# TODO: Implement Verify Command

## Overview

Implement the `verify` command to check snapshot integrity. Both shallow and deep verification require the age_secret_key from config to decrypt the database index.

## Implementation Steps

### 1. Update Config Structure

- Add `AgeSecretKey string` field to the Config struct in `internal/config/config.go`
- Add corresponding `age_secret_key` YAML tag
- Ensure the field is properly loaded from config file

### 2. Remove Command Line Flags

- Remove --bucket, --prefix, and --snapshot flags from:
  - `internal/cli/verify.go`
  - `internal/cli/restore.go`
  - `internal/cli/fetch.go`
- Update all commands to use bucket/prefix from config instead of flags
- Update verify command to take snapshot ID as first positional argument

### 3. Implement Shallow Verification

**Requires age_secret_key from config**

1. Download from S3:
   - `metadata/{snapshot-id}/manifest.json.zst`
   - `metadata/{snapshot-id}/db.zst.age`
2. Process files:
   - Decompress manifest (not encrypted)
   - Decrypt db.zst.age using age_secret_key
   - Decompress decrypted database
   - Load SQLite database from dump
3. Verify integrity:
   - Query snapshot_blobs table for all blobs in this snapshot
   - Compare DB blob list against manifest blob list
   - **FAIL IMMEDIATELY** if lists don't match exactly
4. For each blob in manifest:
   - Use S3 HeadObject to check existence
   - **FAIL IMMEDIATELY** if blob is missing
   - Verify blob hash matches filename
   - **FAIL IMMEDIATELY** if hash mismatch
5. Only report success if ALL checks pass

### 4. Implement Deep Verification

**Requires age_secret_key from config**

1. Run all shallow verification first (fail on any error)
2. For each blob referenced in snapshot:
   - Download blob from S3
   - Decrypt using age_secret_key (streaming)
   - Decompress (streaming)
   - Parse blob structure to extract chunks
3. For each chunk in blob:
   - Calculate SHA256 of chunk data
   - Query database for expected chunk hash
   - **FAIL IMMEDIATELY** if calculated != expected
   - Verify chunks are ordered correctly by offset
   - **FAIL IMMEDIATELY** if chunks out of order
4. Progress reporting:
   - Show blob-by-blob progress
   - Show chunk verification within each blob
   - But continue only if no errors
5. Only report success if ALL blobs and ALL chunks verify

### 5. Error Handling

- **FAIL IMMEDIATELY** if age_secret_key missing from config
- **FAIL IMMEDIATELY** on decryption failure
- **FAIL IMMEDIATELY** on any verification mismatch
- Use log.Fatal() or return error to ensure non-zero exit code
- Provide clear error messages indicating exactly what failed

## Success Criteria

- Verify command exits with code 0 only if ALL checks pass
- Any failure results in non-zero exit code
- Clear error messages for each failure type
- Progress reporting during verification
- Works with remote-only snapshots (not in local DB)
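
The per-chunk check from deep verification step 3, as an added Go example (not the project's own code). `ChunkRecord`, `VerifyChunks` and `hexSum` are hypothetical names, the blob is assumed to be already decrypted and decompressed in memory, and an overlapping chunk is treated as out of order.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"log"
)

// ChunkRecord is a hypothetical shape for one expected-chunk row from the
// database; the real schema is not given in this TODO.
type ChunkRecord struct {
	Offset, Length int64
	SHA256         string // lowercase hex
}

// hexSum returns the lowercase hex SHA-256 of b.
func hexSum(b []byte) string {
	s := sha256.Sum256(b)
	return hex.EncodeToString(s[:])
}

// VerifyChunks returns an error on the first failing chunk (FAIL IMMEDIATELY).
func VerifyChunks(blob []byte, expected []ChunkRecord) error {
	var next int64 // lowest offset the next chunk may start at
	for i, c := range expected {
		if c.Offset < next {
			return fmt.Errorf("chunk %d: offset %d out of order (previous chunk ends at %d)", i, c.Offset, next)
		}
		// Bounds check before slicing so a corrupt index cannot cause a panic.
		if c.Length < 0 || c.Length > int64(len(blob))-c.Offset {
			return fmt.Errorf("chunk %d: range %d+%d exceeds blob size %d", i, c.Offset, c.Length, len(blob))
		}
		if got := hexSum(blob[c.Offset : c.Offset+c.Length]); got != c.SHA256 {
			return fmt.Errorf("chunk %d: sha256 mismatch: calculated %s, expected %s", i, got, c.SHA256)
		}
		next = c.Offset + c.Length
	}
	return nil
}

func main() {
	blob := []byte("alphabravocharlie") // constructed sample blob
	expected := []ChunkRecord{{0, 5, hexSum(blob[:5])}, {5, 12, hexSum(blob[5:])}}
	if err := VerifyChunks(blob, expected); err != nil {
		log.Fatalf("verify failed: %v", err) // non-zero exit on any failure
	}
	fmt.Println("all chunks verified")
}
```

Returning the error and calling `log.Fatalf` only in `main` keeps the non-zero exit code while leaving the check itself testable.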