coulomb/state-hub
2
0
Fork 0
generated from coulomb/repo-seed
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
c5c8ee52ebf9bbd77dbc48aa547dd2dfcb2ca8de
state-hub/prompts/sbom-capture-agent.md
tegwick df083b1840 feat(sbom): CUST-WP-0013 — expand SBOM infra to terraform, ansible, and tool manifests 
- Migration d6e7f8a9b0c1: add terraform, ansible, tool to Ecosystem enum
- ingest_sbom.py: new Ansible Galaxy requirements.yml parser (collections + roles)
- ingest_sbom.py: new sbom-tools.yaml manifest parser (agent-generated tool deps)
- ingest_sbom.py: promote .terraform.lock.hcl parser from ecosystem=other → terraform
- ingest_sbom.py: detect_all() runs all four parsers in one comprehensive scan
- capture_sbom_tools.py: agent-assisted tool manifest generator (claude -p)
- prompts/sbom-capture-agent.md: parameterised prompt for repo tool discovery
- Makefile: capture-tools target; ingest-sbom updated docs and DRY_RUN support
- 29 unit tests covering all new parsers and detect_all() behaviour
- canon/standards/sbom-convention_v0.1.md: updated with four-mechanism model and workflow

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-12 04:40:26 +01:00

91 lines
4.4 KiB
Markdown
Raw Blame History

# SBOM Capture Agent Prompt
**Task:** Generate or update `sbom-tools.yaml` for the repository at `{repo_path}` (slug: `{repo_slug}`).
This file captures system-level tool dependencies that are not tracked by any package manager lockfile — tools that are installed via provisioning, Homebrew, system packages, or assumed present in the environment.
---
## Instructions
1. **Read the following files** in `{repo_path}` (read each that exists; skip gracefully if absent):
- `CLAUDE.md` — look for stack declarations, tool prerequisites, dev commands
- `README.md` / `QUICKSTART.md` — prerequisites sections, tool version requirements
- `Makefile` — tool invocations, version variables (e.g. `ANSIBLE_VERSION := 12.3`)
- `pyproject.toml` — Python tool dependencies (already covered by uv.lock; note but don't duplicate)
- `.tool-versions` — asdf version pins
- `.terraform-version` — tfenv pin
- `.ansible-version` — if present
- `Dockerfile` / `docker-compose.yml` — base image versions, tool installs
- `.github/workflows/*.yml` / `.gitlab-ci.yml` — CI tool install steps, version pins
- `ansible/requirements.yml`**already captured by lockfile parser; do NOT include Galaxy collections here**
- Any `scripts/setup*.sh`, `scripts/bootstrap*.sh`, or `tools/` directory
2. **Identify system-level tools only** — tools that:
- Are invoked as CLI commands (e.g. `ansible-playbook`, `terraform`, `helm`, `kubectl`, `k3s`, `goss`, `age`, `sops`)
- Are NOT installed via `uv`/`pip`/`npm`/`cargo` into a project virtualenv (those are in lockfiles)
- Note: `ansible` itself as a CLI tool is a system dep even if `ansible-core` appears in `uv.lock`
3. **For each tool, determine**:
- `name`: canonical tool name (e.g. `ansible`, `terraform`, `helm`, `kubectl`, `k3s`, `goss`, `age`, `sops`, `cloud-init`)
- `version`: the pinned or documented version. Use `unknown` only if no evidence found anywhere.
- `ecosystem`: one of `python`, `node`, `rust`, `go`, `java`, `terraform`, `ansible`, `tool`, `other`
- Use `ansible` for Ansible itself; `terraform` for Terraform itself; `tool` for generic CLI tools
- `license_spdx`: the SPDX identifier. Common known licences (use these exact strings):
- ansible / ansible-core: `GPL-3.0-only`
- terraform ≤ 1.5.5: `MPL-2.0`; terraform ≥ 1.5.6: `BSL-1.1`
- helm: `Apache-2.0`
- kubectl: `Apache-2.0`
- k3s: `Apache-2.0`
- goss: `Apache-2.0`
- age: `BSD-3-Clause`
- sops: `MPL-2.0`
- cloud-init: `Apache-2.0` (or `GPL-3.0-only` for older versions — check)
- docker: `Apache-2.0`
- If unknown, use `null`
- `is_direct`: `true` if this repo directly declares/uses it; `false` if it's a transitive dependency of another tool
- `is_dev`: `true` only if the tool is only used for development/testing, not production operation
4. **Confidence annotation**: Add a `# confidence: high/medium/low` comment after each entry:
- `high`: version found explicitly pinned in a file
- `medium`: version inferred from context (e.g. "Ansible 12" in README)
- `low`: version not found; using `unknown` or a reasonable guess
5. **Do NOT include**:
- Python packages already covered by `uv.lock` or `requirements.txt`
- Ansible Galaxy collections (covered by `ansible/requirements.yml`)
- Terraform providers (covered by `.terraform.lock.hcl`)
- Node packages, Rust crates, etc. (covered by their lockfiles)
- Operating system packages unless the repo explicitly declares them
6. **Output format**: Emit ONLY the YAML block below — no prose, no markdown fences, no explanation. The output must be valid YAML that can be written directly to `sbom-tools.yaml`.
---
## Output format
```yaml
# sbom-tools.yaml — system-level tool dependencies for {repo_slug}
# Generated by sbom-capture-agent on {date}
# Review each entry before committing. Entries with confidence: low need human verification.
tools:
- name: example-tool
version: "1.2.3" # confidence: high
ecosystem: tool
license_spdx: Apache-2.0
is_direct: true
is_dev: false
```
If no system-level tools are found, output:
```yaml
# sbom-tools.yaml — system-level tool dependencies for {repo_slug}
# Generated by sbom-capture-agent on {date}
# No system-level tools identified — all dependencies are covered by lockfiles.
tools: []
```
---
Now read `{repo_path}` and produce the `sbom-tools.yaml` content.
Reference in New Issue View Git Blame Copy Permalink