@xemahq/biome-supply-chain
v0.1.1
Published
Shared cosign supply-chain verification for Xema biomes: the single cosign CLI exec + the signature/provenance verdict enums used by biome-fetcher-api (OCI bundles) and @xemahq/biome-package (packaging CLI). Node-builtins only.
Readme
@xemahq/biome-supply-chain
This package belongs to Layer 1 — a framework-free runtime SDK utility.
Shared cosign supply-chain verification for Xema biomes. It centralizes the two
things that were previously copy-pasted between biome-fetcher-api (OCI bundle
verification) and @xemahq/biome-package (the packaging CLI):
- the single cosign CLI invocation (
ensureCosignAvailable,verifyCosignSignature,verifyCosignAttestation,verifyCosignBlob), and - the signature / provenance verdict vocabulary (
SignatureVerdict,ProvenanceVerdict,CosignErrorCode,CosignVerifyOutcome).
It shells out to the cosign binary and uses only Node built-ins — no NestJS,
no framework, no external runtime dependencies — so it is safe to import from a
service runtime image and from a build-time CLI alike.
Usage
import {
ensureCosignAvailable,
verifyCosignSignature,
verifyCosignBlob,
SignatureVerdict,
CosignVerifyOutcome,
} from '@xemahq/biome-supply-chain';
await ensureCosignAvailable();
// OCI ref (keyless identity allowlist)
await verifyCosignSignature({
ociRef: 'oci://registry/biome:1.2.0',
trustedIdentities: ['https://github.com/xema-dev/...'],
oidcIssuer: 'https://token.actions.githubusercontent.com',
});
// Detached blob (caller owns artifact/bundle files on disk)
const { outcome, matchedIdentity } = await verifyCosignBlob({
artifactPath: '/tmp/remoteEntry.js',
bundlePath: '/tmp/remoteEntry.js.bundle',
trustedIdentityRegexps: ['^https://github.com/xema-dev/.*$'],
});
if (outcome === CosignVerifyOutcome.Verified) {
// matchedIdentity is the regexp that verified
}Artifact resolution (resolving an OCI ref, or fetching + writing a blob to a temp file) stays with each consumer; this package owns only the cosign exec and the verdict enums.
