refactor(smol): standardize naming with socketsecurity_ prefix and explicit versions

Standardize all Socket-related files with:
- socketsecurity_ prefix (instead of socket_)
- Explicit version numbers (v24.10.0 instead of v24)
- Minimal injection pattern for all patches

Changes:
- Rename 6 patch files with standardized naming
- Rename header: socketsecurity_brotli_builtin_loader.h
- Rename 9 tool files (source + binaries)
- Add bootstrap loader template with comprehensive documentation
- Add minimal injection patch for bootstrap
- Update all references in build.mjs

Naming convention: socketsecurity_<feature>_<target>_v24.10.0.patch

Author: jdalton

packages/node-smol-builder/additions/lib/internal/socketsecurity_bootstrap_loader.js.template

@@ -0,0 +1,248 @@
+/**
+ * Socket Security Bootstrap Loader
+ *
+ * ============================================================================
+ * CRITICAL: This module MUST be called early in Node.js pre-execution phase
+ * ============================================================================
+ *
+ * PURPOSE (What):
+ * ---------------
+ * Loads and executes Socket CLI security bootstrap code at Node.js startup.
+ * The bootstrap monitors package installations, network requests, and file
+ * operations to detect suspicious activity.
+ *
+ * WHY IT EXISTS (Why):
+ * --------------------
+ * 1. EARLY LOADING: Must run before user code to intercept module loading
+ * 2. ZERO FILESYSTEM: Bootstrap embedded as base64 - no file I/O needed
+ * 3. ASYNC SUPPORT: Allows background security monitoring without blocking startup
+ * 4. ISOLATED CONTEXT: Runs in separate VM context to avoid polluting globals
+ *
+ * HOW IT WORKS (Visual Flow):
+ * ---------------------------
+ *
+ *   Node.js Startup
+ *         │
+ *         ├─→ lib/internal/process/pre_execution.js
+ *         │   └─→ loadPreloadModules()
+ *         │       └─→ require('internal/socketsecurity_bootstrap_loader')()  ← 1-line injection
+ *         │                │
+ *         │                ├─→ [THIS FILE]
+ *         │                │   ├─→ Decode base64 bootstrap
+ *         │                │   ├─→ Create module context
+ *         │                │   ├─→ Compile with vm.compileFunction()
+ *         │                │   └─→ Execute (async background)
+ *         │                │
+ *         │                └─→ Returns immediately
+ *         │
+ *         └─→ User code starts
+ *             (Bootstrap monitors in background)
+ *
+ * PERFORMANCE IMPACT:
+ * -------------------
+ * - Decode: ~1-2ms (base64 → string)
+ * - Compile: ~3-5ms (vm.compileFunction C++ API)
+ * - Execute: Instant return (async code runs in background)
+ * - Total: <10ms added to Node.js startup
+ *
+ * TECHNICAL DETAILS:
+ * ------------------
+ * 1. Uses vm.compileFunction() (C++ API) instead of eval or vm.runInThisContext()
+ *    - Faster compilation
+ *    - Proper stack traces
+ *    - Module parameter injection (exports, require, module, __filename, __dirname)
+ *
+ * 2. Module context created manually:
+ *    - filename: '/internal/bootstrap-smol.js' (virtual path, validation only)
+ *    - paths: Standard node_modules resolution
+ *    - require: Full require() with resolve, cache, extensions
+ *
+ * 3. Async execution pattern:
+ *    - Bootstrap can use main().catch(...) pattern
+ *    - Starts executing but returns immediately
+ *    - Background monitoring continues while Node.js initializes
+ *
+ * ERROR HANDLING:
+ * ---------------
+ * - Catches all errors during load/compile/execute
+ * - Prints to stderr (console not available this early)
+ * - Never crashes Node.js (bootstrap failures are non-fatal)
+ *
+ * VISUAL EXAMPLE:
+ * ---------------
+ *
+ *   Base64 Embedded Bootstrap
+ *   ┌──────────────────────────┐
+ *   │ ZnVuY3Rpb24gbWFpbigpIHs │ ← Build system embeds here
+ *   │ ...21,000+ lines...      │
+ *   └──────────────────────────┘
+ *            │
+ *            ├─→ Buffer.from(base64) → JavaScript source
+ *            │
+ *            ├─→ vm.compileFunction(source, params) → Compiled function
+ *            │
+ *            └─→ compiledFn(exports, require, module, ...) → Execute
+ *                      │
+ *                      ├─→ Synchronous setup code runs immediately
+ *                      └─→ main().catch(...) starts, returns immediately
+ *                              │
+ *                              └─→ Async monitoring continues in background
+ *
+ * MAINTENANCE NOTES:
+ * ------------------
+ * - This file is processed by build.mjs during compilation
+ * - SOCKET_BOOTSTRAP_BASE64_PLACEHOLDER replaced with actual base64
+ * - Final file copied to Node.js source: lib/internal/socketsecurity_bootstrap_loader.js
+ * - Patch injects 1 line: require('internal/socketsecurity_bootstrap_loader')()
+ *
+ * SECURITY CONSIDERATIONS:
+ * ------------------------
+ * - Bootstrap runs with full Node.js internal access (can require internal modules)
+ * - No filesystem or network access during load (embedded base64)
+ * - Errors isolated (won't crash Node.js)
+ * - Module context prevents global pollution
+ *
+ * @module internal/socketsecurity_bootstrap_loader
+ * @requires internal/modules/cjs/loader - Module system access
+ * @requires internal/modules/helpers - makeRequireFunction()
+ * @requires vm - Compilation API
+ * @requires buffer - Base64 decoding
+ */
+
+'use strict';
+
+/**
+ * Load and execute the Socket bootstrap.
+ *
+ * Called from lib/internal/process/pre_execution.js during Node.js startup.
+ * This function MUST return quickly to avoid blocking Node.js initialization.
