agent-bom-discover-gcp

Use this skill to collect GCP AI and workload inventory as schema-valid agent-bom inventory. Default to discover-only: write JSON to an operator-selected path and stop.

Guardrails

• Use only operator-approved projects and read-only credentials.
• Do not request or display service account private keys, OAuth refresh tokens, or bearer tokens.
• Do not modify GCP resources. This workflow is discovery-only.
• Write inventory only to a path the operator chose.
• Treat AI-generated prose as non-authoritative; schema-validated inventory JSON is the evidence.

Workflow

python examples/operator_pull/gcp_inventory_adapter.py \
  --project "$GOOGLE_CLOUD_PROJECT" \
  --region us-central1 \
  --source gcp-skill-invoked \
  --discovery-method skill_invoked_pull \
  --output gcp-inventory.json

Scan only when the operator asks for findings:

agent-bom agents --inventory gcp-inventory.json --format json --output agent-bom-gcp-findings.json

Evidence Contract

The emitted inventory carries discovery_provenance.source_type: skill_invoked_pull, observed_via: skill_invoked_pull, gcp_sdk, sanitized metadata.permissions_used, and redacted credential material. If schema validation fails, stop and fix the inventory instead of scanning a best-effort summary.