Add support for public patch API proxy

When SOCKET_API_TOKEN is not set, the CLI now automatically uses
the public patch API proxy (patch-api.socket.dev) to access free
patches without authentication.

Changes:
- APIClient now supports optional authentication for public proxy mode
- getAPIClientFromEnv() returns { client, usePublicProxy } tuple
- --org is now optional when using the public proxy
- Updated examples to show no-auth usage first

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <[email protected]>

Author: mikolalysenko

src/commands/download.ts

@@ -24,7 +24,7 @@ type IdentifierType = 'uuid' | 'cve' | 'ghsa' | 'package'
 
 interface DownloadArgs {
   identifier: string
-  org: string
+  org?: string
   cwd: string
   id?: boolean
   cve?: boolean
@@ -179,8 +179,18 @@ async function downloadPatches(args: DownloadArgs): Promise<boolean> {
     process.env.SOCKET_API_TOKEN = apiToken
   }
 
-  // Get API client
-  const apiClient = getAPIClientFromEnv()
+  // Get API client (will use public proxy if no token is set)
+  const { client: apiClient, usePublicProxy } = getAPIClientFromEnv()
+
+  // Validate that org is provided when using authenticated API
+  if (!usePublicProxy && !orgSlug) {
+    throw new Error(
+      '--org is required when using SOCKET_API_TOKEN. Provide an organization slug.',
+    )
+  }
+
+  // The org slug to use (null when using public proxy)
+  const effectiveOrgSlug = usePublicProxy ? null : orgSlug ?? null
 
   // Determine identifier type
   let idType: IdentifierType
@@ -200,7 +210,7 @@ async function downloadPatches(args: DownloadArgs): Promise<boolean> {
   // For UUID, directly fetch and download the patch
   if (idType === 'uuid') {
     console.log(`Fetching patch by UUID: ${identifier}`)
-    const patch = await apiClient.fetchPatch(orgSlug, identifier)
+    const patch = await apiClient.fetchPatch(effectiveOrgSlug, identifier)
     if (!patch) {
       console.log(`No patch found with UUID: ${identifier}`)
       return true
@@ -246,18 +256,18 @@ async function downloadPatches(args: DownloadArgs): Promise<boolean> {
   switch (idType) {
     case 'cve': {
       console.log(`Searching patches for CVE: ${identifier}`)
-      searchResponse = await apiClient.searchPatchesByCVE(orgSlug, identifier)
+      searchResponse = await apiClient.searchPatchesByCVE(effectiveOrgSlug, identifier)
       break
     }
     case 'ghsa': {
       console.log(`Searching patches for GHSA: ${identifier}`)
-      searchResponse = await apiClient.searchPatchesByGHSA(orgSlug, identifier)
+      searchResponse = await apiClient.searchPatchesByGHSA(effectiveOrgSlug, identifier)
       break
     }
     case 'package': {
       console.log(`Searching patches for package: ${identifier}`)
       searchResponse = await apiClient.searchPatchesByPackage(
-        orgSlug,
+        effectiveOrgSlug,
         identifier,
       )
       break
@@ -331,7 +341,7 @@ async function downloadPatches(args: DownloadArgs): Promise<boolean> {
 
   for (const searchResult of accessiblePatches) {
     // Fetch full patch details with blob content
-    const patch = await apiClient.fetchPatch(orgSlug, searchResult.uuid)
+    const patch = await apiClient.fetchPatch(effectiveOrgSlug, searchResult.uuid)
     if (!patch) {
       console.log(`  [fail] ${searchResult.purl} (could not fetch details)`)
       patchesFailed++
@@ -383,9 +393,9 @@ export const downloadCommand: CommandModule<{}, DownloadArgs> = {
         demandOption: true,
       })
       .option('org', {
-        describe: 'Organization slug',
+        describe: 'Organization slug (required when using SOCKET_API_TOKEN, optional for public proxy)',
         type: 'string',
-        demandOption: true,
+        demandOption: false,
       })
       .option('id', {
         describe: 'Force identifier to be treated as a patch UUID',
@@ -427,24 +437,24 @@ export const downloadCommand: CommandModule<{}, DownloadArgs> = {
         type: 'string',
       })
       .example(
-        '$0 download 12345678-1234-1234-1234-123456789abc --org myorg',
-        'Download a patch by UUID',
+        '$0 download CVE-2021-44228',
+        'Download free patches for a CVE (no auth required)',
       )
       .example(
-        '$0 download CVE-2021-44228 --org myorg',
-        'Search and download patches for a CVE',
+        '$0 download GHSA-jfhm-5ghh-2f97',
+        'Download free patches for a GHSA (no auth required)',
       )
       .example(
-        '$0 download GHSA-jfhm-5ghh-2f97 --org myorg',
-        'Search and download patches for a GHSA',
+        '$0 download lodash --pkg',
+        'Download free patches for a package (no auth required)',
       )
       .example(
-        '$0 download lodash --org myorg --pkg',
-        'Search and download patches for a package',
+        '$0 download 12345678-1234-1234-1234-123456789abc --org myorg',
+        'Download a patch by UUID (requires SOCKET_API_TOKEN)',
       )
       .example(
         '$0 download CVE-2021-44228 --org myorg --yes',
-        'Download all matching patches without confirmation',
+        'Download all matching patches without confirmation (with auth)',
       )
       .check(argv => {
         // Ensure only one type flag is set

