fix(fix): validate target directory and detect misplaced IDs (#1227)

* fix(fix): validate target directory and detect misplaced IDs

Backport of v1.x #1199 to main. Two quality-of-life fixes for
\`socket fix\` that surface clear error messages instead of the
confusing API error the user hits today:

1. **Misplaced vulnerability ID**: if the first positional arg looks
   like a GHSA, CVE, or PURL, we treat it as a directory path and
   eventually fail with "Need at least one file to be uploaded" from
   the API. Now we detect the pattern early, fail fast with a
   "Did you mean: socket fix --id <that value>" hint.

2. **Nonexistent target directory**: previously the directory wasn't
   validated upfront, so we'd happily resolve it, glob zero files,
   upload nothing, and the API would reject with the same confusing
   "Need at least one file to be uploaded" message. Now we
   \`existsSync()\` the resolved path and fail with
   "Target directory does not exist: <path>".

Tests:
  * Reworked the existing "should support custom cwd argument" test
    to pass \`process.cwd()\` (guaranteed to exist) now that we
    validate the dir.
  * Added "should fail fast when target directory does not exist".
  * Added "should fail fast when a GHSA is passed as a positional arg".

* fix(fix): move input validation before org-slug resolution

Addresses both Cursor bugbot findings on #1227:

1. **[Medium] Misplaced-ID check was behind getDefaultOrgSlug()**.
   If a user had no API token configured, `getDefaultOrgSlug()` would
   fail first and the helpful "looks like a vulnerability identifier"
   / "Target directory does not exist" messages never reached them.
   Moved both validation blocks ahead of the org-slug resolution —
   they only depend on `cli.input[0]`, no token required.

2. **[Low] Case-insensitive detection with verbatim echo**. The regex
   matched `ghsa-abcd-…` but `handle-fix.mts` matches the GHSA/CVE
   prefix case-sensitively, so the suggested `socket fix --id ghsa-…`
   would fail downstream with "Unsupported ID format". Now we
   normalize GHSA/CVE to uppercase in the suggestion while keeping
   PURLs unchanged (they're intentionally lowercase).

Added tests:
  - uppercase normalization of a lowercase GHSA in the suggestion.
  - validation short-circuits before `getDefaultOrgSlug` for both
    the misplaced-ID path and the missing-target-dir path.

* fix(fix): preserve GHSA body case in uppercased suggestion

Cursor bugbot caught a second-order bug in my earlier case fix on
#1227. The previous commit uppercased the *entire* rawInput, but
handle-fix.mts's format validator is

    GHSA_FORMAT_REGEXP = /^GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/

which requires the body segments to be lowercase. A user typing
`ghsa-abcd-efgh-ijkl` would have been told to run
`socket fix --id GHSA-ABCD-EFGH-IJKL`, and that command would fail
downstream with "Invalid GHSA format".

Fix: only uppercase the prefix.
  * GHSA: `'GHSA-' + body.toLowerCase()`
  * CVE:  `'CVE-'  + rest` (body is digits + dashes, case-free)
  * PURL: leave verbatim.

Added tests covering all three branches.

* test(fix): tighten coverage of input-validation branches

Tightens the cmd-fix tests introduced with the input-validation work:

  * Consolidates four separate ID-detection tests into an `it.each`
    table that exercises the real case matrix against handle-fix.mts's
    downstream format regexes:
      - canonical / lowercase / mixed-case GHSA
      - canonical / lowercase CVE
      - PURL (unchanged)
    Each row asserts both the "looks like a vulnerability identifier"
    message and the exact downstream-valid `--id <suggestion>` form.
    Previously a mixed-case GHSA and the canonical CVE/GHSA cases
    weren't covered, so a future regression to the case-normalization
    logic could slip by.

  * Splits the directory-validation tests into a dedicated
    `describe('target directory validation', ...)` block and adds a
    happy-path assertion ("lets a real directory flow through to
    handleFix") so we can tell the difference between "validation
    passed" and "validation silently skipped".

