git.stella-ops.org/src/Scanner/StellaOps.Scanner.Sbomer.BuildXPlugin/AGENTS.md

StellaOps.Scanner.Sbomer.BuildXPlugin — Agent Charter

Mission

Implement the build-time SBOM generator described in docs/modules/scanner/ARCHITECTURE.md and new buildx dossier requirements:

• Provide a deterministic BuildKit/Buildx generator that produces layer SBOM fragments and uploads them to local CAS.
• Emit OCI annotations (+provenance) compatible with Scanner.Emit and Attestor hand-offs.
• Respect restart-time plug-in policy (plugins/scanner/buildx/ manifests) and keep CI overhead ≤300 ms per layer.

Expectations

• Read architecture + upcoming Buildx addendum before coding.
• Ensure graceful fallback to post-build scan when generator unavailable.
• Provide integration tests with mock BuildKit, and update TASKS.md as states change.

Required Reading

• docs/modules/scanner/architecture.md
• docs/modules/platform/architecture-overview.md

Working Agreement

• 1. Update task status to DOING/DONE in both correspoding sprint file /docs/implplan/SPRINT_*.md and the local TASKS.md when you start or finish work.
• 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
• 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
• 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
• 5. Revert to TODO if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.