lab700xdev parent
The comparison to npm is spot on.
We are seeing the exact same pattern: a massive explosion of dependency complexity, but now the "dependencies" aren't 50KB JavaScript files, they are 10GB binary blobs that we treat as black boxes.
The "Shadow AI" problem (developers cloning a random repo + downloading a model from a Google Drive link to get a specific uncensored tune) is exactly what we built the CLI for. We want to make it trivial to run a "hygiene check" on that download folder before mounting it into a container.
Consider adding a little UI to this. If I can just right-click a model/zip/folder and click "scan", then there's really no reason not to have this around (speaking in terms of removing any practical barrier, including laziness).
That barrier to entry ("laziness") is the #1 security vulnerability. If it takes 3 minutes to set up a scanner, nobody does it. That's actually why we built the Web Viewer - so you can just drag-and-drop the JSON output rather than reading terminal logs. But a native OS "Right Click --> Scan with AIsbom" Context Menu integration is a fantastic idea for a future desktop release. Thanks.