feat(security): prevent SIGUSR1 debugger signal handling

Integrate SIGUSR1 prevention flags across Socket CLI subprocess spawning:
- shadow/npm-base.mts: Apply flags when spawning npm/npx with security scanning
- optimize/agent-installer.mts: Apply via NODE_OPTIONS during package installation
- bootstrap/node.mts: Apply when bootstrapping CLI from custom Node binary
- bootstrap/shared/node-flags.mts: Minimal implementation for bootstrap (size-optimized)

Uses @socketsecurity/lib/constants/node getNodeDisableSigusr1Flags() which returns:
- --disable-sigusr1 for Node 22.14+, 23.7+, 24.8+ (prevents thread creation)
- --no-inspect fallback for older Node 18+ (basic protection)

This prevents SIGUSR1 from starting the debugger in production CLI usage.

Author: jdalton

.gitignore

@@ -50,3 +50,4 @@ uild directory for temporary artifacts
 # Ignore socketbin package build artifacts (binaries and wasm files)
 # These are generated during build and should not be committed
 packages/socketbin-*/bin/
+packages/socketbin-*/build/

packages/cli/src/bootstrap/node.mts

@@ -24,6 +24,7 @@ import {
   getCliPackageName,
   getDlxDir,
 } from './shared/paths.mjs'
+import { getNodeDisableSigusr1Flags } from './shared/node-flags.mjs'
 
 /**
  * Check if CLI is installed.
@@ -128,10 +129,14 @@ async function main(): Promise<void> {
   const cliPath = getCliEntryPoint()
   const args = process.argv.slice(2)
 
-  const child = spawn(process.execPath, [cliPath, ...args], {
-    stdio: 'inherit',
-    env: process.env,
-  })
+  const child = spawn(
+    process.execPath,
+    [...getNodeDisableSigusr1Flags(), cliPath, ...args],
+    {
+      stdio: 'inherit',
+      env: process.env,
+    },
+  )
 
   child.on('error', error => {
     console.error('Failed to spawn CLI:', error)

packages/cli/src/bootstrap/shared/node-flags.mts

@@ -0,0 +1,46 @@
+/**
+ * Node.js flags for bootstrap (minimal implementation for size).
+ * This file is bundled into bootstrap, not imported at runtime.
+ */
+
+/**
+ * Get Node major version number.
+ */
+function getNodeMajorVersion(): number {
+  return Number.parseInt(process.version.slice(1).split('.')[0] || '0', 10)
+}
+
+/**
+ * Get Node minor version number.
+ */
+function getNodeMinorVersion(): number {
+  return Number.parseInt(process.version.split('.')[1] || '0', 10)
+}
+
+/**
+ * Check if --disable-sigusr1 flag is supported.
+ * Supported in v22.14.0+, v23.7.0+, v24.8.0+ (stable in v22.20.0+, v24.8.0+).
+ */
+function supportsDisableSigusr1(): boolean {
+  const major = getNodeMajorVersion()
+  const minor = getNodeMinorVersion()
+
+  if (major >= 24) {
+    return minor >= 8
+  }
+  if (major === 23) {
+    return minor >= 7
+  }
+  if (major === 22) {
+    return minor >= 14
+  }
+  return false
+}
+
+/**
+ * Get flags to disable SIGUSR1 debugger signal handling.
+ * Returns --disable-sigusr1 for newer Node, --no-inspect for older versions.
+ */
+export function getNodeDisableSigusr1Flags(): string[] {
+  return supportsDisableSigusr1() ? ['--disable-sigusr1'] : ['--no-inspect']
+}

packages/cli/src/commands/optimize/agent-installer.mts

@@ -19,6 +19,7 @@
 
 import { NPM, PNPM } from '@socketsecurity/lib/constants/agents'
 import {
+  getNodeDisableSigusr1Flags,
   getNodeHardenFlags,
   getNodeNoWarningsFlags,
 } from '@socketsecurity/lib/constants/node'
@@ -96,6 +97,7 @@ export function runAgentInstall(
       NODE_OPTIONS: cmdFlagsToString([
         ...(skipNodeHardenFlags ? [] : getNodeHardenFlags()),
         ...getNodeNoWarningsFlags(),
+        ...getNodeDisableSigusr1Flags(),
       ]),
       // @ts-expect-error - getOwn may return undefined, but spread handles it
       ...getOwn(spawnOpts, 'env'),

packages/cli/src/shadow/npm-base.mts

@@ -11,6 +11,7 @@ import {
 import {
   getExecPath,
   getNodeDebugFlags,
+  getNodeDisableSigusr1Flags,
   getNodeHardenFlags,
   getNodeNoWarningsFlags,
   supportsNodePermissionFlag,
@@ -160,6 +161,7 @@ export default async function shadowNpmBase(
       ...getNodeNoWarningsFlags(),
       ...getNodeDebugFlags(),
       ...getNodeHardenFlags(),
+      ...getNodeDisableSigusr1Flags(),
       // Memory flags commented out.
       // ...constants.nodeMemoryFlags,
       ...(ENV.INLINED_SOCKET_CLI_SENTRY_BUILD