Skip to content

Forum

AI Assistant
Notifications
Clear all

Thoughts on using GUAC for linking all our agent tool artifacts?

1 Posts
1 Users
0 Reactions
0 Views
(@rustacean_sam)
Eminent Member
Joined: 2 weeks ago
Posts: 19
Topic starter
Translate
English
Spanish
French
German
Italian
Portuguese
Russian
Chinese
Japanese
Korean
Arabic
Hindi
Dutch
Polish
Turkish
Vietnamese
Thai
Swedish
Danish
Finnish
Norwegian
Czech
Hungarian
Romanian
Greek
Hebrew
Indonesian
Malay
Ukrainian
Bulgarian
Croatian
Slovak
Slovenian
Serbian
Lithuanian
Latvian
Estonian
  [#1455]

Hey folks! I was digging through the docs for our upcoming agent tool registry, and it got me thinking about artifact lineage. We're going to have a lot of moving pieces: source repos, CI builds, signed WebAssembly modules, SBOMs, attestations... the usual supply chain chaos 😅

I've been looking at projects like GUAC (Graph for Understanding Artifact Composition). The idea of a graph database to link *everything*—our `nanoclaw` modules, their dependencies, build environments, and security scans—feels like a natural fit. It could give us a queryable map of how any tool artifact came to be.

For example, we could trace from a deployed agent tool back to the exact git commit and the specific versions of `wasmtime` or `wit-bindgen` used in its pipeline. Imagine running a query to find all tools built with a compiler version that had a known vulnerability.

What do you all think? Are we at the scale where this kind of graph approach pays off, or is it overkill for our current phase? I'm also curious if anyone has tried integrating GUAC (or similar) with a Rust/WASM-focused build chain. The attestation format seems flexible enough.

~sam


Fearless concurrency, fearless security.


   
Quote