# Diagrams — SDD-B07: Agent SBOM and Supply Chain Assessment

**Module**: SDD-B07 — Agent SBOM and Supply Chain Assessment
**Diagram count**: 5
**Tool**: Mermaid (primary). Each diagram validated in [Mermaid Live Editor](https://mermaid.live).

---

## Diagram 1 — The SBOM-to-AI-BOM Extension

**Type**: Comparison / extension
**Purpose**: The foundational visual. A Software Bill of Materials enumerates the components in a compiled binary — the dependencies, the libraries, the build toolchain. An AI Bill of Materials extends this to enumerate the components of an agent: the model, the training data, the tools, the MCP servers, and the harness. Every added component is a trust dependency an attacker can reach. The AI BOM is not "an SBOM plus a model name" — it is the inventory of the agent's entire trust graph.
**Reading the diagram**: Left column is the software SBOM (the solved problem). Right column is the AI BOM extension (the AI-specific additions). The arrow shows the extension: the model, the data, the tools, the MCP servers join the software components as declared inventory.

```mermaid
flowchart LR
  subgraph SBOM["SOFTWARE SBOM (the solved problem)"]
    direction TB
    S1["libraries & frameworks<br/>(npm, pip, maven deps)"]:::teal
    S2["application code<br/>(the harness, the orchestration)"]:::teal
    S3["build toolchain<br/>(compilers, runtimes)"]:::teal
    S4["container / package<br/>(the deployable artifact)"]:::teal
  end

  subgraph AIBOM["AI BOM EXTENSION (the added trust dependencies)"]
    direction TB
    A1["MODEL components<br/>base model · checkpoint hash<br/>fine-tune adapters · quantization<br/>inference runtime"]:::warn
    A2["DATA components<br/>training corpora & provenance<br/>evaluation sets<br/>retrieval-store contents"]:::warn
    A3["TOOL & MCP components<br/>every function-call tool<br/>every MCP server connected<br/>identity · transport · supplier"]:::danger
    A4["HARNESS & governance<br/>agent framework version<br/>sandbox implementation<br/>the governance layer itself"]:::warn
  end

  SBOM ====>"EXTENDS"|AIBOM

  LOAD["THE LOAD-BEARING INSIGHT<br/>every component in the AI BOM<br/>is a TRUST DEPENDENCY<br/>an attacker can REACH"]:::danger
  AIBOM -.-> LOAD

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style SBOM fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
  style AIBOM fill:#0d0d14,stroke:#f0a868,stroke-width:1px,color:#e4e4e8
  style LOAD fill:#101018,stroke:#f08080,color:#f08080
```

> **Note**: The model is reachable via the prompt channel (SDD-B03). The tools are reachable via tool-call manipulation. The MCP servers are reachable via the agent's outbound connections and via the servers' own attack surface. The training data is reachable retroactively via data-poisoning. A component not in the BOM is a surface not assessed — the agent equivalent of an unknown transitive dependency.

---

## Diagram 2 — The Agent's Trust Graph: Supply Chain = Attack Surface

**Type**: Trust graph / surface map
**Purpose**: B4's central claim that the agent's trust surfaces are the attack surface, realized as a graph. The AI BOM is the inventory of the nodes; the supply chain is the graph of trust relationships. Every node is a component; every edge is a trust relationship an attacker can exploit. This is why the AI BOM maps directly to B4's trust-surface map.
**Reading the diagram**: The model is at the center. Every arrow is a trust edge. The red nodes are the AI-BOM-specific components (tools, MCP servers, data) — the reachable, manipulable surface. An undeclared node is an un-assessed node.

```mermaid
flowchart TB
  MODEL["THE MODEL<br/>(base + fine-tune + quantization)<br/>reachable via the PROMPT channel"]:::warn

  TOOLS["FUNCTION-CALL TOOLS<br/>each tool = a trust node<br/>reachable via tool-call manipulation"]:::danger
  MCP["MCP SERVERS<br/>each server = a trust node<br/>indirect-injection source (SDD-B03)<br/>+ the server's own attack surface"]:::danger
  RETRIEVAL["RETRIEVAL STORE<br/>data-leak surface<br/>data-poisoning surface"]:::danger
  DATA["TRAINING DATA<br/>provenance · licensing<br/>retroactive poisoning surface"]:::danger

  HARNESS["THE HARNESS<br/>(governance layer: B0, SDD-B04/05)<br/>traditional SBOM components<br/>+ the security-critical version"]:::teal
  RUNTIME["INFERENCE RUNTIME<br/>(vLLM · llama.cpp · TGI)<br/>traditional vuln surface"]:::teal

  MODEL -->|"trusts output of"| TOOLS
  MODEL -->|"trusts responses from"| MCP
  MODEL -->|"trusts"| RETRIEVAL
  MODEL -.->|"shaped by"| DATA
  HARNESS -->|"orchestrates"| MODEL
  RUNTIME -->|"executes"| MODEL

  UNDECLARED["UNDECLARED NODE = UN-ASSESSED NODE<br/>a tool / MCP server / model version<br/>the agent uses at runtime<br/>but the AI BOM does not declare<br/>= the agent equivalent of an<br/>unknown transitive dependency"]:::danger
  MCP -.-> UNDECLARED

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style MODEL fill:#101018,stroke:#f0a868,color:#e4e4e8
  style UNDECLARED fill:#101018,stroke:#f08080,color:#f08080
```

