
tessl/npm-libnpmorg

Programmatic API for managing npm organization memberships and roles


evals/scenario-8/rubric.json

{
  "context": "Evaluates how well the solution leverages the npm CLI sbom command to generate CycloneDX or SPDX output with the required flags. Checks focus on correct flag usage for formats, workspace scoping, omit filtering, and lockfile-only handling. Scoring rewards calling the CLI rather than reimplementing SBOM logic.",
  "type": "weighted_checklist",
  "checklist": [
    {
      "name": "sbom-format flag",
      "description": "Invokes `npm sbom` with `--sbom-format` set to either `cyclonedx` or `spdx`, rejects unsupported values with an error that lists the allowed formats, and never defaults silently.",
      "max_score": 25
    },
    {
      "name": "CycloneDX output",
      "description": "When `cyclonedx` is requested, passes `--sbom-format=cyclonedx` and persists the CLI's JSON output so the saved file retains CycloneDX metadata such as the `bomFormat` indicator.",
      "max_score": 20
    },
    {
      "name": "SPDX support",
      "description": "Accepts `spdx` requests by forwarding `--sbom-format=spdx` to `npm sbom` and writing the resulting SPDX-formatted JSON without substituting a hand-crafted structure.",
      "max_score": 15
    },
    {
      "name": "Workspace scope",
      "description": "Scopes generation to specific workspaces by supplying `--workspace`/`--workspaces` when names are provided, and omits other workspaces or the root when scoped generation is requested.",
      "max_score": 20
    },
    {
      "name": "Omit filtering",
      "description": "Respects omit requests by forwarding `--omit` (e.g., `--omit=dev`) to `npm sbom` rather than filtering results manually, so dev-only packages disappear from the emitted document.",
      "max_score": 10
    },
    {
      "name": "Lockfile-only mode",
      "description": "Supports lockfile-only runs via `--package-lock-only`, surfacing the npm error when no lockfile is present instead of masking it or reconstructing dependency data independently.",
      "max_score": 10
    }
  ]
}

Install with Tessl CLI

npx tessl i tessl/npm-libnpmorg
