npm - @cyclonedx/cdxgen - Versions diffs - 12.3.0 → 12.3.2 - Mend

@cyclonedx/cdxgen 12.3.0 → 12.3.2

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (121) hide show

package/README.md +15 -5
package/bin/audit.js +7 -0
package/bin/cdxgen.js +241 -81
package/bin/repl.js +138 -0
package/data/rules/ai-agent-governance.yaml +249 -0
package/data/rules/dependency-sources.yaml +41 -0
package/data/rules/mcp-servers.yaml +304 -0
package/data/rules/package-integrity.yaml +123 -0
package/lib/audit/index.js +353 -29
package/lib/audit/index.poku.js +247 -7
package/lib/audit/reporters.js +26 -0
package/lib/audit/scoring.js +262 -13
package/lib/audit/scoring.poku.js +179 -0
package/lib/audit/targets.js +391 -2
package/lib/audit/targets.poku.js +416 -3
package/lib/cli/index.js +588 -45
package/lib/cli/index.poku.js +735 -1
package/lib/evinser/evinser.js +8 -5
package/lib/helpers/agentFormulationParser.js +318 -0
package/lib/helpers/aiInventory.js +262 -0
package/lib/helpers/aiInventory.poku.js +111 -0
package/lib/helpers/analyzer.js +1769 -0
package/lib/helpers/analyzer.poku.js +284 -3
package/lib/helpers/auditCategories.js +76 -0
package/lib/helpers/ciParsers/githubActions.js +140 -16
package/lib/helpers/ciParsers/githubActions.poku.js +110 -0
package/lib/helpers/communityAiConfigParser.js +672 -0
package/lib/helpers/communityAiConfigParser.poku.js +63 -0
package/lib/helpers/depsUtils.js +108 -0
package/lib/helpers/depsUtils.poku.js +72 -1
package/lib/helpers/display.js +325 -3
package/lib/helpers/display.poku.js +301 -0
package/lib/helpers/formulationParsers.js +28 -0
package/lib/helpers/formulationParsers.poku.js +504 -1
package/lib/helpers/jsonLike.js +102 -0
package/lib/helpers/jsonLike.poku.js +34 -0
package/lib/helpers/mcp.js +248 -0
package/lib/helpers/mcp.poku.js +101 -0
package/lib/helpers/mcpConfigParser.js +656 -0
package/lib/helpers/mcpConfigParser.poku.js +126 -0
package/lib/helpers/mcpDiscovery.js +84 -0
package/lib/helpers/mcpDiscovery.poku.js +21 -0
package/lib/helpers/protobom.js +3 -3
package/lib/helpers/provenanceUtils.js +29 -4
package/lib/helpers/provenanceUtils.poku.js +29 -3
package/lib/helpers/registryProvenance.js +210 -0
package/lib/helpers/registryProvenance.poku.js +144 -0
package/lib/helpers/rustFormulationParser.js +330 -0
package/lib/helpers/source.js +21 -2
package/lib/helpers/source.poku.js +38 -0
package/lib/helpers/utils.js +1331 -83
package/lib/helpers/utils.poku.js +599 -188
package/lib/helpers/vsixutils.js +12 -4
package/lib/helpers/vsixutils.poku.js +34 -0
package/lib/managers/binary.js +36 -12
package/lib/managers/binary.poku.js +68 -0
package/lib/managers/docker.js +59 -9
package/lib/managers/docker.poku.js +61 -0
package/lib/managers/piptree.js +12 -7
package/lib/managers/piptree.poku.js +44 -0
package/lib/stages/postgen/annotator.js +2 -1
package/lib/stages/postgen/annotator.poku.js +15 -0
package/lib/stages/postgen/auditBom.js +20 -6
package/lib/stages/postgen/auditBom.poku.js +694 -1
package/lib/stages/postgen/postgen.js +262 -11
package/lib/stages/postgen/postgen.poku.js +306 -2
package/lib/stages/postgen/ruleEngine.js +49 -1
package/lib/stages/postgen/spdxConverter.poku.js +70 -0
package/lib/stages/pregen/pregen.js +6 -4
package/package.json +1 -1
package/types/bin/repl.d.ts.map +1 -1
package/types/lib/audit/index.d.ts.map +1 -1
package/types/lib/audit/reporters.d.ts.map +1 -1
package/types/lib/audit/scoring.d.ts.map +1 -1
package/types/lib/audit/targets.d.ts +12 -0
package/types/lib/audit/targets.d.ts.map +1 -1
package/types/lib/cli/index.d.ts +2 -8
package/types/lib/cli/index.d.ts.map +1 -1
package/types/lib/evinser/evinser.d.ts.map +1 -1
package/types/lib/helpers/agentFormulationParser.d.ts +19 -0
package/types/lib/helpers/agentFormulationParser.d.ts.map +1 -0
package/types/lib/helpers/aiInventory.d.ts +23 -0
package/types/lib/helpers/aiInventory.d.ts.map +1 -0
