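#!/usr/bin/env bash
#
# Offline verifier stub for SBOM -> VEX proof bundles.
#
# Usage: <script> <sbom.json> <vex.json> <dsse.json> <rekor.json>
#   $1  SBOM document (JSON)
#   $2  VEX document (JSON)
#   $3  DSSE envelope (JSON)
#   $4  Rekor log snapshot (JSON)
#
# Every input is canonicalised with `jq -S .` (sorted keys, jq's standard
# pretty-printing); the four canonical forms are then concatenated in the
# fixed order sbom, dsse, rekor, vex and hashed with SHA-256.  The resulting
# "chain-hash" is printed on stdout.
#
# This stub does NOT verify DSSE signatures, Rekor inclusion or trust roots
# (see the closing message); it only produces a reproducible digest over the
# canonical inputs.  Requires jq plus sha256sum (or `shasum -a 256`).
set -euo pipefail

#######################################
# Print a diagnostic to stderr and exit.
# Arguments: $1 - message, $2 - exit status (default 1)
#######################################
die() {
  local status=${2:-1}
  printf '%s\n' "$1" >&2
  exit "$status"
}

#######################################
# Canonicalise one JSON input (sorted keys) into a temp file.
# Arguments: $1 - label used in messages
#            $2 - source path
#            $3 - destination path
# Returns:   0 on success; exits via die() on unreadable/invalid/empty input
#######################################
canonicalise() {
  local label=$1 src=$2 dst=$3
  [[ -r "$src" ]] || die "cannot read $label input: $src"
  jq -S . "$src" > "$dst" || die "$label is not valid JSON: $src"
  # jq exits 0 and prints nothing for an empty file, so without this check an
  # empty input would silently drop out of the chain-hash.
  [[ -s "$dst" ]] || die "$label contains no JSON document: $src"
}

main() {
  if (( $# < 4 )); then
    printf 'usage: %s <sbom.json> <vex.json> <dsse.json> <rekor.json>\n' "$0" >&2
    exit 1
  fi
  local sbom=$1 vex=$2 dsse=$3 rekor=$4

  command -v jq >/dev/null || die "jq is required (offline-capable)." 2

  # Pick the SHA-256 tool once, up front, so a missing hasher is reported
  # before any work is done rather than failing mid-pipeline.
  local -a hasher
  if command -v sha256sum >/dev/null; then
    hasher=(sha256sum)
  elif command -v shasum >/dev/null; then
    hasher=(shasum -a 256)
  else
    die "sha256sum or shasum is required." 2
  fi

  printf '[stub] canonicalising inputs...\n' >&2
  # Deliberately not `local`: the EXIT trap must still see it after main returns.
  tmpdir=$(mktemp -d) || die "mktemp failed"
  trap 'rm -rf -- "${tmpdir:?}"' EXIT

  canonicalise sbom  "$sbom"  "$tmpdir/sbom.canon"
  canonicalise vex   "$vex"   "$tmpdir/vex.canon"
  canonicalise dsse  "$dsse"  "$tmpdir/dsse.canon"
  canonicalise rekor "$rekor" "$tmpdir/rekor.canon"

  # The order sbom, dsse, rekor, vex is part of the hash definition; changing
  # it would invalidate every previously recorded chain-hash.
  # NOTE(review): plain concatenation carries no per-input framing (and jq
  # passes every top-level document in a file through), so the digest commits
  # to the byte stream, not to where one input ends and the next begins.
  # A length-prefixed or per-input-digest construction would be more robust
  # if the format is revised -- TODO, kept as-is here for compatibility.
  cat "$tmpdir/sbom.canon" "$tmpdir/dsse.canon" "$tmpdir/rekor.canon" "$tmpdir/vex.canon" \
    | "${hasher[@]}" | awk '{print $1}' > "$tmpdir/proof.hash"

  printf 'chain-hash (sbom+dsse+rekor+vex): %s\n' "$(< "$tmpdir/proof.hash")"
  printf '%s\n' "[stub] verify DSSE signatures and Rekor inclusion separately; add manifests to DSSE envelope for full proof"
}

main "$@"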