pgserve 2.5.0 → 2.6.1

package/scripts/fetch-postgres-bins.sh

@@ -0,0 +1,234 @@
+#!/usr/bin/env bash
+#
+# fetch-postgres-bins.sh — Group 7 of autopg-distribution-cutover.
+#
+# Stages PostgreSQL server binaries for one platform under
+#   dist/<platform>/autopg/postgres/{bin,share}/
+# so the assemble-tarball step can pack a self-contained release.
+#
+# Source resolution (in priority order):
+#   1. Explicit local override — AUTOPG_POSTGRES_LOCAL_DIR=<dir>
+#      Useful in CI when binaries are pre-fetched into a runner cache.
+#      Expects <dir>/{bin,share}/.
+#   2. npm/bun package — AUTOPG_POSTGRES_PKG_VERSION (default reads
+#      package.json optionalDependencies). The function pulls
+#      @embedded-postgres/<platform-pkg> into a scratch dir and copies
+#      its native/{bin,share}/ payload.
+#   3. URL template — AUTOPG_POSTGRES_URL_TEMPLATE='https://.../pg-{ver}-{pf}.tar.gz'
+#      with placeholders {ver} and {pf}.
+#
+# Platforms: linux-x64-glibc linux-x64-musl linux-arm64 darwin-x64 darwin-arm64
+#
+# Usage:
+#   scripts/fetch-postgres-bins.sh --platform linux-x64-glibc
+#   scripts/fetch-postgres-bins.sh --all
+#   AUTOPG_POSTGRES_LOCAL_DIR=/cache/pg16-linux-x64 scripts/fetch-postgres-bins.sh --platform linux-x64-glibc
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+DIST_DIR="${AUTOPG_DIST_DIR:-${REPO_ROOT}/dist}"
+
+PLATFORMS=(linux-x64-glibc linux-x64-musl linux-arm64 darwin-x64 darwin-arm64)
+
+# Map autopg platform tag → npm package suffix used by @embedded-postgres.
+# linux-x64-musl + linux-arm64 currently lack a published @embedded-postgres
+# package; for those, set AUTOPG_POSTGRES_LOCAL_DIR or AUTOPG_POSTGRES_URL_TEMPLATE.
+embedded_pkg_for() {
+  case "$1" in
+    linux-x64-glibc) echo "linux-x64" ;;
+    linux-x64-musl)  echo "" ;;
+    linux-arm64)     echo "" ;;
+    darwin-x64)      echo "darwin-x64" ;;
+    darwin-arm64)    echo "darwin-arm64" ;;
+    *) return 1 ;;
+  esac
+}
+
+# URL-template placeholder mapping for the 3rd-source path.
+url_pf_for() {
+  case "$1" in
+    linux-x64-glibc) echo "linux-x86_64-glibc" ;;
+    linux-x64-musl)  echo "linux-x86_64-musl" ;;
+    linux-arm64)     echo "linux-aarch64" ;;
+    darwin-x64)      echo "darwin-x86_64" ;;
+    darwin-arm64)    echo "darwin-aarch64" ;;
+    *) return 1 ;;
+  esac
+}
+
+usage() {
+  cat <<EOF
+Usage: $0 (--platform <p> | --all) [--postgres-version <v>]
+
+Platforms: ${PLATFORMS[*]}
+
+Source priority (first match wins):
+  AUTOPG_POSTGRES_LOCAL_DIR   pre-fetched <dir>/{bin,share}/
+  AUTOPG_POSTGRES_PKG_VERSION npm @embedded-postgres/<platform-pkg>@<ver>
+  AUTOPG_POSTGRES_URL_TEMPLATE 'https://.../pg-{ver}-{pf}.tar.gz'
+
+Defaults:
+  --postgres-version reads optionalDependencies @embedded-postgres/* version
+EOF
+}
+
+parse_args() {
+  TARGET_PLATFORM=""
+  FETCH_ALL=0
+  PG_VERSION="${AUTOPG_POSTGRES_PKG_VERSION:-}"
+
