feat: add supply chain artifact verification (#431)

Author: enricopiovesan

.github/workflows/supply-chain.yml

@@ -0,0 +1,41 @@
+name: Supply Chain
+
+on:
+  schedule:
+    - cron: "17 4 * * *"
+  push:
+    branches:
+      - main
+  workflow_dispatch:
+
+jobs:
+  supply-chain:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v4
+
+      - name: Set up Rust
+        uses: dtolnay/rust-toolchain@stable
+        with:
+          toolchain: 1.94.0
+          components: rustfmt, clippy
+
+      - name: Cache cargo
+        uses: Swatinem/rust-cache@v2
+
+      - name: Run supply-chain checks
+        run: bash scripts/ci/supply_chain_check.sh
+
+      - name: Upload supply-chain evidence
+        if: always()
+        uses: actions/upload-artifact@v4
+        with:
+          name: traverse-supply-chain-evidence
+          path: |
+            target/supply-chain/traverse-sbom.cdx.json
+            target/supply-chain/supply-chain-summary.json
+            target/supply-chain/artifact-verify-report.json
+            target/supply-chain/traverse-cli.provenance.json

Cargo.lock

@@ -26,3 +26,8 @@ unwrap_used = "deny"
 expect_used = "deny"
 panic = "deny"
 todo = "deny"
+
+[workspace.metadata.cyclonedx]
+all_features = true
+format = "json"
+output = "traverse-sbom.cdx.json"

Cargo.toml

@@ -10,6 +10,7 @@ rust-version.workspace = true
 semver = "1.0.27"
 serde = { version = "1.0.228", features = ["derive"] }
 serde_json = "1.0.145"
+sha2 = "0.10"
 traverse-contracts = { path = "../traverse-contracts" }
 traverse-registry = { path = "../traverse-registry" }
 traverse-runtime = { path = "../traverse-runtime" }

crates/traverse-cli/Cargo.toml

@@ -2,6 +2,7 @@ mod agent_packages;
 mod browser_adapter;
 mod federation_operator;
 mod http_api;
+mod supply_chain;
 
 use agent_packages::load_agent_package;
 use browser_adapter::serve_local_browser_adapter;
@@ -56,6 +57,9 @@ enum Command {
     WasmAbiVerify {
         wasm_paths: Vec<PathBuf>,
     },
+    ArtifactVerify {
+        artifact_path: PathBuf,
+    },
     FederationPeers {
         manifest_path: PathBuf,
     },
@@ -202,6 +206,7 @@ fn run_command(command: Command) -> Result<String, CliError> {
             request_path,
         } => execute_agent(&manifest_path, &request_path),
         Command::WasmAbiVerify { wasm_paths } => verify_wasm_abi_imports(&wasm_paths),
+        Command::ArtifactVerify { artifact_path } => verify_supply_chain_artifact(&artifact_path),
         Command::FederationPeers { manifest_path } => {
             render_federation_peers(&manifest_path).map_err(CliError::IoError)
         }
@@ -263,6 +268,7 @@ fn parse_command(args: &[String]) -> Result<Command, String> {
         (Some("serve"), _) => parse_serve_command(args),
         (Some("federation"), Some(_)) => parse_federation_command(args),
         (Some("agent"), Some("execute")) => parse_agent_execute_command(args),
+        (Some("artifact"), Some("verify")) => parse_artifact_verify_command(args),
         (Some("wasm"), Some("abi")) => parse_wasm_abi_command(args),
         (Some("expedition"), Some("execute")) => parse_expedition_execute_command(args),
         (Some("capability"), Some("discover")) => parse_capability_discover_command(args),
@@ -279,6 +285,8 @@ fn subcommand_help(family: Option<&str>, subcommand: Option<&str>) -> String {
         (Some("agent"), Some("inspect")) => help_agent_inspect(),
         (Some("agent"), Some("execute")) => help_agent_execute(),
         (Some("agent"), _) => help_agent(),
+        (Some("artifact"), Some("verify")) => help_artifact_verify(),
+        (Some("artifact"), _) => help_artifact(),
         (Some("wasm"), Some("abi")) => help_wasm_abi(),
         (Some("wasm"), _) => help_wasm(),
         (Some("workflow"), Some("register")) => help_workflow_register(),
@@ -402,6 +410,36 @@ fn help_agent() -> String {
         .to_string()
 }
 
