external-tools.json
{
"agentshield": {
"notes": "ecc-agentshield is an npm-only package (no GitHub-release assets). Integrity is the npm dist.integrity sha512 SRI string from the registry packument — same value the setup-security-tools Claude hook stores in its own external-tools.json. The install action reads this entry as tier 0 for version resolution, replacing the old pnpm-workspace.yaml catalog lookup.",
"description": "Claude AI config security scanner (prompt injection, secrets)",
"purl": "pkg:npm/ecc-agentshield@1.4.0",
"integrity": "sha512-R98OO1Ujyk2lezDLb+iQmMhF6FwTJCHajy3G4FCB6x7wkSTqR9f8+eAelC5KDzYDsGSbc0sOZvjXOOPRBtMpDg=="
},
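The agentshield note describes the npm-only pin: the integrity is the registry packument's `dist.integrity` SRI string, and the install action treats the entry as tier 0 for version resolution. The following is an added example (not code from this project or its install action) of the three checks that pin implies: parse the purl, confirm the packument's `dist.integrity` for that version equals the pinned value, then verify the downloaded tarball bytes against the SRI string. The tarball and packument below are constructed stand-ins, not the real ecc-agentshield artifacts.

```python
import base64
import hashlib
import hmac
import re

# One SRI token: <algo>-<base64 digest>, optionally followed by ?options (ignored here).
SRI_TOKEN = re.compile(r"^(sha256|sha384|sha512)-([A-Za-z0-9+/]+={0,2})(\?.*)?$")
DIGEST_LEN = {"sha256": 32, "sha384": 48, "sha512": 64}


def parse_sri(token: str) -> tuple[str, bytes]:
    """Parse one SRI token into (algorithm, raw digest bytes).

    Rejects unknown algorithms and digests whose decoded length does not
    match the algorithm, so a truncated or hand-edited pin fails loudly.
    """
    m = SRI_TOKEN.match(token.strip())
    if not m:
        raise ValueError(f"malformed SRI token: {token!r}")
    algo, b64 = m.group(1), m.group(2)
    digest = base64.b64decode(b64, validate=True)
    if len(digest) != DIGEST_LEN[algo]:
        raise ValueError(f"{algo} digest must be {DIGEST_LEN[algo]} bytes, got {len(digest)}")
    return algo, digest


def sri_of(data: bytes, algo: str = "sha512") -> str:
    """Compute the SRI string the npm registry publishes as dist.integrity."""
    return f"{algo}-{base64.b64encode(hashlib.new(algo, data).digest()).decode('ascii')}"


def verify_sri(data: bytes, integrity: str) -> bool:
    """Check downloaded bytes against a pinned integrity value.

    dist.integrity may hold several whitespace-separated tokens; the strongest
    algorithm present decides, and the comparison is constant-time.
    """
    parsed = [parse_sri(t) for t in integrity.split()]
    algo, want = max(parsed, key=lambda p: DIGEST_LEN[p[0]])
    return hmac.compare_digest(hashlib.new(algo, data).digest(), want)


def purl_npm(purl: str) -> tuple[str, str]:
    """Split 'pkg:npm/<name>@<version>' into (name, version); scoped names keep their prefix."""
    prefix = "pkg:npm/"
    if not purl.startswith(prefix):
        raise ValueError(f"not an npm purl: {purl!r}")
    name, sep, version = purl[len(prefix):].rpartition("@")
    if not sep or not name or not version:
        raise ValueError(f"purl is not version-pinned: {purl!r}")
    return name, version


def check_npm_pin(entry: dict, packument: dict, tarball: bytes) -> bool:
    """Tier-0 pin check for an npm-only tool.

    1. the purl's version must exist in the registry packument,
    2. the registry's dist.integrity for it must equal the pinned integrity,
    3. the tarball bytes must hash to that value.
    Any mismatch means the pin, the registry and the download disagree: do not install.
    """
    _, version = purl_npm(entry["purl"])
    try:
        registry_sri = packument["versions"][version]["dist"]["integrity"]
    except KeyError:
        return False
    if registry_sri != entry["integrity"]:
        return False
    return verify_sri(tarball, entry["integrity"])


# Constructed sample data (not the real ecc-agentshield tarball or packument).
TARBALL = b"constructed stand-in for ecc-agentshield-1.4.0.tgz"
ENTRY = {"purl": "pkg:npm/ecc-agentshield@1.4.0", "integrity": sri_of(TARBALL)}
PACKUMENT = {"name": "ecc-agentshield", "versions": {"1.4.0": {"dist": {"integrity": sri_of(TARBALL)}}}}

if __name__ == "__main__":
    print("pin ok:", check_npm_pin(ENTRY, PACKUMENT, TARBALL))
    print("tampered:", check_npm_pin(ENTRY, PACKUMENT, TARBALL + b"\x00"))
```

The length check in `parse_sri` matters: a base64 string that decodes to the wrong number of bytes is a corrupted pin, and an installer that only compares strings would happily accept whatever the registry returns for it.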
"codedb": {
"notes": [
"codedb is a Zig code-intelligence MCP server (justrach/codedb). Each platform asset is a RAW executable, not a tarball — the asset name IS the binary (codedb-<os>-<arch>), so install copies it directly and chmod +x rather than extracting. update-external-tools.mts recognizes the bare-binary asset shape (no .tar.gz/.zip suffix).",
"Telemetry MUST be disabled: the install + every invocation set CODEDB_NO_TELEMETRY=1 (codedb's documented opt-out). Never ship a codedb shim or MCP launch that omits it.",
"v0.2.5825 published 2026-06-12, inside the 7-day minimumReleaseAge soak, so the pin rides a dated soakBypass (auto-disarms at removable). codedb releases are GitHub-asset distributions from a known publisher; the soak targets npm typosquats / malicious freshpubs. Each asset was checked against the upstream checksums.sha256 before its sha512 SRI value below was computed. Drop the cleared soakBypass on the next routine bump.",
"darwin-x64 maps to codedb-darwin-x86_64 and linux-x64 to codedb-linux-x86_64 (upstream names the Intel/AMD64 assets x86_64)."
],
"description": "Zig code-intelligence MCP server (indexes a repo for fast code search)",
"repository": "github:justrach/codedb",
"version": "0.2.5825",
"soakBypass": {
"version": "0.2.5825",
"published": "2026-06-12",
"removable": "2026-06-19"
},
"release": "asset",
"platforms": {
"darwin-arm64": {
"asset": "codedb-darwin-arm64",
"integrity": "sha512-dlDOa6MfpQxJHMIKI5M4C+2y6X14QpEHiMmmqfyAx9zxBML0Zz5xrmf1pS4oAgZIBJn2R6nRKFS/ppkT+TA0Xg=="
},
"darwin-x64": {
"asset": "codedb-darwin-x86_64",
"integrity": "sha512-bHdINGyi7A3xSeXLnh/UAFYE3Af6zgj602tL6bnsIwyb0j3r6yHb6AobecgCxD0qfUYsRRRQDbtlvJYi7aoA/A=="
},
"linux-arm64": {
"asset": "codedb-linux-arm64",
"integrity": "sha512-1ttAxL53tI57MqUHk33+6PHnYKEIoEgUuK8Y9mYygxPUq5LP9QG9Ja1cT3Br1E1ABcgBkb/abwsHBreEj3CMwg=="
},
"linux-x64": {
"asset": "codedb-linux-x86_64",
"integrity": "sha512-fNbPFko38kdrEokWqwsR0VBLdwBthgdp4gRFc/OrJ/khD0Np2r+lfhwflJwKEPi1Eg1QJ3MAm1LwmW1vWQGOiA=="
}
}
},
"pnpm": {
"notes": [
"pnpm publishes 7 platform-native binaries: linux-{x64,arm64}{,-musl}, darwin-arm64, win-{x64,arm64}. Verified against v11.6.0 (2026-06-13).",
"linux-*-musl tarballs are first-class assets with distinct integrity from the glibc tarballs — the binaries are linked against different libcs and only the matching one runs on its target. Don't 'simplify' by pointing musl keys at the glibc asset.",
"darwin-x64 is the odd one out: upstream dropped the SEA binary in 11.0.5 because of nodejs/node#62893 (upstream LIEF/Mach-O bug that the Node team has declined to fix). Intel Mac instead installs the npm-registry JS tarball (`pnpm-<version>.tgz`) + runs it through system Node. update-external-tools.mts recognizes the `<pkg>-<version>.tgz` asset shape and fetches its integrity from the npm registry rather than the GitHub release.",
"v11.6.0 was bumped via update-external-tools.mts (all 8 platforms re-hashed: GitHub assets + darwin-x64 from the npm registry). It published 2026-06-11, inside the 7-day minimumReleaseAge soak, so the bump rode a dated `soakBypass` entry (auto-disarms at `removable`) — pnpm releases are GitHub-asset distributions from a known publisher; the soak targets npm typosquats / malicious freshpubs. Drop the cleared soakBypass on the next routine bump."
],
"description": "Fast, disk space efficient package manager",
"repository": "github:pnpm/pnpm",
"version": "11.6.0",
"soakBypass": {
"version": "11.6.0",
"published": "2026-06-11",
"removable": "2026-06-18"
},
"release": "asset",
"platforms": {
"darwin-arm64": {
"asset": "pnpm-darwin-arm64.tar.gz",
"integrity": "sha512-DHKwseQ/HKcfXLOrzwLGFAd4SWOyo3jW+PileiHwQaI8/ZDpg0IR1vVz0SzBWWv7O7HinYUjbm1elENkR8EG9w=="
},
"darwin-x64": {
"asset": "pnpm-11.6.0.tgz",
"integrity": "sha512-mjZRgiQIDG/lFlr9z+eb+hGMKb5wPz9GKx4y7+HpjkfodQsUjggoYlCq1BE8x5k8pBPE4s1Ed1JwjC7ldRvJXw=="
},
"linux-arm64": {
"asset": "pnpm-linux-arm64.tar.gz",
"integrity": "sha512-x1bEpvzYu6CLlxc78cfNl4pDTa2sITFCaictgW/TK+QFL1uD1IJe9ssV3tAfclD+RhsIaSrxanPajHzJjGyrlg=="
},
"linux-arm64-musl": {
"asset": "pnpm-linux-arm64-musl.tar.gz",
"integrity": "sha512-gpdSD/YT0eAm3jmS6dWdWwzDuW0gaRuWVQ4qjsWBDX9/KcYCWW1PLZ3JLZ6tiXkkT2a1GSKQUaHuKul57wbqlQ=="
},
"linux-x64": {
"asset": "pnpm-linux-x64.tar.gz",
"integrity": "sha512-uj1Zz76+lcHATLkCrM/JUIIUaIYgXEEXOXNvSO+g3cYd5RXpS6MacuII9TRBAknr2n5XTIi/bAbOLfxF3hk4nw=="
},
"linux-x64-musl": {
"asset": "pnpm-linux-x64-musl.tar.gz",
"integrity": "sha512-4IC9DBZbiJVXz2/VtrZFtXc+OVXUIOhGv6WfN/p27k/rFJOj/57iNNC+MzZDRzlCZsZIAb3WAJUe2B4AAPLsnQ=="
},
"win-arm64": {
"asset": "pnpm-win32-arm64.zip",
"integrity": "sha512-VITunLEwYnoEeVF/UP5QD1qOCDhDy+C+BVhBKq5IT4UTiP3X2wanWCtL1nk5OTHg+oPB7NHaWah0SkLqtMcqTA=="
},
"win-x64": {
"asset": "pnpm-win32-x64.zip",
"integrity": "sha512-oX2y8mihTVM6QEDA8MdXyBGOQ8xxGjqhX1I9+jLfrFY5vCrwpkArhu8bTMq//vMPaS2Rl/nQ7cSgOySnhsvFog=="
}
}
},
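Both the codedb and pnpm notes rely on the same policy: a release younger than the 7-day minimumReleaseAge is refused unless the entry carries a dated soakBypass for that exact version, and once the release has aged past the soak the bypass is dead weight to be dropped. The following is an added example (not this project's install code) of that decision as a pure function. It assumes the real publish date is taken from the upstream source (GitHub release or npm time field) rather than trusted from the entry, so a bypass with dishonest dates is rejected; the fixtures are the codedb and pnpm entries above.

```python
from dataclasses import dataclass
from datetime import date, timedelta

MINIMUM_RELEASE_AGE = timedelta(days=7)  # the soak both notes refer to


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str
    drop_bypass: bool  # True once the soakBypass has done its job and should go on the next bump


def bypass_dates_consistent(bypass: dict) -> bool:
    """removable must be exactly published + minimumReleaseAge; anything else is a hand-edit error."""
    published = date.fromisoformat(bypass["published"])
    removable = date.fromisoformat(bypass["removable"])
    return removable - published == MINIMUM_RELEASE_AGE


def evaluate_pin(entry: dict, release_published: date, today: date) -> Decision:
    """Decide whether a pinned version may be installed on `today`.

    entry             -- one external-tools.json entry (version + optional soakBypass)
    release_published -- the release's publish date as reported by the upstream source,
                         not copied from the entry (the entry is what we are auditing)
    """
    version = entry["version"]
    age = today - release_published
    bypass = entry.get("soakBypass")
    bypass_matches = bypass is not None and bypass.get("version") == version

    if age >= MINIMUM_RELEASE_AGE:
        # Past the soak: install, and flag a leftover bypass so it gets cleaned up.
        return Decision(True, f"{version} is {age.days}d old, past the {MINIMUM_RELEASE_AGE.days}d soak",
                        drop_bypass=bypass_matches)

    if not bypass_matches:
        return Decision(False, f"{version} is {age.days}d old (< {MINIMUM_RELEASE_AGE.days}d) "
                               f"and has no soakBypass for this version", False)

    # Inside the soak with a bypass: it must agree with the real publish date and expire
    # exactly when the soak would have ended anyway, so it cannot be stretched by editing dates.
    if date.fromisoformat(bypass["published"]) != release_published or not bypass_dates_consistent(bypass):
        return Decision(False, f"soakBypass for {version} has dates that do not match the release", False)
    return Decision(True, f"{version} inside soak; dated soakBypass armed until {bypass['removable']}", False)


# The codedb and pnpm entries from this file, as test fixtures.
CODEDB = {"version": "0.2.5825",
          "soakBypass": {"version": "0.2.5825", "published": "2026-06-12", "removable": "2026-06-19"}}
PNPM = {"version": "11.6.0",
        "soakBypass": {"version": "11.6.0", "published": "2026-06-11", "removable": "2026-06-18"}}

if __name__ == "__main__":
    for tool, entry, published in (("codedb", CODEDB, date(2026, 6, 12)), ("pnpm", PNPM, date(2026, 6, 11))):
        for today in (date(2026, 6, 14), date(2026, 6, 20)):
            d = evaluate_pin(entry, published, today)
            print(tool, today, "allow" if d.allowed else "deny", "(drop bypass)" if d.drop_bypass else "", d.reason)
```

The `drop_bypass` flag is what turns "drop the cleared soakBypass on the next routine bump" from a reminder in the notes into something the bump tooling can assert on.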
"rust": {
"notes": "Rust toolchain — required by socket-btm's Node 26+ build to link the temporal_rs Rust crate that backs Temporal. Per Node BUILDING.md \"Building Node.js with Temporal support\": rustc/cargo >= 1.82 with LLVM >= 19. The minimum is what configure.py asserts at build time; downstream consumers (CI runners + local dev machines) typically have a newer stable toolchain via rustup, which is fine. Unlike pnpm/sfw/zizmor this entry has no per-platform integrity — Rust is installed via rustup or a runner-image preinstall, not by downloading a single tarball. Workflows install it via `dtolnay/rust-toolchain@stable` (CI) or `rustup default stable` (local).",
"description": "Rust toolchain — required for Node 26+ Temporal support",
"repository": "rust-lang/rust",
"minVersion": "1.82.0",
"minLlvmVersion": "19",
"release": "rustup",
"components": ["rustc", "cargo"]
},
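The rust entry has no integrity to verify; its check is a version floor (rustc/cargo >= 1.82 with LLVM >= 19) that configure.py asserts at build time. The following is an added example (not from this project or from Node's configure.py) of performing that check from `rustc -vV` output, whose `release:` and `LLVM version:` lines carry both numbers. The transcript below is constructed to have the shape of real output; the commit hash and dates are placeholders.

```python
import re

# Requirements from the "rust" entry above.
MIN_RUSTC = "1.82.0"
MIN_LLVM = "19"


def parse_rustc_vv(output: str) -> dict[str, str]:
    """Parse `rustc -vV` output: first line is the banner, the rest are 'key: value' pairs."""
    lines = [ln for ln in output.strip().splitlines() if ln.strip()]
    if not lines or not lines[0].startswith("rustc "):
        raise ValueError("not rustc -vV output")
    info = {"banner": lines[0]}
    for line in lines[1:]:
        key, sep, value = line.partition(":")
        if sep:
            info[key.strip()] = value.strip()
    return info


def parse_version(text: str) -> tuple[int, ...]:
    """'1.85.0-nightly' -> (1, 85, 0); '19' -> (19,). Only the leading dotted-numeric prefix counts."""
    m = re.match(r"\s*(\d+(?:\.\d+)*)", text)
    if not m:
        raise ValueError(f"no version number in {text!r}")
    return tuple(int(p) for p in m.group(1).split("."))


def toolchain_ok(rustc_vv: str, min_rustc: str = MIN_RUSTC, min_llvm: str = MIN_LLVM) -> tuple[bool, str]:
    """Check the release and its bundled LLVM against the entry's minimums.

    Tuple comparison gives '19.1.7' >= '19' and '1.81.0' < '1.82.0' without a semver
    library, which is enough for an 'at least this stable' floor.
    """
    info = parse_rustc_vv(rustc_vv)
    for label, have, want in (("rustc", info.get("release", ""), min_rustc),
                              ("LLVM", info.get("LLVM version", ""), min_llvm)):
        if not have:
            return False, f"{label} version missing from rustc -vV output"
        if parse_version(have) < parse_version(want):
            return False, f"{label} {have} is older than the required {want}"
    return True, (f"rustc {info['release']} with LLVM {info['LLVM version']} "
                  f"satisfies >= {min_rustc} / LLVM >= {min_llvm}")


# Constructed rustc -vV transcript (shape of real output; hash and dates are placeholders).
RUSTC_VV_OK = """\
rustc 1.85.0 (0000000 2025-01-01)
binary: rustc
commit-hash: 0000000000000000000000000000000000000000
commit-date: 2025-01-01
host: x86_64-unknown-linux-gnu
release: 1.85.0
LLVM version: 19.1.7
"""

if __name__ == "__main__":
    import subprocess
    try:
        out = subprocess.run(["rustc", "-vV"], capture_output=True, text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        out = RUSTC_VV_OK  # fall back to the constructed transcript when rustc is not installed
    print(toolchain_ok(out))
```

Checking the `LLVM version:` line separately matters because a distro-packaged rustc can satisfy the 1.82 floor while being linked against an older system LLVM, which is exactly the case the note's second requirement exists to catch.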
"sfw": {
"notes": [
"SFW (Socket Firewall) is published in two flavors: free (public, SocketDev/sfw-free) and enterprise (private, SocketDev/firewall-release). Both ship the same 7-platform set: linux-{x64,arm64}{,-musl}, darwin-{x64,arm64}, win-x64. win-arm64 is intentionally absent — upstream does not yet build it. Unlike zizmor (a security audit), SFW is a required dependency of the install flow, so consumers on win-arm64 must skip SFW-dependent steps until upstream support lands.",
"Setup action picks the enterprise flavor when SOCKET_API_KEY is in env, otherwise the free flavor. Enterprise downloads require GITHUB_TOKEN auth (private repo); install-tool.mjs forwards GITHUB_TOKEN automatically when set."
],
"description": "Socket Firewall — package manager command wrapper",
"version": "1.12.0",
"release": "asset",
"free": {
"repository": "github:SocketDev/sfw-free",
"binaryName": "sfw",
"platforms": {
"darwin-arm64": {
"asset": "sfw-free-macos-arm64",
"integrity": "sha512-lwh/AIf7HXVIrE28LDfvtJqnaGb7azC+Up8Hi/c9hIfn9wMRt55misCKx9b6CjYi+d3bHladYNYPlqVtlqNpcQ=="
},
"darwin-x64": {
"asset": "sfw-free-macos-x86_64",
"integrity": "sha512-iBLJ7bzrnnUPmUbN8FFzmXNYowWnahOD4DWzKYbneeCsvFa1xlHT4LaLWTysatd5npJIO7QOiRow6yw/tgjCWw=="
},
"linux-arm64": {
"asset": "sfw-free-linux-arm64",
"integrity": "sha512-TZ0hzAzPyNfi1PgqU5+TzkrlBcWXZlXaSHkx1/wzIck4vlZXFQI8i7CCvWYihrJQ3zgEwVI30MmrqsJ9W7xWQw=="
},
"linux-arm64-musl": {
"asset": "sfw-free-musl-linux-arm64",
"integrity": "sha512-O+X0JxQJJn2YpAJFP38ZuG156pewgk+HJBVUTJZM8AMZSbERLy6LLDD2S8uwPXpMXDD9uRy8/h7EpRcu1OQLcw=="
},
"linux-x64": {
"asset": "sfw-free-linux-x86_64",
"integrity": "sha512-Yuu+qoqxa0n7WIS9NMI3uuitUMoELbbUqJm3W6L2AsMJNZpVekXKmrZIhEjxWjJqvKt3mErKxK+izdP3/F+64Q=="
},
"linux-x64-musl": {
"asset": "sfw-free-musl-linux-x86_64",
"integrity": "sha512-U4WJeq+/Z634uFvW0+Hvmb/BUutMeiZQ1dwP40/wKMiCDwKGPr+Unl4KqwaG3qaLjkTRJ938sUWQy+/gFeEmDg=="
},
"win-x64": {
"asset": "sfw-free-windows-x86_64.exe",
"integrity": "sha512-tkZHeaxydBStW6SsCi5S2jLMtdj2UQ/PdZb/ch8W532UjFdZUJD0oygW/YWliK0HQkcyw5GQm2d1iZU0P/yElg=="
}
}
},
"enterprise": {
"repository": "github:SocketDev/firewall-release",
"binaryName": "sfw",
"platforms": {
"darwin-arm64": {
"asset": "sfw-macos-arm64",
"integrity": "sha512-G7te2xB1Q+K/k/2Wijbn96eJZUZoNFlDNKURydLBLB69Jkuc1M1lNFbqxiyP8tfOlMIBKWxRwfZyeX9ipPy4Ew=="
},
"darwin-x64": {
"asset": "sfw-macos-x86_64",
"integrity": "sha512-/ogpJY01pDTEcvDPq09FNxGP5eXu4d+ab2RxT1r4he0ptfCOGOO3rQXfxTFqrOmS+OSz5RZe+4qPupM4nGriMQ=="
},
"linux-arm64": {
"asset": "sfw-linux-arm64",
"integrity": "sha512-oXhTWx/I/1yZRn0ik3DL5y2/4RZqv/msJpTi6m190jBGg/x7bgqJO4uCOUJe1+iudK3bNGsYB8zs6vIJTLwA7g=="
},
"linux-arm64-musl": {
"asset": "sfw-musl-linux-arm64",
"integrity": "sha512-VtvO4OkLNO7XW1YwY73WoIZeRp7sMg+LbdeL2CVy5bgysTnuBxKrkkJvW41BsuScVdf7nt/bh5V8ZBAMN993rg=="
},
"linux-x64": {
"asset": "sfw-linux-x86_64",
"integrity": "sha512-91W90AOLI0RBN6lsPor2wf7wUvV3hzebXf0SM7SEzVPGM76Yjwj2D5E/jtJ8LjNNE7afggUDEtgMvFSTmgnZDg=="
},
"linux-x64-musl": {
"asset": "sfw-musl-linux-x86_64",
"integrity": "sha512-5CUE3LnXKzRqoT7SmT/yDBtyVyiUqwKtgS11j7qEhb2KJI3kztBuUQwBoOKPxxwpS0X7R/DuANvax7pQ76f4xw=="
},
"win-x64": {
"asset": "sfw-windows-x86_64.exe",
"integrity": "sha512-GXKV67rN0XTP+2v9VTfzz84N09x9UkEItj2wmcA7pmy5YoLPF/+Z/XkVGoUHzVSTTeivbYicRLAxl8BNkoUZ6w=="
}
}
}
},
"skillspector": {
"notes": "NVIDIA/skillspector has no releases or semver tags — pinned to a commit SHA on main. version is the 8-char short SHA; versionDate is the committer date of that SHA (ISO 8601). The cascade tool bumps both by calling the GitHub commits API. Installed via pipx at CI time using the pipx-git release shape.",
"description": "NVIDIA skill security scanner (YARA + AST + OSV.dev CVE + optional LLM analysis)",
"repository": "github:NVIDIA/skillspector",
"release": "pipx-git",
"version": "2eb84478",
"versionDate": "2026-05-18"
},
"zizmor": {
"notes": "Socket fleet targets 8 platforms: linux-x64, linux-arm64, linux-x64-musl, linux-arm64-musl, darwin-x64, darwin-arm64, win-x64, win-arm64. zizmor upstream (zizmorcore/zizmor) only publishes 5 of those: linux-gnu x64+arm64, darwin x64+arm64, win-x64. The three unsupported combos (linux-x64-musl, linux-arm64-musl, win-arm64) are intentionally absent below — adding alias keys that point at a different platform's binary would fail sha512 integrity verification on those runners. Workflows that need zizmor on linux-musl or win-arm64 must conditionally skip the audit on those cells until upstream ships matching binaries.",
"description": "GitHub Actions security linter",
"repository": "github:zizmorcore/zizmor",
"version": "1.25.2",
"release": "asset",
"platforms": {
"darwin-arm64": {
"asset": "zizmor-aarch64-apple-darwin.tar.gz",
"integrity": "sha512-LUPNdfltqkBiFfPSUAWJovrH4kaqOoFQgn1ISEKc6yOmsUD1cYmKvnnsYfDP/Y1KsMua+BKNWJ3B9IMb0D1lpg=="
},
"darwin-x64": {
"asset": "zizmor-x86_64-apple-darwin.tar.gz",
"integrity": "sha512-M/T9PX+FRG1VvfS34T3aXXJ95DjpnsxcJV767BHYfKhmy/oUecI4v3jIwDBGnDt52oDtZTHx9H0uMVKg9NaNOA=="
},
"linux-arm64": {
"asset": "zizmor-aarch64-unknown-linux-gnu.tar.gz",
"integrity": "sha512-SBFp8h++QWZEZ5SfkmPxElDUYy5u0JUkgbzlz90gmB3UPbKgOcYqKOn6mY1tha5+RriMmuNtZxtrAiihECMOFA=="
},
"linux-x64": {
"asset": "zizmor-x86_64-unknown-linux-gnu.tar.gz",
"integrity": "sha512-FSmYWvlOzySHwlI2IkoEQNHfRU/UitumuQJc+umYyYcDr50colg0Bzio74YS19sGH41leMdXu4KJtB5XM45eUg=="
},
"win-x64": {
"asset": "zizmor-x86_64-pc-windows-msvc.zip",
"integrity": "sha512-OhgPngI8gKygJFKa3VGk5y4S7KUuW5CPyBiI1WvfM58OHd5rUbdillfJeLsLhRbOMFAdigdUeZtNDyR6VPIs1A=="
}
}
}
}
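The invariants the notes state in prose (every integrity is a sha512 SRI string, no platform key aliases another's asset, a soakBypass names the pinned version and its removable date is exactly published + 7 days, a pipx-git pin is a commit SHA rather than a tag, SFW flavors ship identical platform sets) are the kind of thing a pre-commit lint should enforce rather than a reviewer's eye. The following is an added linter for this file's schema (not the project's update-external-tools.mts or any code it ships). The `SAMPLE` fixture below reuses values from the entries above plus one deliberately broken constructed entry so the findings are visible; the `broken-example` name and repository are invented for that purpose.

```python
import re
from datetime import date, timedelta

FLEET = {"linux-x64", "linux-arm64", "linux-x64-musl", "linux-arm64-musl",
         "darwin-x64", "darwin-arm64", "win-x64", "win-arm64"}
SRI_SHA512 = re.compile(r"^sha512-[A-Za-z0-9+/]{86}==$")  # 64-byte digest, base64 with two pad chars
COMMIT_SHA = re.compile(r"^[0-9a-f]{7,40}$")
SOAK = timedelta(days=7)


def lint_platforms(label: str, platforms: dict, findings: list) -> None:
    """Per-platform table: known keys, well-formed sha512 SRI, and no two keys sharing an asset or digest."""
    seen: dict[str, dict[str, str]] = {"asset": {}, "integrity": {}}
    for key, spec in platforms.items():
        if key not in FLEET:
            findings.append(f"{label}/{key}: not a fleet platform key")
        if not SRI_SHA512.match(spec.get("integrity", "")):
            findings.append(f"{label}/{key}: integrity is not a sha512 SRI string")
        for field in ("asset", "integrity"):
            first = seen[field].setdefault(spec[field], key)
            if first != key:
                findings.append(f"{label}/{key}: {field} duplicates {first} (aliases another platform's binary)")


def lint_tools(tools: dict, today: date) -> list[str]:
    """Return a list of findings; an empty list means the file passes."""
    findings: list[str] = []
    for name, e in tools.items():
        release = e.get("release", "npm" if "purl" in e else None)
        if release == "asset":
            flavors = {f: e[f] for f in ("free", "enterprise") if f in e} or {"": e}
            for flavor, src in flavors.items():
                lint_platforms(f"{name}/{flavor}" if flavor else name, src["platforms"], findings)
            if len({frozenset(src["platforms"]) for src in flavors.values()}) != 1:
                findings.append(f"{name}: flavors do not ship the same platform set")
        elif release == "npm":
            if "@" not in e["purl"].rsplit("/", 1)[-1]:
                findings.append(f"{name}: purl is not version-pinned")
            if not SRI_SHA512.match(e.get("integrity", "")):
                findings.append(f"{name}: integrity is not a sha512 SRI string")
        elif release == "pipx-git":
            if not COMMIT_SHA.match(e.get("version", "")):
                findings.append(f"{name}: pipx-git version must be a commit SHA, not a tag")
            try:
                date.fromisoformat(e["versionDate"])
            except (KeyError, ValueError):
                findings.append(f"{name}: versionDate missing or not ISO 8601")
        elif release == "rustup":
            if not re.fullmatch(r"\d+\.\d+\.\d+", e.get("minVersion", "")):
                findings.append(f"{name}: minVersion must be MAJOR.MINOR.PATCH")
        else:
            findings.append(f"{name}: unknown release shape {release!r}")

        bypass = e.get("soakBypass")
        if bypass:
            if bypass.get("version") != e.get("version"):
                findings.append(f"{name}: soakBypass.version does not match version")
            published = date.fromisoformat(bypass["published"])
            removable = date.fromisoformat(bypass["removable"])
            if removable - published != SOAK:
                findings.append(f"{name}: soakBypass.removable must be published + {SOAK.days}d")
            if today >= removable:
                findings.append(f"{name}: soakBypass cleared on {removable}; drop it on the next bump")
    return findings


PLACEHOLDER = "sha512-" + "A" * 86 + "=="  # well-formed shape only; constructed, not a real digest
SAMPLE = {
    "codedb": {"repository": "github:justrach/codedb", "version": "0.2.5825", "release": "asset",
               "soakBypass": {"version": "0.2.5825", "published": "2026-06-12", "removable": "2026-06-19"},
               "platforms": {"linux-x64": {"asset": "codedb-linux-x86_64", "integrity": PLACEHOLDER}}},
    "skillspector": {"release": "pipx-git", "version": "2eb84478", "versionDate": "2026-05-18"},
    "rust": {"release": "rustup", "minVersion": "1.82.0"},
    "agentshield": {"purl": "pkg:npm/ecc-agentshield@1.4.0", "integrity": PLACEHOLDER},
    # Constructed broken entry: the musl key is aliased onto the glibc tarball, and the
    # bypass's removable date is 30 days out instead of published + 7d.
    "broken-example": {"repository": "github:constructed/broken-example", "version": "2.0.0", "release": "asset",
                       "soakBypass": {"version": "2.0.0", "published": "2026-06-10", "removable": "2026-07-10"},
                       "platforms": {"linux-x64": {"asset": "broken-linux-x64.tar.gz", "integrity": PLACEHOLDER},
                                     "linux-x64-musl": {"asset": "broken-linux-x64.tar.gz", "integrity": PLACEHOLDER}}},
}

if __name__ == "__main__":
    import json, sys
    tools = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for finding in lint_tools(tools, date.today()) or ["ok: no findings"]:
        print(finding)
```

Run it as `python lint_external_tools.py external-tools.json` (the script name is arbitrary) in a pre-commit hook or CI step; the duplicate-asset check is the mechanical form of the pnpm note's warning against pointing musl keys at the glibc tarball, and the `drop it on the next bump` finding is what keeps cleared soakBypass entries from lingering.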