fix(cli): align utils/dlx/ error messages with 4-ingredient strategy

jdalton · jdalton · commit d018b35a441c · 2026-04-22T10:31:23.000-04:00
Rewrites error messages across packages/cli/src/utils/dlx/ to follow the What / Where / Saw vs. wanted / Fix strategy from CLAUDE.md. Sources: - spawn.mts: 27 messages - 6x 'Unexpected resolution type for <tool>' — now name the resolver function and the actual resolution.type seen - Archive/platform errors name the supported formats/platforms - Python DLX errors surface the lock file path and cache dir - PyPI fetch errors include the URL that failed - Security errors (zip-slip, symlink escape) tell user to delete the cached asset and report upstream - resolve-binary.mts: 4 messages (socket-patch, trivy, trufflehog, opengrep platform support) — each now lists supported platforms and suggests how to install the tool manually - vfs-extract.mts: 5 messages (SEA VFS extraction failures) — each names what went wrong with the bundle and how to recover (usually: rebuild SEA) Internal invariant errors stay as plain Error (not InputError) but are informative enough that if they ever fire, the user can open a useful bug report. Tests updated: test/unit/utils/dlx/resolve-binary.test.mts (1 substring match switched to regex). Follows strategy from #1254. Part of the multi-PR series started by #1255 (commands/).
diff --git a/packages/cli/src/utils/dlx/resolve-binary.mts b/packages/cli/src/utils/dlx/resolve-binary.mts
@@ -167,8 +167,7 @@ export function resolveSocketPatch(): BinaryResolution {
 
   if (!assetName) {
     throw new Error(
-      `socket-patch is not available for platform ${platformKey}. ` +
-        `Supported platforms: ${Object.keys(SOCKET_PATCH_ASSETS).join(', ')}`,
+      `socket-patch has no prebuilt binary for "${platformKey}" (supported: ${Object.keys(SOCKET_PATCH_ASSETS).join(', ')}); upgrade socket-cli, build socket-patch from source, or set SOCKET_CLI_SOCKET_PATCH_LOCAL_PATH to point at a local build`,
     )
   }
 
@@ -246,8 +245,7 @@ export function resolveTrivy(): BinaryResolution {
     const platform = os.platform()
     const arch = os.arch()
     throw new Error(
-      `Trivy is not available for platform ${platform}-${arch}. ` +
-        'Supported platforms: darwin-arm64, darwin-x64, linux-arm64, linux-x64, win32-x64',
+      `Trivy has no prebuilt binary for "${platform}-${arch}" (supported: darwin-arm64, darwin-x64, linux-arm64, linux-x64, win32-x64); run socket-cli on a supported platform or install Trivy manually and point \`trivy\` at it on PATH`,
     )
   }
 
@@ -310,8 +308,7 @@ export function resolveTrufflehog(): BinaryResolution {
     const platform = os.platform()
     const arch = os.arch()
     throw new Error(
-      `TruffleHog is not available for platform ${platform}-${arch}. ` +
-        'Supported platforms: darwin-arm64, darwin-x64, linux-arm64, linux-x64, win32-arm64, win32-x64',
+      `TruffleHog has no prebuilt binary for "${platform}-${arch}" (supported: darwin-arm64, darwin-x64, linux-arm64, linux-x64, win32-arm64, win32-x64); run socket-cli on a supported platform or install TruffleHog manually and point \`trufflehog\` at it on PATH`,
     )
   }
 
@@ -363,8 +360,7 @@ export function resolveOpengrep(): BinaryResolution {
 
   if (!assetName) {
     throw new Error(
-      `OpenGrep is not available for platform ${platformKey}. ` +
-        `Supported platforms: ${Object.keys(OPENGREP_ASSETS).join(', ')}`,
+      `OpenGrep has no prebuilt binary for "${platformKey}" (supported: ${Object.keys(OPENGREP_ASSETS).join(', ')}); run socket-cli on a supported platform or install OpenGrep manually and point \`opengrep\` at it on PATH`,
     )
   }
 
diff --git a/packages/cli/src/utils/dlx/spawn.mts b/packages/cli/src/utils/dlx/spawn.mts
@@ -116,14 +116,14 @@ function validatePackageName(name: string): void {
 
   if (!validNamePattern.test(name)) {
     throw new InputError(
-      `Invalid package name "${name}". Package names must contain only lowercase letters, numbers, hyphens, underscores, dots, and optionally a scope (@org/package).`,
+      `package name "${name}" must match /^(@scope\\/)?[a-z0-9-~][a-z0-9-._~]*$/ (lowercase letters, digits, -, _, ., ~, with optional @scope/); rename the package or check for typos`,
     )
   }
 
