Add CycloneDX SBOM #3

Open

devin-ai-integration[bot] wants to merge 1 commit into main from devin/1773062225-add-cyclonedx-sbom

Conversation

@devin-ai-integration

Add CycloneDX SBOM

Summary

Adds a CycloneDX JSON SBOM (sbom.json) to the repository root, generated from the project's dependency manifests using @cyclonedx/cdxgen v12.1.2.

  • Format: CycloneDX JSON, spec version 1.5
  • Components found: 1,174 (sourced from package-lock.json files across the monorepo and GitHub Actions workflow files)
  • Tool: cdxgen v12.1.2 (auto-detected project type: npm)

No build or test execution was performed — the SBOM was generated purely from dependency manifests.

Review & Testing Checklist for Human

  • Staleness strategy: This is a point-in-time snapshot. Consider whether sbom.json should instead be generated in CI on each release/merge to stay current, rather than checked into the repo.
  • Sensitive data: Spot-check the SBOM for any leaked internal URLs, tokens, or paths that shouldn't be public. Note: the evidence fields contain absolute paths from the generation environment (e.g. /home/ubuntu/repos/...) — these are benign but worth being aware of.
  • Component completeness: Verify that 1,174 components is a reasonable count for this monorepo (10 packages + root lockfile + GitHub Actions dependencies).

Notes

Co-Authored-By: fabian@finmid.com <me@cakasim.de>
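As an added spot-check for the review checklist above (example code written for this page, not part of this PR, of the repository, or of cdxgen), the script below loads a CycloneDX JSON SBOM, reports format, spec version, generating tool and component count, buckets components by purl type so the "lockfiles plus GitHub Actions" provenance can be eyeballed, and walks every string in the document looking for absolute paths, token-shaped values and URLs on hosts outside a public allowlist. The three-component sample SBOM, the `PUBLIC_HOSTS` allowlist, the token regexes and the `example:note` property are constructed here as assumptions; the `evidence.occurrences[].location` layout is the CycloneDX 1.5 shape that cdxgen's path evidence uses.

```python
"""Offline spot-check of a CycloneDX JSON SBOM: format/version, component
count by purl type, and strings that look like leaked local paths, tokens
or non-public URLs.  Added example; not the PR's or cdxgen's own code."""
from __future__ import annotations

import json
import re
import sys
from typing import Any, Iterator
from urllib.parse import urlparse

# Constructed sample standing in for the PR's 1,174-component sbom.json.
# The internal registry URL and the "example:note" property are invented
# here purely to exercise the checks.
SAMPLE_SBOM: dict[str, Any] = {
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "version": 1,
    "metadata": {"tools": {"components": [
        {"type": "application", "name": "cdxgen", "version": "12.1.2"}]}},
    "components": [
        {"type": "library", "name": "lodash", "version": "4.17.21",
         "purl": "pkg:npm/lodash@4.17.21",
         "evidence": {"occurrences": [
             {"location": "/home/ubuntu/repos/monorepo/package-lock.json"}]}},
        {"type": "library", "group": "actions", "name": "checkout", "version": "4",
         "purl": "pkg:github/actions/checkout@4",
         "evidence": {"occurrences": [{"location": ".github/workflows/ci.yml"}]}},
        {"type": "library", "name": "internal-ui", "version": "1.0.0",
         "externalReferences": [{"type": "distribution",
             "url": "https://npm.internal.example.com/internal-ui-1.0.0.tgz"}],
         "properties": [{"name": "example:note",
             "value": "npm_ABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789"}]},
    ],
}

# Assumption: hosts acceptable in a public SBOM; extend per organisation.
PUBLIC_HOSTS = {"registry.npmjs.org", "www.npmjs.com", "github.com"}

ABS_PATH = re.compile(r"^(?:/[^/\s]+)+/?$|^[A-Za-z]:\\")       # POSIX or Windows absolute path
URL = re.compile(r"^https?://")
# Assumption: a few well-known token shapes (npm/GitHub 36-char, AWS access key id).
TOKEN_LIKE = re.compile(r"\b(?:npm|ghp|gho|ghs)_[A-Za-z0-9]{36}\b|\bAKIA[0-9A-Z]{16}\b")


def iter_strings(node: Any, path: str = "") -> Iterator[tuple[str, str]]:
    """Yield (JSON-pointer, value) for every string anywhere in the document."""
    if isinstance(node, dict):
        for key, child in node.items():
            yield from iter_strings(child, f"{path}/{key}")
    elif isinstance(node, list):
        for i, child in enumerate(node):
            yield from iter_strings(child, f"{path}/{i}")
    elif isinstance(node, str):
        yield path, node


def summarize(sbom: dict[str, Any]) -> dict[str, Any]:
    """Format, spec version, generating tools and raw component count."""
    tools = sbom.get("metadata", {}).get("tools", {})
    # CycloneDX 1.5 nests tools under "components"; older BOMs used a flat list.
    tool_list = tools.get("components", []) if isinstance(tools, dict) else tools
    return {
        "bomFormat": sbom.get("bomFormat"),
        "specVersion": sbom.get("specVersion"),
        "component_count": len(sbom.get("components", [])),
        "tools": [f"{t.get('name')}@{t.get('version')}" for t in tool_list],
    }


def purl_types(sbom: dict[str, Any]) -> dict[str, int]:
    """Count components by purl type (npm, github, ...) for the completeness check."""
    counts: dict[str, int] = {}
    for comp in sbom.get("components", []):
        purl = comp.get("purl", "")
        kind = purl[4:].split("/", 1)[0] if purl.startswith("pkg:") else "(no purl)"
        counts[kind] = counts.get(kind, 0) + 1
    return counts


def findings(sbom: dict[str, Any], public_hosts: set[str] = PUBLIC_HOSTS) -> list[dict[str, str]]:
    """Strings a reviewer should look at before the SBOM is made public."""
    out: list[dict[str, str]] = []
    for path, value in iter_strings(sbom):
        if TOKEN_LIKE.search(value):
            out.append({"kind": "token-like", "path": path, "value": value[:8] + "..."})
        elif URL.match(value) and urlparse(value).hostname not in public_hosts:
            out.append({"kind": "non-public-url", "path": path, "value": value})
        elif ABS_PATH.match(value):
            out.append({"kind": "absolute-path", "path": path, "value": value})
    return out


if __name__ == "__main__":
    # Usage: python sbom_check.py sbom.json   (falls back to the constructed sample)
    bom = json.load(open(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE_SBOM
    print(json.dumps({"summary": summarize(bom), "by_purl_type": purl_types(bom),
                      "findings": findings(bom)}, indent=2))
```

Absolute paths are reported rather than failed on because, as the checklist notes, a build-host path is benign in itself; the point is to make every occurrence visible in one list instead of relying on a manual scroll through 1,174 entries. Token-shaped strings are truncated in the report so the check itself does not reprint a secret.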
@devin-ai-integration

🤖 Devin AI Engineer

I'll be helping with this pull request! Here's what you should know:

✅ I will automatically:

  • Address comments on this PR. Add '(aside)' to your comment to have me ignore it.
  • Look at CI failures and help fix them

Note: I can only respond to comments from users who have write access to this repository.

⚙️ Control Options:

  • Disable automatic comment and CI monitoring
