refactor(dlx): extract defineToolSpawn factory; migrate 7 spawn-* wrappers

Every per-tool wrapper in dlx/spawn-* used to declare the same triple by
hand:
  - spawn{Tool}Dlx — npm-CLI mode
  - spawn{Tool}Vfs — SEA mode
  - spawn{Tool}    — auto-dispatcher

Add `define-tool-spawn.mts` with three small helpers:
  - defineGitHubReleaseSpawn — full Dlx flow for tools that ship strictly
    via GitHub releases (resolveTool() returns 'github-release')
  - defineVfsSpawn — wraps spawnToolVfs() with the VFS bundle name
  - defineAutoDispatch — the canonical isSeaBinary()+areExternalToolsAvailable()
    branch shared by every tool
And a top-level `defineToolSpawn` that emits the full triple in one call
for the simple GitHub-release case.

Migrations:
  - trufflehog, trivy, opengrep — pure GitHub release; collapse to one
    defineToolSpawn call each (81 → 22 LOC each).
  - synp — pure npm dlx; keep bespoke Dlx, use defineVfsSpawn +
    defineAutoDispatch for the rest (62 → 47 LOC).
  - cdxgen — local override + dlx; keep bespoke Dlx, use shared
    Vfs + auto-dispatch (99 → 84 LOC).
  - sfw — local override + machine-mode + dlx; keep bespoke Dlx, use
    shared Vfs + auto-dispatch (131 → 113 LOC).
  - socket-patch — three-way (local / GitHub release / legacy npm); keep
    bespoke Dlx, use shared Vfs + auto-dispatch (120 → 103 LOC).

coana stays bespoke — its return shape (CResult<string>) and signature
(extra orgSlug arg) don't fit the shared contract.

LOC: 655 → 545 (-110 net) across the 7 migrated tools + the new helper.
All 72 dlx unit tests still pass.

