refactor: rename bootstrap to stub for clarity

- Rename bootstrap.mts to stub.mts (more accurate name)
- Update rollup config to build stub.cjs instead of bootstrap.cjs
- Rename npm script from build:sea:internal:bootstrap to build:sea:stub
- Update build-sea.mjs to reference stub instead of bootstrap
- Clarify in comments that we use yao-pkg, not Node 24 native SEA

Author: jdalton

.config/rollup.sea.config.mjs

@@ -1,6 +1,6 @@
 /**
- * Rollup configuration for building SEA bootstrap thin wrapper.
- * Compiles TypeScript bootstrap to CommonJS for Node.js SEA compatibility.
+ * Rollup configuration for building SEA stub thin wrapper.
+ * Compiles TypeScript stub to CommonJS for Node.js SEA compatibility.
  */
 
 import path from 'node:path'
@@ -25,10 +25,10 @@ const MIN_NODE_VERSION = semver.major(maintainedNodeVersions[2])
 
 export default {
   input:
-    process.env.SEA_BOOTSTRAP || path.join(rootDir, 'src/sea/bootstrap.mts'),
+    process.env.SEA_STUB || path.join(rootDir, 'src/sea/stub.mts'),
   output: {
     file:
-      process.env.SEA_OUTPUT || path.join(rootDir, 'dist/sea/bootstrap.cjs'),
+      process.env.SEA_OUTPUT || path.join(rootDir, 'dist/sea/stub.cjs'),
     format: 'cjs',
     interop: 'auto',
   },

package.json

@@ -39,7 +39,7 @@
     "build:dist:types": "node scripts/build.mjs --types-only",
     "build:ink": "node scripts/build.mjs --ink-only",
     "build:sea": "node scripts/build-sea.mjs",
-    "build:sea:internal:bootstrap": "rollup -c .config/rollup.sea.config.mjs",
+    "build:sea:stub": "rollup -c .config/rollup.sea.config.mjs",
     "publish:sea": "node scripts/publish-sea.mjs",
     "publish:sea:github": "node scripts/publish-sea.mjs --skip-npm",
     "publish:sea:npm": "node scripts/publish-sea.mjs --skip-github",

scripts/build-sea.mjs

@@ -1,11 +1,14 @@
 /**
  * Build script for creating self-executable Socket CLI applications.
- * Uses Node.js Single Executable Application (SEA) feature.
+ * Uses yao-pkg (enhanced fork of vercel/pkg) to create single executables.
  *
- * IMPORTANT: This builds a THIN WRAPPER that downloads @socketsecurity/cli on first use.
+ * NOTE: We use "SEA" as a general term for single executable applications,
+ * but this uses yao-pkg, not Node.js 24's native SEA feature.
+ *
+ * IMPORTANT: This builds a THIN STUB that downloads @socketsecurity/cli on first use.
  * The binary contains only:
- * - Node.js runtime
- * - Bootstrap code to download/execute @socketsecurity/cli
+ * - Node.js runtime (embedded by yao-pkg)
+ * - Stub code to download/execute @socketsecurity/cli
  * - No actual CLI implementation
  *
  * The real Socket CLI code lives in the @socketsecurity/cli npm package,
@@ -19,7 +22,7 @@
  * Usage:
  * - Build all platforms: npm run build:sea
  * - Build specific platform: npm run build:sea -- --platform=darwin --arch=x64
- * - Use advanced bootstrap: npm run build:sea -- --advanced
+ * - Use advanced stub: npm run build:sea -- --advanced
  */
 
 import crypto from 'node:crypto'
@@ -464,23 +467,23 @@ async function buildTarget(target, options) {
   )
   console.log('(Actual CLI will be downloaded from npm on first use)')
 
-  // Use the thin bootstrap for minimal size.
+  // Use the thin stub for minimal size.
   const tsEntryPoint = normalizePath(
-    path.join(__dirname, '..', 'src', 'sea', 'bootstrap.mts'),
+    path.join(__dirname, '..', 'src', 'sea', 'stub.mts'),
   )
 
   // Ensure output directory exists.
   await fs.mkdir(outputDir, { recursive: true })
 
-  // Build the bootstrap with Rollup to CommonJS for SEA.
-  const entryPoint = normalizePath(path.join(outputDir, 'bootstrap.cjs'))
-  console.log('Building bootstrap...')
+  // Build the stub with Rollup to CommonJS for yao-pkg.
+  const entryPoint = normalizePath(path.join(outputDir, 'stub.cjs'))
+  console.log('Building stub...')
 
   // Set environment variables for the rollup config.
-  process.env['SEA_BOOTSTRAP'] = tsEntryPoint
+  process.env['SEA_STUB'] = tsEntryPoint
   process.env['SEA_OUTPUT'] = entryPoint
 
-  await spawn('pnpm', ['run', 'build:sea:internal:bootstrap'], {
+  await spawn('pnpm', ['run', 'build:sea:stub'], {
     stdio: 'inherit',
   })
 