   // Check for path traversal attempts.
   if (name.includes('..') || (name.includes('/') && !name.startsWith('@'))) {
     throw new InputError(
-      `Invalid package name "${name}". Package names cannot contain path traversal sequences.`,
+      `package name "${name}" contains path traversal characters (".." or a "/" outside of @scope/); pass a plain name like "lodash" or "@org/pkg"`,
     )
   }
 }
@@ -232,7 +232,7 @@ async function downloadGitHubReleaseBinary(
         }
       }
       throw new InputError(
-        'Timeout waiting for another process to download GitHub release',
+        `timed out waiting for another socket process to finish downloading ${owner}/${repo}@${version} (${assetName}); if no other socket process is running, remove stale lock files under ${path.dirname(binaryPath)} and retry`,
       )
     }
     throw e
@@ -267,8 +267,7 @@ async function downloadGitHubReleaseBinary(
         const entryPath = path.resolve(path.join(cacheDir, entry.entryName))
         if (!entryPath.startsWith(normalizedCacheDir)) {
           throw new InputError(
-            `Archive contains path traversal: ${entry.entryName}. ` +
-              `This may indicate a compromised release asset.`,
+            `archive entry "${entry.entryName}" resolves outside the cache dir (${normalizedCacheDir}) — this looks like a zip-slip attack; do NOT trust this release asset, report it to the upstream project, and delete ${result.binaryPath}`,
           )
         }
       }
@@ -286,8 +285,7 @@ async function downloadGitHubReleaseBinary(
           if (!resolvedTarget.startsWith(normalizedCacheDir)) {
             await fs.unlink(fullPath)
             throw new InputError(
-              `Archive contains unsafe symbolic link: ${file}. ` +
-                `This may indicate a compromised release asset.`,
+              `extracted symlink ${file} targets ${resolvedTarget} which is outside the cache dir (${normalizedCacheDir}); do NOT trust this release asset, report it to the upstream project, and delete ${cacheDir}`,
             )
           }
         }
@@ -298,19 +296,20 @@ async function downloadGitHubReleaseBinary(
       const tarPath = await whichReal('tar', { nothrow: true })
       if (!tarPath || Array.isArray(tarPath)) {
         throw new InputError(
-          'tar is required to extract GitHub release archives. Please install tar for your system.',
+          `tar is required to extract ${assetName} but was not found on PATH; install tar (e.g. \`apt install tar\`, \`brew install gnu-tar\`) and re-run`,
         )
       }
       await spawn(tarPath, ['-xzf', result.binaryPath, '-C', cacheDir], {})
     } else {
-      throw new InputError(`Unsupported archive format: ${assetName}`)
+      throw new InputError(
+        `archive format of ${assetName} is not supported (expected .zip or .tar.gz / .tgz); check the asset name in bundle-tools.json and the release's actual asset list`,
+      )
     }
 
     // Verify binary was extracted.
     if (!existsSync(binaryPath)) {
       throw new InputError(
-        `Binary ${binaryFileName} not found after extracting ${assetName}. ` +
-          `Expected at: ${binaryPath}`,
+        `archive ${assetName} extracted but ${binaryFileName} was not found inside (expected at ${binaryPath}); the release's archive layout may have changed — verify asset contents and update bundle-tools.json`,
       )
     }
 
@@ -408,7 +407,9 @@ export async function spawnCoanaDlx(
 
     // Use dlx version (resolveCoana only returns 'local' or 'dlx' types).
     if (resolution.type !== 'dlx') {
-      throw new Error('Unexpected resolution type for coana')
+      throw new Error(
+        `internal: resolveCoana returned resolution.type="${resolution.type}" (expected "dlx"); this is a resolver contract bug — re-run with --debug and report the output`,
+      )
     }
     const result = await spawnDlx(
       {
@@ -484,7 +485,9 @@ export async function spawnCdxgenDlx(
 
   // Use dlx version (resolveCdxgen only returns 'local' or 'dlx' types).
   if (resolution.type !== 'dlx') {
-    throw new Error('Unexpected resolution type for cdxgen')
+    throw new Error(
+      `internal: resolveCdxgen returned resolution.type="${resolution.type}" (expected "dlx"); this is a resolver contract bug — re-run with --debug and report the output`,
+    )
   }
   return await spawnDlx(
     resolution.details,
@@ -554,7 +557,9 @@ export async function spawnSfwDlx(
 
   // Use dlx version (resolveSfw only returns 'local' or 'dlx' types).
   if (resolution.type !== 'dlx') {
-    throw new Error('Unexpected resolution type for sfw')
+    throw new Error(
+      `internal: resolveSfw returned resolution.type="${resolution.type}" (expected "dlx"); this is a resolver contract bug — re-run with --debug and report the output`,
+    )
   }
   return await spawnDlx(
     resolution.details,
@@ -675,21 +680,25 @@ async function spawnToolVfs(
 ): Promise<DlxSpawnResult> {
   if (!areExternalToolsAvailable()) {
     throw new Error(
-      `Cannot spawn ${tool} from VFS - tools not available in SEA mode`,
+      `cannot spawn ${tool} from VFS: external tools were not bundled into this SEA binary; rebuild the SEA with INLINED_SOCKET_CLI_INCLUDE_EXTERNAL_TOOLS=1 or run the non-SEA CLI`,
     )
   }
 
   // Extract tools from VFS (returns paths directly).
   const toolPaths = await extractExternalTools()
   if (!toolPaths) {
-    throw new Error(`Failed to extract ${tool} from VFS`)
+    throw new Error(
+      `failed to extract ${tool} from VFS (extractExternalTools returned null); the embedded tool archive may be corrupt — rebuild the SEA binary`,
+    )
   }
 
   // Get tool path.
   const toolPath = toolPaths[tool]
 
   if (!toolPath) {
-    throw new Error(`Tool path not found for ${tool}`)
+    throw new Error(
+      `VFS extraction succeeded but ${tool} was not in the output map (got: ${Object.keys(toolPaths).join(', ') || 'empty'}); the SEA bundle is missing ${tool} — rebuild with it included`,
+    )
   }
 
   const { env: spawnEnv, ...dlxOptions } = {
@@ -938,7 +947,9 @@ function getPythonStandaloneInfo(): { assetName: string; url: string } {
     platformTriple =
       arch === 'arm64' ? 'aarch64-pc-windows-msvc' : 'x86_64-pc-windows-msvc'
   } else {
-    throw new InputError(`Unsupported platform: ${platform}`)
+    throw new InputError(
+      `python-build-standalone does not ship a prebuilt for os.platform()="${platform}" (supported: darwin, linux, win32); install Python manually and point socket at it via PATH`,
+    )
   }
 