src/utils/api-client.ts

@@ -1,6 +1,9 @@
 import * as https from 'node:https'
 import * as http from 'node:http'
 
+// Default public patch API proxy URL for free patches (no auth required)
+const DEFAULT_PATCH_API_PROXY_URL = 'https://patch-api.socket.dev'
+
 // Full patch response with blob content (from view endpoint)
 export interface PatchResponse {
   uuid: string
@@ -55,16 +58,23 @@ export interface SearchResponse {
 
 export interface APIClientOptions {
   apiUrl: string
-  apiToken: string
+  apiToken?: string
+  /**
+   * When true, the client will use the public patch API proxy
+   * which only provides access to free patches without authentication.
+   */
+  usePublicProxy?: boolean
 }
 
 export class APIClient {
   private readonly apiUrl: string
-  private readonly apiToken: string
+  private readonly apiToken?: string
+  private readonly usePublicProxy: boolean
 
   constructor(options: APIClientOptions) {
     this.apiUrl = options.apiUrl.replace(/\/$/, '') // Remove trailing slash
     this.apiToken = options.apiToken
+    this.usePublicProxy = options.usePublicProxy ?? false
   }
 
   /**
@@ -78,12 +88,18 @@ export class APIClient {
       const isHttps = urlObj.protocol === 'https:'
       const httpModule = isHttps ? https : http
 
+      const headers: Record<string, string> = {
+        Accept: 'application/json',
+      }
+
+      // Only add auth header if we have a token (not using public proxy)
+      if (this.apiToken) {
+        headers['Authorization'] = `Bearer ${this.apiToken}`
+      }
+
       const options: https.RequestOptions = {
         method: 'GET',
-        headers: {
-          Authorization: `Bearer ${this.apiToken}`,
-          Accept: 'application/json',
-        },
+        headers,
       }
 
       const req = httpModule.request(urlObj, options, res => {
@@ -106,11 +122,10 @@ export class APIClient {
           } else if (res.statusCode === 401) {
             reject(new Error('Unauthorized: Invalid API token'))
           } else if (res.statusCode === 403) {
-            reject(
-              new Error(
-                'Forbidden: Access denied. This may be a paid patch or you may not have access to this organization.',
-              ),
-            )
+            const msg = this.usePublicProxy
+              ? 'Forbidden: This patch is only available to paid subscribers. Sign up at https://socket.dev to access paid patches.'
+              : 'Forbidden: Access denied. This may be a paid patch or you may not have access to this organization.'
+            reject(new Error(msg))
           } else if (res.statusCode === 429) {
             reject(new Error('Rate limit exceeded. Please try again later.'))
           } else {
@@ -135,23 +150,29 @@ export class APIClient {
    * Fetch a patch by UUID (full details with blob content)
    */
   async fetchPatch(
-    orgSlug: string,
+    orgSlug: string | null,
     uuid: string,
   ): Promise<PatchResponse | null> {
-    return this.get(`/v0/orgs/${orgSlug}/patches/view/${uuid}`)
+    // Public proxy uses simpler URL structure (no org slug needed)
+    const path = this.usePublicProxy
+      ? `/view/${uuid}`
+      : `/v0/orgs/${orgSlug}/patches/view/${uuid}`
+    return this.get(path)
   }
 
