feat(state-hub): v0.3 registration workflow + ingest-sbom + CLAUDE.md template update

- scripts/ingest_sbom.py: lockfile parser + API poster for uv.lock, requirements.txt, package-lock.json, yarn.lock, Cargo.lock; auto-detects from repo root - Makefile: make ingest-sbom REPO=<slug> [LOCKFILE=<path>] target - scripts/register_project.sh: adds {REPO_SLUG} template substitution + optional SBOM ingest prompt at end of registration (non-fatal if venv not ready) - scripts/project_claude_md.template: adds Contribution Tracking + SBOM sections documenting register_contribution(), update_contribution_status(), ingest-sbom, and the contrib/ directory layout - workplans/CUST-WP-0002: all 15 tasks → done, status → completed Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-28 17:28:49 +01:00
parent 8f34b3547f
commit e471ed2cd5
5 changed files with 373 additions and 16 deletions
--- a/state-hub/scripts/project_claude_md.template
+++ b/state-hub/scripts/project_claude_md.template
@@ -82,6 +82,63 @@ add_progress_event(
 )
 ```

+### Contribution Tracking
+
+This project tracks upstream contributions in `contrib/` — bug reports, feature
+requests, extension-point proposals, and upstream PRs — as canonical Markdown files.
+
+**Directory layout:**
+```
+contrib/
+  bug-reports/       # br-YYYY-MM-DD--org--repo--slug.md
+  feature-requests/  # fr-YYYY-MM-DD--org--repo--slug.md
+  extension-points/  # EP-{DOMAIN}-NNN--org--repo--slug.md
+  upstream-prs/      # upr-YYYY-MM-DD--org--repo--slug.md
+```
+
+Templates: `~/the-custodian/canon/standards/contrib-templates/`
+Convention: `~/the-custodian/canon/standards/contribution-convention_v0.1.md`
+
+**Register a contribution in the State Hub:**
+```
+register_contribution(
+    type="upr",             # br | fr | ep | upr
+    title="Add injectTocTop to Observable Framework",
+    target_org="observablehq",
+    target_repo="framework",
+    body_path="contrib/upstream-prs/2026-02-26--observablehq--framework--inject.md",
+    related_workstream_id="<uuid>",
+)
+```
+
+**Update status when upstream responds:**
+```
+update_contribution_status(contribution_id="<uuid>", status="submitted")
+# then: acknowledged → accepted → merged
+```
+
+**List all contributions for this domain:**
+```
+get_contributions(target_repo="framework")
+```
+
+### SBOM
+
+Software Bill of Materials for this repo is tracked in the State Hub.
+
+**Ingest the current lockfile:**
+```bash
+cd ~/the-custodian/state-hub
+make ingest-sbom REPO={REPO_SLUG}
+```
+
+**Check licence risk:**
+```
+get_licence_report()
+```
+
+**View SBOM dashboard:** `http://localhost:3000/sbom`
+
 ### Quick Reference

 See `~/the-custodian/state-hub/mcp_server/TOOLS.md` for a compact tool reference.