SocketDev
diff --git a/‎.gitignore‎
Lines changed: 4 additions & 0 deletions b/‎.gitignore‎
Lines changed: 4 additions & 0 deletions
diff --git a/‎package.json‎
Lines changed: 4 additions & 2 deletions b/‎package.json‎
Lines changed: 4 additions & 2 deletions
diff --git a/‎pnpm-lock.yaml‎
Lines changed: 58 additions & 0 deletions b/‎pnpm-lock.yaml‎
Lines changed: 58 additions & 0 deletions
diff --git a/‎scripts/publish-approve.mts‎
Lines changed: 176 additions & 0 deletions b/‎scripts/publish-approve.mts‎
Lines changed: 176 additions & 0 deletions
@@ -82,3 +82,7 @@ npm-debug.log
 pnpm-debug.log
 *.tgz
 # ─── END fleet-canonical ────────────────────────────────────────
+
+# socket-addon: staged-publish manifest produced by `pnpm run publish:stage`
+# and consumed by `pnpm run publish:approve`. Locally-relevant; never tracked.
+/.stage-publish.json
@@ -5,10 +5,10 @@
   "description": "NAPI .node binaries for @socketaddon/* packages. Downloads prebuilt artifacts from socket-btm GH Releases, verifies checksums, publishes to npm.",
   "license": "MIT",
   "type": "module",
-  "packageManager": "pnpm@11.1.3",
+  "packageManager": "pnpm@11.3.0",
   "engines": {
     "node": ">=18.20.8",
-    "pnpm": ">=11.1.3"
+    "pnpm": ">=11.3.0"
   },
   "scripts": {
     "build": "echo 'no build — publish-only repo'",
@@ -22,8 +22,10 @@
     "lint": "node scripts/lint.mts",
     "prepare": "node scripts/install-git-hooks.mts",
     "publish": "node scripts/publish.mts",
+    "publish:approve": "node scripts/publish-approve.mts",
     "publish:ci": "node scripts/publish.mts --tag ${DIST_TAG:-latest}",
     "publish:dry": "node scripts/publish.mts --dry-run",
+    "publish:stage": "node scripts/publish.mts --stage --tag ${DIST_TAG:-latest}",
     "security": "node scripts/security.mts",
     "setup": "node .claude/hooks/setup-security-tools/index.mts",
     "test": "node scripts/test.mts",
 
@@ -0,0 +1,176 @@
+/**
+ * Approve `@socketaddon/*` packages previously uploaded to npm staging via
+ * `scripts/publish.mts --stage`.
+ *
+ * Two-step publish workflow (CI + human):
+ *   1. CI runs `pnpm run publish -- --stage` — uploads all 9 packages to npm
+ *      staging via OIDC trusted-publisher token. The tarballs sit server-side;
+ *      nothing is publicly visible yet. The stage IDs are written to
+ *      `.stage-publish.json` (committed-tree-root, gitignored).
+ *   2. Human runs `pnpm run publish:approve` — this script reads the manifest
+ *      and calls `pnpm stage approve <id>` per package. `pnpm stage approve`
+ *      interactively prompts for 2FA OTP; the registry then promotes each
+ *      staged tarball to its public dist-tag.
+ *
+ * Why split: pnpm stage requires a human 2FA approval for the promote step.
+ * The CI workflow can't supply OTP. Splitting the publish from the approve
+ * keeps the actual public-promotion gated on a human's 2FA token without
+ * sacrificing the OIDC + provenance the stage-publish leg supplies.
+ *
+ * If anything went wrong with one of the stage uploads (wrong file, wrong
+ * version, wrong checksum), `pnpm stage reject <id>` discards the staged
+ * tarball without it ever becoming public. Use that instead of `approve` for
+ * the bad ones; re-run the stage upload for those packages only.
+ *
+ * Usage:
+ *   pnpm run publish:approve              # approve all packages in manifest
+ *   pnpm run publish:approve -- --otp 123456
+ *                                         # pre-supply OTP (skips interactive
+ *                                         # prompt). Useful when batching.
+ *   pnpm run publish:approve -- --dry-run # report what would be approved,
+ *                                         # skip the actual registry calls.
+ *   pnpm run publish:approve -- --reject  # reject (discard) all packages in
+ *                                         # manifest instead of approving.
+ */
+
+import { readFileSync, existsSync, unlinkSync } from 'node:fs'
+import path from 'node:path'
+import process from 'node:process'
+import { fileURLToPath } from 'node:url'
+
+import { getDefaultLogger } from '@socketsecurity/lib/logger'
+import { spawnSync } from '@socketsecurity/lib-stable/spawn/spawn'
+
+import { errorMessage } from './lib/error-utils.mts'
+
+// Windows: pnpm is a .cmd shim that requires shell invocation.
