fix(sea): add Socket Firewall (sfw) to VFS bundling

Added missing sfw (Socket Firewall) tool to SEA binary builds:

- Updated external-tools.json: Changed sfw from standalone to github-release
  type with SocketDev/sfw-free repository and v1.6.0 version
- Added sfw to all platform mappings (8 platforms supported):
  - darwin-arm64, darwin-x64: Native binaries
  - linux-arm64, linux-x64: Native glibc binaries
  - linux-arm64-musl, linux-x64-musl: Native musl binaries
  - windows-arm64, windows-x64: x64 binaries (ARM64 uses emulation)
- Enhanced downloads.mjs to handle standalone binaries that don't require
  extraction (sfw binaries are not compressed, unlike other tools)

This fixes "File not found in VFS: /snapshot/sfw" error when running
socket-cli SEA binaries with npm/npx/pnpm/yarn commands.

Previous behavior:
- sfw declared in EXTERNAL_TOOLS but never bundled into VFS
- SEA binaries failed with VFS extraction error
- Regular node cli.js worked (downloaded sfw via dlx)

New behavior:
- sfw downloaded from SocketDev/sfw-free releases during SEA build
- sfw bundled into VFS alongside other security tools
- SEA binaries can extract and use sfw from embedded VFS

Sources:
- https://github.com/SocketDev/sfw-free
- https://docs.socket.dev/docs/socket-firewall-free

Author: jdalton

packages/cli/external-tools.json

@@ -46,8 +46,9 @@
   },
   "sfw": {
     "description": "Socket Firewall (sfw)",
-    "type": "standalone",
-    "version": "2.0.4"
+    "type": "github-release",
+    "repository": "SocketDev/sfw-free",
+    "version": "v1.6.0"
   },
   "synp": {
     "description": "Tool for converting between yarn.lock and package-lock.json",

packages/cli/scripts/constants/external-tools-platforms.mjs

@@ -37,6 +37,7 @@ export const PLATFORM_MAP_TOOLS = {
     opengrep: 'opengrep-core_osx_aarch64.tar.gz',
     python:
       'cpython-3.11.14+20260203-aarch64-apple-darwin-install_only.tar.gz',
+    sfw: 'sfw-free-macos-arm64',
     trivy: 'trivy_0.69.1_macOS-ARM64.tar.gz',
     trufflehog: 'trufflehog_3.93.1_darwin_arm64.tar.gz',
   },
@@ -47,6 +48,7 @@ export const PLATFORM_MAP_TOOLS = {
     opengrep: 'opengrep-core_osx_x86.tar.gz',
     python:
       'cpython-3.11.14+20260203-x86_64-apple-darwin-install_only.tar.gz',
+    sfw: 'sfw-free-macos-x86_64',
     trivy: 'trivy_0.69.1_macOS-64bit.tar.gz',
     trufflehog: 'trufflehog_3.93.1_darwin_amd64.tar.gz',
   },
@@ -57,6 +59,7 @@ export const PLATFORM_MAP_TOOLS = {
     opengrep: 'opengrep-core_linux_aarch64.tar.gz',
     python:
       'cpython-3.11.14+20260203-aarch64-unknown-linux-gnu-install_only.tar.gz',
+    sfw: 'sfw-free-linux-arm64',
     trivy: 'trivy_0.69.1_Linux-ARM64.tar.gz',
     trufflehog: 'trufflehog_3.93.1_linux_arm64.tar.gz',
   },
@@ -67,6 +70,7 @@ export const PLATFORM_MAP_TOOLS = {
     opengrep: 'opengrep-core_linux_aarch64.tar.gz',
     python:
       'cpython-3.11.14+20260203-aarch64-unknown-linux-musl-install_only.tar.gz',
+    sfw: 'sfw-free-musl-linux-arm64',
     trivy: 'trivy_0.69.1_Linux-ARM64.tar.gz',
     trufflehog: 'trufflehog_3.93.1_linux_arm64.tar.gz',
   },
@@ -77,6 +81,7 @@ export const PLATFORM_MAP_TOOLS = {
     opengrep: 'opengrep-core_linux_x86.tar.gz',
     python:
       'cpython-3.11.14+20260203-x86_64-unknown-linux-gnu-install_only.tar.gz',
+    sfw: 'sfw-free-linux-x86_64',
     trivy: 'trivy_0.69.1_Linux-64bit.tar.gz',
     trufflehog: 'trufflehog_3.93.1_linux_amd64.tar.gz',
   },
@@ -87,17 +92,19 @@ export const PLATFORM_MAP_TOOLS = {
     opengrep: 'opengrep-core_linux_x86.tar.gz',
     python:
       'cpython-3.11.14+20260203-x86_64-unknown-linux-musl-install_only.tar.gz',
+    sfw: 'sfw-free-musl-linux-x86_64',
     trivy: 'trivy_0.69.1_Linux-64bit.tar.gz',
     trufflehog: 'trufflehog_3.93.1_linux_amd64.tar.gz',
   },
 
