Feature request: protofetch verify — integrity check fetched protos against lockfile #229

@cschanhniem

Summary

Protofetch handles transitive dependency resolution and file policy filtering, but there is no built-in way to verify that fetched protobuf files match the expected content recorded in the lockfile after the initial fetch.

Evidence

  • The lockfile (protofetch.lock) records resolved revisions (git hashes) for each dependency, but nothing guarantees the files on disk match the lockfile at fetch time (e.g., git objects corrupted, manual edits, cache poisoning).
  • The --locked flag only checks that the lockfile itself is unchanged, not that the fetched files match the lockfile content.
  • Other dependency managers (Cargo with cargo vendor, npm with npm ci integrity fields, Go modules with go mod verify) provide a verify command that checks file integrity against stored hashes.

Suggested approach

Add a protofetch verify command that:

  1. Reads protofetch.lock to get the expected revision for each dependency
  2. Re-computes a hash (SHA-256) of every proto file on disk under the output directory
  3. Compares against a stored checksum (could be a new field in protofetch.lock, e.g., checksum per dependency entry)
  4. Exits non-zero on mismatch with a clear diff report

This would close a gap in the dependency integrity guarantees and is consistent with how the existing lockfile mechanism already tracks revisions.

An alternative lightweight approach: add an integrity hash to the existing lockfile format for each fetched dependency and compare on protofetch fetch --locked.
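A sketch of the verify logic the steps above propose, written here as an added example rather than code from protofetch: the per-dependency `checksum` field, the lockfile shape (a plain name-to-digest mapping) and the hashing scheme (digest over sorted relative-path/file-digest pairs) are all assumptions.

```python
import hashlib
import tempfile
from pathlib import Path


def file_sha256(path: Path) -> str:
    """Streamed SHA-256 of one file (step 2 of the proposal)."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def dependency_checksum(dep_dir: Path) -> str:
    """Assumed per-dependency scheme: digest over sorted (relative path, file digest)
    pairs. Binding the path means a renamed or moved file is a mismatch, not just an edit."""
    h = hashlib.sha256()
    for proto in sorted(dep_dir.rglob("*.proto")):
        rel = proto.relative_to(dep_dir).as_posix()
        h.update(f"{rel}\0{file_sha256(proto)}\n".encode())
    return h.hexdigest()


def verify(lock: dict, out_dir: Path) -> list:
    """Steps 3/4: compare each locked checksum (hypothetical `checksum` field, here a dict
    of dependency name -> hex digest) with the tree on disk; a CLI exits non-zero if non-empty."""
    problems = []
    for dep, expected in sorted(lock.items()):
        dep_dir = out_dir / dep
        if not dep_dir.is_dir():
            problems.append(f"{dep}: directory missing")
            continue
        actual = dependency_checksum(dep_dir)
        if actual != expected:
            problems.append(f"{dep}: expected {expected[:12]}..., got {actual[:12]}...")
    return problems


def demo():
    """Constructed scenario: record a checksum at 'fetch' time, verify, then edit a file."""
    with tempfile.TemporaryDirectory() as tmp:
        out = Path(tmp)
        (out / "dep_a").mkdir()
        (out / "dep_a" / "a.proto").write_text('syntax = "proto3";\nmessage A {}\n')
        lock = {"dep_a": dependency_checksum(out / "dep_a")}  # what fetch would record
        clean = verify(lock, out)
        (out / "dep_a" / "a.proto").write_text('message A { int32 x = 1; }\n')  # local edit
        return clean, verify(lock, out)
```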
