feat: Rust rewrite with cross-compilation and npm distribution (#30)

* feat: add cross-compilation, npm distribution, and release workflows

- Add release.yml workflow triggered by v* tags: builds 5 targets
  (darwin-arm64, darwin-x64, linux-x64-musl, linux-arm64, win32-x64),
  creates GitHub Release, publishes npm platform packages
- Add ci.yml workflow for PRs/pushes: cargo clippy + cargo test
- Add npm/ directory with esbuild-style optionalDependencies pattern
  (root wrapper + 5 platform packages with os/cpu fields)
- Add scripts/version-sync.sh to propagate versions across Cargo.toml
  and all npm package.json files
- Update publish.yml to bump version, sync, and push tag to trigger
  release pipeline
- Add rust-toolchain.toml pinning stable channel
- Update .gitignore for Rust target/ and npm platform binaries

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: pin all GitHub Actions to full commit SHAs

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: add explicit toolchain input for pinned rust-toolchain action

When dtolnay/rust-toolchain is pinned to a SHA instead of a branch
name, the toolchain version can't be inferred from the ref and must
be passed explicitly.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* refactor: consolidate npm distribution into single package with bundled binaries

Delete all TypeScript source, configs, and platform-specific npm packages.
The single @socketsecurity/socket-patch package now ships all 5 platform
binaries (~20MB total) instead of using optionalDependencies with 6 packages.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: add Windows support for Python crawler and CI test matrix

Resolve runtime gaps on Windows: use find_python_command() to discover
python3/python/py, add USERPROFILE fallback for home dir, gate Unix-only
paths and add Windows Python install locations (APPDATA, LOCALAPPDATA,
Program Files), and add Windows uv tools path. CI now runs tests on both
ubuntu-latest and windows-latest.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: add cargo publish, install script, clippy fixes, and expanded tests

Add crates.io publishing to release workflow, a one-line install script,
and README installation docs. Fix UTF-8 truncation bug in API client,
apply clippy suggestions (is_some_and, strip_prefix, div_ceil, derive
Default), and add comprehensive tests across API, package_json, and
blob_fetcher modules.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: fix Windows CI test failures for telemetry and Python crawler

Use home_dir_string() helper (which checks USERPROFILE on Windows) in
the sanitize_error_message test instead of only checking HOME. Use
platform-appropriate venv directory layout in test_crawl_all_python.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: merge telemetry env-var tests to prevent parallel race condition

The two tests (test_is_telemetry_disabled_default and
test_is_telemetry_disabled_when_set) mutated shared env vars and raced
when run in parallel on Windows CI. Merge them into a single test that
saves/restores the original values.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: add e2e tests for npm and PyPI patch lifecycles

Add full end-to-end tests that exercise the CLI against the public
Socket API:

- npm: minimist@1.2.2 patch (CVE-2021-44906, prototype pollution)
- PyPI: pydantic-ai@0.0.36 patch (CVE-2026-25580, SSRF)

Each test covers the complete lifecycle: get → list → rollback → apply
→ remove, plus a dry-run test per ecosystem. Tests are gated with
#[ignore] and run in CI via a dedicated e2e job on ubuntu and macos.

Also fixes a bug where patches with no beforeHash (new files added by a
patch) were silently dropped from the manifest. The apply and rollback
engines now handle empty beforeHash correctly:

- apply: creates new files, skips beforeHash verification
- rollback: deletes patch-created files instead of restoring from blob
- get: includes files in manifest even when beforeHash is absent

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* feat: use crates.io trusted publishing via OIDC instead of static token

Replace CRATES_IO_TOKEN secret with rust-lang/crates-io-auth-action,
which exchanges a GitHub OIDC token for a short-lived crates.io publish
token. This eliminates the need to manage long-lived API secrets.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mikolalysenko

.github/workflows/ci.yml

@@ -0,0 +1,90 @@
+name: CI
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+
+permissions:
+  contents: read
+
+jobs:
+  test:
+    strategy:
+      matrix:
+        os: [ubuntu-latest, windows-latest]
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
+        with:
+          toolchain: stable
+          components: clippy
+
+      - name: Cache cargo
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ matrix.os }}-cargo-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ matrix.os }}-cargo-
+
+      - name: Run clippy
+        run: cargo clippy --workspace -- -D warnings
+
+      - name: Run tests
+        run: cargo test --workspace
+
+  e2e:
+    needs: test
+    strategy:
+      fail-fast: false
+      matrix:
+        include:
+          - os: ubuntu-latest
+            suite: e2e_npm
+          - os: ubuntu-latest
+            suite: e2e_pypi
+          - os: macos-latest
+            suite: e2e_npm
+          - os: macos-latest
+            suite: e2e_pypi
+    runs-on: ${{ matrix.os }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
+        with:
+          toolchain: stable
+
+      - name: Cache cargo
+        uses: actions/cache@0057852bfaa89a56745cba8c7296529d2fc39830 # v4
+        with:
+          path: |
+            ~/.cargo/registry
+            ~/.cargo/git
+            target
+          key: ${{ matrix.os }}-cargo-e2e-${{ hashFiles('**/Cargo.lock') }}
+          restore-keys: ${{ matrix.os }}-cargo-e2e-
+
+      - name: Setup Node.js
+        if: matrix.suite == 'e2e_npm'
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: 20
+
+      - name: Setup Python
+        if: matrix.suite == 'e2e_pypi'
+        uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065 # v5
+        with:
+          python-version: "3.12"
+
+      - name: Run e2e tests
+        run: cargo test -p socket-patch-cli --test ${{ matrix.suite }} -- --ignored

