@cyclonedx/cdxgen 12.3.3 → 12.4.1

package/lib/cli/index.poku.js

@@ -1,11 +1,14 @@
-import { execFileSync } from "node:child_process";
+import { execFileSync, spawnSync } from "node:child_process";
 import {
+  copyFileSync,
+  existsSync,
   mkdirSync,
   mkdtempSync,
   readFileSync,
   rmSync,
   writeFileSync,
 } from "node:fs";
+import { createServer } from "node:http";
 import { tmpdir } from "node:os";
 import { dirname, join, normalize, sep } from "node:path";
 import process from "node:process";
@@ -15,6 +18,12 @@ import esmock from "esmock";
 import { assert, describe, it } from "poku";
 import sinon from "sinon";
 
+import { readBinary } from "../helpers/protobom.js";
+import {
+  getRecordedActivities,
+  resetRecordedActivities,
+  setDryRunMode,
+} from "../helpers/utils.js";
 import { auditBom } from "../stages/postgen/auditBom.js";
 import { postProcess } from "../stages/postgen/postgen.js";
 import {
@@ -22,7 +31,10 @@ import {
   createChromeExtensionBom,
   createNodejsBom,
   createPHPBom,
+  createPythonBom,
   createRustBom,
+  listComponents,
+  submitBom,
 } from "./index.js";
 
 const fixtureDir = join(
@@ -60,6 +72,14 @@ const mcpFixtureDir = join(
   "data",
   "mcp-repotest",
 );
+const cbomFixtureDir = join(
+  dirname(fileURLToPath(import.meta.url)),
+  "..",
+  "..",
+  "test",
+  "data",
+  "cbom-js-repotest",
+);
 const cacheDisableFixtureDir = join(
   dirname(fileURLToPath(import.meta.url)),
   "..",
@@ -149,7 +169,125 @@ function getNpmPackFilePaths() {
   return packSummary.files.map((file) => toPortablePath(file.path));
 }
 
+function buildMinimalCliEnv(extraEnv = {}) {
+  const baseEnv = {
+    HOME: process.env.HOME,
+    PATH: process.env.PATH,
+    TMPDIR: process.env.TMPDIR,
+  };
+  if (process.platform === "win32") {
+    baseEnv.SystemRoot = process.env.SystemRoot;
+    baseEnv.TEMP = process.env.TEMP;
+    baseEnv.TMP = process.env.TMP;
+    baseEnv.USERPROFILE = process.env.USERPROFILE;
+  }
+  return Object.fromEntries(
+    Object.entries({
+      ...baseEnv,
+      ...extraEnv,
+    }).filter(([, value]) => value !== undefined),
+  );
+}
+
+async function startSubmitBomTestServer(requestHandler) {
+  const requests = [];
+  const server = createServer((req, res) => {
+    let body = "";
+    req.setEncoding("utf8");
+    req.on("data", (chunk) => {
+      body += chunk;
+    });
+    req.on("end", async () => {
+      const request = {
+        body,
+        headers: req.headers,
+        rawHeaders: req.rawHeaders,
+        method: req.method,
+        url: req.url,
+      };
+      requests.push(request);
+      const response = (await requestHandler(request, requests.length)) || {};
+      if (res.writableEnded) {
+        return;
+      }
+      res.writeHead(response.statusCode || 200, {
+        "Content-Type": "application/json",
+      });
+      res.end(JSON.stringify(response.body || { success: true }));
+    });
+  });
+  await new Promise((resolve) => {
+    server.listen(0, "127.0.0.1", resolve);
+  });
+  const address = server.address();
+  const serverUrl = `http://127.0.0.1:${address.port}`;
+  return {
+    close: () =>
+      new Promise((resolve, reject) => {
+        server.close((error) => {
+          if (error) {
+            reject(error);
+            return;
+          }
+          resolve();
+        });
+      }),
+    requests,
+    serverUrl,
+  };
+}
+
+function getRequestHeader(request, headerName) {
+  const normalizedHeaderName = headerName.toLowerCase();
+  const directValue = request?.headers?.[normalizedHeaderName];
+  if (directValue !== undefined) {
+    return Array.isArray(directValue) ? directValue[0] : directValue;
+  }
+  const rawHeaders = request?.rawHeaders;
+  if (!Array.isArray(rawHeaders)) {
+    return undefined;
+  }
+  for (let index = 0; index < rawHeaders.length; index += 2) {
+    if (rawHeaders[index]?.toLowerCase() === normalizedHeaderName) {
+      return rawHeaders[index + 1];
+    }
+  }
+  return undefined;
+}
+
 describe("CLI tests", () => {
+  describe("component creation", () => {
+    it("keeps readable OBOM bom-refs when no package purl type is available", () => {
+      const components = listComponents(
+        { specVersion: 1.7 },
+        undefined,
+        [
+          {
+            "bom-ref":
+              "osquery:authorized_keys_snapshot:data:root@ssh-ed25519[key_file=/root/.ssh/authorized_keys]",
+            name: "root",
+            properties: [
+              {
+                name: "cdx:osquery:category",
+                value: "authorized_keys_snapshot",
+              },
+            ],
+            type: "data",
+            version: "ssh-ed25519",
+          },
+        ],
+        "",
+      );
+      assert.strictEqual(components.length, 1);
+      assert.strictEqual(components[0].purl, undefined);
+      assert.strictEqual(
+        components[0]["bom-ref"],
+        "osquery:authorized_keys_snapshot:data:root@ssh-ed25519[key_file=/root/.ssh/authorized_keys]",
+      );
+      assert.strictEqual(components[0].type, "data");
+    });
+  });
+
   describe("distribution filters", () => {
     it("keeps npm types while excluding poku tests from npm pack output", () => {
       const packedPaths = getNpmPackFilePaths();
@@ -169,6 +307,560 @@ describe("CLI tests", () => {
     });
   });
 
