@avrabe avrabe commented Jan 9, 2026

Summary

Integrate wsc-attestation crate for supply chain security audit trails. When optimizing WASM modules, LOOM now embeds a cryptographic attestation in a custom section.

What's Added

  • Dependency: wsc-attestation = "0.4" (optional feature, enabled by default)
  • CLI Flag: --attestation (default: true, use --attestation=false to disable)
  • Custom Section: wsc.transformation.attestation containing JSON attestation

Attestation Contents

{
  "version": "1.0",
  "transformation_type": "optimization",
  "attestation_id": "uuid",
  "timestamp": "ISO8601",
  "output": { "name": "output.wasm", "hash": "sha256...", "size": N },
  "inputs": [{ "artifact": {...}, "signature_status": "unsigned" }],
  "tool": { "name": "loom", "version": "0.1.0", "parameters": {"passes": "all"} },
  "metadata": { "instructions_before": N, "instructions_after": M }
}

Usage

# Attestation enabled by default
loom optimize input.wasm -o output.wasm

# Disable attestation
loom optimize input.wasm -o output.wasm --attestation=false

Benefits

  1. Signature chain preservation - Verifiers can trace optimized modules back to original signed sources
  2. Audit compliance - ISO 21434, IEC 62443, SLSA requirements for transformation traceability
  3. Supply chain security - Each transformation step is cryptographically recorded
  4. Reproducibility - Optimization parameters preserved for rebuild verification

Test plan

  • Build with cargo build -p loom-cli
  • Test attestation: loom optimize test.wat -o out.wasm → verify custom section exists
  • Test disable: loom optimize test.wat -o out.wasm --attestation=false → verify no custom section
  • Verify JSON structure with wasm-tools print

Closes #43

Integrate wsc-attestation crate for supply chain security audit trails.
When optimizing WASM modules, LOOM now embeds a cryptographic attestation
in a custom section containing:

- Input/output SHA256 hashes for integrity verification
- Tool name, version, and optimization parameters
- Timestamp and unique attestation ID
- Z3 verification status (when --verify is used)
- Instruction count metadata

Usage:
  loom optimize input.wasm -o output.wasm          # attestation on (default)
  loom optimize input.wasm -o output.wasm --attestation=false  # disable

The attestation follows the wsc-attestation format and is stored in the
"wsc.transformation.attestation" custom section, enabling verifiers to
trace optimized modules back to their original signed sources.

Closes #43
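
Added example, not part of the PR or of LOOM's code: a std-only Rust reader that walks a module's sections and returns the JSON payload of the wsc.transformation.attestation custom section, the check the test plan above calls for. The names `find_attestation`, `read_u32_leb` and `sample_module` are hypothetical, and the sample module is constructed.

```rust
// Added example (not LOOM's code): find the attestation custom section in a WASM binary.
const SECTION_NAME: &str = "wsc.transformation.attestation"; // name taken from the PR

/// Decode an unsigned LEB128 u32 at `*pos`, advancing `*pos`; None if malformed.
fn read_u32_leb(buf: &[u8], pos: &mut usize) -> Option<u32> {
    let mut result = 0u32;
    for shift in (0u32..=28).step_by(7) {
        let byte = *buf.get(*pos)?;
        *pos += 1;
        if shift == 28 && byte > 0x0f { return None; } // would not fit in u32
        result |= ((byte & 0x7f) as u32) << shift;
        if byte & 0x80 == 0 { return Some(result); }
    }
    None
}

/// Return the attestation JSON text; None if the section is absent or the module is malformed.
fn find_attestation(wasm: &[u8]) -> Option<String> {
    if wasm.len() < 8 || !wasm.starts_with(b"\0asm") { return None; }
    let mut pos = 8; // skip magic and version
    while pos < wasm.len() {
        let id = wasm[pos];
        pos += 1;
        let size = read_u32_leb(wasm, &mut pos)? as usize;
        let end = pos.checked_add(size)?;
        let body = wasm.get(pos..end)?; // rejects sizes that run past the file
        if id == 0 { // custom section: name length, name, then payload
            let mut p = 0;
            let name_len = read_u32_leb(body, &mut p)? as usize;
            let name_end = p.checked_add(name_len)?;
            if body.get(p..name_end)? == SECTION_NAME.as_bytes() {
                return String::from_utf8(body[name_end..].to_vec()).ok();
            }
        }
        pos = end;
    }
    None
}

/// Constructed sample: header plus one custom section (section body must be < 128 bytes).
fn sample_module(name: &str, payload: &[u8]) -> Vec<u8> {
    let head = [0, (1 + name.len() + payload.len()) as u8, name.len() as u8];
    [&b"\0asm\x01\0\0\0"[..], &head[..], name.as_bytes(), payload].concat()
}

fn main() {
    let m = sample_module(SECTION_NAME, br#"{"tool":{"name":"loom"}}"#);
    println!("{:?}", find_attestation(&m));
}
```

A module produced with --attestation=false should make `find_attestation` return `None`, matching the "verify no custom section" step of the test plan.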
@avrabe avrabe force-pushed the feat/attestation-support branch from ca8aff0 to ebee65a Compare January 12, 2026 10:15
@avrabe avrabe merged commit e08bf27 into main Jan 12, 2026
20 checks passed
@avrabe avrabe deleted the feat/attestation-support branch January 12, 2026 13:10
Successfully merging this pull request may close these issues.

feat: integrate wsc-attestation for transformation audit trails