  const { binCliPath } = constants
+
+  cmdit(
+    ['pip', FLAG_HELP, FLAG_CONFIG, '{}'],
+    `should support ${FLAG_HELP}`,
+    async cmd => {
+      const { code, stderr, stdout } = await spawnSocketCli(binCliPath, cmd)
+      expect(stdout).toMatchInlineSnapshot(`
+        "Run pip with Socket Firewall security
+
+          Usage
+            $ socket pip ...
+
+          Note: Everything after "pip" is forwarded to Socket Firewall (sfw).
+                Socket Firewall provides real-time security scanning for pip packages.
+
+          Examples
+            $ socket pip install flask
+            $ socket pip install -r requirements.txt
+            $ socket pip list"
+      `)
+      expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
+        "
+           _____         _       _        /---------------
+          |   __|___ ___| |_ ___| |_      | CLI: v1.1.23
+          |__   | * |  _| '_| -_|  _|     | token: zP416*** (env), org: (not set)
+          |_____|___|___|_,_|___|_|.dev   | Command: \`socket pip\`, cwd: ~/projects/socket-cli"
+      `)
+
+      expect(code, 'explicit help should exit with code 0').toBe(0)
+      expect(stderr, 'banner includes base command').toContain('`socket pip`')
+    },
+  )
+
+  cmdit(
+    ['pip', '--version', FLAG_CONFIG, '{"apiToken":"fakeToken"}'],
+    'should forward --version to sfw',
+    async cmd => {
+      const { stderr } = await spawnSocketCli(binCliPath, cmd)
+      expect(`\n   ${stderr}`).toMatchInlineSnapshot(`
+        "
+           _____         _       _        /---------------
+          |   __|___ ___| |_ ___| |_      | CLI: v1.1.23
+          |__   | * |  _| '_| -_|  _|     | token: zP416*** (env), org: (not set)
+          |_____|___|___|_,_|___|_|.dev   | Command: \`socket pip\`, cwd: ~/projects/socket-cli
+
+        Unknown flag
+        --version"
+      `)
+    },
+  )
+})

src/constants.mts

@@ -530,14 +530,9 @@ function getNpmStdioPipeOptions() {
 const LAZY_ENV = () => {
   const { env } = process
   const envHelpers = /*@__PURE__*/ require('@socketsecurity/registry/lib/env')
-  const utils = /*@__PURE__*/ require(
-    path.join(constants.rootPath, 'dist/utils.js'),
-  )
   const envAsBoolean = envHelpers.envAsBoolean
   const envAsNumber = envHelpers.envAsNumber
   const envAsString = envHelpers.envAsString
-  const getConfigValueOrUndef = utils.getConfigValueOrUndef
-  const readOrDefaultSocketJson = utils.readOrDefaultSocketJson
   const GITHUB_TOKEN = envAsString(env['GITHUB_TOKEN'])
   const INLINED_SOCKET_CLI_PUBLISHED_BUILD = envAsBoolean(
     process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD'],
@@ -681,11 +676,11 @@ const LAZY_ENV = () => {
     SOCKET_CLI_ACCEPT_RISKS: envAsBoolean(env[SOCKET_CLI_ACCEPT_RISKS]),
     // Change the base URL for Socket API calls.
     // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development
+    // Note: Cannot use getConfigValueOrUndef() here due to circular dependency.
     SOCKET_CLI_API_BASE_URL:
       envAsString(env['SOCKET_CLI_API_BASE_URL']) ||
       // TODO: Remove legacy environment variable name.
       envAsString(env['SOCKET_SECURITY_API_BASE_URL']) ||
-      getConfigValueOrUndef('apiBaseUrl') ||
       API_V0_URL,
     // Set the proxy that all requests are routed through.
     // https://github.com/SocketDev/socket-cli?tab=readme-ov-file#environment-variables-for-development
@@ -731,11 +726,9 @@ const LAZY_ENV = () => {
       'Socket Bot',
     // Change the base URL for GitHub REST API calls.
     // https://docs.github.com/en/rest
+    // Note: Cannot use readOrDefaultSocketJson() here due to circular dependency.
     SOCKET_CLI_GITHUB_API_URL:
-      envAsString(env['SOCKET_CLI_GITHUB_API_URL']) ||
-      readOrDefaultSocketJson(process.cwd())?.defaults?.scan?.github
-        ?.githubApiUrl ||
-      'https://api.github.com',
+      envAsString(env['SOCKET_CLI_GITHUB_API_URL']) || 'https://api.github.com',
     // A classic GitHub personal access token with the "repo" scope or a
     // fine-grained access token with at least read/write permissions set for
     // "Contents" and "Pull Request".

