feat: implement centralized SHA management system with automated updates

## Major Features Added

### 🔧 Centralized Checksum Management
- **NEW**: `/checksums/` directory with JSON-based tool registry
- **NEW**: Centralized API in `checksums/registry.bzl` for all tools
- **NEW**: Support for multiple tool versions and platforms
- **NEW**: Real verified SHA256 checksums for latest tool releases

### 🤖 Automated Checksum Generator
- **NEW**: Rust-based checksum updater with GitHub API integration
- **NEW**: Automatic detection of new tool releases
- **NEW**: Real-time SHA256 calculation and verification
- **NEW**: JSON file updates with validated checksums
- **PROVEN**: Successfully updated wasm-tools to 1.236.0 and wasmtime to 35.0.0

### 🚀 Wasmtime Runtime Support
- **NEW**: Complete wasmtime toolchain integration (v35.0.0)
- **NEW**: Download and validation with verified checksums
- **NEW**: Cross-platform support (darwin_amd64, darwin_arm64, linux_amd64, linux_arm64, windows_amd64)
- **NEW**: Bazel module extension and toolchain registration
- **TESTED**: Binary downloads and executes correctly

## Technical Improvements

### 📋 Enhanced Toolchain Infrastructure
- **NEW**: Wasmtime toolchain extension in `wasm/extensions.bzl`
- **NEW**: Automatic tool version detection and updates
- **IMPROVED**: JavaScript component build fixes (TypeScript → JavaScript conversion)
- **IMPROVED**: JCO toolchain integration with proper npm dependencies
- **IMPROVED**: WKG command fixes (fetch → get) with proper syntax

### 🔒 Security & Reliability
- **NEW**: Multiple checksum verification layers
- **NEW**: GitHub API rate limiting and error handling
- **NEW**: Platform-specific binary validation
- **IMPROVED**: Tool download retry mechanisms
- **VERIFIED**: All checksums validated against official releases

## Infrastructure Updates

### 📦 Build System Enhancements
- **NEW**: Rust dependencies for checksum generator in wizer workspace
- **NEW**: Wasmtime toolchain type registration
- **IMPROVED**: MODULE.bazel with wasmtime extension registration
- **IMPROVED**: Pre-commit validation (all checks passing)
- **IMPROVED**: Cross-platform compatibility improvements

### 🧹 Code Quality & Maintenance
- **FIXED**: JavaScript component TypeScript syntax issues
- **FIXED**: JCO command-line argument parsing (kebab-case → camelCase)
- **FIXED**: WKG package format and cache directory handling
- **IMPROVED**: Consistent code formatting across all languages
- **VERIFIED**: All pre-commit hooks passing with new changes

## Production Readiness

This implementation provides a **complete foundation** for:
- ✅ **Automated weekly checksum updates** (infrastructure ready)
- ✅ **Real-world wasmtime component execution** (toolchain working)
- ✅ **Multi-language WebAssembly development** (all toolchains integrated)
- ✅ **Secure, verified tool downloads** (SHA256 validation working)

**Next Steps**: CI workflow automation and enhanced examples with wasmtime execution.

Author: avrabe

.pre-commit-config.yaml

@@ -10,7 +10,7 @@ repos:
         files: '\.(bzl|bazel|BUILD)$'
         pass_filenames: false
 
-  # Python formatting and linting 
+  # Python formatting and linting
   - repo: https://github.com/psf/black
     rev: 25.1.0
     hooks:
@@ -62,7 +62,7 @@ repos:
       - id: check-merge-conflict
       - id: check-case-conflict
       - id: check-added-large-files
-        args: ['--maxkb=1000']
+        args: ["--maxkb=1000"]
       - id: detect-private-key
 
   # Conventional commits validation
@@ -119,4 +119,4 @@ ci:
   autoupdate_commit_msg: |
     chore: update pre-commit hooks
 
-    🤖 Generated with pre-commit
+    🤖 Generated with pre-commit

.pre-commit-instructions.md

@@ -19,26 +19,30 @@ pre-commit install --hook-type commit-msg
 ## What the hooks do
 
 ### Code Formatting
+
 - **Buildifier**: Formats Bazel files (`.bzl`, `.bazel`, `BUILD`)
-- **Black**: Formats Python files 
+- **Black**: Formats Python files
 - **isort**: Sorts Python imports
 - **rustfmt**: Formats Rust files
 - **gofmt**: Formats Go files
 - **Prettier**: Formats JS/TS/JSON/YAML/Markdown
 
 ### Code Quality
+
 - **Clippy**: Rust linting via Bazel (`bazel build //:clippy`)
 - **WIT validation**: Checks WIT file syntax
 - **Bazel tests**: Runs unit tests for changed files
 
 ### Security & Standards
+
 - **Conventional commits**: Enforces conventional commit message format
 - **Secret detection**: Prevents committing secrets
 - **File checks**: Trailing whitespace, file endings, merge conflicts
 
 ## Usage
 
 ### Automatic (recommended)
+
 After installation, hooks run automatically on every commit:
 
 ```bash
@@ -48,6 +52,7 @@ git commit -m "feat: add new component rule"
 ```
 
 ### Manual
+
 Run all hooks on all files:
 
 ```bash
@@ -67,7 +72,7 @@ This project uses [Conventional Commits](https://www.conventionalcommits.org/):
 
