Add TypeScript schema library to npm wrapper (#35)

* feat: add TypeScript schema library to npm wrapper package

Add pared-down TypeScript library to npm/socket-patch/ for use by
depscan. Includes schema validation (zod), git-compatible hashing,
manifest operations, recovery, and package-json postinstall helpers.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: normalize path separators in Go crawler PURLs on Windows

On Windows, `Path::strip_prefix` + `to_string_lossy()` produces
backslashes in the relative path, which get embedded in the PURL
(e.g., `pkg:golang/github.com\\gin-gonic\\gin@v1.9.1`). Replace
backslashes with forward slashes to produce correct PURLs on all
platforms.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor: remove depscan-specific TS utilities, keep only schema

Move operational code (constants, hashing, manifest operations,
recovery, postinstall detection) back to depscan. Only the Zod
schema and its tests remain in the npm wrapper package.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mikolalysenko

crates/socket-patch-core/src/crawlers/go_crawler.rs

@@ -276,9 +276,10 @@ impl GoCrawler {
         _dir_name: &str,
         seen: &mut HashSet<String>,
     ) -> Option<CrawledPackage> {
-        // Get the relative path from the cache root
+        // Get the relative path from the cache root.
+        // Normalize to forward slashes so PURLs are correct on Windows.
         let rel_path = dir_path.strip_prefix(base_path).ok()?;
-        let rel_str = rel_path.to_string_lossy();
+        let rel_str = rel_path.to_string_lossy().replace('\\', "/");
 
         // Find the last `@` to split module path and version
         let at_idx = rel_str.rfind('@')?;

npm/socket-patch/package.json

@@ -1,13 +1,24 @@
 {
   "name": "@socketsecurity/socket-patch",
   "version": "1.6.3",
-  "description": "CLI tool for applying security patches to dependencies",
+  "description": "CLI tool and schema library for applying security patches to dependencies",
   "bin": {
     "socket-patch": "bin/socket-patch"
   },
+  "exports": {
+    "./schema": {
+      "types": "./dist/schema/manifest-schema.d.ts",
+      "import": "./dist/schema/manifest-schema.js",
+      "require": "./dist/schema/manifest-schema.js"
+    }
+  },
   "publishConfig": {
     "access": "public"
   },
+  "scripts": {
+    "build": "tsc",
+    "test": "pnpm run build && node --test dist/**/*.test.js"
+  },
   "keywords": [
     "security",
     "patch",
@@ -23,6 +34,13 @@
   "engines": {
     "node": ">=18.0.0"
   },
+  "dependencies": {
+    "zod": "^3.24.4"
+  },
+  "devDependencies": {
+    "typescript": "^5.3.0",
+    "@types/node": "^20.0.0"
+  },
   "optionalDependencies": {
     "@socketsecurity/socket-patch-android-arm64": "1.6.3",
     "@socketsecurity/socket-patch-darwin-arm64": "1.6.3",

