licit-ai-cli 0.1.0__tar.gz

licit_ai_cli-0.1.0/.gitignore

@@ -0,0 +1,45 @@
+# Python
+__pycache__/
+*.py[cod]
+*$py.class
+*.egg-info/
+*.egg
+dist/
+build/
+.eggs/
+*.whl
+
+# Virtual environments
+.venv/
+venv/
+env/
+
+# Testing
+.pytest_cache/
+.coverage
+htmlcov/
+.tox/
+
+# IDE
+.vscode/
+.idea/
+*.swp
+*.swo
+*~
+
+# OS
+.DS_Store
+Thumbs.db
+
+# vigil cache
+.cache/
+
+# Type checking
+.mypy_cache/
+.pytype/
+
+# Config (user-specific)
+.vigil.yaml
+
+tmp/
+.claude/

licit_ai_cli-0.1.0/CHANGELOG.md

@@ -0,0 +1,46 @@
+# Changelog
+
+All notable changes to this project will be documented in this file.
+
+The format is based on [Keep a Changelog](https://keepachangelog.com/en/1.1.0/),
+and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0.html).
+
+## [Unreleased]
+
+### Added
+
+#### Phase 1 — Foundation
+
+- **Project structure** — Complete project scaffolding with `pyproject.toml`, editable install via hatchling, and full directory layout for all V0 modules.
+- **Configuration system** (`src/licit/config/`)
+  - Pydantic v2 schema with 9 config models covering provenance, changelog, frameworks, connectors, FRIA, Annex IV, and report settings.
+  - YAML config loader with 3-level resolution: explicit path → `.licit.yaml` in cwd → defaults.
+  - `save_config()` for persisting configuration changes.
+- **Core data models** (`src/licit/core/models.py`)
+  - 3 enums: `ComplianceStatus`, `ChangeSeverity`, `ProvenanceSource` (using `StrEnum`).
+  - 6 dataclasses: `ProvenanceRecord`, `ConfigChange`, `ControlRequirement`, `ControlResult`, `ComplianceSummary`, `GapItem`.
+- **Project auto-detection** (`src/licit/core/project.py`)
+  - `ProjectDetector` with 8 detection methods: name, languages (Python/JS/TS/Go/Rust/Java), frameworks (FastAPI/Flask/Django/React/Next/Express), agent configs (10 patterns), CI/CD (GitHub Actions/GitLab CI/Jenkins/CircleCI), testing, security tools, git info.
+  - `ProjectContext` dataclass with 20+ fields across 6 categories.
+- **Evidence collection** (`src/licit/core/evidence.py`)
+  - `EvidenceBundle` with 18 fields covering provenance, changelog, FRIA, guardrails, audit trail, human oversight, and security findings.
+  - `EvidenceCollector` gathers evidence from `.licit/` data, project configs (architect guardrails, quality gates, budget), CI/CD, architect reports, and SARIF files.
+- **CLI with 10 commands** (`src/licit/cli.py`)
+  - `licit init` — Initialize project with auto-detection and `.licit.yaml` creation.
+  - `licit trace` — Track code provenance (skeleton, Phase 2).
+  - `licit changelog` — Agent config changelog (skeleton, Phase 3).
+  - `licit fria` — FRIA questionnaire (skeleton, Phase 4).
+  - `licit annex-iv` — Annex IV documentation (skeleton, Phase 4).
+  - `licit report` — Unified compliance report (skeleton, Phase 6).
+  - `licit gaps` — Gap analysis (skeleton, Phase 6).
+  - `licit verify` — CI/CD gate with exit codes 0/1/2 (skeleton, Phase 4-6).
+  - `licit status` — Show project compliance status.
+  - `licit connect` — Enable/disable optional connectors.
+- **Logging** (`src/licit/logging/setup.py`) — structlog configuration with WARNING default level, verbose mode support.
+- **Test suite** — 52 tests across 5 test files covering config schema, config loading, project detection, evidence collection, and all CLI commands.
+- **Type safety** — Full mypy strict mode compliance across all 21 source files.
+- **Code quality** — ruff linting with zero errors.
+
+## [0.1.0] — Unreleased
+
+Initial release target. V0 MVP with full compliance evaluation capabilities.