+  describe("dry-run tracing", () => {
+    it("captures sensitive file reads and environment reads for private registry style Docker inputs", () => {
+      const fixtureRoot = mkdtempSync(
+        join(tmpdir(), "cdxgen-dry-run-registry-"),
+      );
+      const dockerConfigDir = join(fixtureRoot, "docker-config");
+      mkdirSync(dockerConfigDir, { recursive: true });
+      writeFileSync(
+        join(dockerConfigDir, "config.json"),
+        JSON.stringify({
+          credHelpers: {
+            "docker.io": "osxkeychain",
+          },
+        }),
+      );
+      try {
+        const output = execFileSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "cdxgen.js"),
+            "--dry-run",
+            "-t",
+            "oci",
+            "docker.io/library/alpine:3.20",
+            "--no-banner",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv({
+              DOCKER_CONFIG: dockerConfigDir,
+            }),
+          },
+        );
+        assert.match(output, /cdxgen dry-run activity summary/);
+        assert.match(output, /process\.env:DOCKER_CONFIG/);
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+
+    it("supports bom audit in dry-run mode while skipping predictive dependency analysis", () => {
+      const result = spawnSync(
+        process.execPath,
+        [
+          join(repoDir, "bin", "cdxgen.js"),
+          "--dry-run",
+          "--bom-audit",
+          "--bom-audit-categories",
+          "mcp-server",
+          "-t",
+          "js",
+          mcpFixtureDir,
+          "--no-banner",
+        ],
+        {
+          cwd: repoDir,
+          encoding: "utf8",
+          env: buildMinimalCliEnv(),
+        },
+      );
+      assert.strictEqual(result.status, 0);
+      const output = `${result.stdout}${result.stderr}`;
+
+      assert.match(output, /BOM Audit Findings/);
+      assert.match(output, /MCP-001/);
+      assert.match(
+        output,
+        /Dry-run mode only planned predictive audit targets/i,
+      );
+    });
+
+    it("enforces CDXGEN_ALLOWED_HOSTS for Dependency-Track submission in secure CLI mode", () => {
+      const result = spawnSync(
+        process.execPath,
+        [
+          join(repoDir, "bin", "cdxgen.js"),
+          "--dry-run",
+          "-t",
+          "js",
+          mcpFixtureDir,
+          "--server-url",
+          "https://blocked.example.com",
+          "--api-key",
+          "test-api-key",
+          "--no-banner",
+        ],
+        {
+          cwd: repoDir,
+          encoding: "utf8",
+          env: buildMinimalCliEnv({
+            CDXGEN_ALLOWED_HOSTS: "allowed.example.com",
+            CDXGEN_SECURE_MODE: "true",
+          }),
+        },
+      );
+      const output = `${result.stdout}${result.stderr}`;
+
+      assert.strictEqual(result.status, 1);
+      assert.match(
+        output,
+        /Dependency-Track server host 'blocked\.example\.com' is not allowed/i,
+      );
+    });
+  });
+
+  describe("protobuf CLI round-trip", () => {
+    it("generates, converts, and validates protobuf BOMs for CycloneDX 1.6 and 1.7", () => {
+      const fixtureRoot = mkdtempSync(
+        join(tmpdir(), "cdxgen-proto-roundtrip-"),
+      );
+      try {
+        for (const specVersion of ["1.6", "1.7"]) {
+          const jsonPath = join(fixtureRoot, `bom-${specVersion}.json`);
+          const protoPath = join(fixtureRoot, `bom-${specVersion}.cdx`);
+          const spdxPath = join(fixtureRoot, `bom-${specVersion}.spdx.json`);
+          const generateResult = spawnSync(
+            process.execPath,
+            [
+              join(repoDir, "bin", "cdxgen.js"),
+              "-t",
+              "js",
+              mcpFixtureDir,
+              "-o",
+              jsonPath,
+              "--spec-version",
+              specVersion,
+              "--export-proto",
+              "--proto-bin-file",
+              protoPath,
+              "--no-banner",
+            ],
+            {
+              cwd: repoDir,
+              encoding: "utf8",
+              env: buildMinimalCliEnv(),
+            },
+          );
+          assert.strictEqual(generateResult.status, 0);
+          assert.ok(existsSync(jsonPath));
+          assert.ok(existsSync(protoPath));
+
+          const convertResult = spawnSync(
+            process.execPath,
+            [
+              join(repoDir, "bin", "convert.js"),
+              "-i",
+              protoPath,
+              "-o",
+              spdxPath,
+            ],
+            {
+              cwd: repoDir,
+              encoding: "utf8",
+              env: buildMinimalCliEnv(),
+            },
+          );
+          assert.strictEqual(convertResult.status, 0);
+          assert.ok(existsSync(spdxPath));
+
+          const validateResult = spawnSync(
+            process.execPath,
+            [
+              join(repoDir, "bin", "validate.js"),
+              "-i",
+              protoPath,
+              "--fail-severity",
+              "critical",
+              "--no-deep",
+              "--report",
+              "json",
+            ],
+            {
+              cwd: repoDir,
+              encoding: "utf8",
+              env: buildMinimalCliEnv(),
+            },
+          );
+          assert.strictEqual(validateResult.status, 0);
+          assert.doesNotMatch(
+            `${validateResult.stdout}${validateResult.stderr}`,
+            /Failed to parse|non-CycloneDX|Unsupported CycloneDX specVersion/i,
+          );
+        }
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+
+    it("preserves user output directories for research-profile protobuf exports", () => {
+      const fixtureRoot = mkdtempSync(
+        join(tmpdir(), "cdxgen-proto-research-roundtrip-"),
+      );
+      try {
+        const jsonPath = join(fixtureRoot, "research.json");
+        const protoPath = join(fixtureRoot, "research.cdx");
+        const generateResult = spawnSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "cdxgen.js"),
+            "-t",
+            "js",
+            "-t",
+            "mcp",
+            mcpFixtureDir,
+            "--profile",
+            "research",
+            "-o",
+            jsonPath,
+            "--export-proto",
+            "--proto-bin-file",
+            protoPath,
+            "--no-banner",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+
+        assert.strictEqual(generateResult.status, 0);
+        assert.ok(existsSync(fixtureRoot));
+        assert.ok(existsSync(jsonPath));
+        assert.ok(existsSync(protoPath));
+
+        const generatedBom = JSON.parse(readFileSync(jsonPath, "utf8"));
+        assert.ok((generatedBom.services || []).length >= 1);
+
+        const roundTrippedBom = readBinary(protoPath);
+        assert.ok(roundTrippedBom);
+        assert.ok((roundTrippedBom.formulation || []).length >= 1);
+        assert.ok((roundTrippedBom.services || []).length >= 1);
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+
+    it("exports standards-enabled BOMs to protobuf using canonical definitions objects", () => {
+      const fixtureRoot = mkdtempSync(
+        join(tmpdir(), "cdxgen-proto-standards-roundtrip-"),
+      );
+      try {
+        const jsonPath = join(fixtureRoot, "standards.json");
+        const protoPath = join(fixtureRoot, "standards.cdx");
+        const generateResult = spawnSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "cdxgen.js"),
+            "-t",
+            "js",
+            mcpFixtureDir,
+            "--standard",
+            "asvs-5.0",
+            "-o",
+            jsonPath,
+            "--export-proto",
+            "--proto-bin-file",
+            protoPath,
+            "--no-banner",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+
+        assert.strictEqual(generateResult.status, 0);
+        assert.ok(existsSync(jsonPath));
+        assert.ok(existsSync(protoPath));
+
+        const roundTrippedBom = readBinary(protoPath);
+        assert.ok(roundTrippedBom);
+        assert.equal(Array.isArray(roundTrippedBom.definitions), false);
+        assert.ok((roundTrippedBom.definitions?.standards || []).length >= 1);
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+
+    it("round-trips research, standards, and CBOM protobuf exports with canonical JSON", () => {
+      const fixtureRoot = mkdtempSync(
+        join(tmpdir(), "cdxgen-proto-mode-roundtrip-"),
+      );
+      const scenarios = [
+        {
