@cyclonedx/cdxgen 12.3.0 → 12.3.2

package/lib/cli/index.js

@@ -3,13 +3,9 @@ import {
   accessSync,
   constants,
   lstatSync,
-  mkdtempSync,
   readdirSync,
   readFileSync,
-  rmSync,
   statSync,
-  unlinkSync,
-  writeFileSync,
 } from "node:fs";
 import { platform as _platform, arch, homedir } from "node:os";
 import { basename, dirname, join, relative, resolve, sep } from "node:path";
@@ -22,7 +18,24 @@ import { parse } from "ssri";
 import { v4 as uuidv4 } from "uuid";
 import { parse as loadYaml } from "yaml";
 
-import { findJSImportsExports } from "../helpers/analyzer.js";
+import {
+  AI_INSTRUCTION_FILE_KINDS,
+  AI_INVENTORY_PROJECT_TYPES,
+  AI_SKILL_FILE_KIND,
+  collectAiInventory,
+  filterInventoryDependencies,
+  filterInventorySubjectsByTypes,
+  inventoryPropertyValue,
+  MCP_CONFIG_FILE_KIND,
+  optionIncludesAiInventoryProjectType,
+  summarizeAiInventory,
+} from "../helpers/aiInventory.js";
+import {
+  detectMcpInventory,
+  detectPythonMcpInventory,
+  findJSImportsExports,
+} from "../helpers/analyzer.js";
+import { expandBomAuditCategories } from "../helpers/auditCategories.js";
 import { parseCaxaMetadata } from "../helpers/caxa.js";
 import {
   CHROME_EXTENSION_PURL_TYPE,
@@ -30,9 +43,17 @@ import {
   collectInstalledChromeExtensions,
   discoverChromiumExtensionDirs,
 } from "../helpers/chromextutils.js";
-import { mergeDependencies, trimComponents } from "../helpers/depsUtils.js";
+import {
+  mergeDependencies,
+  mergeServices,
+  trimComponents,
+} from "../helpers/depsUtils.js";
 import { GIT_COMMAND } from "../helpers/envcontext.js";
 import { thoughtLog } from "../helpers/logger.js";
+import {
+  classifyMcpReference,
+  enrichComponentWithMcpMetadata,
+} from "../helpers/mcp.js";
 import { isPyLockFile } from "../helpers/pylockutils.js";
 import {
   buildDependencyTrackBomPayload,
@@ -71,6 +92,7 @@ import {
   generatePixiLockFile,
   getAllFiles,
   getCppModules,
+  getCratesMetadata,
   getGradleCommand,
   getLicenses,
   getMavenCommand,
@@ -87,6 +109,7 @@ import {
   getTmpDir,
   hasAnyProjectType,
   includeMavenTestScope,
+  isDryRun,
   isFeatureEnabled,
   isMac,
   isPackageManagerAllowed,
@@ -105,6 +128,7 @@ import {
   parseCabalData,
   parseCargoData,
   parseCargoDependencyData,
+  parseCargoManifestDependencyData,
   parseCargoTomlData,
   parseCljDep,
   parseCloudBuildData,
@@ -173,13 +197,23 @@ import {
   parseYarnWorkspace,
   readZipEntry,
   recomputeScope,
+  recordActivity,
+  resetActivityContext,
   SWIFT_CMD,
   safeExistsSync,
   safeMkdirSync,
+  safeMkdtempSync,
+  safeRmSync,
   safeSpawnSync,
+  safeUnlinkSync,
+  safeWriteSync,
+  setActivityContext,
   shouldFetchLicense,
   splitOutputByGradleProjects,
 } from "../helpers/utils.js";
+
+export { summarizeAiInventory } from "../helpers/aiInventory.js";
+
 import {
   cleanupTempDir,
   collectInstalledExtensions,
@@ -254,6 +288,16 @@ const GRADLE_INIT_SCRIPT = resolve(
 const SBT_CACHE_DIR =
   process.env.SBT_CACHE_DIR || join(homedir(), ".ivy2", "cache");
 
+function getCargoCacheDir() {
+  return process.env.CARGO_CACHE_DIR
+    ? resolve(process.env.CARGO_CACHE_DIR)
+    : resolve(
+        process.env.CARGO_HOME || join(homedir(), ".cargo"),
+        "registry",
+        "cache",
+      );
+}
+
 // CycloneDX Hash pattern
 const HASH_PATTERN =
   "^([a-fA-F0-9]{32}|[a-fA-F0-9]{40}|[a-fA-F0-9]{64}|[a-fA-F0-9]{96}|[a-fA-F0-9]{128})$";
@@ -1040,6 +1084,7 @@ function addComponent(
     if (pkg.components) {
       component.components = pkg.components;
     }
+    component = enrichComponentWithMcpMetadata(component);
     const compMapKey = component.purl || component["bom-ref"];
     // Issue: 1353. We need to keep merging the properties
     if (compMap[compMapKey]) {
@@ -1241,6 +1286,23 @@ function addComponentHash(alg, digest, component) {
  * @returns {Object} BOM with namespace mapping
  */
 const buildBomNSData = (options, pkgInfo, ptype, context) => {
+  // Many create*Bom call sites provide only a source directory (`src`) when
+  // there is no single manifest/lock file to report, so activity records must
+  // fall back to that directory to keep the target populated.