licit_ai_cli-0.1.0/LICENSE

@@ -0,0 +1,21 @@
+MIT License
+
+Copyright (c) 2026 Diego Alba Ruiz
+
+Permission is hereby granted, free of charge, to any person obtaining a copy
+of this software and associated documentation files (the "Software"), to deal
+in the Software without restriction, including without limitation the rights
+to use, copy, modify, merge, publish, distribute, sublicense, and/or sell
+copies of the Software, and to permit persons to whom the Software is
+furnished to do so, subject to the following conditions:
+
+The above copyright notice and this permission notice shall be included in all
+copies or substantial portions of the Software.
+
+THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR
+IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY,
+FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE
+AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER
+LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM,
+OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
+SOFTWARE.

licit_ai_cli-0.1.0/PKG-INFO

@@ -0,0 +1,267 @@
+Metadata-Version: 2.4
+Name: licit-ai-cli
+Version: 0.1.0
+Summary: Regulatory compliance for AI-powered development teams
+License: MIT
+License-File: LICENSE
+Keywords: ai,audit,compliance,eu-ai-act,owasp,provenance
+Requires-Python: >=3.12
+Requires-Dist: click>=8.1
+Requires-Dist: cryptography>=42.0
+Requires-Dist: jinja2>=3.1
+Requires-Dist: pydantic>=2.0
+Requires-Dist: pyyaml>=6.0
+Requires-Dist: structlog>=24.1
+Provides-Extra: dev
+Requires-Dist: mypy>=1.9; extra == 'dev'
+Requires-Dist: pytest-cov>=5.0; extra == 'dev'
+Requires-Dist: pytest>=8.0; extra == 'dev'
+Requires-Dist: ruff>=0.4; extra == 'dev'
+Description-Content-Type: text/markdown
+
+# licit
+
+**Regulatory compliance for AI-powered development teams.**
+
+licit is a standalone CLI tool that tracks AI-generated code provenance, evaluates compliance against regulatory frameworks (EU AI Act, OWASP Agentic Top 10), generates required documentation (FRIA, Annex IV), and works as a CI/CD gate — all without requiring external services or infrastructure.
+
+[![Python 3.12+](https://img.shields.io/badge/python-3.12+-blue.svg)](https://www.python.org/downloads/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+---
+
+## The Problem
+
+Teams using AI coding assistants (Claude Code, Cursor, Copilot, Codex) face three gaps:
+
+1. **No provenance tracking** — Can't distinguish AI-generated code from human-written code at scale.
+2. **Regulatory requirements** — The EU AI Act mandates documentation (FRIA, Annex IV), risk management, and transparency that no existing tool automates.
+3. **Agentic security risks** — Autonomous AI agents introduce risks (prompt injection, privilege escalation) not covered by traditional security tools.
+
+## The Solution
+
+```
+licit init       →  Auto-detect project: languages, frameworks, CI/CD, agent configs
+licit trace      →  Track code provenance (human vs AI) from git history
+licit changelog  →  Monitor agent config changes (CLAUDE.md, .cursorrules, etc.)
+licit fria       →  Generate Fundamental Rights Impact Assessment (EU AI Act Art. 27)
+licit annex-iv   →  Generate Annex IV Technical Documentation
+licit report     →  Unified compliance report (Markdown, JSON, HTML)
+licit gaps       →  Find compliance gaps with actionable recommendations
+licit verify     →  CI/CD gate: exit 0 (pass) or exit 1 (fail)
+licit status     →  Quick compliance overview
+licit connect    →  Configure optional connectors (architect, vigil)
+```
+
+## Quick Start
+
+### Installation
+
+```bash
+pip install licit-ai-cli
+```
+
+Or from source:
+
+```bash
+git clone https://github.com/your-org/licit-cli.git
+cd licit-cli
+pip install -e ".[dev]"
+```
+
+> **Requires Python 3.12+**
+
+### Initialize
+
+```bash
+cd your-project
+licit init
+```
+
+This auto-detects your project and creates `.licit.yaml`:
+
+```
+  Project: my-app
+  Languages: python, typescript
+  Agent configs: 2 detected
+  CI/CD: github-actions
+  Testing: pytest
+  Security tools: vigil, semgrep
+
+  Agent configurations found:
+    - CLAUDE.md (claude-code)
+    - .cursorrules (cursor)
+
+  Created .licit.yaml
+  Created .licit/ directory
+```
+
+### Track Provenance
+
+```bash
+licit trace                      # Analyze full git history
+licit trace --since 2026-01-01   # Since specific date
+licit trace --stats              # Show AI vs human stats
+```
+
+### Evaluate Compliance
+
+```bash
+licit report                         # Full compliance report
+licit report --framework eu-ai-act   # EU AI Act only
