# SBOM Capture Agent Prompt

**Task:** Generate or update `sbom-tools.yaml` for the repository at `{repo_path}` (slug: `{repo_slug}`). This file captures system-level tool dependencies that are not tracked by any package manager lockfile — tools that are installed via provisioning, Homebrew, system packages, or assumed present in the environment.

---

## Instructions

1. **Read the following files** in `{repo_path}` (read each that exists; skip gracefully if absent):
   - `CLAUDE.md` — look for stack declarations, tool prerequisites, dev commands
   - `README.md` / `QUICKSTART.md` — prerequisites sections, tool version requirements
   - `Makefile` — tool invocations, version variables (e.g. `ANSIBLE_VERSION := 12.3`)
   - `pyproject.toml` — Python tool dependencies (already covered by `uv.lock`; note but don't duplicate)
   - `.tool-versions` — asdf version pins
   - `.terraform-version` — tfenv pin
   - `.ansible-version` — if present
   - `Dockerfile` / `docker-compose.yml` — base image versions, tool installs
   - `.github/workflows/*.yml` / `.gitlab-ci.yml` — CI tool install steps, version pins
   - `ansible/requirements.yml` — **already captured by the lockfile parser; do NOT include Galaxy collections here**
   - Any `scripts/setup*.sh`, `scripts/bootstrap*.sh`, or `tools/` directory

2. **Identify system-level tools only** — tools that:
   - Are invoked as CLI commands (e.g. `ansible-playbook`, `terraform`, `helm`, `kubectl`, `k3s`, `goss`, `age`, `sops`)
   - Are NOT installed via `uv`/`pip`/`npm`/`cargo` into a project virtualenv (those are in lockfiles)
   - Note: `ansible` itself as a CLI tool is a system dependency even if `ansible-core` appears in `uv.lock`

3. **For each tool, determine**:
   - `name`: canonical tool name (e.g. `ansible`, `terraform`, `helm`, `kubectl`, `k3s`, `goss`, `age`, `sops`, `cloud-init`)
   - `version`: the pinned or documented version. Use `unknown` only if no evidence is found anywhere.
   - `ecosystem`: one of `python`, `node`, `rust`, `go`, `java`, `terraform`, `ansible`, `tool`, `other`
     - Use `ansible` for Ansible itself; `terraform` for Terraform itself; `tool` for generic CLI tools
   - `license_spdx`: the SPDX identifier. Common known licences (use these exact strings):
     - ansible / ansible-core: `GPL-3.0-only`
     - terraform ≤ 1.5.5: `MPL-2.0`; terraform ≥ 1.5.6: `BSL-1.1`
     - helm: `Apache-2.0`
     - kubectl: `Apache-2.0`
     - k3s: `Apache-2.0`
     - goss: `Apache-2.0`
     - age: `BSD-3-Clause`
     - sops: `MPL-2.0`
     - cloud-init: `Apache-2.0` (or `GPL-3.0-only` for older versions — check)
     - docker: `Apache-2.0`
     - If unknown, use `null`
   - `is_direct`: `true` if this repo directly declares/uses it; `false` if it's a transitive dependency of another tool
   - `is_dev`: `true` only if the tool is used solely for development/testing, not production operation

4. **Confidence annotation**: Add a `# confidence: high/medium/low` comment after each entry:
   - `high`: version found explicitly pinned in a file
   - `medium`: version inferred from context (e.g. "Ansible 12" in README)
   - `low`: version not found; using `unknown` or a reasonable guess

5. **Do NOT include**:
   - Python packages already covered by `uv.lock` or `requirements.txt`
   - Ansible Galaxy collections (covered by `ansible/requirements.yml`)
   - Terraform providers (covered by `.terraform.lock.hcl`)
   - Node packages, Rust crates, etc. (covered by their lockfiles)
   - Operating system packages unless the repo explicitly declares them

6. **Output format**: Emit ONLY the YAML block below — no prose, no markdown fences, no explanation. The output must be valid YAML that can be written directly to `sbom-tools.yaml`.

---

## Output format

```yaml
# sbom-tools.yaml — system-level tool dependencies for {repo_slug}
# Generated by sbom-capture-agent on {date}
# Review each entry before committing. Entries with confidence: low need human verification.

tools:
  - name: example-tool
    version: "1.2.3"  # confidence: high
    ecosystem: tool
    license_spdx: Apache-2.0
    is_direct: true
    is_dev: false
```

If no system-level tools are found, output:

```yaml
# sbom-tools.yaml — system-level tool dependencies for {repo_slug}
# Generated by sbom-capture-agent on {date}
# No system-level tools identified — all dependencies are covered by lockfiles.

tools: []
```

---

Now read `{repo_path}` and produce the `sbom-tools.yaml` content.
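A small review-side checker for the emitted file, added here as an example and not part of the agent prompt: it parses the flat layout shown above and flags the points the instructions call out (required fields, the allowed `ecosystem` set, the confidence annotation and its relation to `unknown`, the terraform licence split from the prompt's table, and Galaxy collections that slipped in). The sample input and the names `expected_license`, `parse_tools` and `validate` are constructed for this example.

```python
import re
ECOSYSTEMS = {"python", "node", "rust", "go", "java", "terraform", "ansible", "tool", "other"}
REQUIRED = ("name", "version", "ecosystem", "license_spdx", "is_direct", "is_dev")
KNOWN_LICENSES = {"ansible": "GPL-3.0-only", "helm": "Apache-2.0", "age": "BSD-3-Clause", "sops": "MPL-2.0"}

def expected_license(name, version):  # SPDX id the prompt's table prescribes, or None if it has no rule
    if name != "terraform":
        return KNOWN_LICENSES.get(name)
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version)  # the prompt's table splits terraform at 1.5.5 / 1.5.6
    return None if not m else ("MPL-2.0" if tuple(map(int, m.groups())) <= (1, 5, 5) else "BSL-1.1")

def parse_tools(text):  # parses only the flat list-of-mappings layout the prompt emits, not general YAML
    tools, cur = [], None
    for raw in text.splitlines():
        line, _, comment = raw.partition("#")  # the trailing comment carries '# confidence: ...'
        line = line.strip()
        if line.startswith("- "):
            tools.append(cur := {"_confidence": None})
        elif not line or line.startswith("tools:") or cur is None:
            continue
        key, _, value = line.lstrip("- ").partition(":")
        value = value.strip().strip('"')
        cur[key.strip()] = {"true": True, "false": False, "null": None}.get(value, value)
        m = re.search(r"confidence:\s*(high|medium|low)", comment)
        if m:
            cur["_confidence"] = m.group(1)
    return tools

def validate(text):  # returns review findings for an sbom-tools.yaml body; an empty list means it passes
    out = []
    for t in parse_tools(text):
        name = str(t.get("name", "<unnamed>"))
        out += [f"{name}: missing field {k}" for k in REQUIRED if k not in t]
        if t.get("ecosystem") not in ECOSYSTEMS:
            out.append(f"{name}: ecosystem {t.get('ecosystem')!r} not allowed")
        if t["_confidence"] is None or (t.get("version") == "unknown" and t["_confidence"] != "low"):
            out.append(f"{name}: confidence annotation missing, or too high for an unknown version")
        exp = expected_license(name, str(t.get("version", "")))
        if exp and t.get("license_spdx") != exp:
            out.append(f"{name}: license_spdx should be {exp}")
        if re.fullmatch(r"[a-z0-9_]+\.[a-z0-9_]+", name):  # Galaxy collections look like namespace.name
            out.append(f"{name}: Galaxy collection; belongs in ansible/requirements.yml, not here")
    return out

SAMPLE = """tools:
  - name: terraform
    version: "1.9.0"  # confidence: medium
    ecosystem: terraform
    license_spdx: MPL-2.0
"""  # constructed input: is_direct/is_dev are omitted, and MPL-2.0 is wrong for a release after 1.5.5
```

`validate(SAMPLE)` returns three findings (two missing fields and the licence mismatch); `validate("tools: []")` returns an empty list.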