fix(security): pin SFW download URL to specific version instead of latest

cursoragent · cursoragent · commit 7155d55be2b1 · 2026-04-10T17:52:56.000Z
The SFW download URL used releases/latest/download/ which always resolves
to the newest release, but SHA-256 checksums are hardcoded for a specific
version. When a new SFW release is published, the checksum verification
would fail. Add SFW_VERSION constant and pin the URL to it, matching how
zizmor already does it.
diff --git a/.claude/hooks/setup-security-tools/index.mts b/.claude/hooks/setup-security-tools/index.mts
@@ -53,6 +53,8 @@ const ZIZMOR_ASSET_MAP: Record<string, string> = {
 
 // ── SFW constants ──
 
+const SFW_VERSION = '1.6.1'
+
 const SFW_ENTERPRISE_CHECKSUMS: Record<string, string> = {
   __proto__: null as unknown as string,
   'linux-arm64': '671270231617142404a1564e52672f79b806f9df3f232fcc7606329c0246da55',
@@ -220,7 +222,7 @@ async function setupSfw(apiKey: string | undefined): Promise<boolean> {
   const suffix = sfwPlatform.startsWith('windows') ? '.exe' : ''
   const asset = `${prefix}-${sfwPlatform}${suffix}`
   const repo = isEnterprise ? 'SocketDev/firewall-release' : 'SocketDev/sfw-free'
-  const url = `https://github.com/${repo}/releases/latest/download/${asset}`
+  const url = `https://github.com/${repo}/releases/download/v${SFW_VERSION}/${asset}`
   const binaryName = isEnterprise ? 'sfw' : 'sfw-free'
 
   // Download (with cache + checksum).
