fix(test): replace vi.mock('node:fs') with vi.spyOn for thread-safe tests

vi.mock('node:fs') auto-mocking fails intermittently with vitest's
threads pool + sharding. Switch source files to namespace fs imports
and tests to vi.spyOn so mocks intercept at runtime without module
replacement.

Also remove dead processAsset function and unused computeFileHash
import from download-assets.mjs.

Author: jdalton

packages/cli/scripts/download-assets.mjs

@@ -25,11 +25,6 @@ import { getDefaultLogger } from '@socketsecurity/lib/logger'
 import { downloadSocketBtmRelease } from '@socketsecurity/lib/releases/socket-btm'
 import { spawn } from '@socketsecurity/lib/spawn'
 
-import {
-  computeFileHash,
-  generateHeader,
-} from './utils/socket-btm-releases.mjs'
-
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
 const rootPath = path.join(__dirname, '..')
 const logger = getDefaultLogger()
@@ -99,14 +94,7 @@ const ASSETS = {
  * Download a single asset.
  */
 async function downloadAsset(config) {
-  const {
-    description,
-    download,
-    extract,
-    name,
-    process: processConfig,
-    type,
-  } = config
+  const { description, download, extract, name, type } = config
 
   try {
     logger.group(`Extracting ${name} from socket-btm releases...`)
@@ -132,8 +120,6 @@ async function downloadAsset(config) {
     // Process based on asset type.
     if (type === 'archive' && extract) {
       await extractArchive(assetPath, extract, name)
-    } else if (type === 'processed' && processConfig) {
-      await processAsset(assetPath, processConfig, name)
     }
 
     logger.groupEnd()
@@ -204,78 +190,6 @@ async function extractArchive(tarGzPath, extractConfig, assetName) {
   await fs.writeFile(versionPath, tag, 'utf-8')
 }
 
-/**
- * Process and transform asset (e.g., add header to JS file).
- */
-async function processAsset(assetPath, processConfig, assetName) {
-  const { outputPath } = processConfig
-
-  // Check if extraction needed by comparing version.
-  const assetDir = path.dirname(assetPath)
-  const sourceVersionPath = path.join(assetDir, '.version')
-  const outputVersionPath = path.join(
-    path.dirname(outputPath),
-    `${path.basename(outputPath, path.extname(outputPath))}.version`,
-  )
-
-  if (
-    existsSync(outputVersionPath) &&
-    existsSync(outputPath) &&
-    existsSync(sourceVersionPath)
-  ) {
-    const cachedVersion = (await fs.readFile(outputVersionPath, 'utf8')).trim()
-    const sourceVersion = (await fs.readFile(sourceVersionPath, 'utf8')).trim()
-    if (cachedVersion === sourceVersion) {
-      logger.info(`${assetName} already up to date`)
-      return
-    }
-
-    logger.info(`${assetName} version changed, re-extracting...`)
-  }
-
-  // Read the downloaded asset.
-  let content = await fs.readFile(assetPath, 'utf-8')
-
-  // Compute source hash for cache validation.
-  const sourceHash = await computeFileHash(assetPath)
-
-  // Get tag from source version file.
-  if (!existsSync(sourceVersionPath)) {
-    throw new Error(
-      `Source version file not found: ${sourceVersionPath}. ` +
-        'Please download assets first using the build system.',
-    )
-  }
-
-  const tag = (await fs.readFile(sourceVersionPath, 'utf8')).trim()
-  if (!tag || tag.length === 0) {
-    throw new Error(
-      `Invalid version file content at ${sourceVersionPath}. ` +
-        'Please re-download assets.',
-    )
-  }
-
-  // Generate output file with header.
-  const header = generateHeader({
-    assetName: path.basename(assetPath),
-    scriptName: 'scripts/download-assets.mjs',
-    sourceHash,
-    tag,
-  })
-
-  const output = `${header}
-
-${content}
-`
-
-  // Ensure build directory exists before writing.
-  await fs.mkdir(path.dirname(outputPath), { recursive: true })
-  await fs.writeFile(outputPath, output, 'utf-8')
-
-  // Write version file.
-  await fs.writeFile(outputVersionPath, tag, 'utf-8')
-}
-
 /**
  * Download multiple assets (parallel by default, sequential opt-in).
  *

packages/cli/src/constants/agents.mts

@@ -3,7 +3,7 @@
  * Functions for package manager version requirements and execution paths.
  */
 
