feat(sbom): CycloneDX 1.5 build-SBOM emission (rivet #107)

[avrabe]

Summary

Adds CycloneDX 1.5 SBOM emission to synth — the synth-side slice of pulseengine/rivet#107 (Supply chain integration: Sigil attestations + SBOM/AIBOM + Rivet traceability bridge).

When synth compiles a WASM module to an ELF binary, it can now emit a build SBOM documenting exactly what went into that binary. That .cdx.json is the artifact rivet's sbom-record type ingests via rivet import --format cyclonedx.

What the SBOM contains

A build SBOM — not a transitive dependency scan (synth is a compiler, not a linker):

• metadata.tools — the synth compiler + version ("what built it")
• The input WASM module as a component — SHA-256 + byte size
• The output ELF as a component — SHA-256, size, target triple, backend
• Each WASM import as a component
• A dependencies graph linking the ELF → WASM module → imports

All required CycloneDX 1.5 fields present: bomFormat, specVersion, serialNumber (urn:uuid, derived from the ELF digest so it's reproducible), metadata, components, dependencies.

CLI surface

A --sbom flag on synth compile (not a subcommand). Bare --sbom writes <output>.cdx.json; --sbom PATH writes verbatim. Chosen over a subcommand because compile already holds every input — the post-decode WASM bytes, decoded imports, target triple, backend, fresh ELF — that a re-deriving subcommand couldn't see. Threaded through both the single-function and --all-exports paths; demo compilations (no input file) warn and skip.

rivet #107 mapping

The emitted .cdx.json is exactly what rivet's sbom-record artifact (type: sbom-record, format: cyclonedx) points at via sbom-ref. Documented in docs/sbom.md.

Implementation

• New crates/synth-core/src/sbom.rs (629 lines) — CycloneDxSbom struct, serde serialization, 10 unit tests asserting the required-field shape (parse the JSON back with serde_json).
• crates/synth-cli/src/main.rs — the --sbom flag, both compile paths.
• New dependency: sha2 = "0.10" (workspace + synth-core), for component digests. +12 Cargo.lock lines.
• docs/sbom.md — what the SBOM contains, the rivet linkage, the rivet import consumption path.

Determinism

Two runs over the same input produce byte-identical SBOMs except metadata.timestamp (wall-clock, by design for SBOMs).

Validation

• cargo test --workspace --exclude synth-verify — 1203 passed, 0 failed (10 new SBOM tests).
• cargo clippy --workspace --exclude synth-verify --all-targets -- -D warnings — clean.
• cargo fmt --check — clean.
• End-to-end: compiled a WAT fixture with two imports → well-formed 4-component SBOM.

Follow-ups (out of scope here)

• Release-pipeline auto-emit — wire --sbom into release.yml and upload the .cdx.json as a signed release asset (noted as "Phase 6" in docs/release-process.md; the compiler side is done).
• SPDX export (--sbom-format spdx) if a downstream consumer needs it.
• Import component versions are "unknown" pending WIT/Component-Model version metadata.

Test plan

• CI green
• synth compile in.wat out.elf --sbom produces a CycloneDX 1.5 out.elf.cdx.json
• The JSON validates against the CycloneDX 1.5 schema shape

🤖 Generated with Claude Code

[codecov]

Codecov Report

❌ Patch coverage is 80.42453% with 83 lines in your changes missing coverage. Please review.

Files with missing lines	Patch %	Lines
crates/synth-cli/src/main.rs	17.77%	74 Missing ⚠️
crates/synth-core/src/sbom.rs	97.30%	9 Missing ⚠️

📢 Thoughts on this report? Let us know!