tibet-cbom 0.1.0__tar.gz

tibet_cbom-0.1.0/LICENSE

@@ -0,0 +1 @@
+MIT License — Copyright (c) 2026 Humotica, Jasper van de Meent, Root AI, Codex

tibet_cbom-0.1.0/PKG-INFO

@@ -0,0 +1,214 @@
+Metadata-Version: 2.4
+Name: tibet-cbom
+Version: 0.1.0
+Summary: Continuity bill of materials and State of Manifest inspector for sealed TIBET envelopes.
+Author-email: Jasper van de Meent <info@humotica.com>, Codex <codex@humotica.nl>
+License: MIT
+License-File: LICENSE
+Keywords: audit,cbom,continuity,icc,manifest,provenance,som,tbz,tibet,timeline
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Intended Audience :: System Administrators
+Classifier: License :: OSI Approved :: MIT License
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.10
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: System :: Logging
+Requires-Python: >=3.10
+Description-Content-Type: text/markdown
+
+# tibet-cbom
+
+**Continuity Bill of Materials and State of Manifest inspector for sealed TIBET envelopes.**
+
+This sandbox package sketches a tool family around two closely related
+ideas:
+
+- `CBOM`
+  - continuity-aware bill of materials
+  - what is in the object, plus how that object sits in a continuity
+    chain
+- `SoM`
+  - State of Manifest
+  - who asserted what, when, and how the manifest/surface relationship
+    evolved over time
+
+The first operator surface is intentionally simple:
+
+```bash
+tibet-cbom inspect file.tza
+tibet-cbom inspect file.tza --json
+```
+
+And the more human/forensic framing remains available through the alias:
+
+```bash
+tibet-som inspect file.tza
+```
+
+## Why this exists
+
+Normal file inspection answers:
+
+- what is this file called
+- how large is it
+- what extension does it have
+
+CBOM / SoM should answer richer questions:
+
+- what class of sealed object is this
+- what does its canonical surface appear to be
+- what continuity identifiers are attached
+- what events happened to it over time
+- when was it renamed
+- when was it verified
+- when was a surface mismatch marked as partial or suspicious
+
+That makes `tibet-cbom` feel less like `file(1)` and more like:
+
+- `git log`
+- for continuity-bearing envelopes
+
+## Current sandbox scope
+
+This skeleton does **not** claim full TBZ parsing yet.
+
+It provides:
+
+- package layout
+- datamodel sketch
+- CLI shape
+- human and JSON rendering
+- a first local file inspector that can grow into real manifest/event
+  extraction later
+- optional continuityd audit JSONL merge for early SoM timelines
+
+## Commands
+
+### `inspect`
+
+Compact human summary or JSON object.
+
+```bash
+tibet-cbom inspect 2026-05-12.peer-eval.claude.urgent.tza
+tibet-cbom inspect vergadering-dinsdag.pdf
+tibet-cbom inspect file.tza --json
+tibet-cbom inspect file.tza --audit-file expected-audit-example.jsonl
+```
+
+### `timeline`
+
+Reserved for a later event-only view.
+
+```bash
+tibet-cbom timeline file.tza
+tibet-cbom timeline file.tza --audit-file expected-audit-example.jsonl --json
+```
+
+### `authority`
+
+Compact current authority state.
+
+```bash
+tibet-cbom authority file.tza
+tibet-cbom authority file.tza --json
+```
+
+### `verify`
+
+Explicit manifest and authority-step consistency check.
+
+```bash
+tibet-cbom verify file.tza
+tibet-cbom verify file.tza --json
+tibet-cbom verify file.tza --audit-file expected-audit-example.jsonl
+```
+
+### `rewrap`
+
+Sandbox ownership-transition event sketch.
+
+```bash
+tibet-cbom rewrap task.tza \
+  --audit-file audit.jsonl \
+  --actor jis:humotica:jasper.admin \
+  --authority-mode admin \
+  --transition-type freeze \
+  --status frozen \
+  --effective-assignee jis:humotica:agent.ai \
+  --reason "manual triage hold" \
+  --freeze-reason-code human-review
+```
+
+If you also want a sandbox sealed bundle:
+
+```bash
+tibet-cbom rewrap task.tza \
+  --audit-file audit.jsonl \
+  --actor jis:humotica:jasper.admin \
+  --authority-mode admin \
+  --transition-type freeze \
+  --status frozen \
+  --effective-assignee jis:humotica:agent.ai \
+  --reason "manual triage hold" \
+  --freeze-reason-code human-review \
+  --identity-dir ./admin-identity \
+  --emit-bundle /tmp/admin-freeze.tza
+```
+
+Basic policy guards now apply:
+
+- `handoff` requires `--handoff-target`
+- `freeze` requires `--freeze-reason-code`
+- `authority-mode=admin` expects an admin actor id
+- emitted bundle signing identity must match transition actor
+
+## Data model direction
+
+The package uses two main record types:
+
+- `CBOMDocument`
+  - file path
+  - human name
+  - canonical name hint
+  - continuity identifiers
+  - surface status
+  - material facts
+  - event timeline
+- `SoMEvent`
+  - timestamp
+  - action
+  - actor
+  - action id
+  - notes / fields
+
+This keeps the distinction clear:
+
+- CBOM is the object summary
+- SoM is the walkable event chain inside or around that object
+
+## Likely next steps
+
+- extract canonical surface from real manifests
+- map continuity IDs from real payloads/manifests
+- render surface status transitions:
+  - `MATCH`
+  - `PARTIAL`
+  - `DISGUISED`
+  - `RENAMED`
+- deepen `verify` into fuller chain integrity / succession validation
+
+## Short framing
+
+VCs answer:
+
+- who are you
+
+SoM answers:
+
+- what did you manifest and when
+
+CBOM then becomes the readable continuity-aware object view that ties
+those together.