-import { existsSync } from 'node:fs'
+import fs from 'node:fs'
 import path from 'node:path'
 
 import { whichReal } from '@socketsecurity/lib/bin'
@@ -63,7 +63,7 @@ export async function getNpmExecPath(): Promise<string> {
   // Check npm in the same directory as node.
   const nodeDir = path.dirname(process.execPath)
   const npmInNodeDir = path.join(nodeDir, NPM)
-  if (existsSync(npmInNodeDir)) {
+  if (fs.existsSync(npmInNodeDir)) {
     return npmInNodeDir
   }
   // Fall back to whichReal.

packages/cli/src/utils/ecosystem/environment.mts

@@ -24,7 +24,7 @@
  * - Configuring concurrent execution limits
  */
 
-import { existsSync, readFileSync } from 'node:fs'
+import fs from 'node:fs'
 import path from 'node:path'
 
 import browserslist from 'browserslist'
@@ -257,13 +257,13 @@ const LOCKS: Record<string, Agent> = {
 function resolveBinPathSync(binPath: string): string {
   // Simple implementation that tries to resolve a bin path to its actual entry point.
   // This is used on Windows to resolve shims like `npm` or `npm.cmd` to their .js entry point.
-  if (!existsSync(binPath)) {
+  if (!fs.existsSync(binPath)) {
     return binPath
   }
 
   try {
     // Try to read the file synchronously
-    const content = readFileSync(binPath, 'utf8')
+    const content = fs.readFileSync(binPath, 'utf8')
     // Look for common patterns in npm/node shims:
     // - node "C:\path\to\npm-cli.js" "$@"
     // - "%_prog%"  "%dp0%\node_modules\npm\bin\npm-cli.js" %*
@@ -309,28 +309,28 @@ function preferWindowsCmdShim(binPath: string, binName: string): string {
   const cmdShim = path.join(path.dirname(binPath), `${binName}.cmd`)
 
   // Ensure shim exists, otherwise fallback to binPath
-  return existsSync(cmdShim) ? cmdShim : binPath
+  return fs.existsSync(cmdShim) ? cmdShim : binPath
 }
 
 async function getAgentExecPath(agent: Agent): Promise<string> {
   const binName = binByAgent.get(agent)!
   if (binName === NPM) {
     // Try to use getNpmExecPath() first, but verify it exists.
     const npmPath = preferWindowsCmdShim(await getNpmExecPath(), NPM)
-    if (existsSync(npmPath)) {
+    if (fs.existsSync(npmPath)) {
       return npmPath
     }
     // If getNpmExecPath() doesn't exist, try common locations.
     // Check npm in the same directory as node.
     const nodeDir = path.dirname(process.execPath)
     if (WIN32) {
       const npmCmdInNodeDir = path.join(nodeDir, `${NPM}.cmd`)
-      if (existsSync(npmCmdInNodeDir)) {
+      if (fs.existsSync(npmCmdInNodeDir)) {
         return npmCmdInNodeDir
       }
     }
     const npmInNodeDir = path.join(nodeDir, NPM)
-    if (existsSync(npmInNodeDir)) {
+    if (fs.existsSync(npmInNodeDir)) {
       return preferWindowsCmdShim(npmInNodeDir, NPM)
     }
     // Fall back to which.
@@ -343,7 +343,7 @@ async function getAgentExecPath(agent: Agent): Promise<string> {
   if (binName === PNPM) {
     // Try to use getPnpmExecPath() first, but verify it exists.
     const pnpmPath = await getPnpmExecPath()
-    if (existsSync(pnpmPath)) {
+    if (fs.existsSync(pnpmPath)) {
       return pnpmPath
     }
     // Fall back to which.
@@ -452,7 +452,7 @@ export async function detectPackageEnvironment({
       )
     : await findUp(PACKAGE_JSON, { cwd })
   const pkgPath =
-    pkgJsonPath && existsSync(pkgJsonPath)
+    pkgJsonPath && fs.existsSync(pkgJsonPath)
       ? path.dirname(pkgJsonPath)
       : undefined
   const pkgJson = pkgPath ? await readPackageJson(pkgPath) : undefined

