Explore nb tool installer for language ecosystem CLIs

[justrach]

Context

This is a later-stage exploration issue, intentionally behind the native upstream registry work in #251-#256.

The idea is not to replace Bun or uv immediately. A full Bun/uv replacement would require package-manager-level dependency solving, lockfile semantics, workspaces, script execution, native build handling, registry auth, and ecosystem-specific behavior.

A smaller, more realistic first step would be a nanobrew-native tool installer/runner for language-ecosystem CLIs that currently block top-100 upstream coverage.

Candidate shape

Example commands:

nb tool install npm:claude-code
nb tool install npm:codex
nb tool install npm:gemini-cli
nb tool install pypi:ruff
nb tool run npm:some-cli

Possible registry source classes:

• npm_package
• pypi_package
• go_release_index
• node_dist

The runtime would reuse nanobrew's fast trusted-artifact path where possible:

1. Resolve package/version metadata.
2. Lock package tarball/wheel/archive URLs and checksums.
3. Download into the content-addressed cache.
4. Extract into a tool store.
5. Link declared binaries into /opt/nanobrew/prefix/bin.

Why this is later

Current priority is still native upstream coverage:

• classify top-100 gaps
• add resolver classes for vendor URLs, app/pkg/binary casks, GitHub release assets, and source/binary formulae
• keep install speed as the primary adoption metric
• promote through beta registry gates before stable

This issue should stay at the back of the queue until the native upstream registry path is further along.

Acceptance criteria for revisiting

• The top-100 native upstream roadmap has clearer resolver coverage.
• We identify which top missing tokens truly require package-manager CLI support.
• We document a security model for npm/PyPI package integrity and executable shims.
• We decide whether this is nb tool, a registry source class, or a separate command family.