tibet_cbom-0.1.0/README.md

@@ -0,0 +1,193 @@
+# tibet-cbom
+
+**Continuity Bill of Materials and State of Manifest inspector for sealed TIBET envelopes.**
+
+This sandbox package sketches a tool family around two closely related
+ideas:
+
+- `CBOM`
+  - continuity-aware bill of materials
+  - what is in the object, plus how that object sits in a continuity
+    chain
+- `SoM`
+  - State of Manifest
+  - who asserted what, when, and how the manifest/surface relationship
+    evolved over time
+
+The first operator surface is intentionally simple:
+
+```bash
+tibet-cbom inspect file.tza
+tibet-cbom inspect file.tza --json
+```
+
+And the more human/forensic framing remains available through the alias:
+
+```bash
+tibet-som inspect file.tza
+```
+
+## Why this exists
+
+Normal file inspection answers:
+
+- what is this file called
+- how large is it
+- what extension does it have
+
+CBOM / SoM should answer richer questions:
+
+- what class of sealed object is this
+- what does its canonical surface appear to be
+- what continuity identifiers are attached
+- what events happened to it over time
+- when was it renamed
+- when was it verified
+- when was a surface mismatch marked as partial or suspicious
+
+That makes `tibet-cbom` feel less like `file(1)` and more like:
+
+- `git log`
+- for continuity-bearing envelopes
+
+## Current sandbox scope
+
+This skeleton does **not** claim full TBZ parsing yet.
+
+It provides:
+
+- package layout
+- datamodel sketch
+- CLI shape
+- human and JSON rendering
+- a first local file inspector that can grow into real manifest/event
+  extraction later
+- optional continuityd audit JSONL merge for early SoM timelines
+
+## Commands
+
+### `inspect`
+
+Compact human summary or JSON object.
+
+```bash
+tibet-cbom inspect 2026-05-12.peer-eval.claude.urgent.tza
+tibet-cbom inspect vergadering-dinsdag.pdf
+tibet-cbom inspect file.tza --json
+tibet-cbom inspect file.tza --audit-file expected-audit-example.jsonl
+```
+
+### `timeline`
+
+Reserved for a later event-only view.
+
+```bash
+tibet-cbom timeline file.tza
+tibet-cbom timeline file.tza --audit-file expected-audit-example.jsonl --json
+```
+
+### `authority`
+
+Compact current authority state.
+
+```bash
+tibet-cbom authority file.tza
+tibet-cbom authority file.tza --json
+```
+
+### `verify`
+
+Explicit manifest and authority-step consistency check.
+
+```bash
+tibet-cbom verify file.tza
+tibet-cbom verify file.tza --json
+tibet-cbom verify file.tza --audit-file expected-audit-example.jsonl
+```
+
+### `rewrap`
+
+Sandbox ownership-transition event sketch.
+
+```bash
+tibet-cbom rewrap task.tza \
+  --audit-file audit.jsonl \
+  --actor jis:humotica:jasper.admin \
+  --authority-mode admin \
+  --transition-type freeze \
+  --status frozen \
+  --effective-assignee jis:humotica:agent.ai \
+  --reason "manual triage hold" \
+  --freeze-reason-code human-review
+```
+
+If you also want a sandbox sealed bundle:
