Add TypeScript CLI for patch application

Implements a CLI tool for applying security patches to node_modules:
- Patch manifest schema with vulnerability tracking
- Git-compatible SHA256 hashing utilities with streaming support
- File and package verification logic
- Atomic patch application (verify all before applying any)
- CLI with --cwd, --dry-run, --silent, --manifest-path flags
- Lint configuration matching main depscan repo

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: mikolalysenko

.oxlintrc.json

@@ -0,0 +1,64 @@
+{
+  "$schema": "./node_modules/oxlint/configuration_schema.json",
+  "ignorePatterns": ["**/dist/", "**/node_modules/", "**/.git/"],
+  "plugins": ["typescript", "oxc", "promise", "import"],
+  "categories": {
+    "correctness": "warn",
+    "perf": "warn",
+    "suspicious": "warn"
+  },
+  "rules": {
+    "no-unused-vars": "allow",
+    "no-new-array": "allow",
+    "no-empty-file": "allow",
+    "no-await-in-loop": "allow",
+    "consistent-function-scoping": "allow",
+    "no-new": "allow",
+    "no-extraneous-class": "allow",
+    "no-array-index-key": "allow",
+    "no-unsafe-optional-chaining": "allow",
+    "no-promise-in-callback": "allow",
+    "no-callback-in-promise": "allow",
+    "consistent-type-imports": "deny",
+    "no-empty-named-blocks": "allow",
+    "no-unnecessary-parameter-property-assignment": "allow",
+    "no-unneeded-ternary": "allow",
+    "no-eq-null": "allow",
+    "max-lines-per-function": "allow",
+    "max-depth": "allow",
+    "no-magic-numbers": "allow",
+    "no-unassigned-import": "allow",
+    "promise/always-return": "allow",
+    "no-unassigned-vars": "deny",
+    "typescript/no-floating-promises": "deny",
+    "typescript/no-misused-promises": "deny",
+    "typescript/return-await": "allow",
+    "typescript/await-thenable": "allow",
+    "typescript/consistent-type-imports": "allow",
+    "typescript/no-base-to-string": "allow",
+    "typescript/no-duplicate-type-constituents": "allow",
+    "typescript/no-for-in-array": "allow",
+    "typescript/no-meaningless-void-operator": "allow",
+    "typescript/no-misused-spread": "allow",
+    "typescript/no-redundant-type-constituents": "allow",
+    "typescript/no-unnecessary-boolean-literal-compare": "allow",
+    "typescript/no-unnecessary-template-expression": "allow",
+    "typescript/no-unnecessary-type-arguments": "allow",
+    "typescript/no-unnecessary-type-assertion": "allow",
+    "typescript/no-unsafe-enum-comparison": "allow",
+    "typescript/no-unsafe-type-assertion": "allow",
+    "typescript/require-array-sort-compare": "allow",
+    "typescript/restrict-template-expressions": "allow",
+    "typescript/triple-slash-reference": "allow",
+    "typescript/unbound-method": "allow"
+  },
+  "overrides": [
+    {
+      "files": ["**/*.test.ts", "**/*.test.js", "**/*.spec.ts", "**/*.spec.js"],
+      "rules": {
+        "typescript/no-floating-promises": "allow",
+        "typescript/no-misused-promises": "allow"
+      }
+    }
+  ]
+}

README.md

@@ -1,2 +1,140 @@
-# socket-patch
-Socket patch CLI tool
+# Socket Patch CLI
+
+CLI tool for applying security patches to dependencies.
+
+## Setup
+
+```bash
+# Install dependencies
+npm install
+
+# Build the project
+npm run build
+```
+
+## Usage
+
+```bash
+# Apply patches from manifest (default: .socket/manifest.json)
+socket-patch apply
+
+# Apply patches with custom manifest path
+socket-patch apply --manifest-path /path/to/manifest.json
+
+# Dry run (verify patches can be applied without modifying files)
+socket-patch apply --dry-run
+
+# Silent mode (only output errors)
+socket-patch apply --silent
+
+# Custom working directory
+socket-patch apply --cwd /path/to/project
+```
+
+## Development
+
+```bash
+# Watch mode for development
+npm run dev
+```
+
+## Project Structure
+
+```
+src/
+├── cli.ts              # Main CLI entry point
+├── commands/
+│   └── apply.ts        # Apply patch command
+├── schema/
+│   └── manifest-schema.ts  # Patch manifest schema (Zod)
+├── hash/
+│   └── git-sha256.ts   # Git-compatible SHA256 hashing
+├── patch/
+│   ├── file-hash.ts    # File hashing utilities
+│   └── apply.ts        # Core patch application logic
+├── types.ts            # TypeScript type definitions
+├── utils.ts            # Utility functions
+└── index.ts            # Library exports
+```
+
+## Commands
+
+### apply
+
+Apply security patches to dependencies from a manifest file.
+
+**Options:**
+- `--cwd` - Working directory (default: current directory)
+- `-d, --dry-run` - Verify patches can be applied without modifying files
+- `-s, --silent` - Only output errors
+- `-m, --manifest-path` - Path to patch manifest file (default: `.socket/manifest.json`)
+- `-h, --help` - Show help
+- `-v, --version` - Show version
+
+**Exit Codes:**
+- `0` - Success (patches applied or already applied)
+- `1` - Error (manifest not found, verification failed, or patch application failed)
+
+## Manifest Format
+
+The manifest file (`.socket/manifest.json`) contains patch definitions:
+
+```json
+{
+  "patches": {
+    "pkg:npm/[email protected]": {
+      "uuid": "unique-patch-id",
+      "exportedAt": "2024-01-01T00:00:00Z",
+      "files": {
+        "path/to/file.js": {
+          "beforeHash": "git-sha256-before",
+          "afterHash": "git-sha256-after"
+        }
+      },
+      "vulnerabilities": {
+        "GHSA-xxxx-xxxx-xxxx": {
+          "cves": ["CVE-2024-12345"],
+          "summary": "Vulnerability summary",
+          "severity": "high",
+          "description": "Detailed description"
+        }
+      },
+      "description": "Patch description",
+      "license": "MIT",
+      "tier": "free"
+    }
+  }
+}
+```
+
+Patched file contents are stored in `.socket/blobs/` directory, named by their Git-compatible SHA256 hash.
+
+## Library Usage
+
+The socket-patch CLI can also be used as a library:
+
+```typescript
+import {
+  PatchManifest,
+  PatchManifestSchema,
+  computeGitSHA256FromBuffer,
+  computeGitSHA256FromChunks,
+  applyPackagePatch,
+  findNodeModules,
+} from '@socketsecurity/socket-patch-cli'
+
+// Validate manifest
+const manifest = PatchManifestSchema.parse(manifestData)
+
+// Compute file hashes
+const hash = computeGitSHA256FromBuffer(fileBuffer)
+
+// Apply patches programmatically
+const result = await applyPackagePatch(
+  packageKey,
+  packagePath,
+  files,
+  blobsPath,
+  dryRun,
+)
+```

