refactor: simplify package structure by consolidating lib packages (#882)

* fix(build): ensure lib-internal and SDK build before CLI

Add lib-internal and SDK to BUILD_PACKAGES array as the first two
build steps to ensure they are built before the CLI package, which
depends on both of them.

This fixes the build order issue where CLI would fail because it
imports from @socketsecurity/lib-internal and @socketsecurity/sdk
but their dist folders didn't exist yet.

* refactor: migrate all imports to use lib-external and lib-internal

- Scripts (build.mjs, etc.) → @socketsecurity/lib-external
- Build infrastructure → @socketsecurity/lib-external
- CLI source code (src/) → @socketsecurity/lib-internal
- Add lib-external alias to root devDependencies

This ensures proper separation between:
- Published package (lib-external) for build scripts
- Workspace package (lib-internal) for application source

* refactor: rename @socketsecurity/lib to @socketsecurity/lib-internal

Change the workspace package name from @socketsecurity/lib to
@socketsecurity/lib-internal to clearly distinguish it from the
published npm package.

This ensures:
- CLI source imports from @socketsecurity/lib-internal (workspace)
- Scripts import from @socketsecurity/lib-external (published package)

Updated CLI package.json to use @socketsecurity/lib-internal workspace
dependency.

* refactor: update all packages to use @socketsecurity/lib-internal

Update all package.json files across the monorepo to use the renamed
@socketsecurity/lib-internal workspace dependency.

Git renamed packages/lib → packages/lib-internal to match the new
package name.

* refactor: remove bootstrap-smol references

Remove bootstrap-smol source file, config, and exports as it's no
longer needed. Keep bootstrap-npm and bootstrap-sea.

* fix(lib-internal): access .default property when requiring maintained-node-versions

Fixed TypeError where CLI crashed on startup with "Cannot read properties of null (reading 'major')".

The issue was that maintained-node-versions exports a default export, but the require() calls were not accessing the .default property. This caused semver.parse() to receive undefined instead of the version string.

Changes:
- packages/lib-internal/src/package-default-node-range.ts: Added .default to require
- packages/lib-internal/src/constants/node.ts: Added .default to require

This fix resolves 19 test failures in the CLI test suite (from 66 to 47 failures).

* fix(tests): update test mocks to use @socketsecurity/lib-internal

After renaming @socketsecurity/lib to @socketsecurity/lib-internal, test mocks were still
referencing the old package name, causing 47 test failures. Updated all vi.mock() statements
and related imports in test files to use the correct lib-internal package.

Changes:
- Updated vi.mock() statements from @socketsecurity/lib/* to @socketsecurity/lib-internal/*
- Updated await import() statements in tests to match mocked package paths
- Fixed import statement in handle-purls-shallow-score.test.mts to match its mock

Test results:
- Before: 47 failed tests across 10 test files
- After: All 2255 tests passing (196 test files, 100% pass rate)

Files modified:
- test/unit/commands/ci/handle-ci.test.mts
- test/unit/commands/fix/ghsa-tracker.test.mts
- test/unit/commands/fix/handle-fix.test.mts
- test/unit/commands/fix/pr-lifecycle-logger.test.mts
- test/unit/commands/package/handle-purl-deep-score.test.mts
- test/unit/commands/package/handle-purls-shallow-score.test.mts
- test/unit/commands/scan/fetch-diff-scan.test.mts
- test/unit/commands/scan/fetch-scan.test.mts
- test/unit/commands/scan/output-create-new-scan.test.mts
- test/unit/commands/threat-feed/output-threat-feed.test.mts

* fix(lib-internal): fix TypeScript compilation errors

Fixed two pre-existing TypeScript errors that were preventing successful builds:

1. bin.ts: Removed incompatible 'env' property from WhichOptions interface
   - The 'which' package has strict type checking that doesn't allow env property
   - This was causing TS2345 errors during build

2. versions.ts: Added 'release' to versionDiff return type
   - semver.diff() can return 'release' type which wasn't in the union type
   - This was causing TS2322 error

These fixes allow lib-internal to build successfully with TypeScript type declarations.