Author: jdalton

packages/cli/src/utils/dlx/define-tool-spawn.mts

@@ -0,0 +1,132 @@
+/**
+ * Factory for "tool spawner" functions in the dlx/spawn-* family.
+ *
+ * Every per-tool wrapper exposes the same triple:
+ *   - spawn{Tool}Dlx — npm-CLI mode (download / local override / GitHub release)
+ *   - spawn{Tool}Vfs — SEA mode (extract from VFS bundle)
+ *   - spawn{Tool}    — auto-dispatch between the two based on isSeaBinary()
+ *
+ * The auto-dispatch and the GitHub-release flow are identical across the
+ * pure-binary tools (trufflehog, trivy, opengrep). This factory encapsulates
+ * both so per-tool files can declare just `name + resolver` and get the rest.
+ *
+ * Hybrid tools that need local-path overrides or extra wiring (cdxgen, sfw,
+ * socket-patch) keep their bespoke Dlx implementations and only call
+ * `defineAutoDispatch` for the auto-dispatcher.
+ */
+
+import { spawn } from '@socketsecurity/lib/spawn'
+
+import { downloadGitHubReleaseBinary, spawnToolVfs } from './spawn.mts'
+import { areExternalToolsAvailable } from './vfs-extract.mjs'
+import { isSeaBinary } from '../sea/detect.mts'
+
+import type { DlxOptions, DlxSpawnResult } from './spawn.mts'
+import type { BinaryResolution } from './resolve-binary.mts'
+import type { StdioOptions } from 'node:child_process'
+import type { SpawnExtra } from '@socketsecurity/lib/spawn'
+
+/**
+ * Argument shape for every spawn function the factory emits.
+ */
+export type ToolSpawnFn = (
+  args: string[] | readonly string[],
+  options?: DlxOptions | undefined,
+  spawnExtra?: SpawnExtra | undefined,
+) => Promise<DlxSpawnResult>
+
+/**
+ * Build the standard auto-dispatcher: in SEA mode use VFS, otherwise use Dlx.
+ *
+ * Used by every tool wrapper in the dlx/spawn-* family.
+ */
+export function defineAutoDispatch(opts: {
+  vfs: ToolSpawnFn
+  dlx: ToolSpawnFn
+}): ToolSpawnFn {
+  const { dlx, vfs } = opts
+  return async (args, options, spawnExtra) => {
+    if (isSeaBinary() && areExternalToolsAvailable()) {
+      return await vfs(args, options, spawnExtra)
+    }
+    return await dlx(args, options, spawnExtra)
+  }
+}
+
+/**
+ * Build the standard SEA-mode VFS spawner for a tool.
+ *
+ * The VFS name (e.g. 'trufflehog') is the directory key under the SEA bundle.
+ */
+export function defineVfsSpawn(vfsName: string): ToolSpawnFn {
+  return async (args, options, spawnExtra) => {
+    return await spawnToolVfs(vfsName, args, options, spawnExtra)
+  }
+}
+
+/**
+ * Build a npm-CLI-mode spawner for a tool that ships strictly via GitHub
+ * releases (trufflehog, trivy, opengrep). Throws a clearly-attributed
+ * resolver-contract error if the resolver returns a non-github-release type.
+ */
+export function defineGitHubReleaseSpawn(opts: {
+  toolName: string
+  resolve: () => BinaryResolution
+}): ToolSpawnFn {
+  const { resolve, toolName } = opts
+  return async (args, options, spawnExtra) => {
+    const resolution = resolve()
+
+    if (resolution.type !== 'github-release') {
+      throw new Error(
+        `internal: resolve${capitalize(toolName)} returned resolution.type="${resolution.type}" (expected "github-release"); this is a resolver contract bug — re-run with --debug and report the output`,
+      )
+    }
+
+    const { env: spawnEnv, ...dlxOptions } = {
+      __proto__: null,
+      ...options,
+    } as DlxOptions
+
+    const binaryPath = await downloadGitHubReleaseBinary(resolution.details)
+
+    const spawnPromise = spawn(binaryPath, args, {
+      ...dlxOptions,
+      env: {
+        ...process.env,
+        ...spawnEnv,
+      },
+      stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
+    })
+
+    return { spawnPromise }
+  }
+}
+
+/**
+ * Build the full spawn-* triple for a pure-GitHub-release tool.
+ *
+ * Returns `{ Dlx, Vfs, auto }` where `auto` is the public spawnFoo()
+ * dispatcher and Dlx/Vfs are the underlying spawners.
+ */
+export function defineToolSpawn(opts: {
+  toolName: string
+  vfsName: string
+  resolve: () => BinaryResolution
+}): {
+  Dlx: ToolSpawnFn
+  Vfs: ToolSpawnFn
+  auto: ToolSpawnFn
+} {
+  const Dlx = defineGitHubReleaseSpawn({
+    toolName: opts.toolName,
+    resolve: opts.resolve,
+  })
+  const Vfs = defineVfsSpawn(opts.vfsName)
+  const auto = defineAutoDispatch({ vfs: Vfs, dlx: Dlx })
+  return { Dlx, Vfs, auto }
+}
+
+function capitalize(s: string): string {
+  return s.length ? s[0]!.toUpperCase() + s.slice(1) : s
+}

packages/cli/src/utils/dlx/spawn-cdxgen.mts

@@ -4,15 +4,21 @@
  * - spawnCdxgenDlx: local override > Socket dlx download.
  * - spawnCdxgenVfs: extract from SEA bundle, then exec.
  * - spawnCdxgen: auto-detect SEA vs npm-CLI mode and dispatch.
+ *
+ * The local-override path is bespoke (cdxgen is a JS file when local), so
+ * Dlx stays hand-rolled here. Vfs + auto-dispatch use the shared helpers
+ * from define-tool-spawn.
  */
 
 import { detectExecutableType } from '@socketsecurity/lib/dlx/detect'
 import { spawn } from '@socketsecurity/lib/spawn'
 