+  const sourcePath =
+    context?.srcDir || context?.src || options.path || options.filePath;
+  const activityProjectType =
+    context?.projectType ||
+    (Array.isArray(options.projectType)
+      ? options.projectType.length === 1
+        ? options.projectType[0]
+        : undefined
+      : options.projectType);
+  setActivityContext({
+    packageType: ptype,
+    sourcePath,
+    ...(activityProjectType ? { projectType: activityProjectType } : {}),
+  });
   const bomNSData = {
     bomJson: undefined,
     bomJsonFiles: undefined,
@@ -1255,6 +1317,7 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
   }
   const nsMapping = context.nsMapping || {};
   const dependencies = context.dependencies || [];
+  const services = context.services || [];
   const parentComponent =
     determineParentComponent(options) || context.parentComponent;
   const metadata = addMetadata(parentComponent, options, context);
@@ -1270,6 +1333,9 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
       components,
       dependencies,
     };
+    if (services.length) {
+      jsonTpl.services = mergeServices([], services);
+    }
     bomNSData.bomJson = jsonTpl;
     bomNSData.nsMapping = nsMapping;
     bomNSData.dependencies = dependencies;
@@ -1280,6 +1346,13 @@ const buildBomNSData = (options, pkgInfo, ptype, context) => {
       bomNSData.formulationList = context.formulationList;
     }
   }
+  recordActivity({
+    kind: "read",
+    reason: `Collected ${ptype || "generic"} component metadata.`,
+    status: components?.length || parentComponent ? "completed" : "failed",
+    target: context?.filename || sourcePath,
+  });
+  resetActivityContext();
   return bomNSData;
 };
 
@@ -1342,7 +1415,7 @@ export async function createJarBom(path, options) {
     jarFiles = jarFiles.concat(hpiFiles);
   }
   for (const jar of jarFiles) {
-    const tempDir = mkdtempSync(join(getTmpDir(), "jar-deps-"));
+    const tempDir = safeMkdtempSync(join(getTmpDir(), "jar-deps-"));
     if (DEBUG_MODE) {
       console.log(`Parsing ${jar}`);
     }
@@ -1354,8 +1427,8 @@ export async function createJarBom(path, options) {
       pkgList = await getMvnMetadata(pkgList);
     }
     // Clean up
-    if (tempDir?.startsWith(getTmpDir()) && rmSync) {
-      rmSync(tempDir, { recursive: true, force: true });
+    if (tempDir?.startsWith(getTmpDir())) {
+      safeRmSync(tempDir, { recursive: true, force: true });
     }
   }
   pkgList = pkgList.concat(await convertJarNSToPackages(nsMapping));
@@ -1384,7 +1457,7 @@ export function createAndroidBom(path, options) {
  * @returns {Object|undefined} BOM object
  */
 export function createBinaryBom(path, options) {
-  const tempDir = mkdtempSync(join(getTmpDir(), "blint-tmp-"));
+  const tempDir = safeMkdtempSync(join(getTmpDir(), "blint-tmp-"));
   const binaryBomFile = join(tempDir, "bom.json");
   getBinaryBom(path, binaryBomFile, options.deep);
   if (safeExistsSync(binaryBomFile)) {
@@ -1425,16 +1498,16 @@ export async function createJavaBom(path, options) {
       if (DEBUG_MODE) {
         console.log(`Retrieving packages from ${path}`);
       }
-      const tempDir = mkdtempSync(join(getTmpDir(), "war-deps-"));
+      const tempDir = safeMkdtempSync(join(getTmpDir(), "war-deps-"));
       jarNSMapping = await collectJarNS(tempDir);
       pkgList = await extractJarArchive(path, tempDir, jarNSMapping);
       if (pkgList.length) {
         pkgList = await getMvnMetadata(pkgList);
       }
       // Clean up
-      if (tempDir?.startsWith(getTmpDir()) && rmSync) {
+      if (tempDir?.startsWith(getTmpDir())) {
         console.log(`Cleaning up ${tempDir}`);
-        rmSync(tempDir, { recursive: true, force: true });
+        safeRmSync(tempDir, { recursive: true, force: true });
       }
     } else {
       console.log(`${path} doesn't exist`);
@@ -1788,7 +1861,7 @@ export async function createJavaBom(path, options) {
               }
             }
             if (!DEBUG_MODE) {
-              unlinkSync(tempMvnTree);
+              safeUnlinkSync(tempMvnTree);
             }
           }
         }
@@ -2329,7 +2402,7 @@ export async function createJavaBom(path, options) {
     `${options.multiProject ? "**/" : ""}build.sbt.lock`,
     options,
   );
-  const tempCacheDir = mkdtempSync(join(getTmpDir(), "sbt-cache-"));
+  const tempCacheDir = safeMkdtempSync(join(getTmpDir(), "sbt-cache-"));
   safeMkdirSync(tempCacheDir, { recursive: true });
   if (
     sbtProjects?.length &&
@@ -2373,8 +2446,8 @@ export async function createJavaBom(path, options) {
       const useSlashSyntax = !sbtVersion || gte(sbtVersion, "1.5.0");
       const isDependencyTreeBuiltIn =
         sbtVersion != null && gte(sbtVersion, "1.4.0");
-      const tempDir = mkdtempSync(join(getTmpDir(), "cdxsbt-"));
-      const tempSbtgDir = mkdtempSync(join(getTmpDir(), "cdxsbtg-"));
+      const tempDir = safeMkdtempSync(join(getTmpDir(), "cdxsbt-"));
+      const tempSbtgDir = safeMkdtempSync(join(getTmpDir(), "cdxsbtg-"));
       safeMkdirSync(tempSbtgDir, { recursive: true });
       // Create temporary plugins file
       const tempSbtPlugins = join(tempSbtgDir, "dep-plugins.sbt");
@@ -2388,7 +2461,7 @@ export async function createJavaBom(path, options) {
           console.log("Using addDependencyTreePlugin as the custom plugin");
         }
       }
-      writeFileSync(tempSbtPlugins, sbtPluginDefinition);
+      safeWriteSync(tempSbtPlugins, sbtPluginDefinition);
       let sbtExtraArgs = "";
       const env = { ...process.env };
       // We need to collect the jars from the cache
@@ -2477,7 +2550,7 @@ export async function createJavaBom(path, options) {
       }
 
       // Cleanup
