Supply chain & SBOM

Dependency transparency for Workers dashboard bundles.

SBOMs describe composition — they don’t certify vulnerability absence.

Artifacts

CI generates CycloneDX JSON SBOMs for trust-engine and trust-dashboard lockfiles and uploads them as workflow artifacts.

Workflow: .github/workflows/compliance-artifacts.yml
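A reviewer-side check on a downloaded SBOM artifact, added here as an example (not code from this project or its workflow): it lists what the CycloneDX document declares and flags components too incomplete to match against an advisory feed later. The sample SBOM, component names and the `inspectSbom` helper are constructed for illustration.

```javascript
// Constructed sample standing in for a downloaded SBOM artifact (not real project output).
const SAMPLE_SBOM = JSON.stringify({
  bomFormat: "CycloneDX",
  specVersion: "1.5",
  components: [
    { type: "library", name: "example-router", version: "2.1.0",
      purl: "pkg:npm/example-router@2.1.0",
      hashes: [{ alg: "SHA-512", content: "constructed-digest" }],
      // CycloneDX allows components to nest inside a component.
      components: [{ type: "library", name: "example-vendored", version: "0.3.1" }] },
    { type: "library", name: "example-utils", purl: "pkg:npm/example-utils" },
  ],
});

// Flatten top-level and nested components into one list, parents first.
function flattenComponents(components) {
  return (components || []).flatMap((c) => [c, ...flattenComponents(c.components)]);
}

// Build a composition report from CycloneDX JSON text (hypothetical helper).
function inspectSbom(jsonText) {
  const bom = JSON.parse(jsonText);
  if (bom.bomFormat !== "CycloneDX" || typeof bom.specVersion !== "string") {
    throw new Error("not a CycloneDX JSON document");
  }
  const all = flattenComponents(bom.components);
  const label = (c) => c.purl || c.name || "<unnamed>";
  return {
    specVersion: bom.specVersion,
    componentCount: all.length,
    // Entries without a version or purl cannot be matched reliably to advisories.
    missingVersion: all.filter((c) => !c.version).map(label),
    missingPurl: all.filter((c) => !c.purl).map(label),
    // Entries without hashes cannot be tied back to a specific downloaded file.
    missingHashes: all.filter((c) => !(c.hashes && c.hashes.length)).map(label),
    // No "vulnerabilities" array means the document makes no vulnerability
    // statement at all; it does not mean the components are clean.
    hasVulnerabilityData: Array.isArray(bom.vulnerabilities),
  };
}

console.log(inspectSbom(SAMPLE_SBOM));
```

A report with `hasVulnerabilityData: false` is the normal case for a composition-only SBOM; vulnerability status has to come from a separate scan of the listed components.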

Dependency hygiene
