SDK v4 adds checkMalware() for integrated malware detection.

jdalton · jdalton · commit ee16d6dbeb40 · 2026-04-10T21:01:02.000-04:00
* fix: migrate getSupportedScanFiles to getSupportedFiles (SDK v4)

SDK v4 removed deprecated getSupportedScanFiles(). The replacement
getSupportedFiles(orgSlug) requires an org parameter. Updated all
type references from getReportSupportedFiles to getSupportedFiles.

* fix(tests): update supported files tests for SDK v4 getSupportedFiles(orgSlug)

* fix(tests): correct mock path for fetch-default-org-slug (.mjs not .mts)

* fix: pass orgSlug to fetchSupportedScanFileNames instead of discovering internally
diff --git a/packages/cli/bundle-tools.json b/packages/cli/bundle-tools.json
diff --git a/packages/cli/scripts/environment-variables.mjs b/packages/cli/scripts/environment-variables.mjs
@@ -56,9 +56,9 @@ export class EnvironmentVariables {
       }).trim()
     } catch {}
 
-    // Get external tool versions from external-tools.json.
+    // Get external tool versions from bundle-tools.json.
     const externalTools = JSON.parse(
-      readFileSync(path.join(rootPath, 'external-tools.json'), 'utf-8'),
+      readFileSync(path.join(rootPath, 'bundle-tools.json'), 'utf-8'),
     )
 
     /**
@@ -68,13 +68,13 @@ export class EnvironmentVariables {
       const tool = externalTools[key]
       if (!tool) {
         throw new Error(
-          `External tool "${key}" not found in external-tools.json. Please add it to the configuration.`,
+          `External tool "${key}" not found in bundle-tools.json. Please add it to the configuration.`,
         )
       }
       const value = tool[field]
       if (!value) {
         throw new Error(
-          `External tool "${key}" is missing required field "${field}" in external-tools.json.`,
+          `External tool "${key}" is missing required field "${field}" in bundle-tools.json.`,
         )
       }
       return value
@@ -158,7 +158,7 @@ export class EnvironmentVariables {
   static loadSafe() {
     try {
       const externalTools = JSON.parse(
-        readFileSync(path.join(rootPath, 'external-tools.json'), 'utf-8'),
+        readFileSync(path.join(rootPath, 'bundle-tools.json'), 'utf-8'),
       )
       return {
         INLINED_COANA_VERSION:
diff --git a/packages/cli/scripts/sea-build-utils/downloads.mjs b/packages/cli/scripts/sea-build-utils/downloads.mjs
@@ -35,11 +35,11 @@ import { PLATFORM_MAP_TOOLS } from '../constants/external-tools-platforms.mjs'
 export const logger = getDefaultLogger()
 
 /**
- * External tools configuration loaded from external-tools.json.
+ * External tools configuration loaded from bundle-tools.json.
  * Contains version info, GitHub repos, and download metadata for security tools.
  */
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
-const externalToolsPath = path.join(__dirname, '../../external-tools.json')
+const externalToolsPath = path.join(__dirname, '../../bundle-tools.json')
 export const externalTools = JSON.parse(readFileSync(externalToolsPath, 'utf8'))
 
 /**
@@ -251,13 +251,13 @@ export async function downloadExternalTools(platform, arch, isMusl = false) {
   }
 
   // Security tool versions and GitHub release info.
-  // Versions are read from external-tools.json for centralized management.
+  // Versions are read from bundle-tools.json for centralized management.
   // Repository info is derived from the 'repository' field (format: owner/repo).
   const TOOL_REPOS = {
     __proto__: null,
   }
 
-  // Populate TOOL_REPOS from external-tools.json.
+  // Populate TOOL_REPOS from bundle-tools.json.
   // Filter by type === 'github-release' to include all GitHub-released tools.
   for (const [toolName, toolConfig] of Object.entries(externalTools)) {
     if (toolConfig.type === 'github-release') {
@@ -297,11 +297,11 @@ export async function downloadExternalTools(platform, arch, isMusl = false) {
   for (const [toolName, assetName] of Object.entries(toolsForPlatform)) {
     const config = TOOL_REPOS[toolName]
 
