Skip to content

feat: end-to-end pipeline attestation example + wasm_optimize loom fix#446

Merged
avrabe merged 1 commit intomainfrom
feat/pipeline-attestation-example
Apr 20, 2026
Merged

feat: end-to-end pipeline attestation example + wasm_optimize loom fix#446
avrabe merged 1 commit intomainfrom
feat/pipeline-attestation-example

Conversation

@avrabe
Copy link
Copy Markdown
Contributor

@avrabe avrabe commented Apr 20, 2026

Summary

  • Adds examples/pipeline_attestation/ — an end-to-end demo of the PulseEngine attestation surface on a single tiny Rust component: rust_wasm_component_bindgen → wasm_sign → wasm_attest → wasm_show_chain + wasm_verify_chain.
  • Drops the stale -- subcommand separator from wasm/private/wasm_optimize.bzl (loom 0.3.0 rejects it) and adds a TODO noting the remaining WASI path-resolution issue that blocks end-to-end loom runs under Bazel.

Context

Follow-up to #442 / #444 / #445. Those PRs landed the pipeline rules, the meld native toolchain, and the attestation rule family — this one assembles a real demo so users can see the whole flow working without needing to stand up a multi-component fusion setup.

Test plan

  • bazel build //examples/pipeline_attestation:all_pipeline_outputs — produces a wsc "Transformation chain is valid" marker and a JSON chain artifact with one attestation entry
  • Chain JSON contains input/output hashes, tool name/version (wasmsign2 0.2.6), and timestamp
  • bazel build //examples/pipeline_attestation:greeter_chain_verified alone — verify-chain ship-gate succeeds
  • CI green across Linux/macOS/Windows

Why not meld_fuse or wasm_optimize in this example

  • meld_fuse needs two or more components with compatible interfaces — a full fusion demo is more than this example intends to set up. A follow-up can add it.
  • wasm_optimize (loom) has a pending WASI path issue: loom.wasm reads bazel-out/... paths via WASI and --dir=. does not follow the bazel-out symlinks. Documented in a TODO in wasm/private/wasm_optimize.bzl; fixing it cleanly will want a small Go wrapper mirroring the one we already use for wsc. Out of scope here.

wasm_attest is sufficient to exercise the entire sign/attest/verify/show surface against a single component, which is the goal.

🤖 Generated with Claude Code

examples/pipeline_attestation/ exercises the full attestation surface on a
single tiny Rust component:

  rust_wasm_component_bindgen -> wasm_sign -> wasm_attest
                                                  |
                          wasm_show_chain (JSON)  |
                          wasm_verify_chain       |
                                                  |
                                                all verified green

Verified locally: `bazel build //examples/pipeline_attestation:all_pipeline_outputs`
emits a wsc "Transformation chain is valid" marker and a JSON artifact with
one attestation entry recording input hash, output hash, tool name/version
and timestamp.

The example deliberately uses wasm_attest (not meld_fuse or wasm_optimize)
because meld_fuse needs a multi-component setup and wasm_optimize has a
pending WASI path-resolution issue — loom reads `bazel-out/...` paths via
WASI and `--dir=.` does not follow the bazel-out symlinks. Documented in a
TODO in wasm/private/wasm_optimize.bzl. While touching that file also
dropped the stale `--` subcommand separator that loom 0.3.0 rejects.

Co-Authored-By: Claude Opus 4.7 (1M context) <[email protected]>
@avrabe avrabe merged commit 38690b5 into main Apr 20, 2026
28 checks passed
@avrabe avrabe deleted the feat/pipeline-attestation-example branch April 20, 2026 05:46
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant