xelo 0.1.0__tar.gz

xelo-0.1.0/LICENSE

@@ -0,0 +1,19 @@
+Apache License
+Version 2.0, January 2004
+http://www.apache.org/licenses/
+
+TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
+
+Copyright 2026 NuGuard AI
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.

xelo-0.1.0/PKG-INFO

@@ -0,0 +1,137 @@
+Metadata-Version: 2.4
+Name: xelo
+Version: 0.1.0
+Summary: AI SBOM generator with portable schema
+Author: NuGuardAI
+License-Expression: Apache-2.0
+Project-URL: Homepage, https://nuguard.ai
+Keywords: sbom,aibom,cyclonedx,security,llm,agent
+Classifier: Development Status :: 3 - Alpha
+Classifier: Intended Audience :: Developers
+Classifier: Programming Language :: Python :: 3
+Classifier: Programming Language :: Python :: 3.11
+Classifier: Programming Language :: Python :: 3.12
+Classifier: Topic :: Security
+Classifier: Topic :: Software Development :: Build Tools
+Requires-Python: >=3.11
+Description-Content-Type: text/markdown
+License-File: LICENSE
+Requires-Dist: pydantic<3,>=2.7.0
+Requires-Dist: structlog<26,>=24.0
+Provides-Extra: ts
+Requires-Dist: tree-sitter<1,>=0.23; extra == "ts"
+Requires-Dist: tree-sitter-javascript<1,>=0.23; extra == "ts"
+Requires-Dist: tree-sitter-typescript<1,>=0.23; extra == "ts"
+Provides-Extra: cdx
+Requires-Dist: cyclonedx-bom<8,>=4.4; extra == "cdx"
+Provides-Extra: llm
+Requires-Dist: litellm<2,>=1.40; extra == "llm"
+Provides-Extra: dev
+Requires-Dist: pytest>=8.0.0; extra == "dev"
+Requires-Dist: pytest-cov>=5.0.0; extra == "dev"
+Requires-Dist: ruff>=0.8.0; extra == "dev"
+Requires-Dist: mypy>=1.10.0; extra == "dev"
+Requires-Dist: cyclonedx-bom<8,>=4.4; extra == "dev"
+Requires-Dist: tree-sitter<1,>=0.23; extra == "dev"
+Requires-Dist: tree-sitter-javascript<1,>=0.23; extra == "dev"
+Requires-Dist: tree-sitter-typescript<1,>=0.23; extra == "dev"
+Requires-Dist: litellm<2,>=1.40; extra == "dev"
+Dynamic: license-file
+
+# Xelo
+
+Xelo is an open-source AI SBOM generator for agentic and LLM-powered applications.
+It scans code and configuration, produces AI-BOM JSON, and can export CycloneDX-compatible output for security and compliance workflows.
+
+## Why Xelo
+
+- Detects AI-specific components (agents, models, tools, prompts, datastores, auth, deployment artifacts).
+- Works on mixed Python and TypeScript repositories.
+- Uses deterministic extraction by default.
+- Supports optional LLM enrichment when you explicitly enable it.
+
+## Installation
+
+Install from PyPI:
+
+```bash
+pip install xelo
+```
+
+Install for deXelopment:
+
+```bash
+pip install -e ".[dev]"
+```
+
+## Quickstart
+
+Generate an AI-BOM from a local path:
+
+```bash
+Xelo scan path ./my-repo --format json --output sbom.json
+```
+
+Validate a generated document:
+
+```bash
+Xelo validate sbom.json
+```
+
+Export the JSON schema used by the models:
+
+```bash
+Xelo schema --output ai_bom.schema.json
+```
+
+CLI alias: `ai-sbom`.
+
+## CLI Commands
+
+| Command | Description |
+| --- | --- |
+| `Xelo scan path <PATH>` | Scan a local repository path |
+| `Xelo scan repo <URL>` | Clone and scan a remote repository |
+| `Xelo validate <FILE>` | Validate AI-BOM JSON against schema models |
+| `Xelo schema --output <FILE>` | Export schema JSON |
+
+Run `Xelo --help` or `Xelo <command> --help` for all flags.
+
+## Configuration
+
+`Xelo scan` can be configured via `.env` values and CLI flags. CLI flags take precedence.
+
+Environment variables:
+
+- `AISBOM_DETERMINISTIC_ONLY=true|false`
+- `AISBOM_LLM_MODEL=<litellm model string>`
+- `AISBOM_LLM_BUDGET_TOKENS=<int>`
+- `AISBOM_LLM_API_KEY=<optional key>`
+
+Example enabling enrichment:
+
+```bash
+Xelo scan path ./my-repo --enable-llm --llm-model gpt-4o-mini --output sbom.json
+```
+
+## DeXelopment
+
+```bash
+pip install -e ".[dev]"
+ruff check src tests
+mypy src
+pytest
+```
+
+## Project Docs
+
+- [Contributing](./CONTRIBUTING.md)
+- [Security Policy](./SECURITY.md)
+- [Support](./SUPPORT.md)
+- [Governance](./GOVERNANCE.md)
+- [Roadmap](./ROADMAP.md)
+- [Code of Conduct](./CODE_OF_CONDUCT.md)
+
+## License
+
+Apache-2.0. See [LICENSE](./LICENSE).