+          args: [
+            "-t",
+            "js",
+            "-t",
+            "mcp",
+            mcpFixtureDir,
+            "--profile",
+            "research",
+          ],
+          assertRoundTrip: (bomJson) => {
+            assert.ok((bomJson.formulation || []).length >= 1);
+          },
+          expectedSpecVersion: (specVersion) => specVersion,
+          name: "research",
+        },
+        {
+          args: [cbomFixtureDir, "--include-crypto", "--evidence", "--deep"],
+          assertRoundTrip: (bomJson) => {
+            const cryptoComponents = (bomJson.components || []).filter(
+              (component) => component.type === "cryptographic-asset",
+            );
+            assert.ok(cryptoComponents.length >= 3);
+            assert.equal(
+              cryptoComponents.some(
+                (component) => component.purl !== undefined,
+              ),
+              false,
+            );
+          },
+          isolateDepsSlicesFile: true,
+          expectedSpecVersion: (specVersion) => specVersion,
+          name: "cbom",
+        },
+        {
+          args: ["-t", "js", mcpFixtureDir, "--standard", "asvs-5.0"],
+          assertRoundTrip: (bomJson) => {
+            assert.equal(Array.isArray(bomJson.definitions), false);
+            assert.ok((bomJson.definitions?.standards || []).length >= 1);
+          },
+          expectedSpecVersion: () => "1.7",
+          name: "standards",
+        },
+      ];
+      try {
+        for (const scenario of scenarios) {
+          for (const specVersion of ["1.6", "1.7"]) {
+            const jsonPath = join(
+              fixtureRoot,
+              `${scenario.name}-${specVersion}.json`,
+            );
+            const protoPath = join(
+              fixtureRoot,
+              `${scenario.name}-${specVersion}.cdx`,
+            );
+            const spdxPath = join(
+              fixtureRoot,
+              `${scenario.name}-${specVersion}.spdx.json`,
+            );
+            const depsSlicesPath = join(
+              fixtureRoot,
+              `${scenario.name}-${specVersion}.deps.slices.json`,
+            );
+            const depsSlicesArgs = scenario.isolateDepsSlicesFile
+              ? ["--deps-slices-file", depsSlicesPath]
+              : [];
+            const generateResult = spawnSync(
+              process.execPath,
+              [
+                join(repoDir, "bin", "cdxgen.js"),
+                ...scenario.args,
+                "-o",
+                jsonPath,
+                "--spec-version",
+                specVersion,
+                ...depsSlicesArgs,
+                "--export-proto",
+                "--proto-bin-file",
+                protoPath,
+                "--no-banner",
+              ],
+              {
+                cwd: repoDir,
+                encoding: "utf8",
+                env: buildMinimalCliEnv(),
+              },
+            );
+            assert.strictEqual(
+              generateResult.status,
+              0,
+              `${scenario.name} ${specVersion}: ${generateResult.stdout}${generateResult.stderr}`,
+            );
+
+            const generatedBom = JSON.parse(readFileSync(jsonPath, "utf8"));
+            assert.strictEqual(
+              generatedBom.specVersion,
+              scenario.expectedSpecVersion(specVersion),
+            );
+
+            const convertResult = spawnSync(
+              process.execPath,
+              [
+                join(repoDir, "bin", "convert.js"),
+                "-i",
+                protoPath,
+                "-o",
+                spdxPath,
+              ],
+              {
+                cwd: repoDir,
+                encoding: "utf8",
+                env: buildMinimalCliEnv(),
+              },
+            );
+            assert.strictEqual(
+              convertResult.status,
+              0,
+              `${scenario.name} ${specVersion}: ${convertResult.stdout}${convertResult.stderr}`,
+            );
+
+            const validateResult = spawnSync(
+              process.execPath,
+              [
+                join(repoDir, "bin", "validate.js"),
+                "-i",
+                protoPath,
+                "--fail-severity",
+                "critical",
+                "--no-deep",
+                "--report",
+                "json",
+              ],
+              {
+                cwd: repoDir,
+                encoding: "utf8",
+                env: buildMinimalCliEnv(),
+              },
+            );
+            assert.strictEqual(
+              validateResult.status,
+              0,
+              `${scenario.name} ${specVersion}: ${validateResult.stdout}${validateResult.stderr}`,
+            );
+
+            const roundTrippedBom = readBinary(protoPath);
+            assert.ok(roundTrippedBom);
+            assert.strictEqual(roundTrippedBom.bomFormat, "CycloneDX");
+            assert.strictEqual(
+              roundTrippedBom.specVersion,
+              scenario.expectedSpecVersion(specVersion),
+            );
+            scenario.assertRoundTrip(roundTrippedBom);
+          }
+        }
+        assert.strictEqual(
+          existsSync(join(repoDir, "deps.slices.json")),
+          false,
+          "protobuf round-trip tests must not leave deps.slices.json in the repository root",
+        );
+      } finally {
+        rmSync(join(repoDir, "deps.slices.json"), { force: true });
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+  });
+
+  describe("CycloneDX 2.0 JSON output", () => {
+    it("generates valid experimental 2.0-dev JSON with specFormat", () => {
+      const fixtureRoot = mkdtempSync(join(tmpdir(), "cdxgen-json20-"));
+      try {
+        const jsonPath = join(fixtureRoot, "bom-2.0.json");
+        const generateResult = spawnSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "cdxgen.js"),
+            "-t",
+            "js",
+            mcpFixtureDir,
+            "-o",
+            jsonPath,
+            "--spec-version",
+            "2.0",
+            "--no-banner",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+        assert.strictEqual(
+          generateResult.status,
+          0,
+          `${generateResult.stdout}${generateResult.stderr}`,
+        );
+
+        const generatedBom = JSON.parse(readFileSync(jsonPath, "utf8"));
+        assert.strictEqual(generatedBom.specFormat, "CycloneDX");
+        assert.strictEqual(generatedBom.bomFormat, undefined);
+        assert.strictEqual(generatedBom.specVersion, "2.0");
+        assert.ok(Array.isArray(generatedBom.metadata?.tools?.components));
+
+        const validateResult = spawnSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "validate.js"),
+            "-i",
+            jsonPath,
+            "--fail-severity",
+            "critical",
+            "--no-deep",
+            "--report",
+            "json",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+        assert.strictEqual(
+          validateResult.status,
+          0,
+          `${validateResult.stdout}${validateResult.stderr}`,
+        );
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+
+    it("rejects experimental 2.0-dev protobuf export until cdx-proto supports it", () => {
+      const fixtureRoot = mkdtempSync(join(tmpdir(), "cdxgen-proto20-"));
+      try {
+        const jsonPath = join(fixtureRoot, "bom-2.0.json");
+        const protoPath = join(fixtureRoot, "bom-2.0.cdx");
+        const generateResult = spawnSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "cdxgen.js"),
+            "-t",
+            "js",
+            mcpFixtureDir,
+            "-o",
+            jsonPath,
+            "--spec-version",
+            "2.0",
+            "--export-proto",
+            "--proto-bin-file",
+            protoPath,
+            "--no-banner",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+        assert.strictEqual(generateResult.status, 1);
+        assert.match(
+          `${generateResult.stdout}${generateResult.stderr}`,
+          /CycloneDX 2\.0 is not currently supported for protobuf export/i,
+        );
+      } finally {
+        rmSync(fixtureRoot, { force: true, recursive: true });
+      }
+    });
+  });
+
   describe("submitBom()", () => {
     it("should report blocked Dependency-Track submission during dry-run", async () => {
       const recordActivity = sinon.stub();
@@ -201,18 +893,11 @@ describe("CLI tests", () => {
     });
 
