abom-cli 0.1.1__tar.gz → 0.1.3__tar.gz

{abom_cli-0.1.1 → abom_cli-0.1.3}/PKG-INFO

@@ -1,6 +1,6 @@
 Metadata-Version: 2.4
 Name: abom-cli
-Version: 0.1.1
+Version: 0.1.3
 Summary: ABOM — the Agent Bill of Materials. Scan, sign, and verify what your AI agents are made of.
 Project-URL: Homepage, https://abom.ai
 Project-URL: Repository, https://github.com/josephassiga/abom
@@ -59,6 +59,8 @@ abom verify abom.json --policy policy.json   # + enforce a policy (exit 1 on vio
 | `abom keygen` | Show (or create) the local ed25519 signing key (`~/.abom/signing_key.pem`, override with `ABOM_KEY`). |
 | `abom version` | Print the tool and spec versions. |
 
+All commands accept **`-v`** (info) / **`-vv`** (debug) / **`-q`** (errors only) / **`--json-logs`** (NDJSON for CI) — logs go to stderr, so the ABOM on stdout stays clean.
+
 ### Example
 
 ```

{abom_cli-0.1.1 → abom_cli-0.1.3}/README.md

@@ -19,6 +19,8 @@ abom verify abom.json --policy policy.json   # + enforce a policy (exit 1 on vio
 | `abom keygen` | Show (or create) the local ed25519 signing key (`~/.abom/signing_key.pem`, override with `ABOM_KEY`). |
 | `abom version` | Print the tool and spec versions. |
 
+All commands accept **`-v`** (info) / **`-vv`** (debug) / **`-q`** (errors only) / **`--json-logs`** (NDJSON for CI) — logs go to stderr, so the ABOM on stdout stays clean.
+
 ### Example
 
 ```

{abom_cli-0.1.1 → abom_cli-0.1.3}/pyproject.toml

@@ -1,6 +1,6 @@
 [project]
 name = "abom-cli"
-version = "0.1.1"
+version = "0.1.3"
 description = "ABOM — the Agent Bill of Materials. Scan, sign, and verify what your AI agents are made of."
 readme = "README.md"
 requires-python = ">=3.10"

{abom_cli-0.1.1 → abom_cli-0.1.3}/src/abom/__init__.py

@@ -1,3 +1,3 @@
 """ABOM — the Agent Bill of Materials. Scan, sign, and verify AI agents."""
 
-__version__ = "0.1.1"
+__version__ = "0.1.2"

{abom_cli-0.1.1 → abom_cli-0.1.3}/src/abom/bom.py

@@ -14,11 +14,13 @@ from __future__ import annotations
 
 import dataclasses
 import hashlib
+import logging
 
 from . import sign as _sign
 from .audit import GENESIS, canonical_json, make_record, verify_chain
 
 ABOM_VERSION = "0.1"
+log = logging.getLogger("abom.bom")
 
 
 def _sha256(obj) -> str:
@@ -44,6 +46,8 @@ def build_composition(agent: dict, components: list[dict], controls: dict,
         "agent": agent, "components": components, "controls": controls,
     }
     body["composition_sha256"] = _sha256(body)
+    log.debug("composition built: %d components, sha256=%s…",
+              len(components), body["composition_sha256"][:16])
     return _sign.sign_obj(body, key) if sign else body
 
 
@@ -143,5 +147,13 @@ def verify_abom(composition: dict, chain: list | None = None, policy: dict | Non
                 findings.append({"rule": "approval_coverage", "seq": seq, "severity": "high",
                                  "detail": "consequential action without approval"})
 
+    log.info("verify: %d finding(s) over %d components / %d action(s)",
+             len(findings), len(composition.get("components", [])), len(chain),
+             extra={"event": "verify_done", "findings": len(findings),
+                    "components": len(composition.get("components", [])), "actions": len(chain)})
+    for f in findings:
+        log.debug("finding: [%s] %s — %s", f.get("severity"), f.get("rule"), f.get("detail"),
+                  extra={"event": "finding", "rule": f.get("rule"),
+                         "severity": f.get("severity"), "detail": f.get("detail")})
     return {"ok": len(findings) == 0, "findings": findings,
             "actions": len(chain), "components": len(composition.get("components", []))}

