From f4844e90ac39bdb553b9129cb4e3c6b2b894e99e Mon Sep 17 00:00:00 2001
From: jdalton
Date: Fri, 17 Apr 2026 16:41:47 -0400
Subject: [PATCH] chore(tools): add checksum for socket-basics archive

Adds a SHA-256 checksum for the socket-basics source archive in bundle-tools.json and wires it through to the downloader so the download now gets verified like every other bundled tool.

Previously:
- socket-basics was the only bundled tool without a checksum in bundle-tools.json, so the download was trusted as-is.

Now:
- `bundle-tools.json` has `checksums["socket-basics-v2.0.2.tar.gz"]`.
- `downloads.mts` passes `sha256: archiveSha256` to the same `httpDownload(...)` helper the other tools already use, and throws if the checksum entry is missing.

Note: the archive key uses the tag-qualified filename (`socket-basics-v.tar.gz`) to match the existing local-path convention (`socket-basics-${version}.tar.gz`) and stay consistent with the asset-keyed checksums elsewhere in the file.
---
 packages/cli/bundle-tools.json | 5 ++++-
 packages/cli/scripts/sea-build-utils/downloads.mts | 12 ++++++++++++
 2 files changed, 16 insertions(+), 1 deletion(-)

diff --git a/packages/cli/bundle-tools.json b/packages/cli/bundle-tools.json
index 98d1497e7..609780051 100644
--- a/packages/cli/bundle-tools.json
+++ b/packages/cli/bundle-tools.json
@@ -47,7 +47,10 @@
  "repository": "github:SocketDev/socket-basics",
  "release": "archive",
  "version": "v2.0.2",
- "packageManager": "pip"
+ "packageManager": "pip",
+ "checksums": {
+ "socket-basics-v2.0.2.tar.gz": "ba175171f07ac927eb926387e526283320630e80da42da000ec6894a55adeb13"
+ }
 },
 "socketsecurity": {
 "description": "Socket Python CLI (socket-python-cli)",
diff --git a/packages/cli/scripts/sea-build-utils/downloads.mts b/packages/cli/scripts/sea-build-utils/downloads.mts
index cdffbba16..751b7671b 100644
--- a/packages/cli/scripts/sea-build-utils/downloads.mts
+++ b/packages/cli/scripts/sea-build-utils/downloads.mts
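Review bot: The new `checksums` entry pins the bytes of what the downloader comment in downloads.mts calls the source tarball from GitHub; if that is GitHub's auto-generated tag archive rather than an uploaded release asset, its bytes are not guaranteed to stay stable, and the pinned digest can stop matching without any upstream code change. Pinning is still the right call for a bundled tool, but this diff does not say how the value for `socket-basics-v2.0.2.tar.gz` was derived (which URL was hashed, with which tool), so record that somewhere a maintainer will find it, and consider having the downloader's mismatch error mention an upstream archive regeneration as one possible cause alongside tampering. bundle-tools.json is strict JSON, so the provenance note cannot live beside the entry itself.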
@@ -538,6 +538,17 @@ export async function downloadExternalTools(platform, arch, isMusl = false) {
 const releaseVersion = socketBasicsConfig.version
 const version = releaseVersion.replace(/^v/, '') // Remove 'v' prefix for version
 
+ // Checksum key matches the local filename convention used for
+ // archive-style releases (`socket-basics-v.tar.gz`).
+ const archiveKey = `socket-basics-${releaseVersion}.tar.gz`
+ const archiveSha256 = socketBasicsConfig.checksums?.[archiveKey]
+ if (!archiveSha256) {
+ throw new Error(
+ `Missing SHA-256 checksum for socket-basics archive: ${archiveKey}. ` +
+ 'Please update bundle-tools.json with the correct checksum.',
+ )
+ }
+
 logger.log(` Installing socket_basics ${version} from GitHub...`)
 
 // Download source tarball from GitHub.
@@ -551,6 +562,7 @@ export async function downloadExternalTools(platform, arch, isMusl = false) {
 progressInterval: 10,
 retries: 2,
 retryDelay: 5_000,
+ sha256: archiveSha256,
 })
 
 // Install from tarball using pip (handles building and dependencies).
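Review bot: The guard `if (!archiveSha256)` only catches a missing entry; a malformed value in bundle-tools.json (wrong length, non-hex, or not a string) is passed to `httpDownload` unchecked, and whether that helper rejects it or quietly compares against garbage is not visible in this hunk. Tightening the condition to `if (typeof archiveSha256 !== 'string' || !/^[0-9a-f]{64}$/i.test(archiveSha256)) {` and wording the message as `Missing or malformed SHA-256 checksum for socket-basics archive: ${archiveKey}. ` makes a config typo fail fast with a clear error instead of as a confusing verification failure. Separately, the added comment reads `socket-basics-v.tar.gz` as rendered here while the key actually built is `socket-basics-${releaseVersion}.tar.gz` (so `socket-basics-v2.0.2.tar.gz` for the current config); if that is not a rendering artifact, the comment should spell out the interpolation so the two agree. The enclosing downloadExternalTools body starts before and continues after this hunk.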