   // Asset name format matches checksums in bundle-tools.json.
@@ -1000,7 +1011,7 @@ async function downloadPython(pythonDir: string): Promise<void> {
   const tarPath = await whichReal('tar', { nothrow: true })
   if (!tarPath || Array.isArray(tarPath)) {
     throw new InputError(
-      'tar is required to extract Python. Please install tar for your system.',
+      `tar is required to extract the Python standalone archive but was not found on PATH; install tar (e.g. \`apt install tar\`, \`brew install gnu-tar\`) and re-run`,
     )
   }
   await spawn(tarPath, ['-xzf', result.binaryPath, '-C', pythonDir], {})
@@ -1046,8 +1057,7 @@ export async function ensurePythonDlx(retryCount = 0): Promise<string> {
 
   if (retryCount >= MAX_RETRIES) {
     throw new InputError(
-      `Failed to acquire Python installation lock after ${MAX_RETRIES} retries. ` +
-        'Please check for filesystem issues or competing processes.',
+      `could not acquire the Python install lock after ${MAX_RETRIES} retries at ${lockFile}; another socket process may be stuck, or the lock file is stale — remove it manually and retry, or check that ${pythonDir} is writable`,
     )
   }
 
@@ -1107,7 +1117,7 @@ export async function ensurePythonDlx(retryCount = 0): Promise<string> {
           }
         }
         throw new InputError(
-          'Timeout waiting for Python download by another process',
+          `timed out after 60s waiting for another socket process to finish downloading Python to ${pythonDir}; if no other socket process is running, remove ${lockFile} and retry`,
         )
       }
       throw e
@@ -1118,7 +1128,7 @@ export async function ensurePythonDlx(retryCount = 0): Promise<string> {
 
       if (!existsSync(pythonBin)) {
         throw new InputError(
-          `Python binary not found after extraction: ${pythonBin}`,
+          `Python archive extracted but ${pythonBin} does not exist; the standalone archive layout may have changed — check the asset contents under ${pythonDir} and update the bin-path logic in spawn.mts`,
         )
       }
 
@@ -1218,7 +1228,9 @@ async function downloadPyPiWheel(
   try {
     const response = await socketHttpRequest(pypiUrl)
     if (!response.ok) {
-      throw new Error(`PyPI API returned ${response.status}`)
+      throw new Error(
+        `PyPI returned HTTP ${response.status} for ${pypiUrl} (expected 200); check the package name and version, or retry if the registry is rate-limiting`,
+      )
     }
     const data = response.json() as {
       urls?: Array<{ filename: string; url: string }>
@@ -1235,14 +1247,13 @@ async function downloadPyPiWheel(
     // If we can't fetch from API, construct URL directly (may not work for all packages).
     // This is a fallback; the API approach is more reliable.
     throw new InputError(
-      `Failed to fetch PyPI package info for ${packageName}@${version}: ${getErrorCause(e)}`,
+      `could not fetch PyPI metadata for ${packageName}==${version} from ${pypiUrl} (${getErrorCause(e)}); check your network or proxy settings, or try again if PyPI is rate-limiting`,
     )
   }
 
   if (!wheelUrl) {
     throw new InputError(
-      `No wheel found for ${packageName}@${version} on PyPI. ` +
-        'This package may only be available as a source distribution.',
+      `${packageName}==${version} has no py3-none-any wheel on PyPI (only sdist available); pin to a version that ships a wheel or install from source manually`,
     )
   }
 
@@ -1275,8 +1286,7 @@ export async function ensureSocketPyCli(
 
   if (retryCount >= MAX_RETRIES) {
     throw new InputError(
-      `Failed to acquire Socket Python CLI installation lock after ${MAX_RETRIES} retries. ` +
-        'Please check for filesystem issues or competing processes.',
+      `could not acquire the Socket Python CLI install lock after ${MAX_RETRIES} retries; another socket process may be stuck, or the lock file is stale — check for stale lock files under the Python cache dir and retry`,
     )
   }
 
@@ -1386,7 +1396,7 @@ export async function ensureSocketPyCli(
         })
       } else {
         throw new InputError(
-          `Failed to download verified socketsecurity wheel for version ${pyCliVersion}`,
+          `could not download the verified socketsecurity==${pyCliVersion} wheel (downloadPyPiWheel returned null — likely a checksum mismatch or missing wheel asset); re-run with --debug for details, or bump the version in bundle-tools.json if the checksum needs refreshing`,
         )
       }
     } else {
@@ -1454,7 +1464,7 @@ export async function spawnSocketPyCliVfs(
         })
       } else {
         throw new Error(
-          `Failed to download verified socketsecurity wheel for version ${pyCliVersion}`,
+          `failed to download socketsecurity==${pyCliVersion} wheel from PyPI (downloadPyPiWheel returned null — likely a checksum mismatch or missing py3-none-any wheel); re-run with --debug for details`,
         )
       }
     } else {
@@ -1673,7 +1683,9 @@ async function spawnTrivyDlx(
   const resolution = resolveTrivy()
 
   if (resolution.type !== 'github-release') {
-    throw new Error('Unexpected resolution type for trivy')
+    throw new Error(
+      `internal: resolveTrivy returned resolution.type="${resolution.type}" (expected "github-release"); this is a resolver contract bug — re-run with --debug and report the output`,
+    )
   }
 
   const { env: spawnEnv, ...dlxOptions } = {
@@ -1735,7 +1747,9 @@ async function spawnTrufflehogDlx(
   const resolution = resolveTrufflehog()
 
   if (resolution.type !== 'github-release') {
-    throw new Error('Unexpected resolution type for trufflehog')
+    throw new Error(
+      `internal: resolveTrufflehog returned resolution.type="${resolution.type}" (expected "github-release"); this is a resolver contract bug — re-run with --debug and report the output`,
+    )
   }
 
   const { env: spawnEnv, ...dlxOptions } = {
@@ -1797,7 +1811,9 @@ async function spawnOpengrepDlx(
   const resolution = resolveOpengrep()
 