+licit report --format html -o r.html # HTML output
+licit gaps                           # What's missing?
+```
+
+### CI/CD Integration
+
+```yaml
+# .github/workflows/compliance.yml
+- name: Compliance check
+  run: |
+    pip install licit-ai-cli
+    licit verify
+```
+
+Exit codes: `0` = compliant, `1` = non-compliant, `2` = partially compliant.
+
+## Frameworks Supported
+
+| Framework | Version | Status |
+|-----------|---------|--------|
+| EU AI Act | Regulation (EU) 2024/1689 | V0 |
+| OWASP Agentic Top 10 | 2026 | V0 |
+| NIST AI RMF | AI 100-1 | Planned (V1) |
+| ISO/IEC 42001 | 2023 | Planned (V1) |
+
+### EU AI Act Coverage
+
+licit evaluates deployer obligations across key articles:
+
+- **Art. 9** — Risk management (guardrails, quality gates, security scanning)
+- **Art. 12** — Record keeping (git history, audit trails, provenance)
+- **Art. 13** — Transparency (technical documentation, config changelog)
+- **Art. 14** — Human oversight (review gates, dry-run, intervention capability)
+- **Art. 26** — Deployer obligations (agent configuration, monitoring)
+- **Art. 27** — FRIA (interactive 5-step questionnaire)
+- **Annex IV** — Technical documentation (auto-generated from project metadata)
+
+### OWASP Agentic Top 10 Coverage
+
+Maps project security posture against all 10 agentic AI risks including prompt injection, unauthorized code execution, data exfiltration, and privilege escalation.
+
+## Agent Configs Detected
+
+licit monitors configuration files for AI coding agents:
+
+| File | Agent |
+|------|-------|
+| `CLAUDE.md` | Claude Code |
+| `.claude/settings.json` | Claude Code |
+| `.cursorrules` | Cursor |
+| `.cursor/rules` | Cursor |
+| `AGENTS.md` | GitHub Agents |
+| `.github/copilot-instructions.md` | GitHub Copilot |
+| `.architect/config.yaml` | architect |
+| `.prompts/**/*.md` | Generic |
+
+## Configuration
+
+All configuration lives in `.licit.yaml`:
+
+```yaml
+provenance:
+  enabled: true
+  methods: [git-infer]
+  confidence_threshold: 0.6
+  store_path: .licit/provenance.jsonl
+
+changelog:
+  enabled: true
+  watch_files:
+    - CLAUDE.md
+    - .cursorrules
+    - AGENTS.md
+    - .architect/config.yaml
+
+frameworks:
+  eu_ai_act: true
+  owasp_agentic: true
+
+connectors:
+  architect:
+    enabled: false
+  vigil:
+    enabled: false
+
+reports:
+  default_format: markdown
+  include_evidence: true
+  include_recommendations: true
+```
+
+## Optional Connectors
+
+licit is **fully standalone** — connectors enrich, they don't enable.
+
+| Connector | What it reads | Value added |
+|-----------|--------------|-------------|
+| **architect** | `.architect/reports/`, config | Guardrails, quality gates, budget limits, audit trail |
+| **vigil** | SARIF files | Security findings with severity levels |
+
+```bash
+licit connect architect --enable
+licit connect vigil --enable
+```
+
+## Project Structure
+
+```
+src/licit/
+├── cli.py              # 10 CLI commands
+├── config/             # Pydantic v2 config schema + YAML loader
+├── core/               # Models, project detection, evidence collection
+├── provenance/         # Git analysis, heuristics, JSONL store, attestation
+├── changelog/          # Agent config monitoring, diff, classification
+├── frameworks/         # EU AI Act evaluator, FRIA, Annex IV, OWASP
+├── connectors/         # architect + vigil integrations
+├── reports/            # Unified reports, gap analysis, formatters
+└── logging/            # structlog configuration
+```
+
+## Development
+
+```bash
+# Install with dev dependencies
+pip install -e ".[dev]"
+
+# Run tests
+pytest tests/ -q
+
+# Lint
+ruff check src/licit/
+
+# Type check
+mypy src/licit/ --strict
+```
+
+## Philosophy
+
+- **Standalone** — Works without any external tools. Connectors are optional.
+- **Filesystem-first** — Everything is files in `.licit/`. No database, no server.
+- **Developer-first** — CLI that fits into existing git/CI workflows.
+- **Language-agnostic** — Detects Python, JS/TS, Go, Rust, Java projects.
+- **Provenance-first** — Understands code origin (AI vs human) for more accurate evaluations.
+
+## Roadmap
+
+| Version | Key Features |
+|---------|-------------|
+| **V0** (current) | CLI, EU AI Act, OWASP, provenance, FRIA, Annex IV, CI/CD gate |
+| **V0.x** | Cursor/Codex session readers, PDF reports, GitHub Action |
+| **V1** | NIST AI RMF, ISO 42001, plugin system, Sigstore, MCP Server |
+| **V2** | Web dashboard, multi-project, trend analysis, AI remediation |
+
+## License
+
+[MIT](LICENSE) — Copyright (c) 2026 Diego Alba Ruiz