-      unlinkSync(tempSbtPlugins);
+      safeUnlinkSync(tempSbtPlugins);
     } // else
 
     if (DEBUG_MODE) {
@@ -2510,7 +2583,7 @@ export async function createJavaBom(path, options) {
     }
   }
   if (tempCacheDir?.startsWith(getTmpDir())) {
-    rmSync(tempCacheDir, {
+    safeRmSync(tempCacheDir, {
       recursive: true,
       force: true,
     });
@@ -2661,6 +2734,130 @@ export async function createJavaBom(path, options) {
  * @param {Object} options Parse options from the cli
  * @returns {Promise<Object>} Promise resolving to BOM object
  */
+function getRequestedAiInventoryTypes(options) {
+  return AI_INVENTORY_PROJECT_TYPES.filter((type) =>
+    optionIncludesAiInventoryProjectType(options?.projectType, type),
+  );
+}
+
+function getExcludedAiInventoryTypes(options) {
+  return AI_INVENTORY_PROJECT_TYPES.filter((type) =>
+    optionIncludesAiInventoryProjectType(options?.excludeType, type),
+  );
+}
+
+function getExactAiInventoryType(options) {
+  const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
+  return requestedAiInventoryTypes.length === 1 &&
+    Array.isArray(options?.projectType) &&
+    options.projectType.length === 1
+    ? requestedAiInventoryTypes[0]
+    : undefined;
+}
+
+function shouldDetectMcpInventory(options, allImports = {}) {
+  if (hasAnyProjectType(["mcp"], options, false)) {
+    return true;
+  }
+  const auditCategories = expandBomAuditCategories(options?.bomAuditCategories);
+  if (
+    auditCategories.some((category) =>
+      ["mcp-server", "ai-agent"].includes(category),
+    )
+  ) {
+    return true;
+  }
+  return Object.keys(allImports).some((importName) => {
+    const classification = classifyMcpReference(importName);
+    return classification.isMcp;
+  });
+}
+
+function summarizeAiInventoryNames(subjects, discoveryPath, kindSet) {
+  return [
+    ...new Set(
+      (subjects || [])
+        .filter((subject) =>
+          kindSet.has(inventoryPropertyValue(subject, "cdx:file:kind")),
+        )
+        .map((subject) => inventoryPropertyValue(subject, "SrcFile"))
+        .filter(Boolean)
+        .map(
+          (filePath) => relative(discoveryPath, filePath) || basename(filePath),
+        ),
+    ),
+  ].sort();
+}
+
+function summarizeAiInventoryServiceNames(services) {
+  return [
+    ...new Set(
+      (services || []).map((service) => service?.name).filter(Boolean),
+    ),
+  ].sort();
+}
+
+function formatAiInventorySummaryLine(label, count, nameList) {
+  return `  ${label.padEnd(20)} ${count}${nameList.length ? ` (${nameList.join(", ")})` : ""}`;
+}
+
+function emitAiInventorySummary(aiInventory, discoveryPath) {
+  const summary = summarizeAiInventory(aiInventory);
+  const totalInventory =
+    summary.instructionCount +
+    summary.skillCount +
+    summary.mcpConfigCount +
+    summary.mcpServiceCount;
+  if (!totalInventory) {
+    return;
+  }
+  const instructionNames = summarizeAiInventoryNames(
+    aiInventory.components,
+    discoveryPath,
+    AI_INSTRUCTION_FILE_KINDS,
+  );
+  const skillNames = summarizeAiInventoryNames(
+    aiInventory.components,
+    discoveryPath,
+    new Set([AI_SKILL_FILE_KIND]),
+  );
+  const mcpConfigNames = summarizeAiInventoryNames(
+    aiInventory.components,
+    discoveryPath,
+    new Set([MCP_CONFIG_FILE_KIND]),
+  );
+  const mcpServiceNames = summarizeAiInventoryServiceNames(
+    aiInventory.services,
+  );
+  console.warn(
+    [
+      "AI Inventory Summary:",
+      formatAiInventorySummaryLine(
+        "AI instruction files:",
+        summary.instructionCount,
+        instructionNames,
+      ),
+      formatAiInventorySummaryLine(
+        "Skill files:",
+        summary.skillCount,
+        skillNames,
+      ),
+      formatAiInventorySummaryLine(
+        "MCP configs:",
+        summary.mcpConfigCount,
+        mcpConfigNames,
+      ),
+      formatAiInventorySummaryLine(
+        "MCP services:",
+        summary.mcpServiceCount,
+        mcpServiceNames,
+      ),
+      "",
+      "Run --bom-audit --bom-audit-categories ai-inventory to audit these surfaces.",
+    ].join("\n"),
+  );
+}
+
 export async function createNodejsBom(path, options) {
   let pkgList = [];
   let manifestFiles = [];
@@ -2668,6 +2865,15 @@ export async function createNodejsBom(path, options) {
   let parentComponent = {};
   const parentSubComponents = [];
   let ppurl = "";
+  const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
+  const excludedAiInventoryTypes = getExcludedAiInventoryTypes(options);
+  const exactAiInventoryType = getExactAiInventoryType(options);
+  const includedAiInventoryTypes = exactAiInventoryType
+    ? requestedAiInventoryTypes
+    : AI_INVENTORY_PROJECT_TYPES.filter(
+        (type) => !excludedAiInventoryTypes.includes(type),
+      );
+  let aiInventory = { components: [], dependencies: [], services: [] };
   // Docker mode requires special handling
   if (hasAnyProjectType(["docker", "oci", "container", "os"], options, false)) {
     const pkgJsonFiles = getAllFiles(path, "**/package.json", options);
@@ -2679,16 +2885,33 @@ export async function createNodejsBom(path, options) {
           pkgList = pkgList.concat(dlist);
         }
       }
+      if (includedAiInventoryTypes.length) {
+        aiInventory = collectAiInventory(
+          path,
+          options,
+          includedAiInventoryTypes,
+        );
+      }
+      if (aiInventory.components?.length) {
+        pkgList = trimComponents(pkgList.concat(aiInventory.components));
+      }
       return buildBomNSData(options, pkgList, "npm", {
         allImports: {},
         src: path,
         filename: "package.json",
+        dependencies: mergeDependencies(
+          [],