   if (resolution.type !== 'github-release') {
-    throw new Error('Unexpected resolution type for opengrep')
+    throw new Error(
+      `internal: resolveOpengrep returned resolution.type="${resolution.type}" (expected "github-release"); this is a resolver contract bug — re-run with --debug and report the output`,
+    )
   }
 
   const { env: spawnEnv, ...dlxOptions } = {
diff --git a/packages/cli/src/utils/dlx/vfs-extract.mts b/packages/cli/src/utils/dlx/vfs-extract.mts
@@ -273,7 +273,7 @@ async function extractTool(tool: ExternalTool): Promise<string> {
 
   if (!processWithSmol.smol?.mount) {
     throw new Error(
-      'process.smol.mount not available - not in node-smol SEA mode',
+      `process.smol.mount is undefined — extractTool("${tool}") requires a node-smol SEA build; this code path should only run inside the SEA. Check isSeaBinary() / areExternalToolsAvailable() upstream`,
     )
   }
 
@@ -340,12 +340,16 @@ async function extractTool(tool: ExternalTool): Promise<string> {
     }
 
     if (!existsSync(extractedPath)) {
-      throw new Error(`Extracted tool not found at ${extractedPath}`)
+      throw new Error(
+        `process.smol.mount returned but ${extractedPath} does not exist; the VFS layout for ${tool} may have changed — check the SEA build config and the tool's expected path`,
+      )
     }
 
     return extractedPath
   } catch (e) {
-    throw new Error(`Failed to extract ${tool} from VFS: ${e}`)
+    throw new Error(
+      `failed to extract ${tool} from the SEA VFS (${(e as Error).message}); the embedded tool archive may be corrupt — rebuild the SEA binary`,
+    )
   }
 }
 
@@ -550,7 +554,7 @@ export async function extractExternalTools(
         }
       }
       throw new Error(
-        'Timeout waiting for another process to extract external tools',
+        `timed out waiting for another socket process to finish extracting external tools from the SEA VFS; if no other socket process is running, remove any stale lock files under the node-smol base dir and retry`,
       )
     }
     throw e
@@ -641,7 +645,7 @@ export async function extractExternalTools(
     if (Object.keys(toolPaths).length !== EXTERNAL_TOOLS.length) {
       const missingTools = EXTERNAL_TOOLS.filter(t => !toolPaths[t])
       throw new Error(
-        `Failed to extract all external tools. Missing: ${missingTools.join(', ')}`,
+        `SEA VFS extraction returned ${Object.keys(toolPaths).length}/${EXTERNAL_TOOLS.length} tools (missing: ${missingTools.join(', ')}); the SEA bundle is incomplete — rebuild with all external tools included`,
       )
     }
 
diff --git a/packages/cli/test/unit/utils/dlx/resolve-binary.test.mts b/packages/cli/test/unit/utils/dlx/resolve-binary.test.mts
@@ -353,7 +353,7 @@ describe('binary resolution utilities', () => {
       )
 
       expect(() => resolveSocketPatch()).toThrow(
-        'socket-patch is not available for platform freebsd-x64',
+        /socket-patch has no prebuilt binary for "freebsd-x64"/,
       )
     })
 