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --platform)         TARGET_PLATFORM="$2"; shift 2 ;;
+      --all)              FETCH_ALL=1; shift ;;
+      --postgres-version) PG_VERSION="$2"; shift 2 ;;
+      -h|--help)          usage; exit 0 ;;
+      *) echo "unknown arg: $1" >&2; usage; exit 2 ;;
+    esac
+  done
+
+  if [[ "$FETCH_ALL" -eq 0 && -z "$TARGET_PLATFORM" ]]; then
+    echo "error: pass --platform <p> or --all" >&2
+    usage; exit 2
+  fi
+
+  if [[ -z "$PG_VERSION" ]]; then
+    PG_VERSION=$(node -p "require('${REPO_ROOT}/package.json').optionalDependencies['@embedded-postgres/linux-x64'] || ''" 2>/dev/null || true)
+  fi
+}
+
+stage_from_local() {
+  local local_dir="$1" out_dir="$2"
+  echo "    -> source: AUTOPG_POSTGRES_LOCAL_DIR=$local_dir"
+  if [[ ! -d "$local_dir/bin" ]]; then
+    echo "error: $local_dir/bin missing" >&2; return 1
+  fi
+  cp -R "$local_dir/bin"   "$out_dir/bin"
+  cp -R "$local_dir/share" "$out_dir/share" 2>/dev/null || mkdir -p "$out_dir/share"
+}
+
+stage_from_pkg() {
+  local pkg="$1" version="$2" out_dir="$3"
+  echo "    -> source: npm @embedded-postgres/${pkg}@${version}"
+  # Initialize before installing trap — under `set -u` the RETURN trap fires
+  # on any early-return path, including ones where `mktemp` hasn't run yet.
+  # Referencing an unset `$scratch` from the trap would print
+  # `scratch: unbound variable` and mask the real fetch error
+  # (chatgpt-codex P2 review on PR #84).
+  local scratch=""
+  trap 'rm -rf "$scratch"' RETURN
+  scratch=$(mktemp -d) || return 1
+
+  pushd "$scratch" >/dev/null
+  cat > package.json <<EOF
+{ "name": "autopg-pg-fetch", "version": "0.0.0", "private": true,
+  "dependencies": { "@embedded-postgres/${pkg}": "${version}" } }
+EOF
+
+  # Use npm; bun pulls into a different layout.
+  if ! npm install --no-audit --no-fund --silent --ignore-scripts; then
+    popd >/dev/null
+    echo "error: npm install failed for @embedded-postgres/${pkg}@${version}" >&2
+    return 1
+  fi
+
+  local native="node_modules/@embedded-postgres/${pkg}/native"
+  if [[ ! -d "$native" ]]; then
+    popd >/dev/null
+    echo "error: native/ missing in @embedded-postgres/${pkg} payload" >&2
+    return 1
+  fi
+
+  cp -R "${native}/bin"   "${out_dir}/bin"
+  cp -R "${native}/share" "${out_dir}/share" 2>/dev/null || mkdir -p "${out_dir}/share"
+  popd >/dev/null
+}
+
+stage_from_url() {
+  local template="$1" version="$2" platform="$3" out_dir="$4"
+  local pf
+  pf="$(url_pf_for "$platform")" || { echo "error: no url mapping for $platform" >&2; return 1; }
+  local url="${template//\{ver\}/$version}"
+  url="${url//\{pf\}/$pf}"
+  echo "    -> source: $url"
+
+  local scratch
+  scratch=$(mktemp -d)
+  trap 'rm -rf "$scratch"' RETURN
+
+  curl -fsSL "$url" -o "${scratch}/pg.tar.gz"
+  tar -xzf "${scratch}/pg.tar.gz" -C "$scratch"
+
+  # Find the first directory containing bin/postgres.
