swhid-verification-tool 0.1.0__tar.gz

swhid_verification_tool-0.1.0/CHANGELOG.md

@@ -0,0 +1,23 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.0.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [0.1.0] - 2026-06-27
+
+### Added
+- **Multi-Ecosystem Support**: Verification strategies for PyPI (via PEP 740 and project URLs), Cargo/Crates.io (with deterministic normalization), and Maven Central (with SCM metadata validation and source inspections).
+- **Provenance Mapping**: Resolution rules from Package URLs (PURLs) to verified Software Heritage Identifiers (SWHIDs).
+- **Attestation Parsing**: PyPI strategy extracts commit SHAs from Sigstore/PEP 740 attestations via Fulcio certificates.
+- **VCS Normalization**: Restoring Cargo packages to match the original VCS source states by undoing registry modifications.
+- **SPDX 3.0 Compliance**: JSON-LD export compliant with official SPDX 3.0 RDF-based models, and test suites with SHACL shape validation.
+- **Archival Integration**: Automation for Software Heritage "Save Code Now" trigger functionality.
+- **Local Scanner**: Utility to check local installation paths against verified SPDX manifests containing SWHID targets.
+- **FastAPI Endpoint**: HTTP API interface for remote resolution in `swhid_tool/api.py`.
+- **Command Line Interface**: Rich-powered CLI console interface for single PURL resolution, batch processing, path scanning, and status checking.
+
+### Changed
+- Refactored project modules from independent scripts into the structured Python package `swhid_tool`.
+- Consolidated tests under the `tests/` directory with multi-strategy mock suites.

swhid_verification_tool-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Odysseas Kalaitsidis
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

swhid_verification_tool-0.1.0/MANIFEST.in

@@ -0,0 +1,8 @@
+include LICENSE
+include README.md
+include CHANGELOG.md
+include developer_guide.md
+include user_guide.md
+include maintainer_guide.md
+recursive-include swhid_tool *.py
+recursive-include tests *.py

