feat(scripts): verify.sh — .brain-version + sha256 + strict-secrets check

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

scripts/tests/verify-test.sh

@@ -0,0 +1,30 @@
+#!/usr/bin/env bash
+set -u
+SCRIPT_DIR="$(cd "$(dirname "$0")/.." && pwd)"
+source "$SCRIPT_DIR/lib/common.sh"
+
+FAILURES=0
+assert_eq() {
+    if [ "$1" = "$2" ]; then echo "PASS: $3"; else echo "FAIL: $3 (expected '$1', got '$2')"; FAILURES=$((FAILURES + 1)); fi
+}
+
+# Test 1: missing .brain-version → exit 1
+tmpdir=$(mktemp -d)
+bash "$SCRIPT_DIR/verify.sh" --target="$tmpdir" >/dev/null 2>&1
+assert_eq "1" "$?" "missing .brain-version returns exit 1"
+rm -rf "$tmpdir"
+
+# Test 2: valid .brain-version → exit 0 (минимальный manifest пустой)
+tmpdir=$(mktemp -d)
+echo "brain-v1.0" > "$tmpdir/.brain-version"
+echo "sha: 0000000000000000000000000000000000000000" >> "$tmpdir/.brain-version"
+# Создаём минимальный manifest в brain
+brain_dir=$(mktemp -d)
+echo '{"version": "brain-v1.0", "files": {}}' > "$brain_dir/manifest.json"
+BRAIN_ROOT="$brain_dir" bash "$SCRIPT_DIR/verify.sh" --target="$tmpdir" >/dev/null 2>&1
+assert_eq "0" "$?" "valid .brain-version returns exit 0"
+rm -rf "$tmpdir" "$brain_dir"
+
+echo "---"
+echo "Failures: $FAILURES"
+exit $FAILURES