  * Folded the redundant "should support custom cwd argument" test
    into the happy-path assertion — same setup, one test instead of
    two with overlapping mocks.

  * Order-of-operations assertions (that validation runs before
    `getDefaultOrgSlug`) now live next to the related bail tests
    instead of floating at the end of the outer describe.

Net: 6 cases in the ID-detection table (up from 3 hardcoded), plus
3 directory-validation tests including the happy path. 47 tests total.

Author: jdalton

packages/cli/src/commands/fix/cmd-fix.mts

@@ -1,3 +1,4 @@
+import { existsSync } from 'node:fs'
 import path from 'node:path'
 
 import terminalLink from 'terminal-link'
@@ -408,6 +409,54 @@ async function run(
     return
   }
 
+  // Detect the common mistake of passing a vulnerability ID (GHSA / CVE /
+  // PURL) as a positional argument when the user meant to use `--id`.
+  // Without this guard we treat the ID as a directory path, resolve to cwd,
+  // and eventually fail with a confusing upload error. Run this before
+  // `getDefaultOrgSlug()` so users still get the helpful message when no
+  // API token is configured.
+  const rawInput = cli.input[0]
+  if (rawInput) {
+    const upperInput = rawInput.toUpperCase()
+    const isGhsa = upperInput.startsWith('GHSA-')
+    const isCve = upperInput.startsWith('CVE-')
+    const isPurl = rawInput.startsWith('pkg:')
+    if (isGhsa || isCve || isPurl) {
+      // `handle-fix.mts` validates IDs with case-sensitive format regexes:
+      //   * GHSA — prefix must be uppercase, body segments lowercase [a-z0-9]
+      //   * CVE  — prefix must be uppercase, body is all digits (case-free)
+      // PURLs are intentionally lowercase and validated separately.
+      let suggestion: string
+      if (isGhsa) {
+        suggestion = 'GHSA-' + rawInput.slice(5).toLowerCase()
+      } else if (isCve) {
+        suggestion = 'CVE-' + rawInput.slice(4)
+      } else {
+        suggestion = rawInput
+      }
+      logger.fail(
+        `"${rawInput}" looks like a vulnerability identifier, not a directory path.\nDid you mean: socket fix ${FLAG_ID} ${suggestion}`,
+      )
+      process.exitCode = 1
+      return
+    }
+  }
+
+  let [cwd = '.'] = cli.input
+  // Note: path.resolve vs .join:
+  // If given path is absolute then cwd should not affect it.
+  cwd = path.resolve(process.cwd(), cwd)
+
+  // Validate the target directory exists so we fail fast with a clear
+  // message instead of the API's "Need at least one file to be uploaded".
+  // Also runs before the org-slug resolution so the user sees a clearer
+  // error when pointing at a typo'd path without an API token set.
+  if (!existsSync(cwd)) {
+    logger.fail(`Target directory does not exist: ${cwd}`)
+    process.exitCode = 1
+    return
+  }
+
   const orgSlugCResult = await getDefaultOrgSlug()
   if (!orgSlugCResult.ok) {
     process.exitCode = orgSlugCResult.code ?? 1
@@ -419,11 +468,6 @@ async function run(
 
   const orgSlug = orgSlugCResult.data
 
-  let [cwd = '.'] = cli.input
-  // Note: path.resolve vs .join:
-  // If given path is absolute then cwd should not affect it.
-  cwd = path.resolve(process.cwd(), cwd)
-
   const spinner = undefined
 
   const includePatterns = cmdFlagValueToArray(include)

packages/cli/test/unit/commands/fix/cmd-fix.test.mts

@@ -331,14 +331,80 @@ describe('cmd-fix', () => {
       )
     })
 
