fix: update missed external-tools.json references to bundle-tools.json

Author: jdalton

.claude/commands/sync-checksums.md

@@ -1,9 +1,9 @@
-Sync SHA-256 checksums from GitHub releases to external-tools.json using the syncing-checksums skill.
+Sync SHA-256 checksums from GitHub releases to bundle-tools.json using the syncing-checksums skill.
 
 ## What it does
 
 1. Fetches checksums.txt from GitHub releases (or computes from assets)
-2. Updates packages/cli/external-tools.json
+2. Updates packages/cli/bundle-tools.json
 3. Validates JSON syntax
 4. Commits changes (if any)
 

.claude/skills/_shared/security-tools.md

@@ -11,7 +11,7 @@ No install step needed — available after `pnpm install`.
 ## Zizmor
 
 Not an npm package. Installed via `pnpm run setup` which downloads the pinned version
-from GitHub releases with SHA256 checksum verification (see `external-tools.json`).
+from GitHub releases with SHA256 checksum verification (see `bundle-tools.json`).
 
 The binary is cached at `.cache/external-tools/zizmor/{version}-{platform}/zizmor`.
 

.claude/skills/updating-checksums/SKILL.md

@@ -1,7 +1,7 @@
 ---
 name: updating-checksums
 description: >
-  Syncs SHA-256 checksums from GitHub releases to external-tools.json.
+  Syncs SHA-256 checksums from GitHub releases to bundle-tools.json.
   Triggers when user mentions "update checksums", "sync checksums", or after
   releasing new tool versions.
 user-invocable: true
@@ -11,7 +11,7 @@ allowed-tools: Bash, Read, Edit
 # updating-checksums
 
 <task>
-Your task is to sync SHA-256 checksums from GitHub releases to the embedded `external-tools.json` file, ensuring SEA builds have up-to-date integrity verification.
+Your task is to sync SHA-256 checksums from GitHub releases to the embedded `bundle-tools.json` file, ensuring SEA builds have up-to-date integrity verification.
 </task>
 
 <constraints>
@@ -24,10 +24,10 @@ Your task is to sync SHA-256 checksums from GitHub releases to the embedded `ext
 
 ## Phases
 
-1. **Check Current State** - Review current checksums and tool versions in `packages/cli/external-tools.json`.
+1. **Check Current State** - Review current checksums and tool versions in `packages/cli/bundle-tools.json`.
 2. **Sync Checksums** - Run `node packages/cli/scripts/sync-checksums.mjs`. Tries `checksums.txt` from the release first; falls back to downloading assets and computing SHA-256.
-3. **Verify Changes** - `git diff packages/cli/external-tools.json`; validate JSON syntax.
-4. **Commit Changes** - If updated, commit `packages/cli/external-tools.json`.
+3. **Verify Changes** - `git diff packages/cli/bundle-tools.json`; validate JSON syntax.
+4. **Commit Changes** - If updated, commit `packages/cli/bundle-tools.json`.
 
 ## Commands
 

.claude/skills/updating-checksums/reference.md

@@ -46,15 +46,15 @@ This document provides detailed information about external tool checksums, the s
 
 ### How It Works
 
-1. Reads `packages/cli/external-tools.json`
+1. Reads `packages/cli/bundle-tools.json`
 2. Filters tools with `type: "github-release"`
 3. For each tool:
    a. Fetches the GitHub release by tag
    b. Looks for `checksums.txt` asset
    c. If found: parses SHA-256 hashes from checksums.txt
    d. If not found: downloads each release asset and computes SHA-256 via `crypto.createHash('sha256')`
 4. Compares new checksums with existing
-5. Writes updated checksums to external-tools.json
+5. Writes updated checksums to bundle-tools.json
 
 ### Command Reference
 
@@ -146,7 +146,7 @@ Each tool has specific asset naming conventions:
 