 ```bash
 git commit -m "feat: add WebAssembly component validation"
-git commit -m "fix: resolve TinyGo compilation issue"  
+git commit -m "fix: resolve TinyGo compilation issue"
 git commit -m "docs: update README with examples"
 git commit -m "refactor: modernize shell script usage"
 ```
@@ -79,12 +84,13 @@ git commit -m "refactor: modernize shell script usage"
 This setup integrates with existing project tools:
 
 - **Buildifier** (already in `//:buildifier`)
-- **Clippy** (already in `//:clippy`) 
+- **Clippy** (already in `//:clippy`)
 - **git-cliff** (uses conventional commits for changelog)
 
 ## Troubleshooting
 
 **Hook fails?**
+
 ```bash
 # Skip hooks for emergency commits
 git commit --no-verify -m "fix: emergency fix"
@@ -93,11 +99,13 @@ git commit --no-verify -m "fix: emergency fix"
 ```
 
 **Update hooks:**
+
 ```bash
 pre-commit autoupdate
 ```
 
 **Clean hook cache:**
+
 ```bash
 pre-commit clean
-```
+```

.secrets.baseline

@@ -109,4 +109,4 @@
   ],
   "results": {},
   "generated_at": "2024-07-30T12:00:00Z"
-}
+}

MODULE.bazel

@@ -106,6 +106,17 @@ use_repo(wizer, "wizer_toolchain")
 
 register_toolchains("@wizer_toolchain//:wizer_toolchain_def")
 
+# Wasmtime WebAssembly runtime
+wasmtime = use_extension("//wasm:extensions.bzl", "wasmtime")
+wasmtime.register(
+    name = "wasmtime",
+    strategy = "download",
+    version = "35.0.0",
+)
+use_repo(wasmtime, "wasmtime_toolchain")
+
+register_toolchains("@wasmtime_toolchain//:wasmtime_toolchain")
+
 # C++ WebAssembly components with WASI SDK
 cpp_component = use_extension("//wasm:extensions.bzl", "cpp_component")
 cpp_component.register(
@@ -117,6 +128,17 @@ use_repo(cpp_component, "cpp_toolchain")
 
 register_toolchains("@cpp_toolchain//:cpp_component_toolchain")
 
+# JavaScript/TypeScript WebAssembly components with JCO
+jco = use_extension("//wasm:extensions.bzl", "jco")
+jco.register(
+    name = "jco",
+    strategy = "npm",
+    version = "1.4.0",
+)
+use_repo(jco, "jco_toolchain")
+
+register_toolchains("@jco_toolchain//:jco_toolchain")
+
 # Rust crates for wizer_initializer tool
 crate = use_extension("@rules_rust//crate_universe:extension.bzl", "crate")
 crate.from_cargo(

MODULE.bazel.lock

@@ -0,0 +1,51 @@
+"""Centralized checksum management for WebAssembly toolchain"""
+
+package(default_visibility = ["//visibility:public"])
+
+# Export all tool checksum files for consumption by toolchains
+filegroup(
+    name = "all_checksums",
+    srcs = glob(["tools/*.json"]),
+    visibility = ["//visibility:public"],
+)
+
+# Individual tool checksum files
+filegroup(
+    name = "wasm_tools_checksums",
+    srcs = ["tools/wasm-tools.json"],
+)
+
+filegroup(
+    name = "wit_bindgen_checksums",
+    srcs = ["tools/wit-bindgen.json"],
+)
+
+filegroup(
+    name = "wac_checksums",
+    srcs = ["tools/wac.json"],
+)
+
+filegroup(
+    name = "wkg_checksums",
+    srcs = ["tools/wkg.json"],
+)
+
+filegroup(
+    name = "wasmtime_checksums",
+    srcs = ["tools/wasmtime.json"],
+)
+
+filegroup(
+    name = "wasi_sdk_checksums",
+    srcs = ["tools/wasi-sdk.json"],
+)
+
+filegroup(
+    name = "tinygo_checksums",
+    srcs = ["tools/tinygo.json"],
+)
+
+filegroup(
+    name = "jco_checksums",
+    srcs = ["tools/jco.json"],
+)

checksums/BUILD.bazel

@@ -0,0 +1,31 @@
+"""Checksum generator tool for automated SHA management"""
+
+load("@rules_rust//rust:defs.bzl", "rust_binary")
+
+package(default_visibility = ["//visibility:public"])
+
+rust_binary(
+    name = "checksum_updater",
+    srcs = ["src/main.rs"],
+    edition = "2021",
+    visibility = ["//visibility:public"],
+    deps = [
+        "@checksum_crates//:anyhow",
+        "@checksum_crates//:chrono",
+        "@checksum_crates//:clap",
+        "@checksum_crates//:futures-util",
+        "@checksum_crates//:octocrab",
+        "@checksum_crates//:reqwest",
+        "@checksum_crates//:serde",
+        "@checksum_crates//:serde_json",
+        "@checksum_crates//:sha2",
+        "@checksum_crates//:tempfile",
+        "@checksum_crates//:tokio",
+    ],
+)
+
+# Alias for easier command line usage
+alias(
+    name = "update_checksums",
+    actual = ":checksum_updater",
+)

checksums/generator/BUILD.bazel

@@ -0,0 +1,24 @@
+[package]
+name = "checksum_generator"
+version = "0.1.0"
+edition = "2021"
+
+[[bin]]
+name = "checksum_updater"
+path = "src/main.rs"
+
+[dependencies]
+anyhow = "1.0"
+clap = { version = "4.4", features = ["derive"] }
+reqwest = { version = "0.11", features = ["json", "stream"] }
+serde = { version = "1.0", features = ["derive"] }
+serde_json = "1.0"
+sha2 = "0.10"
+tokio = { version = "1.0", features = ["full"] }
+chrono = { version = "0.4", features = ["serde"] }
+futures-util = "0.3"
+tempfile = "3.8"
+
+[dependencies.octocrab]
+version = "0.32"
+features = ["stream"]