package/types/lib/helpers/analyzer.d.ts +10 -0
package/types/lib/helpers/analyzer.d.ts.map +1 -1
package/types/lib/helpers/auditCategories.d.ts +12 -0
package/types/lib/helpers/auditCategories.d.ts.map +1 -0
package/types/lib/helpers/ciParsers/githubActions.d.ts.map +1 -1
package/types/lib/helpers/communityAiConfigParser.d.ts +29 -0
package/types/lib/helpers/communityAiConfigParser.d.ts.map +1 -0
package/types/lib/helpers/depsUtils.d.ts +8 -0
package/types/lib/helpers/depsUtils.d.ts.map +1 -1
package/types/lib/helpers/display.d.ts +17 -1
package/types/lib/helpers/display.d.ts.map +1 -1
package/types/lib/helpers/formulationParsers.d.ts.map +1 -1
package/types/lib/helpers/jsonLike.d.ts +4 -0
package/types/lib/helpers/jsonLike.d.ts.map +1 -0
package/types/lib/helpers/mcp.d.ts +29 -0
package/types/lib/helpers/mcp.d.ts.map +1 -0
package/types/lib/helpers/mcpConfigParser.d.ts +30 -0
package/types/lib/helpers/mcpConfigParser.d.ts.map +1 -0
package/types/lib/helpers/mcpDiscovery.d.ts +5 -0
package/types/lib/helpers/mcpDiscovery.d.ts.map +1 -0
package/types/lib/helpers/provenanceUtils.d.ts +5 -3
package/types/lib/helpers/provenanceUtils.d.ts.map +1 -1
package/types/lib/helpers/registryProvenance.d.ts +9 -0
package/types/lib/helpers/registryProvenance.d.ts.map +1 -1
package/types/lib/helpers/rustFormulationParser.d.ts +17 -0
package/types/lib/helpers/rustFormulationParser.d.ts.map +1 -0
package/types/lib/helpers/source.d.ts.map +1 -1
package/types/lib/helpers/utils.d.ts +31 -1
package/types/lib/helpers/utils.d.ts.map +1 -1
package/types/lib/helpers/vsixutils.d.ts.map +1 -1
package/types/lib/managers/binary.d.ts.map +1 -1
package/types/lib/managers/docker.d.ts.map +1 -1
package/types/lib/managers/piptree.d.ts.map +1 -1
package/types/lib/stages/postgen/annotator.d.ts.map +1 -1
package/types/lib/stages/postgen/auditBom.d.ts.map +1 -1
package/types/lib/stages/postgen/postgen.d.ts.map +1 -1
package/types/lib/stages/postgen/ruleEngine.d.ts.map +1 -1
package/types/lib/stages/pregen/pregen.d.ts.map +1 -1

package/lib/cli/index.poku.js CHANGED Viewed

@@ -14,7 +14,14 @@ import esmock from "esmock";
 import { assert, describe, it } from "poku";
 import sinon from "sinon";
-import { createChromeExtensionBom } from "./index.js";
+import { auditBom } from "../stages/postgen/auditBom.js";
+import { postProcess } from "../stages/postgen/postgen.js";
+import {
+  createBom,
+  createChromeExtensionBom,
+  createNodejsBom,
+  createRustBom,
+} from "./index.js";
 const fixtureDir = join(
   dirname(fileURLToPath(import.meta.url)),
@@ -24,9 +31,70 @@ const fixtureDir = join(
   "data",
   "chrome-extensions",
 );
+const cargoFixtureDir = join(
+  dirname(fileURLToPath(import.meta.url)),
+  "..",
+  "..",
+  "test",
+  "data",
+  "cargo-workspace-repotest",
+);
+const cargoCacheFixtureDir = join(
+  dirname(fileURLToPath(import.meta.url)),
+  "..",
+  "..",
+  "test",
+  "data",
+  "cargo-cache-fixture",
+  "registry",
+  "cache",
+  "index.crates.io-1949cf8c6b5b557f",
+);
+const mcpFixtureDir = join(
+  dirname(fileURLToPath(import.meta.url)),
+  "..",
+  "..",
+  "test",
+  "data",
+  "mcp-repotest",
+);
+function getProp(obj, name) {
+  return obj?.properties?.find((property) => property.name === name)?.value;
+}
 describe("CLI tests", () => {
   describe("submitBom()", () => {
+    it("should report blocked Dependency-Track submission during dry-run", async () => {
+      const recordActivity = sinon.stub();
+      const actualUtils = await import("../helpers/utils.js");
+      const { submitBom } = await esmock("./index.js", {
+        "../helpers/utils.js": {
+          ...actualUtils,
+          isDryRun: true,
+          recordActivity,
+        },
+      });
+      const response = await submitBom(
+        {
+          apiKey: "TEST_API_KEY",
+          projectId: "f7cb9f02-8041-4991-9101-b01fa07a6522",