.github/workflows/publish.yml

@@ -1,4 +1,4 @@
-name: 📦 Publish
+name: Publish
 
 on:
   workflow_dispatch:
@@ -11,29 +11,13 @@ on:
           - patch
           - minor
           - major
-      dist-tag:
-        description: 'npm dist-tag (latest, next, beta, canary, backport, etc.)'
-        required: false
-        default: 'latest'
-        type: string
-      debug:
-        description: 'Enable debug output'
-        required: false
-        default: '0'
-        type: choice
-        options:
-          - '0'
-          - '1'
 
 permissions:
   contents: write
-  id-token: write
 
 jobs:
-  bump-version:
+  bump-and-tag:
     runs-on: ubuntu-latest
-    outputs:
-      new-tag: ${{ steps.bump.outputs.new-tag }}
     steps:
       - name: Checkout
         uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
@@ -48,23 +32,20 @@ jobs:
           git config user.name "github-actions[bot]"
           git config user.email "github-actions[bot]@users.noreply.github.com"
 
-      - name: Bump version
-        id: bump
+      - name: Bump version and sync
         run: |
-          npm version ${{ inputs.version-bump }} -m "v%s"
-          echo "new-tag=$(git describe --tags --abbrev=0)" >> "$GITHUB_OUTPUT"
-
-      - name: Push changes
+          CURRENT=$(node -p "require('./npm/socket-patch/package.json').version")
+          VERSION=$(node -e "
+            const [major, minor, patch] = '$CURRENT'.split('.').map(Number);
+            const bump = '${{ inputs.version-bump }}';
+            if (bump === 'major') console.log((major+1)+'.0.0');
+            else if (bump === 'minor') console.log(major+'.'+(minor+1)+'.0');
+            else console.log(major+'.'+minor+'.'+(patch+1));
+          ")
+          bash scripts/version-sync.sh "$VERSION"
+          git add Cargo.toml npm/
+          git commit -m "v$VERSION"
+          git tag "v$VERSION"
+
+      - name: Push changes and tag
         run: git push && git push --tags
-
-  publish:
-    needs: bump-version
-    uses: SocketDev/socket-registry/.github/workflows/provenance.yml@main
-    with:
-      debug: ${{ inputs.debug }}
-      dist-tag: ${{ inputs.dist-tag }}
-      package-name: '@socketsecurity/socket-patch'
-      publish-script: 'publish:ci'
-      ref: ${{ needs.bump-version.outputs.new-tag }}
-      setup-script: 'pnpm run build'
-      use-trusted-publishing: true