{abom_cli-0.1.1 → abom_cli-0.1.3}/src/abom/cli.py

@@ -14,7 +14,7 @@ from pathlib import Path
 
 import typer
 
-from . import __version__, bom, scan as scanner, sign
+from . import __version__, bom, log, scan as scanner, sign
 
 app = typer.Typer(
     add_completion=False,
@@ -35,8 +35,12 @@ def scan(
     sign_manifest: bool = typer.Option(True, "--sign/--no-sign", help="ed25519-sign the manifest."),
     name: str = typer.Option(None, "--name", help="Override the detected agent name."),
     version: str = typer.Option(None, "--agent-version", help="Override the detected agent version."),
+    verbose: int = typer.Option(0, "-v", "--verbose", count=True, help="-v info, -vv debug (to stderr)."),
+    quiet: bool = typer.Option(False, "-q", "--quiet", help="Errors only."),
+    json_logs: bool = typer.Option(False, "--json-logs", help="Structured NDJSON logs to stderr (CI)."),
 ):
     """Scan a repo and emit a signed ABOM Composition Manifest."""
+    log.setup(verbose, quiet, json_logs)
     root = Path(path)
     if not root.exists():
         typer.secho(f"path not found: {path}", fg="red", err=True)
@@ -79,8 +83,12 @@ def scan(
 def verify(
     abom_file: str = typer.Argument("abom.json", help="ABOM file to verify."),
     policy_file: str = typer.Option(None, "--policy", "-p", help="Policy JSON to enforce."),
+    verbose: int = typer.Option(0, "-v", "--verbose", count=True, help="-v info, -vv debug (to stderr)."),
+    quiet: bool = typer.Option(False, "-q", "--quiet", help="Errors only."),
+    json_logs: bool = typer.Option(False, "--json-logs", help="Structured NDJSON logs to stderr (CI)."),
 ):
     """Verify an ABOM's signature, and (with --policy) its compliance."""
+    log.setup(verbose, quiet, json_logs)
     try:
         doc = json.loads(Path(abom_file).read_text())
     except Exception as exc:
@@ -107,8 +115,14 @@ def verify(
 
 
 @app.command()
-def keygen(show_private: bool = typer.Option(False, "--show-private", help="Print the private key path.")):
+def keygen(
+    show_private: bool = typer.Option(False, "--show-private", help="Print the private key path."),
+    verbose: int = typer.Option(0, "-v", "--verbose", count=True, help="-v info, -vv debug (to stderr)."),
+    quiet: bool = typer.Option(False, "-q", "--quiet", help="Errors only."),
+    json_logs: bool = typer.Option(False, "--json-logs", help="Structured NDJSON logs to stderr (CI)."),
+):
     """Show (or create) the local ed25519 signing key."""
+    log.setup(verbose, quiet, json_logs)
     key = sign.load_or_create_key()
     pub_b64 = sign._pub_b64(key.public_key())
     path = sign.default_key_path()