+          projectName: "cdxgen-test-project",
+          projectVersion: "1.0.0",
+          serverUrl: "https://dtrack.example.com",
+        },
+        { bom: "test" },
+      );
+      assert.strictEqual(response, undefined);
+      sinon.assert.calledWithMatch(recordActivity, {
+        kind: "network",
+        status: "blocked",
+        target: sinon.match("https://dtrack.example.com"),
+      });
+    });
     it("should successfully report the SBOM with given project id, name, version and a single tag", async () => {
       const fakeGotResponse = {
         json: sinon.stub().resolves({ success: true }),
@@ -488,5 +556,671 @@ describe("CLI tests", () => {
         rmSync(tempRoot, { recursive: true, force: true });
       }
     });
+    it("records the specific create*Bom project type for multi-type dry-run activities", async () => {
+      let currentActivityContext = {};
+      const recordedActivities = [];
+      const actualUtils = await import("../helpers/utils.js");
+      const { createBom: createBomMocked } = await esmock("./index.js", {
+        "../helpers/utils.js": {
+          ...actualUtils,
+          recordActivity: (activity) => {
+            recordedActivities.push({
+              packageType: currentActivityContext.packageType,
+              projectType: currentActivityContext.projectType,
+              sourcePath: currentActivityContext.sourcePath,
+              ...activity,
+            });
+          },
+          resetActivityContext: () => {
+            currentActivityContext = {};
+          },
+          setActivityContext: (context = {}) => {
+            currentActivityContext = {
+              ...currentActivityContext,
+              ...context,
+            };
+          },
+        },
+      });
+      await createBomMocked(cargoFixtureDir, {
+        installDeps: false,
+        multiProject: true,
+        projectType: ["cargo", "github"],
+        specVersion: 1.7,
+      });
+      const activities = recordedActivities.filter(
+        (activity) =>
+          activity.kind === "read" &&
+          ["cargo", "github"].includes(activity.packageType),
+      );
+      const cargoActivity = activities.find(
+        (activity) => activity.packageType === "cargo",
+      );
+      const githubActivity = activities.find(
+        (activity) => activity.packageType === "github",
+      );
+      assert.strictEqual(cargoActivity?.projectType, "rust");
+      assert.strictEqual(githubActivity?.projectType, "github");
+      assert.ok(
+        activities.every((activity) => activity.projectType !== "cargo,github"),
+      );
+    });
+    it("records the python source directory as the activity target when no metadata filename is available", async () => {
+      let currentActivityContext = {};
+      const recordedActivities = [];
+      const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-python-activity-"));
+      const requirementsFile = join(tempDir, "requirements.txt");
+      const actualUtils = await import("../helpers/utils.js");
+      try {
+        writeFileSync(requirementsFile, "flask==3.1.0\n", "utf-8");
+        const { createBom: createBomMocked } = await esmock("./index.js", {
+          "../helpers/utils.js": {
+            ...actualUtils,
+            recordActivity: (activity) => {
+              recordedActivities.push({
+                packageType: currentActivityContext.packageType,
+                projectType: currentActivityContext.projectType,
+                sourcePath: currentActivityContext.sourcePath,
+                ...activity,
+              });
+            },
+            resetActivityContext: () => {
+              currentActivityContext = {};
+            },
+            setActivityContext: (context = {}) => {
+              currentActivityContext = {
