feat: add apply --force flag and rename --no-apply to --save-only

Add --force/-f flag to `apply` command that skips pre-application hash
verification, allowing patches to be applied even when the installed
package version differs from what the patch targets. When force is
enabled, hash mismatches are treated as ready-to-patch and missing
files (for non-new entries) are skipped rather than aborting.

Rename `get --no-apply` to `get --save-only` for clarity, with
`--no-apply` kept as a backward-compatible alias.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: mikolalysenko

crates/socket-patch-cli/src/commands/apply.rs

@@ -48,6 +48,10 @@ pub struct ApplyArgs {
     /// Restrict patching to specific ecosystems
     #[arg(long, value_delimiter = ',')]
     pub ecosystems: Option<Vec<String>>,
+
+    /// Skip pre-application hash verification (apply even if package version differs)
+    #[arg(short = 'f', long, default_value_t = false)]
+    pub force: bool,
 }
 
 pub async fn run(args: ApplyArgs) -> i32 {
@@ -246,11 +250,13 @@ async fn apply_patches_inner(
                     None => continue,
                 };
 
-                // Check first file hash match
-                if let Some((file_name, file_info)) = patch.files.iter().next() {
-                    let verify = verify_file_patch(pkg_path, file_name, file_info).await;
-                    if verify.status == socket_patch_core::patch::apply::VerifyStatus::HashMismatch {
-                        continue;
+                // Check first file hash match (skip when --force)
+                if !args.force {
+                    if let Some((file_name, file_info)) = patch.files.iter().next() {
+                        let verify = verify_file_patch(pkg_path, file_name, file_info).await;
+                        if verify.status == socket_patch_core::patch::apply::VerifyStatus::HashMismatch {
+                            continue;
+                        }
                     }
                 }
 
@@ -260,6 +266,7 @@ async fn apply_patches_inner(
                     &patch.files,
                     &blobs_path,
                     args.dry_run,
+                    args.force,
                 )
                 .await;
 
@@ -292,6 +299,7 @@ async fn apply_patches_inner(
                 &patch.files,
                 &blobs_path,
                 args.dry_run,
+                args.force,
             )
             .await;
 

crates/socket-patch-cli/src/commands/get.rs

@@ -57,8 +57,8 @@ pub struct GetArgs {
     pub api_token: Option<String>,
 
     /// Download patch without applying it
-    #[arg(long = "no-apply", default_value_t = false)]
-    pub no_apply: bool,
+    #[arg(long = "save-only", alias = "no-apply", default_value_t = false)]
+    pub save_only: bool,
 
     /// Apply patch to globally installed npm packages
     #[arg(short = 'g', long, default_value_t = false)]
@@ -110,8 +110,8 @@ pub async fn run(args: GetArgs) -> i32 {
         eprintln!("Error: Only one of --id, --cve, --ghsa, or --package can be specified");
         return 1;
     }
-    if args.one_off && args.no_apply {
-        eprintln!("Error: --one-off and --no-apply cannot be used together");
+    if args.one_off && args.save_only {
+        eprintln!("Error: --one-off and --save-only cannot be used together");
         return 1;
     }
 
@@ -125,11 +125,8 @@ pub async fn run(args: GetArgs) -> i32 {
 
     let (api_client, use_public_proxy) = get_api_client_from_env(args.org.as_deref()).await;
 
-    let effective_org_slug: Option<&str> = if use_public_proxy {
-        None
-    } else {
-        None // org slug is already stored in the client
-    };
+    // org slug is already stored in the client
+    let effective_org_slug: Option<&str> = None;
 
     // Determine identifier type
     let id_type = if args.id {
@@ -438,8 +435,8 @@ pub async fn run(args: GetArgs) -> i32 {
         println!("  Failed: {patches_failed}");
     }
 
-    // Auto-apply unless --no-apply
-    if !args.no_apply && patches_added > 0 {
+    // Auto-apply unless --save-only
+    if !args.save_only && patches_added > 0 {
         println!("\nApplying patches...");
         let apply_args = super::apply::ApplyArgs {
             cwd: args.cwd.clone(),
@@ -450,6 +447,7 @@ pub async fn run(args: GetArgs) -> i32 {
             global: args.global,
             global_prefix: args.global_prefix.clone(),
             ecosystems: None,
+            force: false,
         };
         let code = super::apply::run(apply_args).await;
         if code != 0 {
@@ -621,7 +619,7 @@ async fn save_and_apply_patch(
         println!("  Skipped: 1 (already exists)");
     }
 