licit_ai_cli-0.1.0/README.md

@@ -0,0 +1,246 @@
+# licit
+
+**Regulatory compliance for AI-powered development teams.**
+
+licit is a standalone CLI tool that tracks AI-generated code provenance, evaluates compliance against regulatory frameworks (EU AI Act, OWASP Agentic Top 10), generates required documentation (FRIA, Annex IV), and works as a CI/CD gate — all without requiring external services or infrastructure.
+
+[![Python 3.12+](https://img.shields.io/badge/python-3.12+-blue.svg)](https://www.python.org/downloads/)
+[![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
+
+---
+
+## The Problem
+
+Teams using AI coding assistants (Claude Code, Cursor, Copilot, Codex) face three gaps:
+
+1. **No provenance tracking** — Can't distinguish AI-generated code from human-written code at scale.
+2. **Regulatory requirements** — The EU AI Act mandates documentation (FRIA, Annex IV), risk management, and transparency that no existing tool automates.
+3. **Agentic security risks** — Autonomous AI agents introduce risks (prompt injection, privilege escalation) not covered by traditional security tools.
+
+## The Solution
+
+```
+licit init       →  Auto-detect project: languages, frameworks, CI/CD, agent configs
+licit trace      →  Track code provenance (human vs AI) from git history
+licit changelog  →  Monitor agent config changes (CLAUDE.md, .cursorrules, etc.)
+licit fria       →  Generate Fundamental Rights Impact Assessment (EU AI Act Art. 27)
+licit annex-iv   →  Generate Annex IV Technical Documentation
+licit report     →  Unified compliance report (Markdown, JSON, HTML)
+licit gaps       →  Find compliance gaps with actionable recommendations
+licit verify     →  CI/CD gate: exit 0 (pass) or exit 1 (fail)
+licit status     →  Quick compliance overview
+licit connect    →  Configure optional connectors (architect, vigil)
+```
+
+## Quick Start
+
+### Installation
+
+```bash
+pip install licit-ai-cli
+```
+
+Or from source:
+
+```bash
+git clone https://github.com/your-org/licit-cli.git
+cd licit-cli
+pip install -e ".[dev]"
+```
+
+> **Requires Python 3.12+**
+
+### Initialize
+
+```bash
+cd your-project
+licit init
+```
+
+This auto-detects your project and creates `.licit.yaml`:
+
+```
+  Project: my-app
+  Languages: python, typescript
+  Agent configs: 2 detected
+  CI/CD: github-actions
+  Testing: pytest
+  Security tools: vigil, semgrep
+
+  Agent configurations found:
+    - CLAUDE.md (claude-code)
+    - .cursorrules (cursor)
+
+  Created .licit.yaml
+  Created .licit/ directory
+```
+
+### Track Provenance
+
+```bash
+licit trace                      # Analyze full git history
+licit trace --since 2026-01-01   # Since specific date
+licit trace --stats              # Show AI vs human stats
+```
+
+### Evaluate Compliance
+
+```bash
+licit report                         # Full compliance report
+licit report --framework eu-ai-act   # EU AI Act only
+licit report --format html -o r.html # HTML output
+licit gaps                           # What's missing?
+```
+
+### CI/CD Integration
+
+```yaml
+# .github/workflows/compliance.yml
+- name: Compliance check
+  run: |
+    pip install licit-ai-cli
+    licit verify
+```
+
+Exit codes: `0` = compliant, `1` = non-compliant, `2` = partially compliant.
+
+## Frameworks Supported
+
+| Framework | Version | Status |
+|-----------|---------|--------|
+| EU AI Act | Regulation (EU) 2024/1689 | V0 |
+| OWASP Agentic Top 10 | 2026 | V0 |
+| NIST AI RMF | AI 100-1 | Planned (V1) |
+| ISO/IEC 42001 | 2023 | Planned (V1) |
+
+### EU AI Act Coverage
+
+licit evaluates deployer obligations across key articles:
+
+- **Art. 9** — Risk management (guardrails, quality gates, security scanning)
+- **Art. 12** — Record keeping (git history, audit trails, provenance)
