-**`http-request` decompresses `gzip` / `br` response bodies.** Buffered requests advertise `Accept-Encoding: gzip, br` and now decode the body by its `Content-Encoding` before resolving. 6.0.6 sent the header but never decompressed, so a compressed response reached callers as raw deflated bytes. Streamed requests (`stream: true`, e.g. `httpDownload`) skip the header so piped-to-disk payloads stay raw and checksum cleanly. Callers can override with `'identity'`.
13
13
-**`crypto/hash` blob content-address helpers.**`blobHashOf(bytes)` returns Socket's content-addressed blob hash (`Q` + base64url(sha256)), and `verifyBlobHash(hash, bytes)` throws when bytes don't hash to the expected address. Both build on the fast one-shot `hash()`; the `S` file-stream discriminator verifies against the same digest body. Lets blob consumers (the SDK, MCP server) verify integrity against one canonical implementation instead of re-deriving the scheme.
14
+
-**`integrity` — unified checksum/integrity surface.**`checksumToIntegrity(hex, algorithm?)` and `integrityToChecksum(sri)` convert between the two named hash flavors and are idempotent on the destination format (pass an SRI to `checksumToIntegrity`, get it back unchanged). `isIntegrity(s)` and `isChecksum(s)` are the predicates. `parseIntegrity(s)` returns `{ algorithm, body }` for the SRI structure. Replaces the `src/ssri/` directory (`hexToSsri`, `ssriToHex`, `isValidHex`, `isValidSsri`, `parseSsri`) — SSRI is just another name for Subresource Integrity, so the duplication confused readers. `isIntegrity` now accepts the full W3C SRI set (`sha256` / `sha384` / `sha512`) — the previous predicate hardcoded `sha512` only, which mismatched the contract `external-tools/manifest.ts` already promised and rejected the fleet's `sha256-<base64>` integrity strings.
15
+
-**`process/spawn/kill-tree` — cross-platform process-tree termination.**`killProcessTree(target, { detached?, signal? })` walks and signals the whole descendant tree of a `pid` or `ChildProcess`: POSIX uses `process.kill(-pid, signal)` against the detached child's process group; Windows shells out to `taskkill /T /F /pid <pid>`. `isProcessAlive(pid)` probes liveness with `process.kill(pid, 0)`. Both helpers are best-effort and never throw — `ESRCH` (process gone) or `EPERM` (not ours) returns `false` so cleanup kills can't mask the caller's control flow.
16
+
-**`arrays/joinList` — generalized Intl list joiner.**`joinList(items, { with: 'and' | 'or' })` wraps `Intl.ListFormat` for narrow conjunction/disjunction joins. `joinAnd` and `joinOr` keep their old call shapes but delegate to `joinList` so the locale-aware joining lives in one place.
17
+
-**`primordials/intl` — frozen `Intl` constructor captures.**`IntlListFormat`, `IntlPluralRules`, `IntlCollator`, `IntlDateTimeFormat`, `IntlNumberFormat`, `IntlRelativeTimeFormat`, `IntlSegmenter`, and `IntlLocale` are pinned at module load. Lets internal callers reach Intl without paying a property-lookup cost on every call and without being affected by userland prototype tampering.
18
+
-**`constants/node` — `supportsNodeStripTypes()` + `supportsNodeStripTypesDefault()`.** Two feature-detection helpers for runtimes that strip TypeScript types: stable-with-flag in Node 22.6 (`--strip-types`, accepted alias `--experimental-strip-types`), default-on in Node 24. Pair lets tooling pick the right wrapper-script shape per runtime without re-deriving the matrix.
19
+
-**`env/node-version-managers` — detect the active Node manager + emit upgrade hint.**`detectActiveNodeManager()` resolves to one of `'nvm' | 'fnm' | 'volta' | 'asdf' | 'n' | 'corepack' | 'system'` by inspecting `process.execPath` (path-shape regexes are precedence-first) then falling back to manager env vars. `nodeManagerUpgradeHint(manager, version)` returns the exact one-liner a user should paste to install/activate the named version (`nvm install <v> && nvm use <v>`, `volta install node@<v>`, etc.). Used by tools that need Node ≥ X to give an actionable error instead of "install newer Node".
20
+
-**`native-messaging` — Chrome native messaging host scaffold.** New `src/native-messaging/` subpath provides `installNativeHost({ allowedOrigins, wrapperDir? })`, which writes the per-OS `dev.socket.trusted_publisher_host.json` manifest plus a length-prefixed-protocol stdin/stdout loop (`runHost()`). macOS lands the manifest under `~/Library/Application Support/Google/Chrome/NativeMessagingHosts/`, Linux under `~/.config/google-chrome/NativeMessagingHosts/`, Windows under `%APPDATA%\Google\Chrome\User Data\NativeMessagingHosts\` + an `HKCU` registry pointer. The wrapper script bakes in `--strip-types` only when needed (Node 22.6 – 23.x); Node 24+ ships flag-free. Refuses to install on Node < 22.6 with a manager-aware error.
14
21
15
22
### Fixed
16
23
24
+
-**`debug` — namespace `SOCKET_DEBUG` values enable debug output.**`envAsBoolean(getSocketDebug())` returned false for `SOCKET_DEBUG=*` or `SOCKET_DEBUG=socket:foo` — those aren't boolean literals, so debug output was silently suppressed for the common namespace-selection shape. The new `isSocketDebugEnabled()` helper treats any non-empty value other than `0`/`false`/`no` (case-insensitive) as enabled.
17
25
-**`external-tools/skillspector` pipx detection on Windows.** The PATH-tier resolver normalizes the resolved binary path with `normalizePath` and matches a forward-slash-only `pipx/venvs/` pattern, instead of `path.normalize` plus a dual-separator regex. On Windows the old form left backslashes in the path and missed pipx-installed binaries, tagging them `source: 'path'` rather than `source: 'pipx'`.
26
+
-**`arrays/joinAnd` + `joinOr` — restore `string[] | readonly string[]` on params.** The 6.0.6 refactor narrowed the type to plain `string[]` and broke callers passing readonly arrays.
27
+
-**`secrets/keychain` service rename `socket-cli` → `socketsecurity`.** Reads check the new name first then fall back to the legacy `socket-cli` slot, so existing installs keep finding their token. Writes go to the new name only. Callers that wrote tokens via prior versions can re-read them transparently; on next write the value migrates.
28
+
29
+
### Removed
30
+
31
+
-**`@socketsecurity/lib/ssri/{convert,parse,validate}` package exports.** Folded into `@socketsecurity/lib/integrity` (see Added). No fleet consumers were using the `ssri` subpath imports — verified by grep across socket-\* fleet repos.
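Review bot: In the `secrets/keychain` entry under Fixed, the text says writes go to the new `socketsecurity` name only and that the value migrates on next write, but it never says whether the legacy `socket-cli` slot is deleted at that point. If the old item stays in place, a token that is later rotated or cleared under the new name still has a copy in the legacy slot, and the documented read fallback would return it once the new slot is empty. Please state in the entry whether migration removes the legacy item, and if it does not, say so and tell users how to clear it. Separately, the Removed entry drops the `ssri/{convert,parse,validate}` exports on the strength of a grep across fleet repos only; the Added `integrity` entry lists old and new names in different orders, so an explicit old-to-new mapping (for example `hexToSsri` to `checksumToIntegrity`) and a note that the removal is breaking for consumers outside the fleet would help.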