packages/cli/src/utils/npm/paths.mts

@@ -1,4 +1,4 @@
-import { existsSync } from 'node:fs'
+import fs from 'node:fs'
 import Module from 'node:module'
 import path from 'node:path'
 
@@ -81,7 +81,7 @@ export function getNpmRequire(): NodeJS.Require {
     const npmNmPath = path.join(npmDirPath, `${NODE_MODULES}/npm`)
     _npmRequire = Module.createRequire(
       path.join(
-        existsSync(npmNmPath) ? npmNmPath : npmDirPath,
+        fs.existsSync(npmNmPath) ? npmNmPath : npmDirPath,
         '<dummy-basename>',
       ),
     )

packages/cli/src/utils/pnpm/lockfile.mts

@@ -1,4 +1,4 @@
-import { existsSync } from 'node:fs'
+import fs from 'node:fs'
 
 import yaml from 'js-yaml'
 import semver from 'semver'
@@ -88,7 +88,9 @@ export function parsePnpmLockfileVersion(version: unknown): SemVer | undefined {
 export async function readPnpmLockfile(
   lockfilePath: string,
 ): Promise<string | undefined> {
-  return existsSync(lockfilePath) ? await readFileUtf8(lockfilePath) : undefined
+  return fs.existsSync(lockfilePath)
+    ? await readFileUtf8(lockfilePath)
+    : undefined
 }
 
 export function stripLeadingPnpmDepPathSlash(depPath: string): string {

packages/cli/src/utils/process/os.mts

@@ -26,7 +26,7 @@
  * - File permission management
  */
 
-import { existsSync, promises as fs, readFileSync } from 'node:fs'
+import fs from 'node:fs'
 
 import { getDefaultLogger } from '@socketsecurity/lib/logger'
 import { spawn } from '@socketsecurity/lib/spawn'
@@ -142,8 +142,8 @@ function detectMusl(): boolean {
 
   // Method 1: Check /etc/os-release for Alpine.
   try {
-    if (existsSync('/etc/os-release')) {
-      const osRelease = readFileSync('/etc/os-release', 'utf8')
+    if (fs.existsSync('/etc/os-release')) {
+      const osRelease = fs.readFileSync('/etc/os-release', 'utf8')
       if (osRelease.includes('Alpine') || osRelease.includes('alpine')) {
         cachedLibc = 'musl'
         return true
@@ -156,8 +156,8 @@ function detectMusl(): boolean {
   // Method 2: Check if ldd references musl.
   try {
     if (
-      existsSync('/lib/ld-musl-x86_64.so.1') ||
-      existsSync('/lib/ld-musl-aarch64.so.1')
+      fs.existsSync('/lib/ld-musl-x86_64.so.1') ||
+      fs.existsSync('/lib/ld-musl-aarch64.so.1')
     ) {
       cachedLibc = 'musl'
       return true
@@ -168,8 +168,8 @@ function detectMusl(): boolean {
 
