SBOM Registry Service

adr-ledger no longer treats ./.chain/sbom/sbom_current.json as the official SBOM source of truth.

The supported model is:

the repository generates a candidate SBOM locally;
an internal registry service receives the manifest;
the service persists the official artifact in GCS;
the service optionally publishes a status event on NATS;
CI/release flows verify the repository state against the remote official manifest.

Service runtime

The workspace now includes sbom-registry, a small HTTP service.

Required environment variables:

SBOM_GCS_BUCKET: target GCS bucket

Optional environment variables:

SBOM_GCS_PREFIX: object prefix inside the bucket
SBOM_REGISTRY_BIND: bind address, default 127.0.0.1:8787
SBOM_NATS_URL: when set, publish registry events to NATS
SBOM_NATS_SUBJECT: event subject, default adr.sbom.status.v1
GCS_OAUTH_BEARER_TOKEN: explicit OAuth token for GCS

If GCS_OAUTH_BEARER_TOKEN is absent, the service tries:

gcloud auth application-default print-access-token
gcloud auth print-access-token

Client-side environment

Commands in sbom_manager.py understand:

ADR_SBOM_BACKEND=service
ADR_SBOM_SERVICE_URL=http://127.0.0.1:8787
ADR_SBOM_EXPECTED_REF=<git sha or tag>
ADR_SBOM_REQUIRE_REMOTE=1

Example

# terminal 1
SBOM_GCS_BUCKET=my-secure-bucket \
SBOM_NATS_URL=nats://127.0.0.1:4222 \
cargo run -p sbom-registry

# terminal 2
export ADR_SBOM_BACKEND=service
export ADR_SBOM_SERVICE_URL=http://127.0.0.1:8787
export ADR_SBOM_EXPECTED_REF="$(git rev-parse HEAD)"

python3.13 .chain/sbom_manager.py publish --git-ref "$ADR_SBOM_EXPECTED_REF"
python3.13 .chain/sbom_manager.py verify --remote --strict-remote --expected-ref "$ADR_SBOM_EXPECTED_REF"

Keys	Action
`?`	Open this help
`n`	Next page
`p`	Previous page
`s`	Search