#!/usr/bin/env bash
# Deterministic projection verification for DEVOPS-VULN-29-001/002
# Usage: ./verify_projection.sh [projection-export.json] [expected-hash-file]
set -euo pipefail
PROJECTION=${1:-samples/vuln/events/projection.json}
EXPECTED_HASH_FILE=${2:-ops/devops/vuln/expected_projection.sha256}

if [[ ! -f "$PROJECTION" ]]; then
  echo "projection file not found: $PROJECTION" >&2
  exit 1
fi
if [[ ! -f "$EXPECTED_HASH_FILE" ]]; then
  echo "expected hash file not found: $EXPECTED_HASH_FILE" >&2
  exit 1
fi

calc_hash=$(sha256sum "$PROJECTION" | awk '{print $1}')
expected_hash=$(cut -d' ' -f1 "$EXPECTED_HASH_FILE")

if [[ "$calc_hash" != "$expected_hash" ]]; then
  echo "mismatch: projection hash $calc_hash expected $expected_hash" >&2
  exit 2
fi

echo "projection hash matches ($calc_hash)" >&2