Merge branch 'main' into automated/open-api

Author: jdalton

.config/esbuild.config.mjs

@@ -206,6 +206,56 @@ function createNodeProtocolPlugin() {
   }
 }
 
+/**
+ * Plugin to stub heavy @socketsecurity/lib internals and third-party modules
+ * that are unreachable or safely degradable in the SDK's runtime code paths.
+ *
+ * @socketsecurity/lib stubs:
+ *
+ *   npm-pack.js (2.5MB) — arborist, cacache, pacote, make-fetch-happen,
+ *     semver. Reached via sorts→semver (dead) and cache-with-ttl→cacache
+ *     (degrades gracefully: safeGet returns undefined, in-memory memoization
+ *     still works).
+ *
+ *   pico-pack.js (260KB) — picomatch, fast-glob, del. Reached via
+ *     fs→globs for isDirEmptySync/readDirNames, never called by SDK.
+ *
+ *   globs.js, sorts.js — gateway modules to pico-pack and npm-pack.
+ *
+ * Third-party stubs:
+ *
+ *   mime-db (212KB) — Massive MIME type database bundled via form-data →
+ *     mime-types → mime-db. The SDK only uses 'application/octet-stream'
+ *     (file uploads) and 'application/json' (API calls). Replaced with a
+ *     minimal lookup covering just those types.
+ */
+function createLibStubPlugin() {
+  const libStubPattern =
+    /@socketsecurity\/lib\/dist\/(globs|sorts|external\/(npm-pack|pico-pack))\.js$/
+
+  const mimeDbPattern = /mime-db\/db\.json$/
+
+  return {
+    name: 'stub-unused-internals',
+    setup(build) {
+      // Stub heavy lib modules with empty exports.
+      build.onLoad({ filter: libStubPattern }, () => ({
+        contents: 'module.exports = {}',
+        loader: 'js',
+      }))
+      // Replace 212KB mime-db with minimal lookup for types the SDK uses.
+      build.onLoad({ filter: mimeDbPattern }, () => ({
+        contents: `module.exports = {
+  "application/json": { source: "iana", charset: "UTF-8", compressible: true },
+  "application/octet-stream": { source: "iana", compressible: false },
+  "multipart/form-data": { source: "iana" }
+}`,
+        loader: 'js',
+      }))
+    },
+  }
+}
+
 // Build configuration for ESM output
 export const buildConfig = {
   entryPoints: [`${srcPath}/index.ts`, `${srcPath}/testing.ts`],
@@ -226,9 +276,11 @@ export const buildConfig = {
   logLevel: 'info',
 
   // Use plugins for module resolution and path handling.
-  plugins: [createNodeProtocolPlugin(), createPathShorteningPlugin()].filter(
-    Boolean,
-  ),
+  plugins: [
+    createLibStubPlugin(),
+    createNodeProtocolPlugin(),
+    createPathShorteningPlugin(),
+  ].filter(Boolean),
 
   // External dependencies.
   // All runtime dependencies from package.json are external (not bundled) - consumers must install them.

.git-hooks/pre-push

@@ -118,36 +118,51 @@ while read local_ref local_sha remote_ref remote_sha; do
           continue
         fi
 