-import { spawnDlx, spawnToolVfs } from './spawn.mts'
+import {
+  defineAutoDispatch,
+  defineVfsSpawn,
+} from './define-tool-spawn.mts'
+import { spawnDlx } from './spawn.mts'
 import { resolveCdxgen } from './resolve-binary.mjs'
-import { areExternalToolsAvailable } from './vfs-extract.mjs'
-import { isSeaBinary } from '../sea/detect.mts'
 
 import type { DlxOptions, DlxSpawnResult } from './spawn.mts'
 import type { StdioOptions } from 'node:child_process'
@@ -70,29 +76,9 @@ export async function spawnCdxgenDlx(
   )
 }
 
-/**
- * Helper to spawn cdxgen from VFS.
- * Used when running in SEA mode.
- */
-export async function spawnCdxgenVfs(
-  args: string[] | readonly string[],
-  options?: DlxOptions | undefined,
-  spawnExtra?: SpawnExtra | undefined,
-): Promise<DlxSpawnResult> {
-  return await spawnToolVfs('cdxgen', args, options, spawnExtra)
-}
+export const spawnCdxgenVfs = defineVfsSpawn('cdxgen')
 
-/**
- * Spawn cdxgen (CycloneDX generator).
- * Auto-detects SEA mode and uses appropriate spawn method.
- */
-export async function spawnCdxgen(
-  args: string[] | readonly string[],
-  options?: DlxOptions | undefined,
-  spawnExtra?: SpawnExtra | undefined,
-): Promise<DlxSpawnResult> {
-  if (isSeaBinary() && areExternalToolsAvailable()) {
-    return await spawnCdxgenVfs(args, options, spawnExtra)
-  }
-  return await spawnCdxgenDlx(args, options, spawnExtra)
-}
+export const spawnCdxgen = defineAutoDispatch({
+  vfs: spawnCdxgenVfs,
+  dlx: spawnCdxgenDlx,
+})

packages/cli/src/utils/dlx/spawn-opengrep.mts

@@ -4,78 +4,19 @@
  * - spawnOpengrepDlx: download from GitHub releases, then exec.
  * - spawnOpengrepVfs: extract from SEA bundle, then exec.
  * - spawnOpengrep: auto-detect SEA vs npm-CLI mode and dispatch.
+ *
+ * Defined via `defineToolSpawn`. See utils/dlx/define-tool-spawn.mts.
  */
 
-import { spawn } from '@socketsecurity/lib/spawn'
-
-import {
-  downloadGitHubReleaseBinary,
-  spawnToolVfs,
-} from './spawn.mts'
+import { defineToolSpawn } from './define-tool-spawn.mts'
 import { resolveOpengrep } from './resolve-binary.mjs'
-import { areExternalToolsAvailable } from './vfs-extract.mjs'
-import { isSeaBinary } from '../sea/detect.mts'
-
-import type { DlxOptions, DlxSpawnResult } from './spawn.mts'
-import type { StdioOptions } from 'node:child_process'
-import type { SpawnExtra } from '@socketsecurity/lib/spawn'
-
-export async function spawnOpengrepDlx(
-  args: string[] | readonly string[],
-  options?: DlxOptions | undefined,
-  spawnExtra?: SpawnExtra | undefined,
-): Promise<DlxSpawnResult> {
-  const resolution = resolveOpengrep()
-
-  if (resolution.type !== 'github-release') {
-    throw new Error(
-      `internal: resolveOpengrep returned resolution.type="${resolution.type}" (expected "github-release"); this is a resolver contract bug — re-run with --debug and report the output`,
-    )
-  }
-
-  const { env: spawnEnv, ...dlxOptions } = {
-    __proto__: null,
-    ...options,
-  } as DlxOptions
-
-  const binaryPath = await downloadGitHubReleaseBinary(resolution.details)
 