src/utils/dlx-binary.mts

@@ -28,6 +28,7 @@ import os from 'node:os'
 import path from 'node:path'
 
 import { readJson } from '@socketsecurity/registry/lib/fs'
+import { normalizePath } from '@socketsecurity/registry/lib/path'
 import { spawn } from '@socketsecurity/registry/lib/spawn'
 
 import constants from '../constants.mts'
@@ -333,21 +334,23 @@ export async function dlxBinary(
 
 /**
  * Get the DLX binary cache directory path.
+ * Returns normalized path for cross-platform compatibility.
  */
 export function getDlxCachePath(): string {
-  return path.join(getSocketHomePath(), 'cache', 'dlx')
+  return normalizePath(path.join(getSocketHomePath(), 'cache', 'dlx'))
 }
 
 /**
  * Get the base .socket directory path.
  * Uses %USERPROFILE% on Windows, $HOME on POSIX systems.
+ * Returns normalized path for cross-platform compatibility.
  */
 export function getSocketHomePath(): string {
   const homedir = os.homedir()
   if (!homedir) {
     throw new InputError('Unable to determine home directory')
   }
-  return path.join(homedir, '.socket')
+  return normalizePath(path.join(homedir, '.socket'))
 }
 
 /**

src/utils/meow-with-subcommands.mts

@@ -40,6 +40,7 @@ import constants, {
   // YARN,
 } from '../constants.mts'
 import { commonFlags } from '../flags.mts'
+import { spawnSocketPython } from './python-standalone.mts'
 import { getVisibleTokenPrefix } from './sdk.mts'
 import { tildify } from './tildify.mts'
 
@@ -493,7 +494,8 @@ export async function meowWithSubcommands(
   }
 
   // If we have got some args, then lets find out if we can find a command.
-  if (commandOrAliasName) {
+  // Skip command lookup if first arg is a flag (starts with -)
+  if (commandOrAliasName && !commandOrAliasName.startsWith('-')) {
     const alias = aliases[commandOrAliasName]
     // First: Resolve argv data from alias if its an alias that's been given.
     const [commandName, ...commandArgv] = alias
@@ -520,7 +522,31 @@ export async function meowWithSubcommands(
         )
         return
       }
+
+      // Try forwarding to socket-python CLI for unrecognized commands.
+      // This enables commands like: socket report, socket purl, etc.
+      const pythonResult = await spawnSocketPython(commandArgv, {
+        stdio: 'inherit',
+      })
+      if (pythonResult.ok) {
+        // Successfully handled by Python CLI.
+        return
+      }
+      // If Python CLI also failed, fall through to show help.
+    }
+  }
+
+  // If first arg is a flag (starts with --), try Python CLI forwarding.
+  // This enables: socket --repo owner/repo --target-path .
+  if (commandOrAliasName?.startsWith('--')) {
+    const pythonResult = await spawnSocketPython(argv, {
+      stdio: 'inherit',
+    })
+    if (pythonResult.ok) {
+      // Successfully handled by Python CLI.
+      return
     }
+    // If Python CLI failed, fall through to show help.
   }
 
   const lines = ['', 'Usage', `  $ ${name} <command>`]
@@ -553,6 +579,7 @@ export async function meowWithSubcommands(
       'organization',
       'package',
       //'patch',
+      'pip',
       // PNPM,
       'raw-npm',
       'raw-npx',