refactor(preflight): stagger downloads sequentially and add Python

jdalton · jdalton · commit c40e17f3ef54 · 2025-11-01T18:07:35.000-04:00
Download order to avoid resource contention:
1. @coana-tech/cli (smallest)
2. @cyclonedx/cdxgen (medium)
3. @socketbin/cli-ai (medium)
4. Python + socketsecurity (largest: 17-41MB + pip install)

Changed from parallel Promise.all to sequential await for better
resource management during background preflight caching.
diff --git a/packages/cli/src/utils/preflight/downloads.mts b/packages/cli/src/utils/preflight/downloads.mts
@@ -1,9 +1,13 @@
 /**
  * Background preflight downloads for optional dependencies.
  *
- * Silently downloads @coana-tech/cli, @cyclonedx/cdxgen, and @socketbin/cli-ai
- * in the background on first CLI run to ensure they're cached for future use.
+ * Silently downloads dependencies in the background on first CLI run:
+ * 1. @coana-tech/cli
+ * 2. @cyclonedx/cdxgen
+ * 3. @socketbin/cli-ai
+ * 4. Python + socketsecurity (socket-python-cli)
  *
+ * Downloads are staggered sequentially to avoid resource contention.
  * This runs asynchronously and never blocks the main CLI execution.
  */
 
@@ -14,6 +18,7 @@ import { downloadPackage } from '@socketsecurity/lib/dlx-package'
 
 import ENV from '../../constants/env.mts'
 import { getSocketHomePath } from '../dlx/binary.mts'
+import { ensurePython, ensureSocketCli } from '../python/standalone.mts'
 
 /**
  * Check if a package is already cached by the package manager.
@@ -43,40 +48,46 @@ export function runPreflightDownloads(): void {
 
   // Run asynchronously in the background.
   void (async () => {
-    const downloads: Array<{ packageSpec: string; binaryName?: string }> = []
+    try {
+      // Stagger downloads sequentially to avoid resource contention.
+      // Order: coana → cdxgen → cli-ai → Python → socketsecurity.
 
-    // @coana-tech/cli preflight.
-    const coanaVersion = ENV.INLINED_SOCKET_CLI_COANA_VERSION
-    const coanaSpec = `@coana-tech/cli@~${coanaVersion}`
-    if (!isPackageCached(coanaSpec)) {
-      downloads.push({ packageSpec: coanaSpec, binaryName: 'coana' })
-    }
+      // 1. @coana-tech/cli preflight.
+      const coanaVersion = ENV.INLINED_SOCKET_CLI_COANA_VERSION
+      const coanaSpec = `@coana-tech/cli@~${coanaVersion}`
+      if (!isPackageCached(coanaSpec)) {
+        await downloadPackage({
+          package: coanaSpec,
+          binaryName: 'coana',
+          force: false,
+        })
+      }
 
-    // @cyclonedx/cdxgen preflight.
-    const cdxgenVersion = ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION
-    const cdxgenSpec = `@cyclonedx/cdxgen@~${cdxgenVersion}`
-    if (!isPackageCached(cdxgenSpec)) {
-      downloads.push({ packageSpec: cdxgenSpec, binaryName: 'cdxgen' })
-    }
+      // 2. @cyclonedx/cdxgen preflight.
+      const cdxgenVersion = ENV.INLINED_SOCKET_CLI_CYCLONEDX_CDXGEN_VERSION
+      const cdxgenSpec = `@cyclonedx/cdxgen@~${cdxgenVersion}`
+      if (!isPackageCached(cdxgenSpec)) {
+        await downloadPackage({
+          package: cdxgenSpec,
+          binaryName: 'cdxgen',
+          force: false,
+        })
+      }
 
-    // @socketbin/cli-ai preflight.
-    const cliAiVersion = ENV.INLINED_SOCKET_CLI_AI_VERSION
-    const cliAiSpec = `@socketbin/cli-ai@^${cliAiVersion}`
-    if (!isPackageCached(cliAiSpec)) {
-      downloads.push({ packageSpec: cliAiSpec, binaryName: 'cli-ai' })
-    }
+      // 3. @socketbin/cli-ai preflight.
+      const cliAiVersion = ENV.INLINED_SOCKET_CLI_AI_VERSION
+      const cliAiSpec = `@socketbin/cli-ai@^${cliAiVersion}`
+      if (!isPackageCached(cliAiSpec)) {
+        await downloadPackage({
+          package: cliAiSpec,
+          binaryName: 'cli-ai',
+          force: false,
+        })
+      }
 
-    try {
-      // Download in background (fire and forget).
-      await Promise.all(
-        downloads.map(p =>
-          downloadPackage({
-            package: p.packageSpec,
-            binaryName: p.binaryName,
-            force: false,
-          }),
-        ),
-      )
+      // 4. Python + socketsecurity (socket-python-cli) preflight.
+      const pythonBin = await ensurePython()
+      await ensureSocketCli(pythonBin)
     } catch {}
   })()
 }