     it("should successfully report the SBOM with given project id, name, version and a single tag", async () => {
-      const fakeGotResponse = {
-        json: sinon.stub().resolves({ success: true }),
-      };
-
-      const gotStub = sinon.stub().returns(fakeGotResponse);
-      gotStub.extend = sinon.stub().returns(gotStub);
+      const server = await startSubmitBomTestServer(async () => ({
+        body: { success: true },
+      }));
 
-      const { submitBom } = await esmock("./index.js", {
-        got: { default: gotStub },
-      });
-
-      const serverUrl = "https://dtrack.example.com";
+      const serverUrl = server.serverUrl;
       const projectId = "f7cb9f02-8041-4991-9101-b01fa07a6522";
       const projectName = "cdxgen-test-project";
       const projectVersion = "1.0.0";
@@ -230,47 +915,44 @@ describe("CLI tests", () => {
         projectTags: [{ name: projectTag }],
       };
 
-      await submitBom(
-        {
-          serverUrl,
-          projectId,
-          projectName,
-          projectVersion,
-          apiKey,
-          skipDtTlsCheck,
-          projectTag,
-        },
-        bomContent,
-      );
-
-      // Verify got was called exactly once
-      sinon.assert.calledOnce(gotStub);
-
-      // Grab call arguments
-      const [calledUrl, options] = gotStub.firstCall.args;
+      try {
+        const response = await submitBom(
+          {
+            serverUrl,
+            projectId,
+            projectName,
+            projectVersion,
+            apiKey,
+            skipDtTlsCheck,
+            projectTag,
+          },
+          bomContent,
+        );
 
-      assert.equal(calledUrl, `${serverUrl}/api/v1/bom`);
-      assert.equal(options.method, "PUT");
-      assert.equal(options.followRedirect, false);
-      assert.equal(options.https.rejectUnauthorized, !skipDtTlsCheck);
-      assert.equal(options.headers["X-Api-Key"], apiKey);
-      assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
-      assert.deepEqual(options.json, expectedRequestPayload);
+        assert.deepEqual(response, { success: true });
+        assert.equal(server.requests.length, 1);
+        assert.equal(server.requests[0].method, "PUT");
+        assert.equal(server.requests[0].url, "/api/v1/bom");
+        assert.equal(getRequestHeader(server.requests[0], "x-api-key"), apiKey);
+        assert.equal(
+          getRequestHeader(server.requests[0], "content-type"),
+          "application/json",
+        );
+        assert.deepEqual(
+          JSON.parse(server.requests[0].body),
+          expectedRequestPayload,
+        );
+      } finally {
+        await server.close();
+      }
     });
 
     it("should successfully report the SBOM with given parent project, name, version and multiple tags", async () => {
-      const fakeGotResponse = {
-        json: sinon.stub().resolves({ success: true }),
-      };
-
-      const gotStub = sinon.stub().returns(fakeGotResponse);
-      gotStub.extend = sinon.stub().returns(gotStub);
-
-      const { submitBom } = await esmock("./index.js", {
-        got: { default: gotStub },
-      });
+      const server = await startSubmitBomTestServer(async () => ({
+        body: { success: true },
+      }));
 
-      const serverUrl = "https://dtrack.example.com";
+      const serverUrl = server.serverUrl;
       const projectName = "cdxgen-test-project";
       const projectVersion = "1.1.0";
       const projectTags = ["tag1", "tag2"];
@@ -290,48 +972,44 @@ describe("CLI tests", () => {
         projectTags: [{ name: projectTags[0] }, { name: projectTags[1] }],
       };
 
-      await submitBom(
-        {
-          serverUrl,
-          parentProjectId,
-          projectName,
-          projectVersion,
-          apiKey,
-          skipDtTlsCheck,
-          projectTag: projectTags,
-        },
-        bomContent,
-      );
-
-      // Verify got was called exactly once
-      sinon.assert.calledOnce(gotStub);
-
-      // Grab call arguments
-      const [calledUrl, options] = gotStub.firstCall.args;
+      try {
+        const response = await submitBom(
+          {
+            serverUrl,
+            parentProjectId,
+            projectName,
+            projectVersion,
+            apiKey,
+            skipDtTlsCheck,
+            projectTag: projectTags,
+          },
+          bomContent,
+        );
 
-      // Assert call arguments against expectations
-      assert.equal(calledUrl, `${serverUrl}/api/v1/bom`);
-      assert.equal(options.method, "PUT");
-      assert.equal(options.followRedirect, false);
-      assert.equal(options.https.rejectUnauthorized, !skipDtTlsCheck);
-      assert.equal(options.headers["X-Api-Key"], apiKey);
-      assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
-      assert.deepEqual(options.json, expectedRequestPayload);
+        assert.deepEqual(response, { success: true });
+        assert.equal(server.requests.length, 1);
+        assert.equal(server.requests[0].method, "PUT");
+        assert.equal(server.requests[0].url, "/api/v1/bom");
+        assert.equal(getRequestHeader(server.requests[0], "x-api-key"), apiKey);
+        assert.equal(
+          getRequestHeader(server.requests[0], "content-type"),
+          "application/json",
+        );
+        assert.deepEqual(
+          JSON.parse(server.requests[0].body),
+          expectedRequestPayload,
+        );
+      } finally {
+        await server.close();
+      }
     });
 
     it("should include parentName and parentVersion when parent project name and version are passed", async () => {
-      const fakeGotResponse = {
-        json: sinon.stub().resolves({ success: true }),
-      };
-
-      const gotStub = sinon.stub().returns(fakeGotResponse);
-      gotStub.extend = sinon.stub().returns(gotStub);
-
-      const { submitBom } = await esmock("./index.js", {
-        got: { default: gotStub },
-      });
+      const server = await startSubmitBomTestServer(async () => ({
+        body: { success: true },
+      }));
 
-      const serverUrl = "https://dtrack.example.com";
+      const serverUrl = server.serverUrl;
       const projectName = "cdxgen-test-project";
       const projectVersion = "2.0.0";
       const parentProjectName = "parent-project";
@@ -351,77 +1029,71 @@ describe("CLI tests", () => {
         projectVersion,
       };
 
-      await submitBom(
-        {
-          serverUrl,
-          projectName,
-          projectVersion,
-          parentProjectName,
-          parentProjectVersion,
-          apiKey,
-          skipDtTlsCheck,
-        },
-        bomContent,
-      );
-
-      sinon.assert.calledOnce(gotStub);
-      const [calledUrl, options] = gotStub.firstCall.args;
+      try {
+        const response = await submitBom(
+          {
+            serverUrl,
+            projectName,
+            projectVersion,
+            parentProjectName,
+            parentProjectVersion,
+            apiKey,
+            skipDtTlsCheck,
+          },
+          bomContent,
+        );
 
-      assert.equal(calledUrl, `${serverUrl}/api/v1/bom`);
-      assert.equal(options.method, "PUT");
-      assert.equal(options.followRedirect, false);
-      assert.equal(options.https.rejectUnauthorized, !skipDtTlsCheck);
-      assert.equal(options.headers["X-Api-Key"], apiKey);
-      assert.match(options.headers["user-agent"], /@CycloneDX\/cdxgen/);
-      assert.deepEqual(options.json, expectedRequestPayload);
+        assert.deepEqual(response, { success: true });
+        assert.equal(server.requests.length, 1);
+        assert.equal(server.requests[0].method, "PUT");
+        assert.equal(server.requests[0].url, "/api/v1/bom");
+        assert.equal(getRequestHeader(server.requests[0], "x-api-key"), apiKey);
+        assert.equal(
+          getRequestHeader(server.requests[0], "content-type"),
+          "application/json",
+        );
+        assert.deepEqual(
+          JSON.parse(server.requests[0].body),
+          expectedRequestPayload,
+        );
+      } finally {
+        await server.close();
+      }
     });
 
     it("should include configurable autoCreate and isLatest values in payload", async () => {
-      const fakeGotResponse = {
-        json: sinon.stub().resolves({ success: true }),
-      };
-
-      const gotStub = sinon.stub().returns(fakeGotResponse);
-      gotStub.extend = sinon.stub().returns(gotStub);
-
-      const { submitBom } = await esmock("./index.js", {
-        got: { default: gotStub },
-      });
+      const server = await startSubmitBomTestServer(async () => ({
+        body: { success: true },
+      }));
 
-      const serverUrl = "https://dtrack.example.com";
+      const serverUrl = server.serverUrl;
       const projectName = "cdxgen-test-project";
       const apiKey = "TEST_API_KEY";
 