Original file line number	Diff line number	Diff line change
`@@ -167,8 +167,7 @@ export function resolveSocketPatch(): BinaryResolution {`
`167`	`167`
`168`	`168`	`if (!assetName) {`
`169`	`169`	`throw new Error(`
`170`		- `socket-patch is not available for platform ${platformKey}. ` +
`171`		- `Supported platforms: ${Object.keys(SOCKET_PATCH_ASSETS).join(', ')}`,
	`170`	+ `socket-patch has no prebuilt binary for "${platformKey}" (supported: ${Object.keys(SOCKET_PATCH_ASSETS).join(', ')}); upgrade socket-cli, build socket-patch from source, or set SOCKET_CLI_SOCKET_PATCH_LOCAL_PATH to point at a local build`,
`172`	`171`	`)`
`173`	`172`	`}`
`174`	`173`
`@@ -246,8 +245,7 @@ export function resolveTrivy(): BinaryResolution {`
`246`	`245`	`const platform = os.platform()`
`247`	`246`	`const arch = os.arch()`
`248`	`247`	`throw new Error(`
`249`		- `Trivy is not available for platform ${platform}-${arch}. ` +
`250`		`- 'Supported platforms: darwin-arm64, darwin-x64, linux-arm64, linux-x64, win32-x64',`
	`248`	+ `Trivy has no prebuilt binary for "${platform}-${arch}" (supported: darwin-arm64, darwin-x64, linux-arm64, linux-x64, win32-x64); run socket-cli on a supported platform or install Trivy manually and point \`trivy\` at it on PATH`,
`251`	`249`	`)`
`252`	`250`	`}`
`253`	`251`
`@@ -310,8 +308,7 @@ export function resolveTrufflehog(): BinaryResolution {`
`310`	`308`	`const platform = os.platform()`
`311`	`309`	`const arch = os.arch()`
`312`	`310`	`throw new Error(`
`313`		- `TruffleHog is not available for platform ${platform}-${arch}. ` +
`314`		`- 'Supported platforms: darwin-arm64, darwin-x64, linux-arm64, linux-x64, win32-arm64, win32-x64',`
	`311`	+ `TruffleHog has no prebuilt binary for "${platform}-${arch}" (supported: darwin-arm64, darwin-x64, linux-arm64, linux-x64, win32-arm64, win32-x64); run socket-cli on a supported platform or install TruffleHog manually and point \`trufflehog\` at it on PATH`,
`315`	`312`	`)`
`316`	`313`	`}`
`317`	`314`
`@@ -363,8 +360,7 @@ export function resolveOpengrep(): BinaryResolution {`
`363`	`360`
`364`	`361`	`if (!assetName) {`
`365`	`362`	`throw new Error(`
`366`		- `OpenGrep is not available for platform ${platformKey}. ` +
`367`		- `Supported platforms: ${Object.keys(OPENGREP_ASSETS).join(', ')}`,
	`363`	+ `OpenGrep has no prebuilt binary for "${platformKey}" (supported: ${Object.keys(OPENGREP_ASSETS).join(', ')}); run socket-cli on a supported platform or install OpenGrep manually and point \`opengrep\` at it on PATH`,
`368`	`364`	`)`
`369`	`365`	`}`
`370`	`366`
Original file line number	Diff line number	Diff line change
`@@ -116,14 +116,14 @@ function validatePackageName(name: string): void {`
`116`	`116`
`117`	`117`	`if (!validNamePattern.test(name)) {`
`118`	`118`	`throw new InputError(`
`119`		- `Invalid package name "${name}". Package names must contain only lowercase letters, numbers, hyphens, underscores, dots, and optionally a scope (@org/package).`,
	`119`	+ `package name "${name}" must match /^(@scope\\/)?[a-z0-9-~][a-z0-9-._~]*$/ (lowercase letters, digits, -, _, ., ~, with optional @scope/); rename the package or check for typos`,
`120`	`120`	`)`
`121`	`121`	`}`
`122`	`122`
`123`	`123`	`// Check for path traversal attempts.`
`124`	`124`	`if (name.includes('..') \|\| (name.includes('/') && !name.startsWith('@'))) {`
`125`	`125`	`throw new InputError(`
`126`		- `Invalid package name "${name}". Package names cannot contain path traversal sequences.`,
	`126`	+ `package name "${name}" contains path traversal characters (".." or a "/" outside of @scope/); pass a plain name like "lodash" or "@org/pkg"`,
`127`	`127`	`)`
`128`	`128`	`}`
`129`	`129`	`}`
`@@ -232,7 +232,7 @@ async function downloadGitHubReleaseBinary(`
`232`	`232`	`}`
`233`	`233`	`}`
`234`	`234`	`throw new InputError(`
`235`		`- 'Timeout waiting for another process to download GitHub release',`
	`235`	+ `timed out waiting for another socket process to finish downloading ${owner}/${repo}@${version} (${assetName}); if no other socket process is running, remove stale lock files under ${path.dirname(binaryPath)} and retry`,
`236`	`236`	`)`
`237`	`237`	`}`
`238`	`238`	`throw e`
`@@ -267,8 +267,7 @@ async function downloadGitHubReleaseBinary(`
`267`	`267`	`const entryPath = path.resolve(path.join(cacheDir, entry.entryName))`
`268`	`268`	`if (!entryPath.startsWith(normalizedCacheDir)) {`
`269`	`269`	`throw new InputError(`
`270`		- `Archive contains path traversal: ${entry.entryName}. ` +
`271`		- `This may indicate a compromised release asset.`,
	`270`	+ `archive entry "${entry.entryName}" resolves outside the cache dir (${normalizedCacheDir}) — this looks like a zip-slip attack; do NOT trust this release asset, report it to the upstream project, and delete ${result.binaryPath}`,
`272`	`271`	`)`
`273`	`272`	`}`
`274`	`273`	`}`
`@@ -286,8 +285,7 @@ async function downloadGitHubReleaseBinary(`
`286`	`285`	`if (!resolvedTarget.startsWith(normalizedCacheDir)) {`
`287`	`286`	`await fs.unlink(fullPath)`
`288`	`287`	`throw new InputError(`
`289`		- `Archive contains unsafe symbolic link: ${file}. ` +
`290`		- `This may indicate a compromised release asset.`,