swhid_verification_tool-0.1.0/PKG-INFO

@@ -0,0 +1,165 @@
+Metadata-Version: 2.4
+Name: swhid-verification-tool
+Version: 0.1.0
+Summary: A verification framework to map PURLs to verified SWHIDs
+Author: Odysseas Kalaitsidis
+License: MIT
+Project-URL: Homepage, https://github.com/OdysseasKalaitsidis/SWHID_POC
+Project-URL: Repository, https://github.com/OdysseasKalaitsidis/SWHID_POC
+Project-URL: Bug Tracker, https://github.com/OdysseasKalaitsidis/SWHID_POC/issues
+Project-URL: Documentation, https://github.com/OdysseasKalaitsidis/SWHID_POC#readme
+Classifier: Development Status :: 4 - Beta
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: Information Technology
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.9
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Programming Language :: Python :: 3.13
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Libraries :: Python Modules
+Requires-Python: >=3.9
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: requests>=2.31.0
+Requires-Dist: swh.model>=6.4.0
+Requires-Dist: rich>=13.7.0
+Requires-Dist: cryptography>=42.0.0
+Requires-Dist: spdx-tools>=0.8.2
+Requires-Dist: semantic-version>=2.10.0
+Requires-Dist: typer>=0.9.0
+Requires-Dist: fastapi>=0.109.0
+Requires-Dist: uvicorn>=0.27.0
+Requires-Dist: packageurl-python>=0.11.2
+Requires-Dist: python-multipart>=0.0.9
+Requires-Dist: pyshacl>=0.25.0
+Requires-Dist: rdflib>=7.0.0
+Provides-Extra: dev
+Requires-Dist: ruff; extra == "dev"
+Requires-Dist: mypy; extra == "dev"
+Requires-Dist: pytest; extra == "dev"
+Requires-Dist: responses; extra == "dev"
+Requires-Dist: pytest-cov; extra == "dev"
+Requires-Dist: build; extra == "dev"
+Requires-Dist: twine; extra == "dev"
+Provides-Extra: test
+Requires-Dist: pytest; extra == "test"
+Requires-Dist: responses; extra == "test"
+Requires-Dist: pytest-cov; extra == "test"
+Dynamic: license-file
+
+# SWHID Verification Tool
+
+[![GSoC 2026](https://img.shields.io/badge/GSoC-2026-orange.svg)](https://summerofcode.withgoogle.com/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)
+[![Software Heritage](https://img.shields.io/badge/SWH-Archived-red.svg)](https://www.softwareheritage.org/)
+
+A verification framework designed to map Package URLs (PURLs) to verified Software Heritage Identifiers (SWHIDs). This tool ensures cryptographic and structural provenance by establishing a verifiable link between software distributions and their canonical source code archived in the Software Heritage (SWH) ecosystem.
+
+## Key Features
+
+*   **Multi-Ecosystem Support**: Specialized verification strategies for PyPI, Crates.io (Cargo), and Maven Central.
+*   **High-Confidence Provenance**:
+    *   **PyPI**: Extraction of commit SHAs from Sigstore/PEP 740 attestations via Fulcio certificates.
+    *   **Cargo**: Deterministic normalization and restoration of original project state for byte-for-byte matching.
+    *   **Maven**: SCM metadata resolution and verification of cleaned source artifacts.
+*   **SPDX 3.0 Compliance**: Generation of RDF-compatible JSON-LD manifests using official SPDX models.
+*   **Automated Archival Integration**: Proactive use of the Software Heritage "Save Code Now" API.
+*   **Installation Verification**: Local filesystem scanner to audit installed packages against verified SWHID ground truth.
+
+## Installation
+
+### Prerequisites
+- Python 3.9+
+- [Optional] A Software Heritage API Token for higher rate limits.
+
+### Setup
+```bash
+git clone https://github.com/OdysseasKalaitsidis/SWHID_POC
+cd SWHID_POC
+python -m venv venv
+source venv/bin/activate  # Use .\venv\Scripts\activate on Windows
+pip install -r requirements.txt
+```
+
+## Configuration
+
+The tool can be configured via environment variables or a `.env` file:
+
+| Variable | Description | Default |
+| :--- | :--- | :--- |
+| `SWH_TOKEN` | Software Heritage API Authentication Token | None |
+| `CACHE_DIR` | Directory for caching resolution results | `./cache` |
+| `LOG_LEVEL` | Logging verbosity (DEBUG, INFO, ERROR) | `INFO` |
+
+## Usage
+
+### Quick Start
+Map a single PURL to a verified SWHID immediately:
+```bash
+python -m swhid_tool.cli swhid-map pkg:pypi/six@1.17.0
+```
+
+### Batch Processing
+Generate an SPDX 3.0 dataset for multiple PURLs:
+```bash
+python -m swhid_tool.cli batch-process input_purls.txt output_report.jsonld
+```
+
+### Integrity Auditing
+Verify a local directory against a verified manifest:
+```bash
+python -m swhid_tool.cli verify-path /path/to/installed/library manifest.jsonld
+```
+
+### REST API
+Deploy as a service using FastAPI:
+```bash
+python -m uvicorn swhid_tool.api:app --host 0.0.0.0 --port 8000
+```
+
+## Architecture
+
+The system utilizes a strategy-based pattern to decouple ecosystem-specific logic from the core resolution engine.
+
+```mermaid
+graph TD
+    CLI[CLI / API] --> Manager[SWHID Manager]
+    Manager --> PURL[PURL Parser]
+    Manager --> StrategyRouter{Strategy Router}
+    StrategyRouter --> PyPI[PyPI Strategy]
+    StrategyRouter --> Cargo[Cargo Strategy]
+    StrategyRouter --> Maven[Maven Strategy]
+    PyPI --> SWH[SWH API / Archive]
+    Cargo --> SWH
+    Maven --> SWH
+    Manager --> Exporter[SPDX 3.0 Exporter]
+    Exporter --> JSONLD[JSON-LD Manifest]
+```
+
+## Validation and Standards
+
+Verification findings are exported as SPDX 3.0 documents. Compliance with RDF standards is ensured through SHACL shape validation using the integrated `test_validation.py` suite.
+
+## Documentation
+
+Detailed guides for different stakeholders:
+- [**User Guide**](user_guide.md): CLI reference, API specifications, and troubleshooting.
+- [**Developer Guide**](developer_guide.md): Extending the tool to new ecosystems and core internals.
+- [**Maintainer Guide**](maintainer_guide.md): Best practices for enabling high-confidence verifiability.
+
+## Contributing
+
+Contributions are welcome! Please see the [Developer Guide](developer_guide.md) for setup instructions and coding standards.
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+
+## Acknowledgments
+
+This project was developed as part of the **Google Summer of Code (GSoC) 2026** program, under the mentorship of **Software Heritage**.
+