 ### Checksum Storage Format
 
-In `external-tools.json`, checksums are stored as:
+In `bundle-tools.json`, checksums are stored as:
 
 ```json
 {
@@ -192,7 +192,7 @@ stream.pipe(hash)
 
 ### Tool with Dual Configuration (sfw)
 
-The `sfw` tool has both a GitHub release binary (`SocketDev/sfw-free`) and an npm package (`sfw` on npmjs.com). Both are tracked in the same `external-tools.json` entry via `type: "github-release"` for the binary checksums and `npmPackage`/`npmVersion` fields for the npm component. The checksums skill only handles the GitHub release binary checksums; the npm package version is updated separately via `pnpm run update`.
+The `sfw` tool has both a GitHub release binary (`SocketDev/sfw-free`) and an npm package (`sfw` on npmjs.com). Both are tracked in the same `bundle-tools.json` entry via `type: "github-release"` for the binary checksums and `npmPackage`/`npmVersion` fields for the npm component. The checksums skill only handles the GitHub release binary checksums; the npm package version is updated separately via `pnpm run update`.
 
 ### python-build-standalone
 
@@ -206,11 +206,11 @@ This tool has no checksums.txt in releases. The sync script must:
 Different tools use different tag formats:
 - Most use `v{version}` (e.g., `v1.16.0`)
 - python-build-standalone uses bare version (e.g., `3.11.14`)
-- The `githubRelease` field in external-tools.json stores the exact tag
+- The `githubRelease` field in bundle-tools.json stores the exact tag
 
 ### Stale Checksums After Version Bump
 
-If someone updates a tool version in external-tools.json but forgets to sync checksums:
+If someone updates a tool version in bundle-tools.json but forgets to sync checksums:
 - SEA builds will fail integrity verification
 - Always run checksum sync after any version change
 
@@ -237,7 +237,7 @@ Authenticated requests get 5,000 requests/hour vs 60 for unauthenticated.
 
 **Symptom:** Script reports release not found for a tool.
 
-**Cause:** The `githubRelease` tag in external-tools.json doesn't match any release.
+**Cause:** The `githubRelease` tag in bundle-tools.json doesn't match any release.
 
 **Solution:**
 ```bash
@@ -258,15 +258,15 @@ gh release list --repo <owner/repo> --limit 5
 
 ### JSON Validation Failure
 
-**Symptom:** Updated external-tools.json is invalid JSON.
+**Symptom:** Updated bundle-tools.json is invalid JSON.
 
 **Solution:**
 ```bash
 # Validate JSON
-node -e "JSON.parse(require('fs').readFileSync('packages/cli/external-tools.json'))"
+node -e "JSON.parse(require('fs').readFileSync('packages/cli/bundle-tools.json'))"
 
 # If corrupted, restore and retry
-git checkout packages/cli/external-tools.json
+git checkout packages/cli/bundle-tools.json
 node packages/cli/scripts/sync-checksums.mjs
 ```
 

.claude/skills/updating/reference.md

@@ -28,7 +28,7 @@ Updated via `pnpm run update` which runs `scripts/update.mjs`:
 
 Updated via the `updating-checksums` skill which runs `packages/cli/scripts/sync-checksums.mjs`:
 
-- Syncs SHA-256 checksums from GitHub releases to `packages/cli/external-tools.json`
+- Syncs SHA-256 checksums from GitHub releases to `packages/cli/bundle-tools.json`
 - Only processes tools with `type: "github-release"`
 
 ---
@@ -68,9 +68,9 @@ After update, these files may be modified:
 
 ## External Tool Checksums
 
-### external-tools.json Structure
+### bundle-tools.json Structure
 
-**Location:** `packages/cli/external-tools.json`
+**Location:** `packages/cli/bundle-tools.json`
 
 **Tool types:**
 
@@ -103,10 +103,10 @@ After update, these files may be modified:
 **Location:** `packages/cli/scripts/sync-checksums.mjs`
 
