
chore: rename external-tools.json to bundle-tools.json#1190

Merged
John-David Dalton (jdalton) merged 5 commits into main from chore/rename-bundle-tools on Apr 11, 2026

Conversation


@jdalton John-David Dalton (jdalton) commented Apr 11, 2026

Summary

  • Rename external-tools.json → bundle-tools.json to clarify its purpose as a VFS bundling manifest (npm packages, GitHub releases, PyPI packages with checksums)
  • Avoids confusion with the external-tools.json used by build-infra in sibling repos (socket-btm, ultrathink) which is a build tool config
  • All source references updated (scripts, src, test setup)

Test plan

  • Unit tests pass (pre-commit hook verified)
  • Build scripts resolve bundle-tools.json correctly

Note

Low Risk
Low risk rename-only change, but any missed reference to external-tools.json will break SEA build/test setup by failing to load tool versions/checksums (e.g., .env.test comments still mention the old name).

Overview
Renames the CLI bundling manifest to bundle-tools.json and updates SEA download/bundling scripts, checksum sync tooling, test setup, and env/version/checksum error messaging to read from the new filename.

This is primarily a wiring/docs update: all places that load tool versions/checksums for inlining and integrity verification now point at bundle-tools.json instead of external-tools.json.

Reviewed by Cursor Bugbot for commit ee16d6d.

* fix: migrate getSupportedScanFiles to getSupportedFiles (SDK v4)

SDK v4 removed deprecated getSupportedScanFiles(). The replacement
getSupportedFiles(orgSlug) requires an org parameter. Updated all
type references from getReportSupportedFiles to getSupportedFiles.

* fix(tests): update supported files tests for SDK v4 getSupportedFiles(orgSlug)

* fix(tests): correct mock path for fetch-default-org-slug (.mjs not .mts)

* fix: pass orgSlug to fetchSupportedScanFileNames instead of discovering internally


John-David Dalton (jdalton) commented Apr 11, 2026

Revised schema proposal v3

Addressing all review feedback + aligning with the external-tools.json pattern now used in socket-btm, ultrathink, and the setup-security-tools hook.

Key design decisions

  1. repository uses host prefix: github:owner/repo, codeberg:owner/repo (defaults to GitHub if bare)
  2. release distinguishes asset vs archive: "asset" or "archive"
  3. tag is the release tag when it differs from version. Defaults to version when absent.
  4. packageManager tells the installer how to install: "npm", "pip", "pnpm"

URL construction

All URLs are built from generic parts:

release tag  = tag ?? version
asset URL    = https://{host}/{owner}/{repo}/releases/download/{release tag}/{asset}
archive URL  = https://{host}/{owner}/{repo}/archive/refs/tags/{release tag}.tar.gz

Example — Python (tag differs from version):

version: "3.11.14", tag: "20260203"
→ .../releases/download/20260203/cpython-3.11.14+20260203-aarch64-apple-darwin-install_only.tar.gz

Example — OpenGrep (no tag field, version used as release tag):

version: "v1.16.0"
→ .../releases/download/v1.16.0/opengrep-core_linux_aarch64.tar.gz

Schema by example

GitHub release asset:

"opengrep": {
  "description": "OpenGrep SAST engine",
  "repository": "github:opengrep/opengrep",
  "release": "asset",
  "version": "v1.16.0",
  "checksums": { ... }
}

Asset with separate release tag:

"python": {
  "description": "Python runtime",
  "repository": "github:astral-sh/python-build-standalone",
  "release": "asset",
  "version": "3.11.14",
  "tag": "20260203",
  "checksums": { ... }
}

GitHub source archive → pip install:

"socket-basics": {
  "description": "Socket Basics",
  "repository": "github:SocketDev/socket-basics",
  "release": "archive",
  "version": "v2.0.2",
  "packageManager": "pip",
  "checksums": { ... }
}

npm package:

"@coana-tech/cli": {
  "description": "Coana CLI",
  "version": "14.12.165",
  "packageManager": "npm",
  "integrity": "sha512-..."
}

PyPI package:

"socketsecurity": {
  "description": "Socket Python CLI",
  "version": "2.2.70",
  "packageManager": "pip",
  "checksums": { ... }
}

Dual-source (GitHub binary + npm fallback):

"sfw": {
  "description": "Socket Firewall",
  "repository": "github:SocketDev/sfw-free",
  "release": "asset",
  "version": "v1.6.1",
  "checksums": { ... },
  "npm": { "package": "sfw", "version": "2.0.4" }
}

Properties

| Property | Purpose | When used |
| --- | --- | --- |
| description | What it is | Always |
| version | Software version | Always |
| tag | Release tag (defaults to version) | When release tag ≠ version |
| repository | host:owner/repo | Git-hosted tools |
| release | "asset" or "archive" | With repository |
| packageManager | "npm", "pip", "pnpm" | Registry installs |
| checksums | SHA-256 per artifact | All downloads |
| integrity | SRI hash | npm packages |
| npm | Secondary npm source | Dual-source tools |
| notes | Human notes | Optional |

Removed

type → release + packageManager · githubRelease → version · buildTag → tag · package → key name · npmPackage/npmVersion → npm: {}

Migrate JSON and all consumers together:
- type 'npm' → packageManager: 'npm'
- type 'github-release' → repository: 'github:...' + release: 'asset'
- type 'github-source' → repository + release: 'archive' + packageManager: 'pip'
- type 'pypi' → packageManager: 'pip'
- githubRelease → version
- buildTag → tag
- npmPackage/npmVersion → npm: { package, version }
@jdalton John-David Dalton (jdalton) merged commit fa6d585 into main Apr 11, 2026
20 of 21 checks passed
@jdalton John-David Dalton (jdalton) deleted the chore/rename-bundle-tools branch April 11, 2026 15:31