| 1 | +# Migration Notes |
| 2 | + |
| 3 | +This directory is a first extraction pass. It duplicates the verification logic |
| 4 | + so the API repository can keep working while the standalone project is shaped. |
| 5 | + |
| 6 | +## Code That Was Duplicated |
| 7 | + |
| 8 | +From `sbom-signing-api` into this module: |
| 9 | + |
| 10 | +- `api/application/sbom_verify_application.go` |
| 11 | +- `api/services/sbom/sbom_formatting.go` |
| 12 | +- verification-specific parts of `api/services/digest/*` |
| 13 | +- verification-specific parts of `api/services/ecdsa.go` |
| 14 | +- `api/utils/key_utils.go` |
| 15 | +- `api/cli/offline_verification/*` |
| 16 | +- minimal key metadata types required by digest verification |
| 17 | + |
| 18 | +## Code That Should Stay In The API Repo |
| 19 | + |
| 20 | +- `api/handlers/*verify*` |
| 21 | +- `api/services/verify/service.go` |
| 22 | +- request auth and authorization helpers |
| 23 | +- Firestore access and customer/key ownership checks |
| 24 | +- HTTP contract models |
| 25 | +- usage tracking and rate limiting |
| 26 | + |
| 27 | +## Recommended Next Refactor |
| 28 | + |
| 29 | +1. Introduce this module as a dependency in `api/go.mod`. |
| 30 | +2. Update `api/application` usage sites to import the external module. |
| 31 | +3. Leave `api/services/verify` in place, but change it to call the imported verifier. |
| 32 | +4. Leave handlers unchanged except for import path updates caused by step 2. |
| 33 | +5. Keep signing and key-generation logic in the API repo. |
| 34 | +6. Remove duplicated verification internals from the API repo only after tests pass. |
| 35 | + |
| 36 | +## Notes |
| 37 | + |
| 38 | +- The package layout here intentionally mirrors the current repo in several areas |
| 39 | + to keep the migration low-risk. |
| 40 | +- A later cleanup pass can introduce more polished public packages once the |
| 41 | + dependency boundary is proven in production. |
| 42 | +- GitHub workflows have been staged under `.github/workflows` inside this |
| 43 | + extracted project. They are intended for the future standalone repository and |
| 44 | + will not run while this project remains nested under `sbom-signing-api`. |
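Review bot: "Code That Was Duplicated" lists "verification-specific parts of `api/services/digest/*`" and "verification-specific parts of `api/services/ecdsa.go`" without naming the files or functions, so step 6 ("Remove duplicated verification internals from the API repo only after tests pass") cannot be carried out reproducibly and, until it is, every fix to signature or digest verification has to be applied in two places. Suggest enumerating the exact functions copied from `digest/*` and `ecdsa.go`, stating which copy is authoritative while both exist, and noting in "Notes" how the extracted module's tests are run in the meantime, since the same section says the staged `.github/workflows` "will not run while this project remains nested under `sbom-signing-api`".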