Interactive setup

sbomflow setup is a guided, first-run experience for a real terminal. It reuses the same project detection, doctor, init, config validation, and offline audit that the individual commands use — it does not add hidden behavior.

```bash
sbomflow setup
```

What it does

  1. Shows a short, restrained welcome and a one-line reminder that SBOMFlow creates evidence-readiness records and does not determine conformity.
  2. Lets you pick an output style (system, light, dark, high-contrast, ANSI-limited, or no color) when the terminal supports styling. NO_COLOR, TERM=dumb, redirected output, and --no-color keep output plain.
  3. Detects your project read-only (it never executes your build) and shows each detected value and where it came from, so you can correct it.
  4. Lets you declare the product class, with a clear note that SBOMFlow records your declaration and does not classify the product.
  5. Chooses an output directory and protects against overwriting.
  6. Shows a read-only local capability summary using the same facts as doctor.
  7. Keeps offline as the recommended default; any online enrichment is explained separately, including exactly what would be sent.
  8. Previews the files and exact command before writing anything and writes config atomically. Ctrl-C before or during the audit leaves config unchanged; an interrupted audit output directory may contain incomplete artifacts and should be removed or replaced by a fresh run.
  9. Runs a first offline audit and finishes with observed counts, artifact paths, and the next review / gate / explain commands.

Important

Setup never asks for payment, login, a license, telemetry consent, API tokens
via visible prompts, legal acceptance, or cloud connectivity.

Automation

Setup is interactive-only. It never runs in CI, when input/output is redirected, or when --no-input is passed — it exits with a clear message pointing to the scriptable path (quickstart + audit). Product identity, declared class, output directory, timestamp, colour, and style can be supplied as flags to set the editable defaults; automation should continue to use quickstart or audit.
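
The refusal conditions above and the plain-output conditions from step 2, written as a wrapper-side pre-check. This is an added example, not SBOMFlow's own code. It assumes CI is signalled by the conventional CI environment variable and treats NO_COLOR as set when non-empty; has_flag, choose_path and plain_output are hypothetical helper names.

```sh
#!/bin/sh
# Added illustration, not SBOMFlow code: mirrors the documented gates so a
# wrapper can pick a path before invoking anything.
# Assumption: CI is recognised via the conventional CI environment variable;
# the page does not say how SBOMFlow itself detects CI.

# has_flag FLAG [ARGS...]: succeed if FLAG is one of ARGS.
has_flag() {
    want=$1
    shift
    for arg in "$@"; do
        if [ "$arg" = "$want" ]; then return 0; fi
    done
    return 1
}

# choose_path IN_TTY OUT_TTY [ARGS...]: print "setup" only when none of the
# documented refusal conditions apply, otherwise "scriptable"
# (the quickstart + audit route).
choose_path() {
    cp_in=$1 cp_out=$2
    shift 2
    if [ -n "${CI:-}" ] || [ "$cp_in" != yes ] || [ "$cp_out" != yes ] \
        || has_flag --no-input "$@"; then
        echo scriptable
    else
        echo setup
    fi
}

# plain_output OUT_TTY [ARGS...]: succeed when output should stay unstyled.
plain_output() {
    po_out=$1
    shift
    [ -n "${NO_COLOR:-}" ] || [ "${TERM:-}" = dumb ] \
        || [ "$po_out" != yes ] || has_flag --no-color "$@"
}

# Probe the real descriptors here, not inside $(...), where stdout is a pipe.
if [ -t 0 ]; then in_tty=yes; else in_tty=no; fi
if [ -t 1 ]; then out_tty=yes; else out_tty=no; fi

echo "path: $(choose_path "$in_tty" "$out_tty" "$@")"
if plain_output "$out_tty" "$@"; then
    echo "styling: plain"
else
    echo "styling: allowed"
fi
```
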

Offline

The default setup path makes no network request.