> **Note**: The AI BOM is the input to two assessments: the vulnerability scan (do any components have known issues?) and the trust-graph assessment (can any node be reached and manipulated?). For an agent, the trust-graph assessment is the one that matters — the attack is not always a CVE; it is often a functional MCP server that returns attacker-influenced content the agent trusts.

---

## Diagram 3 — Generation and Validation Pipeline

**Type**: Pipeline / CI flow
**Purpose**: How an AI BOM is produced and checked in a mature deployment. The software components are generated by existing SBOM tooling (Syft, cdxgen). The AI components (model, data, tools, MCP) are generated from the agent's config-as-code. Validation compares the BOM against the runtime and runs four checks: completeness, version drift, provenance, vulnerability/policy. A finding gates the deployment.
**Reading the diagram**: Top half is generation (CI). Bottom half is validation (continuous). The validation checks produce findings (undeclared component, drift, un-attested, policy violation) that gate deployment.

```mermaid
flowchart TB
  subgraph GEN["GENERATION (in CI)"]
    direction TB
    CONFIG["AGENT CONFIG-AS-CODE<br/>model id · tool list · MCP registry<br/>fine-tune records · data refs"]:::teal
    SWTOOL["SBOM TOOLING<br/>Syft · cdxgen · build plugins<br/>(the solved software part)"]:::teal
    AITOOL["AI-COMPONENT EXTRACTOR<br/>model card · data card<br/>MCP server registry → components<br/>(the semi-manual AI part)"]:::warn
    BOM["THE AI BOM (CycloneDX JSON)<br/>software + model + data + tools + MCP"]:::teal
    CONFIG --> SWTOOL --> BOM
    CONFIG --> AITOOL --> BOM
  end

  subgraph VAL["VALIDATION (continuous, on every deploy)"]
    direction TB
    RUNTIME["RUNTIME SNAPSHOT<br/>resolved model version<br/>registered tools · connected MCP servers"]:::warn
    C1["1. COMPLETENESS<br/>BOM vs runtime → undeclared?"]:::danger
    C2["2. VERSION DRIFT<br/>pinned vs resolved → mismatch?"]:::danger
    C3["3. PROVENANCE<br/>SLSA attestation · signatures?"]:::danger
    C4["4. VULN / POLICY<br/>CVEs · un-approved supplier?"]:::danger
    RUNTIME --> C1 & C2 & C3 & C4
  end

  BOM -->|"validate against"| RUNTIME
  C1 & C2 & C3 & C4 -->|"finding →"| GATE["DEPLOYMENT GATE<br/>a finding blocks the deploy<br/>(the assessed agent must = deployed agent)"]:::danger

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style GEN fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
  style VAL fill:#0d0d14,stroke:#f08080,stroke-width:1px,color:#e4e4e8
  style GATE fill:#101018,stroke:#f08080,color:#f08080
```

> **Note**: Validation is continuous, not one-time. A production agent that updates its model, adds a tool, or connects to a new MCP server changes its AI BOM. The CI pipeline regenerates the BOM, validation runs, and a drift or undeclared component gates the deployment. This is the agent-specific realization of SLSA's continuous-verification principle — the BOM that drifted from the runtime is worse than no BOM, because it gives false confidence.