	`288`	+ `extracted symlink ${file} targets ${resolvedTarget} which is outside the cache dir (${normalizedCacheDir}); do NOT trust this release asset, report it to the upstream project, and delete ${cacheDir}`,
`291`	`289`	`)`
`292`	`290`	`}`
`293`	`291`	`}`
`@@ -298,19 +296,20 @@ async function downloadGitHubReleaseBinary(`
`298`	`296`	`const tarPath = await whichReal('tar', { nothrow: true })`
`299`	`297`	`if (!tarPath \|\| Array.isArray(tarPath)) {`
`300`	`298`	`throw new InputError(`
`301`		`- 'tar is required to extract GitHub release archives. Please install tar for your system.',`
	`299`	+ `tar is required to extract ${assetName} but was not found on PATH; install tar (e.g. \`apt install tar\`, \`brew install gnu-tar\`) and re-run`,
`302`	`300`	`)`
`303`	`301`	`}`
`304`	`302`	`await spawn(tarPath, ['-xzf', result.binaryPath, '-C', cacheDir], {})`
`305`	`303`	`} else {`
`306`		- throw new InputError(`Unsupported archive format: ${assetName}`)
	`304`	`+ throw new InputError(`
	`305`	+ `archive format of ${assetName} is not supported (expected .zip or .tar.gz / .tgz); check the asset name in bundle-tools.json and the release's actual asset list`,
	`306`	`+ )`
`307`	`307`	`}`
`308`	`308`
`309`	`309`	`// Verify binary was extracted.`
`310`	`310`	`if (!existsSync(binaryPath)) {`
`311`	`311`	`throw new InputError(`
`312`		- `Binary ${binaryFileName} not found after extracting ${assetName}. ` +
`313`		- `Expected at: ${binaryPath}`,
	`312`	+ `archive ${assetName} extracted but ${binaryFileName} was not found inside (expected at ${binaryPath}); the release's archive layout may have changed — verify asset contents and update bundle-tools.json`,
`314`	`313`	`)`
`315`	`314`	`}`
`316`	`315`
`@@ -408,7 +407,9 @@ export async function spawnCoanaDlx(`
`408`	`407`
`409`	`408`	`// Use dlx version (resolveCoana only returns 'local' or 'dlx' types).`
`410`	`409`	`if (resolution.type !== 'dlx') {`
`411`		`- throw new Error('Unexpected resolution type for coana')`
	`410`	`+ throw new Error(`
	`411`	+ `internal: resolveCoana returned resolution.type="${resolution.type}" (expected "dlx"); this is a resolver contract bug — re-run with --debug and report the output`,
	`412`	`+ )`
`412`	`413`	`}`
`413`	`414`	`const result = await spawnDlx(`
`414`	`415`	`{`
`@@ -484,7 +485,9 @@ export async function spawnCdxgenDlx(`
`484`	`485`
`485`	`486`	`// Use dlx version (resolveCdxgen only returns 'local' or 'dlx' types).`
`486`	`487`	`if (resolution.type !== 'dlx') {`
`487`		`- throw new Error('Unexpected resolution type for cdxgen')`
	`488`	`+ throw new Error(`
	`489`	+ `internal: resolveCdxgen returned resolution.type="${resolution.type}" (expected "dlx"); this is a resolver contract bug — re-run with --debug and report the output`,
	`490`	`+ )`
`488`	`491`	`}`
`489`	`492`	`return await spawnDlx(`
`490`	`493`	`resolution.details,`
`@@ -554,7 +557,9 @@ export async function spawnSfwDlx(`
`554`	`557`
`555`	`558`	`// Use dlx version (resolveSfw only returns 'local' or 'dlx' types).`
`556`	`559`	`if (resolution.type !== 'dlx') {`
`557`		`- throw new Error('Unexpected resolution type for sfw')`
	`560`	`+ throw new Error(`
	`561`	+ `internal: resolveSfw returned resolution.type="${resolution.type}" (expected "dlx"); this is a resolver contract bug — re-run with --debug and report the output`,
	`562`	`+ )`
`558`	`563`	`}`
`559`	`564`	`return await spawnDlx(`
`560`	`565`	`resolution.details,`
`@@ -675,21 +680,25 @@ async function spawnToolVfs(`
`675`	`680`	`): Promise<DlxSpawnResult> {`
`676`	`681`	`if (!areExternalToolsAvailable()) {`
`677`	`682`	`throw new Error(`
`678`		- `Cannot spawn ${tool} from VFS - tools not available in SEA mode`,
	`683`	+ `cannot spawn ${tool} from VFS: external tools were not bundled into this SEA binary; rebuild the SEA with INLINED_SOCKET_CLI_INCLUDE_EXTERNAL_TOOLS=1 or run the non-SEA CLI`,
`679`	`684`	`)`
`680`	`685`	`}`
`681`	`686`
`682`	`687`	`// Extract tools from VFS (returns paths directly).`
`683`	`688`	`const toolPaths = await extractExternalTools()`
`684`	`689`	`if (!toolPaths) {`
`685`		- throw new Error(`Failed to extract ${tool} from VFS`)
	`690`	`+ throw new Error(`
	`691`	+ `failed to extract ${tool} from VFS (extractExternalTools returned null); the embedded tool archive may be corrupt — rebuild the SEA binary`,
	`692`	`+ )`
`686`	`693`	`}`
`687`	`694`
`688`	`695`	`// Get tool path.`
`689`	`696`	`const toolPath = toolPaths[tool]`
`690`	`697`
`691`	`698`	`if (!toolPath) {`
`692`		- throw new Error(`Tool path not found for ${tool}`)
	`699`	`+ throw new Error(`
	`700`	+ `VFS extraction succeeded but ${tool} was not in the output map (got: ${Object.keys(toolPaths).join(', ') \|\| 'empty'}); the SEA bundle is missing ${tool} — rebuild with it included`,
	`701`	`+ )`
`693`	`702`	`}`
`694`	`703`
`695`	`704`	`const { env: spawnEnv, ...dlxOptions } = {`
`@@ -938,7 +947,9 @@ function getPythonStandaloneInfo(): { assetName: string; url: string } {`
`938`	`947`	`platformTriple =`
`939`	`948`	`arch === 'arm64' ? 'aarch64-pc-windows-msvc' : 'x86_64-pc-windows-msvc'`
`940`	`949`	`} else {`
`941`		- throw new InputError(`Unsupported platform: ${platform}`)
	`950`	`+ throw new InputError(`
	`951`	+ `python-build-standalone does not ship a prebuilt for os.platform()="${platform}" (supported: darwin, linux, win32); install Python manually and point socket at it via PATH`,
