Add checksum validation for archived media

app/Console/Commands/MonitorStorageCommand.php

@@ -46,6 +46,12 @@ class MonitorStorageCommand extends Command
 
             $assetStats = $this->buildAssetStatistics();
             $thresholds = $this->capacityThresholds();
+            $checksumConfig = $this->checksumAlertConfig();
+            $checksumWindowMinutes = $checksumConfig['window_minutes'];
+            $checksumThresholds = $checksumConfig['thresholds'];
+            $checksumMismatches = $checksumConfig['enabled'] && $checksumWindowMinutes > 0
+                ? $this->checksumMismatchCounts($checksumWindowMinutes)
+                : [];
             $alerts = [];
             $snapshotTargets = [];
 
@@ -78,6 +84,7 @@ class MonitorStorageCommand extends Command
                     ];
                 }
 
+                $targetChecksumMismatches = $checksumMismatches[$target->id] ?? 0;
                 $snapshotTargets[] = [
                     'id' => $target->id,
                     'key' => $target->key,
@@ -85,13 +92,35 @@ class MonitorStorageCommand extends Command
                     'is_hot' => (bool) $target->is_hot,
                     'capacity' => $capacity,
                     'assets' => $assets,
+                    'checksum_mismatches' => [
+                        'count' => $targetChecksumMismatches,
+                        'window_minutes' => $checksumWindowMinutes,
+                    ],
                 ];
             }
 
+            if ($checksumConfig['enabled'] && $checksumWindowMinutes > 0) {
+                $totalMismatches = array_sum($checksumMismatches);
+                $checksumSeverity = $this->determineChecksumSeverity($totalMismatches, $checksumThresholds);
+
+                if ($checksumSeverity !== 'ok') {
+                    $alerts[] = [
+                        'type' => 'checksum_mismatch',
+                        'severity' => $checksumSeverity,
+                        'count' => $totalMismatches,
+                        'window_minutes' => $checksumWindowMinutes,
+                    ];
+                }
+            }
+
             $snapshot = [
                 'generated_at' => now()->toIso8601String(),
                 'targets' => $snapshotTargets,
                 'alerts' => $alerts,
+                'checksum' => [
+                    'window_minutes' => $checksumWindowMinutes,
+                    'mismatch_total' => array_sum($checksumMismatches),
+                ],
             ];
 
             $ttlMinutes = max(1, (int) config('storage-monitor.monitor.cache_minutes', 15));
@@ -191,4 +220,62 @@ class MonitorStorageCommand extends Command
 
         return 'ok';
     }
+
+    private function checksumAlertConfig(): array
+    {
+        $enabled = (bool) config('storage-monitor.checksum_validation.enabled', true);
+        $windowMinutes = max(0, (int) config('storage-monitor.checksum_validation.alert_window_minutes', 60));
+        $warning = (int) config('storage-monitor.checksum_validation.thresholds.warning', 1);
+        $critical = (int) config('storage-monitor.checksum_validation.thresholds.critical', 5);
+
+        if ($warning > $critical && $critical > 0) {
+            [$warning, $critical] = [$critical, $warning];
+        }
+
+        return [
+            'enabled' => $enabled,
+            'window_minutes' => $windowMinutes,
+            'thresholds' => [
+                'warning' => $warning,
+                'critical' => $critical,
+            ],
+        ];
+    }
+
+    private function checksumMismatchCounts(int $windowMinutes): array
+    {
+        $query = EventMediaAsset::query()
+            ->selectRaw('media_storage_target_id, COUNT(*) as total_count')
+            ->where('status', 'failed')
+            ->where('meta->checksum_status', 'mismatch');
+
+        if ($windowMinutes > 0) {
+            $query->where('updated_at', '>=', now()->subMinutes($windowMinutes));
+        }
+
+        return $query->groupBy('media_storage_target_id')
+            ->get()
+            ->mapWithKeys(fn ($row) => [(int) $row->media_storage_target_id => (int) $row->total_count])
+            ->all();
+    }
+
+    private function determineChecksumSeverity(int $count, array $thresholds): string
+    {
+        $warning = (int) ($thresholds['warning'] ?? 1);
+        $critical = (int) ($thresholds['critical'] ?? 5);
+
+        if ($count <= 0) {
+            return 'ok';
+        }
+
+        if ($critical > 0 && $count >= $critical) {
+            return 'critical';
+        }
+
+        if ($warning > 0 && $count >= $warning) {
+            return 'warning';
+        }
+
+        return 'ok';
+    }
 }

app/Jobs/ArchiveEventMediaAssets.php

@@ -71,12 +71,44 @@ class ArchiveEventMediaAssets implements ShouldQueue
 
                 Storage::disk($archiveDisk)->put($archivePath, $stream);
 