+                ...currentActivityContext,
+                ...context,
+              };
+            },
+          },
+        });
+        await createBomMocked(tempDir, {
+          installDeps: false,
+          multiProject: false,
+          projectType: ["python"],
+          specVersion: 1.7,
+        });
+        const pythonActivity = recordedActivities.find(
+          (activity) =>
+            activity.kind === "read" && activity.packageType === "pypi",
+        );
+        assert.strictEqual(pythonActivity?.projectType, "python");
+        assert.strictEqual(pythonActivity?.sourcePath, tempDir);
+        assert.strictEqual(pythonActivity?.target, tempDir);
+      } finally {
+        rmSync(tempDir, { recursive: true, force: true });
+      }
+    });
+  });
+  describe("createBom() cargo cache support", () => {
+    it("catalogs cached cargo crate archives via the cargo-cache project type", async () => {
+      const originalCargoCacheDir = process.env.CARGO_CACHE_DIR;
+      try {
+        process.env.CARGO_CACHE_DIR = cargoCacheFixtureDir;
+        const bomNSData = await createBom(cargoCacheFixtureDir, {
+          deep: false,
+          failOnError: true,
+          installDeps: false,
+          multiProject: false,
+          projectType: ["cargo-cache"],
+          specVersion: 1.6,
+        });
+        const bomJson = bomNSData?.bomJson || {};
+        const components = bomJson.components || [];
+        const serdeComponent = components.find(
+          (component) => component.name === "serde",
+        );
+        assert.ok(serdeComponent);
+        assert.strictEqual(serdeComponent.version, "1.0.217");
+        assert.strictEqual(
+          serdeComponent.properties.find(
+            (property) => property.name === "cdx:cargo:cacheSource",
+          )?.value,
+          "registry-cache",
+        );
+      } finally {
+        if (originalCargoCacheDir === undefined) {
+          delete process.env.CARGO_CACHE_DIR;
+        } else {
+          process.env.CARGO_CACHE_DIR = originalCargoCacheDir;
+        }
+      }
+    });
+    it("creates a Cargo workspace BOM with workflow signals and matching audit findings", async () => {
+      const options = {
+        bomAudit: true,
+        bomAuditCategories: "package-integrity",
+        bomAuditMinSeverity: "low",
+        failOnError: true,
+        includeFormulation: true,
+        installDeps: false,
+        multiProject: true,
+        projectType: ["cargo", "github"],
+        specVersion: 1.7,
+      };
+      const bomNSData = await createBom(cargoFixtureDir, options);
+      const processedBomNSData = postProcess(
+        bomNSData,
+        options,
+        cargoFixtureDir,
+      );
+      const bomJson = processedBomNSData?.bomJson || {};
+      const coreComponent = (bomJson.components || []).find(
+        (component) =>
+          component.name === "core" &&
+          component.properties?.some(
+            (property) =>
+              property.name === "cdx:cargo:workspaceDependencyResolved" &&
+              property.value === "true",
+          ),
+      );
+      const buildHelperComponent = (bomJson.components || []).find(
+        (component) =>
+          component.name === "build-helper" &&
+          component.properties?.some(
+            (property) =>
+              property.name === "cdx:cargo:workspaceDependencyResolved" &&
+              property.value === "true",
+          ),
+      );
+      const cargoToolchainComponent = (bomJson.components || []).find(
+        (component) =>
+          component.properties?.some(
+            (property) =>
+              property.name === "cdx:github:action:role" &&
+              property.value === "toolchain",
+          ),
+      );
+      const cargoRunComponent = (bomJson.components || []).find((component) =>