-    if !args.no_apply {
+    if !args.save_only {
         println!("\nApplying patches...");
         let apply_args = super::apply::ApplyArgs {
             cwd: args.cwd.clone(),
@@ -632,6 +630,7 @@ async fn save_and_apply_patch(
             global: args.global,
             global_prefix: args.global_prefix.clone(),
             ecosystems: None,
+            force: false,
         };
         let code = super::apply::run(apply_args).await;
         if code != 0 {

crates/socket-patch-cli/tests/e2e_npm.rs

@@ -393,6 +393,98 @@ fn test_npm_global_lifecycle() {
     );
 }
 
+/// `get --save-only` should save the patch to the manifest without applying.
+#[test]
+#[ignore]
+fn test_npm_save_only() {
+    if !has_command("npm") {
+        eprintln!("SKIP: npm not found on PATH");
+        return;
+    }
+
+    let dir = tempfile::tempdir().unwrap();
+    let cwd = dir.path();
+
+    write_package_json(cwd);
+    npm_run(cwd, &["install", "minimist@1.2.2"]);
+
+    let index_js = cwd.join("node_modules/minimist/index.js");
+    assert_eq!(git_sha256_file(&index_js), BEFORE_HASH);
+
+    // Download with --save-only (new name for --no-apply).
+    assert_run_ok(cwd, &["get", NPM_UUID, "--save-only"], "get --save-only");
+
+    // File should still be original.
+    assert_eq!(
+        git_sha256_file(&index_js),
+        BEFORE_HASH,
+        "file should not change after get --save-only"
+    );
+
+    // Manifest should exist with the patch.
+    let manifest_path = cwd.join(".socket/manifest.json");
+    assert!(manifest_path.exists(), "manifest should exist after get --save-only");
+
+    let manifest: serde_json::Value =
+        serde_json::from_str(&std::fs::read_to_string(&manifest_path).unwrap()).unwrap();
+    let patch = &manifest["patches"][NPM_PURL];
+    assert!(patch.is_object(), "manifest should contain {NPM_PURL}");
+    assert_eq!(patch["uuid"].as_str().unwrap(), NPM_UUID);
+
+    // Real apply should work.
+    assert_run_ok(cwd, &["apply"], "apply");
+    assert_eq!(
+        git_sha256_file(&index_js),
+        AFTER_HASH,
+        "file should match afterHash after apply"
+    );
+}
+
+/// `apply --force` should apply patches even when the installed version differs.
+#[test]
+#[ignore]
+fn test_npm_apply_force() {
+    if !has_command("npm") {
+        eprintln!("SKIP: npm not found on PATH");
+        return;
+    }
+
+    let dir = tempfile::tempdir().unwrap();
+    let cwd = dir.path();
+
+    // Install minimist@1.2.2 first, get the patch, then swap to a different version.
+    write_package_json(cwd);
+    npm_run(cwd, &["install", "minimist@1.2.2"]);
+
+    let index_js = cwd.join("node_modules/minimist/index.js");
+    assert_eq!(git_sha256_file(&index_js), BEFORE_HASH);
+
+    // Save the patch without applying.
+    assert_run_ok(cwd, &["get", NPM_UUID, "--save-only"], "get --save-only");
+
+    // Now reinstall a different version to create a hash mismatch.
+    npm_run(cwd, &["install", "minimist@1.2.5"]);
+
+    let mismatched_hash = git_sha256_file(&index_js);
+    assert_ne!(
+        mismatched_hash, BEFORE_HASH,
+        "minimist@1.2.5 should have a different index.js hash"
+    );
+
+    // Normal apply should fail due to hash mismatch.
+    let (code, _stdout, _stderr) = run(cwd, &["apply"]);
+    assert_ne!(code, 0, "apply without --force should fail on hash mismatch");
+
+    // Apply with --force should succeed.
+    assert_run_ok(cwd, &["apply", "--force"], "apply --force");
+
+    assert_eq!(
+        git_sha256_file(&index_js),
+        AFTER_HASH,
+        "index.js should match afterHash after apply --force"
+    );
+}
+
 /// UUID shortcut: `socket-patch <UUID>` should behave like `socket-patch get <UUID>`.
 #[test]
 #[ignore]