+  local root postgres_path
+  postgres_path=$(find "$scratch" -mindepth 1 -maxdepth 4 -type f -name postgres -path '*/bin/*' -print -quit)
+  if [[ -n "$postgres_path" ]]; then
+    root=$(dirname "$(dirname "$postgres_path")")
+  else
+    root=""
+  fi
+  if [[ -z "$root" ]]; then
+    echo "error: bin/postgres not found in extracted tarball" >&2
+    return 1
+  fi
+  cp -R "${root}/bin"   "${out_dir}/bin"
+  cp -R "${root}/share" "${out_dir}/share" 2>/dev/null || mkdir -p "${out_dir}/share"
+}
+
+fetch_one() {
+  local platform="$1"
+  local out_dir="${DIST_DIR}/${platform}/autopg/postgres"
+  rm -rf "$out_dir" || return 1
+  mkdir -p "$out_dir" || return 1
+
+  echo "==> [${platform}] fetch postgres bins"
+
+  # `fetch_one` runs without `set -e` (called via `|| rc=$?` in main), so each
+  # stage_* helper must propagate failures explicitly (gemini PR #84 HIGH).
+  if [[ -n "${AUTOPG_POSTGRES_LOCAL_DIR:-}" ]]; then
+    stage_from_local "$AUTOPG_POSTGRES_LOCAL_DIR" "$out_dir" || return 1
+  elif [[ -n "$PG_VERSION" ]]; then
+    local pkg
+    pkg="$(embedded_pkg_for "$platform")" || true
+    if [[ -n "$pkg" ]]; then
+      stage_from_pkg "$pkg" "$PG_VERSION" "$out_dir" || return 1
+    elif [[ -n "${AUTOPG_POSTGRES_URL_TEMPLATE:-}" ]]; then
+      stage_from_url "$AUTOPG_POSTGRES_URL_TEMPLATE" "$PG_VERSION" "$platform" "$out_dir" || return 1
+    else
+      echo "error: no @embedded-postgres pkg for ${platform}; set AUTOPG_POSTGRES_URL_TEMPLATE or AUTOPG_POSTGRES_LOCAL_DIR" >&2
+      return 1
+    fi
+  elif [[ -n "${AUTOPG_POSTGRES_URL_TEMPLATE:-}" ]]; then
+    stage_from_url "$AUTOPG_POSTGRES_URL_TEMPLATE" "${AUTOPG_POSTGRES_URL_VERSION:-16}" "$platform" "$out_dir"
+  else
+    echo "error: no postgres source resolved for ${platform}" >&2
+    return 1
+  fi
+
+  if [[ ! -x "${out_dir}/bin/postgres" ]]; then
+    chmod +x "${out_dir}/bin/postgres" 2>/dev/null || true
+  fi
+  if [[ ! -f "${out_dir}/bin/postgres" ]]; then
+    echo "error: ${out_dir}/bin/postgres missing after stage" >&2
+    return 1
+  fi
+  echo "    ✓ staged ${out_dir} ($(du -sh "$out_dir" | cut -f1))"
+}
+
+main() {
+  parse_args "$@"
+  mkdir -p "$DIST_DIR"
+
+  local rc=0
+  if [[ "$FETCH_ALL" -eq 1 ]]; then
+    for p in "${PLATFORMS[@]}"; do
+      fetch_one "$p" || rc=$?
+    done
+  else
+    fetch_one "$TARGET_PLATFORM" || rc=$?
+  fi
+  exit $rc
+}
+
+main "$@"

package/scripts/postinstall.cjs

@@ -7,6 +7,13 @@
  *   - Upgrade install (data dir exists) → invoke `autopg upgrade --quiet`
  *   - Soft-fail: any error logs warning, exits 0 (never breaks `bun install`)
  *   - Skip override: AUTOPG_SKIP_POSTINSTALL=1 → exit 0 immediately
+ *   - Dev-worktree auto-skip: if the package root sits inside a genie or
+ *     git worktree, skip with a stderr note. Stops contributors running
+ *     `bun install` in a worktree from accidentally migrating their real
+ *     `~/.autopg/data` against half-built code.
+ *   - Non-CI pre-warning: emit a stderr line BEFORE invoking upgrade so
+ *     the operator can see what's about to happen and Ctrl+C if needed.