+
+```bash
+tibet-cbom rewrap task.tza \
+  --audit-file audit.jsonl \
+  --actor jis:humotica:jasper.admin \
+  --authority-mode admin \
+  --transition-type freeze \
+  --status frozen \
+  --effective-assignee jis:humotica:agent.ai \
+  --reason "manual triage hold" \
+  --freeze-reason-code human-review \
+  --identity-dir ./admin-identity \
+  --emit-bundle /tmp/admin-freeze.tza
+```
+
+Basic policy guards now apply:
+
+- `handoff` requires `--handoff-target`
+- `freeze` requires `--freeze-reason-code`
+- `authority-mode=admin` expects an admin actor id
+- emitted bundle signing identity must match transition actor
+
+## Data model direction
+
+The package uses two main record types:
+
+- `CBOMDocument`
+  - file path
+  - human name
+  - canonical name hint
+  - continuity identifiers
+  - surface status
+  - material facts
+  - event timeline
+- `SoMEvent`
+  - timestamp
+  - action
+  - actor
+  - action id
+  - notes / fields
+
+This keeps the distinction clear:
+
+- CBOM is the object summary
+- SoM is the walkable event chain inside or around that object
+
+## Likely next steps
+
+- extract canonical surface from real manifests
+- map continuity IDs from real payloads/manifests
+- render surface status transitions:
+  - `MATCH`
+  - `PARTIAL`
+  - `DISGUISED`
+  - `RENAMED`
+- deepen `verify` into fuller chain integrity / succession validation
+
+## Short framing
+
+VCs answer:
+
+- who are you
+
+SoM answers:
+
+- what did you manifest and when
+
+CBOM then becomes the readable continuity-aware object view that ties
+those together.

tibet_cbom-0.1.0/pyproject.toml

@@ -0,0 +1,43 @@
+[build-system]
+requires = ["hatchling"]
+build-backend = "hatchling.build"
+
+[project]
+name = "tibet-cbom"
+version = "0.1.0"
+description = "Continuity bill of materials and State of Manifest inspector for sealed TIBET envelopes."
+readme = "README.md"
+license = {text = "MIT"}
+requires-python = ">=3.10"
+authors = [
+    {name = "Jasper van de Meent", email = "info@humotica.com"},
+    {name = "Codex", email = "codex@humotica.nl"},
+]
+keywords = [
+    "tibet", "cbom", "som", "manifest", "continuity", "tbz",
+    "icc", "timeline", "audit", "provenance",
+]
+classifiers = [
+    "Development Status :: 3 - Alpha",
+    "Intended Audience :: Developers",
+    "Intended Audience :: System Administrators",
+    "License :: OSI Approved :: MIT License",
+    "Programming Language :: Python :: 3",
+    "Programming Language :: Python :: 3.10",
+    "Programming Language :: Python :: 3.11",
+    "Programming Language :: Python :: 3.12",
+    "Topic :: Security",
+    "Topic :: System :: Logging",
+]
+dependencies = []
+
+[project.scripts]
+tibet-cbom = "tibet_cbom.cli:main"
+tcbom = "tibet_cbom.cli:main"
+tibet-som = "tibet_cbom.cli:main"
+
+[tool.hatch.build.targets.sdist]
+include = ["/src"]
+
+[tool.hatch.build.targets.wheel]
+packages = ["src/tibet_cbom"]