swhid_verification_tool-0.1.0/README.md

@@ -0,0 +1,113 @@
+# SWHID Verification Tool
+
+[![GSoC 2026](https://img.shields.io/badge/GSoC-2026-orange.svg)](https://summerofcode.withgoogle.com/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+[![Python 3.9+](https://img.shields.io/badge/python-3.9+-blue.svg)](https://www.python.org/downloads/)
+[![Software Heritage](https://img.shields.io/badge/SWH-Archived-red.svg)](https://www.softwareheritage.org/)
+
+A verification framework designed to map Package URLs (PURLs) to verified Software Heritage Identifiers (SWHIDs). This tool ensures cryptographic and structural provenance by establishing a verifiable link between software distributions and their canonical source code archived in the Software Heritage (SWH) ecosystem.
+
+## Key Features
+
+*   **Multi-Ecosystem Support**: Specialized verification strategies for PyPI, Crates.io (Cargo), and Maven Central.
+*   **High-Confidence Provenance**:
+    *   **PyPI**: Extraction of commit SHAs from Sigstore/PEP 740 attestations via Fulcio certificates.
+    *   **Cargo**: Deterministic normalization and restoration of original project state for byte-for-byte matching.
+    *   **Maven**: SCM metadata resolution and verification of cleaned source artifacts.
+*   **SPDX 3.0 Compliance**: Generation of RDF-compatible JSON-LD manifests using official SPDX models.
+*   **Automated Archival Integration**: Proactive use of the Software Heritage "Save Code Now" API.
+*   **Installation Verification**: Local filesystem scanner to audit installed packages against verified SWHID ground truth.
+
+## Installation
+
+### Prerequisites
+- Python 3.9+
+- [Optional] A Software Heritage API Token for higher rate limits.
+
+### Setup
+```bash
+git clone https://github.com/OdysseasKalaitsidis/SWHID_POC
+cd SWHID_POC
+python -m venv venv
+source venv/bin/activate  # Use .\venv\Scripts\activate on Windows
+pip install -r requirements.txt
+```
+
+## Configuration
+
+The tool can be configured via environment variables or a `.env` file:
+
+| Variable | Description | Default |
+| :--- | :--- | :--- |
+| `SWH_TOKEN` | Software Heritage API Authentication Token | None |
+| `CACHE_DIR` | Directory for caching resolution results | `./cache` |
+| `LOG_LEVEL` | Logging verbosity (DEBUG, INFO, ERROR) | `INFO` |
+
+## Usage
+
+### Quick Start
+Map a single PURL to a verified SWHID immediately:
+```bash
+python -m swhid_tool.cli swhid-map pkg:pypi/six@1.17.0
+```
+
+### Batch Processing
+Generate an SPDX 3.0 dataset for multiple PURLs:
+```bash
+python -m swhid_tool.cli batch-process input_purls.txt output_report.jsonld
+```
+
+### Integrity Auditing
+Verify a local directory against a verified manifest:
+```bash
+python -m swhid_tool.cli verify-path /path/to/installed/library manifest.jsonld
+```
+
+### REST API
+Deploy as a service using FastAPI:
+```bash
+python -m uvicorn swhid_tool.api:app --host 0.0.0.0 --port 8000
+```
+
+## Architecture
+
+The system utilizes a strategy-based pattern to decouple ecosystem-specific logic from the core resolution engine.
+
+```mermaid
+graph TD
+    CLI[CLI / API] --> Manager[SWHID Manager]
+    Manager --> PURL[PURL Parser]
+    Manager --> StrategyRouter{Strategy Router}
+    StrategyRouter --> PyPI[PyPI Strategy]
+    StrategyRouter --> Cargo[Cargo Strategy]
+    StrategyRouter --> Maven[Maven Strategy]
+    PyPI --> SWH[SWH API / Archive]
+    Cargo --> SWH
+    Maven --> SWH
+    Manager --> Exporter[SPDX 3.0 Exporter]
+    Exporter --> JSONLD[JSON-LD Manifest]
+```
+
+## Validation and Standards
+
+Verification findings are exported as SPDX 3.0 documents. Compliance with RDF standards is ensured through SHACL shape validation using the integrated `test_validation.py` suite.
+
+## Documentation
+
+Detailed guides for different stakeholders:
+- [**User Guide**](user_guide.md): CLI reference, API specifications, and troubleshooting.
+- [**Developer Guide**](developer_guide.md): Extending the tool to new ecosystems and core internals.
+- [**Maintainer Guide**](maintainer_guide.md): Best practices for enabling high-confidence verifiability.
+
+## Contributing
+
+Contributions are welcome! Please see the [Developer Guide](developer_guide.md) for setup instructions and coding standards.
+
+## License
+
+This project is licensed under the MIT License - see the [LICENSE](LICENSE) file for details.
+
+## Acknowledgments
+
+This project was developed as part of the **Google Summer of Code (GSoC) 2026** program, under the mentorship of **Software Heritage**.
+

