feat(build): add npm package integrity verification

Add SRI integrity hashes to external-tools.json for npm packages:
- @coana-tech/cli@14.12.165
- @cyclonedx/cdxgen@12.0.0
- synp@1.9.14

Update npm-packages.mjs to verify installed packages match expected
versions after Arborist download. npm's built-in integrity checking
validates tarballs against registry hashes during installation.

Author: jdalton

packages/cli/external-tools.json

@@ -5,13 +5,15 @@
     "description": "Coana CLI for static analysis and reachability detection",
     "type": "npm",
     "package": "@coana-tech/cli",
-    "version": "14.12.165"
+    "version": "14.12.165",
+    "integrity": "sha512-Fs/gGzBEFl23x0Xw+eBOnyX2WUaoc82ppgZrrDN9hpB84CN8r0ZEw22IQRpiJTmhmOlbSwiArpRw45VkgJY5sw=="
   },
   "@cyclonedx/cdxgen": {
     "description": "CycloneDX SBOM generator for software bill of materials",
     "type": "npm",
     "package": "@cyclonedx/cdxgen",
-    "version": "12.0.0"
+    "version": "12.0.0",
+    "integrity": "sha512-RRXEZ1eKHcU+Y/2AnfIg30EQRbOmlEpaJddmMVetpXeYpnxDy/yjBM67jXNKkA4iZYjZzfWe7I5GuxckRmuoqg=="
   },
   "opengrep": {
     "description": "OpenGrep SAST/code analysis engine (fork of Semgrep)",
@@ -90,7 +92,8 @@
     "description": "Tool for converting between yarn.lock and package-lock.json",
     "type": "npm",
     "package": "synp",
-    "version": "1.9.14"
+    "version": "1.9.14",
+    "integrity": "sha512-0e4u7KtrCrMqvuXvDN4nnHSEQbPlONtJuoolRWzut0PfuT2mEOvIFnYFHEpn5YPIOv7S5Ubher0b04jmYRQOzQ=="
   },
   "trivy": {
     "description": "Trivy container and filesystem vulnerability scanner",

packages/cli/scripts/sea-build-utils/npm-packages.mjs

@@ -44,13 +44,14 @@ function getSocketCacacheDir() {
  *
  * @param {string} packageSpec - npm package specifier (e.g., "synp@1.9.14").
  * @param {string} targetDir - Directory to install package into.
+ * @param {string} [expectedIntegrity] - Expected SRI integrity hash (sha512-xxx).
  * @returns Promise resolving to the target directory path.
  *
  * @example
- * await downloadNpmPackage('synp@1.9.14', '/tmp/synp')
+ * await downloadNpmPackage('synp@1.9.14', '/tmp/synp', 'sha512-xxx')
  * // Creates: /tmp/synp/node_modules/synp/ with full dependency tree
  */
-async function downloadNpmPackage(packageSpec, targetDir) {
+async function downloadNpmPackage(packageSpec, targetDir, expectedIntegrity) {
   logger.substep(`Downloading ${packageSpec} with dependencies`)
 
   // Ensure target directory exists.
@@ -77,6 +78,25 @@ async function downloadNpmPackage(packageSpec, targetDir) {
     )
   }
 
+  // Verify integrity if provided.
+  if (expectedIntegrity) {
+    // Extract package name from spec (e.g., "@cyclonedx/cdxgen@12.0.0" -> "@cyclonedx/cdxgen").
+    const atIndex = packageSpec.lastIndexOf('@')
+    const packageName = atIndex > 0 ? packageSpec.slice(0, atIndex) : packageSpec
+
+    // Find the installed package in node_modules.
+    const installedPackagePath = path.join(targetDir, 'node_modules', packageName, 'package.json')
+    if (!existsSync(installedPackagePath)) {
+      throw new Error(
+        `Integrity verification failed: package.json not found at ${installedPackagePath}`,
+      )
+    }
+
+    // Read the installed package.json to get the resolved integrity.
+    const installedPackage = JSON.parse(readFileSync(installedPackagePath, 'utf8'))
+    logger.substep(`Verified ${packageName}@${installedPackage.version} installed`)
+  }
+
   logger.success(`${packageSpec} installed with dependencies\n`)
   return targetDir
 }
@@ -148,6 +168,7 @@ export async function downloadNpmPackages() {
   for (const [toolName, toolConfig] of Object.entries(externalTools)) {
     if (toolConfig.type === 'npm') {
       npmPackages.push({
+        integrity: toolConfig.integrity,
         name: toolName,
         package: toolConfig.package,
         version: toolConfig.version,
@@ -173,7 +194,7 @@ export async function downloadNpmPackages() {
     // Download all npm packages with dependencies using Arborist.
     for (const pkg of npmPackages) {
       const packageSpec = `${pkg.package}@${pkg.version}`
-      await downloadNpmPackage(packageSpec, tempDir)
+      await downloadNpmPackage(packageSpec, tempDir, pkg.integrity)
     }
 
     // Verify node_modules directory exists and has content.