npm/socket-patch/src/schema/manifest-schema.test.ts

@@ -0,0 +1,131 @@
+import { describe, it } from 'node:test'
+import * as assert from 'node:assert/strict'
+import { PatchManifestSchema, PatchRecordSchema } from './manifest-schema.js'
+
+describe('PatchManifestSchema', () => {
+  it('should validate a well-formed manifest', () => {
+    const manifest = {
+      patches: {
+        'npm:simplehttpserver@0.0.6': {
+          uuid: '550e8400-e29b-41d4-a716-446655440000',
+          exportedAt: '2024-01-01T00:00:00Z',
+          files: {
+            'node_modules/simplehttpserver/index.js': {
+              beforeHash: 'abc123',
+              afterHash: 'def456',
+            },
+          },
+          vulnerabilities: {
+            'GHSA-jrhj-2j3q-xf3v': {
+              cves: ['CVE-2024-0001'],
+              summary: 'Path traversal vulnerability',
+              severity: 'high',
+              description: 'Allows reading arbitrary files',
+            },
+          },
+          description: 'Fix path traversal',
+          license: 'MIT',
+          tier: 'free',
+        },
+      },
+    }
+
+    const result = PatchManifestSchema.safeParse(manifest)
+    assert.ok(result.success, 'Valid manifest should parse successfully')
+    assert.equal(
+      Object.keys(result.data.patches).length,
+      1,
+      'Should have one patch entry',
+    )
+  })
+
+  it('should validate a manifest with multiple patches', () => {
+    const manifest = {
+      patches: {
+        'npm:pkg-a@1.0.0': {
+          uuid: '550e8400-e29b-41d4-a716-446655440001',
+          exportedAt: '2024-01-01T00:00:00Z',
+          files: {
+            'node_modules/pkg-a/lib/index.js': {
+              beforeHash: 'aaa',
+              afterHash: 'bbb',
+            },
+          },
+          vulnerabilities: {},
+          description: 'Patch A',
+          license: 'MIT',
+          tier: 'free',
+        },
+        'npm:pkg-b@2.0.0': {
+          uuid: '550e8400-e29b-41d4-a716-446655440002',
+          exportedAt: '2024-02-01T00:00:00Z',
+          files: {
+            'node_modules/pkg-b/src/main.js': {
+              beforeHash: 'ccc',
+              afterHash: 'ddd',
+            },
+          },
+          vulnerabilities: {
+            'GHSA-xxxx-yyyy-zzzz': {
+              cves: [],
+              summary: 'Some vuln',
+              severity: 'medium',
+              description: 'A medium severity vulnerability',
+            },
+          },
+          description: 'Patch B',
+          license: 'Apache-2.0',
+          tier: 'paid',
+        },
+      },
+    }
+
+    const result = PatchManifestSchema.safeParse(manifest)
+    assert.ok(result.success, 'Multi-patch manifest should parse successfully')
+    assert.equal(Object.keys(result.data.patches).length, 2)
+  })
+
+  it('should validate an empty manifest', () => {
+    const manifest = { patches: {} }
+    const result = PatchManifestSchema.safeParse(manifest)
+    assert.ok(result.success, 'Empty patches should be valid')
+  })
+
+  it('should reject a manifest missing the patches field', () => {
+    const result = PatchManifestSchema.safeParse({})
+    assert.ok(!result.success, 'Missing patches should fail')
+  })
+
+  it('should reject a manifest with invalid patch record', () => {
+    const manifest = {
+      patches: {
+        'npm:bad@1.0.0': {
+          // missing uuid, exportedAt, files, vulnerabilities, description, license, tier
+        },
+      },
+    }
+    const result = PatchManifestSchema.safeParse(manifest)
+    assert.ok(!result.success, 'Invalid patch record should fail')
+  })
+
+  it('should reject a patch with invalid uuid', () => {
+    const record = {
+      uuid: 'not-a-valid-uuid',
+      exportedAt: '2024-01-01T00:00:00Z',
+      files: {},
+      vulnerabilities: {},
+      description: 'Test',
+      license: 'MIT',
+      tier: 'free',
+    }
+    const result = PatchRecordSchema.safeParse(record)
+    assert.ok(!result.success, 'Invalid UUID should fail')
+  })
+
+  it('should reject non-object input', () => {
+    assert.ok(!PatchManifestSchema.safeParse(null).success)
+    assert.ok(!PatchManifestSchema.safeParse('string').success)
+    assert.ok(!PatchManifestSchema.safeParse(42).success)
+    assert.ok(!PatchManifestSchema.safeParse([]).success)
+  })
+})

npm/socket-patch/src/schema/manifest-schema.ts

@@ -0,0 +1,38 @@
+import { z } from 'zod'
+
+export const DEFAULT_PATCH_MANIFEST_PATH = '.socket/manifest.json'
+
+export const PatchRecordSchema = z.object({
+  uuid: z.string().uuid(),
+  exportedAt: z.string(),
+  files: z.record(
+    z.string(), // File path
+    z.object({
+      beforeHash: z.string(),
+      afterHash: z.string(),
+    }),
+  ),
+  vulnerabilities: z.record(
+    z.string(), // Vulnerability ID like "GHSA-jrhj-2j3q-xf3v"
+    z.object({
+      cves: z.array(z.string()),
+      summary: z.string(),
+      severity: z.string(),
+      description: z.string(),
+    }),
+  ),
+  description: z.string(),
+  license: z.string(),
+  tier: z.string(),
+})
+
+export type PatchRecord = z.infer<typeof PatchRecordSchema>
+
+export const PatchManifestSchema = z.object({
+  patches: z.record(
+    z.string(), // Package identifier like "npm:simplehttpserver@0.0.6"
+    PatchRecordSchema,
+  ),
+})
+
+export type PatchManifest = z.infer<typeof PatchManifestSchema>

npm/socket-patch/tsconfig.json

@@ -0,0 +1,15 @@
+{
+  "compilerOptions": {
+    "target": "ES2022",
+    "module": "Node16",
+    "moduleResolution": "Node16",
+    "declaration": true,
+    "composite": true,
+    "outDir": "dist",
+    "rootDir": "src",
+    "strict": true,
+    "skipLibCheck": true,
+    "esModuleInterop": true
+  },
+  "include": ["src"]
+}