feat(self-update): improve package manager detection and error messages

Update self-update command to use socket-lib's package manager detection
utilities and provide clear, context-aware update instructions.

Changes:
- Use detectPackageManager() from @socketsecurity/lib/env/package-manager
- Show appropriate update command for npm, pnpm, yarn, or bun
- Update canSelfUpdate() to use isInSocketDlx() from @socketsecurity/lib/dlx
- Point to GitHub install script for manually installed binaries
- Clear messaging for each installation method

Author: jdalton

packages/cli/src/commands/self-update/handle-self-update.mts

@@ -11,14 +11,15 @@ import path from 'node:path'
 
 import colors from 'yoctocolors-cjs'
 
+import { detectPackageManager } from '@socketsecurity/lib/env/package-manager'
 import { getIpcStubPath } from '@socketsecurity/lib/ipc'
 import { logger } from '@socketsecurity/lib/logger'
 
 import { outputSelfUpdate } from './output-self-update.mts'
 import ENV from '../../constants/env.mts'
 import { commonFlags } from '../../flags.mts'
 import { meowOrExit } from '../../utils/cli/with-subcommands.mjs'
-import { isSeaBinary } from '../../utils/executable/detect.mjs'
+import { canSelfUpdate, isSeaBinary } from '../../utils/executable/detect.mjs'
 import {
   clearQuarantine,
   ensureExecutable,
@@ -236,10 +237,41 @@ export async function handleSelfUpdate(
   importMeta: ImportMeta,
   { parentName }: { parentName: string; rawArgv?: readonly string[] },
 ): Promise<void> {
-  // This command is only available when running as SEA binary.
-  if (!isSeaBinary()) {
+  // This command is only available for standalone SEA binaries in ~/.socket/_dlx/.
+  // Not available for npm/pnpm/yarn-installed packages.
+  if (!canSelfUpdate()) {
+    // Detect which package manager was used
+    const packageManager = detectPackageManager()
+
+    let updateCommand: string
+    let installedVia: string
+
+    if (packageManager === 'npm') {
+      updateCommand = 'npm update -g socket'
+      installedVia = 'npm'
+    } else if (packageManager === 'pnpm') {
+      updateCommand = 'pnpm update -g socket'
+      installedVia = 'pnpm'
+    } else if (packageManager === 'yarn') {
+      updateCommand = 'yarn global upgrade socket'
+      installedVia = 'yarn'
+    } else if (packageManager === 'bun') {
+      updateCommand = 'bun update -g socket'
+      installedVia = 'bun'
+    } else if (isSeaBinary()) {
+      // SEA binary but not in DLX (e.g., manually installed to /usr/local/bin)
+      updateCommand = 'curl -sSL https://raw.githubusercontent.com/SocketDev/socket-cli/main/install.sh | sh'
+      installedVia = 'manual installation'
+    } else {
+      // Bootstrap wrapper - unknown package manager
+      updateCommand = 'npm update -g socket'
+      installedVia = 'a package manager'
+    }
+
     throw new Error(
-      'self-update is only available when running as a SEA binary',
+      'self-update is only available for Socket CLI binaries managed by Socket.\n\n' +
+        `You installed Socket CLI via ${installedVia}. To update, run:\n` +
+        `  ${colors.cyan(updateCommand)}`,
     )
   }
 

packages/cli/src/utils/executable/detect.mts

@@ -6,6 +6,8 @@
  * Key Functions:
  * - isSeaBinary: Detect if running as SEA with caching
  * - getSeaBinaryPath: Get the current SEA binary path
+ * - isInSocketDlx: Check if binary is in Socket's managed DLX directory
+ * - canSelfUpdate: Check if self-update is allowed for current binary
  *
  * Detection Method:
  * - Uses Node.js 24+ native sea.isSea() API
@@ -25,6 +27,8 @@
 
 import { createRequire } from 'node:module'
 
+import { isInSocketDlx } from '@socketsecurity/lib/dlx'
+
 const require = createRequire(import.meta.url)
 
 /**
@@ -57,4 +61,19 @@ function getSeaBinaryPath(): string | undefined {
   return isSeaBinary() ? process.argv[0] : undefined
 }
 
-export { getSeaBinaryPath, isSeaBinary }
+/**
+ * Detect if self-update is allowed for the current binary.
+ * Self-update is ONLY allowed for SEA binaries running from Socket's
+ * managed DLX directory (~/.socket/_dlx/).
+ *
+ * Not allowed for:
+ * - npm/pnpm/yarn-installed packages (not in DLX directory)
+ * - Standalone binaries in system paths like /usr/local/bin (not in DLX directory)
+ * - Bootstrap wrappers (not SEA binaries)
+ */
+function canSelfUpdate(): boolean {
+  const binaryPath = process.argv[0]
+  return isSeaBinary() && !!binaryPath && isInSocketDlx(binaryPath)
+}
+
+export { canSelfUpdate, getSeaBinaryPath, isSeaBinary }