-    // Validate tool exists in TOOL_REPOS (populated from external-tools.json).
+    // Validate tool exists in TOOL_REPOS (populated from bundle-tools.json).
     if (!config) {
       throw new Error(
         `Tool "${toolName}" is defined in platform mappings but not found in TOOL_REPOS. ` +
-          `Ensure "${toolName}" exists in external-tools.json with type "github-release".`,
+          `Ensure "${toolName}" exists in bundle-tools.json with type "github-release".`,
       )
     }
 
@@ -327,7 +327,7 @@ export async function downloadExternalTools(platform, arch, isMusl = false) {
     const tag = config.version
     const url = `https://github.com/${config.owner}/${config.repo}/releases/download/${tag}/${assetName}`
 
-    // Get SHA256 checksum from external-tools.json.
+    // Get SHA256 checksum from bundle-tools.json.
     // SECURITY: Checksum verification is REQUIRED for all external tool downloads.
     // If checksum is missing, the build MUST fail.
     const toolConfig = externalTools[toolName]
@@ -336,7 +336,7 @@ export async function downloadExternalTools(platform, arch, isMusl = false) {
     if (!sha256) {
       throw new Error(
         `Missing SHA-256 checksum for ${toolName} asset: ${assetName}. ` +
-          'This is a security requirement. Please update external-tools.json with the correct checksum.',
+          'This is a security requirement. Please update bundle-tools.json with the correct checksum.',
       )
     }
 
@@ -477,7 +477,7 @@ export async function downloadExternalTools(platform, arch, isMusl = false) {
         if (!wheelSha256) {
           throw new Error(
             `Missing SHA-256 checksum for socketsecurity wheel: ${wheelFilename}. ` +
-              'Please update external-tools.json with the correct checksum.',
+              'Please update bundle-tools.json with the correct checksum.',
           )
         }
 
diff --git a/packages/cli/scripts/sea-build-utils/npm-packages.mjs b/packages/cli/scripts/sea-build-utils/npm-packages.mjs
@@ -20,10 +20,10 @@ import { getRootPath } from './downloads.mjs'
 const logger = getDefaultLogger()
 
 /**
- * External tools configuration loaded from external-tools.json.
+ * External tools configuration loaded from bundle-tools.json.
  */
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
-const externalToolsPath = path.join(__dirname, '../../external-tools.json')
+const externalToolsPath = path.join(__dirname, '../../bundle-tools.json')
 const externalTools = JSON.parse(readFileSync(externalToolsPath, 'utf8'))
 
 /**
@@ -104,7 +104,7 @@ async function downloadNpmPackage(packageSpec, targetDir, expectedIntegrity) {
 /**
  * Download all npm packages with full dependency trees for VFS bundling.
  *
- * Downloads npm packages specified in external-tools.json that have type='npm',
+ * Downloads npm packages specified in bundle-tools.json that have type='npm',
  * installs them with full production dependency trees using Arborist, and packages
  * them into a compressed tar.gz for VFS embedding.
  *
@@ -163,7 +163,7 @@ export async function downloadNpmPackages() {
     }
   }
 
-  // Collect npm packages from external-tools.json.
+  // Collect npm packages from bundle-tools.json.
   const npmPackages = []
   for (const [toolName, toolConfig] of Object.entries(externalTools)) {
     if (toolConfig.type === 'npm') {
@@ -177,7 +177,7 @@ export async function downloadNpmPackages() {
   }
 
   if (npmPackages.length === 0) {
-    logger.warn('No npm packages defined in external-tools.json')
+    logger.warn('No npm packages defined in bundle-tools.json')
     return null
   }
 
diff --git a/packages/cli/scripts/sync-checksums.mjs b/packages/cli/scripts/sync-checksums.mjs
@@ -1,11 +1,11 @@
 #!/usr/bin/env node
 /**
- * Sync checksums from GitHub releases to external-tools.json.
+ * Sync checksums from GitHub releases to bundle-tools.json.
  *
  * For each GitHub-released tool, this script:
  * 1. Fetches checksums.txt from the release (if available)
  * 2. Or downloads each asset and computes SHA-256 checksums
- * 3. Updates external-tools.json with the new checksums
+ * 3. Updates bundle-tools.json with the new checksums
  *
  * Usage:
  *   node scripts/sync-checksums.mjs [--tool=<tool>] [--force] [--dry-run]
@@ -27,7 +27,7 @@ const __filename = fileURLToPath(import.meta.url)
 const __dirname = path.dirname(__filename)
 const packageRoot = path.join(__dirname, '..')
 