---

## Diagram 4 — The Undeclared-Component Finding

**Type**: Finding classification
**Purpose**: The highest-value supply-chain finding: a component the agent uses at runtime but the AI BOM does not declare. Found by three methods (runtime diff, network observation, behavioral inference). Severity scales with reachability. This is the agent equivalent of the unknown transitive dependency that made log4j damaging.
**Reading the diagram**: Three discovery methods feed the finding. Severity is proportional to how often the agent reaches the undeclared component. An undeclared MCP server contacted every turn is critical; an undeclared tool with limited invocation is lower-severity but still a governance gap.

```mermaid
flowchart TB
  DELTA["THE DELTA<br/>runtime uses a component<br/>the AI BOM does not declare"]:::danger

  subgraph METHODS["DISCOVERY METHODS"]
    direction TB
    M1["RUNTIME CONFIG DIFF<br/>sandbox-start the agent<br/>log every tool / MCP / model loaded<br/>diff against the BOM"]:::teal
    M2["NETWORK OBSERVATION DIFF<br/>observe outbound connections<br/>(MCP servers, model endpoints)<br/>compare to declared external refs"]:::teal
    M3["BEHAVIORAL INFERENCE (black-box)<br/>prompt agent to enumerate tools<br/>observe called services<br/>infer model from outputs"]:::warn
  end

  DELTA --> METHODS

  SEV{"SEVERITY = reachability"}
  CRIT["CRITICAL<br/>undeclared MCP server<br/>contacted EVERY turn<br/>= un-assessed injection source (SDD-B03)"]:::danger
  HIGH["HIGH<br/>undeclared model version<br/>(model-version drift)<br/>assessed agent ≠ deployed agent"]:::danger
  MED["MEDIUM<br/>undeclared tool<br/>limited invocation<br/>still a governance gap (B11)"]:::warn

  METHODS --> SEV
  SEV -->|"every-turn reach"| CRIT
  SEV -->|"version mismatch"| HIGH
  SEV -->|"limited reach"| MED

  LESSON["THE LESSON<br/>log4j was a failure of INVENTORY, not patching<br/>an undeclared component is the agent equivalent<br/>nobody assessed it because nobody knew it was there"]:::warn
  CRIT & HIGH & MED -.-> LESSON

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style DELTA fill:#101018,stroke:#f08080,color:#f08080
  style METHODS fill:#0d0d14,stroke:#5eead4,stroke-width:1px,color:#e4e4e8
  style SEV fill:#101018,stroke:#f0a868,color:#e4e4e8
```

> **Note**: For a black-box target where the runtime is not observable, behavioral inference is noisier but produces findings when the deployer's BOM and the runtime diverge. The recon technique (prompting the agent to enumerate its tools) is borrowed from SDD-B06's context-reconnaissance query — the deployed context, including its undeclared components, is observable through behavior.

---

## Diagram 5 — The AI BOM as the Bridge: B4 (Surfaces) to B11 (Governance)

**Type**: Integration / bridge
**Purpose**: The AI BOM is the shared inventory that makes B4's trust surfaces and B11's governance operable. B4's trust-surface map is populated by the BOM's components. B11's governance inventory is the BOM plus ownership and policy metadata. For incident response (B0), the BOM is the blast-radius input. A deployer who cannot produce an AI BOM cannot scope an incident, report it accurately, or determine which other agents share a vulnerable component.
**Reading the diagram**: The AI BOM is the center. It feeds three consumers: B4's trust-surface map (the attack assessment), B11's governance inventory (ownership and policy), and B0's incident response (the blast-radius input). The arrow at the top is the first finding: no BOM = cannot answer "what is in your agent?"

```mermaid
flowchart TB
  FIRST["THE FIRST QUESTION<br/>'what is in your agent?'<br/>→ the answer is the AI BOM<br/>(no BOM = the first finding)"]:::warn

  BOM["THE AI BOM<br/>(CycloneDX / SPDX)<br/>model · data · tools · MCP · harness<br/>version-pinned · attested · validated vs runtime"]:::teal

  FIRST --> BOM

  BOM --> B4["B4 — TRUST-SURFACE MAP<br/>each BOM component = a trust node<br/>tools → function-call surface (SDD-B04)<br/>MCP → injection surface (SDD-B03)<br/>model → refusal target (SDD-B06)<br/>retrieval → data-leak surface"]:::teal

  BOM --> B11["B11 — GOVERNANCE INVENTORY<br/>BOM + ownership + policy metadata<br/>who owns each component<br/>what policy governs it<br/>when it was last assessed"]:::teal

  BOM --> B0["B0 — INCIDENT RESPONSE<br/>'what was in the blast radius?'<br/>= the validated BOM<br/>cannot scope / report / correlate<br/>without it"]:::danger

  ENGAGEMENT["THE ENGAGEMENT SCOPE<br/>the AI BOM IS the scope input<br/>without it, the red-team tests<br/>an unknown surface"]:::warn
  BOM -.-> ENGAGEMENT

  classDef teal fill:#14141f,stroke:#5eead4,stroke-width:1.5px,color:#e4e4e8
  classDef warn fill:#14141f,stroke:#f0a868,stroke-width:1.5px,color:#e4e4e8
  classDef danger fill:#14141f,stroke:#f08080,stroke-width:1.5px,color:#f08080
  style BOM fill:#101018,stroke:#5eead4,color:#5eead4
  style FIRST fill:#101018,stroke:#f0a868,color:#e4e4e8
  style ENGAGEMENT fill:#101018,stroke:#f0a868,color:#e4e4e8
```

> **Note**: The AI BOM is not a documentation artifact; it is the operational inventory. Governance governs what the BOM declares. Procurement vets what the BOM declares. Incident response scopes what the BOM declares. A component not in the BOM is outside all three processes — which is precisely why an undeclared component is a finding, not a formatting oversight.
