Fix/tier one quality

.github/dependabot.yml

@@ -0,0 +1,6 @@
+version: 2
+updates:
+  - package-ecosystem: github-actions
+    directory: /
+    schedule:
+      interval: monthly

.github/workflows/ci.yml

@@ -26,11 +26,11 @@ jobs:
         run: shellcheck --severity=warning smoosh install.sh
 
       - name: Install shfmt
+        # go install verifies integrity via the Go module sum database (sum.golang.org).
+        # mvdan/sh does not publish separate checksum files for its binary releases.
         run: |
-          curl -fsSL "https://github.com/mvdan/sh/releases/download/v3.13.0/shfmt_v3.13.0_linux_amd64" \
-            -o /usr/local/bin/shfmt
-          chmod +x /usr/local/bin/shfmt
-
+          go install mvdan.cc/sh/v3/cmd/shfmt@v3.13.0
+          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
 
       - name: Run shfmt
         run: shfmt -d -i 2 smoosh
@@ -75,6 +75,24 @@ jobs:
           TERM: xterm-256color
         run: bats test/*.bats
 
+  bash32:
+    name: Bash 3.2 syntax check
+    runs-on: macos-latest
+    needs: lint
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # tag: v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Confirm /bin/bash version
+        run: /bin/bash --version | head -1
+
+      - name: Check syntax under Bash 3.2
+        # /bin/bash on macOS is Bash 3.2 (Apple-shipped, GPLv2).
+        # -n parses the script without executing it — catches Bash 4+ syntax
+        # such as declare -A, ${var,,}, mapfile, and named references.
+        run: /bin/bash -n smoosh
+
   coverage:
     name: Coverage
     runs-on: ubuntu-22.04  # kcov not packaged for ubuntu-24.04 (noble)

.github/workflows/release.yml

@@ -42,11 +42,11 @@ jobs:
         run: shellcheck --severity=warning smoosh install.sh
 
       - name: Install shfmt
+        # go install verifies integrity via the Go module sum database (sum.golang.org).
+        # mvdan/sh does not publish separate checksum files for its binary releases.
         run: |
-          curl -fsSL "https://github.com/mvdan/sh/releases/download/v3.13.0/shfmt_v3.13.0_linux_amd64" \
-            -o /usr/local/bin/shfmt
-          chmod +x /usr/local/bin/shfmt
-
+          go install mvdan.cc/sh/v3/cmd/shfmt@v3.13.0
+          echo "$(go env GOPATH)/bin" >> "$GITHUB_PATH"
 
       - name: Check shfmt
         run: shfmt -d -i 2 smoosh

install.sh

@@ -8,6 +8,7 @@
 #   SMOOSH_INSTALL_DIR  — installation directory (default: /usr/local/bin)
 #   SMOOSH_VERSION      — specific version to install (default: latest)
 #   SMOOSH_NO_CONFIRM   — set to 1 to skip the confirmation prompt
+#   SMOOSH_NO_VERIFY    — set to 1 to skip checksum verification (unsafe)
 
 set -euo pipefail
 
@@ -21,6 +22,7 @@ readonly BINARY_NAME="smoosh"
 INSTALL_DIR="${SMOOSH_INSTALL_DIR:-/usr/local/bin}"
 REQUESTED_VERSION="${SMOOSH_VERSION:-}"
 NO_CONFIRM="${SMOOSH_NO_CONFIRM:-0}"
+NO_VERIFY="${SMOOSH_NO_VERIFY:-0}"
 
 # ---------------------------------------------------------------------------
 # Terminal colours — disabled when not a TTY
@@ -147,8 +149,10 @@ download_and_install() {
     local expected
     expected="$(awk '{print $1}' "${tmp_sha}")"
     sha256_verify "${tmp_bin}" "${expected}"
+  elif [[ "${NO_VERIFY}" == "1" ]]; then
+    warn "SMOOSH_NO_VERIFY=1 set — skipping checksum verification (unsafe)"
   else
-    warn "No .sha256 file found for this release — skipping verification"
+    die "No .sha256 file found for v${VERSION} — aborting to protect against an unverified install. Set SMOOSH_NO_VERIFY=1 to skip (unsafe)."
   fi
 
   # Install: try without sudo first, fall back to sudo.

smoosh

@@ -342,8 +342,10 @@ Exit Codes:
   1   Usage error (bad arguments)
   2   Target not found or not a git repository
   3   No matching files found
+  4   Verification failed — output does not match expected file list
   5   Remote clone failed
   7   Cannot create output directory
+  130 Interrupted (Ctrl-C)
 
 Examples:
   smoosh                          # interactive mode (guided setup)
@@ -784,8 +786,7 @@ batch_mime_check() {
   [[ "${MODE}" != "all" ]] && return 0 # extension filter is sufficient for docs/code
 
   command -v file >/dev/null 2>&1 || {
-    warn "file command not found — skipping MIME validation"
-    return 0
+    die 1 "'file' command not found — required for --all mode. Install it (e.g. apt-get install file) or use --code instead of --all."
   }
 
   local list_file