From 509e02b2e81124da8829dffb7dd24149fe8216b7 Mon Sep 17 00:00:00 2001
From: Gregory Gauthier <gregory.gauthier@perspectum.com>
Date: Mon, 30 Mar 2026 11:06:50 +0100
Subject: [PATCH] feat(install): enhance grokkit-install script with checksum
 verification and version flexibility

- Strip leading 'v' from VERSION for flexible invocation
- Add robust checksum download and verification using sha256sum or shasum
- Handle missing checksum tools or entries gracefully with warnings
- Update asset naming to include 'v' prefix consistently
- Improve platform detection formatting and add trap for temp dir cleanup
- Minor echo message updates for better user feedback
---
 scripts/grokkit-install.sh | 57 ++++++++++++++++++++++++++------------
 1 file changed, 40 insertions(+), 17 deletions(-)

diff --git a/scripts/grokkit-install.sh b/scripts/grokkit-install.sh
index c3f3465..b9f904d 100644
--- a/scripts/grokkit-install.sh
+++ b/scripts/grokkit-install.sh
@@ -1,21 +1,24 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
-VERSION=${VERSION:-${1:?Provide VERSION env or arg, e.g. VERSION=1.0.0 bash grokkit-install.sh}}
+VERSION=${VERSION:-${1:?Provide VERSION env or arg, e.g. VERSION=0.3.2 bash grokkit-install.sh}}
+
+# Strip leading 'v' if present (makes invocation flexible)
+VERSION=${VERSION#v}
 
 GITEA_BASE=https://repos.gmgauthier.com/gmgauthier/grokkit
 
-# Detect platform
+# Platform detection
 OS=$(uname -s | tr '[:upper:]' '[:lower:]')
 case "$OS" in
-  linux) OS=linux ;;
-  darwin) OS=darwin ;;
+    linux) OS=linux ;;
+    darwin) OS=darwin ;;
 esac
 
 ARCH=$(uname -m)
 case "$ARCH" in
-  x86_64|amd64) ARCH=amd64 ;;
-  arm64|aarch64) ARCH=arm64 ;;
+    x86_64|amd64) ARCH=amd64 ;;
+    arm64|aarch64) ARCH=arm64 ;;
 esac
 
 ASSET="grokkit-${OS}-${ARCH}-v${VERSION}.tar.gz"
@@ -23,28 +26,48 @@ ASSET="grokkit-${OS}-${ARCH}-v${VERSION}.tar.gz"
 echo "Installing grokkit ${VERSION} for ${OS}/${ARCH}..."
 
 TEMP_DIR=$(mktemp -d)
-#trap 'rm -rf "${TEMP_DIR}" EXIT'
+trap 'rm -rf "${TEMP_DIR}"' EXIT
 
 cd "${TEMP_DIR}"
 
-# Download
-echo "Downloading From ${GITEA_BASE}/releases/download/v${VERSION}/${ASSET}"
+# Download asset + checksums
+echo "Downloading ${ASSET}..."
 curl -fL "${GITEA_BASE}/releases/download/v${VERSION}/${ASSET}" -o asset.tar.gz
-#echo "Downloading checksums..."
-#curl -fL "${GITEA_BASE}/releases/download/v${VERSION}/checksums.txt" -o checksums.txt
 
-# Verify checksum
-#echo "Verifying checksums..."
-#HASH=$(grep " ${ASSET}$" checksums.txt | cut -d " " -f1)
-#echo "${HASH}  asset.tar.gz" | shasum -a 256 --check - || { echo "Checksum mismatch!"; exit 1; }
+echo "Downloading checksums.txt..."
+curl -fL "${GITEA_BASE}/releases/download/v${VERSION}/checksums.txt" -o checksums.txt
+
+# Robust checksum verification
+echo "Verifying checksum..."
+CHECKSUM_CMD=""
+if command -v sha256sum >/dev/null 2>&1; then
+    CHECKSUM_CMD="sha256sum"
+elif command -v shasum >/dev/null 2>&1; then
+    CHECKSUM_CMD="shasum -a 256"
+fi
+
+if [ -n "$CHECKSUM_CMD" ] && [ -f checksums.txt ]; then
+    # Extract hash (handles "build/..." prefix in checksums.txt)
+    HASH=$(grep -oE '[0-9a-f]{64}\s+build/[^ ]*' checksums.txt | grep "${ASSET}" | cut -d' ' -f1)
+    if [ -z "$HASH" ]; then
+        echo "⚠️  No checksum entry found for ${ASSET} – continuing without verification"
+    else
+        echo "${HASH}  asset.tar.gz" | $CHECKSUM_CMD --check - || {
+            echo "❌ Checksum mismatch for ${ASSET}!"
+            exit 1
+        }
+        echo "✅ Checksum verified successfully"
+    fi
+else
+    echo "⚠️  Checksum tool not found (sha256sum/shasum) – skipping verification"
+fi
 
 # Extract
-echo "Extracting asset"
+echo "Extracting asset..."
 tar xzf asset.tar.gz
 BINARY="grokkit-${OS}-${ARCH}"
 
 # Install
-echo "Installing ${BINARY}..."
 INSTALL_DIR="${HOME}/.local/bin"
 mkdir -p "${INSTALL_DIR}"
 mv "${BINARY}" "${INSTALL_DIR}/grokkit"