prompt-bom

AI-BOM emitter — sign and verify SPDX-AI provenance for AI-assisted code

prompt-bom is a single-binary Rust CLI that walks a repository, attributes each AI-generated code hunk to its source (model, session, prompt hash), and emits a signed SPDX 2.3 + SPDX-AI extension JSON file. Designed for EU AI Act / EU CRA compliance and OSS provenance trust.

Why

AI-assisted code is now in production codebases everywhere, and there's no portable way to prove which lines came from which model with which prompt. SPDX-AI is the emerging standard. prompt-bom aims to be the first Rust CLI to emit and verify it.

Status

Pre-release scaffold (v0.0.1). No usable features yet — see milestones in repo.

Install

Once published:

cargo install prompt-bom

License

MIT — by @verepdev.

Name		Name	Last commit message	Last commit date
Latest commit History 6 Commits
.github/workflows		.github/workflows
src		src
tests		tests
.editorconfig		.editorconfig
.gitignore		.gitignore
.pre-commit-config.yaml		.pre-commit-config.yaml
Cargo.lock		Cargo.lock
Cargo.toml		Cargo.toml
LICENSE		LICENSE
README.md		README.md

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Repository files navigation

prompt-bom

Why

Status

Install

License

About

Uh oh!

Releases

Packages

Uh oh!

Contributors

Uh oh!

Languages

Folders and files

Latest commit

History

Repository files navigation

prompt-bom

Why

Status

Install

License

About

Topics

Resources

License

Uh oh!

Stars

Watchers

Forks

Releases

Packages 0

Uh oh!

Contributors

Uh oh!

Languages

Packages