-    it('should support custom cwd argument', async () => {
-      await cmdFix.run(['./custom/path'], importMeta, context)
+    describe('misplaced vulnerability identifier detection', () => {
+      // The case matrix handle-fix.mts actually validates downstream:
+      //   GHSA: /^GHSA-[a-z0-9]{4}-[a-z0-9]{4}-[a-z0-9]{4}$/
+      //   CVE:  /^CVE-\d{4}-\d{4,}$/
+      // Suggestion must be exactly the form that passes those regexes,
+      // otherwise the user follows our advice and still gets an error.
+      it.each([
+        // [label, input, expectedSuggestion]
+        // GHSA: prefix to upper, body to lower, regardless of input casing.
+        ['canonical GHSA', 'GHSA-abcd-efgh-ijkl', 'GHSA-abcd-efgh-ijkl'],
+        ['lowercase GHSA', 'ghsa-abcd-efgh-ijkl', 'GHSA-abcd-efgh-ijkl'],
+        ['mixed-case GHSA', 'GhSa-AbCd-EfGh-IjKl', 'GHSA-abcd-efgh-ijkl'],
+        // CVE: prefix to upper, body is digits so case is a no-op.
+        ['canonical CVE', 'CVE-2021-23337', 'CVE-2021-23337'],
+        ['lowercase CVE', 'cve-2021-23337', 'CVE-2021-23337'],
+        // PURL: always lowercase by spec, echo verbatim.
+        ['npm PURL', 'pkg:npm/left-pad@1.3.0', 'pkg:npm/left-pad@1.3.0'],
+      ])(
+        'detects %s and suggests the downstream-valid form',
+        async (_label, input, expectedSuggestion) => {
+          await cmdFix.run([input], importMeta, context)
+
+          expect(process.exitCode).toBe(1)
+          expect(mockHandleFix).not.toHaveBeenCalled()
+          expect(mockLogger.fail).toHaveBeenCalledWith(
+            expect.stringContaining(
+              'looks like a vulnerability identifier, not a directory path',
+            ),
+          )
+          expect(mockLogger.fail).toHaveBeenCalledWith(
+            expect.stringContaining(`--id ${expectedSuggestion}`),
+          )
+        },
+      )
+
+      it('validates IDs before resolving the org slug (no API token path)', async () => {
+        await cmdFix.run(['GHSA-xxxx-xxxx-xxxx'], importMeta, context)
+
+        // The check must run *before* `getDefaultOrgSlug`, so users without
+        // a configured API token still see the helpful message instead of
+        // the generic "Unable to resolve org".
+        expect(mockGetDefaultOrgSlug).not.toHaveBeenCalled()
+      })
+    })
 
-      expect(mockHandleFix).toHaveBeenCalledWith(
-        expect.objectContaining({
-          cwd: expect.stringContaining('custom/path'),
-        }),
-      )
+    describe('target directory validation', () => {
+      it('should fail fast when target directory does not exist', async () => {
+        await cmdFix.run(['./this/path/does/not/exist'], importMeta, context)
+
+        expect(process.exitCode).toBe(1)
+        expect(mockHandleFix).not.toHaveBeenCalled()
+        expect(mockLogger.fail).toHaveBeenCalledWith(
+          expect.stringContaining('Target directory does not exist'),
+        )
+      })
+
+      it('validates the directory before resolving the org slug', async () => {
+        await cmdFix.run(['./this/path/does/not/exist'], importMeta, context)
+
+        expect(mockGetDefaultOrgSlug).not.toHaveBeenCalled()
+      })
+
+      it('lets a real directory flow through to handleFix', async () => {
+        const realDir = process.cwd()
+        await cmdFix.run([realDir], importMeta, context)
+
+        expect(mockHandleFix).toHaveBeenCalledWith(
+          expect.objectContaining({ cwd: realDir }),
+        )
+        // Sanity: no bail on the happy path.
+        expect(mockLogger.fail).not.toHaveBeenCalledWith(
+          expect.stringContaining('Target directory does not exist'),
+        )
+      })
     })
 
     it('should support --json output mode', async () => {