-const EXTERNAL_TOOLS_FILE = path.join(packageRoot, 'external-tools.json')
+const EXTERNAL_TOOLS_FILE = path.join(packageRoot, 'bundle-tools.json')
 
 /**
  * Compute SHA-256 hash of a file.
@@ -180,7 +180,7 @@ async function main() {
   const toolArg = args.find(arg => arg.startsWith('--tool='))
   const toolFilter = toolArg ? toolArg.split('=')[1] : undefined
 
-  // Load current external-tools.json.
+  // Load current bundle-tools.json.
   if (!existsSync(EXTERNAL_TOOLS_FILE)) {
     console.error(`Error: ${EXTERNAL_TOOLS_FILE} not found`)
     process.exitCode = 1
diff --git a/packages/cli/scripts/test-wrapper.mjs b/packages/cli/scripts/test-wrapper.mjs
@@ -6,7 +6,7 @@
  * - Cross-platform compatibility (Windows/Unix)
  * - Build validation before running tests
  * - Environment variable loading from .env.test
- * - Inlined variable injection from external-tools.json
+ * - Inlined variable injection from bundle-tools.json
  */
 
 import { existsSync } from 'node:fs'
diff --git a/packages/cli/src/env/checksum-utils.mts b/packages/cli/src/env/checksum-utils.mts
@@ -63,7 +63,7 @@ export function requireChecksum(
   if (!sha256) {
     throw new Error(
       `Missing SHA-256 checksum for ${toolName} asset: ${assetName}. ` +
-        'This is a security requirement. Please update external-tools.json with the correct checksum.',
+        'This is a security requirement. Please update bundle-tools.json with the correct checksum.',
     )
   }
   return sha256
diff --git a/packages/cli/src/env/coana-version.mts b/packages/cli/src/env/coana-version.mts
@@ -12,7 +12,7 @@ export function getCoanaVersion(): string {
   const version = process.env['INLINED_COANA_VERSION']
   if (!version) {
     throw new Error(
-      'INLINED_COANA_VERSION not found. Please ensure @coana-tech/cli is properly configured in external-tools.json.',
+      'INLINED_COANA_VERSION not found. Please ensure @coana-tech/cli is properly configured in bundle-tools.json.',
     )
   }
   return version
diff --git a/packages/cli/src/env/opengrep-version.mts b/packages/cli/src/env/opengrep-version.mts
@@ -12,7 +12,7 @@ export function getOpengrepVersion(): string {
   const version = process.env['INLINED_OPENGREP_VERSION']
   if (!version) {
     throw new Error(
-      'INLINED_OPENGREP_VERSION not found. Please ensure opengrep is properly configured in external-tools.json.',
+      'INLINED_OPENGREP_VERSION not found. Please ensure opengrep is properly configured in bundle-tools.json.',
     )
   }
   return version
diff --git a/packages/cli/src/env/pycli-version.mts b/packages/cli/src/env/pycli-version.mts
@@ -10,7 +10,7 @@ import process from 'node:process'
 