+ *
+ * EXECUTION FLOW:
+ * ---------------
+ * 1. Decode base64 → JavaScript source code
+ * 2. Create module context (exports, require, module, __filename, __dirname)
+ * 3. Compile source with vm.compileFunction() (C++ API, fast!)
+ * 4. Execute compiled function (synchronous setup + async background)
+ * 5. Return immediately (async code continues in background)
+ *
+ * ERROR BEHAVIOR:
+ * ---------------
+ * - Any error during load/compile/execute is caught
+ * - Error printed to stderr (console not available)
+ * - Node.js continues initialization (non-fatal)
+ * - User code runs normally (bootstrap disabled)
+ *
+ * @returns {void}
+ * @throws {never} All errors caught and logged to stderr
+ */
+module.exports = function loadSocketBootstrap() {
+  // Bootstrap code embedded as base64 (build system replaces this placeholder).
+  // Split across multiple lines for readability and to avoid line length limits.
+  //
+  // PLACEHOLDER REPLACEMENT:
+  // ├─→ Build system (build.mjs) reads bootstrap source
+  // ├─→ Encodes as base64 (1275KB → 1700KB)
+  // ├─→ Splits into 80-char chunks
+  // └─→ Replaces SOCKET_BOOTSTRAP_BASE64_PLACEHOLDER
+  const SOCKET_BOOTSTRAP_B64 = (
+    SOCKET_BOOTSTRAP_BASE64_PLACEHOLDER
+  );
+
+  try {
+    // STEP 1: Load Node.js internals.
+    // --------------------------------
+    // These modules MUST be available during pre-execution phase.
+    // If any are missing, the catch block will handle gracefully.
+    const Module = require('internal/modules/cjs/loader').Module;
+    const { makeRequireFunction } = require('internal/modules/helpers');
+    const vm = require('vm');
+    const { Buffer } = require('buffer');
+
+    // STEP 2: Decode bootstrap from base64.
+    // --------------------------------------
+    // Performance: ~1-2ms for 1700KB base64 → 1275KB JavaScript
+    // Result: Plain JavaScript source code ready for compilation
+    const bootstrapCode = Buffer.from(SOCKET_BOOTSTRAP_B64, 'base64').toString('utf8');
+
+    // STEP 3: Create module context.
+    // -------------------------------
+    // This gives the bootstrap access to require(), module.exports, etc.
+    //
+    // CRITICAL: filename MUST be absolute path format for validation.
+    // - Module.createRequire() validates filename is absolute
+    // - Doesn't need to exist as real file, just valid path format
+    // - Using '/internal/bootstrap-smol.js' (Node.js internal path style)
+    const bootstrapModule = new Module('socket:bootstrap', null);
+    bootstrapModule.filename = '/internal/bootstrap-smol.js';  // Virtual path (validation only)
+    bootstrapModule.paths = Module._nodeModulePaths(process.cwd());  // Standard resolution
+    const exports = {};
+    bootstrapModule.exports = exports;
+
+    // STEP 4: Create require function.
+    // ---------------------------------
+    // makeRequireFunction() adds:
+    // - require.resolve()
+    // - require.cache
+    // - require.extensions
+    // - require.main
+    const moduleRequire = makeRequireFunction(bootstrapModule);
+
+    // STEP 5: Compile using C++ API.
+    // -------------------------------
+    // vm.compileFunction() is FASTER than:
+    // - eval() (no stack traces, security issues)
+    // - vm.runInThisContext() (slower, no parameter injection)
+    // - Module.wrap() + compilation (extra wrapping overhead)
+    //
+    // Parameters: ['exports', 'require', 'module', '__filename', '__dirname']
+    // These match standard CommonJS module parameters.
+    const compiledFn = vm.compileFunction(
+      bootstrapCode,
+      ['exports', 'require', 'module', '__filename', '__dirname'],
+      {
+        filename: '/internal/bootstrap-smol.js',  // For stack traces
+        lineOffset: 0,  // Source starts at line 0
+        columnOffset: 0,  // Source starts at column 0
+      }
+    );
+
+    // STEP 6: Execute with module context.
+    // -------------------------------------
+    // Reflect.apply() provides clean invocation:
+    // - thisArg: exports (standard CommonJS)
+    // - args: [exports, require, module, __filename, __dirname]
+    //
+    // ASYNC BEHAVIOR:
+    // - If bootstrap has main().catch(...), it starts executing
+    // - Function returns immediately (doesn't wait for async)
+    // - Async operations continue in background
+    // - Node.js initialization proceeds normally
+    Reflect.apply(compiledFn, exports, [
+      exports,              // exports object
+      moduleRequire,        // require() with resolve, cache, etc.
+      bootstrapModule,      // module object
+      '/internal/bootstrap-smol.js',  // __filename (virtual)
+      '/internal'           // __dirname (virtual)
+    ]);
+
+    // Returns here immediately, even if bootstrap has async code!
+    // Background monitoring continues while Node.js initializes.
+
+  } catch (err) {
+    // ERROR HANDLING:
+    // ---------------
+    // - console.* not available this early in bootstrap
+    // - Use process.stderr.write() for direct output
+    // - Include stack trace for debugging
+    // - Never throw (would crash Node.js)
+    //
+    // FAILURE MODES:
+    // 1. Module loading error (require fails) → Bootstrap disabled
+    // 2. Base64 decode error → Bootstrap disabled
+    // 3. Compilation error (invalid syntax) → Bootstrap disabled
+    // 4. Execution error (runtime error) → Bootstrap disabled
+    //
+    // In all cases: Node.js continues, user code runs normally.
+    process.stderr.write(`Socket bootstrap error: ${err.message}\n${err.stack}\n`);
+  }
+};