+ *     CI runs (`CI=true`) stay quiet.
  *
  * The escape hatch for forced re-runs is `autopg upgrade` (manual).
  *
@@ -21,40 +28,117 @@ function getAutopgRoot() {
   return process.env.AUTOPG_CONFIG_DIR || process.env.PGSERVE_CONFIG_DIR || `${process.env.HOME}/.autopg`;
 }
 
-function main() {
-  if (process.env.AUTOPG_SKIP_POSTINSTALL === '1') {
+/**
+ * Return true if the package root sits inside a development worktree.
+ *
+ * Two markers:
+ *   1. Genie convention: path contains `/.genie/worktrees/`
+ *   2. Git worktree:    `<pkgRoot>/.git` is a FILE (not a dir) whose
+ *      `gitdir:` pointer references another `.git/worktrees/...`
+ *
+ * Either marker is enough; both have high precision for "this is a
+ * dev checkout, not a real consumer install".
+ */
+function isDevWorktree(pkgRoot) {
+  const sep = path.sep;
+  if (pkgRoot.includes(`${sep}.genie${sep}worktrees${sep}`)) return true;
+  try {
+    const gitMarker = path.join(pkgRoot, '.git');
+    const stat = fs.statSync(gitMarker);
+    if (stat.isFile()) {
+      const content = fs.readFileSync(gitMarker, 'utf8');
+      if (content.includes(`${sep}.git${sep}worktrees${sep}`)) return true;
+    }
+  } catch {
+    // No .git, unreadable, or path resolution error — not a worktree
+  }
+  return false;
+}
+
+function isCI() {
+  const v = process.env.CI;
+  return v === 'true' || v === '1';
+}
+
+/**
+ * Decision-and-side-effect entry. Accepts an optional `deps` object so
+ * tests can drive each branch (worktree-skip, fresh-install, CI-quiet,
+ * upgrade-invoke, soft-fail-on-error) without depending on the host
+ * environment. Production callers invoke `main()` with no args; the
+ * defaults reproduce the original behavior verbatim.
+ *
+ * Why dependency injection: a previous spawn-and-grep test attempted
+ * to verify the worktree-skip stderr by symlinking the script into a
+ * synthetic worktree dir. Node's symlink resolution defeated that —
+ * `__dirname` inside the script points at the real-on-disk source, not
+ * the symlink target — so `isDevWorktree(pkgRoot)` saw the real pkgRoot
+ * and the stderr note never fired. Injecting `pkgRoot` + the heuristic
+ * function decouples behavior from filesystem layout for tests.
+ */
+function main(deps = {}) {
+  const env = deps.env ?? process.env;
+  const pkgRoot = deps.pkgRoot ?? path.resolve(__dirname, '..');
+  const isDevWorktreeFn = deps.isDevWorktree ?? isDevWorktree;
+  const isCIFn = deps.isCI ?? isCI;
+  const getAutopgRootFn = deps.getAutopgRoot
+    ?? (() => env.AUTOPG_CONFIG_DIR || env.PGSERVE_CONFIG_DIR || `${env.HOME}/.autopg`);
+  const fsApi = deps.fs ?? fs;
+  const stderr = deps.stderr ?? process.stderr;
+  const spawnSyncFn = deps.spawnSync ?? spawnSync;
+
+  if (env.AUTOPG_SKIP_POSTINSTALL === '1') {
+    return;
+  }
+  if (isDevWorktreeFn(pkgRoot)) {
+    stderr.write(
+      `[autopg-postinstall] dev worktree detected at ${pkgRoot} — skipping upgrade.\n` +
+      '[autopg-postinstall] Set AUTOPG_SKIP_POSTINSTALL=1 to silence this notice.\n',
+    );
     return;
   }
-  const dataDir = path.join(getAutopgRoot(), 'data');
-  if (!fs.existsSync(dataDir)) {
+  const dataDir = path.join(getAutopgRootFn(), 'data');
+  if (!fsApi.existsSync(dataDir)) {
