🔒 rc-verify.sh

Version: v0.2.2 Script Path: bones/scripts/rc-verify.sh

Purpose

• Enforce file integrity by recomputing SHA256 checksums for each file listed in asset-manifest.yaml and comparing them to recorded values.
• Prevent unblessed or tampered files from persisting by failing on any mismatch.

CLI Interface

rc-verify.sh [--dry-run] [--verbose] [--help] [--warn-only] [--update] [--manifest-path PATH]

Supported flags:

• --help, -h Show usage information and exit.

• --dry-run Preview actions without writing changes.

• --verbose, -v Show detailed logs.

• --warn-only Log mismatches without non-zero exit.

• --update Update manifest entries with computed checksums.

• --manifest-path PATH Specify alternate manifest file.

Workflow Steps

1. Setup & Configuration

   • Locate asset-manifest.yaml and ensure logs/ directory exists.
   • Parse CLI flags for custom behavior.

2. Load Manifest

   • Use yq to read each asset path and sha256 value from the manifest.

3. Verification Loop For each manifest entry, recompute SHA256, compare, log OK or ERROR; on mismatches respect --warn-only.

   Skip any entries where the path is empty or malformed.

4. Manifest Update (optional)

   • If --update is used, replace expected SHA values in the manifest with computed ones.

5. Completion & Exit

   • If any mismatches occurred and not in --warn-only, exit code 1.
   • On success or --warn-only, exit code 0.

Exit Codes

• 0 — All files verified (or mismatches only logged in --warn-only mode).
• 1 — One or more mismatches detected.
• 2 — Manifest not found, or tracked file is missing.

Examples

# Standard verify
./bones/scripts/rc-verify.sh

# Preview without writing
./bones/scripts/rc-verify.sh --dry-run --verbose

# Warn-only mode
./bones/scripts/rc-verify.sh --warn-only

# Update manifest
./bones/scripts/rc-verify.sh --update

# Custom manifest
./bones/scripts/rc-verify.sh --manifest-path config/custom-manifest.yaml