+        component.properties?.some(
+          (property) =>
+            property.name === "cdx:github:step:usesCargo" &&
+            property.value === "true",
+        ),
+      );
+      assert.strictEqual(
+        coreComponent?.properties?.find(
+          (property) =>
+            property.name === "cdx:cargo:workspaceDependencyResolved",
+        )?.value,
+        "true",
+      );
+      assert.strictEqual(
+        buildHelperComponent?.properties?.find(
+          (property) => property.name === "cdx:cargo:dependencyKind",
+        )?.value,
+        "build",
+      );
+      assert.strictEqual(
+        buildHelperComponent?.properties?.find(
+          (property) => property.name === "cdx:cargo:resolvedWorkspaceMember",
+        )?.value,
+        "build-helper",
+      );
+      assert.strictEqual(
+        cargoToolchainComponent?.properties?.find(
+          (property) => property.name === "cdx:github:action:ecosystem",
+        )?.value,
+        "cargo",
+      );
+      assert.strictEqual(
+        cargoRunComponent?.properties?.find(
+          (property) => property.name === "cdx:github:step:cargoSubcommands",
+        )?.value,
+        "build,test",
+      );
+      const findings = await auditBom(bomJson, {
+        bomAuditCategories: "package-integrity",
+        bomAuditMinSeverity: "low",
+      });
+      assert.ok(findings.some((finding) => finding.ruleId === "INT-012"));
+      assert.ok(findings.some((finding) => finding.ruleId === "INT-013"));
+    });
+    it("nests only manifest package components under the Rust parent component", async () => {
+      const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-rust-parent-"));
+      const helperDir = join(tmpDir, "crates", "helper");
+      mkdirSync(helperDir, { recursive: true });
+      writeFileSync(
+        join(tmpDir, "Cargo.toml"),
+        `[package]
+name = "demo-app"
+version = "1.0.0"
+[workspace]
+members = ["crates/helper"]
+[dependencies]
+helper = { path = "crates/helper" }
+serde = "1.0.0"
+`,
+      );
+      writeFileSync(
+        join(helperDir, "Cargo.toml"),
+        `[package]
+name = "helper"
+version = "0.1.0"
+[dependencies]
+serde = "1.0.0"
+`,
+      );
+      writeFileSync(
+        join(tmpDir, "Cargo.lock"),
+        `version = 3
+[[package]]
+name = "demo-app"
+version = "1.0.0"
+dependencies = ["helper", "serde"]
+[[package]]
+name = "helper"
+version = "0.1.0"
+dependencies = ["serde"]
+[[package]]
+name = "serde"
+version = "1.0.0"
+checksum = "${"a".repeat(64)}"
+`,
+      );
+      try {
+        const bomData = await createRustBom(tmpDir, {
+          installDeps: false,
+          multiProject: true,
+          specVersion: 1.7,
+        });
+        const parentComponent = bomData.parentComponent;
+        const nestedComponentNames = parentComponent.components.map(
+          (component) => component.name,
+        );
+        assert.strictEqual(parentComponent.name, "demo-app");
+        assert.deepStrictEqual(nestedComponentNames, ["helper"]);
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+  });
+  describe("createBom() MCP inventory support", () => {
+    it("catalogs MCP services, primitives, and audit findings for JavaScript projects", async () => {
+      const options = {
+        bomAudit: true,
+        bomAuditCategories: "mcp-server",
+        bomAuditMinSeverity: "low",
+        failOnError: true,
+        installDeps: false,
+        multiProject: false,
+        projectType: ["js"],
+        specVersion: 1.7,
+      };
+      const bomNSData = await createBom(mcpFixtureDir, options);
+      const processedBomNSData = postProcess(bomNSData, options, mcpFixtureDir);
+      const bomJson = processedBomNSData?.bomJson || {};
+      const officialSdk = (bomJson.components || []).find(
+        (component) =>
+          component.purl ===
