to be honnest I am not a big fan of this being adding to the ports tree, because usually the sbom analysis (my use case at least is on what would be reployed, so it needs to happen and the packaging level more than at the source level imho.

LGTM and I like @kevans proposal.

should fix the issues spotted by scaleway people as well

this is not for all case because people may have multiple checkouts of the source tree (other than /usr/src) this is good only for releases.

The main goal of mdo(1) I had in mind when I implemented is cases where on some system operators have to run commands as another user, like I connect ssh me@machine, then I need to do some things as nextcloud user. so basically every people in the "admin" group can run a command as nextcloud.
being able to have on this machine nextcloud the default user mdo switches to make it more user friendly, but yes this is sugar, not a strong requirement.

I am puzzled here, yes I like this, as it makes mdo(1) way more versatile, but I am also wondering if we are not here a little bit over thinking this, I get the completeness of it, but I fail at seeing a practical use case for this, and this adds lots of complexity to the code. Caan you share example on how you expect this to be used?

I love this!