#!/bin/bash
# MARLOWE Substrate Verification Script
# Build: v34.10
# Purpose: Verify integrity of substrate-defining files against canonical SHA-256 hashes.
#
# Usage (from site root):
#   bash hashes/verify.sh
#
# Returns 0 if all hashes match, non-zero if any have drifted.

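# Abort on the first unhandled command failure.
set -e

# Run from the site root (the parent of this script's directory) so manifest
# paths resolve the same way regardless of the caller's working directory.
# CDPATH is cleared first: an inherited CDPATH can make a relative `cd` land in
# a different tree, and the check would then run against the wrong files.
unset CDPATH
cd -- "$(dirname -- "$0")/.."

# NOTE(review): the manifest lives in the same tree it vouches for, and nothing
# in this script authenticates it. A match therefore shows agreement with the
# manifest, not that the manifest itself is untampered; compare it against a
# signed or separately stored copy when that matters.
if [ ! -f hashes/SHA256SUMS ]; then
  # Diagnostics go to stderr so they are not mistaken for report output.
  echo "ERROR: hashes/SHA256SUMS not found. Are you in the site root?" >&2
  exit 1
fi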

# Report header: what is being verified, with which algorithm, against which
# manifest. One printf call emits each argument on its own line; the trailing
# empty argument produces the blank separator line.
printf '%s\n' \
  "MARLOWE Substrate Hash Verification" \
  "Build:        v34.10" \
  "Algorithm:    SHA-256" \
  "Manifest:     hashes/SHA256SUMS" \
  ""

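# Pick the SHA-256 tool: `sha256sum` where present, otherwise `shasum -a 256`
# (macOS). HASHER is a plain string holding the command plus its options; the
# verification loop expands it unquoted on purpose so it splits into words.
# NOTE(review): the tool is resolved through PATH, so the result is only as
# trustworthy as the PATH this script is run with.
if command -v sha256sum >/dev/null 2>&1; then
  HASHER="sha256sum"
elif command -v shasum >/dev/null 2>&1; then
  HASHER="shasum -a 256"
else
  # Diagnostics go to stderr; exit code 2 distinguishes "cannot hash at all"
  # from a verification failure.
  echo "ERROR: neither sha256sum nor shasum found." >&2
  exit 2
fi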

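# Tallies for the final report. FAIL_FILES accumulates entries separated by a
# literal "\n" (backslash + n); the summary expands those escapes on output.
PASS=0
FAIL=0
FAIL_FILES=""

# Walk the manifest one entry per line. The `|| [ -n "$line" ]` keeps a final
# entry that lacks a trailing newline from being silently left unverified.
while IFS= read -r line || [ -n "$line" ]; do
  # Skip comments and blank lines
  case "$line" in
    '#'* | '') continue ;;
  esac

  # Trim surrounding whitespace (this also drops a stray CR from CRLF files).
  ENTRY=${line#"${line%%[![:space:]]*}"}
  ENTRY=${ENTRY%"${ENTRY##*[![:space:]]}"}

  # Assumes the usual `sha256sum` layout: hash, separator, file name.
  # The hash is the first whitespace-delimited field; the file name is the
  # whole remainder, so names containing spaces are no longer truncated.
  EXPECTED=${ENTRY%%[[:space:]]*}
  REST=${ENTRY#"$EXPECTED"}
  case "$REST" in
    # " *name" is the binary-mode marker written by `sha256sum -b`.
    ' *'*) FILE=${REST#' *'} ;;
    *) FILE=${REST#"${REST%%[![:space:]]*}"} ;;
  esac

  # A listed file that is absent (or an entry with no file name) is a failure.
  if [ ! -f "$FILE" ]; then
    printf 'MISSING:  %s\n' "$FILE"
    FAIL=$((FAIL + 1))
    FAIL_FILES="$FAIL_FILES\n  $FILE (missing)"
    continue
  fi

  # Feed the file on stdin rather than as an argument: a name starting with
  # "-" cannot be taken as an option, and the tool has no file name to escape
  # in its output, so the first field is always the bare digest.
  # $HASHER is intentionally unquoted so "shasum -a 256" splits into words.
  ACTUAL=$($HASHER < "$FILE" | awk '{print $1}')

  # An empty digest (hashing failed, e.g. unreadable file) never counts as a
  # match; it falls through to the failure branch.
  if [ -n "$ACTUAL" ] && [ "$EXPECTED" = "$ACTUAL" ]; then
    PASS=$((PASS + 1))
  else
    printf 'DRIFT:    %s\n' "$FILE"
    printf '  expected: %s\n' "$EXPECTED"
    printf '  actual:   %s\n' "$ACTUAL"
    FAIL=$((FAIL + 1))
    FAIL_FILES="$FAIL_FILES\n  $FILE (drift)"
  fi
done < hashes/SHA256SUMS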

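# Final report and exit status.
#   0 - at least one entry was checked and every entry matched
#   1 - any entry failed, or nothing was checked at all
echo ""
echo "RESULT: $PASS passed, $FAIL failed"

# Success requires at least one verified entry. An empty or comment-only
# manifest would otherwise yield "0 passed, 0 failed" and be reported as intact.
# Any error evaluating the tests below falls through to the failing branches.
if [ "$FAIL" -eq 0 ] && [ "$PASS" -gt 0 ]; then
  echo "STATUS: SUBSTRATE INTACT — all hashes verified"
  echo ""
  echo "1.57 Invariance: LOCKED"
  exit 0
elif [ "$FAIL" -eq 0 ]; then
  # Nothing was hashed, so neither LOCKED nor DRIFT can be claimed.
  echo "STATUS: NO ENTRIES VERIFIED — manifest contained no hash lines"
  echo ""
  echo "1.57 Invariance: UNVERIFIED"
  exit 1
else
  echo "STATUS: SUBSTRATE DRIFT DETECTED"
  # %b expands the literal "\n" separators stored in FAIL_FILES (as `echo -e`
  # did); backslash sequences inside a file name are expanded too.
  printf 'Files with issues:%b\n' "$FAIL_FILES"
  echo ""
  echo "1.57 Invariance: DRIFT"
  exit 1
fi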