   // Windows ARM64 - Python and TruffleHog are native arm64.
-  // Trivy and OpenGrep use x64 binaries (Windows 11 ARM64 emulates x64).
+  // Trivy, OpenGrep, and sfw use x64 binaries (Windows 11 ARM64 emulates x64).
   'windows-arm64': {
     __proto__: null,
     opengrep: 'opengrep-core_windows_x86.zip', // x64 emulated.
     python:
       'cpython-3.11.14+20260203-aarch64-pc-windows-msvc-install_only.tar.gz', // native arm64.
+    sfw: 'sfw-free-windows-x86_64.exe', // x64 emulated.
     trivy: 'trivy_0.69.1_windows-64bit.zip', // x64 emulated.
     trufflehog: 'trufflehog_3.93.1_windows_arm64.tar.gz', // native arm64.
   },
@@ -108,6 +115,7 @@ export const PLATFORM_MAP_TOOLS = {
     opengrep: 'opengrep-core_windows_x86.zip',
     python:
       'cpython-3.11.14+20260203-x86_64-pc-windows-msvc-install_only.tar.gz',
+    sfw: 'sfw-free-windows-x86_64.exe',
     trivy: 'trivy_0.69.1_windows-64bit.zip',
     trufflehog: 'trufflehog_3.93.1_windows_amd64.tar.gz',
   },

packages/cli/scripts/sea-build-utils/downloads.mjs

@@ -316,9 +316,35 @@ export async function downloadExternalTools(platform, arch, isMusl = false) {
       retryDelay: 5000,
     })
 
-    // Extract binary.
-    logger.log(`  Extracting ${toolName}...`)
+    // Extract binary (or handle standalone binaries).
     const isZip = assetName.endsWith('.zip')
+    const isTarGz = assetName.endsWith('.tar.gz') || assetName.endsWith('.tgz')
+    const isStandalone = !isZip && !isTarGz
+
+    if (isStandalone) {
+      // Standalone binary (e.g., sfw) - already downloaded, just rename if needed.
+      logger.log(`  Preparing ${toolName}...`)
+      if (archivePath !== binaryPath) {
+        try {
+          await fs.rename(archivePath, binaryPath)
+        } catch (e) {
+          // Fallback to copy + delete for cross-device moves.
+          await fs.copyFile(archivePath, binaryPath)
+          await fs.unlink(archivePath)
+        }
+      }
+
+      // Make executable on Unix.
+      if (!isPlatWin) {
+        await fs.chmod(binaryPath, 0o755)
+      }
+
+      toolNames.push(binaryName)
+      logger.log(`  ✓ ${toolName} ready`)
+      continue
+    }
+
+    logger.log(`  Extracting ${toolName}...`)
 
     if (isZip) {
       // Use unzip command.