-      await submitBom(
-        {
-          serverUrl,
-          projectName,
-          apiKey,
-          autoCreate: false,
-          isLatest: true,
-        },
-        { bom: "test4" },
-      );
+      try {
+        const response = await submitBom(
+          {
+            serverUrl,
+            projectName,
+            apiKey,
+            autoCreate: false,
+            isLatest: true,
+          },
+          { bom: "test4" },
+        );
 
-      sinon.assert.calledOnce(gotStub);
-      const [_calledUrl, options] = gotStub.firstCall.args;
-      assert.equal(options.json.autoCreate, "false");
-      assert.equal(options.json.isLatest, true);
-      assert.equal(options.json.projectVersion, "main");
+        assert.deepEqual(response, { success: true });
+        assert.equal(server.requests.length, 1);
+        const payload = JSON.parse(server.requests[0].body);
+        assert.equal(payload.autoCreate, "false");
+        assert.equal(payload.isLatest, true);
+        assert.equal(payload.projectVersion, "main");
+      } finally {
+        await server.close();
+      }
     });
 
     it("should reject invalid mixed parent modes before making network request", async () => {
-      const fakeGotResponse = {
-        json: sinon.stub().resolves({ success: true }),
-      };
-
-      const gotStub = sinon.stub().returns(fakeGotResponse);
-      gotStub.extend = sinon.stub().returns(gotStub);
-
-      const { submitBom } = await esmock("./index.js", {
-        got: { default: gotStub },
-      });
-
       const response = await submitBom(
         {
           serverUrl: "https://dtrack.example.com",
@@ -434,42 +1106,57 @@ describe("CLI tests", () => {
       );
 
       assert.equal(response, undefined);
-      sinon.assert.notCalled(gotStub);
     });
 
-    it("disables redirects for the POST fallback request too", async () => {
-      const putError = new Error("Method not allowed");
-      putError.response = { statusCode: 405 };
-      const gotStub = sinon.stub();
-      gotStub
-        .onFirstCall()
-        .returns({
-          json: sinon.stub().rejects(putError),
-        })
-        .onSecondCall()
-        .returns({
-          json: sinon.stub().resolves({ success: true }),
-        });
-      gotStub.extend = sinon.stub().returns(gotStub);
-
-      const { submitBom } = await esmock("./index.js", {
-        got: { default: gotStub },
-      });
-
-      await submitBom(
+    it("rejects malformed Dependency-Track URLs before making a request", async () => {
+      const response = await submitBom(
         {
-          serverUrl: "https://dtrack.example.com",
+          serverUrl: "file:///tmp/dtrack",
           projectName: "cdxgen-test-project",
-          apiKey: "TEST_API_KEY\r\n",
+          apiKey: "TEST_API_KEY",
         },
-        { bom: "test6" },
+        { bom: "test-invalid-url" },
       );
 
-      assert.equal(gotStub.callCount, 2);
-      const [, postOptions] = gotStub.secondCall.args;
-      assert.equal(postOptions.method, "POST");
-      assert.equal(postOptions.followRedirect, false);
-      assert.equal(postOptions.headers["X-Api-Key"], "TEST_API_KEY");
+      assert.equal(response, undefined);
+    });
+
+    it("disables redirects for the POST fallback request too", async () => {
+      const server = await startSubmitBomTestServer(
+        async (_request, requestCount) => {
+          if (requestCount === 1) {
+            return { body: { error: "Method not allowed" }, statusCode: 405 };
+          }
+          return { body: { success: true }, statusCode: 200 };
+        },
+      );
+
+      try {
+        const response = await submitBom(
+          {
+            serverUrl: server.serverUrl,
+            projectName: "cdxgen-test-project",
+            apiKey: "TEST_API_KEY\r\n",
+          },
+          { bom: "test6" },
+        );
+
+        assert.deepEqual(response, { success: true });
+        assert.equal(server.requests.length, 2);
+        assert.equal(server.requests[0].method, "PUT");
+        assert.equal(server.requests[1].method, "POST");
+        assert.equal(server.requests[1].url, "/api/v1/bom");
+        assert.equal(
+          getRequestHeader(server.requests[1], "x-api-key"),
+          "TEST_API_KEY",
+        );
+        assert.equal(
+          getRequestHeader(server.requests[1], "content-type"),
+          "application/json",
+        );
+      } finally {
+        await server.close();
+      }
     });
   });
 
@@ -654,6 +1341,136 @@ describe("CLI tests", () => {
         rmSync(tempRoot, { recursive: true, force: true });
       }
     });
+
+    it("should not scan installed browser locations without explicit extension project type", async () => {
+      const discoverChromiumExtensionDirs = sinon.stub().returns([
+        {
+          browser: "Google Chrome",
+          channel: "stable",
+          dir: join(tmpdir(), "fake-browser-dir"),
+        },
+      ]);
+      const collectInstalledChromeExtensions = sinon.stub().returns([
+        {
+          type: "application",
+          name: "aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa",
+          version: "1.0.0",
+          purl: "pkg:chrome-extension/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@1.0.0",
+          "bom-ref":
+            "pkg:chrome-extension/aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa@1.0.0",
+        },
+      ]);
+      const { createChromeExtensionBom: createChromeExtensionBomMocked } =
+        await esmock("./index.js", {
+          "../helpers/chromextutils.js": {
+            CHROME_EXTENSION_PURL_TYPE: "chrome-extension",
+            collectChromeExtensionsFromPath: sinon
+              .stub()
+              .returns({ components: [], extensionDirs: [] }),
+            collectInstalledChromeExtensions,
+            discoverChromiumExtensionDirs,
+          },
+        });
+      const bomData = await createChromeExtensionBomMocked(
+        join(tmpdir(), "generic-project"),
+        {
+          deep: true,
+          multiProject: false,
+          projectType: ["js"],
+        },
+      );
+      assert.deepStrictEqual(bomData?.bomJson?.components || [], []);
+      sinon.assert.notCalled(discoverChromiumExtensionDirs);
+      sinon.assert.notCalled(collectInstalledChromeExtensions);
+    });
+  });
+
+  describe("createVscodeExtensionBom()", () => {
+    it("should not scan installed IDE locations without explicit extension project type", async () => {
+      const discoverIdeExtensionDirs = sinon.stub().returns([
+        {
+          name: "VS Code",
+          dir: join(tmpdir(), "fake-ide-dir"),
+        },
+      ]);
+      const collectInstalledExtensions = sinon.stub().returns([
+        {
+          type: "application",
+          name: "sample.publisher",
+          version: "1.0.0",
+          purl: "pkg:vscode-extension/sample/publisher@1.0.0",
+          "bom-ref": "pkg:vscode-extension/sample/publisher@1.0.0",
+        },
+      ]);
+      const { createVscodeExtensionBom: createVscodeExtensionBomMocked } =
+        await esmock("./index.js", {
+          "../helpers/vsixutils.js": {
+            cleanupTempDir: sinon.stub(),
+            collectInstalledExtensions,
+            discoverIdeExtensionDirs,
+            extractVsixToTempDir: sinon.stub(),
+            parseVsixFile: sinon.stub(),
+            VSCODE_EXTENSION_PURL_TYPE: "vscode-extension",
+          },
+        });
+      const bomData = await createVscodeExtensionBomMocked(
+        join(tmpdir(), "generic-project"),
+        {
+          deep: true,
+          multiProject: false,
+          projectType: ["js"],
+        },
+      );
+      assert.deepStrictEqual(bomData?.bomJson?.components || [], []);
+      sinon.assert.notCalled(discoverIdeExtensionDirs);
+      sinon.assert.notCalled(collectInstalledExtensions);
+    });
+
+    it("should scan installed IDE locations when explicitly requested", async () => {
+      const discoverIdeExtensionDirs = sinon.stub().returns([
+        {
+          name: "VS Code",
+          dir: join(tmpdir(), "fake-ide-dir"),
+        },
+      ]);
+      const collectInstalledExtensions = sinon.stub().returns([
+        {
+          type: "application",
+          name: "sample.publisher",
+          version: "1.0.0",
+          purl: "pkg:vscode-extension/sample/publisher@1.0.0",
+          "bom-ref": "pkg:vscode-extension/sample/publisher@1.0.0",
+        },
+      ]);
+      const { createVscodeExtensionBom: createVscodeExtensionBomMocked } =
+        await esmock("./index.js", {
+          "../helpers/vsixutils.js": {
+            cleanupTempDir: sinon.stub(),
+            collectInstalledExtensions,
+            discoverIdeExtensionDirs,
+            extractVsixToTempDir: sinon.stub(),
+            parseVsixFile: sinon.stub(),
+            VSCODE_EXTENSION_PURL_TYPE: "vscode-extension",
+          },
+        });
+      const bomData = await createVscodeExtensionBomMocked(
+        join(tmpdir(), "generic-project"),
+        {
+          deep: true,
+          multiProject: false,
+          projectType: ["ide-extension"],
+        },
+      );
+      const components = bomData?.bomJson?.components || [];
+      assert.ok(
+        components.some(
+          (component) =>
+            component.purl === "pkg:vscode-extension/sample/publisher@1.0.0",
+        ),
+      );
+      sinon.assert.calledOnce(discoverIdeExtensionDirs);
+      sinon.assert.calledOnce(collectInstalledExtensions);
+    });
   });
 