tibet_cbom-0.1.0/src/tibet_cbom/__init__.py

@@ -0,0 +1,3 @@
+"""tibet-cbom — continuity bill of materials / State of Manifest sketch."""
+
+__version__ = "0.1.0"

tibet_cbom-0.1.0/src/tibet_cbom/audit.py

@@ -0,0 +1,115 @@
+from __future__ import annotations
+
+import json
+from datetime import datetime, timezone
+from pathlib import Path
+
+from .models import CBOMDocument, SoMEvent
+
+
+def _ts_to_iso(value) -> str:
+    if isinstance(value, (int, float)):
+        return datetime.fromtimestamp(value, tz=timezone.utc).strftime(
+            "%Y-%m-%dT%H:%M:%SZ"
+        )
+    if isinstance(value, str) and value:
+        return value
+    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ")
+
+
+def _event_notes(record: dict) -> list[str]:
+    notes: list[str] = []
+    for key in (
+        "intake_class",
+        "disposition_hint",
+        "surface_status",
+        "disposition",
+        "canonical_name",
+    ):
+        value = record.get(key)
+        if value not in (None, "", [], {}):
+            notes.append(f"{key}={value}")
+    if record.get("renamed_by_operator"):
+        notes.append("renamed_by_operator=true")
+    return notes
+
+
+def merge_audit_file(doc: CBOMDocument, audit_path: str) -> CBOMDocument:
+    path = Path(audit_path)
+    if not path.exists():
+        raise FileNotFoundError(f"no such audit file: {path}")
+
+    matched: list[dict] = []
+    with open(path, "r", encoding="utf-8", errors="replace") as f:
+        for line in f:
+            line = line.strip()
+            if not line:
+                continue
+            try:
+                record = json.loads(line)
+            except json.JSONDecodeError:
+                continue
+            if record.get("name") == doc.file_name:
+                matched.append(record)
+
+    if not matched:
+        doc.events.append(
+            SoMEvent(
+                timestamp=datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
+                action="audit-unmatched",
+                actor="tibet-cbom",
+                action_id="act_audit_unmatched",
+                notes=[f"audit_file={path.name}", "no records matched file name"],
+            )
+        )
+        return doc
+
+    if len(matched) > 1:
+        doc.events.append(
+            SoMEvent(
+                timestamp=datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
+                action="audit-name-collision",
+                actor="tibet-cbom",
+                action_id="act_audit_collision",
+                notes=[
+                    f"audit_file={path.name}",
+                    f"matched_records={len(matched)}",
+                    "top-level fields not overwritten because name-only match is ambiguous",
+                ],
+            )
+        )
+
+    for idx, record in enumerate(matched, start=1):
+        stage = record.get("stage", "audit")
+        actor = record.get("actor_id") or record.get("actor") or "continuityd"
+        action_id = record.get("action_id") or f"act_audit_{idx}"
+        doc.events.append(
+            SoMEvent(
+                timestamp=_ts_to_iso(record.get("ts")),
+                action=stage,
+                actor=actor,
+                action_id=action_id,
+                notes=_event_notes(record),
+            )
+        )
+
+    if len(matched) > 1:
+        return doc
+
+    latest = matched[-1]
+    if latest.get("canonical_name"):
+        doc.canonical_name = latest["canonical_name"]
+    if latest.get("continuity_id"):
+        doc.continuity_id = latest["continuity_id"]
+    if latest.get("object_id"):
+        doc.object_id = latest["object_id"]
+    if latest.get("surface_status"):
+        doc.surface_status = latest["surface_status"]
+    if latest.get("disposition"):
+        doc.disposition_hint = latest["disposition"]
+    elif latest.get("disposition_hint"):
+        doc.disposition_hint = latest["disposition_hint"]
+    if latest.get("intake_class"):
+        doc.intake_class = latest["intake_class"]
+
+    return doc