swhid_verification_tool-0.1.0/developer_guide.md

@@ -0,0 +1,51 @@
+# Developer Guide
+
+This guide is intended for developers who wish to contribute to the SWHID Verification Tool or extend its functionality.
+
+## Core Architecture
+
+The tool follows a **Strategy Pattern** to handle different package ecosystems.
+
+### `SWHIDManager`
+The central orchestrator that routes PURLs to the appropriate `VerificationStrategy`.
+
+### `VerificationStrategy`
+An abstract base class defined in `swhid_tool/strategies/base.py`. Every ecosystem (PyPI, Cargo, etc.) implements this class to provide:
+1. **Source Discovery**: Finding the canonical source repository or sdist.
+2. **Normalization**: Cleaning the source to match SWH's archival format.
+3. **Verification**: Comparing computed SWHIDs with archived ones.
+
+## Extending the Tool
+
+To add support for a new ecosystem (e.g., `npm`):
+
+1. Create a new strategy class in `swhid_tool/strategies/npm_strategy.py`.
+2. Inherit from `VerificationStrategy`.
+3. Register the new strategy in `SWHIDManager.__init__` within `swhid_tool/manager.py`.
+
+## Testing
+
+Run the test suite using `pytest`:
+
+```bash
+pytest tests/
+```
+
+Individual test modules:
+- `test_core.py`: SWHID computation and SWH client logic.
+- `test_purl_parser.py`: PURL parsing for all supported ecosystems.
+- `test_strategies.py`: Strategy-level unit tests (Cargo, Maven, PyPI).
+- `test_scanner.py`: Installation scanner directory auditing.
+- `test_spdx3_model.py`: SPDX 3.0 serialization.
+- `test_exporter.py`: SPDX 3.0 JSON-LD export.
+- `test_swhid.py`: End-to-end CLI smoke test.
+- `test_validation.py`: SHACL validation of generated manifests.
+
+## Development Environment Setup
+
+1. Install development dependencies:
+   ```bash
+   pip install -r requirements.txt
+   pip install pytest pytest-cov
+   ```
+2. Set up a local cache directory to speed up repeated resolutions.

