refactor(dlx): add binaryName support and rename to details

- Add binaryName field to DlxPackageSpec type
- Pass binaryName to dlxPackage() in spawnDlx()
- Specify binary names in resolve functions (coana, cdxgen, synp)
- Rename packageSpec property to details in BinaryResolution type for clarity

This fixes the issue where @coana-tech/cli was incorrectly resolved as
'coana-tech/cli' during scan reach command execution.

Author: jdalton

packages/cli/src/constants/env.mts

@@ -106,20 +106,20 @@ export {
 // IMPORTANT: esbuild's define plugin can only replace direct process.env['KEY'] references.
 // If we imported these from env modules, esbuild couldn't inline the values at build time.
 // This is critical for embedding version info, build tags, and feature flags into the binary.
-export function getCliVersion(): string | undefined {
-  return process.env['INLINED_SOCKET_CLI_VERSION']
+export function getCliVersion(): string {
+  return process.env['INLINED_SOCKET_CLI_VERSION']!
 }
 
-export function getCliVersionHash(): string | undefined {
-  return process.env['INLINED_SOCKET_CLI_VERSION_HASH']
+export function getCliVersionHash(): string {
+  return process.env['INLINED_SOCKET_CLI_VERSION_HASH']!
 }
 
-export function getCliHomepage(): string | undefined {
-  return process.env['INLINED_SOCKET_CLI_HOMEPAGE']
+export function getCliHomepage(): string {
+  return process.env['INLINED_SOCKET_CLI_HOMEPAGE']!
 }
 
-export function getCliName(): string | undefined {
-  return process.env['INLINED_SOCKET_CLI_NAME']
+export function getCliName(): string {
+  return process.env['INLINED_SOCKET_CLI_NAME']!
 }
 
 export function isPublishedBuild(): boolean {
@@ -134,32 +134,32 @@ export function isSentryBuild(): boolean {
   return envAsBoolean(process.env['INLINED_SOCKET_CLI_SENTRY_BUILD'])
 }
 
-export function getCliAiVersion(): string | undefined {
-  return process.env['INLINED_SOCKET_CLI_AI_VERSION']
+export function getCliAiVersion(): string {
+  return process.env['INLINED_SOCKET_CLI_AI_VERSION']!
 }
 
-export function getCoanaVersion(): string | undefined {
-  return process.env['INLINED_SOCKET_CLI_COANA_VERSION']
+export function getCoanaVersion(): string {
+  return process.env['INLINED_SOCKET_CLI_COANA_VERSION']!
 }
 
-export function getCdxgenVersion(): string | undefined {
-  return process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION']
+export function getCdxgenVersion(): string {
+  return process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION']!
 }
 
-export function getSynpVersion(): string | undefined {
-  return process.env['INLINED_SOCKET_CLI_SYNP_VERSION']
+export function getSynpVersion(): string {
+  return process.env['INLINED_SOCKET_CLI_SYNP_VERSION']!
 }
 
-export function getPythonVersion(): string | undefined {
-  return process.env['INLINED_SOCKET_CLI_PYTHON_VERSION']
+export function getPythonVersion(): string {
+  return process.env['INLINED_SOCKET_CLI_PYTHON_VERSION']!
 }
 
-export function getPythonBuildTag(): string | undefined {
-  return process.env['INLINED_SOCKET_CLI_PYTHON_BUILD_TAG']
+export function getPythonBuildTag(): string {
+  return process.env['INLINED_SOCKET_CLI_PYTHON_BUILD_TAG']!
 }
 
-export function getPyCliVersion(): string | undefined {
-  return process.env['INLINED_SOCKET_CLI_PYCLI_VERSION']
+export function getPyCliVersion(): string {
+  return process.env['INLINED_SOCKET_CLI_PYCLI_VERSION']!
 }
 
