CD/CD consolidation

devops/vuln/verify_projection.sh

@@ -0,0 +1,25 @@
+#!/usr/bin/env bash
+# Deterministic projection verification for DEVOPS-VULN-29-001/002
+# Usage: ./verify_projection.sh [projection-export.json] [expected-hash-file]
+set -euo pipefail
+PROJECTION=${1:-samples/vuln/events/projection.json}
+EXPECTED_HASH_FILE=${2:-ops/devops/vuln/expected_projection.sha256}
+
+if [[ ! -f "$PROJECTION" ]]; then
+  echo "projection file not found: $PROJECTION" >&2
+  exit 1
+fi
+if [[ ! -f "$EXPECTED_HASH_FILE" ]]; then
+  echo "expected hash file not found: $EXPECTED_HASH_FILE" >&2
+  exit 1
+fi
+
+calc_hash=$(sha256sum "$PROJECTION" | awk '{print $1}')
+expected_hash=$(cut -d' ' -f1 "$EXPECTED_HASH_FILE")
+
+if [[ "$calc_hash" != "$expected_hash" ]]; then
+  echo "mismatch: projection hash $calc_hash expected $expected_hash" >&2
+  exit 2
+fi
+
+echo "projection hash matches ($calc_hash)" >&2