	`952`	`+ )`
`942`	`953`	`}`
`943`	`954`
`944`	`955`	`// Asset name format matches checksums in bundle-tools.json.`
`@@ -1000,7 +1011,7 @@ async function downloadPython(pythonDir: string): Promise<void> {`
`1000`	`1011`	`const tarPath = await whichReal('tar', { nothrow: true })`
`1001`	`1012`	`if (!tarPath \|\| Array.isArray(tarPath)) {`
`1002`	`1013`	`throw new InputError(`
`1003`		`- 'tar is required to extract Python. Please install tar for your system.',`
	`1014`	+ `tar is required to extract the Python standalone archive but was not found on PATH; install tar (e.g. \`apt install tar\`, \`brew install gnu-tar\`) and re-run`,
`1004`	`1015`	`)`
`1005`	`1016`	`}`
`1006`	`1017`	`await spawn(tarPath, ['-xzf', result.binaryPath, '-C', pythonDir], {})`
`@@ -1046,8 +1057,7 @@ export async function ensurePythonDlx(retryCount = 0): Promise<string> {`
`1046`	`1057`
`1047`	`1058`	`if (retryCount >= MAX_RETRIES) {`
`1048`	`1059`	`throw new InputError(`
`1049`		- `Failed to acquire Python installation lock after ${MAX_RETRIES} retries. ` +
`1050`		`- 'Please check for filesystem issues or competing processes.',`
	`1060`	+ `could not acquire the Python install lock after ${MAX_RETRIES} retries at ${lockFile}; another socket process may be stuck, or the lock file is stale — remove it manually and retry, or check that ${pythonDir} is writable`,
`1051`	`1061`	`)`
`1052`	`1062`	`}`
`1053`	`1063`
`@@ -1107,7 +1117,7 @@ export async function ensurePythonDlx(retryCount = 0): Promise<string> {`
`1107`	`1117`	`}`
`1108`	`1118`	`}`
`1109`	`1119`	`throw new InputError(`
`1110`		`- 'Timeout waiting for Python download by another process',`
	`1120`	+ `timed out after 60s waiting for another socket process to finish downloading Python to ${pythonDir}; if no other socket process is running, remove ${lockFile} and retry`,
`1111`	`1121`	`)`
`1112`	`1122`	`}`
`1113`	`1123`	`throw e`
`@@ -1118,7 +1128,7 @@ export async function ensurePythonDlx(retryCount = 0): Promise<string> {`
`1118`	`1128`
`1119`	`1129`	`if (!existsSync(pythonBin)) {`
`1120`	`1130`	`throw new InputError(`
`1121`		- `Python binary not found after extraction: ${pythonBin}`,
	`1131`	+ `Python archive extracted but ${pythonBin} does not exist; the standalone archive layout may have changed — check the asset contents under ${pythonDir} and update the bin-path logic in spawn.mts`,
`1122`	`1132`	`)`
`1123`	`1133`	`}`
`1124`	`1134`
`@@ -1218,7 +1228,9 @@ async function downloadPyPiWheel(`
`1218`	`1228`	`try {`
`1219`	`1229`	`const response = await socketHttpRequest(pypiUrl)`
`1220`	`1230`	`if (!response.ok) {`
`1221`		- throw new Error(`PyPI API returned ${response.status}`)
	`1231`	`+ throw new Error(`
	`1232`	+ `PyPI returned HTTP ${response.status} for ${pypiUrl} (expected 200); check the package name and version, or retry if the registry is rate-limiting`,
	`1233`	`+ )`
`1222`	`1234`	`}`
`1223`	`1235`	`const data = response.json() as {`
`1224`	`1236`	`urls?: Array<{ filename: string; url: string }>`
`@@ -1235,14 +1247,13 @@ async function downloadPyPiWheel(`
`1235`	`1247`	`// If we can't fetch from API, construct URL directly (may not work for all packages).`
`1236`	`1248`	`// This is a fallback; the API approach is more reliable.`
`1237`	`1249`	`throw new InputError(`
`1238`		- `Failed to fetch PyPI package info for ${packageName}@${version}: ${getErrorCause(e)}`,
	`1250`	+ `could not fetch PyPI metadata for ${packageName}==${version} from ${pypiUrl} (${getErrorCause(e)}); check your network or proxy settings, or try again if PyPI is rate-limiting`,
`1239`	`1251`	`)`
`1240`	`1252`	`}`
`1241`	`1253`
`1242`	`1254`	`if (!wheelUrl) {`
`1243`	`1255`	`throw new InputError(`
`1244`		- `No wheel found for ${packageName}@${version} on PyPI. ` +
`1245`		`- 'This package may only be available as a source distribution.',`
	`1256`	+ `${packageName}==${version} has no py3-none-any wheel on PyPI (only sdist available); pin to a version that ships a wheel or install from source manually`,
`1246`	`1257`	`)`
`1247`	`1258`	`}`
`1248`	`1259`
`@@ -1275,8 +1286,7 @@ export async function ensureSocketPyCli(`
`1275`	`1286`
`1276`	`1287`	`if (retryCount >= MAX_RETRIES) {`
`1277`	`1288`	`throw new InputError(`
`1278`		- `Failed to acquire Socket Python CLI installation lock after ${MAX_RETRIES} retries. ` +
`1279`		`- 'Please check for filesystem issues or competing processes.',`
	`1289`	+ `could not acquire the Socket Python CLI install lock after ${MAX_RETRIES} retries; another socket process may be stuck, or the lock file is stale — check for stale lock files under the Python cache dir and retry`,
`1280`	`1290`	`)`
`1281`	`1291`	`}`
`1282`	`1292`
`@@ -1386,7 +1396,7 @@ export async function ensureSocketPyCli(`
`1386`	`1396`	`})`
`1387`	`1397`	`} else {`
`1388`	`1398`	`throw new InputError(`
`1389`		- `Failed to download verified socketsecurity wheel for version ${pyCliVersion}`,
	`1399`	+ `could not download the verified socketsecurity==${pyCliVersion} wheel (downloadPyPiWheel returned null — likely a checksum mismatch or missing wheel asset); re-run with --debug for details, or bump the version in bundle-tools.json if the checksum needs refreshing`,