+          aiInventory.dependencies,
+          parentComponent,
+        ),
         parentComponent,
+        services: aiInventory.services,
       });
     }
   }
   let allImports = {};
   let allExports = {};
+  let mcpInventory = {};
   if (
     !hasAnyProjectType(["docker", "oci", "container", "os"], options, false) &&
     !options.noBabel
@@ -2701,6 +2924,43 @@ export async function createNodejsBom(path, options) {
     const retData = await findJSImportsExports(path, options.deep);
     allImports = retData.allImports;
     allExports = retData.allExports;
+    if (shouldDetectMcpInventory(options, allImports)) {
+      mcpInventory = detectMcpInventory(path, options.deep);
+    }
+  }
+  if (includedAiInventoryTypes.length) {
+    aiInventory = collectAiInventory(path, options, includedAiInventoryTypes);
+  }
+  if (excludedAiInventoryTypes.includes("mcp")) {
+    mcpInventory = { components: [], dependencies: [], services: [] };
+  }
+  const aiInventorySummary = summarizeAiInventory(aiInventory);
+  if (!exactAiInventoryType) {
+    if (aiInventorySummary.instructionCount || aiInventorySummary.skillCount) {
+      thoughtLog(
+        `I found ${aiInventorySummary.instructionCount + aiInventorySummary.skillCount} AI skill/instruction file component(s). Use '--exclude-type ai-skill' for a package-only BOM, or '--bom-audit --bom-audit-categories ai-inventory' for review-friendly reporting.`,
+      );
+    }
+    if (aiInventorySummary.mcpConfigCount) {
+      thoughtLog(
+        `I found ${aiInventorySummary.mcpConfigCount} MCP config component(s). Use '--exclude-type mcp' to drop them, or '--bom-audit --bom-audit-categories ai-inventory --tlp-classification AMBER' to keep and flag them.`,
+      );
+    }
+    emitAiInventorySummary(aiInventory, path);
+  }
+  if (exactAiInventoryType === "ai-skill") {
+    const exactComponents = trimComponents([...(aiInventory.components || [])]);
+    const exactDependencies = mergeDependencies([], aiInventory.dependencies);
+    const exactServices = mergeServices([], aiInventory.services);
+    parentComponent = createDefaultParentComponent(path, "generic", options);
+    return buildBomNSData(options, exactComponents, "generic", {
+      dependencies: exactDependencies,
+      filename: path,
+      parentComponent,
+      projectType: exactAiInventoryType,
+      services: exactServices,
+      src: path,
+    });
   }
   let yarnLockFiles = getAllFiles(
     path,
@@ -3582,11 +3842,47 @@ export async function createNodejsBom(path, options) {
       options.deep,
     );
   }
+  if (mcpInventory.components?.length) {
+    pkgList = trimComponents(pkgList.concat(mcpInventory.components));
+  }
+  if (mcpInventory.dependencies?.length) {
+    dependencies = mergeDependencies(
+      dependencies,
+      mcpInventory.dependencies,
+      parentComponent,
+    );
+  }
+  if (aiInventory.components?.length) {
+    pkgList = trimComponents(pkgList.concat(aiInventory.components));
+  }
+  if (aiInventory.dependencies?.length) {
+    dependencies = mergeDependencies(
+      dependencies,
+      aiInventory.dependencies,
+      parentComponent,
+    );
+  }
+  const inventoryServices = mergeServices(
+    mergeServices([], mcpInventory.services || []),
+    aiInventory.services || [],
+  );
+  if (exactAiInventoryType === "mcp") {
+    pkgList = trimComponents(filterInventorySubjectsByTypes(pkgList, ["mcp"]));
+    dependencies = filterInventoryDependencies(
+      dependencies,
+      pkgList,
+      inventoryServices,
+    );
+    if (!parentComponent || !Object.keys(parentComponent).length) {
+      parentComponent = createDefaultParentComponent(path, "generic", options);
+    }
+  }
   return buildBomNSData(options, pkgList, "npm", {
     src: path,
     filename: manifestFiles.join(", "),
     dependencies,
     parentComponent,
+    services: inventoryServices,
   });
 }
 
@@ -3765,7 +4061,17 @@ export async function createPythonBom(path, options) {
   let dependencies = [];
   let pkgList = [];
   let formulationList = [];
-  const tempDir = mkdtempSync(join(getTmpDir(), "cdxgen-venv-"));
+  const requestedAiInventoryTypes = getRequestedAiInventoryTypes(options);
+  const excludedAiInventoryTypes = getExcludedAiInventoryTypes(options);
+  const includedAiInventoryTypes = AI_INVENTORY_PROJECT_TYPES.filter(
+    (type) =>
+      (!requestedAiInventoryTypes.length ||
+        requestedAiInventoryTypes.includes(type)) &&
+      !excludedAiInventoryTypes.includes(type),
+  );
+  let aiInventory = { components: [], dependencies: [], services: [] };
+  let mcpInventory = { components: [], dependencies: [], services: [] };
+  const tempDir = safeMkdtempSync(join(getTmpDir(), "cdxgen-venv-"));
   let parentComponent = createDefaultParentComponent(path, "pypi", options);
   // We are checking only the root here for pipenv
   const pipenvMode = safeExistsSync(join(path, "Pipfile"));
@@ -3984,7 +4290,7 @@ export async function createPythonBom(path, options) {
               tempDir,
               `exported-${basename(basePath)}-reqs.txt`,
             );
-            writeFileSync(tmpReqFile, exportedReqs);
+            safeWriteSync(tmpReqFile, exportedReqs);
             const dlist = await parseReqFile(tmpReqFile, false);
             if (dlist?.length) {
               pkgList = pkgList.concat(dlist);
@@ -4256,6 +4562,24 @@ export async function createPythonBom(path, options) {
       pkgList = pkgList.concat(dlist);
     }
   }
+  if (includedAiInventoryTypes.length) {
+    aiInventory = collectAiInventory(path, options, includedAiInventoryTypes);
+    if (includedAiInventoryTypes.includes("mcp")) {
+      mcpInventory = detectPythonMcpInventory(path, options.deep);
+    }
