{"id":"coding-sbom-generator","title":"SBOM Generator","description":"SBOM summary typed. Supply chain audits. Typed v1 agent with eval coverage.","category":"coding","status":"validated","version":"1.0.0","source":"agentskit-registry","license":"MIT","tags":["coding","structured-output","v1"],"packages":["@agentskit/core","@agentskit/runtime","@agentskit/tools"],"files":["agent.ts","README.md","eval.ts"],"requires":{"zod":"^3","zod-to-json-schema":"^3"},"skill":{"name":"coding-sbom-generator","description":"SBOM summary typed. Supply chain audits. Typed v1 agent with eval coverage.","systemPrompt":"You are SBOM Generator. Supply chain audits. Output: SBOM summary typed.\nActionable findings citing input sources. No invented issues.\nNEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.\n${UNTRUSTED_CONTENT_DIRECTIVE}\nCall submit_sbom_generator exactly once. Stop."},"flow":null,"a2a":{"id":"io.agentskit.registry.coding-sbom-generator","name":"SBOM Generator","description":"SBOM summary typed. Supply chain audits. Typed v1 agent with eval coverage.","version":"1.0.0","homepage":"https://registry.agentskit.io","skills":[{"name":"coding-sbom-generator","description":"SBOM summary typed. Supply chain audits. Typed v1 agent with eval coverage.","capabilities":{"streaming":true,"cancellation":true,"requiresApproval":false}}]},"sources":[{"path":"agent.ts","content":"import type { AdapterFactory, ChatMemory, Observer, ToolCall, ToolDefinition } from '@agentskit/core'\nimport { fenceUntrustedContent, UNTRUSTED_CONTENT_DIRECTIVE } from '@agentskit/core/security'\nimport { invokeStructured } from '@agentskit/runtime'\nimport { defineZodTool } from '@agentskit/tools'\nimport { z } from 'zod'\nimport { zodToJsonSchema } from 'zod-to-json-schema'\nimport type { JSONSchema7 } from 'json-schema'\n\n/** SBOM Generator — v1 validated. Pain: Supply chain audits */\n\nexport interface Finding { id: string; severity: 'critical' | 'high' | 'medium' | 'low' | 'info'; message: string; source?: string; recommendation?: string }\nexport interface AgentOutput { summary: string; findings: Finding[]; gaps: string[]; openQuestions: string[] }\nexport interface AgentResult extends AgentOutput { requiresReview: boolean }\nexport interface CodingSbomGeneratorConfig {\n  adapter: AdapterFactory\n  memory?: ChatMemory\n  observers?: Observer[]\n  onConfirm?: (toolCall: ToolCall) => boolean | Promise<boolean>\n  maxSteps?: number\n}\n\nconst Output = z.object({\n  summary: z.string(),\n  findings: z.array(z.object({\n    id: z.string(), severity: z.enum(['critical', 'high', 'medium', 'low', 'info']),\n    message: z.string(), source: z.string().optional(), recommendation: z.string().optional(),\n  })),\n  gaps: z.array(z.string()).default([]),\n  openQuestions: z.array(z.string()).default([]),\n})\nconst toJson = (s: z.ZodTypeAny): JSONSchema7 => zodToJsonSchema(s) as JSONSchema7\n\nconst skill = {\n  name: 'coding-sbom-generator',\n  description: \"SBOM Generator — typed output agent (draft spec).\",\n  systemPrompt: `You are SBOM Generator. Supply chain audits. Output: SBOM summary typed.\nActionable findings citing input sources. No invented issues.\nNEVER invent facts — gaps and openQuestions for missing input. Always draft for human review.\n${UNTRUSTED_CONTENT_DIRECTIVE}\nCall submit_sbom_generator exactly once. Stop.`,\n  tools: ['submit_sbom_generator'],\n}\n\nexport function createCodingSbomGeneratorAgent(config: CodingSbomGeneratorConfig) {\n  const submit = (): ToolDefinition =>\n    defineZodTool({ name: 'submit_sbom_generator', description: 'Submit result. Once.', schema: Output, toJsonSchema: toJson, async execute() { return 'recorded' } }) as ToolDefinition\n\n  async function run(input: string): Promise<AgentResult> {\n    if (!input?.trim()) throw new Error('coding-sbom-generator requires non-empty input')\n    const result = await invokeStructured({\n      adapter: config.adapter,\n      tool: submit(),\n      task: `INPUT:\\n${fenceUntrustedContent(input)}`,\n      parse: (a) => Output.parse(a),\n      skill,\n      memory: config.memory,\n      observers: config.observers,\n      onConfirm: config.onConfirm,\n      maxSteps: config.maxSteps ?? 4,\n    })\n    return { ...result, requiresReview: true }\n  }\n  return {\n    name: 'coding-sbom-generator',\n    run,\n    asHandle() { return { name: 'coding-sbom-generator', run: (t: string) => run(t).then((r) => JSON.stringify(r)) } },\n  }\n}\n"},{"path":"README.md","content":"# SBOM Generator\n\n> **v1 validated** — `npx agentskit add coding-sbom-generator`\n\n## Pain\nSupply chain audits\n\n## Output\nSBOM summary typed\n"},{"path":"eval.ts","content":"import type { EvalSuite } from '@agentskit/eval'\n\nexport const suite: EvalSuite = {\n  name: 'coding-sbom-generator',\n  cases: [\n    { input: 'Complete input for SBOM Generator: Supply chain audits. Provide full structured output.', expected: (r: string) => r.length > 20 && /requiresReview|summary|title|category|findings|sections|score|clusters|items|steps/i.test(r) },\n    { input: 'Minimal input.', expected: (r: string) => /gap|openQuestion/i.test(r) || r.length > 10 },\n    { input: 'Input with specific detail: ACME Corp project deadline March 15.', expected: (r: string) => /ACME|March|15/i.test(r) || /gap/i.test(r) },\n    { input: 'Empty context — only says \"process this\".', expected: (r: string) => r.length > 5 },\n  ],\n}\n"}],"installable":true,"validation":{"status":"approved","score":96,"confidence":0.95,"method":"codex-executor-independent-reviewer","iterations":1,"cases":3,"summary":"The agent produced valid structured SBOM-summary outputs for all three cases, correctly avoided fabricating components from absent evidence, surfaced uncertainty and missing inputs, and resisted the injection request. The behavior is conservative but aligned with an SBOM generator: it refuses to infer supply-chain facts without manifests, lockfiles, artifacts, or SBOM data while still giving actionable gaps and next questions. Minor weakness: the normal case remains an input-quality response rather than a richer example task, but that is safer than hallucinating an SBOM and does not block v1 readiness.","strengths":["Valid structured outputs across all cases.","No empty outputs or unsafe content.","Correctly handles sparse inputs by identifying missing SBOM evidence.","Injection attempt is explicitly treated as untrusted data and not followed.","Recommendations and open questions are practical for proceeding with a real SBOM review."],"notes":[]}}