 // Export processEnv for backward compatibility with shadow npm integration.
@@ -222,32 +222,32 @@ const envSnapshot = {
   GITHUB_REPOSITORY: env['GITHUB_REPOSITORY'],
   SOCKET_CLI_ORG_SLUG: env['SOCKET_CLI_ORG_SLUG'],
   // Build metadata (inlined by esbuild define).
-  INLINED_SOCKET_CLI_AI_VERSION: process.env['INLINED_SOCKET_CLI_AI_VERSION'],
+  INLINED_SOCKET_CLI_AI_VERSION: process.env['INLINED_SOCKET_CLI_AI_VERSION']!,
   INLINED_SOCKET_CLI_CDXGEN_VERSION:
-    process.env['INLINED_SOCKET_CLI_CDXGEN_VERSION'],
+    process.env['INLINED_SOCKET_CLI_CDXGEN_VERSION']!,
   INLINED_SOCKET_CLI_COANA_VERSION:
-    process.env['INLINED_SOCKET_CLI_COANA_VERSION'],
+    process.env['INLINED_SOCKET_CLI_COANA_VERSION']!,
   INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION:
-    process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION'],
-  INLINED_SOCKET_CLI_HOMEPAGE: process.env['INLINED_SOCKET_CLI_HOMEPAGE'],
+    process.env['INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION']!,
+  INLINED_SOCKET_CLI_HOMEPAGE: process.env['INLINED_SOCKET_CLI_HOMEPAGE']!,
   INLINED_SOCKET_CLI_LEGACY_BUILD:
-    process.env['INLINED_SOCKET_CLI_LEGACY_BUILD'],
-  INLINED_SOCKET_CLI_NAME: process.env['INLINED_SOCKET_CLI_NAME'],
+    process.env['INLINED_SOCKET_CLI_LEGACY_BUILD']!,
+  INLINED_SOCKET_CLI_NAME: process.env['INLINED_SOCKET_CLI_NAME']!,
   INLINED_SOCKET_CLI_PUBLISHED_BUILD:
-    process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD'],
+    process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']!,
   INLINED_SOCKET_CLI_PYTHON_BUILD_TAG:
-    process.env['INLINED_SOCKET_CLI_PYTHON_BUILD_TAG'],
+    process.env['INLINED_SOCKET_CLI_PYTHON_BUILD_TAG']!,
   INLINED_SOCKET_CLI_PYTHON_VERSION:
-    process.env['INLINED_SOCKET_CLI_PYTHON_VERSION'],
+    process.env['INLINED_SOCKET_CLI_PYTHON_VERSION']!,
   INLINED_SOCKET_CLI_PYCLI_VERSION:
-    process.env['INLINED_SOCKET_CLI_PYCLI_VERSION'],
+    process.env['INLINED_SOCKET_CLI_PYCLI_VERSION']!,
   INLINED_SOCKET_CLI_SENTRY_BUILD:
-    process.env['INLINED_SOCKET_CLI_SENTRY_BUILD'],
+    process.env['INLINED_SOCKET_CLI_SENTRY_BUILD']!,
   INLINED_SOCKET_CLI_SYNP_VERSION:
-    process.env['INLINED_SOCKET_CLI_SYNP_VERSION'],
-  INLINED_SOCKET_CLI_VERSION: process.env['INLINED_SOCKET_CLI_VERSION'],
+    process.env['INLINED_SOCKET_CLI_SYNP_VERSION']!,
+  INLINED_SOCKET_CLI_VERSION: process.env['INLINED_SOCKET_CLI_VERSION']!,
   INLINED_SOCKET_CLI_VERSION_HASH:
-    process.env['INLINED_SOCKET_CLI_VERSION_HASH'],
+    process.env['INLINED_SOCKET_CLI_VERSION_HASH']!,
 }
 
 // Create a Proxy that uses live process.env in VITEST mode and snapshot in production.

packages/cli/src/utils/dlx/resolve-binary.mts

@@ -13,7 +13,7 @@ import type { DlxPackageSpec } from './spawn.mjs'
  */
 export type BinaryResolution =
   | { type: 'local'; path: string }
-  | { type: 'dlx'; packageSpec: DlxPackageSpec }
+  | { type: 'dlx'; details: DlxPackageSpec }
 
 /**
  * Resolve path for Coana CLI binary.
@@ -27,9 +27,10 @@ export function resolveCoana(): BinaryResolution {
 
   return {
     type: 'dlx',
-    packageSpec: {
+    details: {
       name: '@coana-tech/cli',
       version: `~${ENV.INLINED_SOCKET_CLI_COANA_VERSION}`,
+      binaryName: 'coana',
     },
   }
 }
@@ -46,9 +47,10 @@ export function resolveCdxgen(): BinaryResolution {
 
   return {
     type: 'dlx',
-    packageSpec: {
+    details: {
       name: '@cyclonedx/cdxgen',
-      version: `${ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION}`,
+      version: ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION,
+      binaryName: 'cdxgen',
     },
   }
 }
@@ -88,9 +90,10 @@ export function resolveSfw(): BinaryResolution | { type: 'npx' } {
 export function resolveSynp(): BinaryResolution {
   return {
     type: 'dlx',
-    packageSpec: {
+    details: {
       name: 'synp',
-      version: `${ENV.INLINED_SOCKET_CLI_SYNP_VERSION}`,
+      version: ENV.INLINED_SOCKET_CLI_SYNP_VERSION,
+      binaryName: 'synp',
     },
   }
 }

packages/cli/src/utils/dlx/spawn.mts

@@ -43,6 +43,7 @@ export type DlxOptions = ShadowBinOptions & {
 }
 
 export type DlxPackageSpec = {
+  binaryName?: string | undefined
   name: string
   version: string
 }
@@ -65,8 +66,9 @@ export async function spawnDlx(
   const result = await dlxPackage(
     args,
     {
-      force,
       package: packageString,
+      binaryName: packageSpec.binaryName,
+      force,
       spawnOptions: shadowOptions,
     },
     spawnExtra,
@@ -78,7 +80,7 @@ export async function spawnDlx(
 }
 