+- **Art. 13** — Transparency (technical documentation, config changelog)
+- **Art. 14** — Human oversight (review gates, dry-run, intervention capability)
+- **Art. 26** — Deployer obligations (agent configuration, monitoring)
+- **Art. 27** — FRIA (interactive 5-step questionnaire)
+- **Annex IV** — Technical documentation (auto-generated from project metadata)
+
+### OWASP Agentic Top 10 Coverage
+
+Maps project security posture against all 10 agentic AI risks including prompt injection, unauthorized code execution, data exfiltration, and privilege escalation.
+
+## Agent Configs Detected
+
+licit monitors configuration files for AI coding agents:
+
+| File | Agent |
+|------|-------|
+| `CLAUDE.md` | Claude Code |
+| `.claude/settings.json` | Claude Code |
+| `.cursorrules` | Cursor |
+| `.cursor/rules` | Cursor |
+| `AGENTS.md` | GitHub Agents |
+| `.github/copilot-instructions.md` | GitHub Copilot |
+| `.architect/config.yaml` | architect |
+| `.prompts/**/*.md` | Generic |
+
+## Configuration
+
+All configuration lives in `.licit.yaml`:
+
+```yaml
+provenance:
+  enabled: true
+  methods: [git-infer]
+  confidence_threshold: 0.6
+  store_path: .licit/provenance.jsonl
+
+changelog:
+  enabled: true
+  watch_files:
+    - CLAUDE.md
+    - .cursorrules
+    - AGENTS.md
+    - .architect/config.yaml
+
+frameworks:
+  eu_ai_act: true
+  owasp_agentic: true
+
+connectors:
+  architect:
+    enabled: false
+  vigil:
+    enabled: false
+
+reports:
+  default_format: markdown
+  include_evidence: true
+  include_recommendations: true
+```
+
+## Optional Connectors
+
+licit is **fully standalone** — connectors enrich, they don't enable.
+
+| Connector | What it reads | Value added |
+|-----------|--------------|-------------|
+| **architect** | `.architect/reports/`, config | Guardrails, quality gates, budget limits, audit trail |
+| **vigil** | SARIF files | Security findings with severity levels |
+
+```bash
+licit connect architect --enable
+licit connect vigil --enable
+```
+
+## Project Structure
+
+```
+src/licit/
+├── cli.py              # 10 CLI commands
+├── config/             # Pydantic v2 config schema + YAML loader
+├── core/               # Models, project detection, evidence collection
+├── provenance/         # Git analysis, heuristics, JSONL store, attestation
+├── changelog/          # Agent config monitoring, diff, classification
+├── frameworks/         # EU AI Act evaluator, FRIA, Annex IV, OWASP
+├── connectors/         # architect + vigil integrations
+├── reports/            # Unified reports, gap analysis, formatters
+└── logging/            # structlog configuration
+```
+
+## Development
+
+```bash
+# Install with dev dependencies
+pip install -e ".[dev]"
+
+# Run tests
+pytest tests/ -q
+
+# Lint
+ruff check src/licit/
+
+# Type check
+mypy src/licit/ --strict
+```
+
+## Philosophy
+
+- **Standalone** — Works without any external tools. Connectors are optional.
+- **Filesystem-first** — Everything is files in `.licit/`. No database, no server.
+- **Developer-first** — CLI that fits into existing git/CI workflows.
+- **Language-agnostic** — Detects Python, JS/TS, Go, Rust, Java projects.
+- **Provenance-first** — Understands code origin (AI vs human) for more accurate evaluations.
+
+## Roadmap
+
+| Version | Key Features |
+|---------|-------------|
+| **V0** (current) | CLI, EU AI Act, OWASP, provenance, FRIA, Annex IV, CI/CD gate |
+| **V0.x** | Cursor/Codex session readers, PDF reports, GitHub Action |
+| **V1** | NIST AI RMF, ISO 42001, plugin system, Sigstore, MCP Server |
+| **V2** | Web dashboard, multi-project, trend analysis, AI remediation |
+
+## License
+
+[MIT](LICENSE) — Copyright (c) 2026 Diego Alba Ruiz