   describe("createMultiXBom()", () => {
@@ -1088,6 +1905,291 @@ checksum = "${"a".repeat(64)}"
     });
   });
 
+  if (process.platform !== "win32") {
+    describe("HBOM support", () => {
+      it("delegates hbom project types to the hbom helper", async () => {
+        const actualHbomHelpers = await import("../helpers/hbom.js");
+        const createHbomDocument = sinon.stub().resolves({
+          bomFormat: "CycloneDX",
+          components: [],
+          metadata: {
+            component: {
+              name: "Demo Board",
+              type: "device",
+              version: "rev-a",
+            },
+          },
+          specVersion: "1.7",
+        });
+        const { createBom: createBomMocked } = await esmock("./index.js", {
+          "../helpers/hbom.js": {
+            ...actualHbomHelpers,
+            createHbomDocument,
+          },
+        });
+
+        const bomNSData = await createBomMocked(repoDir, {
+          projectType: ["hbom"],
+          specVersion: 1.7,
+        });
+
+        sinon.assert.calledOnce(createHbomDocument);
+        assert.strictEqual(
+          bomNSData?.bomJson?.metadata?.component?.name,
+          "Demo Board",
+        );
+        assert.strictEqual(bomNSData?.parentComponent?.type, "device");
+      });
+
+      it("supports dry-run mode for hbom project types in the main CLI flow", async () => {
+        setDryRunMode(true);
+        resetRecordedActivities();
+
+        try {
+          const bomNSData = await createBom(repoDir, {
+            projectType: ["hbom"],
+            specVersion: 1.7,
+          });
+
+          assert.strictEqual(bomNSData?.bomJson?.bomFormat, "CycloneDX");
+          assert.strictEqual(bomNSData?.bomJson?.specVersion, "1.7");
+          assert.ok(Array.isArray(bomNSData?.bomJson?.components));
+          assert.ok(bomNSData?.bomJson?.components.length >= 1);
+          assert.ok(Array.isArray(bomNSData?.dependencies));
+        } finally {
+          setDryRunMode(false);
+          resetRecordedActivities();
+        }
+      });
+
+      it("shows dedicated hbom command help", () => {
+        const result = spawnSync(
+          process.execPath,
+          [join(repoDir, "bin", "hbom.js"), "--help"],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+        const output = `${result.stdout}${result.stderr}`;
+
+        assert.strictEqual(result.status, 0);
+        assert.match(output, /Output file\.\s+Default\s+hbom\.json/u);
+        assert.match(output, /--include-runtime/u);
+        assert.match(output, /--privileged/u);
+        assert.match(output, /diagnostics/u);
+      });
+
+      it("uses the invoked hbom binary name in help output", () => {
+        const tempDir = mkdtempSync(join(repoDir, ".cdxgen-hbom-help-name-"));
+        try {
+          const slimScript = join(tempDir, "hbom-slim");
+          copyFileSync(join(repoDir, "bin", "hbom.js"), slimScript);
+          const result = spawnSync(process.execPath, [slimScript, "--help"], {
+            cwd: tempDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          });
+          const output = `${result.stdout}${result.stderr}`;
+
+          assert.strictEqual(result.status, 0);
+          assert.match(output, /hbom-slim \[command\] \[options\]/u);
+        } finally {
+          rmSync(tempDir, { force: true, recursive: true });
+        }
+      });
+
+      it("fails early when hbom include-runtime lacks osquery support", () => {
+        const emptyPluginsDir = mkdtempSync(
+          join(tmpdir(), "cdxgen-empty-plugins-"),
+        );
+        try {
+          const result = spawnSync(
+            process.execPath,
+            [join(repoDir, "bin", "hbom.js"), "--include-runtime"],
+            {
+              cwd: repoDir,
+              encoding: "utf8",
+              env: buildMinimalCliEnv({
+                CDXGEN_PLUGINS_DIR: emptyPluginsDir,
+              }),
+            },
+          );
+          const output = `${result.stdout}${result.stderr}`;
+
+          assert.strictEqual(result.status, 1);
+          assert.match(output, /--include-runtime/u);
+          assert.match(output, /cdxgen-plugins-bin/u);
+          assert.match(
+            output,
+            /'hbom' is the bundled option required for '--include-runtime' support/u,
+          );
+          assert.doesNotMatch(output, /About to generate OBOM/u);
+        } finally {
+          rmSync(emptyPluginsDir, { force: true, recursive: true });
+        }
+      });
+
+      it("guides hbom-slim users to the standard binary for include-runtime", () => {
+        const tempDir = mkdtempSync(
+          join(repoDir, ".cdxgen-hbom-runtime-check-"),
+        );
+        const emptyPluginsDir = mkdtempSync(
+          join(tmpdir(), "cdxgen-empty-plugins-"),
+        );
+        try {
+          const slimScript = join(tempDir, "hbom-slim");
+          copyFileSync(join(repoDir, "bin", "hbom.js"), slimScript);
+          const result = spawnSync(
+            process.execPath,
+            [slimScript, "--include-runtime"],
+            {
+              cwd: tempDir,
+              encoding: "utf8",
+              env: buildMinimalCliEnv({
+                CDXGEN_PLUGINS_DIR: emptyPluginsDir,
+              }),
+            },
+          );
+          const output = `${result.stdout}${result.stderr}`;
+
+          assert.strictEqual(result.status, 1);
+          assert.match(output, /'hbom-slim' is hardware-only by default/u);
+          assert.match(
+            output,
+            /Use 'hbom' for bundled '--include-runtime' support/u,
+          );
+        } finally {
+          rmSync(tempDir, { force: true, recursive: true });
+          rmSync(emptyPluginsDir, { force: true, recursive: true });
+        }
+      });
+
+      it("supports the hbom diagnostics subcommand for existing BOM files", () => {
+        const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-hbom-diagnostics-"));
+        try {
+          const inputFile = join(tempDir, "hbom.json");
+          writeFileSync(
+            inputFile,
+            JSON.stringify({
+              bomFormat: "CycloneDX",
+              components: [],
+              metadata: {
+                component: {
+                  name: "demo-host",
+                  properties: [
+                    { name: "cdx:hbom:platform", value: "linux" },
+                    { name: "cdx:hbom:architecture", value: "amd64" },
+                  ],
+                  type: "device",
+                },
+              },
+              properties: [
+                { name: "cdx:hbom:collectorProfile", value: "linux-amd64-v1" },
+                {
+                  name: "cdx:hbom:evidence:commandDiagnosticCount",
+                  value: "2",
+                },
+                {
+                  name: "cdx:hbom:evidence:commandDiagnostic",
+                  value: JSON.stringify({
+                    command: "lsusb",
+                    installHint:
+                      "Command not found: install the Linux package providing lsusb (commonly `usbutils`).",
+                    issue: "missing-command",
+                    message: "lsusb failed with missing-command",
+                  }),
+                },
+                {
+                  name: "cdx:hbom:evidence:commandDiagnostic",
+                  value: JSON.stringify({
+                    command: "drm_info",
+                    issue: "permission-denied",
+                    message: "drm_info failed with permission-denied",
+                    privilegeHint:
+                      "Retry with --privileged to allow a non-interactive sudo attempt for permission-sensitive Linux commands.",
+                  }),
+                },
+              ],
+              specVersion: "1.7",
+              version: 1,
+            }),
+          );
+          const result = spawnSync(
+            process.execPath,
+            [
+              join(repoDir, "bin", "hbom.js"),
+              "diagnostics",
+              "--input",
+              inputFile,
+            ],
+            {
+              cwd: tempDir,
+              encoding: "utf8",
+              env: buildMinimalCliEnv(),
+            },
+          );
+          const output = `${result.stdout}${result.stderr}`;
+
+          assert.strictEqual(result.status, 0);
+          assert.match(output, /HBOM diagnostics summary/u);
+          assert.match(output, /Missing commands:\n- lsusb/u);
+          assert.match(output, /Permission-sensitive enrichments:/u);
+          assert.match(output, /--privileged/u);
+        } finally {
+          rmSync(tempDir, { force: true, recursive: true });
+        }
+      });
+
+      it("supports dry-run mode in the dedicated hbom command", () => {
+        const tempDir = mkdtempSync(join(tmpdir(), "cdxgen-hbom-dry-run-"));
+        try {
+          const outputFile = join(tempDir, "hbom.json");
+          const result = spawnSync(
+            process.execPath,
+            [join(repoDir, "bin", "hbom.js"), "--dry-run"],
+            {
+              cwd: tempDir,
+              encoding: "utf8",
+              env: buildMinimalCliEnv(),
+            },
+          );
+          const output = `${result.stdout}${result.stderr}`;
+
+          assert.strictEqual(result.status, 0);
+          assert.match(output, /cdxgen dry-run activity summary/u);
+          assert.strictEqual(existsSync(outputFile), false);
+        } finally {
+          rmSync(tempDir, { force: true, recursive: true });
+        }
+      });
+
+      it("rejects mixed hbom and sbom project types in the main CLI", () => {
+        const result = spawnSync(
+          process.execPath,
+          [
+            join(repoDir, "bin", "cdxgen.js"),
+            "-t",
+            "hbom",
+            "-t",
+            "js",
+            "--no-banner",
+          ],
+          {
+            cwd: repoDir,
+            encoding: "utf8",
+            env: buildMinimalCliEnv(),
+          },
+        );
+        const output = `${result.stdout}${result.stderr}`;
+
+        assert.strictEqual(result.status, 1);
+        assert.match(output, /HBOM project types cannot be mixed/u);
+      });
+    });
+  }
+
   describe("createBom() Collider lock support", () => {
     it("preserves Collider integrity metadata and dependency nodes in the BOM", async () => {
       const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-collider-"));
@@ -1421,7 +2523,7 @@ checksum = "${"a".repeat(64)}"
       );
     });
 