   /**
    * Search patches by CVE ID
    * Returns lightweight search results (no blob content)
    */
   async searchPatchesByCVE(
-    orgSlug: string,
+    orgSlug: string | null,
     cveId: string,
   ): Promise<SearchResponse> {
-    const result = await this.get<SearchResponse>(
-      `/v0/orgs/${orgSlug}/patches/by-cve/${encodeURIComponent(cveId)}`,
-    )
+    // Public proxy uses simpler URL structure (no org slug needed)
+    const path = this.usePublicProxy
+      ? `/by-cve/${encodeURIComponent(cveId)}`
+      : `/v0/orgs/${orgSlug}/patches/by-cve/${encodeURIComponent(cveId)}`
+    const result = await this.get<SearchResponse>(path)
     return result ?? { patches: [], canAccessPaidPatches: false }
   }
 
@@ -160,12 +181,14 @@ export class APIClient {
    * Returns lightweight search results (no blob content)
    */
   async searchPatchesByGHSA(
-    orgSlug: string,
+    orgSlug: string | null,
     ghsaId: string,
   ): Promise<SearchResponse> {
-    const result = await this.get<SearchResponse>(
-      `/v0/orgs/${orgSlug}/patches/by-ghsa/${encodeURIComponent(ghsaId)}`,
-    )
+    // Public proxy uses simpler URL structure (no org slug needed)
+    const path = this.usePublicProxy
+      ? `/by-ghsa/${encodeURIComponent(ghsaId)}`
+      : `/v0/orgs/${orgSlug}/patches/by-ghsa/${encodeURIComponent(ghsaId)}`
+    const result = await this.get<SearchResponse>(path)
     return result ?? { patches: [], canAccessPaidPatches: false }
   }
 
@@ -174,25 +197,45 @@ export class APIClient {
    * Returns lightweight search results (no blob content)
    */
   async searchPatchesByPackage(
-    orgSlug: string,
+    orgSlug: string | null,
     packageQuery: string,
   ): Promise<SearchResponse> {
-    const result = await this.get<SearchResponse>(
-      `/v0/orgs/${orgSlug}/patches/by-package/${encodeURIComponent(packageQuery)}`,
-    )
+    // Public proxy uses simpler URL structure (no org slug needed)
+    const path = this.usePublicProxy
+      ? `/by-package/${encodeURIComponent(packageQuery)}`
+      : `/v0/orgs/${orgSlug}/patches/by-package/${encodeURIComponent(packageQuery)}`
+    const result = await this.get<SearchResponse>(path)
     return result ?? { patches: [], canAccessPaidPatches: false }
   }
 }
 
-export function getAPIClientFromEnv(): APIClient {
-  const apiUrl = process.env.SOCKET_API_URL || 'https://api.socket.dev'
+/**
+ * Get an API client configured from environment variables.
+ *
+ * If SOCKET_API_TOKEN is not set, the client will use the public patch API proxy
+ * which provides free access to free-tier patches without authentication.
+ *
+ * Environment variables:
+ * - SOCKET_API_URL: Override the API URL (defaults to https://api.socket.dev)
+ * - SOCKET_API_TOKEN: API token for authenticated access to all patches
+ * - SOCKET_PATCH_PROXY_URL: Override the public proxy URL (defaults to https://patch-api.socket.dev)
+ */
+export function getAPIClientFromEnv(): { client: APIClient; usePublicProxy: boolean } {
   const apiToken = process.env.SOCKET_API_TOKEN
 
   if (!apiToken) {
-    throw new Error(
-      'SOCKET_API_TOKEN environment variable is required. Please set it to your Socket API token.',
-    )
+    // No token provided - use public proxy for free patches
+    const proxyUrl = process.env.SOCKET_PATCH_PROXY_URL || DEFAULT_PATCH_API_PROXY_URL
+    console.log('No SOCKET_API_TOKEN set. Using public patch API proxy (free patches only).')
+    return {
+      client: new APIClient({ apiUrl: proxyUrl, usePublicProxy: true }),
+      usePublicProxy: true,
+    }
   }
 
-  return new APIClient({ apiUrl, apiToken })
+  const apiUrl = process.env.SOCKET_API_URL || 'https://api.socket.dev'
+  return {
+    client: new APIClient({ apiUrl, apiToken }),
+    usePublicProxy: false,
+  }
 }