biome.json

@@ -0,0 +1,47 @@
+{
+  "$schema": "./node_modules/@biomejs/biome/configuration_schema.json",
+  "files": {
+    "includes": ["**", "!.git", "!dist", "!node_modules"]
+  },
+  "formatter": {
+    "enabled": true,
+    "formatWithErrors": false,
+    "indentStyle": "space",
+    "indentWidth": 2,
+    "lineEnding": "lf",
+    "lineWidth": 80
+  },
+  "linter": {
+    "enabled": false,
+    "rules": {
+      "style": {
+        "noParameterAssign": "error",
+        "useAsConstAssertion": "error",
+        "useDefaultParameterLast": "error",
+        "useEnumInitializers": "error",
+        "useSelfClosingElements": "error",
+        "useSingleVarDeclarator": "error",
+        "noUnusedTemplateLiteral": "error",
+        "useNumberNamespace": "error",
+        "noInferrableTypes": "error",
+        "noUselessElse": "error"
+      }
+    }
+  },
+  "javascript": {
+    "formatter": {
+      "arrowParentheses": "asNeeded",
+      "semicolons": "asNeeded",
+      "quoteStyle": "single",
+      "jsxQuoteStyle": "single",
+      "trailingCommas": "all"
+    }
+  },
+  "json": {
+    "formatter": {
+      "trailingCommas": "none",
+      "indentStyle": "space",
+      "indentWidth": 2
+    }
+  }
+}

package.json

@@ -0,0 +1,63 @@
+{
+  "name": "@socketsecurity/socket-patch-cli",
+  "version": "0.1.0",
+  "description": "CLI tool for applying security patches to dependencies",
+  "type": "module",
+  "main": "dist/index.js",
+  "types": "dist/index.d.ts",
+  "bin": {
+    "socket-patch": "dist/cli.js"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "require": "./dist/index.js",
+      "import": "./dist/index.js"
+    },
+    "./schema": {
+      "types": "./dist/schema/manifest-schema.d.ts",
+      "require": "./dist/schema/manifest-schema.js",
+      "import": "./dist/schema/manifest-schema.js"
+    },
+    "./hash": {
+      "types": "./dist/hash/git-sha256.d.ts",
+      "require": "./dist/hash/git-sha256.js",
+      "import": "./dist/hash/git-sha256.js"
+    },
+    "./patch": {
+      "types": "./dist/patch/apply.d.ts",
+      "require": "./dist/patch/apply.js",
+      "import": "./dist/patch/apply.js"
+    }
+  },
+  "scripts": {
+    "build": "tsc",
+    "dev": "tsc --watch",
+    "patch": "node dist/cli.js",
+    "lint": "oxlint -c ./.oxlintrc.json --tsconfig ./tsconfig.json --deny-warnings",
+    "lint:fix": "pnpm run lint --fix && pnpm run lint:fix:fast",
+    "lint:fix:fast": "biome format --write"
+  },
+  "keywords": [
+    "security",
+    "patch",
+    "cli",
+    "dependencies"
+  ],
+  "author": "Socket Security",
+  "license": "MIT",
+  "dependencies": {
+    "yargs": "^17.7.2",
+    "zod": "^3.24.4"
+  },
+  "devDependencies": {
+    "@biomejs/biome": "^2.1.2",
+    "@types/node": "^20.0.0",
+    "@types/yargs": "^17.0.32",
+    "oxlint": "^1.15.0",
+    "typescript": "^5.3.0"
+  },
+  "engines": {
+    "node": ">=18.0.0"
+  }
+}

src/cli.ts

@@ -0,0 +1,24 @@
+#!/usr/bin/env node
+
+import yargs from 'yargs'
+import { hideBin } from 'yargs/helpers'
+import { applyCommand } from './commands/apply.js'
+
+async function main(): Promise<void> {
+  await yargs(hideBin(process.argv))
+    .scriptName('socket-patch')
+    .usage('$0 <command> [options]')
+    .command(applyCommand)
+    .demandCommand(1, 'You must specify a command')
+    .help()
+    .alias('h', 'help')
+    .version()
+    .alias('v', 'version')
+    .strict()
+    .parse()
+}
+
+main().catch((error: Error) => {
+  console.error('Error:', error.message)
+  process.exit(1)
+})