Improve test mode detection and build script organization

Author: jdalton

package.json

@@ -50,7 +50,7 @@
     "lint-ci": "pnpm run check:lint",
     "type-ci": "pnpm run check:tsc",
     "coverage": "run-s coverage:*",
-    "coverage:test": "run-s test:prepare test:unit:coverage",
+    "coverage:test": "run-s pretest:unit test:unit:coverage",
     "coverage:percent": "node scripts/get-coverage-percentage.mjs",
     "coverage:type": "type-coverage",
     "coverage:type:verbose": "type-coverage --detail",
@@ -76,18 +76,18 @@
     "lint-staged": "lint-staged",
     "precommit": "lint-staged",
     "prepare": "husky",
+    "pretest:unit": "dotenvx -q run -f .env.test -- pnpm run build",
     "bs": "pnpm run build:dist:src; pnpm exec socket --",
     "s": "pnpm exec socket --",
     "test": "run-s check test:*",
-    "test:prepare": "dotenvx -q run -f .env.test -- pnpm run build && del-cli 'test/**/node_modules'",
     "test:unit": "dotenvx -q run -f .env.test -- vitest run",
     "test:unit:update": "dotenvx -q run -f .env.test -- vitest run --update",
     "test:unit:coverage": "dotenvx -q run -f .env.test -- vitest run --coverage",
     "test:validate": "node scripts/validate-tests.mjs",
     "test:wrapper": "node scripts/test-wrapper.mjs",
     "test-ci": "run-s test:*",
     "test-pre-commit": "dotenvx -q run -f .env.precommit -- pnpm test",
-    "testu": "dotenvx -q run -f .env.test -- run-s test:prepare; pnpm run test:unit:update --",
+    "testu": "dotenvx -q run -f .env.test -- run-s pretest:unit; pnpm run test:unit:update --",
     "testuf": "dotenvx -q run -f .env.test -- pnpm run test:unit:update --",
     "update": "run-p --aggregate-output update:**",
     "update:deps": "node scripts/taze.mjs",

src/constants.mts

@@ -188,6 +188,7 @@ export type ENV = Remap<
       SOCKET_CLI_API_PROXY: string
       SOCKET_CLI_API_TIMEOUT: number
       SOCKET_CLI_API_TOKEN: string
+      SOCKET_CLI_BUN_PATH: string
       SOCKET_CLI_CDXGEN_LOCAL_PATH: string
       SOCKET_CLI_COANA_LOCAL_PATH: string
       SOCKET_CLI_CONFIG: string
@@ -196,9 +197,19 @@ export type ENV = Remap<
       SOCKET_CLI_GITHUB_TOKEN: string
       SOCKET_CLI_NO_API_TOKEN: boolean
       SOCKET_CLI_NPM_PATH: string
+      SOCKET_CLI_NPX_PATH: string
       SOCKET_CLI_ORG_SLUG: string
+      SOCKET_CLI_PNPM_PATH: string
+      SOCKET_CLI_PNPM_V8_PATH: string
+      SOCKET_CLI_PNPM_V9_PATH: string
+      SOCKET_CLI_PNPM_V10_PATH: string
+      SOCKET_CLI_PYTHON_PATH: string
       SOCKET_CLI_SFW_LOCAL_PATH: string
+      SOCKET_CLI_VLT_PATH: string
       SOCKET_CLI_VIEW_ALL_RISKS: boolean
+      SOCKET_CLI_YARN_BERRY_PATH: string
+      SOCKET_CLI_YARN_CLASSIC_PATH: string
+      SOCKET_CLI_YARN_PATH: string
       SOCKET_CLI_SEA_NODE_VERSION: string
       TERM: string
       XDG_DATA_HOME: string
@@ -536,12 +547,15 @@ const LAZY_ENV = () => {
   const envAsNumber = envHelpers.envAsNumber
   const envAsString = envHelpers.envAsString
   const GITHUB_TOKEN = envAsString(env['GITHUB_TOKEN'])
+  const INLINED_SOCKET_CLI_NAME = envAsString(
+    process.env['INLINED_SOCKET_CLI_NAME'],
+  )
   const INLINED_SOCKET_CLI_PUBLISHED_BUILD = envAsBoolean(
     process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD'],
   )
   // We inline some environment values so that they CANNOT be influenced by user
   // provided environment variables.
-  return Object.freeze({
+  const ENV = Object.freeze({
     __proto__: null,
     // Lazily access registryConstants.ENV.
     ...regConsts.ENV,
@@ -609,9 +623,7 @@ const LAZY_ENV = () => {
     ),
     // Comp-time inlined Socket package name.
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_NAME']".
-    INLINED_SOCKET_CLI_NAME: envAsString(
-      process.env['INLINED_SOCKET_CLI_NAME'],
-    ),
+    INLINED_SOCKET_CLI_NAME,
     // Comp-time inlined flag to determine if this is a published build.
     // The '@rollup/plugin-replace' will replace "process.env['INLINED_SOCKET_CLI_PUBLISHED_BUILD']".
     INLINED_SOCKET_CLI_PUBLISHED_BUILD,
@@ -783,6 +795,38 @@ const LAZY_ENV = () => {
       ? false
       : envAsBoolean(process.env['VITEST']),
   })
+
+  // Guard: Detect build/test mode mismatch.
+  // If the build was NOT made for testing (inlined VITEST is false) but we're
+  // running in test mode (process.env.VITEST is set), warn about the mismatch.
+  const runtimeVitestValue = envAsBoolean(env['VITEST'])
+  if (
+    INLINED_SOCKET_CLI_NAME === 'socket' &&
+    !INLINED_SOCKET_CLI_PUBLISHED_BUILD &&
+    runtimeVitestValue
+  ) {
+    // Check if running as SEA binary (inline to avoid require issues after bundling).
+    let isSea = false
+    try {
+      const seaModule = require('node:sea')
+      isSea = seaModule.isSea()
+    } catch {
+      // Node.js < 24 or SEA not available
+      isSea = false
+    }
+
+    if (!isSea) {
+      const { logger } = require('@socketsecurity/registry/lib/logger')
+      logger.warn(
+        'Build/test mode mismatch! Built without VITEST=1 but running in test mode.',
+      )
+      logger.warn(
+        'This causes snapshot failures. Rebuild with: pnpm run pretest:unit',
+      )
+    }
+  }
+
+  return ENV
 }
 
 const lazyBashRcPath = () => path.join(constants.homePath, '.bashrc')

src/utils/sdk.mts

@@ -63,6 +63,18 @@ export function getDefaultProxyUrl(): string | undefined {
 // This Socket API token should be stored globally for the duration of the CLI execution.
 let _defaultToken: string | undefined
 export function getDefaultApiToken(): string | undefined {
+  // In test mode: Ignore .env tokens and config file tokens to ensure
+  // consistent snapshots. Tests must explicitly pass tokens via --config flag.
+  // This prevents .env files from affecting test snapshots.
+  // Note: Use process.env directly (not constants.ENV) to check at runtime,
+  // since constants.ENV['VITEST'] is inlined at build time.
+  if (process.env['VITEST'] === '1') {
+    return undefined
+  }
+
+  // When SOCKET_CLI_NO_API_TOKEN=1: Ignore environment variable tokens and only
+  // check config file. This forces the token to be explicitly set via config.
+  // Otherwise: Check environment variables first, then config file.
   const key = constants.ENV['SOCKET_CLI_NO_API_TOKEN']
     ? getConfigValueOrUndef(CONFIG_KEY_API_TOKEN) || _defaultToken
     : constants.ENV['SOCKET_CLI_API_TOKEN'] ||