 /**
  * Get the Socket Python CLI version (socketsecurity package) that should be installed.
- * This version is inlined at build time from external-tools.json.
+ * This version is inlined at build time from bundle-tools.json.
  *
  * @returns Socket Python CLI version string (e.g., "0.8.0").
  * @throws Error if version is not inlined at build time.
diff --git a/packages/cli/src/env/sfw-version.mts b/packages/cli/src/env/sfw-version.mts
@@ -19,7 +19,7 @@ export function getSwfVersion(): string {
   const version = process.env['INLINED_SFW_VERSION']
   if (!version) {
     throw new Error(
-      'INLINED_SFW_VERSION not found. Please ensure sfw is properly configured in external-tools.json.',
+      'INLINED_SFW_VERSION not found. Please ensure sfw is properly configured in bundle-tools.json.',
     )
   }
   return version
@@ -32,7 +32,7 @@ export function getSfwNpmVersion(): string {
   const version = process.env['INLINED_SFW_NPM_VERSION']
   if (!version) {
     throw new Error(
-      'INLINED_SFW_NPM_VERSION not found. Please ensure sfw npmVersion is configured in external-tools.json.',
+      'INLINED_SFW_NPM_VERSION not found. Please ensure sfw npmVersion is configured in bundle-tools.json.',
     )
   }
   return version
diff --git a/packages/cli/src/env/socket-basics-version.mts b/packages/cli/src/env/socket-basics-version.mts
@@ -12,7 +12,7 @@ export function getSocketBasicsVersion(): string {
   const version = process.env['INLINED_SOCKET_BASICS_VERSION']
   if (!version) {
     throw new Error(
-      'INLINED_SOCKET_BASICS_VERSION not found. Please ensure socket-basics is properly configured in external-tools.json.',
+      'INLINED_SOCKET_BASICS_VERSION not found. Please ensure socket-basics is properly configured in bundle-tools.json.',
     )
   }
   return version
diff --git a/packages/cli/src/env/socket-patch-version.mts b/packages/cli/src/env/socket-patch-version.mts
@@ -12,7 +12,7 @@ export function getSocketPatchVersion(): string {
   const version = process.env['INLINED_SOCKET_PATCH_VERSION']
   if (!version) {
     throw new Error(
-      'INLINED_SOCKET_PATCH_VERSION not found. Please ensure socket-patch is properly configured in external-tools.json.',
+      'INLINED_SOCKET_PATCH_VERSION not found. Please ensure socket-patch is properly configured in bundle-tools.json.',
     )
   }
   return version
diff --git a/packages/cli/src/env/trivy-version.mts b/packages/cli/src/env/trivy-version.mts
@@ -12,7 +12,7 @@ export function getTrivyVersion(): string {
   const version = process.env['INLINED_TRIVY_VERSION']
   if (!version) {
     throw new Error(
-      'INLINED_TRIVY_VERSION not found. Please ensure trivy is properly configured in external-tools.json.',
+      'INLINED_TRIVY_VERSION not found. Please ensure trivy is properly configured in bundle-tools.json.',
     )
   }
   return version
diff --git a/packages/cli/src/env/trufflehog-version.mts b/packages/cli/src/env/trufflehog-version.mts
@@ -12,7 +12,7 @@ export function getTrufflehogVersion(): string {
   const version = process.env['INLINED_TRUFFLEHOG_VERSION']
   if (!version) {
     throw new Error(
-      'INLINED_TRUFFLEHOG_VERSION not found. Please ensure trufflehog is properly configured in external-tools.json.',
+      'INLINED_TRUFFLEHOG_VERSION not found. Please ensure trufflehog is properly configured in bundle-tools.json.',
     )
   }
   return version
diff --git a/packages/cli/src/utils/dlx/spawn.mts b/packages/cli/src/utils/dlx/spawn.mts
@@ -909,7 +909,7 @@ function getPythonStandaloneInfo(): { assetName: string; url: string } {
     throw new InputError(`Unsupported platform: ${platform}`)
   }
 
-  // Asset name format matches checksums in external-tools.json.
+  // Asset name format matches checksums in bundle-tools.json.
   const assetName = `cpython-${version}+${tag}-${platformTriple}-install_only.tar.gz`
   // URL encoding for the '+' in version string.
   const encodedVersion = `${version}%2B${tag}`
@@ -1338,7 +1338,7 @@ export async function ensureSocketPyCli(
     const pyCliVersion = getPyCliVersion()
 