* refactor(sdk): move SECURITY.md to docs/security.md

Moved SECURITY.md file to comply with monorepo markdown filename conventions.
SCREAMING_CASE files are only allowed at root, docs/, or .claude/ directories.

* refactor(lib-internal): remove invalid type export for babel plugin

Removed types export for babel-plugin-inline-require-calls as the .d.ts file doesn't exist.
This was causing build warnings.

* refactor(lib-internal): remove external imports rewriting system

Removes fix-external-imports.mjs script and its call from fix-build.mjs.
The external bundling system (build-externals.mjs + fix-external-imports.mjs)
was designed for standalone npm package distribution, not monorepo usage.

In standalone distribution, it would:
- Bundle 30+ external dependencies into dist/external/
- Rewrite imports from require('package') to require('./external/package')
- Create a zero-dependency npm package

In monorepo context:
- All packages are in node_modules/ via pnpm workspaces
- External bundling is explicitly disabled (build.mjs:409)
- No need to bundle or rewrite imports

The build now runs:
- Package exports generation
- Path alias fixing
- CommonJS exports fixing

Verified that built files have correct imports (e.g., require("picomatch")
instead of require("./external/picomatch")).

* refactor(sdk): remove orphaned SECURITY.md file

Removes SECURITY.md from sdk package root. This file was orphaned
and not part of the sdk package documentation structure.

* fix(ci): build lib-internal and SDK before CLI

The CLI package now depends on @socketsecurity/lib-internal and
@socketsecurity/sdk as workspace dependencies. These packages must be
built before the CLI can be type-checked or built.

Updated all CI job steps to build dependencies in the correct order:
1. lib-internal
2. SDK
3. CLI

This fixes TypeScript compilation errors in CI where modules could not
be resolved.

* fix(ci): use pnpm recursive filter to build workspace dependencies

Changed from manually chaining build commands to using pnpm's
recursive filter syntax (`--filter @socketsecurity/cli...`) which
automatically builds all workspace dependencies in the correct order.

The `...` suffix tells pnpm to include all dependencies of the CLI
package, ensuring lib-internal and SDK are built before CLI.

This is more maintainable and follows pnpm best practices.

---------

Co-authored-by: Test User <test@example.com>

Author: jdalton

.github/workflows/ci.yml

@@ -35,7 +35,7 @@ jobs:
     name: Run CI Pipeline
     uses: SocketDev/socket-registry/.github/workflows/ci.yml@1a96ced97aaa85d61543351b90d6f463b983c46c # main
     with:
-      test-setup-script: 'pnpm --filter @socketsecurity/cli run build'
+      test-setup-script: 'pnpm --filter @socketsecurity/cli... run build'
       lint-script: 'pnpm --filter @socketsecurity/cli run check'
       type-check-script: 'pnpm --filter @socketsecurity/cli run type'
       run-test: false  # Tests run in separate sharded job below.
@@ -64,9 +64,8 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
 
-      - name: Build CLI
-        working-directory: packages/cli
-        run: pnpm run build
+      - name: Build dependencies and CLI
+        run: pnpm --filter @socketsecurity/cli... run build
 
       - name: Run unit tests (shard ${{ matrix.shard }})
         working-directory: packages/cli
@@ -88,9 +87,8 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
 
-      - name: Build CLI
-        working-directory: packages/cli
-        run: pnpm run build
+      - name: Build dependencies and CLI
+        run: pnpm --filter @socketsecurity/cli... run build
 
       - name: Generate cache keys for binary distributions
         id: cache-keys
@@ -220,9 +218,8 @@ jobs:
         with:
           node-version: ${{ matrix.node-version }}
 
-      - name: Build CLI
-        working-directory: packages/cli
-        run: pnpm run build
+      - name: Build dependencies and CLI
+        run: pnpm --filter @socketsecurity/cli... run build
 