+          "pkg:npm/%40modelcontextprotocol/server@2.0.0-alpha.0",
+      );
+      const wrapperSdk = (bomJson.components || []).find(
+        (component) => component.purl === "pkg:npm/%40acme/mcp-server@0.1.0",
+      );
+      assert.ok(officialSdk);
+      assert.ok(
+        officialSdk.tags?.includes("official-mcp-sdk"),
+        "expected official MCP SDK tags",
+      );
+      assert.ok(wrapperSdk);
+      assert.ok(
+        wrapperSdk.properties?.some(
+          (property) =>
+            property.name === "cdx:mcp:official" && property.value === "false",
+        ),
+        "expected non-official MCP wrapper signal",
+      );
+      assert.strictEqual((bomJson.services || []).length, 2);
+      const unsafeService = (bomJson.services || []).find(
+        (service) => service.name === "unsafe-http-server",
+      );
+      const authService = (bomJson.services || []).find(
+        (service) => service.name === "auth-http-server",
+      );
+      assert.ok(unsafeService);
+      assert.strictEqual(unsafeService.authenticated, false);
+      assert.ok(authService);
+      assert.strictEqual(authService.authenticated, true);
+      assert.ok(
+        (bomJson.dependencies || []).some(
+          (dependency) =>
+            dependency.ref === unsafeService["bom-ref"] &&
+            dependency.provides.length >= 1,
+        ),
+      );
+      const findings = await auditBom(bomJson, {
+        bomAuditCategories: "mcp-server",
+        bomAuditMinSeverity: "low",
+      });
+      assert.ok(findings.some((finding) => finding.ruleId === "MCP-001"));
+      assert.ok(findings.some((finding) => finding.ruleId === "MCP-002"));
+      assert.ok(findings.some((finding) => finding.ruleId === "MCP-003"));
+    });
+    it("supports the ai-inventory audit category alias for MCP discovery", async () => {
+      const options = {
+        bomAudit: true,
+        bomAuditCategories: "ai-inventory",
+        bomAuditMinSeverity: "low",
+        failOnError: true,
+        installDeps: false,
+        multiProject: false,
+        projectType: ["js"],
+        specVersion: 1.7,
+      };
+      const bomNSData = await createBom(mcpFixtureDir, options);
+      const processedBomNSData = postProcess(bomNSData, options, mcpFixtureDir);
+      const bomJson = processedBomNSData?.bomJson || {};
+      assert.ok(
+        (bomJson.services || []).some(
+          (service) => service.name === "unsafe-http-server",
+        ),
+      );
+      const findings = await auditBom(bomJson, {
+        bomAuditCategories: "ai-inventory",
+        bomAuditMinSeverity: "low",
+      });
+      assert.ok(findings.some((finding) => finding.ruleId === "MCP-001"));
+    });
+    it("supports the dedicated mcp project type alias", async () => {
+      const options = {
+        bomAudit: false,
+        failOnError: true,
+        installDeps: false,
+        multiProject: false,
+        projectType: ["mcp"],
+        specVersion: 1.7,
+      };
+      const bomNSData = await createBom(mcpFixtureDir, options);
+      const processedBomNSData = postProcess(bomNSData, options, mcpFixtureDir);
+      const bomJson = processedBomNSData?.bomJson || {};
+      assert.ok(
+        (bomJson.services || []).some(
+          (service) => service.name === "unsafe-http-server",
+        ),
+      );
+      assert.ok(
+        (bomJson.components || []).some(
+          (component) =>
+            component.purl ===
+            "pkg:npm/%40modelcontextprotocol/server@2.0.0-alpha.0",
+        ),
+      );
+    });
+    it("supports exact AI skill scans and js exclude-type filtering for AI inventory", async () => {
+      const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-ai-inventory-"));
+      mkdirSync(join(tmpDir, ".claude", "skills", "release"), {
+        recursive: true,
+      });
