bd1b01fdc0
feat(sbom): add go.sum parser to ingest_sbom.py
...
Parses go.sum lockfiles for Go projects. Reads go.mod alongside to
mark direct vs indirect dependencies. Deduplicates by (module, version),
skipping go.mod hash lines.
Used to ingest key-cape (netkingdom domain): 23 Go modules.
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-03-19 01:04:34 +01:00
df083b1840
feat(sbom): CUST-WP-0013 — expand SBOM infra to terraform, ansible, and tool manifests
...
- Migration d6e7f8a9b0c1: add terraform, ansible, tool to Ecosystem enum
- ingest_sbom.py: new Ansible Galaxy requirements.yml parser (collections + roles)
- ingest_sbom.py: new sbom-tools.yaml manifest parser (agent-generated tool deps)
- ingest_sbom.py: promote .terraform.lock.hcl parser from ecosystem=other → terraform
- ingest_sbom.py: detect_all() runs all four parsers in one comprehensive scan
- capture_sbom_tools.py: agent-assisted tool manifest generator (claude -p)
- prompts/sbom-capture-agent.md: parameterised prompt for repo tool discovery
- Makefile: capture-tools target; ingest-sbom updated docs and DRY_RUN support
- 29 unit tests covering all new parsers and detect_all() behaviour
- canon/standards/sbom-convention_v0.1.md: updated with four-mechanism model and workflow
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-03-12 04:40:26 +01:00
fae9151144
feat(sbom): add Terraform .terraform.lock.hcl parser; ingest railiance repos
...
- ingest_sbom.py: parse .terraform.lock.hcl provider blocks (name, version);
ecosystem stored as 'other' until terraform added to DB ENUM
- Registered railiance-bootstrap + railiance-hosts under railiance domain
- railiance-hosts ingested: 2 Terraform providers (hashicorp/template 2.2.0,
hetznercloud/hcloud 1.52.0)
- railiance-bootstrap: no lockfile (pure Ansible/shell — noted in convention)
- sbom-convention_v0.1.md: add Terraform + Ansible rows to lockfile table;
update registered repos status table
Total SBOM: 422 packages across 2 repos (custodian + railiance-hosts)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-03-01 18:07:56 +01:00
4c157d43a8
feat(sbom): scan mode, domain grouping dashboard, SBOM convention doc
...
- ingest_sbom.py: add --scan flag (recursive lockfile discovery) +
--lockfile repeatable for explicit multi-file ingestion; skip
.venv/node_modules/.git/dist/etc; Makefile gains SCAN= and REPO_PATH= vars
- sbom.md: add /domains/ fetch; domain-level summary table; per-repo
accordion with details/summary; domain filter on package table; dual-
licence false-positive note; +1 KPI card (Domains Covered)
- canon/standards/sbom-convention_v0.1.md: authoritative lockfile table,
ingest workflow (single/scan/explicit), snapshot semantics, direct-vs-
transitive caveats, licence governance + copyleft escalation, update
cadence, multi-repo domain pattern, planned enhancements
First ingest: the-custodian — 420 pkgs (88 python + 332 node), 13 licence
groups, 1 copyleft flag (jszip dual-licensed MIT OR GPL-3.0-or-later)
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-03-01 16:15:40 +01:00
7d3487d4fe
feat(state-hub): v0.3 registration workflow + ingest-sbom + CLAUDE.md template update
...
- scripts/ingest_sbom.py: lockfile parser + API poster for uv.lock, requirements.txt,
package-lock.json, yarn.lock, Cargo.lock; auto-detects from repo root
- Makefile: make ingest-sbom REPO=<slug> [LOCKFILE=<path>] target
- scripts/register_project.sh: adds {REPO_SLUG} template substitution + optional
SBOM ingest prompt at end of registration (non-fatal if venv not ready)
- scripts/project_claude_md.template: adds Contribution Tracking + SBOM sections
documenting register_contribution(), update_contribution_status(), ingest-sbom,
and the contrib/ directory layout
- workplans/CUST-WP-0002: all 15 tasks → done, status → completed
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com >
2026-02-28 17:28:49 +01:00