-    it("supports exact AI skill scans and js exclude-type filtering for AI inventory", async () => {
+    it("requires explicit opt-in for AI inventory in js and python scans", async () => {
       const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-ai-inventory-"));
       mkdirSync(join(tmpDir, ".claude", "skills", "release"), {
         recursive: true,
@@ -1539,88 +2641,158 @@ checksum = "${"a".repeat(64)}"
           tmpDir,
         ).bomJson;
         assert.ok(
-          (jsBomJson.components || []).some(
-            (component) =>
-              getProp(component, "cdx:file:kind") === "skill-file" &&
-              getProp(component, "cdx:skill:name") === "release",
+          !(jsBomJson.components || []).some((component) =>
+            ["agent-instructions", "mcp-config", "skill-file"].includes(
+              getProp(component, "cdx:file:kind"),
+            ),
+          ),
+          "did not expect AI inventory components in js scan without opt-in",
+        );
+        assert.ok(
+          !(jsBomJson.services || []).some((service) =>
+            service.properties?.some((property) =>
+              property.name.startsWith("cdx:mcp:"),
+            ),
           ),
-          "expected skill file in js scan",
+          "did not expect MCP services in js scan without opt-in",
         );
+
+        const dockerOptions = {
+          ...baseOptions,
+          projectType: ["js", "docker"],
+        };
+        const dockerBomJson = postProcess(
+          await createNodejsBom(tmpDir, dockerOptions),
+          dockerOptions,
+          tmpDir,
+        ).bomJson;
         assert.ok(
-          (jsBomJson.components || []).some(
+          !(dockerBomJson.components || []).some((component) =>
+            ["agent-instructions", "mcp-config", "skill-file"].includes(
+              getProp(component, "cdx:file:kind"),
+            ),
+          ),
+          "did not expect AI inventory components in docker js scan without opt-in",
+        );
+
+        const exactAiSkillOptions = {
+          ...baseOptions,
+          projectType: ["ai-skill"],
+        };
+        const aiSkillBomJson = postProcess(
+          await createBom(tmpDir, exactAiSkillOptions),
+          exactAiSkillOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (aiSkillBomJson.components || []).some(
             (component) =>
               component.name === "CLAUDE.md" &&
               getProp(component, "cdx:file:kind") === "agent-instructions",
           ),
-          "expected CLAUDE.md in js scan",
+          "expected CLAUDE.md in exact ai-skill scan",
         );
         assert.ok(
-          (jsBomJson.components || []).some(
+          !(aiSkillBomJson.components || []).some(
             (component) => getProp(component, "cdx:file:kind") === "mcp-config",
           ),
-          "expected MCP config in js scan",
+          "did not expect MCP configs in exact ai-skill scan",
+        );
+
+        const optedInJsOptions = {
+          ...baseOptions,
+          projectType: ["js", "ai-skill", "mcp"],
+        };
+        const optedInJsBomJson = postProcess(
+          await createBom(tmpDir, optedInJsOptions),
+          optedInJsOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (optedInJsBomJson.components || []).some(
+            (component) =>
+              getProp(component, "cdx:file:kind") === "skill-file" &&
+              getProp(component, "cdx:skill:name") === "release",
+          ),
+          "expected skill file in opted-in js scan",
         );
         assert.ok(
-          (jsBomJson.services || []).some(
+          (optedInJsBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "mcp-config",
+          ),
+          "expected MCP config in opted-in js scan",
+        );
+        assert.ok(
+          (optedInJsBomJson.services || []).some(
             (service) =>
               service.name === "releaseDocs" &&
               getProp(service, "cdx:mcp:inventorySource") === "config-file",
           ),
-          "expected MCP config service in js scan",
+          "expected MCP config service in opted-in js scan",
         );
 
