sbom-generate
Install: claude install-skill bakw00ds/yakos
# SBOM Generate
## Purpose
Generate a Software Bill of Materials (SBOM) for the project's
locked dependency set in CycloneDX 1.6 or SPDX 3.0 format. Primary
consumers: `supply-chain-auditor` (verifies completeness) and
`release-manager` (attaches to releases). Required for compliance
with US Executive Order 14028, EU CRA Annex VII, and most
enterprise procurement / vendor-risk programs.
## Scope
- Reads the project's lockfile and emits a complete SBOM covering
direct + transitive dependencies, with versions, package URLs
(purls), license declarations, and supplier metadata where
available.
- Supports CycloneDX 1.6 (preferred for vuln-correlation tooling)
and SPDX 3.0 (preferred for procurement / SPDX-mandated workflows).
- Optionally includes a VEX (Vulnerability Exploitability eXchange)
document inline, sourced from the `cve-triage` skill's output.
- Signs the SBOM if a signing key is configured; emits an
in-toto-style attestation otherwise.
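The lockfile-to-SBOM flow the scope describes, as an added example that is not part of this skill or the yakos project: a Python script that reads an npm lockfileVersion-3 `package-lock.json`, derives purls, resolves nested `node_modules` copies into a dependency graph, emits CycloneDX 1.6 JSON, runs the completeness check an auditor would apply, and wraps the result in an unsigned in-toto Statement (the signing step itself is left out). The sample lockfile, package names and versions are constructed, not taken from any real project; the predicate type `https://cyclonedx.org/bom` is the one cosign uses for its cyclonedx attestation type.

```python
import hashlib
import json
import uuid
from datetime import datetime, timezone

# Constructed sample lockfile, shaped like an npm lockfileVersion-3 file:
# "packages" is keyed by install path, "" being the project itself. Two copies
# of `debug` are installed (2.6.9 nested under express, 4.3.4 at top level)
# and `jest` is dev-only. Not taken from any real project.
SAMPLE_LOCK = {
    "lockfileVersion": 3,
    "packages": {
        "": {"name": "example-app", "version": "2.0.0",
             "dependencies": {"express": "^4.19.0", "@scope/util": "^1.0.0"},
             "devDependencies": {"jest": "^29.0.0"}},
        "node_modules/express": {"version": "4.19.2", "license": "MIT",
                                 "dependencies": {"debug": "2.6.9"}},
        "node_modules/express/node_modules/debug": {"version": "2.6.9", "license": "MIT"},
        "node_modules/debug": {"version": "4.3.4", "license": "MIT"},
        "node_modules/@scope/util": {"version": "1.0.0", "license": "Apache-2.0",
                                     "dependencies": {"debug": "^4.0.0"}},
        "node_modules/jest": {"version": "29.7.0", "dev": True, "license": "MIT"},
    },
}


def path_to_name(path):
    """'node_modules/a/node_modules/@s/b' -> '@s/b'."""
    return path.rsplit("node_modules/", 1)[1]


def npm_purl(name, version):
    """Package URL for an npm package; a scope's '@' is percent-encoded per the purl spec."""
    if name.startswith("@"):
        scope, bare = name[1:].split("/", 1)
        return f"pkg:npm/%40{scope}/{bare}@{version}"
    return f"pkg:npm/{name}@{version}"


def resolve(packages, from_path, dep_name):
    """Mimic Node resolution: the dependant's own node_modules first, then walk upward."""
    base = from_path
    while True:
        candidate = f"{base}/node_modules/{dep_name}" if base else f"node_modules/{dep_name}"
        if candidate in packages:
            return candidate
        if not base:
            return None  # dependency declared but not installed: the auditor's check will flag it
        base = base[: base.rfind("node_modules/")].rstrip("/")


def build_sbom(lock, include_dev=False):
    """CycloneDX 1.6 document: one component per installed name+version (deduplicated
    by purl) plus the full dependency graph rooted at the project itself."""
    packages = lock["packages"]
    root = packages[""]
    root_ref = npm_purl(root["name"], root["version"])
    refs, components, graph = {"": root_ref}, {}, {}
    for path, meta in packages.items():
        if path == "" or (meta.get("dev") and not include_dev):
            continue
        name = path_to_name(path)
        ref = refs[path] = npm_purl(name, meta["version"])
        if ref not in components:
            comp = {"type": "library", "bom-ref": ref, "name": name,
                    "version": meta["version"], "purl": ref}
            if "license" in meta:
                comp["licenses"] = [{"license": {"id": meta["license"]}}]
            components[ref] = comp
    for path, ref in refs.items():
        wanted = dict(packages[path].get("dependencies", {}))
        if path == "" and include_dev:
            wanted.update(packages[path].get("devDependencies", {}))
        targets = (resolve(packages, path, dep) for dep in wanted)
        graph.setdefault(ref, set()).update(refs[t] for t in targets if t in refs)
    return {
        "bomFormat": "CycloneDX",
        "specVersion": "1.6",
        "serialNumber": f"urn:uuid:{uuid.uuid4()}",
        "version": 1,
        "metadata": {
            "timestamp": datetime.now(timezone.utc).isoformat(timespec="seconds"),
            "component": {"type": "application", "bom-ref": root_ref, "name": root["name"],
                          "version": root["version"], "purl": root_ref},
        },
        "components": list(components.values()),
        "dependencies": [{"ref": r, "dependsOn": sorted(d)} for r, d in graph.items()],
    }


def unresolved_refs(sbom):
    """Completeness check an auditor runs: every edge must point at a declared component."""
    declared = {c["bom-ref"] for c in sbom["components"]}
    declared.add(sbom["metadata"]["component"]["bom-ref"])
    return sorted({r for d in sbom["dependencies"] for r in d["dependsOn"]} - declared)


def attestation_statement(sbom, artifact_name, artifact_bytes):
    """Unsigned in-toto Statement v1 whose subject is the release artifact the SBOM describes."""
    return {
        "_type": "https://in-toto.io/Statement/v1",
        "subject": [{"name": artifact_name,
                     "digest": {"sha256": hashlib.sha256(artifact_bytes).hexdigest()}}],
        "predicateType": "https://cyclonedx.org/bom",
        "predicate": sbom,
    }


if __name__ == "__main__":
    bom = build_sbom(SAMPLE_LOCK)
    print(json.dumps(bom, indent=2))
    print("unresolved refs:", unresolved_refs(bom))
```

Passing `include_dev=True` is the switch for the dev-only tooling case: by default `jest` is dropped from both the component list and the root's `dependsOn`, matching the shipped-code-only scope. The two `debug` versions stay distinct components because their purls differ, which is what vulnerability-correlation tooling needs to match the nested 2.6.9 copy rather than only the top-level one.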
## When to use
- On every release, as part of the release artifacts.
- For customer / vendor-risk questionnaires that require an SBOM.
- For EO 14028 federal procurement disclosures.
- For EU CRA technical-documentation packages (mandatory from
Dec 2027 for products in scope).
- As an input to internal supply-chain-risk dashboards.
## When NOT to use
- For ad-hoc dep inspection — `npm ls --all` or `cargo tree` is
faster and human-readable.
- For non-shipped tooling (build scripts, dev-only tools) unless
the cons