feat(validation): universal validateSchema for TypeBox + Zod

Adds `validateSchema` / `parseSchema` at `@socketsecurity/lib/validation/validate-schema` — a single structurally-dispatched entry point that accepts TypeBox schemas, Zod v3/v4 schemas, or any `safeParse`-shaped duck type, and returns a tagged `{ ok, value | errors }` result with normalized `{ path, message }` issues across all validator backends. Type inference flows through: Zod users get `z.infer<…>`, TypeBox users get `Static<…>`, no casts.

Migrates the bundled external from `zod` to `@sinclair/typebox` since TypeBox is the only backend whose runtime we eagerly need (`Value.Check` / `Value.Errors`); Zod is detected purely via `.safeParse`, so it stays a pinned devDep used by tests that verify the Zod path. `ipc.ts`'s stub schema switches from `z.object(...)` to `Type.Object(...)` + `parseSchema` to prove the new path end-to-end.

Drops `./zod` subpath export + `src/zod.ts` + `src/external/zod.*` + `test/unit/zod.test.mts` (the wrapper has no consumers now that validation goes through the universal helper). TypeBox is bundled as `dist/external/@sinclair/typebox.js` (+ `/value.js` subpath) so consumers of `@socketsecurity/lib` do not need to install `@sinclair/typebox` themselves.

Author: jdalton

docs/api-index.md

@@ -58,7 +58,6 @@ Each entry links to the source module and shows the first sentence of its `@file
 | [`@socketsecurity/lib/url`](../src/url.ts)                               | URL parsing and validation utilities.                                                                          |
 | [`@socketsecurity/lib/versions`](../src/versions.ts)                     | Version comparison and validation utilities for Socket ecosystem.                                              |
 | [`@socketsecurity/lib/words`](../src/words.ts)                           | Word manipulation utilities for capitalization and formatting.                                                 |
-| [`@socketsecurity/lib/zod`](../src/zod.ts)                               | Zod schema validation library wrapper for type-safe runtime validation.                                        |
 
 ## argv/
 
@@ -218,7 +217,8 @@ Each entry links to the source module and shows the first sentence of its `@file
 
 ## validation/
 
-| Subpath                                                                          | Description                                              |
-| -------------------------------------------------------------------------------- | -------------------------------------------------------- |
-| [`@socketsecurity/lib/validation/json-parser`](../src/validation/json-parser.ts) | Safe JSON parsing with validation and security controls. |
-| [`@socketsecurity/lib/validation/types`](../src/validation/types.ts)             | Validation type definitions.                             |
+| Subpath                                                                                  | Description                                                                                                  |
+| ---------------------------------------------------------------------------------------- | ------------------------------------------------------------------------------------------------------------ |
+| [`@socketsecurity/lib/validation/json-parser`](../src/validation/json-parser.ts)         | Safe JSON parsing with validation and security controls.                                                     |
+| [`@socketsecurity/lib/validation/types`](../src/validation/types.ts)                     | Validation type definitions.                                                                                 |
+| [`@socketsecurity/lib/validation/validate-schema`](../src/validation/validate-schema.ts) | Universal schema validation — works with TypeBox, Zod (v3 and v4), and any Zod-shaped `Schema<T>` duck type. |

package.json

@@ -663,6 +663,10 @@
       "types": "./dist/validation/types.d.ts",
       "default": "./dist/validation/types.js"
     },
+    "./validation/validate-schema": {
+      "types": "./dist/validation/validate-schema.d.ts",
+      "default": "./dist/validation/validate-schema.js"
+    },
     "./versions": {
       "types": "./dist/versions.d.ts",
       "default": "./dist/versions.js"
@@ -671,10 +675,6 @@
       "types": "./dist/words.d.ts",
       "default": "./dist/words.js"
     },
-    "./zod": {
-      "types": "./dist/zod.d.ts",
-      "default": "./dist/zod.js"
-    },
     "./data/extensions.json": "./data/extensions.json",
     "./package.json": "./package.json",
     "./tsconfig.dts.json": "./tsconfig.dts.json",
@@ -720,6 +720,7 @@
     "@npmcli/arborist": "9.1.4",
     "@npmcli/package-json": "7.0.0",
     "@npmcli/promise-spawn": "8.0.3",
+    "@sinclair/typebox": "0.34.49",
     "@socketregistry/is-unicode-supported": "1.0.5",
     "@socketregistry/packageurl-js": "1.4.2",
     "@socketregistry/yocto-spinner": "1.0.25",

pnpm-lock.yaml

@@ -49,8 +49,6 @@ export const externalPackages = [
   { name: 'which', bundle: true },
   { name: 'yargs-parser', bundle: true },
   { name: 'yoctocolors-cjs', bundle: false },
-  // Used by socket-cli (dist/cli.js has minified zod).
-  { name: 'zod', bundle: true },
 ]
 
 // Scoped packages need special handling.
@@ -86,5 +84,18 @@ export const scopedPackages = [
     packages: ['packageurl-js', 'is-unicode-supported', 'yocto-spinner'],
     optional: true,
   },
+  // @sinclair/typebox powers validateSchema()'s TypeBox path. Bundle
+  // so consumers don't need to install typebox separately — they just
+  // import from @socketsecurity/lib/validation/validate-schema and
+  // pass in TypeBox schemas built with our vendored copy of Type.*.
+  //
+  // Bundles both the core entry (for Type.* builders) and the /value
+  // runtime (for Value.Check + Value.Errors used internally).
+  {
+    scope: '@sinclair',
+    name: 'typebox',
+    bundle: true,
+    subpaths: ['typebox/value'],
+  },
   { scope: '@yarnpkg', name: 'extensions', bundle: true },
 ]

scripts/build-externals/config.mts

@@ -0,0 +1,3 @@
+// Re-export types from @sinclair/typebox. The runtime side is provided
+// by the bundled ./dist/external/@sinclair/typebox.js.
+export * from '@sinclair/typebox'

src/external/@sinclair/typebox.d.ts

@@ -0,0 +1,5 @@
+'use strict'
+
+// Direct re-export of @sinclair/typebox (core Type.* builders).
+// Bundled by esbuild into dist/external/@sinclair/typebox.js.
+module.exports = require('@sinclair/typebox')

src/external/@sinclair/typebox.js

@@ -0,0 +1 @@
+export * from '@sinclair/typebox/value'

src/external/@sinclair/typebox/value.d.ts

@@ -0,0 +1,5 @@
+'use strict'
+
+// Direct re-export of @sinclair/typebox/value (Value.Check / Value.Errors).
+// Bundled by esbuild into dist/external/@sinclair/typebox/value.js.
+module.exports = require('@sinclair/typebox/value')