.github/workflows/release.yml

@@ -0,0 +1,177 @@
+name: Release
+
+on:
+  push:
+    tags:
+      - 'v*'
+
+permissions:
+  contents: write
+  id-token: write
+
+jobs:
+  build:
+    strategy:
+      matrix:
+        include:
+          - target: aarch64-apple-darwin
+            runner: macos-14
+            archive: tar.gz
+            build-tool: cargo
+          - target: x86_64-apple-darwin
+            runner: macos-13
+            archive: tar.gz
+            build-tool: cargo
+          - target: x86_64-unknown-linux-musl
+            runner: ubuntu-latest
+            archive: tar.gz
+            build-tool: cross
+          - target: aarch64-unknown-linux-gnu
+            runner: ubuntu-latest
+            archive: tar.gz
+            build-tool: cross
+          - target: x86_64-pc-windows-msvc
+            runner: windows-latest
+            archive: zip
+            build-tool: cargo
+    runs-on: ${{ matrix.runner }}
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
+        with:
+          toolchain: stable
+          targets: ${{ matrix.target }}
+
+      - name: Install cross
+        if: matrix.build-tool == 'cross'
+        run: cargo install cross --git https://github.com/cross-rs/cross
+
+      - name: Build (cargo)
+        if: matrix.build-tool == 'cargo'
+        run: cargo build --release --target ${{ matrix.target }}
+
+      - name: Build (cross)
+        if: matrix.build-tool == 'cross'
+        run: cross build --release --target ${{ matrix.target }}
+
+      - name: Package (unix)
+        if: matrix.archive == 'tar.gz'
+        run: |
+          cd target/${{ matrix.target }}/release
+          tar czf ../../../socket-patch-${{ matrix.target }}.tar.gz socket-patch
+          cd ../../..
+
+      - name: Package (windows)
+        if: matrix.archive == 'zip'
+        shell: pwsh
+        run: |
+          Compress-Archive -Path "target/${{ matrix.target }}/release/socket-patch.exe" -DestinationPath "socket-patch-${{ matrix.target }}.zip"
+
+      - name: Upload artifact (tar.gz)
+        if: matrix.archive == 'tar.gz'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: socket-patch-${{ matrix.target }}
+          path: socket-patch-${{ matrix.target }}.tar.gz
+
+      - name: Upload artifact (zip)
+        if: matrix.archive == 'zip'
+        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
+        with:
+          name: socket-patch-${{ matrix.target }}
+          path: socket-patch-${{ matrix.target }}.zip
+
+  github-release:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Download all artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        with:
+          path: artifacts
+          merge-multiple: true
+
+      - name: Create GitHub Release
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          TAG="${GITHUB_REF_NAME}"
+          gh release create "$TAG" \
+            --repo "$GITHUB_REPOSITORY" \
+            --generate-notes \
+            artifacts/*
+
+  cargo-publish:
+    needs: build
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      id-token: write
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Install Rust
+        uses: dtolnay/rust-toolchain@efa25f7f19611383d5b0ccf2d1c8914531636bf9 # stable
+        with:
+          toolchain: stable
+
+      - name: Authenticate with crates.io
+        uses: rust-lang/crates-io-auth-action@b7e9a28eded4986ec6b1fa40eeee8f8f165559ec # v1.0.3
+
+      - name: Publish socket-patch-core
+        run: cargo publish -p socket-patch-core
+
+      - name: Wait for crates.io index update
+        run: sleep 30
+
+      - name: Publish socket-patch-cli
+        run: cargo publish -p socket-patch-cli
+
+  npm-publish:
+    needs: build
+    runs-on: ubuntu-latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4
+
+      - name: Download all artifacts
+        uses: actions/download-artifact@d3f86a106a0bac45b974a628896c90dbdf5c8093 # v4
+        with:
+          path: artifacts
+          merge-multiple: true
+
+      - name: Setup Node.js
+        uses: actions/setup-node@49933ea5288caeca8642d1e84afbd3f7d6820020 # v4
+        with:
+          node-version: '20'
+          registry-url: 'https://registry.npmjs.org'
+
+      - name: Extract version and sync
+        run: |
+          VERSION="${GITHUB_REF_NAME#v}"
+          echo "VERSION=$VERSION" >> "$GITHUB_ENV"
+          bash scripts/version-sync.sh "$VERSION"
+
+      - name: Stage binaries
+        run: |
+          mkdir -p npm/socket-patch/bin
+          tar xzf artifacts/socket-patch-aarch64-apple-darwin.tar.gz -C npm/socket-patch/bin/
+          mv npm/socket-patch/bin/socket-patch npm/socket-patch/bin/socket-patch-darwin-arm64
+          tar xzf artifacts/socket-patch-x86_64-apple-darwin.tar.gz -C npm/socket-patch/bin/
+          mv npm/socket-patch/bin/socket-patch npm/socket-patch/bin/socket-patch-darwin-x64
+          tar xzf artifacts/socket-patch-x86_64-unknown-linux-musl.tar.gz -C npm/socket-patch/bin/
+          mv npm/socket-patch/bin/socket-patch npm/socket-patch/bin/socket-patch-linux-x64
+          tar xzf artifacts/socket-patch-aarch64-unknown-linux-gnu.tar.gz -C npm/socket-patch/bin/
+          mv npm/socket-patch/bin/socket-patch npm/socket-patch/bin/socket-patch-linux-arm64
+          cd npm/socket-patch/bin
+          unzip ../../../artifacts/socket-patch-x86_64-pc-windows-msvc.zip
+          mv socket-patch.exe socket-patch-win32-x64.exe
+
+      - name: Publish package
+        env:
+          NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
+        run: npm publish npm/socket-patch --provenance --access public

.gitignore

@@ -137,3 +137,9 @@ dist
 # Vite logs files
 vite.config.js.timestamp-*
 vite.config.ts.timestamp-*
+
+# Rust
+target/
+
+# npm binaries (populated at publish time)
+npm/socket-patch/bin/socket-patch-*