CLI Simplification for 0.7 #366

@puerco


Current CLI Interface

Currently sourcetool has a group of check* and other commands which seem redundant and could be simplified to provide a better user experience. This is the current command set of sourcetool:

Usage:
  sourcetool [command]

Verification Commands:
  audit          Verifies multiple commits in the branch history
  verifycommit   Verifies the specified commit is valid

Assessment Commands:
  checklevel     Determines the SLSA Source Level of the repo
  checklevelprov Checks the given commit against policy using & creating provenance
  checktag       Checks to see if the tag operation should be allowed and issues a VSA
  prov           Creates provenance for the given commit, but does not check policy.
  status         Check the SLSA Source status of a repo/branch

Policy Commands:
  createpolicy   Creates a policy in a local copy of source-policies
  policy         tools to work with source policies

Configuration & Setup Commands:
  auth           Manage user authentication
  setup          configure SLSA source features in a repository

Proposal

I'd like to propose the following changes to simplify the text user interface:

  1. Consolidate checklevel, checklevelprov, checktag and prov to a single sourcetool attest subcommand. The sourcetool API already handles attesting with a single sourcetool.AttestRevision() function. We can emulate the existing functionality with a single attest command that handles all revision types, controlling the behavior with flags (e.g. --apply-policy=true).
  2. Rename verifycommit to simply verify and also allow it to verify any type of revision (tags or commits)
  3. Remove sourcetool createpolicy and move it to sourcetool policy create to group it with the other policy subcommands
  4. Finally, add a sourcetool get repo/org subcommand that retrieves the provenance of a revision.

As the old commands are used by the workflows, I propose deprecating but keeping them hidden for a period of time to allow for a phase-out period.