       - name: Run e2e tests
         working-directory: packages/cli

package.json

@@ -35,6 +35,8 @@
     "@socketregistry/packageurl-js": "catalog:",
     "@socketregistry/yocto-spinner": "catalog:",
     "@socketsecurity/config": "catalog:",
+    "@socketsecurity/lib": "3.2.8",
+    "@socketsecurity/lib-external": "npm:@socketsecurity/lib@3.2.8",
     "@socketsecurity/registry": "catalog:",
     "@types/cmd-shim": "catalog:",
     "@types/ink": "catalog:",

packages/bootstrap/.config/esbuild.smol.config.mjs

@@ -7,7 +7,6 @@
     ".": "./dist/index.js",
     "./bootstrap-npm.js": "./dist/bootstrap-npm.js",
     "./bootstrap-sea.js": "./dist/bootstrap-sea.js",
-    "./bootstrap-smol.js": "./dist/bootstrap-smol.js",
     "./node-version.json": "./node-version.json"
   },
   "scripts": {
@@ -22,7 +21,7 @@
     "@babel/types": "catalog:",
     "@socketsecurity/build-infra": "workspace:*",
     "@socketsecurity/cli": "workspace:*",
-    "@socketsecurity/lib": "workspace:*",
+    "@socketsecurity/lib-internal": "workspace:*",
     "del-cli": "catalog:",
     "esbuild": "catalog:",
     "magic-string": "catalog:",

packages/bootstrap/package.json

@@ -56,16 +56,6 @@ module.exports = {
     return loadBootstrap('bootstrap-sea.js')
   },
 
-  /**
-   * Load smol bootstrap (for smol Node.js binary - also available compressed).
-   * Note: This is also embedded in base64 in the Node.js binary via
-   * packages/node-smol-builder, but providing compressed version for consistency.
-   * @returns {any} Bootstrap exports
-   */
-  loadSmolBootstrap() {
-    return loadBootstrap('bootstrap-smol.js')
-  },
-
   // Re-export the loader function for custom usage.
   loadBootstrap,
 }

packages/bootstrap/src/bootstrap-smol.mts

@@ -8,9 +8,9 @@
 import { promises as fs } from 'node:fs'
 import path from 'node:path'
 
-import binPkg from '@socketsecurity/lib/bin'
-import platformPkg from '@socketsecurity/lib/constants/platform'
-import spawnPkg from '@socketsecurity/lib/spawn'
+import binPkg from '@socketsecurity/lib-external/bin'
+import platformPkg from '@socketsecurity/lib-external/constants/platform'
+import spawnPkg from '@socketsecurity/lib-external/spawn'
 
 const { whichBinSync } = binPkg
 const { WIN32 } = platformPkg

packages/bootstrap/src/index.mts

@@ -4,7 +4,7 @@
  * Provides consistent, pretty logging for build processes.
  */
 
-import loggerPkg from '@socketsecurity/lib/logger'
+import loggerPkg from '@socketsecurity/lib-external/logger'
 
 const logger = loggerPkg.getDefaultLogger()
 

packages/build-infra/lib/build-helpers.mjs

@@ -6,8 +6,8 @@
 
 import { cpus } from 'node:os'
 
-import platformPkg from '@socketsecurity/lib/constants/platform'
-import spawnPkg from '@socketsecurity/lib/spawn'
+import platformPkg from '@socketsecurity/lib-external/constants/platform'
+import spawnPkg from '@socketsecurity/lib-external/spawn'
 
 const { WIN32 } = platformPkg
 const { spawn } = spawnPkg

packages/build-infra/lib/build-output.mjs

@@ -7,8 +7,8 @@
 import { cpus } from 'node:os'
 import path from 'node:path'
 
-import platformPkg from '@socketsecurity/lib/constants/platform'
-import spawnPkg from '@socketsecurity/lib/spawn'
+import platformPkg from '@socketsecurity/lib-external/constants/platform'
+import spawnPkg from '@socketsecurity/lib-external/spawn'
 
 const { WIN32 } = platformPkg
 const { spawn } = spawnPkg