DEV Community

get eqo
get eqo

Posted on

Tracking AI prompts is a nightmare. So we built an open-source Prompt Bill of Materials (PBOM)

If you are building AI applications in production, you already know the dirty secret: prompt management is a mess

What starts as a clean system prompt quickly turns into a tangled web of hardcoded strings, tweaked parameters, and fragmented version histories. When an AI feature suddenly starts hallucinating or fails a security check, tracing the exact combination of the prompt, model version, and temperature that caused the issue is incredibly painful.

In traditional software, we solved supply-chain chaos with the SBOM (Software Bill of Materials).

AI needs the exact same thing. That is why we are open-sourcing the PBOM (Prompt Bill of Materials) Specification.

🧩 Enter the PBOM

EqoAI/pbom-spec is an open-source standard designed to track, version, and secure the lifecycle of AI prompts.

Just like an SBOM tells you exactly which open-source libraries are running in your application, a PBOM provides a machine-readable ledger of your AI supply chain. It acts as a standardized contract that describes the components of an AI prompt system.

What does it look like?

Instead of guessing what went into a production AI call, a PBOM gives you a structured, verifiable manifest. Here is a conceptual look at how you can standardize a prompt's footprint:


json
{
  "pbomVersion": "1.0",
  "metadata": {
    "timestamp": "2026-07-18T10:00:00Z",
    "author": "EqoAI"
  },
  "components": [
    {
      "type": "model",
      "name": "gpt-4",
      "version": "0613",
      "parameters": {
        "temperature": 0.7,
        "max_tokens": 500
      }
    },
    {
      "type": "prompt_template",
      "id": "customer-support-v2",
      "hash": "sha256:8f434346648f...",
      "dependencies": ["user_context_module"]
    }
  ]
}
Enter fullscreen mode Exit fullscreen mode

Top comments (1)

Collapse
 
alexshev profile image
Alex Shev

A prompt bill of materials is a useful framing because prompts are becoming production dependencies. Version, owner, model assumptions, tools, and evaluation history matter just like package metadata. Otherwise the workflow is impossible to audit later.