     // Fresh install — nothing to upgrade
     return;
   }
   // Locate own CLI entry — script is run from the package dir at install time
-  const cliEntry = path.join(__dirname, '..', 'bin', 'pgserve-wrapper.cjs');
-  if (!fs.existsSync(cliEntry)) {
-    process.stderr.write(`[autopg-postinstall] wrapper not found at ${cliEntry}, skipping\n`);
+  const cliEntry = path.join(pkgRoot, 'bin', 'pgserve-wrapper.cjs');
+  if (!fsApi.existsSync(cliEntry)) {
+    stderr.write(`[autopg-postinstall] wrapper not found at ${cliEntry}, skipping\n`);
     return;
   }
-  const result = spawnSync(process.execPath, [cliEntry, 'upgrade', '--quiet'], {
+  if (!isCIFn()) {
+    stderr.write(
+      `[autopg-postinstall] About to run \`autopg upgrade --quiet\` against ${dataDir}.\n` +
+      '[autopg-postinstall] Set AUTOPG_SKIP_POSTINSTALL=1 in the environment to skip (recommended for dev worktrees).\n',
+    );
+  }
+  const result = spawnSyncFn(process.execPath, [cliEntry, 'upgrade', '--quiet'], {
     stdio: ['ignore', 'inherit', 'inherit'],
     timeout: 60_000,
   });
   if (result.error) {
-    process.stderr.write(`[autopg-postinstall] WARNING: upgrade invocation failed: ${result.error.message}\n`);
-    process.stderr.write('[autopg-postinstall] Run `autopg upgrade` manually to retry.\n');
+    stderr.write(`[autopg-postinstall] WARNING: upgrade invocation failed: ${result.error.message}\n`);
+    stderr.write('[autopg-postinstall] Run `autopg upgrade` manually to retry.\n');
     return;
   }
   if (result.status !== 0) {
-    process.stderr.write(`[autopg-postinstall] WARNING: \`autopg upgrade\` exited ${result.status}\n`);
-    process.stderr.write('[autopg-postinstall] Run `autopg upgrade` manually to investigate.\n');
+    stderr.write(`[autopg-postinstall] WARNING: \`autopg upgrade\` exited ${result.status}\n`);
+    stderr.write('[autopg-postinstall] Run `autopg upgrade` manually to investigate.\n');
   }
 }
 
-try {
-  main();
-} catch (err) {
-  process.stderr.write(`[autopg-postinstall] WARNING: unexpected error: ${err.message}\n`);
-}
+// Test surface: postinstall.test.js exercises isDevWorktree + isCI in
+// isolation (pure path + env reads, no shellouts). require() this file
+// from a test to inspect the helpers without the side-effect of running
+// main(); main() is only invoked when this is the entry point.
+module.exports = { isDevWorktree, isCI, getAutopgRoot, main };
 
-process.exit(0);
+if (require.main === module) {
+  try {
+    main();
+  } catch (err) {
+    process.stderr.write(`[autopg-postinstall] WARNING: unexpected error: ${err.message}\n`);
+  }
+  process.exit(0);
+}

package/scripts/verify-published-artifacts.sh

@@ -0,0 +1,211 @@
+#!/usr/bin/env bash
+#
+# verify-published-artifacts.sh — Group 8 of autopg-distribution-cutover.
+#
+# Validates that every autopg tarball in the given directory is:
+#   1. accompanied by its outer .sha256 and that the hash matches.
+#   2. cosign-signed (verifies against keys/cosign.pub or AUTOPG_COSIGN_PUB).
+#   3. accompanied by a SLSA L3 in-toto provenance attestation that
+#      slsa-verifier can verify against the source repo URI.
+#   4. listed in the aggregated manifest.json with matching metadata.