…tions/src/socket_brotli_builtin_loader.h …c/socketsecurity_brotli_builtin_loader.hpackages/node-smol-builder/additions/src/socket_brotli_builtin_loader.h renamed to packages/node-smol-builder/additions/src/socketsecurity_brotli_builtin_loader.h packages/node-smol-builder/additions/src/socket_brotli_builtin_loader.h renamed to packages/node-smol-builder/additions/src/socketsecurity_brotli_builtin_loader.h

@@ -1,7 +1,7 @@
 /**
  * Socket Security - Minimal-Touch Brotli Builtin Loader
  *
- * @file socket_brotli_builtin_loader.h
+ * @file socketsecurity_brotli_builtin_loader.h
  * @brief External header for Node.js builtin Brotli decompression
  * @version 1.0.0
  * @date 2025-01-17
@@ -49,8 +49,8 @@
  * SPDX-License-Identifier: MIT
  */
 
-#ifndef SOCKET_BROTLI_BUILTIN_LOADER_H_
-#define SOCKET_BROTLI_BUILTIN_LOADER_H_
+#ifndef SOCKETSECURITY_BROTLI_BUILTIN_LOADER_H_
+#define SOCKETSECURITY_BROTLI_BUILTIN_LOADER_H_
 
 #include "node_union_bytes.h"
 #include "v8.h"