+      mkdirSync(join(tmpDir, ".vscode"), { recursive: true });
+      writeFileSync(
+        join(tmpDir, "package.json"),
+        JSON.stringify(
+          {
+            dependencies: {
+              "left-pad": "1.3.0",
+            },
+            name: "ai-inventory-demo",
+            version: "1.0.0",
+          },
+          null,
+          2,
+        ),
+      );
+      writeFileSync(
+        join(tmpDir, "package-lock.json"),
+        JSON.stringify(
+          {
+            lockfileVersion: 3,
+            name: "ai-inventory-demo",
+            packages: {
+              "": {
+                dependencies: {
+                  "left-pad": "1.3.0",
+                },
+                name: "ai-inventory-demo",
+                version: "1.0.0",
+              },
+              "node_modules/left-pad": {
+                resolved:
+                  "https://registry.npmjs.org/left-pad/-/left-pad-1.3.0.tgz",
+                version: "1.3.0",
+              },
+            },
+            requires: true,
+            version: "1.0.0",
+          },
+          null,
+          2,
+        ),
+      );
+      writeFileSync(
+        join(tmpDir, "CLAUDE.md"),
+        "Use the release skill before publishing artifacts.",
+      );
+      writeFileSync(
+        join(tmpDir, ".claude", "skills", "release", "SKILL.md"),
+        [
+          "---",
+          "name: release",
+          "description: Prepare release artifacts",
+          "---",
+          "Use this skill before shipping.",
+        ].join("\n"),
+      );
+      writeFileSync(
+        join(tmpDir, ".vscode", "mcp.json"),
+        JSON.stringify(
+          {
+            mcpServers: {
+              releaseDocs: {
+                endpoint: "https://example.com/mcp",
+                transport: "http",
+              },
+            },
+          },
+          null,
+          2,
+        ),
+      );
+      writeFileSync(
+        join(tmpDir, "pyproject.toml"),
+        [
+          "[project]",
+          'name = "demo-python-app"',
+          'version = "0.1.0"',
+          'requires-python = ">=3.10"',
+        ].join("\n"),
+      );
+      writeFileSync(
+        join(tmpDir, "server.py"),
+        [
+          "import mcp.server.stdio",
+          "import mcp.types as mtypes",
+          "from mcp.server import Server",
+          "",
+          'server = Server("python-release-docs", version="0.2.0")',
+          "",
+          "@server.list_tools()",
+          "async def handle_list_tools():",
+          '    return [mtypes.Tool(name="summarize_vulns", description="Summarize vulns", inputSchema={"type": "object"})]',
+          "",
+          "async with mcp.server.stdio.stdio_server() as (read_stream, write_stream):",
+          "    await server.run(read_stream, write_stream, None)",
+        ].join("\n"),
+      );
+      try {
+        const baseOptions = {
+          installDeps: false,
+          multiProject: false,
+          specVersion: 1.7,
+        };
+        const jsOptions = {
+          ...baseOptions,
+          projectType: ["js"],
+        };
+        const jsBomJson = postProcess(
+          await createBom(tmpDir, jsOptions),
+          jsOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (jsBomJson.components || []).some(
+            (component) =>
+              getProp(component, "cdx:file:kind") === "skill-file" &&
+              getProp(component, "cdx:skill:name") === "release",
+          ),
+          "expected skill file in js scan",
+        );
+        assert.ok(
+          (jsBomJson.components || []).some(
+            (component) =>
+              component.name === "CLAUDE.md" &&
+              getProp(component, "cdx:file:kind") === "agent-instructions",
+          ),
+          "expected CLAUDE.md in js scan",
+        );
+        assert.ok(