+#
+# Usage:
+#   bash scripts/verify-published-artifacts.sh dist/
+#   bash scripts/verify-published-artifacts.sh dist/ --skip-slsa
+#   AUTOPG_COSIGN_PUB=tests/fixtures/cosign/cosign.pub \
+#     bash scripts/verify-published-artifacts.sh dist/
+#
+# Exit codes:
+#   0  all artifacts verified
+#   1  verification failure (any tarball fails any check)
+#   2  invalid args / missing inputs
+#
+# Group 8 acceptance criteria:
+#   - cosign verify-blob succeeds for every platform tarball
+#   - slsa-verifier verify-artifact succeeds for every platform tarball
+#   - tampered tarball fails both verifications
+#   - script exits non-zero if any tarball ships without sig + provenance
+
+set -euo pipefail
+
+REPO_ROOT="$(cd "$(dirname "$0")/.." && pwd)"
+COSIGN_PUB_DEFAULT="${REPO_ROOT}/keys/cosign.pub"
+COSIGN_PUB="${AUTOPG_COSIGN_PUB:-${COSIGN_PUB_DEFAULT}}"
+SOURCE_URI_DEFAULT="github.com/automagik-dev/autopg"
+SOURCE_URI="${AUTOPG_SOURCE_URI:-${SOURCE_URI_DEFAULT}}"
+
+PASS=0
+FAIL=0
+SKIP_SLSA=0
+SKIP_MANIFEST=0
+
+ok()   { printf '    \xe2\x9c\x93 %s\n'    "$*";          PASS=$((PASS + 1)); }
+bad()  { printf '    \xe2\x9c\x97 %s\n'    "$*" >&2;      FAIL=$((FAIL + 1)); }
+note() { printf '    \xe2\x80\xa2 %s\n'    "$*" >&2; }
+
+usage() {
+  cat <<EOF
+Usage: $0 <dist-dir> [--skip-slsa] [--skip-manifest]
+
+Verifies every autopg-*.tar.gz in <dist-dir> using:
+  - keys/cosign.pub    (override with AUTOPG_COSIGN_PUB=<path>)
+  - source URI         ${SOURCE_URI_DEFAULT}
+                       (override with AUTOPG_SOURCE_URI=<uri>)
+
+Required siblings per tarball:
+  <tarball>.sha256
+  <tarball>.sig
+  <tarball>.intoto.jsonl    (skip with --skip-slsa)
+
+Optional:
+  manifest.json            (skip with --skip-manifest)
+EOF
+}
+
+parse_args() {
+  if [[ $# -lt 1 ]]; then usage; exit 2; fi
+  DIST_DIR="$1"; shift
+  while [[ $# -gt 0 ]]; do
+    case "$1" in
+      --skip-slsa)     SKIP_SLSA=1; shift ;;
+      --skip-manifest) SKIP_MANIFEST=1; shift ;;
+      -h|--help)       usage; exit 0 ;;
+      *) echo "unknown arg: $1" >&2; usage; exit 2 ;;
+    esac
+  done
+  if [[ ! -d "$DIST_DIR" ]]; then
+    echo "error: dist dir not found: $DIST_DIR" >&2; exit 2
+  fi
+  if [[ ! -f "$COSIGN_PUB" ]]; then
+    echo "error: cosign public key not found: $COSIGN_PUB" >&2; exit 2
+  fi
+}
+
+require_tools() {
+  command -v cosign >/dev/null 2>&1 || {
+    echo "error: cosign not on PATH (install: https://docs.sigstore.dev/cosign/installation/)" >&2
+    exit 2
+  }
+  if [[ "$SKIP_SLSA" -eq 0 ]]; then
+    if ! command -v slsa-verifier >/dev/null 2>&1; then
+      note "slsa-verifier not on PATH — provenance check will be skipped (pass --skip-slsa to silence)"
+      SKIP_SLSA=1
+    fi
+  fi
+}
+
+# Portable SHA256 — sha256sum on linux, shasum -a 256 on macOS.
