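#!/usr/bin/env bash
#
# Integrity check for the files shipped alongside this script.
#
# Steps:
#   1. Verify every entry of SHA256SUMS (resolved relative to this script's
#      directory) with sha256sum.
#   2. If cosign and cosign.pub are both available, print the DSSE artefacts
#      that are expected to be verified once they exist. No signature is
#      actually verified yet.
#
# Trust note: SHA256SUMS is read from the same directory as the files it
# covers, so step 1 detects corruption or a partial change, not a change made
# by someone able to rewrite the manifest as well. Authenticity depends on the
# signature step, which is still a placeholder. The final status line says so
# explicitly; do not read it as "signed and verified".
#
# Exit status: non-zero if sha256sum is missing or any checksum line fails or
# is malformed; zero otherwise.
set -euo pipefail

# Run from the script's own directory so the relative paths below resolve the
# same way regardless of the caller's working directory.
ROOT="$(cd -- "$(dirname -- "$0")" && pwd)"
cd -- "$ROOT"

if ! command -v sha256sum >/dev/null; then
  echo "sha256sum required" >&2
  exit 1
fi

# --strict makes improperly formatted manifest lines a failure. Without it
# they only produce a warning, and the check can still exit 0 while silently
# covering fewer files than the manifest appears to list.
sha256sum --check --strict SHA256SUMS

if command -v cosign >/dev/null && [[ -f cosign.pub ]]; then
  # NOTE(review): cosign.pub is taken from the same directory as the artefacts
  # it would vouch for. When the verification below is enabled, the key should
  # come from a location the artefact publisher cannot overwrite.
  echo "cosign present; DSSE verification placeholders (update paths when signed):"
  echo "- observer_event.schema.dsse"
  echo "- webhook_admission.schema.dsse"
  echo "- thresholds.dsse"
  # Example commands (uncomment once DSSE files exist):
  # NOTE(review): the .dsse suffix suggests DSSE envelopes rather than detached
  # signatures. `cosign verify-blob --signature` expects a detached signature;
  # envelopes are normally checked with `cosign verify-blob-attestation`.
  # Confirm the produced format against the installed cosign before enabling.
  # cosign verify-blob --key cosign.pub --signature observer_event.schema.dsse schemas/observer_event.schema.json
  # cosign verify-blob --key cosign.pub --signature webhook_admission.schema.dsse schemas/webhook_admission.schema.json
  # cosign verify-blob --key cosign.pub --signature thresholds.dsse thresholds.yaml
else
  echo "cosign not found or cosign.pub missing; skipped DSSE verification"
fi

# Only the hash check has run at this point; signatures are not verified.
echo "OK: hashes verified (DSSE verification pending)"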