From d0391db078d4cc273849404f282cae6a8a044c89 Mon Sep 17 00:00:00 2001 From: K1-R1 <77465250+K1-R1@users.noreply.github.com> Date: Sun, 15 Mar 2026 14:39:04 +0000 Subject: [PATCH 1/4] fix: add exit codes 4 and 130 to --help text Both codes were documented in README.md but missing from the --help output, creating an inconsistency that misleads users and agents relying on --help as the authoritative reference. Signed-off-by: K1-R1 <77465250+K1-R1@users.noreply.github.com> --- smoosh | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/smoosh b/smoosh index eea56f9..bae356c 100755 --- a/smoosh +++ b/smoosh @@ -342,8 +342,10 @@ Exit Codes: 1 Usage error (bad arguments) 2 Target not found or not a git repository 3 No matching files found + 4 Verification failed — output does not match expected file list 5 Remote clone failed 7 Cannot create output directory + 130 Interrupted (Ctrl-C) Examples: smoosh # interactive mode (guided setup) @@ -784,8 +786,7 @@ batch_mime_check() { [[ "${MODE}" != "all" ]] && return 0 # extension filter is sufficient for docs/code command -v file >/dev/null 2>&1 || { - warn "file command not found — skipping MIME validation" - return 0 + die 1 "'file' command not found — required for --all mode. Install it (e.g. apt-get install file) or use --code instead of --all." } local list_file From b68fdd31c895dc5a5a7768ab23ffde57197c389c Mon Sep 17 00:00:00 2001 From: K1-R1 <77465250+K1-R1@users.noreply.github.com> Date: Sun, 15 Mar 2026 14:39:18 +0000 Subject: [PATCH 2/4] fix: abort install when SHA256 file absent instead of warning A missing .sha256 file previously produced only a warning and continued, allowing an unverified binary to install silently. Now exits with an error. Users in restricted environments can opt out via SMOOSH_NO_VERIFY=1, which emits a prominent unsafe warning. Signed-off-by: K1-R1 <77465250+K1-R1@users.noreply.github.com> --- install.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) 
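Review bot: The new `die 1 "'file' command not found …"` in batch_mime_check maps a missing system dependency onto exit code 1, which the Exit Codes table updated in the first hunk of this same patch documents as "Usage error (bad arguments)", so a caller scripting on exit status cannot tell a bad flag from an absent `file` binary. Assuming `die`'s first argument is the exit status (inferred from this call; the helper is not in the hunk), either add a line for this case to the table or give it a code of its own — the visible table lists 1, 2, 3, 4, 5, 7 and 130. This hunk also turns a best-effort warn-and-continue into a hard failure, which the commit subject ("add exit codes 4 and 130 to --help text") does not mention; it deserves its own sentence in the message or its own commit. batch_mime_check starts before this hunk and continues past it.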
diff --git a/install.sh b/install.sh index 730cb08..7700cb3 100644 --- a/install.sh +++ b/install.sh @@ -8,6 +8,7 @@ # SMOOSH_INSTALL_DIR — installation directory (default: /usr/local/bin) # SMOOSH_VERSION — specific version to install (default: latest) # SMOOSH_NO_CONFIRM — set to 1 to skip the confirmation prompt +# SMOOSH_NO_VERIFY — set to 1 to skip checksum verification (unsafe) set -euo pipefail @@ -21,6 +22,7 @@ readonly BINARY_NAME="smoosh" INSTALL_DIR="${SMOOSH_INSTALL_DIR:-/usr/local/bin}" REQUESTED_VERSION="${SMOOSH_VERSION:-}" NO_CONFIRM="${SMOOSH_NO_CONFIRM:-0}" +NO_VERIFY="${SMOOSH_NO_VERIFY:-0}" # --------------------------------------------------------------------------- # Terminal colours — disabled when not a TTY @@ -147,8 +149,10 @@ download_and_install() { local expected expected="$(awk '{print $1}' "${tmp_sha}")" sha256_verify "${tmp_bin}" "${expected}" + elif [[ "${NO_VERIFY}" == "1" ]]; then + warn "SMOOSH_NO_VERIFY=1 set — skipping checksum verification (unsafe)" else - warn "No .sha256 file found for this release — skipping verification" + die "No .sha256 file found for v${VERSION} — aborting to protect against an unverified install. Set SMOOSH_NO_VERIFY=1 to skip (unsafe)." fi # Install: try without sudo first, fall back to sudo. From 33c96f760ff4a89c3f411b79cb160c9c3d9018b0 Mon Sep 17 00:00:00 2001 From: K1-R1 <77465250+K1-R1@users.noreply.github.com> Date: Sun, 15 Mar 2026 14:39:37 +0000 Subject: [PATCH 3/4] chore: install shfmt via go install for verified supply chain The previous curl-based binary download had no integrity check (mvdan/sh does not publish separate checksum files). Switching to go install routes through the Go module sum database (sum.golang.org), an append-only transparency log that provides cryptographic integrity. Also adds a bash32 CI job that parses smoosh under /bin/bash (Bash 3.2 on macOS runners), catching any Bash 4+ syntax that would break the compatibility guarantee. 
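Review bot: `NO_VERIFY` is consulted only in the new `elif`, which is reached when the opening `if` (above the hunk, and judging from the original `else` message a test for the downloaded `.sha256`) fails, so a checksum that is present is still enforced through `sha256_verify` whatever the variable says — good, but narrower than the header comment added in this file's first hunk, `# SMOOSH_NO_VERIFY — set to 1 to skip checksum verification (unsafe)`, which reads as an unconditional skip. Reword it to match the code: `# SMOOSH_NO_VERIFY — set to 1 to continue when the release publishes no .sha256 file (unsafe; a published checksum is still enforced)`. For symmetry with the `die` message the opt-out warning could also name the release, `warn "SMOOSH_NO_VERIFY=1 set — installing v${VERSION} without checksum verification (unsafe)"`. download_and_install starts before this hunk and continues past it.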
Signed-off-by: K1-R1 <77465250+K1-R1@users.noreply.github.com> --- .github/workflows/ci.yml | 26 ++++++++++++++++++++++---- .github/workflows/release.yml | 8 ++++---- 2 files changed, 26 insertions(+), 8 deletions(-) diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index d28480d..7ceccbd 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -26,11 +26,11 @@ jobs: run: shellcheck --severity=warning smoosh install.sh - name: Install shfmt + # go install verifies integrity via the Go module sum database (sum.golang.org). + # mvdan/sh does not publish separate checksum files for its binary releases. run: | - curl -fsSL "https://github.com/mvdan/sh/releases/download/v3.13.0/shfmt_v3.13.0_linux_amd64" \ - -o /usr/local/bin/shfmt - chmod +x /usr/local/bin/shfmt - + go install mvdan.cc/sh/v3/cmd/shfmt@v3.13.0 + echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH" - name: Run shfmt run: shfmt -d -i 2 smoosh @@ -75,6 +75,24 @@ jobs: TERM: xterm-256color run: bats test/*.bats + bash32: + name: Bash 3.2 syntax check + runs-on: macos-latest + needs: lint + steps: + - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag: v6.0.2 + with: + persist-credentials: false + + - name: Confirm /bin/bash version + run: /bin/bash --version | head -1 + + - name: Check syntax under Bash 3.2 + # /bin/bash on macOS is Bash 3.2 (Apple-shipped, GPLv2). + # -n parses the script without executing it — catches Bash 4+ syntax + # such as declare -A, ${var,,}, mapfile, and named references. + run: /bin/bash -n smoosh + coverage: name: Coverage runs-on: ubuntu-22.04 # kcov not packaged for ubuntu-24.04 (noble) diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml index 8c3ac3f..d5d4171 100644 --- a/.github/workflows/release.yml +++ b/.github/workflows/release.yml 
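Review bot: The comment above `go install mvdan.cc/sh/v3/cmd/shfmt@v3.13.0` states that integrity is verified via sum.golang.org, but that holds only while the runner's Go environment leaves `GOSUMDB` enabled and the module unmatched by `GONOSUMDB`/`GOPRIVATE`; nothing in the step pins these, so a runner-image or repository-variable change could disable the check with no CI signal. Set it explicitly on the step, e.g. `env: { GOSUMDB: sum.golang.org }` next to the `run:`, so the guarantee the comment promises is enforced rather than assumed. The identical step in `.github/workflows/release.yml` (hunk at -42) has the same gap.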
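Review bot: The comment on the `Check syntax under Bash 3.2` step overclaims what `/bin/bash -n` detects: `-n` only parses, and `declare -A`, `mapfile` and `declare -n` are ordinary commands whose unsupported option or missing builtin is reported at execution time, while `${var,,}` fails as a bad substitution only when expanded, so none of the four examples named would fail this step under Bash 3.2. Either drop those examples and state that the step catches parse-level differences only, or back it with something that reaches them — e.g. `/bin/bash -n smoosh && /bin/bash smoosh --help >/dev/null` (if `--help` exits 0) for the startup path, plus a grep such as `! grep -nE 'declare -[An]|mapfile|readarray|\$\{[^}]*(,,|\^\^)' smoosh` for the rest. Whichever is chosen, the comment should describe what the step actually enforces.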
@@ -42,11 +42,11 @@ jobs: run: shellcheck --severity=warning smoosh install.sh - name: Install shfmt + # go install verifies integrity via the Go module sum database (sum.golang.org). + # mvdan/sh does not publish separate checksum files for its binary releases. run: | - curl -fsSL "https://github.com/mvdan/sh/releases/download/v3.13.0/shfmt_v3.13.0_linux_amd64" \ - -o /usr/local/bin/shfmt - chmod +x /usr/local/bin/shfmt - + go install mvdan.cc/sh/v3/cmd/shfmt@v3.13.0 + echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH" - name: Check shfmt run: shfmt -d -i 2 smoosh From 4720c5b43217ce5e6aaeda30510ab456a8ce3fa3 Mon Sep 17 00:00:00 2001 From: K1-R1 <77465250+K1-R1@users.noreply.github.com> Date: Sun, 15 Mar 2026 14:39:41 +0000 Subject: [PATCH 4/4] chore: add Dependabot for monthly Actions SHA updates Actions are already pinned to commit SHAs, but without Dependabot those pins will never be updated. Monthly cadence keeps them current without generating noise. Signed-off-by: K1-R1 <77465250+K1-R1@users.noreply.github.com> --- .github/dependabot.yml | 6 ++++++ 1 file changed, 6 insertions(+) create mode 100644 .github/dependabot.yml diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..3a626c3 --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,6 @@ +version: 2 +updates: + - package-ecosystem: github-actions + directory: / + schedule: + interval: monthly
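Review bot: `package-ecosystem: github-actions` only tracks `uses:` references, so the `go install mvdan.cc/sh/v3/cmd/shfmt@v3.13.0` pins the previous patch placed in `run:` scripts in ci.yml and release.yml are outside Dependabot's view and will stay at v3.13.0 until edited by hand; add a `# not tracked by dependabot — bump manually` comment beside each, or move shfmt into a small tools Go module covered by a `gomod` entry here. Also confirm that Dependabot rewrites the `# tag: v6.0.2` trailing comments used on the SHA-pinned `uses:` lines when it bumps the SHA; if that comment form is not recognised, the annotation will silently drift from the pinned commit and mislead reviewers.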