crates/socket-patch-cli/tests/e2e_pypi.rs

@@ -517,6 +517,120 @@ fn test_pypi_global_lifecycle() {
     );
 }
 
+/// `get --save-only` should save the patch to the manifest without applying.
+#[test]
+#[ignore]
+fn test_pypi_save_only() {
+    if !has_python3() {
+        eprintln!("SKIP: python3 not found on PATH");
+        return;
+    }
+
+    let dir = tempfile::tempdir().unwrap();
+    let cwd = dir.path();
+
+    setup_venv(cwd);
+
+    let site_packages = find_site_packages(cwd);
+    let messages_py = site_packages.join("pydantic_ai/messages.py");
+    assert!(messages_py.exists());
+    let original_hash = git_sha256_file(&messages_py);
+
+    // Download with --save-only.
+    assert_run_ok(cwd, &["get", PYPI_UUID, "--save-only"], "get --save-only");
+
+    // File should be unchanged.
+    assert_eq!(
+        git_sha256_file(&messages_py),
+        original_hash,
+        "file should not change after get --save-only"
+    );
+
+    // Manifest should exist with the patch.
+    let manifest_path = cwd.join(".socket/manifest.json");
+    assert!(manifest_path.exists(), "manifest should exist after get --save-only");
+
+    let (purl, _) = read_patch_files(&manifest_path);
+    assert!(
+        purl.starts_with(PYPI_PURL_PREFIX),
+        "manifest should contain a pydantic-ai patch"
+    );
+
+    // Real apply should work.
+    assert_run_ok(cwd, &["apply"], "apply");
+
+    let (_, files_value) = read_patch_files(&manifest_path);
+    let files = files_value.as_object().unwrap();
+    let after_hash = files["pydantic_ai/messages.py"]["afterHash"]
+        .as_str()
+        .unwrap();
+    assert_eq!(
+        git_sha256_file(&messages_py),
+        after_hash,
+        "file should match afterHash after apply"
+    );
+}
+
+/// `apply --force` should apply patches even when file hashes don't match.
+#[test]
+#[ignore]
+fn test_pypi_apply_force() {
+    if !has_python3() {
+        eprintln!("SKIP: python3 not found on PATH");
+        return;
+    }
+
+    let dir = tempfile::tempdir().unwrap();
+    let cwd = dir.path();
+
+    setup_venv(cwd);
+
+    let site_packages = find_site_packages(cwd);
+
+    // Save the patch without applying.
+    assert_run_ok(cwd, &["get", PYPI_UUID, "--save-only"], "get --save-only");
+
+    let manifest_path = cwd.join(".socket/manifest.json");
+    let (_, files_value) = read_patch_files(&manifest_path);
+    let files = files_value.as_object().unwrap();
+
+    // Corrupt one of the files to create a hash mismatch.
+    let messages_py = site_packages.join("pydantic_ai/messages.py");
+    let before_hash = files["pydantic_ai/messages.py"]["beforeHash"]
+        .as_str()
+        .unwrap();
+    assert_eq!(
+        git_sha256_file(&messages_py),
+        before_hash,
+        "file should match beforeHash before corruption"
+    );
+
+    std::fs::write(&messages_py, b"# corrupted content\n").unwrap();
+    assert_ne!(
+        git_sha256_file(&messages_py),
+        before_hash,
+        "file should have a different hash after corruption"
+    );
+
+    // Normal apply should fail due to hash mismatch.
+    let (code, _stdout, _stderr) = run(cwd, &["apply"]);
+    assert_ne!(code, 0, "apply without --force should fail on hash mismatch");
+
+    // Apply with --force should succeed.
+    assert_run_ok(cwd, &["apply", "--force"], "apply --force");
+
+    // Verify all files match afterHash.
+    for (rel_path, info) in files {
+        let after_hash = info["afterHash"].as_str().expect("afterHash");
+        let full_path = site_packages.join(rel_path);
+        assert_eq!(
+            git_sha256_file(&full_path),
+            after_hash,
+            "{rel_path} should match afterHash after apply --force"
+        );
+    }
+}
+
 /// UUID shortcut: `socket-patch <UUID>` should behave like `socket-patch get <UUID>`.
 #[test]
 #[ignore]