xelo-0.1.0/README.md

@@ -0,0 +1,97 @@
+# Xelo
+
+Xelo is an open-source AI SBOM generator for agentic and LLM-powered applications.
+It scans code and configuration, produces AI-BOM JSON, and can export CycloneDX-compatible output for security and compliance workflows.
+
+## Why Xelo
+
+- Detects AI-specific components (agents, models, tools, prompts, datastores, auth, deployment artifacts).
+- Works on mixed Python and TypeScript repositories.
+- Uses deterministic extraction by default.
+- Supports optional LLM enrichment when you explicitly enable it.
+
+## Installation
+
+Install from PyPI:
+
+```bash
+pip install xelo
+```
+
+Install for deXelopment:
+
+```bash
+pip install -e ".[dev]"
+```
+
+## Quickstart
+
+Generate an AI-BOM from a local path:
+
+```bash
+Xelo scan path ./my-repo --format json --output sbom.json
+```
+
+Validate a generated document:
+
+```bash
+Xelo validate sbom.json
+```
+
+Export the JSON schema used by the models:
+
+```bash
+Xelo schema --output ai_bom.schema.json
+```
+
+CLI alias: `ai-sbom`.
+
+## CLI Commands
+
+| Command | Description |
+| --- | --- |
+| `Xelo scan path <PATH>` | Scan a local repository path |
+| `Xelo scan repo <URL>` | Clone and scan a remote repository |
+| `Xelo validate <FILE>` | Validate AI-BOM JSON against schema models |
+| `Xelo schema --output <FILE>` | Export schema JSON |
+
+Run `Xelo --help` or `Xelo <command> --help` for all flags.
+
+## Configuration
+
+`Xelo scan` can be configured via `.env` values and CLI flags. CLI flags take precedence.
+
+Environment variables:
+
+- `AISBOM_DETERMINISTIC_ONLY=true|false`
+- `AISBOM_LLM_MODEL=<litellm model string>`
+- `AISBOM_LLM_BUDGET_TOKENS=<int>`
+- `AISBOM_LLM_API_KEY=<optional key>`
+
+Example enabling enrichment:
+
+```bash
+Xelo scan path ./my-repo --enable-llm --llm-model gpt-4o-mini --output sbom.json
+```
+
+## DeXelopment
+
+```bash
+pip install -e ".[dev]"
+ruff check src tests
+mypy src
+pytest
+```
+
+## Project Docs
+
+- [Contributing](./CONTRIBUTING.md)
+- [Security Policy](./SECURITY.md)
+- [Support](./SUPPORT.md)
+- [Governance](./GOVERNANCE.md)
+- [Roadmap](./ROADMAP.md)
+- [Code of Conduct](./CODE_OF_CONDUCT.md)
+
+## License
+
+Apache-2.0. See [LICENSE](./LICENSE).

xelo-0.1.0/pyproject.toml

@@ -0,0 +1,86 @@
+[build-system]
+requires = ["setuptools>=68", "wheel"]
+build-backend = "setuptools.build_meta"
+
+[project]
+name = "xelo"
+version = "0.1.0"
+description = "AI SBOM generator with portable schema"
+readme = "README.md"
+requires-python = ">=3.11"
+license = "Apache-2.0"
+authors = [{ name = "NuGuardAI" }]
+keywords = ["sbom", "aibom", "cyclonedx", "security", "llm", "agent"]
+classifiers = [
+  "Development Status :: 3 - Alpha",
+  "Intended Audience :: Developers",
+  "Programming Language :: Python :: 3",
+  "Programming Language :: Python :: 3.11",
+  "Programming Language :: Python :: 3.12",
+  "Topic :: Security",
+  "Topic :: Software Development :: Build Tools",
+]
+dependencies = [
+  "pydantic>=2.7.0,<3",
+  "structlog>=24.0,<26",
+]
+
+[project.urls]
+Homepage = "https://nuguard.ai"
+
+[project.optional-dependencies]
+# Accurate TypeScript/JavaScript AST parsing (highly recommended)
+# Without this, Velo falls back to regex-based TS parsing.
+ts = [
+  "tree-sitter>=0.23,<1",
+  "tree-sitter-javascript>=0.23,<1",
+  "tree-sitter-typescript>=0.23,<1",
+]
+# Standard SBOM generation via cyclonedx-py CLI (highest fidelity)
+cdx = [
+  "cyclonedx-bom>=4.4,<8",
+]
+# LLM-based enrichment: verification, confidence scoring, asset summaries
+# Supports any provider via litellm model strings (OpenAI, Anthropic, Ollama, etc.)
+# Required when using ExtractionConfig(deterministic_only=False)
+llm = [
+  "litellm>=1.40,<2",
+]
+dev = [
+  "pytest>=8.0.0",
+  "pytest-cov>=5.0.0",
+  "ruff>=0.8.0",
+  "mypy>=1.10.0",
+  "cyclonedx-bom>=4.4,<8",
+  "tree-sitter>=0.23,<1",
+  "tree-sitter-javascript>=0.23,<1",
+  "tree-sitter-typescript>=0.23,<1",
+  "litellm>=1.40,<2",
+]
+
+[project.scripts]
+velo = "ai_sbom.cli:main"
+ai-sbom = "ai_sbom.cli:main"
+
+[tool.setuptools.packages.find]
+where = ["src"]
+
+[tool.setuptools.package-data]
+"ai_sbom" = ["py.typed", "schemas/*.json"]
+
+[tool.pytest.ini_options]
+pythonpath = ["src"]
+addopts = "-q"
+markers = [
+  "smoke: end-to-end tests against live repositories (require network + git)",
+]
+
+[tool.ruff]
+line-length = 100
+target-version = "py311"
+
+[tool.mypy]
+python_version = "3.11"
+strict = true
+warn_unreachable = true
+pretty = true