+fn help_artifact_verify() -> String {
+    "traverse-cli artifact verify <artifact-or-manifest-path>
+
+  Purpose:
+    Verify one governed artifact's supply-chain evidence. The command reads
+    either a manifest JSON path or an artifact path with sidecars named
+    <artifact>.manifest.json and <artifact>.provenance.json, then emits a
+    structured JSON report for checksum, signature, and provenance checks.
+
+  Required arguments:
+    <artifact-or-manifest-path>   Artifact file or artifact manifest JSON path.
+
+  Optional flags:
+    --help                       Print this help text.
+
+  Example:
+    traverse-cli artifact verify target/release/traverse-cli"
+        .to_string()
+}
+
+fn help_artifact() -> String {
+    "traverse-cli artifact <subcommand> [options]
+
+  Subcommands:
+    verify <artifact-or-manifest-path>   Verify checksum, signature, and provenance evidence.
+
+  Run `traverse-cli artifact verify --help` for subcommand-specific help."
+        .to_string()
+}
+
 fn help_wasm_abi() -> String {
     "traverse-cli wasm abi verify <wasm-path>...
 
@@ -824,6 +862,15 @@ fn parse_fixed_arity_command(args: &[String]) -> Result<Command, String> {
     }
 }
 
+fn parse_artifact_verify_command(args: &[String]) -> Result<Command, String> {
+    match args {
+        [_, _, _, artifact_path] => Ok(Command::ArtifactVerify {
+            artifact_path: PathBuf::from(artifact_path),
+        }),
+        _ => Err(usage()),
+    }
+}
+
 fn parse_agent_execute_command(args: &[String]) -> Result<Command, String> {
     match args {
         [_, _, _, manifest_path, request_path] => Ok(Command::AgentExecute {
@@ -1064,6 +1111,17 @@ fn verify_wasm_abi_imports(wasm_paths: &[PathBuf]) -> Result<String, CliError> {
     Ok(lines.join("\n"))
 }
 
+fn verify_supply_chain_artifact(artifact_path: &Path) -> Result<String, CliError> {
+    let report = supply_chain::verify_artifact(artifact_path);
+    let json = serde_json::to_string_pretty(&report)
+        .map_err(|e| CliError::IoError(format!("failed to serialize artifact report: {e}")))?;
+    if report.passed() {
+        Ok(json)
+    } else {
+        Err(CliError::ValidationFailed(json))
+    }
+}
+
 fn execute_expedition(
     request_path: &Path,
     trace_output_path: Option<&Path>,
@@ -2428,6 +2486,12 @@ mod tests {
             "verify".to_string(),
             "examples/hello-world/say-hello-agent/artifacts/say-hello-agent.wasm".to_string(),
         ];
+        let artifact_verify = vec![
+            "traverse-cli".to_string(),
+            "artifact".to_string(),
+            "verify".to_string(),
+            "target/release/traverse-cli".to_string(),
+        ];
         let expedition_execute = vec![
             "traverse-cli".to_string(),
             "expedition".to_string(),
@@ -2467,6 +2531,7 @@ mod tests {
         assert!(parse_command(&agent_inspect).is_ok());
         assert!(parse_command(&agent_execute).is_ok());
         assert!(parse_command(&wasm_abi_verify).is_ok());
+        assert!(parse_command(&artifact_verify).is_ok());
         assert!(parse_command(&expedition_execute).is_ok());
         assert!(parse_command(&expedition_execute_with_trace).is_ok());
         assert!(parse_command(&event).is_ok());
@@ -2678,6 +2743,22 @@ mod tests {
         assert!(text.contains("Example:"));
     }
 
+    #[test]
+    fn parse_command_returns_artifact_verify_help_on_help_flag() {
+        let args = vec![
+            "traverse-cli".to_string(),
+            "artifact".to_string(),
+            "verify".to_string(),
+            "--help".to_string(),
+        ];
+        let result = parse_command(&args);
+        assert!(result.is_err(), "expected Err for --help");
+        let text = result.err().unwrap_or_default();
+        assert!(text.contains("artifact verify"));
+        assert!(text.contains("<artifact-or-manifest-path>"));
+        assert!(text.contains("Example:"));
+    }
+
     #[test]
     fn parse_command_returns_workflow_inspect_help_on_help_flag() {
         let args = vec![