coulomb/state-hub
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c5c8ee52ebf9bbd77dbc48aa547dd2dfcb2ca8de
state-hub/prompts/sbom-capture-agent.md
tegwick df083b1840 feat(sbom): CUST-WP-0013 — expand SBOM infra to terraform, ansible, and tool manifests 
- Migration d6e7f8a9b0c1: add terraform, ansible, tool to Ecosystem enum
- ingest_sbom.py: new Ansible Galaxy requirements.yml parser (collections + roles)
- ingest_sbom.py: new sbom-tools.yaml manifest parser (agent-generated tool deps)
- ingest_sbom.py: promote .terraform.lock.hcl parser from ecosystem=other → terraform
- ingest_sbom.py: detect_all() runs all four parsers in one comprehensive scan
- capture_sbom_tools.py: agent-assisted tool manifest generator (claude -p)
- prompts/sbom-capture-agent.md: parameterised prompt for repo tool discovery
- Makefile: capture-tools target; ingest-sbom updated docs and DRY_RUN support
- 29 unit tests covering all new parsers and detect_all() behaviour
- canon/standards/sbom-convention_v0.1.md: updated with four-mechanism model and workflow

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 04:40:26 +01:00

4.4 KiB
Raw Blame History

SBOM Capture Agent Prompt

Task: Generate or update sbom-tools.yaml for the repository at {repo_path} (slug: {repo_slug}).

This file captures system-level tool dependencies that are not tracked by any package manager lockfile — tools that are installed via provisioning, Homebrew, system packages, or assumed present in the environment.

Instructions

  1. Read the following files in {repo_path} (read each that exists; skip gracefully if absent):

    • CLAUDE.md — look for stack declarations, tool prerequisites, dev commands
    • README.md / QUICKSTART.md — prerequisites sections, tool version requirements
    • Makefile — tool invocations, version variables (e.g. ANSIBLE_VERSION := 12.3)
    • pyproject.toml — Python tool dependencies (already covered by uv.lock; note but don't duplicate)
    • .tool-versions — asdf version pins
    • .terraform-version — tfenv pin
    • .ansible-version — if present
    • Dockerfile / docker-compose.yml — base image versions, tool installs
    • .github/workflows/*.yml / .gitlab-ci.yml — CI tool install steps, version pins
    • ansible/requirements.ymlalready captured by lockfile parser; do NOT include Galaxy collections here
    • Any scripts/setup*.sh, scripts/bootstrap*.sh, or tools/ directory

  2. Identify system-level tools only — tools that:

    • Are invoked as CLI commands (e.g. ansible-playbook, terraform, helm, kubectl, k3s, goss, age, sops)
    • Are NOT installed via uv/pip/npm/cargo into a project virtualenv (those are in lockfiles)
    • Note: ansible itself as a CLI tool is a system dep even if ansible-core appears in uv.lock

  3. For each tool, determine:

    • name: canonical tool name (e.g. ansible, terraform, helm, kubectl, k3s, goss, age, sops, cloud-init)
    • version: the pinned or documented version. Use unknown only if no evidence found anywhere.
    • ecosystem: one of python, node, rust, go, java, terraform, ansible, tool, other
      • Use ansible for Ansible itself; terraform for Terraform itself; tool for generic CLI tools
    • license_spdx: the SPDX identifier. Common known licences (use these exact strings):
      • ansible / ansible-core: GPL-3.0-only
      • terraform ≤ 1.5.5: MPL-2.0; terraform ≥ 1.5.6: BSL-1.1
      • helm: Apache-2.0
      • kubectl: Apache-2.0
      • k3s: Apache-2.0
      • goss: Apache-2.0
      • age: BSD-3-Clause
      • sops: MPL-2.0
      • cloud-init: Apache-2.0 (or GPL-3.0-only for older versions — check)
      • docker: Apache-2.0
      • If unknown, use null
    • is_direct: true if this repo directly declares/uses it; false if it's a transitive dependency of another tool
    • is_dev: true only if the tool is only used for development/testing, not production operation

  4. Confidence annotation: Add a # confidence: high/medium/low comment after each entry:

    • high: version found explicitly pinned in a file
    • medium: version inferred from context (e.g. "Ansible 12" in README)
    • low: version not found; using unknown or a reasonable guess

  5. Do NOT include:

    • Python packages already covered by uv.lock or requirements.txt
    • Ansible Galaxy collections (covered by ansible/requirements.yml)
    • Terraform providers (covered by .terraform.lock.hcl)
    • Node packages, Rust crates, etc. (covered by their lockfiles)
    • Operating system packages unless the repo explicitly declares them

  6. Output format: Emit ONLY the YAML block below — no prose, no markdown fences, no explanation. The output must be valid YAML that can be written directly to sbom-tools.yaml.

Output format

# sbom-tools.yaml — system-level tool dependencies for {repo_slug}
# Generated by sbom-capture-agent on {date}
# Review each entry before committing. Entries with confidence: low need human verification.
tools:
  - name: example-tool
    version: "1.2.3"        # confidence: high
    ecosystem: tool
    license_spdx: Apache-2.0
    is_direct: true
    is_dev: false

If no system-level tools are found, output:

# sbom-tools.yaml — system-level tool dependencies for {repo_slug}
# Generated by sbom-capture-agent on {date}
# No system-level tools identified — all dependencies are covered by lockfiles.
tools: []

Now read {repo_path} and produce the sbom-tools.yaml content.

Reference in New Issue View Git Blame Copy Permalink