swhid_verification_tool-0.1.0/maintainer_guide.md

@@ -0,0 +1,24 @@
+# Maintainer Guide
+
+This guide is for package maintainers who want to ensure their packages are easily verifiable using SWHIDs.
+
+## Why SWHIDs?
+SWHIDs provide a persistent, cryptographic link to the exact source code of a package version. By ensuring your package is SWHID-verifiable, you provide users with high-confidence provenance.
+
+## Best Practices for Verifiability
+
+### 1. Use Sigstore Attestations (PyPI)
+For Python packages, use [Sigstore](https://www.sigstore.dev/) to sign your releases. This tool extracts the git commit SHA from the Sigstore certificate to verify that the sdist matches the source repository.
+
+### 2. Include SCM Metadata (Maven/Cargo)
+Ensure your package metadata includes a valid `scm` (Maven) or `repository` (Cargo) URL. The tool uses this to locate the source code for comparison.
+
+### 3. Clean Releases
+Avoid including generated files (like `.pyc`, compiled binaries, or `.egg-info`) in your source distributions (sdists) unless they are absolutely necessary. The closer the sdist matches the git tree, the higher the verification confidence.
+
+## Verifying Your Own Package
+You can verify your package's archival status by running:
+```bash
+python -m swhid_tool.cli swhid-map pkg:<ecosystem>/<name>@<version>
+```
+If the tool reports a low confidence score, check if your source distribution contains extra files not present in the git repository.

swhid_verification_tool-0.1.0/pyproject.toml

@@ -0,0 +1,81 @@
+[build-system]
+requires = ["setuptools>=61.0"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "swhid-verification-tool"
+version = "0.1.0"
+description = "A verification framework to map PURLs to verified SWHIDs"
+readme = "README.md"
+requires-python = ">=3.9"
+license = {text = "MIT"}
+authors = [
+    {name = "Odysseas Kalaitsidis"}
+]
+classifiers = [
+    "Development Status :: 4 - Beta",
+    "Intended Audience :: Developers",
+    "Intended Audience :: Information Technology",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.9",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Programming Language :: Python :: 3.13",
+    "Topic :: Security",
+    "Topic :: Software Development :: Libraries :: Python Modules",
+]
+dependencies = [
+    "requests>=2.31.0",
+    "swh.model>=6.4.0",
+    "rich>=13.7.0",
+    "cryptography>=42.0.0",
+    "spdx-tools>=0.8.2",
+    "semantic-version>=2.10.0",
+    "typer>=0.9.0",
+    "fastapi>=0.109.0",
+    "uvicorn>=0.27.0",
+    "packageurl-python>=0.11.2",
+    "python-multipart>=0.0.9",
+    "pyshacl>=0.25.0",
+    "rdflib>=7.0.0",
+]
+
+[project.optional-dependencies]
+dev = [
+    "ruff",
+    "mypy",
+    "pytest",
+    "responses",
+    "pytest-cov",
+    "build",
+    "twine",
+]
+test = [
+    "pytest",
+    "responses",
+    "pytest-cov",
+]
+
+[project.urls]
+Homepage = "https://github.com/OdysseasKalaitsidis/SWHID_POC"
+Repository = "https://github.com/OdysseasKalaitsidis/SWHID_POC"
+"Bug Tracker" = "https://github.com/OdysseasKalaitsidis/SWHID_POC/issues"
+Documentation = "https://github.com/OdysseasKalaitsidis/SWHID_POC#readme"
+
+[project.scripts]
+swhid-tool = "swhid_tool.cli:app"
+
+[tool.setuptools.packages.find]
+where = ["."]
+include = ["swhid_tool*"]
+
+[tool.ruff]
+line-length = 100
+target-version = "py39"
+
+[tool.mypy]
+python_version = "3.9"
+strict = true
+ignore_missing_imports = true