+  }
+  const aiInventorySummary = summarizeAiInventory(aiInventory);
+  if (aiInventorySummary.instructionCount || aiInventorySummary.skillCount) {
+    thoughtLog(
+      `I found ${aiInventorySummary.instructionCount + aiInventorySummary.skillCount} AI skill/instruction file component(s). Use '--exclude-type ai-skill' for a package-only BOM, or '--bom-audit --bom-audit-categories ai-inventory' for review-friendly reporting.`,
+    );
+  }
+  if (aiInventorySummary.mcpConfigCount) {
+    thoughtLog(
+      `I found ${aiInventorySummary.mcpConfigCount} MCP config component(s). Use '--exclude-type mcp' to drop them, or '--bom-audit --bom-audit-categories ai-inventory --tlp-classification AMBER' to keep and flag them.`,
+    );
+  }
+  emitAiInventorySummary(aiInventory, path);
   // Check and complete the dependency tree
   if (
     isFeatureEnabled(options, "safe-pip-install") &&
@@ -4296,14 +4620,38 @@ export async function createPythonBom(path, options) {
     }
   }
   // Clean up
-  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
-    rmSync(tempDir, { recursive: true, force: true });
+  if (tempDir?.startsWith(getTmpDir())) {
+    safeRmSync(tempDir, { recursive: true, force: true });
   }
   // Re-compute the component scope
   pkgList = recomputeScope(pkgList, dependencies);
   if (shouldFetchLicense()) {
     pkgList = await getPyMetadata(pkgList, false);
   }
+  if (mcpInventory.components?.length) {
+    pkgList = trimComponents(pkgList.concat(mcpInventory.components));
+  }
+  if (mcpInventory.dependencies?.length) {
+    dependencies = mergeDependencies(
+      dependencies,
+      mcpInventory.dependencies,
+      parentComponent,
+    );
+  }
+  if (aiInventory.components?.length) {
+    pkgList = trimComponents(pkgList.concat(aiInventory.components));
+  }
+  if (aiInventory.dependencies?.length) {
+    dependencies = mergeDependencies(
+      dependencies,
+      aiInventory.dependencies,
+      parentComponent,
+    );
+  }
+  const inventoryServices = mergeServices(
+    mergeServices([], mcpInventory.services || []),
+    aiInventory.services || [],
+  );
   return buildBomNSData(options, pkgList, "pypi", {
     allImports,
     src: path,
@@ -4311,6 +4659,7 @@ export async function createPythonBom(path, options) {
     dependencies,
     parentComponent,
     formulationList,
+    services: inventoryServices,
   });
 }
 
@@ -4828,7 +5177,9 @@ export async function createRustBom(path, options) {
     if (DEBUG_MODE) {
       console.log(`Parsing ${f}`);
     }
-    const dlist = await parseCargoTomlData(f, cargoLockMode, pkgFilesMap);
+    const dlist = await parseCargoTomlData(f, cargoLockMode, pkgFilesMap, {
+      includeWorkspaceMembers: !options.multiProject,
+    });
     if (dlist?.length) {
       if (!cargoLockMode) {
         pkgList = pkgList.concat(dlist);
@@ -4873,6 +5224,18 @@ export async function createRustBom(path, options) {
       }
     }
   }
+  for (const f of cargoFiles) {
+    const manifestDependencyList = parseCargoManifestDependencyData(f, {
+      includeWorkspaceMembers: !options.multiProject,
+    });
+    if (manifestDependencyList?.length) {
+      dependencyTree = mergeDependencies(
+        dependencyTree,
+        manifestDependencyList,
+        parentComponent,
+      );
+    }
+  }
   return buildBomNSData(options, pkgList, "cargo", {
     src: path,
     filename: cargoLockFiles.join(", "),
@@ -4881,6 +5244,95 @@ export async function createRustBom(path, options) {
   });
 }
 
+function buildCargoCacheComponent(crateFile) {
+  const crateFileName = basename(crateFile, ".crate");
+  const nameVersionMatch = crateFileName.match(/^(.+)-([0-9][A-Za-z0-9.+-]*)$/);
+  if (!nameVersionMatch) {
+    return undefined;
+  }
+  const [, name, version] = nameVersionMatch;
+  const purl = new PackageURL(
+    "cargo",
+    "",
+    name,
+    version,
+    null,
+    null,
+  ).toString();
+  return {
+    "bom-ref": decodeURIComponent(purl),
+    group: "",
+    name,
+    properties: [
+      {
+        name: "SrcFile",
+        value: crateFile,
+      },
+      {
+        name: "cdx:cargo:cacheSource",
+        value: "registry-cache",
+      },
+    ],
+    purl,
+    type: "library",
+    version,
+  };
+}
+
+async function enrichCargoCacheComponent(crateFile, component) {
+  if (!component) {
+    return undefined;
+  }
+  try {
+    component.hashes = [
+      {
+        alg: "SHA-256",
+        content: await checksumFile("sha256", crateFile),
+      },
+    ];
+  } catch {
+    // continue without hashes
+  }
+  component.evidence = {
+    identity: {
+      field: "purl",
+      confidence: 0.5,
+      methods: [
+        {
+          technique: "filename",
+          confidence: 0.5,
+          value: crateFile,
+        },
+      ],
+    },
+  };
+  return component;
+}
+
+async function createCargoCacheBom(path, options) {
+  const parentComponent = createDefaultParentComponent(path, "cargo", options);
+  const crateFiles = path.endsWith(".crate")
+    ? [resolve(path)]
+    : getAllFiles(path, "**/*.crate", options);
+  let pkgList = [];
+  for (const crateFile of crateFiles) {
+    const component = await enrichCargoCacheComponent(
+      crateFile,
+      buildCargoCacheComponent(crateFile),
+    );
+    if (component) {
+      pkgList.push(component);
+    }
+  }
+  if (pkgList.length && shouldFetchLicense()) {
+    pkgList = await getCratesMetadata(pkgList);
+  }
+  return buildBomNSData(options, pkgList, "cargo", {
+    src: path,
+    parentComponent,
+  });
+}
+
 /**
  * Function to create bom string for Dart projects
  *
@@ -5483,7 +5935,7 @@ export async function createJenkinsBom(path, options) {
     `${options.multiProject ? "**/" : ""}*.hpi`,
