feat(companion): enforce checksum verification in generated launcher

src/companion/releaseBundle.test.ts

@@ -59,6 +59,7 @@ describe('writeCompanionReleaseBundle', () => {
     expect(launcherRaw).toContain('exec flynn');
     expect(launcherRaw).toContain('--push-token');
     expect(launcherRaw).toContain('--latitude');
+    expect(launcherRaw).toContain('sha256sum --check CHECKSUMS.sha256');
     expect(readmeRaw).toContain('Flynn Companion Release Bundle');
     expect(checksumsRaw).toContain('companion.bootstrap.json');
     expect(checksumsRaw).toContain('run-companion.sh');

src/companion/releaseBundle.ts

@@ -101,6 +101,29 @@ function createLauncherScript(manifest: CompanionBootstrapManifest): string {
 set -euo pipefail
 
 # Generated by Flynn companion release-bundle export.
+bundle_dir="$(cd -- "$(dirname -- "\${BASH_SOURCE[0]}")" && pwd)"
+checksums_file="\${bundle_dir}/CHECKSUMS.sha256"
+if [[ ! -f "\${checksums_file}" ]]; then
+  echo "Missing CHECKSUMS.sha256 in \${bundle_dir}" >&2
+  exit 1
+fi
+if command -v sha256sum >/dev/null 2>&1; then
+  (cd "\${bundle_dir}" && sha256sum --check CHECKSUMS.sha256)
+elif command -v shasum >/dev/null 2>&1; then
+  while IFS= read -r line; do
+    [[ -z "\${line}" ]] && continue
+    expected="\${line%% *}"
+    file="\${line##*  }"
+    actual="$(shasum -a 256 "\${bundle_dir}/\${file}" | awk '{print $1}')"
+    if [[ "\${actual}" != "\${expected}" ]]; then
+      echo "Checksum mismatch for \${file}" >&2
+      exit 1
+    fi
+  done <"\${checksums_file}"
+else
+  echo "Neither sha256sum nor shasum is available for checksum verification" >&2
+  exit 1
+fi
 exec flynn ${quotedArgs} \"$@\"
 `;
 }