abom_cli-0.1.3/src/abom/log.py

@@ -0,0 +1,66 @@
+"""Logging for the abom CLI.
+
+Logs go to **stderr** so they never mix into the ABOM written to stdout.
+
+  (default)      warnings + errors only
+  -v             INFO  — high-level steps (what was scanned / verified)
+  -vv            DEBUG — per-dependency / per-file / per-check detail
+  -q / --quiet   ERROR — errors only
+  --json-logs    one NDJSON object per line on stderr (for CI pipelines)
+"""
+from __future__ import annotations
+
+import datetime as _dt
+import json
+import logging
+import sys
+
+log = logging.getLogger("abom")
+
+# Standard LogRecord attributes — everything else is treated as structured extra.
+_STD = {
+    "name", "msg", "args", "levelname", "levelno", "pathname", "filename",
+    "module", "exc_info", "exc_text", "stack_info", "lineno", "funcName",
+    "created", "msecs", "relativeCreated", "thread", "threadName",
+    "processName", "process", "taskName", "message", "asctime",
+}
+
+
+class JsonFormatter(logging.Formatter):
+    """Render each record as a single JSON line, including any ``extra=`` fields."""
+
+    def format(self, record: logging.LogRecord) -> str:
+        data = {
+            "ts": _dt.datetime.fromtimestamp(record.created, _dt.timezone.utc)
+                     .isoformat(timespec="milliseconds"),
+            "level": record.levelname,
+            "logger": record.name,
+            "msg": record.getMessage(),
+        }
+        for key, value in record.__dict__.items():
+            if key not in _STD and not key.startswith("_"):
+                data[key] = value
+        if record.exc_info:
+            data["exc"] = self.formatException(record.exc_info)
+        return json.dumps(data, default=str)
+
+
+def setup(verbose: int = 0, quiet: bool = False, json_logs: bool = False) -> None:
+    if quiet:
+        level = logging.ERROR
+    elif verbose >= 2:
+        level = logging.DEBUG
+    elif verbose == 1:
+        level = logging.INFO
+    else:
+        level = logging.WARNING
+
+    handler = logging.StreamHandler(sys.stderr)
+    handler.setFormatter(
+        JsonFormatter() if json_logs
+        else logging.Formatter("%(levelname).1s %(name)s | %(message)s")
+    )
+    root = logging.getLogger("abom")
+    root.handlers[:] = [handler]
+    root.setLevel(level)
+    root.propagate = False

{abom_cli-0.1.1 → abom_cli-0.1.3}/src/abom/scan.py

@@ -9,6 +9,7 @@ from __future__ import annotations
 
 import hashlib
 import json
+import logging
 import re
 from pathlib import Path
 
@@ -17,6 +18,8 @@ try:
 except ModuleNotFoundError:  # Python 3.10
     import tomli as tomllib
 
+log = logging.getLogger("abom.scan")
+
 # --- known signals -----------------------------------------------------------
 FRAMEWORKS = {
     "langchain": "LangChain", "langchain-core": "LangChain", "langgraph": "LangGraph",
@@ -144,7 +147,10 @@ def _agent_meta(root: Path) -> dict:
 
 def scan(root: Path) -> dict:
     root = Path(root)
+    log.info("scanning %s", root.resolve())
     deps = parse_dependencies(root)
+    log.info("parsed %d dependencies", len(deps))
+    log.debug("dependencies: %s", ", ".join(sorted(deps)) or "(none)")
     components: list[dict] = []
     seen: set[tuple] = set()
 
@@ -153,6 +159,10 @@ def scan(root: Path) -> dict:
         if key not in seen:
             seen.add(key)
             components.append(comp)
+            log.debug("+ %-10s %-28s [%s]", comp["type"], comp.get("name", "?"),
+                      comp.get("detected_from", "?"),
+                      extra={"event": "component", "comp_type": comp["type"],
+                             "comp_name": comp.get("name"), "source": comp.get("detected_from")})
 
     # 1. from dependencies
     for d in sorted(deps):
@@ -203,6 +213,8 @@ def scan(root: Path) -> dict:
         add({"type": "model", "name": name, "provenance": "referenced in source",
              "egress": provider == "external", "detected_from": "source"})
 
+    log.info("detected %d components", len(components),
+             extra={"event": "scan_done", "components": len(components)})
     return {
         "agent": _agent_meta(root),
         "components": components,

{abom_cli-0.1.1 → abom_cli-0.1.3}/src/abom/sign.py

@@ -9,6 +9,7 @@ from __future__ import annotations
 
 import base64
 import hashlib
+import logging
 import os
 from pathlib import Path
 