src/sea/install.mts

@@ -0,0 +1,199 @@
+/**
+ * @fileoverview NPM postinstall script for Socket CLI binary distribution.
+ * Downloads the appropriate platform-specific binary from GitHub releases.
+ * This runs when users install the `socket` npm package.
+ */
+
+import { createWriteStream, existsSync } from 'node:fs'
+import { chmod, rename, unlink } from 'node:fs/promises'
+import https from 'node:https'
+import os from 'node:os'
+import path from 'node:path'
+import { fileURLToPath } from 'node:url'
+
+const __filename = fileURLToPath(import.meta.url)
+const __dirname = path.dirname(__filename)
+
+// Binary naming constants
+const BINARY_NAME = 'socket'
+const GITHUB_ORG = 'SocketDev'
+const GITHUB_REPO = 'socket-cli'
+
+// Map Node.js platform/arch to our binary naming convention
+const PLATFORM_MAP: Record<string, string> = {
+  darwin: 'darwin',  // macOS
+  linux: 'linux',
+  win32: 'win32'     // Windows
+}
+
+const ARCH_MAP: Record<string, string> = {
+  arm64: 'arm64',
+  x64: 'x64'
+}
+
+/**
+ * Get the binary filename for the current platform.
+ */
+function getBinaryName(): string {
+  const platform = PLATFORM_MAP[os.platform()]
+  const arch = ARCH_MAP[os.arch()]
+
+  if (!platform || !arch) {
+    throw new Error(
+      `Unsupported platform: ${os.platform()} ${os.arch()}. ` +
+      `Please install @socketsecurity/cli directly instead.`
+    )
+  }
+
+  const extension = os.platform() === 'win32' ? '.exe' : ''
+  return `socket-${platform}-${arch}${extension}`
+}
+
+/**
+ * Get package version from package.json.
+ */
+async function getPackageVersion(): Promise<string> {
+  // In production, this will be in npm-package/package.json
+  const packagePath = path.join(__dirname, '..', '..', 'npm-package', 'package.json')
+  if (existsSync(packagePath)) {
+    const { default: pkg } = await import(packagePath, { with: { type: 'json' } })
+    return pkg.version
+  }
+
+  // Fallback for development
+  const devPackagePath = path.join(__dirname, '..', '..', '..', 'package.json')
+  const { default: pkg } = await import(devPackagePath, { with: { type: 'json' } })
+  return pkg.version
+}
+
+/**
+ * Download a file from a URL with redirect handling.
+ */
+async function downloadFile(url: string, destPath: string): Promise<void> {
+  return new Promise((resolve, reject) => {
+    const file = createWriteStream(destPath)
+
+    const request = https.get(
+      url,
+      {
+        headers: {
+          'User-Agent': 'socket-cli-installer'
+        }
+      },
+      response => {
+        // Handle redirects
+        if (response.statusCode === 301 || response.statusCode === 302) {
+          const redirectUrl = response.headers.location
+          if (!redirectUrl) {
+            file.close()
+            unlink(destPath).catch(() => {})
+            reject(new Error('Redirect without location header'))
+            return
+          }
+
+          file.close()
+          downloadFile(redirectUrl, destPath).then(resolve, reject)
+          return
+        }
+
+        // Check for successful response
+        if (response.statusCode !== 200) {
+          file.close()
+          unlink(destPath).catch(() => {})
+          reject(new Error(
+            `Failed to download binary: HTTP ${response.statusCode}`
+          ))
+          return
+        }
+
+        // Pipe response to file
+        response.pipe(file)
+
+        file.on('finish', () => {
+          file.close(() => resolve())
+        })
+      }
+    )
+
+    request.on('error', err => {
+      file.close()
+      unlink(destPath).catch(() => {})
+      reject(err)
+    })
+  })
+}
+
+/**
+ * Get the download URL for the binary.
+ */
+async function getBinaryUrl(): Promise<string> {
+  const version = await getPackageVersion()
+  const binaryName = getBinaryName()
+
+  // GitHub releases URL pattern
+  return `https://github.com/${GITHUB_ORG}/${GITHUB_REPO}/releases/download/v${version}/${binaryName}`
+}
+
+/**
+ * Install the platform-specific binary.
+ */
+async function install(): Promise<void> {
+  try {
+    const binaryName = getBinaryName()
+    const targetName = BINARY_NAME + (os.platform() === 'win32' ? '.exe' : '')
+    const binaryPath = path.join(__dirname, '..', '..', 'npm-package', targetName)
+
+    // For development, use local path
+    const devBinaryPath = path.join(__dirname, targetName)
+    const finalPath = existsSync(path.dirname(binaryPath)) ? binaryPath : devBinaryPath
+
+    // Check if binary already exists
+    if (existsSync(finalPath)) {
+      console.log('Socket CLI binary already installed.')
+      return
+    }
+
+    console.log(`Downloading Socket CLI for ${os.platform()}-${os.arch()}...`)
+
+    const url = await getBinaryUrl()
+    const tempPath = `${finalPath}.download`
+
+    // Download the binary
+    await downloadFile(url, tempPath)
+
+    // Make executable on Unix-like systems
+    if (os.platform() !== 'win32') {
+      await chmod(tempPath, 0o755)
+    }
+
+    // Atomic rename to final location
+    await rename(tempPath, finalPath)
+
+    console.log('✓ Socket CLI installed successfully!')
+    console.log(`  Binary: ${finalPath}`)
+    console.log(`  Run 'socket --help' to get started.`)
+  } catch (error) {
+    const message = error instanceof Error ? error.message : String(error)
+
+    console.error(`Failed to install Socket CLI binary: ${message}`)
+    console.error('')
+    console.error('You can try:')
+    console.error('  1. Installing from source: npm install -g @socketsecurity/cli')
+    console.error('  2. Downloading manually from: https://github.com/SocketDev/socket-cli/releases')
+    console.error('')
+    console.error('For help, visit: https://github.com/SocketDev/socket-cli/issues')
+
+    // Don't fail the npm install - allow fallback to source
+    process.exitCode = 0
+  }
+}
+
+// Run if this is the main module
+if (import.meta.url === `file://${process.argv[1]}`) {
+  install().catch(error => {
+    console.error('Unexpected error:', error)
+    process.exitCode = 0  // Still don't fail npm install
+  })
+}
+
+export { install, getBinaryName, getBinaryUrl }