swhid_verification_tool-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

swhid_verification_tool-0.1.0/swhid_tool/__init__.py

@@ -0,0 +1,4 @@
+# SPDX-FileCopyrightText: 2026 Odysseas Kalaitsidis
+# SPDX-License-Identifier: MIT
+
+__version__ = "0.1.0"

swhid_verification_tool-0.1.0/swhid_tool/api.py

@@ -0,0 +1,34 @@
+# SPDX-FileCopyrightText: 2026 Odysseas Kalaitsidis
+# SPDX-License-Identifier: MIT
+
+from fastapi import FastAPI, Query, HTTPException
+from swhid_tool.manager import SWHIDManager
+from swhid_tool.logging_config import setup_logging
+from typing import Dict, Any
+
+setup_logging()
+app = FastAPI(title="SWHID Verification API")
+manager = SWHIDManager()
+
+
+@app.get("/resolve")
+async def resolve_purl(purl: str = Query(..., description="The Package URL to resolve")):
+    """
+    Resolves a PURL to a SWHID, returning confidence level and strategy used.
+    """
+    try:
+        result = manager.resolve(purl)
+        return {
+            "purl": result.get("purl"),
+            "swhid": result.get("swhid"),
+            "confidence": result.get("confidence"),
+            "strategy": result.get("strategy", result.get("name", "unknown")),
+            "status": result.get("status", "Done"),
+            "details": result
+        }
+    except Exception as e:
+        raise HTTPException(status_code=400, detail=str(e))
+
+@app.get("/health")
+async def health():
+    return {"status": "ok"}

swhid_verification_tool-0.1.0/swhid_tool/batch_processor.py

@@ -0,0 +1,59 @@
+# SPDX-FileCopyrightText: 2026 Odysseas Kalaitsidis
+# SPDX-License-Identifier: MIT
+
+import time
+import json
+import os
+import logging
+from typing import List, Dict, Any
+from swhid_tool.manager import SWHIDManager
+from rich.progress import Progress
+
+logger = logging.getLogger(__name__)
+
+class BatchProcessor:
+    def __init__(self, manager: SWHIDManager, cache_dir: str = "cache"):
+        self.manager = manager
+        self.cache_dir = cache_dir
+        if not os.path.exists(cache_dir):
+            os.makedirs(cache_dir)
+
+    def process_purls(self, purls: List[str]) -> List[Dict[str, Any]]:
+        results = []
+        with Progress() as progress:
+            task = progress.add_task("[cyan]Processing PURLs...", total=len(purls))
+            
+            for purl in purls:
+                # Check cache
+                cache_file = os.path.join(self.cache_dir, f"{purl.replace(':', '_').replace('/', '_')}.json")
+                if os.path.exists(cache_file):
+                    with open(cache_file, "r") as f:
+                        results.append(json.load(f))
+                    progress.update(task, advance=1)
+                    continue
+
+                try:
+                    logger.info(f"Resolving {purl}")
+                    result = self.manager.resolve(purl)
+                    
+                    # Trigger Save Code Now if not verified but repo is known
+                    if result.get("status") in ["Partial", "Inferred"] and "repo_url" in result:
+                        progress.console.print(f"[blue]Triggering Save Code Now for {result['repo_url']}...[/blue]")
+                        save_result = self.manager.swh.trigger_save_code_now(result["repo_url"])
+                        result["save_code_now"] = save_result
+                        
+                    results.append(result)
+                    # Save to cache
+                    with open(cache_file, "w") as f:
+                        json.dump(result, f)
+                except Exception as e:
+                    logger.error(f"Error processing {purl}: {str(e)}")
+                    progress.console.print(f"[red]Error processing {purl}: {str(e)}[/red]")
+                    results.append({"purl": purl, "status": "Error", "reason": str(e)})
+                
+                progress.update(task, advance=1)
+                # Small delay to be polite
+                time.sleep(0.5)
+        
+        return results
+