     options,
   );
-  const tempDir = mkdtempSync(join(getTmpDir(), "hpi-deps-"));
+  const tempDir = safeMkdtempSync(join(getTmpDir(), "hpi-deps-"));
   if (hpiFiles.length) {
     for (const f of hpiFiles) {
       if (DEBUG_MODE) {
@@ -5508,9 +5960,9 @@ export async function createJenkinsBom(path, options) {
     }
   }
   // Clean up
-  if (tempDir?.startsWith(getTmpDir()) && rmSync) {
+  if (tempDir?.startsWith(getTmpDir())) {
     console.log(`Cleaning up ${tempDir}`);
-    rmSync(tempDir, { recursive: true, force: true });
+    safeRmSync(tempDir, { recursive: true, force: true });
   }
   return buildBomNSData(options, pkgList, "maven", {
     src: path,
@@ -6281,7 +6733,7 @@ export async function createContainerSpecLikeBom(path, options) {
             },
           ];
         }
-        services = services.concat(servlist);
+        services = mergeServices(services, servlist);
       }
     }
   }
@@ -6303,7 +6755,7 @@ export async function createContainerSpecLikeBom(path, options) {
         console.log(`Parsing ${f}`);
       }
       const servlist = parsePrivadoFile(f);
-      services = services.concat(servlist);
+      services = mergeServices(services, servlist);
       if (servlist.length) {
         const aservice = servlist[0];
         if (aservice.data) {
@@ -6353,7 +6805,7 @@ export async function createContainerSpecLikeBom(path, options) {
           );
         }
         if (mbomData.bomJson.services) {
-          services = services.concat(mbomData.bomJson.services);
+          services = mergeServices(services, mbomData.bomJson.services);
         }
       }
       if (DEBUG_MODE) {
@@ -6363,7 +6815,7 @@ export async function createContainerSpecLikeBom(path, options) {
       }
     }
   }
-  options.services = services;
+  options.services = mergeServices([], services);
   options.ociSpecs = ociSpecs;
   return dedupeBom(options, components, parentComponent, dependencies);
 }
@@ -6763,7 +7215,10 @@ export async function createRubyBom(path, options) {
       }
       // Clean up
       if (process.env?.CDXGEN_GEM_HOME?.startsWith(getTmpDir())) {
-        rmSync(process.env.CDXGEN_GEM_HOME, { recursive: true, force: true });
+        safeRmSync(process.env.CDXGEN_GEM_HOME, {
+          recursive: true,
+          force: true,
+        });
       }
     } else {
       if (process.env.CDXGEN_GEM_HOME) {
@@ -7578,6 +8033,12 @@ export async function createMultiXBom(pathList, options) {
   let formulationList = [];
   let parentComponent = determineParentComponent(options) || {};
   let parentSubComponents = [];
+  const setProjectTypeActivityContext = (projectType, sourcePath) => {
+    setActivityContext({
+      projectType,
+      sourcePath,
+    });
+  };
   options.createMultiXBom = true;
   // Convert single path to an array
   if (!Array.isArray(pathList)) {
@@ -7657,27 +8118,58 @@ export async function createMultiXBom(pathList, options) {
     }
   }
   for (const path of pathList) {
+    setActivityContext({
+      projectType: Array.isArray(options.projectType)
+        ? options.projectType.join(",")
+        : options.projectType,
+      sourcePath: path,
+    });
+    recordActivity({
+      kind: "read",
+      reason:
+        "Scanning project path for supported languages and package managers.",
+      status: "completed",
+      target: path,
+    });
     if (DEBUG_MODE) {
       console.log("Scanning", path);
     }
     if (pathList.length > 2) {
       thoughtLog(`Let's thoroughly check the path ${path}.`);
     }
-    // Node.js
-    if (hasAnyProjectType(["oci", "js"], options)) {
+    // Node.js and AI inventory
+    if (hasAnyProjectType(["oci", "js", "mcp", "ai-skill"], options)) {
+      const exactAiInventoryType = getExactAiInventoryType(options);
       if (!hasAnyProjectType(["oci"], options, false)) {
-        thoughtLog(
-          "**JS**: Now looking for JavaScript projects (npm, yarn, pnpm) and files.",
-        );
+        if (exactAiInventoryType === "mcp") {
+          thoughtLog(
+            "**MCP**: Looking for MCP services, MCP configs, and related AI control-plane artifacts.",
+          );
+        } else if (exactAiInventoryType === "ai-skill") {
+          thoughtLog(
+            "**AI-SKILL**: Looking for AI instruction, skill, and agent-definition files that can influence build or release flows.",
+          );
+        } else {
+          thoughtLog(
+            "**JS**: Now looking for JavaScript projects (npm, yarn, pnpm) and files.",
+          );
+        }
       }
+      setProjectTypeActivityContext(exactAiInventoryType || "js", path);
       bomData = await createNodejsBom(path, options);
       if (bomData?.bomJson?.components?.length) {
-        thoughtLog(
-          `I found ${bomData.bomJson.components.length} npm packages. Let's keep looking.`,
-        );
+        if (exactAiInventoryType) {
+          thoughtLog(
+            `I found ${bomData.bomJson.components.length} ${exactAiInventoryType} component(s). Let's keep looking.`,
+          );
+        } else {
+          thoughtLog(
+            `I found ${bomData.bomJson.components.length} npm packages. Let's keep looking.`,
+          );
+        }
         if (DEBUG_MODE) {
           console.log(
-            `Found ${bomData.bomJson.components.length} npm packages at ${path}`,
+            `Found ${bomData.bomJson.components.length} ${exactAiInventoryType || "npm"} components at ${path}`,
           );
         }
         components = components.concat(bomData.bomJson.components);
@@ -7685,6 +8177,12 @@ export async function createMultiXBom(pathList, options) {
           dependencies,
           bomData.bomJson.dependencies,
         );