     // Get checksum for integrity verification.
-    // Checksums are keyed by wheel filename in external-tools.json.
+    // Checksums are keyed by wheel filename in bundle-tools.json.
     const wheelFilename = `socketsecurity-${pyCliVersion}-py3-none-any.whl`
     const checksums = getPyCliChecksums()
     const sha256 = checksums[wheelFilename]
diff --git a/packages/cli/test/setup.mts b/packages/cli/test/setup.mts
@@ -8,10 +8,10 @@ import { fileURLToPath } from 'node:url'
 process.env.DEBUG = ''
 delete process.env.NODE_DEBUG
 
-// Load inlined environment variables from external-tools.json.
+// Load inlined environment variables from bundle-tools.json.
 // These are normally inlined at build time by esbuild, but tests run from source.
 const __dirname = path.dirname(fileURLToPath(import.meta.url))
-const externalToolsPath = path.join(__dirname, '..', 'external-tools.json')
+const externalToolsPath = path.join(__dirname, '..', 'bundle-tools.json')
 
 if (existsSync(externalToolsPath)) {
   try {
@@ -55,6 +55,6 @@ if (existsSync(externalToolsPath)) {
       }
     }
   } catch {
-    // Ignore errors loading external-tools.json.
+    // Ignore errors loading bundle-tools.json.
   }
 }