-  const spawnPromise = spawn(binaryPath, args, {
-    ...dlxOptions,
-    env: {
-      ...process.env,
-      ...spawnEnv,
-    },
-    stdio: (spawnExtra?.['stdio'] as StdioOptions | undefined) ?? 'inherit',
-  })
+const triple = defineToolSpawn({
+  toolName: 'opengrep',
+  vfsName: 'opengrep',
+  resolve: resolveOpengrep,
+})
 
-  return {
-    spawnPromise,
-  }
-}
-
-/**
- * Spawn OpenGrep from VFS (SEA mode).
- */
-export async function spawnOpengrepVfs(
-  args: string[] | readonly string[],
-  options?: DlxOptions | undefined,
-  spawnExtra?: SpawnExtra | undefined,
-): Promise<DlxSpawnResult> {
-  return await spawnToolVfs('opengrep', args, options, spawnExtra)
-}
-
-/**
- * Spawn OpenGrep.
- * Auto-detects SEA mode and uses appropriate spawn method.
- */
-export async function spawnOpengrep(
-  args: string[] | readonly string[],
-  options?: DlxOptions | undefined,
-  spawnExtra?: SpawnExtra | undefined,
-): Promise<DlxSpawnResult> {
-  if (isSeaBinary() && areExternalToolsAvailable()) {
-    return await spawnOpengrepVfs(args, options, spawnExtra)
-  }
-  return await spawnOpengrepDlx(args, options, spawnExtra)
-}
+export const spawnOpengrepDlx = triple.Dlx
+export const spawnOpengrepVfs = triple.Vfs
+export const spawnOpengrep = triple.auto

packages/cli/src/utils/dlx/spawn-sfw.mts

@@ -7,16 +7,19 @@
  *
  * sfw is a transparent proxy: args is [innerTool, innerSubcommand?, ...rest].
  * Machine-mode flags forward to the inner tool so its stdout stays pipe-safe
- * under --json.
+ * under --json. The Dlx flow stays bespoke (machine-mode + local-override
+ * both apply); Vfs + auto-dispatch use the shared helpers.
  */
 
 import { detectExecutableType } from '@socketsecurity/lib/dlx/detect'
 import { spawn } from '@socketsecurity/lib/spawn'
 
-import { spawnDlx, spawnToolVfs } from './spawn.mts'
+import {
+  defineAutoDispatch,
+  defineVfsSpawn,
+} from './define-tool-spawn.mts'
+import { spawnDlx } from './spawn.mts'
 import { resolveSfw } from './resolve-binary.mjs'
-import { areExternalToolsAvailable } from './vfs-extract.mjs'
-import { isSeaBinary } from '../sea/detect.mts'
 import {
   applyMachineModeIfActive,
   inferSubcommand,
@@ -102,29 +105,9 @@ export async function spawnSfwDlx(
   )
 }
 
-/**
- * Helper to spawn Socket Firewall (sfw) from VFS.
- * Used when running in SEA mode.
- */
-export async function spawnSfwVfs(
-  args: string[] | readonly string[],
-  options?: DlxOptions | undefined,
-  spawnExtra?: SpawnExtra | undefined,
-): Promise<DlxSpawnResult> {
-  return await spawnToolVfs('sfw', args, options, spawnExtra)
-}
+export const spawnSfwVfs = defineVfsSpawn('sfw')
 
-/**
- * Spawn Socket Firewall (sfw).
- * Auto-detects SEA mode and uses appropriate spawn method.
- */
-export async function spawnSfw(
-  args: string[] | readonly string[],
-  options?: DlxOptions | undefined,
-  spawnExtra?: SpawnExtra | undefined,
-): Promise<DlxSpawnResult> {
-  if (isSeaBinary() && areExternalToolsAvailable()) {
-    return await spawnSfwVfs(args, options, spawnExtra)
-  }
-  return await spawnSfwDlx(args, options, spawnExtra)
-}
+export const spawnSfw = defineAutoDispatch({
+  vfs: spawnSfwVfs,
+  dlx: spawnSfwDlx,
+})