
Module verify


On-disk verification: which manifest entries are actually applied?

A patch is “applied” if and only if every file the manifest claims it modified currently hashes to its afterHash. Anything else (a missing file, a hash mismatch, even one file ahead of expectations) disqualifies the patch from the VEX document. Callers feed the failures into a stderr warning and the --json envelope's warning list; the spec we agreed on is “never emit affected or under_investigation — just omit”.

The CLI is responsible for resolving PURL → on-disk package path (it already does this for apply / scan via the ecosystem dispatcher). We accept a pre-built map so this module stays free of ecosystem-crawler dependencies.
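The partition rule described above, as an added sketch (not this crate's own code): the struct shapes, the reason tags and the `hash_file` callback are assumptions, since the page shows no signatures. The caller supplies the digest function, so the block carries no hashing dependency.

```rust
use std::collections::BTreeMap;

// Hypothetical shapes: the page does not show the real manifest,
// FailedPatch or VerifyOutcome fields, and the reason tags are assumed.
pub struct ManifestEntry {
    pub purl: String,
    pub files: Vec<(String, String)>, // (path inside package, afterHash)
}
#[derive(Debug, PartialEq)]
pub struct Failed { pub purl: String, pub reason: &'static str }
#[derive(Debug, Default, PartialEq)]
pub struct Outcome { pub applied: Vec<String>, pub failed: Vec<Failed> }

/// `pkg_paths` is the pre-built PURL -> package path map; `hash_file` returns
/// a file's current digest in the manifest's encoding, or None if it is absent.
pub fn partition<F>(manifest: &[ManifestEntry], pkg_paths: &BTreeMap<String, String>, hash_file: F) -> Outcome
where
    F: Fn(&str) -> Option<String>,
{
    let mut out = Outcome::default();
    for entry in manifest {
        let reason = match pkg_paths.get(&entry.purl) {
            None => Some("package_not_found"),
            // Assumption: an entry listing no files proves nothing, so fail closed.
            Some(_) if entry.files.is_empty() => Some("no_files"),
            // The first missing or off-hash file disqualifies the whole patch.
            Some(root) => entry.files.iter().find_map(|(rel, after)| {
                match hash_file(&format!("{}/{}", root, rel)) {
                    None => Some("file_missing"),
                    Some(h) if h != *after => Some("hash_mismatch"),
                    Some(_) => None,
                }
            }),
        };
        match reason {
            None => out.applied.push(entry.purl.clone()),
            Some(reason) => out.failed.push(Failed { purl: entry.purl.clone(), reason }),
        }
    }
    out
}

fn main() {
    // Constructed sample: the one patched file is present but off-hash.
    let m = [ManifestEntry { purl: "pkg:npm/demo@1.0.0".into(), files: vec![("index.js".into(), "aa".into())] }];
    let paths = BTreeMap::from([("pkg:npm/demo@1.0.0".to_string(), "/pkgs/demo".to_string())]);
    let out = partition(&m, &paths, |_path| Some("bb".to_string()));
    println!("{:?}", out);
}
```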

Structs

FailedPatch
One entry per manifest PURL that did NOT pass verification. The reason is a short snake_case tag the CLI can route on (matches the error_code convention used by json_envelope::PatchEvent).
VerifyOutcome
Result of partitioning the manifest into applied vs failed sets.

Functions

applied_patches
Walk the manifest and bucket each PURL into applied / failed.