+          (jsBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "expected MCP config in js scan",
+        );
+        assert.ok(
+          (jsBomJson.services || []).some(
+            (service) =>
+              service.name === "releaseDocs" &&
+              getProp(service, "cdx:mcp:inventorySource") === "config-file",
+          ),
+          "expected MCP config service in js scan",
+        );
+        const dockerOptions = {
+          ...baseOptions,
+          projectType: ["js", "docker"],
+        };
+        const dockerBomJson = postProcess(
+          await createNodejsBom(tmpDir, dockerOptions),
+          dockerOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (dockerBomJson.components || []).some(
+            (component) =>
+              getProp(component, "cdx:file:kind") === "skill-file" &&
+              getProp(component, "cdx:skill:name") === "release",
+          ),
+          "expected skill file in docker js scan",
+        );
+        assert.ok(
+          (dockerBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "expected MCP config in docker js scan",
+        );
+        const exactAiSkillOptions = {
+          ...baseOptions,
+          projectType: ["ai-skill"],
+        };
+        const aiSkillBomJson = postProcess(
+          await createBom(tmpDir, exactAiSkillOptions),
+          exactAiSkillOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (aiSkillBomJson.components || []).some(
+            (component) =>
+              component.name === "CLAUDE.md" &&
+              getProp(component, "cdx:file:kind") === "agent-instructions",
+          ),
+          "expected CLAUDE.md in exact ai-skill scan",
+        );
+        assert.ok(
+          !(aiSkillBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "did not expect MCP configs in exact ai-skill scan",
+        );
+        const filteredOptions = {
+          ...baseOptions,
+          excludeType: ["ai-skill", "mcp"],
+          projectType: ["js"],
+        };
+        const filteredBomJson = postProcess(
+          await createBom(tmpDir, filteredOptions),
+          filteredOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          !(filteredBomJson.components || []).some((component) =>
+            ["agent-instructions", "mcp-config", "skill-file"].includes(
+              getProp(component, "cdx:file:kind"),
+            ),
+          ),
+          "did not expect AI inventory components after exclude-type filtering",
+        );
+        assert.ok(
+          !(filteredBomJson.services || []).some((service) =>
+            service.properties?.some((property) =>
+              property.name.startsWith("cdx:mcp:"),
+            ),
+          ),
+          "did not expect MCP services after exclude-type filtering",
+        );
+        const pyOptions = {
+          ...baseOptions,
+          projectType: ["py"],
+        };
+        const pyBomJson = postProcess(
+          await createBom(tmpDir, pyOptions),
+          pyOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (pyBomJson.components || []).some(
+            (component) =>
+              getProp(component, "cdx:file:kind") === "skill-file" &&
+              getProp(component, "cdx:skill:name") === "release",
+          ),
+          "expected skill file in python scan",
+        );
+        assert.ok(
+          (pyBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "expected MCP config in python scan",
+        );
+        assert.ok(
+          (pyBomJson.services || []).some(
+            (service) =>
+              service.name === "python-release-docs" &&
+              getProp(service, "cdx:mcp:inventorySource") ===
+                "source-code-analysis",
+          ),
+          "expected Python MCP service in python scan",
+        );
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
   });
 });