Metadata-Version: 2.4
Name: tibet-sbom
Version: 0.2.0
Summary: Software Bill of Materials with TIBET Provenance — every dependency traced, every build proven
Project-URL: Homepage, https://humotica.com
Project-URL: Repository, https://github.com/jaspertvdm/tibet-sbom
Project-URL: Documentation, https://humotica.com/docs/tibet-sbom
Project-URL: Bug Tracker, https://github.com/jaspertvdm/tibet-sbom/issues
Project-URL: TIBET Protocol, https://pypi.org/project/tibet-core/
Project-URL: IETF TIBET Draft, https://datatracker.ietf.org/doc/draft-vandemeent-tibet-provenance/
Author-email: "J. van de Meent" <jasper@humotica.com>, "R. AI" <root_idd@humotica.nl>
Maintainer-email: Humotica AI Lab <ai@humotica.nl>
License: MIT
License-File: LICENSE
Keywords: compliance,cra,cyclonedx,provenance,sbom,spdx,supply-chain,tibet
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: System Administrators
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries
Requires-Python: >=3.10
Requires-Dist: tibet-core>=0.2.0
Provides-Extra: dev
Requires-Dist: pytest>=7.0; extra == 'dev'
Requires-Dist: ruff>=0.1.0; extra == 'dev'
Provides-Extra: full
Requires-Dist: rich>=13.0.0; extra == 'full'
Description-Content-Type: text/markdown

# tibet-sbom — Software Bill of Materials + TIBET Provenance

**Every dependency traced. Every build proven.**

The EU Cyber Resilience Act (CRA) requires an SBOM as part of the technical
documentation for products with digital elements placed on the EU market. US
Executive Order 14028 requires suppliers to provide machine-readable SBOMs
for software sold to the federal government. Existing tools such as Syft and
the CycloneDX and SPDX generators produce dependency lists, but a list alone
proves nothing about *where* a component came from, *why* that version was
chosen, or *what* the build context was.

tibet-sbom adds **TIBET provenance** to SBOMs. Every dependency becomes a
TIBET token with four dimensions:

| Dimension   | SBOM Meaning                                       |
|-------------|-----------------------------------------------------|
| **ERIN**    | Component name, version, hash, source registry      |
| **ERAAN**   | Parent component, dependency chain, `jis:` URI       |
| **EROMHEEN**| Scan environment, timestamp, scanner version         |
| **ERACHTER**| Why this component, why this version, build context  |

## Compatible Formats

- **CycloneDX** — OWASP standard, JSON/XML
- **SPDX** — Linux Foundation standard, ISO/IEC 5962
- **TIBET** — Full provenance chain per component

## Installation

```bash
pip install tibet-sbom
```

With rich terminal output:

```bash
pip install tibet-sbom[full]
```

## Quick Start

```python
from tibet_sbom import SBOMGenerator

gen = SBOMGenerator()
sbom = gen.scan("/path/to/project")

print(f"Found {len(sbom.components)} components")
print(f"TIBET chain: {sbom.tibet_chain_length} tokens")

# Export as CycloneDX
cyclonedx = gen.export_cyclonedx()

# Export with full TIBET provenance
tibet = gen.export_tibet()
```

## CLI Usage

```bash
# Concept overview — what tibet-sbom does and why
tibet-sbom info

# Scan a project and print SBOM summary
tibet-sbom scan /path/to/project

# Export in specific format
tibet-sbom export /path/to/project --format cyclonedx
tibet-sbom export /path/to/project --format spdx
tibet-sbom export /path/to/project --format tibet

# Compliance check against CRA and EO 14028
tibet-sbom check /path/to/project

# Demo with sample project
tibet-sbom demo
```

All commands support `--json` for machine-readable output.

## Why Not Just Syft/CycloneDX?

Those tools answer: *"What dependencies does this project have?"*

tibet-sbom answers: *"What dependencies does this project have, where did
each one come from, what was the scan environment when the inventory was
taken, and can you cryptographically prove the chain of custody?"*

A dependency list without provenance is a checklist. A dependency list
with TIBET provenance is **evidence**.
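What a four-dimension token and a verifiable chain of custody look like in practice, as an added example that is not tibet-sbom's or tibet-core's own code: it models the ERIN / ERAAN / EROMHEEN / ERACHTER table from the introduction and the chain-of-custody claim above using only the standard library. Each token is sealed with a SHA-256 over its canonical JSON and carries the hash of the previous token, so editing any dimension after the fact, or swapping the artifact bytes, breaks verification at a known index. The field names inside each dimension, the shape of the `jis:` URI, the `tibet:` property namespace in the CycloneDX export, and the sample wheel bytes are all assumptions constructed for this example.

```python
"""Illustrative provenance tokens with four dimensions, chained by SHA-256.

Added example, not the tibet-sbom/tibet-core API. Field names, the jis: URI
shape and the sample artifacts are constructed for illustration.
"""
import hashlib
import json
from dataclasses import asdict, dataclass, field


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class TibetToken:
    erin: dict       # the component itself: name, version, artifact hash, registry
    eraan: dict      # what it hangs on: parent component, jis: URI (assumed shape)
    eromheen: dict   # the scan environment: scanner, version, timestamp
    erachter: dict   # the reasoning: why this component / version
    prev: str        # hash of the previous token ("" for the first token)
    hash: str = field(default="")

    def canonical(self) -> bytes:
        # Stable serialisation of every dimension except the seal itself.
        body = {k: v for k, v in asdict(self).items() if k != "hash"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def seal(self) -> "TibetToken":
        self.hash = sha256_hex(self.canonical())
        return self


# Constructed sample input: these bytes stand in for downloaded wheel files.
SAMPLE_ARTIFACTS = {
    ("requests", "2.32.3"): b"requests-2.32.3-py3-none-any.whl (constructed bytes)",
    ("urllib3", "2.2.2"): b"urllib3-2.2.2-py3-none-any.whl (constructed bytes)",
}
# (name, version, artifact bytes, parent component, reason for inclusion)
SAMPLE_COMPONENTS = [
    ("requests", "2.32.3", SAMPLE_ARTIFACTS[("requests", "2.32.3")], None,
     "direct dependency pinned in requirements.txt"),
    ("urllib3", "2.2.2", SAMPLE_ARTIFACTS[("urllib3", "2.2.2")], "requests",
     "transitive dependency required by requests"),
]
SAMPLE_SCAN_ENV = {"scanner": "example-scanner", "version": "0.0.1",
                   "timestamp": "2025-01-15T10:00:00Z"}  # constructed


def build_chain(components, scan_env):
    """Turn each component into a sealed token linked to its predecessor."""
    chain, prev = [], ""
    for name, version, artifact, parent, reason in components:
        token = TibetToken(
            erin={"name": name, "version": version,
                  "sha256": sha256_hex(artifact), "registry": "https://pypi.org/simple"},
            eraan={"parent": parent, "uri": f"jis:pypi/{name}@{version}"},  # assumed shape
            eromheen=dict(scan_env),
            erachter={"reason": reason},
            prev=prev,
        ).seal()
        chain.append(token)
        prev = token.hash
    return chain


def verify_chain(chain, artifacts):
    """Return (True, -1) if every link and every artifact hash holds,
    otherwise (False, index of the first token that fails)."""
    prev = ""
    for i, tok in enumerate(chain):
        # Link integrity: the seal must match the body, and prev must chain.
        if tok.prev != prev or tok.hash != sha256_hex(tok.canonical()):
            return False, i
        # Artifact integrity: the bytes on disk must match ERIN's recorded hash.
        key = (tok.erin["name"], tok.erin["version"])
        if key not in artifacts or sha256_hex(artifacts[key]) != tok.erin["sha256"]:
            return False, i
        prev = tok.hash
    return True, -1


def to_cyclonedx(chain):
    """Emit a minimal CycloneDX 1.5 JSON document; the non-standard dimensions
    ride along as CycloneDX `properties` (the tibet: namespace is assumed)."""
    components = []
    for tok in chain:
        components.append({
            "type": "library",
            "name": tok.erin["name"],
            "version": tok.erin["version"],
            "purl": f"pkg:pypi/{tok.erin['name']}@{tok.erin['version']}",
            "hashes": [{"alg": "SHA-256", "content": tok.erin["sha256"]}],
            "properties": [
                {"name": "tibet:eraan.uri", "value": tok.eraan["uri"]},
                {"name": "tibet:erachter.reason", "value": tok.erachter["reason"]},
                {"name": "tibet:token.hash", "value": tok.hash},
                {"name": "tibet:token.prev", "value": tok.prev},
            ],
        })
    return {"bomFormat": "CycloneDX", "specVersion": "1.5", "version": 1,
            "components": components}


if __name__ == "__main__":
    chain = build_chain(SAMPLE_COMPONENTS, SAMPLE_SCAN_ENV)
    print(verify_chain(chain, SAMPLE_ARTIFACTS))
    print(json.dumps(to_cyclonedx(chain), indent=2))
```

The verification function distinguishes two tampering cases a practitioner should expect: editing a dimension without resealing fails at that token, while editing and resealing pushes the failure to the next token, whose `prev` no longer matches. Either way the chain does not silently accept the change.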

## Regulatory Context

- **EU CRA** (Cyber Resilience Act) — Regulation (EU) 2024/2847.
  Requires manufacturers to identify and document vulnerabilities and
  components, maintain SBOMs, and provide security updates.
- **US EO 14028** — Executive Order on Improving the Nation's
  Cybersecurity. Requires machine-readable SBOMs, supplier
  identification, and integrity verification for government software.

## License

MIT — Humotica AI Lab 2025-2026

Part of the [TIBET protocol](https://pypi.org/project/tibet-core/) family.
