First, Dan complains that the BookmarksManager says "bookmarks" instead of tools for the root node.
Second, and what's bugging me, is that invoking the "Take Screenshot" tool clobbers the current focus URI and the jython script editor. This needs to be disabled for tools.
Third, there needs to be a security validation so that tools show the editor by default, not the code. This would be something like we would keep track of which tools the user has okayed so they are only asked once.
first and second items are done.
For item three, I've decided that any bookmark URI in the tools bookmarks file is trusted. The user added the bookmark to the file, and they were given an okay dialog at the time. This allows teams to publish sets of tools in a remote bookmarks file, and the user can trust the entire bookmarks file which is under their control.
To consider: A trusts B, and B publishes a remote bookmarks file. B trusts C and adds C's remote bookmarks file to B's. Presently, the logic asserts that A trusts C, which is probably not what we want.
I went back in and made it so that it counts the number of levels of remote bookmarks. Now if remote bookmarks form B contain remote bookmarks from C, then a confirm dialog will always be shown.