SBOM DISCLOSURE / 03:00 UTC / PRESSURE LEDGER

sbom.day

A quiet day for opening the software manifest and reading every submerged obligation in the clear.

sha256: 7d5b-bill-of-materials
Sealed manifest surface
origin · package · license · risk · attestation

CHAPTER 01 · COMPONENT DESCENT

Every dependency has a depth, an origin, and a shadow.

Packages are preserved as thin slivers under glass: direct parts, transitive layers, bundled fragments, and the quiet coordinates that explain where each one entered the vessel.

pkg:npm/react@18.3.1 · direct
pkg:cargo/serde@1.0 · transitive
pkg:maven/logback@1.5 · pinned
pkg:pypi/urllib3@2.2 · observed
container layer / base · shadow

CHAPTER 02 · LICENSE CURRENT

Obligations move like currents through the assembled work.

The day of SBOM is not only inventory. It is a formal reading of terms: notice, reciprocity, attribution, export, stewardship, and the folded tags tied to each component.

SPDX: Apache-2.0
SPDX: MIT
SPDX: GPL-3.0-only
NOTICE REQUIRED

CHAPTER 03 · VULNERABILITY TRENCH

When the water clears, fractures become evidence.

Risk is marked sparingly: not as spectacle, but as pressure lines in the ledger where a component, version, path, and exploit condition intersect.

CVE-2026-0417 · reachable
fixed in observed branch
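The descent of Chapter 01 and the pressure lines of Chapter 03, worked as code. This is an added example, not sbom.day's own tooling: it reads manifest lines in the page's own "coordinate · relationship" layout, splits each package URL into type, namespace, name and version, and marks a finding wherever a component, its version and an advisory's fix boundary intersect. The advisory records are constructed with placeholder ids (ADV-EXAMPLE-*) rather than real CVEs, and the version comparison is a deliberately simple numeric key, not a full ecosystem-aware comparator.

```python
from __future__ import annotations

import re
from dataclasses import dataclass
from urllib.parse import unquote

# Manifest text in the page's layout: coordinate, " · ", relationship.
# Entries copied from Chapter 01; the container layer is not a purl.
MANIFEST = """\
pkg:npm/react@18.3.1 · direct
pkg:cargo/serde@1.0 · transitive
pkg:maven/logback@1.5 · pinned
pkg:pypi/urllib3@2.2 · observed
container layer / base · shadow
"""

# Constructed advisory records with placeholder ids (not real advisories).
# A component is affected when type and name match and its version is
# below `fixed_in`; `condition` is the exploit condition the ledger records.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-001", "type": "pypi", "name": "urllib3",
     "fixed_in": "2.3.0", "condition": "reachable"},
    {"id": "ADV-EXAMPLE-002", "type": "npm", "name": "react",
     "fixed_in": "18.0.0", "condition": "reachable"},
    {"id": "ADV-EXAMPLE-003", "type": "maven", "name": "logback",
     "fixed_in": "1.5.0", "condition": "requires untrusted config"},
]


@dataclass(frozen=True)
class Component:
    coordinate: str          # the purl, or the raw label for non-package material
    type: str                # purl type (npm, cargo, ...) or "layer"
    namespace: str | None
    name: str
    version: str | None
    relationship: str        # direct / transitive / pinned / observed / shadow


def parse_purl(purl: str) -> tuple[str, str | None, str, str | None]:
    """Split pkg:type/namespace/name@version?qualifiers#subpath into
    (type, namespace, name, version). Qualifiers and subpath are dropped;
    percent-encoded segments (e.g. scoped npm names) are decoded."""
    if not purl.startswith("pkg:"):
        raise ValueError(f"not a purl: {purl}")
    body = purl[len("pkg:"):].split("#", 1)[0].split("?", 1)[0]
    ptype, _, path = body.partition("/")
    if not ptype or not path:
        raise ValueError(f"malformed purl: {purl}")
    version = None
    if "@" in path:                     # '@' inside a namespace must be encoded
        path, version = path.rsplit("@", 1)
        version = unquote(version)
    segments = [unquote(s) for s in path.strip("/").split("/") if s]
    name = segments[-1]
    namespace = "/".join(segments[:-1]) or None
    return ptype.lower(), namespace, name, version


def parse_manifest(text: str) -> list[Component]:
    """Read the manifest layout; every line must carry a relationship tag."""
    components = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        coordinate, sep, relationship = line.rpartition(" · ")
        if not sep:
            raise ValueError(f"manifest line lacks a relationship tag: {line}")
        if coordinate.startswith("pkg:"):
            ptype, namespace, name, version = parse_purl(coordinate)
        else:
            # A base layer is inventoried too, but has no version to match on.
            ptype, namespace, name, version = "layer", None, coordinate, None
        components.append(Component(coordinate, ptype, namespace, name,
                                    version, relationship))
    return components


def version_key(version: str) -> tuple[int, ...]:
    """Simplified numeric key; non-numeric segments (rc, beta) count as 0."""
    return tuple(int(p) if p.isdigit() else 0
                 for p in re.split(r"[.\-+]", version))


def is_below(version: str, fixed_in: str) -> bool:
    """True when `version` precedes `fixed_in`; short keys pad with zeros,
    so 1.5 and 1.5.0 compare equal."""
    a, b = version_key(version), version_key(fixed_in)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) < b + (0,) * (width - len(b))


def mark_risk(components: list[Component], advisories: list[dict]) -> list[dict]:
    """One pressure line per component/advisory intersection."""
    findings = []
    for c in components:
        if c.version is None:
            continue
        for adv in advisories:
            if (adv["type"], adv["name"]) != (c.type, c.name):
                continue
            status = "affected" if is_below(c.version, adv["fixed_in"]) else "fixed"
            findings.append({"id": adv["id"], "purl": c.coordinate,
                             "relationship": c.relationship,
                             "condition": adv["condition"], "status": status})
    return findings


if __name__ == "__main__":
    for f in mark_risk(parse_manifest(MANIFEST), ADVISORIES):
        print(" · ".join([f["id"], f["purl"], f["relationship"],
                          f["condition"], f["status"]]))
```

Run as-is, the script prints three lines in the ledger's own notation: urllib3 at 2.2 is marked affected against the constructed 2.3.0 boundary, while react and logback print as fixed. The layer entry is kept in the inventory but never matched, which is the usual honest answer for material without a resolvable version.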

CHAPTER 04 · ATTESTATION FLOOR

A disclosed manifest becomes a chain of custody.

sbom.day treats provenance as a ceremony of disclosure: what is inside the software, where each part came from, what obligations follow, and what risks surface when the water finally clears.

signed
verified
archived