+                $checksumMeta = null;
+                $archiveChecksum = null;
+                if ($this->checksumValidationEnabled()) {
+                    $archiveChecksum = $this->computeChecksum($archiveDisk, $archivePath);
+                    if (! $archiveChecksum) {
+                        throw new \RuntimeException('Archive checksum unavailable');
+                    }
+
+                    $expectedChecksum = $asset->checksum;
+                    if ($expectedChecksum) {
+                        if (! hash_equals($expectedChecksum, $archiveChecksum)) {
+                            $this->handleChecksumMismatch($asset, $expectedChecksum, $archiveChecksum, $sourceDisk, $archiveDisk);
+                            $this->deleteArchiveCopy($archiveDisk, $archivePath);
+
+                            continue;
+                        }
+
+                        $checksumMeta = [
+                            'checksum_status' => 'verified',
+                            'checksum_verified_at' => now()->toIso8601String(),
+                        ];
+                    } else {
+                        $asset->checksum = $archiveChecksum;
+                        $checksumMeta = [
+                            'checksum_status' => 'seeded',
+                            'checksum_verified_at' => now()->toIso8601String(),
+                        ];
+                    }
+                }
+
                 $asset->fill([
                     'disk' => $archiveDisk,
                     'media_storage_target_id' => $archiveTargetId,
                     'status' => 'archived',
                     'archived_at' => now(),
                     'error_message' => null,
+                    'checksum' => $asset->checksum,
+                    'meta' => $this->mergeMeta($asset->meta, $checksumMeta),
                 ])->save();
 
                 if ($this->deleteSource) {
@@ -102,4 +134,92 @@ class ArchiveEventMediaAssets implements ShouldQueue
             }
         }
     }
+
+    private function checksumValidationEnabled(): bool
+    {
+        return (bool) config('storage-monitor.checksum_validation.enabled', true);
+    }
+
+    private function computeChecksum(string $disk, string $path): ?string
+    {
+        try {
+            $stream = Storage::disk($disk)->readStream($path);
+        } catch (\Throwable $e) {
+            Log::channel('storage-jobs')->warning('Failed to open stream for checksum', [
+                'disk' => $disk,
+                'path' => $path,
+                'error' => $e->getMessage(),
+            ]);
+
+            return null;
+        }
+
+        if (! $stream) {
+            return null;
+        }
+
+        try {
+            $context = hash_init('sha256');
+            $ok = hash_update_stream($context, $stream);
+            if ($ok === false) {
+                return null;
+            }
+
+            return hash_final($context);
+        } finally {
+            if (is_resource($stream)) {
+                fclose($stream);
+            }
+        }
+    }
+
+    private function handleChecksumMismatch(
+        EventMediaAsset $asset,
+        string $expectedChecksum,
+        string $actualChecksum,
+        string $sourceDisk,
+        string $archiveDisk,
+    ): void {
+        Log::channel('storage-jobs')->alert('Checksum mismatch detected during archive', [
+            'asset_id' => $asset->id,
+            'event_id' => $asset->event_id,
+            'source_disk' => $sourceDisk,
+            'archive_disk' => $archiveDisk,
+            'expected_checksum' => $expectedChecksum,
+            'actual_checksum' => $actualChecksum,
+        ]);
+
+        $asset->update([
+            'status' => 'failed',
+            'error_message' => 'checksum_mismatch',
+            'meta' => $this->mergeMeta($asset->meta, [
+                'checksum_status' => 'mismatch',
+                'checksum_verified_at' => now()->toIso8601String(),
+                'checksum_expected' => $expectedChecksum,
+                'checksum_actual' => $actualChecksum,
+            ]),
+        ]);
+    }
+
+    private function deleteArchiveCopy(string $archiveDisk, string $path): void
+    {
+        try {
+            Storage::disk($archiveDisk)->delete($path);
+        } catch (\Throwable $e) {
+            Log::channel('storage-jobs')->warning('Failed to clean up archive copy after checksum mismatch', [
+                'disk' => $archiveDisk,
+                'path' => $path,
+                'error' => $e->getMessage(),
+            ]);
+        }
+    }
+
+    private function mergeMeta(?array $meta, ?array $updates): ?array
+    {
+        if (! $updates) {
+            return $meta;
+        }
+
+        return array_merge($meta ?? [], $updates);
+    }
 }