Add download command and blob cleanup utilities

- Implement download command to fetch patches from Socket API
- Add API client for HTTP requests with Bearer authentication
- Create blob cleanup utility to remove unused blobs
- Integrate cleanup into both apply and download commands
- Support environment variables SOCKET_API_URL and SOCKET_API_TOKEN

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: mikolalysenko

src/cli.ts

@@ -3,12 +3,14 @@
 import yargs from 'yargs'
 import { hideBin } from 'yargs/helpers'
 import { applyCommand } from './commands/apply.js'
+import { downloadCommand } from './commands/download.js'
 
 async function main(): Promise<void> {
   await yargs(hideBin(process.argv))
     .scriptName('socket-patch')
     .usage('$0 <command> [options]')
     .command(applyCommand)
+    .command(downloadCommand)
     .demandCommand(1, 'You must specify a command')
     .help()
     .alias('h', 'help')

src/commands/apply.ts

@@ -11,6 +11,10 @@ import {
   applyPackagePatch,
 } from '../patch/apply.js'
 import type { ApplyResult } from '../patch/apply.js'
+import {
+  cleanupUnusedBlobs,
+  formatCleanupResult,
+} from '../utils/cleanup-blobs.js'
 
 interface ApplyArgs {
   cwd: string
@@ -95,6 +99,14 @@ async function applyPatches(
     }
   }
 
+  // Clean up unused blobs after applying patches
+  if (!silent) {
+    const cleanupResult = await cleanupUnusedBlobs(manifest, blobsPath, dryRun)
+    if (cleanupResult.blobsRemoved > 0) {
+      console.log(`\n${formatCleanupResult(cleanupResult, dryRun)}`)
+    }
+  }
+
   return { success: !hasErrors, results }
 }
 

src/commands/download.ts

@@ -0,0 +1,165 @@
+import * as fs from 'fs/promises'
+import * as path from 'path'
+import type { CommandModule } from 'yargs'
+import { PatchManifestSchema } from '../schema/manifest-schema.js'
+import { getAPIClientFromEnv } from '../utils/api-client.js'
+import {
+  cleanupUnusedBlobs,
+  formatCleanupResult,
+} from '../utils/cleanup-blobs.js'
+
+interface DownloadArgs {
+  uuid: string
+  org: string
+  cwd: string
+  'api-url'?: string
+  'api-token'?: string
+}
+
+async function downloadPatch(
+  uuid: string,
+  orgSlug: string,
+  cwd: string,
+  apiUrl?: string,
+  apiToken?: string,
+): Promise<boolean> {
+  // Override environment variables if CLI options are provided
+  if (apiUrl) {
+    process.env.SOCKET_API_URL = apiUrl
+  }
+  if (apiToken) {
+    process.env.SOCKET_API_TOKEN = apiToken
+  }
+
+  // Get API client (will use env vars if not overridden)
+  const apiClient = getAPIClientFromEnv()
+
+  console.log(`Fetching patch ${uuid} from ${orgSlug}...`)
+
+  // Fetch patch from API
+  const patch = await apiClient.fetchPatch(orgSlug, uuid)
+
+  if (!patch) {
+    throw new Error(`Patch with UUID ${uuid} not found`)
+  }
+
+  console.log(`Downloaded patch for ${patch.purl}`)
+
+  // Prepare .socket directory
+  const socketDir = path.join(cwd, '.socket')
+  const blobsDir = path.join(socketDir, 'blobs')
+  const manifestPath = path.join(socketDir, 'manifest.json')
+
+  // Create directories
+  await fs.mkdir(socketDir, { recursive: true })
+  await fs.mkdir(blobsDir, { recursive: true })
+
+  // Read existing manifest or create new one
+  let manifest: any
+  try {
+    const manifestContent = await fs.readFile(manifestPath, 'utf-8')
+    manifest = PatchManifestSchema.parse(JSON.parse(manifestContent))
+  } catch {
+    // Create new manifest
+    manifest = { patches: {} }
+  }
+
+  // Save blob contents
+  const files: Record<string, { beforeHash?: string; afterHash?: string }> = {}
+  for (const [filePath, fileInfo] of Object.entries(patch.files)) {
+    if (fileInfo.afterHash) {
+      files[filePath] = {
+        beforeHash: fileInfo.beforeHash,
+        afterHash: fileInfo.afterHash,
+      }
+    }
+
+    // Save blob content if provided
+    if (fileInfo.blobContent && fileInfo.afterHash) {
+      const blobPath = path.join(blobsDir, fileInfo.afterHash)
+      const blobBuffer = Buffer.from(fileInfo.blobContent, 'base64')
+      await fs.writeFile(blobPath, blobBuffer)
+      console.log(`  Saved blob: ${fileInfo.afterHash}`)
+    }
+  }
+
+  // Add/update patch in manifest
+  manifest.patches[patch.purl] = {
+    uuid: patch.uuid,
+    exportedAt: patch.publishedAt,
+    files,
+    vulnerabilities: patch.vulnerabilities,
+    description: patch.description,
+    license: patch.license,
+    tier: patch.tier,
+  }
+
+  // Write updated manifest
+  await fs.writeFile(
+    manifestPath,
+    JSON.stringify(manifest, null, 2) + '\n',
+    'utf-8',
+  )
+
+  console.log(`\nPatch saved to ${manifestPath}`)
+  console.log(`  PURL: ${patch.purl}`)
+  console.log(`  UUID: ${patch.uuid}`)
+  console.log(`  Files: ${Object.keys(files).length}`)
+  console.log(`  Vulnerabilities: ${Object.keys(patch.vulnerabilities).length}`)
+
+  // Clean up unused blobs
+  const cleanupResult = await cleanupUnusedBlobs(manifest, blobsDir, false)
+  if (cleanupResult.blobsRemoved > 0) {
+    console.log(`\n${formatCleanupResult(cleanupResult, false)}`)
+  }
+
+  return true
+}
+
+export const downloadCommand: CommandModule<{}, DownloadArgs> = {
+  command: 'download',
+  describe: 'Download a security patch from Socket API',
+  builder: yargs => {
+    return yargs
+      .option('uuid', {
+        describe: 'Patch UUID to download',
+        type: 'string',
+        demandOption: true,
+      })
+      .option('org', {
+        describe: 'Organization slug',
+        type: 'string',
+        demandOption: true,
+      })
+      .option('cwd', {
+        describe: 'Working directory',
+        type: 'string',
+        default: process.cwd(),
+      })
+      .option('api-url', {
+        describe: 'Socket API URL (overrides SOCKET_API_URL env var)',
+        type: 'string',
+      })
+      .option('api-token', {
+        describe: 'Socket API token (overrides SOCKET_API_TOKEN env var)',
+        type: 'string',
+      })
+  },
+  handler: async argv => {
+    try {
+      await downloadPatch(
+        argv.uuid,
+        argv.org,
+        argv.cwd,
+        argv['api-url'],
+        argv['api-token'],
+      )
+
+      process.exit(0)
+    } catch (err) {
+      const errorMessage = err instanceof Error ? err.message : String(err)
+      console.error(`Error: ${errorMessage}`)
+      process.exit(1)
+    }
+  },
+}

