
msaad00/agent-bom

v0.82.1 Breaking

This release is flagged as breaking; platform teams planning an upgrade should read the full changelog below before rolling it out.

✓ No known CVEs patched in this version

Topics

ai-agents ai-security ai-supply-chain aibom blast-radius cloud-security compliance container-security cyclonedx security kubernetes llm-security mcp mcp-server owasp sarif sbom security-scanner supply-chain-security vulnerability-scanning

Affected surfaces

auth rbac deps

Summary

AI summary

Fixes the Next 16 static-export regression in the dashboard that blocked the v0.82.0 release pipeline, so the release can publish.

Full changelog

What shipped in v0.82.1

v0.82.1 is the catch-up release that publishes everything between v0.81.3 and now (180 commits / 620 files / +42 449 / −4 041 LOC). v0.82.0 was a no-op tag marker: its release pipeline aborted on Build/dashboard because of a Next 16 static-export regression. v0.82.1 closes that regression and re-runs the publish path.

Hotfix that unblocked the release

  • Dashboard static export under Next 16: ui/app/graph/page.tsx declared export const dynamic = "force-dynamic", which demands per-request server rendering and is therefore incompatible with output: "export" (the release pipeline runs NEXT_EXPORT=1 npm run build). Replaced with the canonical next/dynamic({ ssr: false }) pattern, which skips server rendering for graph-page-client.tsx (it uses @xyflow/react and needs the DOM) and loads it in the browser instead. #2022

OpenSSF Scorecard regressions closed (#2024)

  • Dangerous-Workflow → 10/10: dependabot-ui-lockfile-normalize.yml now checks out the immutable head.sha instead of the mutable head.ref (a branch can be force-pushed between the trigger and the checkout; a commit SHA cannot change), and pushes back via an env-var refspec so the PR-author-controlled branch name never appears inside a shell body, where it would be expanded as shell syntax.
  • Token-Permissions → higher: the same workflow's top-level scope is now deny-all (permissions: {}), so every job starts with no token scopes and requests only the writes it needs at job level.
  • Vulnerabilities → higher: scanner test SBOM fixtures no longer surface as production findings; osv-scanner.toml now declares the fixture-only versions under [[PackageOverrides]] and the non-vulnerable fixture's requests pin is bumped to 2.33.1.
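Why the head.ref change above closes an injection, shown as an added example (not agent-bom code, and not taken from the workflow in #2024): GitHub Actions substitutes ${{ ... }} expressions into a run: body textually before the shell sees it, so a branch name chosen by a PR author becomes shell code; the same value passed through env: is read by the shell as a variable and stays a literal. The branch name and step bodies are constructed, and echo stands in for the real git push so this runs offline.

```python
"""Added example: inline ${{ github.event.pull_request.head.ref }} vs env-var passing."""
import os
import re
import subprocess

# Constructed attacker-controlled branch name. On pull_request / pull_request_target
# events the PR author picks head.ref, so it must be treated as untrusted input.
MALICIOUS_BRANCH = 'feature"; echo INJECTED; echo "'

# Expression expanded textually into the script before sh runs it (vulnerable).
UNSAFE_STEP = 'echo "refspec=HEAD:refs/heads/${{ github.event.pull_request.head.ref }}"'

# Same command, but the value arrives via env: and is read by the shell as a
# variable; its quotes and semicolons are data, not syntax (fixed form).
SAFE_STEP = 'echo "refspec=HEAD:refs/heads/$HEAD_REF"'

_EXPR = re.compile(r"\$\{\{\s*([\w.\-]+)\s*\}\}")

# github.event.* fields a PR author or commenter controls; expanding any of
# them inside a run: body is the pattern Scorecard's Dangerous-Workflow flags.
_UNTRUSTED = re.compile(
    r"\$\{\{\s*github\.event\.(?:pull_request|issue|comment|review|head_commit)\b"
)


def render_inline(step: str, ctx: dict[str, str]) -> str:
    """Mimic the runner: substitute every ${{ expr }} into the script text."""
    return _EXPR.sub(lambda m: ctx[m.group(1)], step)


def uses_untrusted_input(step: str) -> bool:
    """Lint: does this step body expand an untrusted event field inline?"""
    return _UNTRUSTED.search(step) is not None


def run_step(script: str, env: dict[str, str]) -> list[str]:
    """Execute a rendered step body under sh (as the runner does); return stdout lines."""
    proc = subprocess.run(
        ["sh", "-c", script],
        capture_output=True, text=True, check=False,
        env={**os.environ, **env},
    )
    return proc.stdout.splitlines()


def demo() -> tuple[list[str], list[str]]:
    """Run both forms against the malicious branch name and return their output."""
    ctx = {"github.event.pull_request.head.ref": MALICIOUS_BRANCH}
    unsafe_out = run_step(render_inline(UNSAFE_STEP, ctx), env={})
    safe_out = run_step(SAFE_STEP, env={"HEAD_REF": MALICIOUS_BRANCH})
    return unsafe_out, safe_out


if __name__ == "__main__":
    unsafe, safe = demo()
    print("inline expansion:", unsafe)  # the injected echo ran as a command
    print("env var         :", safe)    # the whole branch name stayed a literal
```

The lint regex is deliberately narrow: it catches the common untrusted fields, not every injectable context, so treat it as a pre-commit tripwire rather than a replacement for Scorecard. Pinning the checkout to head.sha is a separate fix for a separate problem (the ref moving after the event fired) and is not modelled here.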

Platform & enterprise

  • Multi-tenant + SCIM: SCIM 2.0 user/group provisioning (api/scim*.py, api/routes/scim.py); Postgres-backed per-tenant quota store; tenant resolution unified across CLI and MCP surfaces (#1990); cluster-safe shared auth state with advisory-lock fleet race fixes (#2011, #2012).
  • Secret rotation: customer rotation adapter evidence + lifecycle hooks (api/secret_lifecycle.py, api/secret_rotation_adapters.py) (#1950).
  • Backpressure & enterprise auth/egress: /v1/auth/policy now surfaces backpressure; auth middleware hardened; jitter + sandbox posture review on the runtime path (#1977, #1997).

Scanner & graph

  • Graph-walk dependency reachability engine — new graph/dependency_reach.py (#1896, #2009).
  • AI agent topology: GPU containers + k8s GPU clusters now promoted into the unified graph (#1979); static multi-agent topology edges (#1946); direct cloud_principal → agent MANAGES edge (#1996).
  • Multi-cloud agent correlation under strict triplet bar — Phase 1: AWS Bedrock (#1999); Phase 2: Azure OpenAI (#2000); Phase 3: GCP Vertex AI (#2001).
  • AI observability SDK inventory scanner (#1948).
  • Static / floating reference policy for vulnerable-pin detection (#1945).

CLI

  • New top-level samples group: agent-bom samples first-run writes a runnable AI-stack demo project (README + inventory.json + prompts/ + services/) for agents --inventory end-to-end testing.
  • agent-bom mesh defaults made explicit: machine-wide vs --project . for project-local discovery.

Frontend

  • Typed API error taxonomy + GET caching/dedup with prefix invalidation (#1988).
  • Dagre layout moved to a Web Worker: lib/dagre-layout.worker.ts + lib/use-dagre-layout.ts. Agent list virtualized via react-virtualized (#1955).
  • CSP hardened: removed unsafe-inline from script-src, so inline scripts must now be allow-listed by hash (see generate_ui_csp_hashes.py under CI gates); CSP centralized via lib/csp-source.mjs + lib/security-headers.mjs (#1982, #1985).
  • Stable MCP error envelope with codes/categories + API parity matrix (#1986).
  • New routes/components: app/global-error.tsx, app/loading.tsx, app/graph/graph-page-client.tsx.
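What dropping 'unsafe-inline' from script-src requires in practice, as an added example (not agent-bom code and not the project's generate_ui_csp_hashes.py): every inline script the page ships has to be allow-listed by a hash-source, which is base64(sha256) of the exact text between the script tags. The HTML below is constructed; the real header is whatever lib/security-headers.mjs emits.

```python
"""Added example: build a script-src that allows inline scripts by SHA-256 hash."""
import base64
import hashlib
import re

# Inline <script> blocks. The browser hashes the exact text between the tags,
# so the body is captured verbatim, whitespace included.
_INLINE_SCRIPT = re.compile(
    r"<script(?P<attrs>\s[^>]*)?>(?P<body>.*?)</script>", re.DOTALL | re.IGNORECASE
)

# Constructed page: one external script (allowed by 'self') and two inline ones.
SAMPLE_HTML = """<html><body>
<script src="/static/app.js"></script>
<script>window.__APP_CONFIG__ = {"apiBase": "/v1"};</script>
<script>document.documentElement.dataset.theme = "dark";</script>
</body></html>"""


def csp_script_hash(source: str) -> str:
    """CSP hash-source for an inline script: 'sha256-<base64 of sha256(UTF-8 bytes)>'."""
    digest = hashlib.sha256(source.encode("utf-8")).digest()
    return f"'sha256-{base64.b64encode(digest).decode('ascii')}'"


def extract_inline_scripts(html: str) -> list[str]:
    """Return the bodies of <script> elements that have no src attribute."""
    return [
        m.group("body")
        for m in _INLINE_SCRIPT.finditer(html)
        if not re.search(r"\bsrc\s*=", m.group("attrs") or "", re.IGNORECASE)
    ]


def build_script_src(html: str, hosts: tuple[str, ...] = ("'self'",)) -> str:
    """script-src directive: host sources plus one hash per inline script, no 'unsafe-inline'."""
    hashes = [csp_script_hash(body) for body in extract_inline_scripts(html)]
    return "script-src " + " ".join([*hosts, *hashes])


if __name__ == "__main__":
    print(build_script_src(SAMPLE_HTML))
```

Two caveats the hash approach carries: the hash is over the exact bytes, so a formatter, minifier or framework that rewrites the inline script (even adding a trailing newline) silently invalidates it, which is why a generator step belongs in CI; and hash-sources cover inline script elements only, not inline event handlers such as onclick=, which stay blocked unless 'unsafe-hashes' is added.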

Contracts (new public schemas)

contracts/v1/{audit-export,evidence,finding-feedback,fleet-snapshot,graph-export,scan-report}.schema.json — first-time machine-readable JSON Schemas auto-generated from Pydantic API models (#1963, #2007).

Deploy & ops

  • Vanilla EKS production preset (deploy/helm/agent-bom/examples/eks-vanilla-values.yaml) (#1951).
  • Postgres sizing docs + weekly scale-evidence regen workflow (perf-scale-evidence.yml) (#1978).
  • Docker base alignment to LTS + CI policy gate (#1983).
  • Compose healthcheck parity + Docker secrets for platform Postgres (#1984).
  • Air-gapped image bundle workflow (airgap-image-bundle.yml).
  • Postgres real-integration contract test (#1947).
  • AGENT_BOM_* env-var reference auto-generated from config.py with drift gate (#1981).

CI gates added

  • check_workflow_timeouts.py, check_docker_base_policy.py, check_duplicate_artifacts.py, check_product_surface_contract.py, check_scale_evidence.py.
  • generate_v1_schemas.py, generate_env_var_reference.py, generate_ui_csp_hashes.py, generate_accuracy_baseline.py.

Known issue (resolved in next patch)

  • agentbom/agent-bom-ui:0.82.1 Docker image was not published — the multi-arch Publish UI image job hit EBADPLATFORM on the arm64 leg because ui/Dockerfile hard-pinned lightningcss-linux-x64-gnu. The fix (TARGETARCH-aware install) lands in #2025 and will be cut as v0.82.2. Until then, the dashboard image stays at the previously published version. The Python package (pip install agent-bom==0.82.1), main Docker image (agentbom/agent-bom:0.82.1), and Helm chart (0.82.1) are all live and unaffected.

Install

# CLI / library
pip install agent-bom==0.82.1

# Docker (main scanner/API image)
docker pull agentbom/agent-bom:0.82.1

# Helm (control plane)
helm pull oci://registry.example/charts/agent-bom --version 0.82.1

Quick start

agent-bom samples first-run        # write a demo AI stack
agent-bom agents -p .              # scan project + agents/MCP context
agent-bom mesh                     # machine-wide topology
agent-bom doctor                   # readiness check

Verifying the release

  • PyPI: https://pypi.org/project/agent-bom/0.82.1/
  • Sigstore signature: distribution signed with cosign keyless signing; the Rekor transparency-log entry is visible via Sigstore search
  • SLSA v1.0 provenance: attached to PyPI artifacts and Docker Hub images
  • CycloneDX SBOM: published as a release asset on this page
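The checks that belong after cosign verify-attestation has accepted the signature on a SLSA v1 provenance, as an added example (not agent-bom code): confirm the statement actually names the artifact you downloaded and that it was produced by the builder you expect, since a valid signature on provenance for some other artifact or from some other builder proves nothing. The wheel bytes, file name and expected builder id are constructed stand-ins; the Sigstore signature check itself is cosign's job and is not repeated here.

```python
"""Added example: content checks on a SLSA v1 provenance statement after signature verification."""
import base64
import hashlib
import json

IN_TOTO_V1 = "https://in-toto.io/Statement/v1"
SLSA_V1 = "https://slsa.dev/provenance/v1"
DSSE_PAYLOAD_TYPE = "application/vnd.in-toto+json"

# Constructed artifact standing in for the real wheel; the digest is computed, not pasted.
ARTIFACT_NAME = "agent_bom-0.82.1-py3-none-any.whl"
ARTIFACT_BYTES = b"constructed wheel contents, not the real package\n"

# Hypothetical trusted builder identity. In practice pin the exact value seen in a
# known-good provenance of the project and treat any change as a red flag.
EXPECTED_BUILDER = "https://github.com/example-org/example-repo/.github/workflows/release.yml@refs/tags/v0.82.1"


def make_statement(name: str, blob: bytes, builder_id: str) -> dict:
    """Constructed SLSA v1 statement with the shape cosign hands back after decoding."""
    return {
        "_type": IN_TOTO_V1,
        "subject": [{"name": name, "digest": {"sha256": hashlib.sha256(blob).hexdigest()}}],
        "predicateType": SLSA_V1,
        "predicate": {
            "buildDefinition": {"buildType": "https://example.invalid/build-types/release/v1",
                                "externalParameters": {}},
            "runDetails": {"builder": {"id": builder_id}},
        },
    }


def make_envelope(statement: dict) -> dict:
    """Constructed DSSE envelope (signatures omitted); cosign verify-attestation prints this shape."""
    payload = json.dumps(statement, separators=(",", ":")).encode("utf-8")
    return {"payloadType": DSSE_PAYLOAD_TYPE,
            "payload": base64.b64encode(payload).decode("ascii"),
            "signatures": []}


def statement_from_envelope(envelope: dict) -> dict:
    """Decode the base64 payload of a DSSE envelope into the in-toto statement."""
    if envelope.get("payloadType") != DSSE_PAYLOAD_TYPE:
        raise ValueError(f"unexpected payloadType {envelope.get('payloadType')!r}")
    return json.loads(base64.b64decode(envelope["payload"]))


def check_provenance(statement: dict, artifact: bytes, expected_builder: str) -> list[str]:
    """Return problems found; an empty list means the provenance binds this artifact to the expected builder."""
    problems: list[str] = []
    if statement.get("_type") != IN_TOTO_V1:
        problems.append(f"unexpected statement type {statement.get('_type')!r}")
    if statement.get("predicateType") != SLSA_V1:
        problems.append(f"unexpected predicateType {statement.get('predicateType')!r}")
    # Subject binding: the artifact on disk must appear by digest, not just by name.
    digest = hashlib.sha256(artifact).hexdigest()
    subjects = statement.get("subject", [])
    if not any(s.get("digest", {}).get("sha256", "").lower() == digest for s in subjects):
        problems.append("no subject matches the artifact's sha256 digest")
    # Builder identity: a signed provenance from a different builder is still a failure.
    builder = (statement.get("predicate", {}).get("runDetails", {})
               .get("builder", {}).get("id"))
    if builder != expected_builder:
        problems.append(f"builder id {builder!r} != expected {expected_builder!r}")
    return problems


if __name__ == "__main__":
    envelope = make_envelope(make_statement(ARTIFACT_NAME, ARTIFACT_BYTES, EXPECTED_BUILDER))
    stmt = statement_from_envelope(envelope)
    print("ok" if not check_provenance(stmt, ARTIFACT_BYTES, EXPECTED_BUILDER)
          else check_provenance(stmt, ARTIFACT_BYTES, EXPECTED_BUILDER))
```

Run the same check against the SBOM-listed digest of the artifact as well: if the SBOM, the provenance subject and the file you installed disagree on a sha256, stop and investigate before trusting any of the three.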

Compare

v0.81.3...v0.82.1


About msaad00/agent-bom

AI supply chain security scanner with 18 MCP tools. Auto-discovers 20 MCP clients, scans dependencies for CVEs (OSV/NVD/EPSS/CISA KEV), maps blast radius from vulnerabilities to exposed credentials and tools, runs CIS benchmarks, generates CycloneDX/SPDX SBOMs, and enforces compliance across OWASP LLM Top 10, MITRE ATLAS, NIST AI RMF, and EU AI Act.