`1390`	`1400`	`)`
`1391`	`1401`	`}`
`1392`	`1402`	`} else {`
`@@ -1454,7 +1464,7 @@ export async function spawnSocketPyCliVfs(`
`1454`	`1464`	`})`
`1455`	`1465`	`} else {`
`1456`	`1466`	`throw new Error(`
`1457`		- `Failed to download verified socketsecurity wheel for version ${pyCliVersion}`,
	`1467`	+ `failed to download socketsecurity==${pyCliVersion} wheel from PyPI (downloadPyPiWheel returned null — likely a checksum mismatch or missing py3-none-any wheel); re-run with --debug for details`,
`1458`	`1468`	`)`
`1459`	`1469`	`}`
`1460`	`1470`	`} else {`
`@@ -1673,7 +1683,9 @@ async function spawnTrivyDlx(`
`1673`	`1683`	`const resolution = resolveTrivy()`
`1674`	`1684`
`1675`	`1685`	`if (resolution.type !== 'github-release') {`
`1676`		`- throw new Error('Unexpected resolution type for trivy')`
	`1686`	`+ throw new Error(`
	`1687`	+ `internal: resolveTrivy returned resolution.type="${resolution.type}" (expected "github-release"); this is a resolver contract bug — re-run with --debug and report the output`,
	`1688`	`+ )`
`1677`	`1689`	`}`
`1678`	`1690`
`1679`	`1691`	`const { env: spawnEnv, ...dlxOptions } = {`
`@@ -1735,7 +1747,9 @@ async function spawnTrufflehogDlx(`
`1735`	`1747`	`const resolution = resolveTrufflehog()`
`1736`	`1748`
`1737`	`1749`	`if (resolution.type !== 'github-release') {`
`1738`		`- throw new Error('Unexpected resolution type for trufflehog')`
	`1750`	`+ throw new Error(`
	`1751`	+ `internal: resolveTrufflehog returned resolution.type="${resolution.type}" (expected "github-release"); this is a resolver contract bug — re-run with --debug and report the output`,
	`1752`	`+ )`
`1739`	`1753`	`}`
`1740`	`1754`
`1741`	`1755`	`const { env: spawnEnv, ...dlxOptions } = {`
`@@ -1797,7 +1811,9 @@ async function spawnOpengrepDlx(`
`1797`	`1811`	`const resolution = resolveOpengrep()`
`1798`	`1812`
`1799`	`1813`	`if (resolution.type !== 'github-release') {`
`1800`		`- throw new Error('Unexpected resolution type for opengrep')`
	`1814`	`+ throw new Error(`
	`1815`	+ `internal: resolveOpengrep returned resolution.type="${resolution.type}" (expected "github-release"); this is a resolver contract bug — re-run with --debug and report the output`,
	`1816`	`+ )`
`1801`	`1817`	`}`
`1802`	`1818`
`1803`	`1819`	`const { env: spawnEnv, ...dlxOptions } = {`
Original file line number	Diff line number	Diff line change
`@@ -273,7 +273,7 @@ async function extractTool(tool: ExternalTool): Promise<string> {`
`273`	`273`
`274`	`274`	`if (!processWithSmol.smol?.mount) {`
`275`	`275`	`throw new Error(`
`276`		`- 'process.smol.mount not available - not in node-smol SEA mode',`
	`276`	+ `process.smol.mount is undefined — extractTool("${tool}") requires a node-smol SEA build; this code path should only run inside the SEA. Check isSeaBinary() / areExternalToolsAvailable() upstream`,
`277`	`277`	`)`
`278`	`278`	`}`
`279`	`279`
`@@ -340,12 +340,16 @@ async function extractTool(tool: ExternalTool): Promise<string> {`
`340`	`340`	`}`
`341`	`341`
`342`	`342`	`if (!existsSync(extractedPath)) {`
`343`		- throw new Error(`Extracted tool not found at ${extractedPath}`)
	`343`	`+ throw new Error(`
	`344`	+ `process.smol.mount returned but ${extractedPath} does not exist; the VFS layout for ${tool} may have changed — check the SEA build config and the tool's expected path`,
	`345`	`+ )`
`344`	`346`	`}`
`345`	`347`
`346`	`348`	`return extractedPath`
`347`	`349`	`} catch (e) {`
`348`		- throw new Error(`Failed to extract ${tool} from VFS: ${e}`)
	`350`	`+ throw new Error(`
	`351`	+ `failed to extract ${tool} from the SEA VFS (${(e as Error).message}); the embedded tool archive may be corrupt — rebuild the SEA binary`,
	`352`	`+ )`
`349`	`353`	`}`
`350`	`354`	`}`
`351`	`355`
`@@ -550,7 +554,7 @@ export async function extractExternalTools(`
`550`	`554`	`}`
`551`	`555`	`}`
`552`	`556`	`throw new Error(`
`553`		`- 'Timeout waiting for another process to extract external tools',`
	`557`	+ `timed out waiting for another socket process to finish extracting external tools from the SEA VFS; if no other socket process is running, remove any stale lock files under the node-smol base dir and retry`,
`554`	`558`	`)`
`555`	`559`	`}`
`556`	`560`	`throw e`
`@@ -641,7 +645,7 @@ export async function extractExternalTools(`
`641`	`645`	`if (Object.keys(toolPaths).length !== EXTERNAL_TOOLS.length) {`
`642`	`646`	`const missingTools = EXTERNAL_TOOLS.filter(t => !toolPaths[t])`
`643`	`647`	`throw new Error(`
`644`		- `Failed to extract all external tools. Missing: ${missingTools.join(', ')}`,
	`648`	+ `SEA VFS extraction returned ${Object.keys(toolPaths).length}/${EXTERNAL_TOOLS.length} tools (missing: ${missingTools.join(', ')}); the SEA bundle is incomplete — rebuild with all external tools included`,
`645`	`649`	`)`
`646`	`650`	`}`
`647`	`651`
Original file line number	Diff line number	Diff line change
`@@ -353,7 +353,7 @@ describe('binary resolution utilities', () => {`
`353`	`353`	`)`
`354`	`354`
`355`	`355`	`expect(() => resolveSocketPatch()).toThrow(`
`356`		`- 'socket-patch is not available for platform freebsd-x64',`
	`356`	`+ /socket-patch has no prebuilt binary for "freebsd-x64"/,`
`357`	`357`	`)`
`358`	`358`	`})`
`359`	`359`