-        const dockerOptions = {
+        const auditAliasJsOptions = {
           ...baseOptions,
-          projectType: ["js", "docker"],
+          bomAuditCategories: "ai-inventory",
+          projectType: ["js"],
         };
-        const dockerBomJson = postProcess(
-          await createNodejsBom(tmpDir, dockerOptions),
-          dockerOptions,
+        const auditAliasJsBomJson = postProcess(
+          await createBom(tmpDir, auditAliasJsOptions),
+          auditAliasJsOptions,
           tmpDir,
         ).bomJson;
         assert.ok(
-          (dockerBomJson.components || []).some(
+          (auditAliasJsBomJson.components || []).some(
             (component) =>
               getProp(component, "cdx:file:kind") === "skill-file" &&
               getProp(component, "cdx:skill:name") === "release",
           ),
-          "expected skill file in docker js scan",
+          "expected skill file in ai-inventory audit-category js scan",
         );
         assert.ok(
-          (dockerBomJson.components || []).some(
+          (auditAliasJsBomJson.components || []).some(
             (component) => getProp(component, "cdx:file:kind") === "mcp-config",
           ),
-          "expected MCP config in docker js scan",
+          "expected MCP config in ai-inventory audit-category js scan",
+        );
+        assert.ok(
+          (auditAliasJsBomJson.services || []).some(
+            (service) =>
+              service.name === "releaseDocs" &&
+              getProp(service, "cdx:mcp:inventorySource") === "config-file",
+          ),
+          "expected MCP config service in ai-inventory audit-category js scan",
         );
 
-        const exactAiSkillOptions = {
+        const auditAgentJsOptions = {
           ...baseOptions,
-          projectType: ["ai-skill"],
+          bomAuditCategories: "ai-agent",
+          projectType: ["js"],
         };
-        const aiSkillBomJson = postProcess(
-          await createBom(tmpDir, exactAiSkillOptions),
-          exactAiSkillOptions,
+        const auditAgentJsBomJson = postProcess(
+          await createBom(tmpDir, auditAgentJsOptions),
+          auditAgentJsOptions,
           tmpDir,
         ).bomJson;
         assert.ok(
-          (aiSkillBomJson.components || []).some(
+          (auditAgentJsBomJson.components || []).some(
             (component) =>
-              component.name === "CLAUDE.md" &&
-              getProp(component, "cdx:file:kind") === "agent-instructions",
+              getProp(component, "cdx:file:kind") === "skill-file" &&
+              getProp(component, "cdx:skill:name") === "release",
           ),
-          "expected CLAUDE.md in exact ai-skill scan",
+          "expected skill file in ai-agent audit-category js scan",
         );
         assert.ok(
-          !(aiSkillBomJson.components || []).some(
+          !(auditAgentJsBomJson.components || []).some(
             (component) => getProp(component, "cdx:file:kind") === "mcp-config",
           ),
-          "did not expect MCP configs in exact ai-skill scan",
+          "did not expect MCP config in ai-agent audit-category js scan",
         );
 
         const filteredOptions = {
           ...baseOptions,
           excludeType: ["ai-skill", "mcp"],
-          projectType: ["js"],
+          projectType: ["js", "ai-skill", "mcp"],
         };
         const filteredBomJson = postProcess(
           await createBom(tmpDir, filteredOptions),
@@ -1654,29 +2826,114 @@ checksum = "${"a".repeat(64)}"
           tmpDir,
         ).bomJson;
         assert.ok(
-          (pyBomJson.components || []).some(
+          !(pyBomJson.components || []).some((component) =>
+            ["agent-instructions", "mcp-config", "skill-file"].includes(
+              getProp(component, "cdx:file:kind"),
+            ),
+          ),
+          "did not expect AI inventory components in python scan without opt-in",
+        );
+        assert.ok(
+          !(pyBomJson.services || []).some((service) =>
+            service.properties?.some((property) =>
+              property.name.startsWith("cdx:mcp:"),
+            ),
+          ),
+          "did not expect MCP services in python scan without opt-in",
+        );
+
+        const optedInPyOptions = {
+          ...baseOptions,
+          projectType: ["py", "ai-skill", "mcp"],
+        };
+        const optedInPyBomJson = postProcess(
+          await createPythonBom(tmpDir, optedInPyOptions),
+          optedInPyOptions,
+          tmpDir,
+        ).bomJson;
+        assert.ok(
+          (optedInPyBomJson.components || []).some(
             (component) =>
               getProp(component, "cdx:file:kind") === "skill-file" &&
               getProp(component, "cdx:skill:name") === "release",
           ),
-          "expected skill file in python scan",
+          "expected skill file in opted-in python scan",
         );
         assert.ok(
-          (pyBomJson.components || []).some(
+          (optedInPyBomJson.components || []).some(
             (component) => getProp(component, "cdx:file:kind") === "mcp-config",
           ),
-          "expected MCP config in python scan",
+          "expected MCP config in opted-in python scan",
+        );
+        assert.ok(
+          (optedInPyBomJson.services || []).some(
+            (service) =>
+              service.name === "python-release-docs" &&
+              getProp(service, "cdx:mcp:inventorySource") ===
+                "source-code-analysis",
+          ),
+          "expected Python MCP service in opted-in python scan",
         );
+
+        const auditMcpPyOptions = {
+          ...baseOptions,
+          bomAuditCategories: "mcp-server",
+          projectType: ["py"],
+        };
+        const auditMcpPyBomJson = postProcess(
+          await createPythonBom(tmpDir, auditMcpPyOptions),
+          auditMcpPyOptions,
+          tmpDir,
+        ).bomJson;
         assert.ok(
-          (pyBomJson.services || []).some(
+          (auditMcpPyBomJson.services || []).some(
             (service) =>
               service.name === "python-release-docs" &&
               getProp(service, "cdx:mcp:inventorySource") ===
                 "source-code-analysis",
           ),
-          "expected Python MCP service in python scan",
+          "expected Python MCP service in mcp-server audit-category scan",
+        );
+        assert.ok(
+          !(auditMcpPyBomJson.components || []).some(
+            (component) => getProp(component, "cdx:file:kind") === "skill-file",
+          ),
+          "did not expect skill file in mcp-server audit-category python scan",
+        );
+      } finally {
+        rmSync(tmpDir, { force: true, recursive: true });
+      }
+    });
+
+    it("does not trace an npm registry config read when opening .npmrc fails", async () => {
+      const tmpDir = mkdtempSync(join(tmpdir(), "cdxgen-npmrc-read-fail-"));
+      writeFileSync(
+        join(tmpDir, "package.json"),
+        JSON.stringify({
+          name: "npmrc-read-fail",
+          version: "1.0.0",
+        }),
+      );
+      mkdirSync(join(tmpDir, ".npmrc"), { recursive: true });
+      setDryRunMode(true);
+      resetRecordedActivities();
+      try {
+        await assert.rejects(() =>
+          createNodejsBom(tmpDir, {
+            installDeps: true,
+            multiProject: false,
+            projectType: ["npm"],
+          }),
+        );
+        const readActivities = getRecordedActivities().filter(
+          (activity) =>
+            activity.kind === "read" &&
+            activity.target === join(tmpDir, ".npmrc"),
         );
+        assert.deepStrictEqual(readActivities, []);
       } finally {
+        setDryRunMode(false);
+        resetRecordedActivities();
         rmSync(tmpDir, { force: true, recursive: true });
       }
     });