+        # Use strings for binary files, grep directly for text files.
+        # This correctly extracts printable strings from WASM, .lockb, etc.
+        is_binary=false
+        if grep -qI '' "$file" 2>/dev/null; then
+          is_binary=false
+        else
+          is_binary=true
+        fi
+
+        if [ "$is_binary" = true ]; then
+          file_text=$(strings "$file" 2>/dev/null || echo "")
+        else
+          file_text=$(cat "$file" 2>/dev/null || echo "")
+        fi
+
         # Check for hardcoded user paths.
-        if grep -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" 2>/dev/null | grep -q .; then
+        if echo "$file_text" | grep -qE '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)'; then
           printf "${RED}✗ BLOCKED: Hardcoded personal path found in: %s${NC}\n" "$file"
-          grep -n -E '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' "$file" | head -3
+          echo "$file_text" | grep -nE '(/Users/[^/\s]+/|/home/[^/\s]+/|C:\\Users\\[^\\]+\\)' | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for Socket API keys.
-        if grep -E 'sktsec_[a-zA-Z0-9_-]+' "$file" 2>/dev/null | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
+        if echo "$file_text" | grep -E 'sktsec_[a-zA-Z0-9_-]+' | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'SOCKET_SECURITY_API_KEY=' | grep -v 'fake-token' | grep -v 'test-token' | grep -q .; then
           printf "${RED}✗ BLOCKED: Real API key detected in: %s${NC}\n" "$file"
-          grep -n 'sktsec_' "$file" | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
+          echo "$file_text" | grep -n 'sktsec_' | grep -v "$ALLOWED_PUBLIC_KEY" | grep -v 'your_api_key_here' | grep -v 'fake-token' | grep -v 'test-token' | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for AWS keys.
-        if grep -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" 2>/dev/null | grep -q .; then
+        if echo "$file_text" | grep -iqE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})'; then
           printf "${RED}✗ BLOCKED: Potential AWS credentials found in: %s${NC}\n" "$file"
-          grep -n -iE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' "$file" | head -3
+          echo "$file_text" | grep -niE '(aws_access_key|aws_secret|AKIA[0-9A-Z]{16})' | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for GitHub tokens.
-        if grep -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" 2>/dev/null | grep -q .; then
+        if echo "$file_text" | grep -qE 'gh[ps]_[a-zA-Z0-9]{36}'; then
           printf "${RED}✗ BLOCKED: Potential GitHub token found in: %s${NC}\n" "$file"
-          grep -n -E 'gh[ps]_[a-zA-Z0-9]{36}' "$file" | head -3
+          echo "$file_text" | grep -nE 'gh[ps]_[a-zA-Z0-9]{36}' | head -3
           ERRORS=$((ERRORS + 1))
         fi
 
         # Check for private keys.
-        if grep -E '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----' "$file" 2>/dev/null | grep -q .; then
+        if echo "$file_text" | grep -qE -- '-----BEGIN (RSA |EC |DSA )?PRIVATE KEY-----'; then
           printf "${RED}✗ BLOCKED: Private key found in: %s${NC}\n" "$file"
           ERRORS=$((ERRORS + 1))
         fi

CLAUDE.md

@@ -21,6 +21,7 @@
 - Dependencies: After `package.json` edits, run `pnpm install` to update `pnpm-lock.yaml`
 - Backward Compatibility: 🚨 FORBIDDEN to maintain - actively remove when encountered (see canonical CLAUDE.md)
 - 🚨 **NEVER use `npx`, `pnpm dlx`, or `yarn dlx`** — use `pnpm exec <package>` for devDep binaries, or `pnpm run <script>` for package.json scripts. If a tool is needed, add it as a pinned devDependency first.
+- **minimumReleaseAge**: NEVER add packages to `minimumReleaseAgeExclude` in CI. Locally, ASK before adding — the age threshold is a security control.
 
 ---
 

package.json

@@ -64,12 +64,9 @@
     "type": "tsgo --noEmit -p .config/tsconfig.check.json",
     "update": "node scripts/update.mjs"
   },
-  "dependencies": {
-    "@socketsecurity/lib": "5.15.0",
-    "form-data": "4.0.5"
-  },
   "devDependencies": {
     "@anthropic-ai/claude-code": "2.1.92",
+    "@socketsecurity/lib": "5.18.2",
     "@babel/generator": "7.28.5",
     "@babel/parser": "7.26.3",
     "@babel/traverse": "7.26.4",
@@ -87,6 +84,7 @@
     "ecc-agentshield": "1.4.0",
     "esbuild": "0.25.11",
     "fast-glob": "3.3.3",
+    "form-data": "4.0.5",
     "husky": "9.1.7",
     "magic-string": "0.30.14",
     "nock": "14.0.10",
@@ -120,7 +118,7 @@
       "unrs-resolver"
     ],
     "overrides": {
-      "defu": ">=6.1.6",
+      "defu": ">=6.1.7",
       "vite": "7.3.2"
     }
   }