+        if (bomData?.bomJson?.services?.length) {
+          options.services = mergeServices(
+            options.services || [],
+            bomData.bomJson.services,
+          );
+        }
         if (
           bomData.parentComponent &&
           Object.keys(bomData.parentComponent).length
@@ -7707,6 +8205,7 @@ export async function createMultiXBom(pathList, options) {
           "**JAVA**: Looking for Java projects (e.g., Maven, Gradle, SBT). I hope all configurations—from Java version to individual build settings—are correctly aligned.",
         );
       }
+      setProjectTypeActivityContext("java", path);
       bomData = await createJavaBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -7764,6 +8263,7 @@ export async function createMultiXBom(pathList, options) {
           "I'm running in a non-container environment. Let's hope the correct build tools are available ✌️.",
         );
       }
+      setProjectTypeActivityContext("py", path);
       bomData = await createPythonBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -7796,6 +8296,7 @@ export async function createMultiXBom(pathList, options) {
           "**GO**: Looking for go projects. I need to be cautious about purl namespaces and potential failures with the 'go list' command.",
         );
       }
+      setProjectTypeActivityContext("go", path);
       bomData = await createGoBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(`I found ${bomData.bomJson.components.length} go packages.`);
@@ -7823,6 +8324,7 @@ export async function createMultiXBom(pathList, options) {
           "**RUST**: Let's search for Cargo/Rust projects. Should I warn the user that we don't support Cargo 'features' and native dependencies, which may lead to both false positives and false negatives? 🤔?",
         );
       }
+      setProjectTypeActivityContext("rust", path);
       bomData = await createRustBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -7859,6 +8361,7 @@ export async function createMultiXBom(pathList, options) {
           "**PHP**: About to search for Composer-based projects. I hope lock files are available; otherwise, the 'composer install' command might fail for various reasons.",
         );
       }
+      setProjectTypeActivityContext("php", path);
       bomData = createPHPBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -7895,6 +8398,7 @@ export async function createMultiXBom(pathList, options) {
           "**RUBY**: Are there any Ruby projects in this path? There's only one way to know.",
         );
       }
+      setProjectTypeActivityContext("ruby", path);
       bomData = await createRubyBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -7930,6 +8434,7 @@ export async function createMultiXBom(pathList, options) {
       if (!hasAnyProjectType(["oci"], options, false)) {
         thoughtLog("**CSHARP**: What about csharp and fsharp projects?");
       }
+      setProjectTypeActivityContext("csharp", path);
       bomData = await createCsharpBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -7966,6 +8471,7 @@ export async function createMultiXBom(pathList, options) {
           "**DART**: Looking for Dart projects. These are rare ones. Should I inform the user that they can pass the types argument via the command-line to speed things up?",
         );
       }
+      setProjectTypeActivityContext("dart", path);
       bomData = await createDartBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -7995,6 +8501,7 @@ export async function createMultiXBom(pathList, options) {
           "**HASKELL**: Looking for Haskell projects. They're rarely encountered.",
         );
       }
+      setProjectTypeActivityContext("haskell", path);
       bomData = createHaskellBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -8024,6 +8531,7 @@ export async function createMultiXBom(pathList, options) {
           "**ELIXIR**: Looking for Elixir projects—they're quite rare as well.",
         );
       }
+      setProjectTypeActivityContext("elixir", path);
       bomData = createElixirBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -8053,6 +8561,7 @@ export async function createMultiXBom(pathList, options) {
           "**C/C++**: Looking for C/C++ projects. Should I warn the user that the generated SBOM might have low accuracy and contain errors?",
         );
       }
+      setProjectTypeActivityContext("c", path);
       bomData = createCppBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -8082,6 +8591,7 @@ export async function createMultiXBom(pathList, options) {
           "**CLOJURE**: Looking for Clojure projects. Should I warn the user that the purl namespace 'clojars' isn't widely supported by tools like Dependency-Track?",
         );
       }
+      setProjectTypeActivityContext("clojure", path);
       bomData = createClojureBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -8111,6 +8621,7 @@ export async function createMultiXBom(pathList, options) {
           "**GITHUB**: Looking for any github packages and workflows.",
         );
       }
+      setProjectTypeActivityContext("github", path);
       bomData = createGitHubBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -8140,6 +8651,7 @@ export async function createMultiXBom(pathList, options) {
           "**CLOUDBUILD**: Let's check for CloudBuild configuration files that include package dependencies.",
         );
       }
+      setProjectTypeActivityContext("cloudbuild", path);
       bomData = createCloudBuildBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -8169,6 +8681,7 @@ export async function createMultiXBom(pathList, options) {
