updates

README.md

@@ -87,3 +87,69 @@ transmute vcwg issue-credential ./tests/fixtures/private.sig.jwk.json ./tests/fi
 See [scripts](./scripts/) for more examples.
 
 TODO: all command examples
+
+## Use Cases
+
+### Software Supply Chain
+
+#### In Search of Transparency
+
+##### Product Integrity
+
+```bash
+
+sbom-tool generate -b ./dist -bc ./ -pn transmute -ps transmute.industries -pv `jq -r .version package.json` -nsu `git rev-parse --verify HEAD`
+
+transmute scitt issue-statement ./tests/fixtures/private.notary.key.cbor ./dist/_manifest/spdx_2.2/manifest.spdx.json \
+--iss https://software.vendor.example \
+--sub `jq -r .documentNamespace ./dist/_manifest/spdx_2.2/manifest.spdx.json` \
+--content-type application/spdx+json \
+--location https://github.com/transmute-industries/transmute/blob/main/dist/_manifest/spdx_2.2/manifest.spdx.json \
+--output ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor
+
+transmute scitt issue-receipt ./tests/fixtures/private.notary.key.cbor ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor \
+--iss https://software.notary.example \
+--sub `jq -r .documentNamespace ./dist/_manifest/spdx_2.2/manifest.spdx.json` \
+--log ./tests/fixtures/trans.json \
+--output ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor
+
+transmute scitt verify-receipt-hash ./tests/fixtures/public.notary.key.cbor ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor `cat ./dist/_manifest/spdx_2.2/manifest.spdx.json.sha256`
+
+```
+
+<img src="./docs/build.png" alt="command line image of build script execution" />
+
+##### Compliance Automation
+
+```yaml
+name: CI
+on: [push]
+jobs:
+  scitt:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Push Transparency
+        uses: transmute-industries/transmute@main
+        with:
+          neo4j-uri: ${{ secrets.NEO4J_URI }}
+          neo4j-user: ${{ secrets.NEO4J_USERNAME }}
+          neo4j-password: ${{ secrets.NEO4J_PASSWORD }}
+          transmute: |
+            graph assist ./dist/_manifest/spdx_2.2/manifest.spdx.scitt.cbor \
+              --credential-type application/cose \
+              --graph-type application/gql \
+              --push
+```
+
+<img src="./docs/receipt.png.png" alt="graph query results" />
+
+```
+MATCH (statement {
+    subject: 'https://spdx.org/spdxdocs/sbom-tool-2.2.7-66a07f86-0f12-4c6f-887b-9a1510b11d8a/transmute/0.9.2/2e57d4b2d9b45cccdd74dad91edbaabaa06074f9'
+})
+MATCH (receipt {
+    subject: statement.subject
+})
+RETURN statement, receipt
+```

src/graph/collate/collate.ts

@@ -13,6 +13,8 @@ export const collate = async (data: Uint8Array, inputType = 'application/cose',
   const payload = decoded.value[2].toString('hex')
   let sig = header.get(Protected.Alg)
   let hash = header.get(Protected.PayloadHashAlgorithm)
+  const payloadPreImageContentType = header.get(Protected.PayloadPreImageContentType)
+  const payloadLocation = header.get(Protected.PayloadLocation)
   const cwtClaims = header.get(Protected.CWTClaims)
   const iat = cwtClaims.get(6)
   const iss = cwtClaims.get(1)
@@ -35,7 +37,8 @@ export const collate = async (data: Uint8Array, inputType = 'application/cose',
     hash_value: payload,
     hash_algorithm: hash,
     signature_algorithm: sig,
-    content_type: 'application/cose',
+    content_type: payloadPreImageContentType,
+    location: payloadLocation,
     labels: ['scitt-statement'],
   };
   nodes[statement.id] = statement;
@@ -50,7 +53,7 @@ export const collate = async (data: Uint8Array, inputType = 'application/cose',
     const iss = cwtClaims.get(1)
     const sub = cwtClaims.get(2)
     if (vds === VerifiableDataStructures["RFC9162-Binary-Merkle-Tree"]) {
-      vds = "RFC9162-Binary-Merkle-Tree"
+      vds = "Binary Merkle Tree"
     }
     if (alg === Signature.ES256) {
       alg = 'ES256'
@@ -69,7 +72,7 @@ export const collate = async (data: Uint8Array, inputType = 'application/cose',
     }
     nodes[receipt.id] = receipt
     if (vdp === 'RFC9162-Inclusion-Proof') {
-      vdp = 'Notarization'
+      vdp = 'Inclusion Proof'
     }
     const edge = {
       source: receipt.id,