   // Method 3: Check /proc/version for musl indicators.
   try {
-    if (existsSync('/proc/version')) {
-      const version = readFileSync('/proc/version', 'utf8')
+    if (fs.existsSync('/proc/version')) {
+      const version = fs.readFileSync('/proc/version', 'utf8')
       if (version.includes('musl')) {
         cachedLibc = 'musl'
         return true
@@ -250,7 +250,7 @@ async function ensureExecutable(filePath: string): Promise<void> {
   }
 
   try {
-    await fs.chmod(filePath, 0o755)
+    await fs.promises.chmod(filePath, 0o755)
     logger.log('Set executable permissions')
   } catch (e) {
     logger.warn(

packages/cli/src/utils/socket/json.mts

@@ -18,7 +18,7 @@
  * - Supports both read and write operations
  */
 
-import { existsSync, promises as fs, readFileSync } from 'node:fs'
+import fs from 'node:fs'
 import path from 'node:path'
 
 import { debugDirNs, debugNs } from '@socketsecurity/lib/debug'
@@ -127,14 +127,14 @@ export async function readSocketJson(
   defaultOnError = false,
 ): Promise<CResult<SocketJson>> {
   const sockJsonPath = path.join(cwd, SOCKET_JSON)
-  if (!existsSync(sockJsonPath)) {
+  if (!fs.existsSync(sockJsonPath)) {
     debugNs('notice', `miss: ${SOCKET_JSON} not found at ${cwd}`)
     return { ok: true, data: getDefaultSocketJson() }
   }
 
   let json = null
   try {
-    json = await fs.readFile(sockJsonPath, 'utf8')
+    json = await fs.promises.readFile(sockJsonPath, 'utf8')
   } catch (e) {
     if (defaultOnError) {
       logger.warn(`Failed to read ${SOCKET_JSON}, using default`)
@@ -188,13 +188,13 @@ export function readSocketJsonSync(
   defaultOnError = false,
 ): CResult<SocketJson> {
   const sockJsonPath = path.join(cwd, SOCKET_JSON)
-  if (!existsSync(sockJsonPath)) {
+  if (!fs.existsSync(sockJsonPath)) {
     debugNs('notice', `miss: ${SOCKET_JSON} not found at ${cwd}`)
     return { ok: true, data: getDefaultSocketJson() }
   }
   let jsonContent = null
   try {
-    jsonContent = readFileSync(sockJsonPath, 'utf8')
+    jsonContent = fs.readFileSync(sockJsonPath, 'utf8')
   } catch (e) {
     if (defaultOnError) {
       logger.warn(`Failed to read ${SOCKET_JSON}, using default`)
@@ -262,7 +262,7 @@ export async function writeSocketJson(
   }
 
   const filepath = path.join(cwd, SOCKET_JSON)
-  await fs.writeFile(filepath, `${jsonContent}\n`, 'utf8')
+  await fs.promises.writeFile(filepath, `${jsonContent}\n`, 'utf8')
 
   return { ok: true, data: undefined }
 }

packages/cli/test/unit/constants/agents.test.mts

@@ -13,24 +13,17 @@
  * - constants/agents.mts (implementation)
  */
 
+import fs from 'node:fs'
+
 import { afterEach, beforeEach, describe, expect, it, vi } from 'vitest'
 
 // Mock dependencies using hoisted mocks.
 const mockWhichReal = vi.hoisted(() => vi.fn())
-const mockExistsSync = vi.hoisted(() => vi.fn())
 
 vi.mock('@socketsecurity/lib/bin', () => ({
   whichReal: mockWhichReal,
 }))
 
-vi.mock('node:fs', async () => {
-  const actual = await vi.importActual('node:fs')
-  return {
-    ...actual,
-    existsSync: mockExistsSync,
-  }
-})
-
 import {
   BUN,
   getMinimumVersionByAgent,
@@ -46,8 +39,11 @@ import {
 } from '../../../src/constants/agents.mts'
 
 describe('agents constants', () => {
+  let mockExistsSync: ReturnType<typeof vi.spyOn>
+
   beforeEach(() => {
     vi.clearAllMocks()
+    mockExistsSync = vi.spyOn(fs, 'existsSync')
   })
 
   afterEach(() => {