           "**SWIFT**: Now checking for Swift projects. We don't support CocoaPods, Objective-C, or pure Xcode projects, so the SBOM will be incomplete.",
         );
       }
+      setProjectTypeActivityContext("swift", path);
       bomData = await createSwiftBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -8198,6 +8711,7 @@ export async function createMultiXBom(pathList, options) {
           "**JAR**: Let's check for any bundled jar/war/ear files to improve the SBOM accuracy.",
         );
       }
+      setProjectTypeActivityContext("jar", path);
       bomData = await createJarBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -8222,6 +8736,7 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "cocoa"], options)) {
+      setProjectTypeActivityContext("cocoa", path);
       bomData = await createCocoaBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         if (DEBUG_MODE) {
@@ -8240,6 +8755,7 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["oci", "nix"], options)) {
+      setProjectTypeActivityContext("nix", path);
       bomData = await createNixBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         if (DEBUG_MODE) {
@@ -8261,6 +8777,7 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["caxa"], options)) {
+      setProjectTypeActivityContext("caxa", path);
       bomData = await createCaxaBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         if (DEBUG_MODE) {
@@ -8282,6 +8799,7 @@ export async function createMultiXBom(pathList, options) {
       }
     }
     if (hasAnyProjectType(["vscode-extension"], options)) {
+      setProjectTypeActivityContext("vscode-extension", path);
       bomData = await createVscodeExtensionBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         if (DEBUG_MODE) {
@@ -8321,6 +8839,7 @@ export async function createMultiXBom(pathList, options) {
         if (!isExplicitChromeExtensionPath) {
           options.__didScanChromeExtensions = true;
         }
+        setProjectTypeActivityContext("chrome-extension", path);
         bomData = await createChromeExtensionBom(path, options);
         if (bomData?.bomJson?.components?.length) {
           if (DEBUG_MODE) {
@@ -8349,6 +8868,7 @@ export async function createMultiXBom(pathList, options) {
           "**CBOM**: Wait, the user wants me to look for cryptographic assets. Let's check thoroughly.",
         );
       }
+      setProjectTypeActivityContext("cbom", path);
       bomData = await createCryptoCertsBom(path, options);
       if (bomData?.bomJson?.components?.length) {
         thoughtLog(
@@ -8370,6 +8890,7 @@ export async function createMultiXBom(pathList, options) {
     !options.lastWorkingDir.includes("/opt/") &&
     !options.lastWorkingDir.includes("/home/")
   ) {
+    setProjectTypeActivityContext("jar", options.lastWorkingDir);
     bomData = createJarBom(options.lastWorkingDir, options);
     if (bomData?.bomJson?.components?.length) {
       if (DEBUG_MODE) {
@@ -8435,9 +8956,7 @@ export async function createMultiXBom(pathList, options) {
   // some cleanup, but not complete
   for (const path of pathList) {
     if (path.startsWith(join(getTmpDir(), "docker-images-"))) {
-      if (rmSync) {
-        rmSync(path, { recursive: true, force: true });
-      }
+      safeRmSync(path, { recursive: true, force: true });
     }
   }
   const multiResult = dedupeBom(
@@ -8956,6 +9475,10 @@ export async function createBom(path, options) {
     projectType = ["java"];
   }
   if (projectType.length > 1) {
+    setActivityContext({
+      projectType: projectType.join(","),
+      sourcePath: path,
+    });
     thoughtLog(
       `The user has specified multiple project types: ${projectType.join(", ")}. Let's focus on the types one at a time.`,
     );
@@ -8963,6 +9486,7 @@ export async function createBom(path, options) {
     return await createMultiXBom(path, options);
   }
   if (projectType.length === 1) {
+    setActivityContext({ projectType: projectType[0], sourcePath: path });
     if (hasAnyProjectType(["oci"], options, false)) {
       thoughtLog(
         "Okay, we're generating an SBOM for the OCI type. We'll need a compatible tool like Docker, Podman, or Nerdctl, along with the binary plugins.",
@@ -8986,6 +9510,12 @@ export async function createBom(path, options) {
   ) {
     return await createNodejsBom(path, options);
   }
+  if (PROJECT_TYPE_ALIASES["mcp"].includes(projectType[0])) {
+    return await createNodejsBom(path, options);
+  }
+  if (PROJECT_TYPE_ALIASES["ai-skill"].includes(projectType[0])) {
+    return await createNodejsBom(path, options);
+  }
   if (
     PROJECT_TYPE_ALIASES["py"].includes(projectType[0]) ||
     projectType?.[0]?.startsWith("python")
@@ -8998,6 +9528,9 @@ export async function createBom(path, options) {
   if (PROJECT_TYPE_ALIASES["rust"].includes(projectType[0])) {
     return await createRustBom(path, options);
   }
+  if (PROJECT_TYPE_ALIASES["cargo-cache"].includes(projectType[0])) {
+    return await createCargoCacheBom(getCargoCacheDir(), options);
+  }
   if (PROJECT_TYPE_ALIASES["php"].includes(projectType[0])) {
     return createPHPBom(path, options);
   }
@@ -9108,6 +9641,16 @@ export async function createBom(path, options) {
  * @throws {Error} if the request fails
  */
 export async function submitBom(args, bomContents) {
+  if (isDryRun) {
+    recordActivity({
+      kind: "network",
+      reason:
+        "Dry run mode blocks Dependency-Track submission and reports the request instead.",
+      status: "blocked",
+      target: getDependencyTrackBomUrl(args.serverUrl),
+    });
+    return undefined;
+  }
   const serverUrl = getDependencyTrackBomUrl(args.serverUrl);
   const bomPayload = buildDependencyTrackBomPayload(args, bomContents);
   if (!bomPayload) {