 **Process:**
-1. Reads `external-tools.json` for GitHub release tools
+1. Reads `bundle-tools.json` for GitHub release tools
 2. For each tool, tries to download `checksums.txt` from the release
 3. If no checksums.txt, downloads each asset and computes SHA-256
-4. Updates embedded checksums in `external-tools.json`
+4. Updates embedded checksums in `bundle-tools.json`
 
 **Options:**
 - `--tool=<name>` - Sync specific tool only
@@ -115,7 +115,7 @@ After update, these files may be modified:
 
 ### When to Sync Checksums
 
-- After manually updating tool versions in external-tools.json
+- After manually updating tool versions in bundle-tools.json
 - After new GitHub releases are published for any tool
 - As part of the full update cycle (run after npm updates)
 

docs/external-tools.md

@@ -27,7 +27,7 @@ Socket CLI integrates with external security tools for scanning, analysis, and v
 
 ## Configuration
 
-All tools are defined in `packages/cli/external-tools.json`:
+All tools are defined in `packages/cli/bundle-tools.json`:
 
 ```json
 {
@@ -129,7 +129,7 @@ When installed via npm, tools are downloaded at runtime.
 
 ### Checksum Verification
 
-All downloads are verified with SHA-256 checksums defined in `external-tools.json`:
+All downloads are verified with SHA-256 checksums defined in `bundle-tools.json`:
 
 ```json
 {
@@ -168,7 +168,7 @@ Environment variables for development/testing:
 
 | File | Purpose |
 |------|---------|
-| `external-tools.json` | Tool definitions, versions, checksums |
+| `bundle-tools.json` | Tool definitions, versions, checksums |
 | `src/utils/dlx/resolve-binary.mts` | Binary resolution logic |
 | `src/utils/dlx/spawn.mts` | Tool spawning (VFS + dlx) |
 | `src/utils/dlx/vfs-extract.mts` | VFS extraction utilities |
@@ -181,7 +181,7 @@ Environment variables for development/testing:
 
 ## Adding a New Tool
 
-1. Add entry to `external-tools.json` with version and checksums
+1. Add entry to `bundle-tools.json` with version and checksums
 2. Create `src/env/{tool}-version.mts` version getter
 3. Create `src/env/{tool}-checksums.mts` checksum getter (if applicable)
 4. Add resolve function in `src/utils/dlx/resolve-binary.mts`

scripts/validate-checksums.mjs

@@ -3,7 +3,7 @@
 /**
  * @fileoverview Build-time validation for SHA-256 checksums.
  * Ensures all required platform-specific tool assets have checksums defined
- * in external-tools.json before building SEA binaries.
+ * in bundle-tools.json before building SEA binaries.
  *
  * This script is a security requirement - builds MUST NOT proceed if any
  * checksums are missing for downloadable binaries.
@@ -28,7 +28,7 @@ const rootPath = path.join(__dirname, '..')
 // Load external tools configuration.
 const externalToolsPath = path.join(
   rootPath,
-  'packages/cli/external-tools.json',
+  'packages/cli/bundle-tools.json',
 )
 const externalTools = JSON.parse(readFileSync(externalToolsPath, 'utf8'))
 
@@ -64,7 +64,7 @@ function validateChecksums() {
     const toolConfig = externalTools[toolName]
 
     if (!toolConfig) {
-      errors.push(`Tool "${toolName}" not found in external-tools.json`)
+      errors.push(`Tool "${toolName}" not found in bundle-tools.json`)
       continue
     }
 
@@ -128,7 +128,7 @@ function validateChecksums() {
     }
     console.log('')
     logger.error(
-      'All external tool assets MUST have SHA-256 checksums defined in external-tools.json.',
+      'All external tool assets MUST have SHA-256 checksums defined in bundle-tools.json.',
     )
     logger.error('This is a security requirement to prevent supply chain attacks.')
     return false