+sha256_of() {
+  if command -v sha256sum >/dev/null 2>&1; then
+    sha256sum "$1" | awk '{print $1}'
+  else
+    shasum -a 256 "$1" | awk '{print $1}'
+  fi
+}
+
+verify_outer_sha() {
+  local tarball="$1"
+  local sha_file="${tarball}.sha256"
+  if [[ ! -f "$sha_file" ]]; then
+    bad "$(basename "$tarball"): missing .sha256 sibling"
+    return 1
+  fi
+  local recorded actual
+  recorded=$(awk '{print $1}' "$sha_file")
+  actual=$(sha256_of "$tarball")
+  if [[ "$recorded" != "$actual" ]]; then
+    bad "$(basename "$tarball"): sha256 mismatch (recorded=$recorded actual=$actual)"
+    return 1
+  fi
+  ok "$(basename "$tarball"): sha256 matches recorded"
+}
+
+verify_cosign() {
+  local tarball="$1"
+  local sig="${tarball}.sig"
+  if [[ ! -f "$sig" ]]; then
+    bad "$(basename "$tarball"): missing .sig sibling"
+    return 1
+  fi
+  if cosign verify-blob \
+        --key "$COSIGN_PUB" \
+        --signature "$sig" \
+        "$tarball" >/dev/null 2>&1; then
+    ok "$(basename "$tarball"): cosign signature verifies"
+  else
+    bad "$(basename "$tarball"): cosign verify-blob FAILED"
+    return 1
+  fi
+}
+
+verify_slsa() {
+  local tarball="$1"
+  local prov="${tarball}.intoto.jsonl"
+  if [[ ! -f "$prov" ]]; then
+    bad "$(basename "$tarball"): missing .intoto.jsonl provenance"
+    return 1
+  fi
+  if slsa-verifier verify-artifact \
+        "$tarball" \
+        --provenance-path "$prov" \
+        --source-uri "$SOURCE_URI" >/dev/null 2>&1; then
+    ok "$(basename "$tarball"): SLSA provenance verifies"
+  else
+    bad "$(basename "$tarball"): slsa-verifier FAILED"
+    return 1
+  fi
+}
+
+verify_manifest_entry() {
+  local tarball="$1" manifest="$2"
+  local base
+  base=$(basename "$tarball")
+  if ! grep -q "\"file\": \"${base}\"" "$manifest"; then
+    bad "$(basename "$tarball"): not listed in manifest.json"
+    return 1
+  fi
+  ok "$(basename "$tarball"): manifest.json entry present"
+}
+
+main() {
+  parse_args "$@"
+  require_tools
+
+  echo "==> verify-published-artifacts: $DIST_DIR"
+  echo "    cosign pub: $COSIGN_PUB"
+  echo "    source uri: $SOURCE_URI"
+
+  local tarballs=()
+  while IFS= read -r line; do
+    tarballs+=("$line")
+  done < <(find "$DIST_DIR" -maxdepth 1 -name 'autopg-*.tar.gz' -type f | LC_ALL=C sort)
+
+  if [[ ${#tarballs[@]} -eq 0 ]]; then
+    bad "no autopg-*.tar.gz files in $DIST_DIR"
+    echo "==> result: FAIL (no inputs)"
+    exit 1
+  fi
+
+  local manifest="${DIST_DIR}/manifest.json"
+  if [[ "$SKIP_MANIFEST" -eq 0 && ! -f "$manifest" ]]; then
+    bad "manifest.json missing in $DIST_DIR (pass --skip-manifest to ignore)"
+  fi
+
+  for tarball in "${tarballs[@]}"; do
+    echo "  -- $(basename "$tarball")"
+    verify_outer_sha "$tarball" || true
+    verify_cosign "$tarball"    || true
+    if [[ "$SKIP_SLSA" -eq 0 ]]; then
+      verify_slsa "$tarball" || true
+    fi
+    if [[ "$SKIP_MANIFEST" -eq 0 && -f "$manifest" ]]; then
+      verify_manifest_entry "$tarball" "$manifest" || true
+    fi
+  done
+
+  echo
+  echo "==> result: pass=${PASS} fail=${FAIL}"
+  if [[ "$FAIL" -gt 0 ]]; then exit 1; fi
+}
+
+main "$@"