src/utils/api-client.ts

@@ -0,0 +1,120 @@
+import * as https from 'node:https'
+import * as http from 'node:http'
+
+export interface PatchResponse {
+  uuid: string
+  purl: string
+  publishedAt: string
+  files: Record<
+    string,
+    {
+      beforeHash?: string
+      afterHash?: string
+      socketBlob?: string
+      blobContent?: string
+    }
+  >
+  vulnerabilities: Record<
+    string,
+    {
+      cves: string[]
+      summary: string
+      severity: string
+      description: string
+    }
+  >
+  description: string
+  license: string
+  tier: 'free' | 'paid'
+}
+
+export interface APIClientOptions {
+  apiUrl: string
+  apiToken: string
+}
+
+export class APIClient {
+  private readonly apiUrl: string
+  private readonly apiToken: string
+
+  constructor(options: APIClientOptions) {
+    this.apiUrl = options.apiUrl.replace(/\/$/, '') // Remove trailing slash
+    this.apiToken = options.apiToken
+  }
+
+  async fetchPatch(
+    orgSlug: string,
+    uuid: string,
+  ): Promise<PatchResponse | null> {
+    const url = `${this.apiUrl}/v0/orgs/${orgSlug}/patches/view/${uuid}`
+
+    return new Promise((resolve, reject) => {
+      const urlObj = new URL(url)
+      const isHttps = urlObj.protocol === 'https:'
+      const httpModule = isHttps ? https : http
+
+      const options: https.RequestOptions = {
+        method: 'GET',
+        headers: {
+          Authorization: `Bearer ${this.apiToken}`,
+          Accept: 'application/json',
+        },
+      }
+
+      const req = httpModule.request(urlObj, options, res => {
+        let data = ''
+
+        res.on('data', chunk => {
+          data += chunk
+        })
+
+        res.on('end', () => {
+          if (res.statusCode === 200) {
+            try {
+              const parsed = JSON.parse(data)
+              resolve(parsed)
+            } catch (err) {
+              reject(new Error(`Failed to parse response: ${err}`))
+            }
+          } else if (res.statusCode === 404) {
+            resolve(null)
+          } else if (res.statusCode === 401) {
+            reject(new Error('Unauthorized: Invalid API token'))
+          } else if (res.statusCode === 403) {
+            reject(
+              new Error(
+                'Forbidden: Access denied. This may be a paid patch or you may not have access to this organization.',
+              ),
+            )
+          } else if (res.statusCode === 429) {
+            reject(new Error('Rate limit exceeded. Please try again later.'))
+          } else {
+            reject(
+              new Error(`API request failed with status ${res.statusCode}: ${data}`),
+            )
+          }
+        })
+      })
+
+      req.on('error', err => {
+        reject(new Error(`Network error: ${err.message}`))
+      })
+
+      req.end()
+    })
+  }
+}
+
+export function getAPIClientFromEnv(): APIClient {
+  const apiUrl =
+    process.env.SOCKET_API_URL || 'https://api.socket.dev'
+  const apiToken = process.env.SOCKET_API_TOKEN
+
+  if (!apiToken) {
+    throw new Error(
+      'SOCKET_API_TOKEN environment variable is required. Please set it to your Socket API token.',
+    )
+  }
+
+  return new APIClient({ apiUrl, apiToken })
+}