From 6431bfab79bc2d7fed88116a5f8407792111d0a0 Mon Sep 17 00:00:00 2001
From: tegwick
Date: Wed, 18 Mar 2026 18:31:12 +0100
Subject: [PATCH] chore(sbom): add system-level tool dependency manifest
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Captures k3s, helm, kubectl, goss, sops, and age as direct tool dependencies for railiance-cluster. Versions are unresolved (confidence: low) — no version pins exist in the repo yet.
Co-Authored-By: Claude Sonnet 4.6
---
sbom-tools.yaml | 52 +++++++++++++++++++++++++++++++++++++++++++++++++
1 file changed, 52 insertions(+)
create mode 100644 sbom-tools.yaml
diff --git a/sbom-tools.yaml b/sbom-tools.yaml
new file mode 100644
index 0000000..21cde43
--- /dev/null
+++ b/sbom-tools.yaml
@@ -0,0 +1,52 @@
+# sbom-tools.yaml — system-level tool dependencies for railiance-cluster
+# Generated by sbom-capture-agent on 2026-03-12
+# Review each entry before committing. Entries with confidence: low need human verification.
+#
+# NOT included here (covered by other parsers):
+# - ansible / ansible-core Python packages → uv.lock
+#
+# Note: ansible is installed via uv (see uv.lock) — versions 12.3.0 / 13.4.0 depending
+# on Python version. Listed here as a system-level runtime tool for completeness; the
+# uv.lock entry is the authoritative version source.
+tools:
+ - name: k3s
+ version: null # confidence: low (referenced in Makefile and CLAUDE.md; no version pin found)
+ ecosystem: tool
+ license_spdx: Apache-2.0
+ is_direct: true
+ is_dev: false
+
+ - name: helm
+ version: null # confidence: low (referenced in bin/railiance and Makefile; no version pin)
+ ecosystem: tool
+ license_spdx: Apache-2.0
+ is_direct: true
+ is_dev: false
+
+ - name: kubectl
+ version: null # confidence: low (referenced in bin/railiance dispatcher; no version pin)
+ ecosystem: tool
+ license_spdx: Apache-2.0
+ is_direct: true
+ is_dev: false
+
+ - name: goss
+ version: null # confidence: low (referenced in Makefile verify targets; no version pin)
+ ecosystem: tool
+ license_spdx: Apache-2.0
+ is_direct: true
+ is_dev: true
+
+ - name: sops
+ version: null # confidence: low (referenced via railiance-doctor check; no version pin)
+ ecosystem: tool
+ license_spdx: MPL-2.0
+ is_direct: true
+ is_dev: false
+
+ - name: age
+ version: null # confidence: low (referenced via railiance-doctor check; no version pin)
+ ecosystem: tool
+ license_spdx: BSD-3-Clause
+ is_direct: true
+ is_dev: false
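Review bot: Every entry under `tools:` records `version: null`, and the only trace of why is a trailing `# confidence: low` comment, which a YAML parser discards on load. A consumer of this manifest therefore cannot tell an unverified entry from a reviewed one, and none of the six tools (including k3s, sops and age) can be matched against vulnerability advisories. If the manifest schema allows it, carry the marker as data with a `confidence: low` key on each entry, and follow up by pinning the tool versions in the repo so `version` can be filled in. The header comment also contradicts itself: ansible appears under "NOT included here", yet the note below says it is "Listed here ... for completeness", and `tools:` has no ansible entry. I would reword the note to say ansible is intentionally omitted and that uv.lock is the authoritative source.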