+const useShell = process.platform === 'win32'
+
+const logger = getDefaultLogger()
+
+const __dirname = path.dirname(fileURLToPath(import.meta.url))
+const rootDir = path.resolve(__dirname, '..')
+
+interface StagedPackage {
+  name: string
+  version: string
+  stageId: string
+}
+
+interface StageManifest {
+  tag: string
+  stagedAt: string
+  packages: StagedPackage[]
+}
+
+interface ApproveArgs {
+  dryRun: boolean
+  otp: string | undefined
+  reject: boolean
+}
+
+export function parseArgs(): ApproveArgs {
+  const args = process.argv.slice(2)
+  let otp: string | undefined
+  for (let i = 0; i < args.length; i += 1) {
+    const a = args[i]!
+    if (a.startsWith('--otp=')) {
+      otp = a.slice('--otp='.length)
+    } else if (a === '--otp' && i + 1 < args.length) {
+      otp = args[i + 1]!
+      i += 1
+    }
+  }
+  return {
+    dryRun: args.includes('--dry-run'),
+    otp,
+    reject: args.includes('--reject'),
+  }
+}
+
+export function readManifest(manifestPath: string): StageManifest {
+  if (!existsSync(manifestPath)) {
+    throw new Error(
+      `Manifest not found at ${path.relative(rootDir, manifestPath)}\n` +
+        `Run \`pnpm run publish -- --stage\` first to upload packages to staging.`,
+    )
+  }
+  const raw = readFileSync(manifestPath, 'utf8')
+  return JSON.parse(raw) as StageManifest
+}
+
+export function runStageCommand(
+  subcommand: 'approve' | 'reject',
+  stageId: string,
+  otp: string | undefined,
+  dryRun: boolean,
+): void {
+  const args = ['stage', subcommand, stageId]
+  if (otp) {
+    args.push('--otp', otp)
+  }
+  if (dryRun) {
+    logger.info(`    [dry-run] pnpm ${args.join(' ')}`)
+    return
+  }
+  const r = spawnSync('pnpm', args, {
+    cwd: rootDir,
+    shell: useShell,
+    stdio: 'inherit',
+  })
+  if (r.status !== 0) {
+    throw new Error(
+      `pnpm stage ${subcommand} ${stageId} exited with status ${r.status}`,
+    )
+  }
+}
+
+async function main(): Promise<void> {
+  const { dryRun, otp, reject } = parseArgs()
+  const manifestPath = path.join(rootDir, '.stage-publish.json')
+  const manifest = readManifest(manifestPath)
+
+  const verb = reject ? 'reject' : 'approve'
+  // Past-tense: 'approved' / 'rejected'. Present-participle: 'approving' /
+  // 'rejecting'. Both follow the same drop-final-e + add-suffix rule.
+  const verbing = reject ? 'rejecting' : 'approving'
+  const verbed = reject ? 'rejected' : 'approved'
+  logger.info(
+    `${verb}: ${manifest.packages.length} package(s) staged at ${manifest.stagedAt} for tag=${manifest.tag}` +
+      `${dryRun ? ' (dry-run)' : ''}` +
+      `${otp ? ' (otp-from-flag)' : ''}`,
+  )
+
+  let failed = 0
+  for (let i = 0, { length } = manifest.packages; i < length; i += 1) {
+    const pkg = manifest.packages[i]!
+    logger.info(
+      `  ${pkg.name}@${pkg.version} — ${verbing} (id: ${pkg.stageId})`,
+    )
+    try {
+      runStageCommand(reject ? 'reject' : 'approve', pkg.stageId, otp, dryRun)
+      logger.success(`  ${pkg.name}@${pkg.version} — ${verbed}`)
+    } catch (e) {
+      failed += 1
+      logger.error(`  ${pkg.name}@${pkg.version} — failed: ${errorMessage(e)}`)
+    }
+  }
+
+  if (failed > 0) {
+    throw new Error(
+      `${failed}/${manifest.packages.length} package(s) failed to ${verb}; leaving manifest in place for retry`,
+    )
+  }
+
+  // All succeeded — remove the manifest so a stale one doesn't get
+  // re-approved on a future run. Skip in dry-run.
+  if (!dryRun) {
+    unlinkSync(manifestPath)
+    logger.info(`Removed ${path.relative(rootDir, manifestPath)}`)
+  }
+}
+
+main().catch((e: unknown) => {
+  logger.error(`publish-approve: ${errorMessage(e)}`)
+  process.exitCode = 1
+})