@@ -20,6 +21,8 @@ from cryptography.hazmat.primitives.asymmetric.ed25519 import (
 
 from .audit import canonical_json
 
+log = logging.getLogger("abom.sign")
+
 
 def default_key_path() -> Path:
     return Path(os.environ.get("ABOM_KEY", str(Path.home() / ".abom" / "signing_key.pem")))
@@ -28,6 +31,7 @@ def default_key_path() -> Path:
 def load_or_create_key(path: Path | None = None) -> Ed25519PrivateKey:
     path = Path(path or default_key_path())
     if path.exists():
+        log.debug("loaded signing key from %s", path)
         return serialization.load_pem_private_key(path.read_bytes(), password=None)
     key = Ed25519PrivateKey.generate()
     path.parent.mkdir(parents=True, exist_ok=True)
@@ -42,6 +46,7 @@ def load_or_create_key(path: Path | None = None) -> Ed25519PrivateKey:
         os.chmod(path, 0o600)
     except OSError:
         pass
+    log.info("generated new ed25519 signing key at %s", path)
     return key
 
 
@@ -60,6 +65,7 @@ def sign_obj(obj: dict, key: Ed25519PrivateKey | None = None) -> dict:
     body = {k: v for k, v in obj.items() if k != "signature"}
     sig = key.sign(canonical_json(body).encode("utf-8"))
     pub_b64 = _pub_b64(key.public_key())
+    log.debug("signed with key_id=%s", key_id(pub_b64))
     return {
         **obj,
         "signature": {
@@ -76,16 +82,21 @@ def verify_obj(obj: dict, trusted_keys: set[str] | None = None) -> bool:
     signer's key id must be in it."""
     sig = obj.get("signature") or {}
     if sig.get("alg") != "ed25519":
+        log.debug("verify: unsupported or missing signature alg %r", sig.get("alg"))
         return False
     pub_b64, value = sig.get("public_key"), sig.get("value")
     if not pub_b64 or not value:
+        log.debug("verify: signature missing public_key or value")
         return False
     if trusted_keys is not None and key_id(pub_b64) not in trusted_keys:
+        log.debug("verify: signer key_id %s not in trusted set", key_id(pub_b64))
         return False
     try:
         pub = Ed25519PublicKey.from_public_bytes(base64.b64decode(pub_b64))
         body = {k: v for k, v in obj.items() if k != "signature"}
         pub.verify(base64.b64decode(value), canonical_json(body).encode("utf-8"))
+        log.debug("verify: signature OK (key_id=%s)", key_id(pub_b64))
         return True
     except Exception:
+        log.debug("verify: signature INVALID (key_id=%s)", key_id(pub_b64))
         return False

abom_cli-0.1.3/tests/test_log.py

@@ -0,0 +1,36 @@
+"""Tests for the logging verbosity setup."""
+import logging
+
+from abom import log as logmod
+
+
+def test_levels():
+    logmod.setup(verbose=0)
+    assert logging.getLogger("abom").level == logging.WARNING
+    logmod.setup(verbose=1)
+    assert logging.getLogger("abom").level == logging.INFO
+    logmod.setup(verbose=2)
+    assert logging.getLogger("abom").level == logging.DEBUG
+    logmod.setup(quiet=True)
+    assert logging.getLogger("abom").level == logging.ERROR
+
+
+def test_handler_goes_to_stderr():
+    logmod.setup(verbose=1)
+    handlers = logging.getLogger("abom").handlers
+    assert len(handlers) == 1
+    import sys
+    assert handlers[0].stream is sys.stderr
+
+
+def test_json_logs_are_parseable(capsys):
+    import json
+    logmod.setup(verbose=1, json_logs=True)
+    logging.getLogger("abom.t").info("hi there", extra={"event": "x", "n": 3})
+    line = capsys.readouterr().err.strip().splitlines()[-1]
+    rec = json.loads(line)  # valid JSON per line
+    assert rec["level"] == "INFO"
+    assert rec["logger"] == "abom.t"
+    assert rec["msg"] == "hi there"
+    assert rec["event"] == "x" and rec["n"] == 3
+    assert "ts" in rec