Original file line number	Diff line number	Diff line change
`@@ -56,9 +56,9 @@ export class EnvironmentVariables {`
`56`	`56`	`}).trim()`
`57`	`57`	`} catch {}`
`58`	`58`
`59`		`- // Get external tool versions from external-tools.json.`
	`59`	`+ // Get external tool versions from bundle-tools.json.`
`60`	`60`	`const externalTools = JSON.parse(`
`61`		`- readFileSync(path.join(rootPath, 'external-tools.json'), 'utf-8'),`
	`61`	`+ readFileSync(path.join(rootPath, 'bundle-tools.json'), 'utf-8'),`
`62`	`62`	`)`
`63`	`63`
`64`	`64`	`/**`
`@@ -68,13 +68,13 @@ export class EnvironmentVariables {`
`68`	`68`	`const tool = externalTools[key]`
`69`	`69`	`if (!tool) {`
`70`	`70`	`throw new Error(`
`71`		- `External tool "${key}" not found in external-tools.json. Please add it to the configuration.`,
	`71`	+ `External tool "${key}" not found in bundle-tools.json. Please add it to the configuration.`,
`72`	`72`	`)`
`73`	`73`	`}`
`74`	`74`	`const value = tool[field]`
`75`	`75`	`if (!value) {`
`76`	`76`	`throw new Error(`
`77`		- `External tool "${key}" is missing required field "${field}" in external-tools.json.`,
	`77`	+ `External tool "${key}" is missing required field "${field}" in bundle-tools.json.`,
`78`	`78`	`)`
`79`	`79`	`}`
`80`	`80`	`return value`
`@@ -158,7 +158,7 @@ export class EnvironmentVariables {`
`158`	`158`	`static loadSafe() {`
`159`	`159`	`try {`
`160`	`160`	`const externalTools = JSON.parse(`
`161`		`- readFileSync(path.join(rootPath, 'external-tools.json'), 'utf-8'),`
	`161`	`+ readFileSync(path.join(rootPath, 'bundle-tools.json'), 'utf-8'),`
`162`	`162`	`)`
`163`	`163`	`return {`
`164`	`164`	`INLINED_COANA_VERSION:`
Original file line number	Diff line number	Diff line change
`@@ -20,10 +20,10 @@ import { getRootPath } from './downloads.mjs'`
`20`	`20`	`const logger = getDefaultLogger()`
`21`	`21`
`22`	`22`	`/**`
`23`		`- * External tools configuration loaded from external-tools.json.`
	`23`	`+ * External tools configuration loaded from bundle-tools.json.`
`24`	`24`	`*/`
`25`	`25`	`const __dirname = path.dirname(fileURLToPath(import.meta.url))`
`26`		`-const externalToolsPath = path.join(__dirname, '../../external-tools.json')`
	`26`	`+const externalToolsPath = path.join(__dirname, '../../bundle-tools.json')`
`27`	`27`	`const externalTools = JSON.parse(readFileSync(externalToolsPath, 'utf8'))`
`28`	`28`
`29`	`29`	`/**`
`@@ -104,7 +104,7 @@ async function downloadNpmPackage(packageSpec, targetDir, expectedIntegrity) {`
`104`	`104`	`/**`
`105`	`105`	`* Download all npm packages with full dependency trees for VFS bundling.`
`106`	`106`	`*`
`107`		`- * Downloads npm packages specified in external-tools.json that have type='npm',`
	`107`	`+ * Downloads npm packages specified in bundle-tools.json that have type='npm',`
`108`	`108`	`* installs them with full production dependency trees using Arborist, and packages`
`109`	`109`	`* them into a compressed tar.gz for VFS embedding.`
`110`	`110`	`*`
`@@ -163,7 +163,7 @@ export async function downloadNpmPackages() {`
`163`	`163`	`}`
`164`	`164`	`}`
`165`	`165`
`166`		`- // Collect npm packages from external-tools.json.`
	`166`	`+ // Collect npm packages from bundle-tools.json.`
`167`	`167`	`const npmPackages = []`
`168`	`168`	`for (const [toolName, toolConfig] of Object.entries(externalTools)) {`
`169`	`169`	`if (toolConfig.type === 'npm') {`
`@@ -177,7 +177,7 @@ export async function downloadNpmPackages() {`
`177`	`177`	`}`
`178`	`178`
`179`	`179`	`if (npmPackages.length === 0) {`
`180`		`- logger.warn('No npm packages defined in external-tools.json')`
	`180`	`+ logger.warn('No npm packages defined in bundle-tools.json')`
`181`	`181`	`return null`
`182`	`182`	`}`
`183`	`183`
Original file line number	Diff line number	Diff line change
`@@ -63,7 +63,7 @@ export function requireChecksum(`
`63`	`63`	`if (!sha256) {`
`64`	`64`	`throw new Error(`
`65`	`65`	`Missing SHA-256 checksum for ${toolName} asset: ${assetName}. ` +
`66`		`- 'This is a security requirement. Please update external-tools.json with the correct checksum.',`
	`66`	`+ 'This is a security requirement. Please update bundle-tools.json with the correct checksum.',`
`67`	`67`	`)`
`68`	`68`	`}`
`69`	`69`	`return sha256`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ export function getCoanaVersion(): string {`
`12`	`12`	`const version = process.env['INLINED_COANA_VERSION']`
`13`	`13`	`if (!version) {`
`14`	`14`	`throw new Error(`
`15`		`- 'INLINED_COANA_VERSION not found. Please ensure @coana-tech/cli is properly configured in external-tools.json.',`
	`15`	`+ 'INLINED_COANA_VERSION not found. Please ensure @coana-tech/cli is properly configured in bundle-tools.json.',`
`16`	`16`	`)`
`17`	`17`	`}`
`18`	`18`	`return version`
Original file line number	Diff line number	Diff line change
`@@ -12,7 +12,7 @@ export function getOpengrepVersion(): string {`
`12`	`12`	`const version = process.env['INLINED_OPENGREP_VERSION']`
`13`	`13`	`if (!version) {`
`14`	`14`	`throw new Error(`
`15`		`- 'INLINED_OPENGREP_VERSION not found. Please ensure opengrep is properly configured in external-tools.json.',`
	`15`	`+ 'INLINED_OPENGREP_VERSION not found. Please ensure opengrep is properly configured in bundle-tools.json.',`
`16`	`16`	`)`
`17`	`17`	`}`
`18`	`18`	`return version`
Original file line number	Diff line number	Diff line change
`@@ -10,7 +10,7 @@ import process from 'node:process'`
`10`	`10`
`11`	`11`	`/**`
`12`	`12`	`* Get the Socket Python CLI version (socketsecurity package) that should be installed.`
`13`		`- * This version is inlined at build time from external-tools.json.`
	`13`	`+ * This version is inlined at build time from bundle-tools.json.`
`14`	`14`	`*`
`15`	`15`	`* @returns Socket Python CLI version string (e.g., "0.8.0").`
`16`	`16`	`* @throws Error if version is not inlined at build time.`