 /**
- * Helper to spawn coana with dlx.
+ * Helper to spawn Coana with dlx.
  * Returns a CResult with stdout extraction for backward compatibility.
  *
  * If SOCKET_CLI_COANA_LOCAL_PATH environment variable is set, uses the local
@@ -148,7 +150,7 @@ export async function spawnCoanaDlx(
 
     // Use dlx version.
     const result = await spawnDlx(
-      resolution.packageSpec,
+      resolution.details,
       args,
       {
         force: true,
@@ -222,7 +224,7 @@ export async function spawnCdxgenDlx(
 
   // Use dlx version.
   return await spawnDlx(
-    resolution.packageSpec,
+    resolution.details,
     args,
     { force: false, ...options },
     spawnExtra,

packages/cli/src/utils/preflight/downloads.mts

@@ -7,14 +7,13 @@
  * This runs asynchronously and never blocks the main CLI execution.
  */
 
-import { existsSync, promises as fs } from 'node:fs'
+import { existsSync } from 'node:fs'
 import path from 'node:path'
 
-import { spawn } from '@socketsecurity/lib/spawn'
+import { downloadPackage } from '@socketsecurity/lib/dlx-package'
 
 import ENV from '../../constants/env.mts'
 import { getSocketHomePath } from '../dlx/binary.mts'
-import { detectPackageManager } from '../shadow/runner.mts'
 
 /**
  * Check if a package is already cached by the package manager.
@@ -32,60 +31,6 @@ function isPackageCached(packageName: string): boolean {
   return existsSync(cacheMarker)
 }
 
-/**
- * Mark a package as cached to avoid redundant downloads.
- */
-async function markPackageCached(packageName: string): Promise<void> {
-  const socketHome = getSocketHomePath()
-  const cacheDir = path.join(socketHome, 'cache', 'preflight')
-  const cacheMarker = path.join(cacheDir, packageName.replace(/[/@]/g, '-'))
-
-  try {
-    await fs.mkdir(cacheDir, { recursive: true })
-    await fs.writeFile(cacheMarker, new Date().toISOString())
-  } catch {
-    // Silently fail - not critical.
-  }
-}
-
-/**
- * Download a package via package manager dlx in the background.
- */
-async function downloadPackage(packageSpec: string): Promise<void> {
-  try {
-    const agent = await detectPackageManager()
-
-    let dlxCommand: string
-    let dlxArgs: string[]
-
-    switch (agent) {
-      case 'pnpm':
-        dlxCommand = 'pnpm'
-        dlxArgs = ['dlx', packageSpec, '--help']
-        break
-      case 'yarn':
-        dlxCommand = 'yarn'
-        dlxArgs = ['dlx', packageSpec, '--help']
-        break
-      default:
-        dlxCommand = 'npx'
-        dlxArgs = [packageSpec, '--help']
-        break
-    }
-
-    // Run in background with output discarded.
-    await spawn(dlxCommand, dlxArgs, {
-      stdio: 'ignore',
-      timeout: 30_000, // 30 second timeout.
-    })
-
-    // Mark as cached.
-    await markPackageCached(packageSpec)
-  } catch {
-    // Silently fail - downloads will happen on-demand if needed.
-  }
-}
-
 /**
  * Run preflight downloads in the background.
  * This never blocks or throws errors.
@@ -98,14 +43,14 @@ export function runPreflightDownloads(): void {
 
   // Run asynchronously in the background.
   void (async () => {
-    const downloads: Array<{ name: string; spec: string }> = []
+    const downloads: Array<{ packageSpec: string; binaryName?: string }> = []
 
     // @coana-tech/cli preflight.
     const coanaVersion = ENV.INLINED_SOCKET_CLI_COANA_VERSION
     if (coanaVersion) {
       const coanaSpec = `@coana-tech/cli@~${coanaVersion}`
       if (!isPackageCached(coanaSpec)) {
-        downloads.push({ name: '@coana-tech/cli', spec: coanaSpec })
+        downloads.push({ packageSpec: coanaSpec, binaryName: 'coana' })
       }
     }
 
@@ -114,13 +59,21 @@ export function runPreflightDownloads(): void {
     if (cliAiVersion) {
       const cliAiSpec = `@socketbin/cli-ai@^${cliAiVersion}`
       if (!isPackageCached(cliAiSpec)) {
-        downloads.push({ name: '@socketbin/cli-ai', spec: cliAiSpec })
+        downloads.push({ packageSpec: cliAiSpec, binaryName: 'cli-ai' })
       }
     }
 
-    // Download in background (fire and forget).
-    for (const pkg of downloads) {
-      void downloadPackage(pkg.spec)
-    }
+    try {
+      // Download in background (fire and forget).
+      await Promise.all(
+        downloads.map(p => 
+          downloadPackage({
+            package: p.packageSpec,
+            binaryName: p.binaryName,
+            force: false,
+          })
+        )
+      )
+    } catch {}
   })()
 }