xelo-0.1.0/setup.cfg

@@ -0,0 +1,4 @@
+[egg_info]
+tag_build = 
+tag_date = 0
+

xelo-0.1.0/src/ai_sbom/__init__.py

@@ -0,0 +1,11 @@
+from .config import ExtractionConfig
+from .extractor import SbomExtractor
+from .models import AiBomDocument
+from .serializer import SbomSerializer
+
+__all__ = [
+    "AiBomDocument",
+    "ExtractionConfig",
+    "SbomExtractor",
+    "SbomSerializer",
+]

xelo-0.1.0/src/ai_sbom/adapters/__init__.py

@@ -0,0 +1,21 @@
+"""ai_sbom.adapters — pluggable framework detection adapters.
+
+Sub-packages
+------------
+python/
+    AST-aware adapters for Python files.  Each module targets one agentic
+    framework: LangGraph, OpenAI Agents, AutoGen, CrewAI, Semantic Kernel,
+    LlamaIndex, and generic LLM client detection.
+
+typescript/
+    Tree-sitter (or regex) adapters for TypeScript/JavaScript files.
+    Mirrors the Python adapter set and adds: LangGraph TS, OpenAI Agents TS,
+    Bedrock Agents, Google ADK, DataStores, and Prompts.
+
+Base classes / registry
+-----------------------
+base.py      ``FrameworkAdapter`` and ``DetectionAdapter`` ABCs, plus
+             ``ComponentDetection`` and ``RelationshipHint`` data classes.
+registry.py  ``default_framework_adapters()`` and ``default_registry()``
+             factory functions used by ``SbomExtractor``.
+"""

xelo-0.1.0/src/ai_sbom/adapters/base.py

@@ -0,0 +1,184 @@
+from __future__ import annotations
+
+import re
+from dataclasses import dataclass, field
+from typing import Any
+
+from ai_sbom.types import ComponentType
+
+
+# ---------------------------------------------------------------------------
+# Legacy regex-adapter types (kept for backwards compatibility and non-Python
+# file scanning)
+# ---------------------------------------------------------------------------
+
+@dataclass(frozen=True)
+class AdapterMatch:
+    pattern: str
+    line: int
+    snippet: str
+
+
+@dataclass(frozen=True)
+class AdapterDetection:
+    adapter_name: str
+    component_type: ComponentType
+    priority: int
+    canonical_name: str
+    metadata: dict[str, Any]
+    matches: tuple[AdapterMatch, ...]
+
+
+class DetectionAdapter:
+    name: str
+    priority: int
+
+    def detect(self, content: str) -> AdapterDetection | None:
+        raise NotImplementedError
+
+
+class RegexAdapter(DetectionAdapter):
+    def __init__(
+        self,
+        *,
+        name: str,
+        component_type: ComponentType,
+        priority: int,
+        patterns: tuple[re.Pattern[str], ...],
+        canonical_name: str | None = None,
+        metadata: dict[str, Any] | None = None,
+    ) -> None:
+        self.name = name
+        self.component_type = component_type
+        self.priority = priority
+        self.patterns = patterns
+        self.canonical_name = canonical_name
+        self.metadata = metadata or {}
+
+    def detect(self, content: str) -> AdapterDetection | None:
+        all_matches: list[AdapterMatch] = []
+        for pattern in self.patterns:
+            for match in pattern.finditer(content):
+                line = content[: match.start()].count("\n") + 1
+                all_matches.append(
+                    AdapterMatch(
+                        pattern=pattern.pattern,
+                        line=line,
+                        snippet=match.group(0)[:120],
+                    )
+                )
+
+        if not all_matches:
+            return None
+
+        canonical = (
+            self.canonical_name
+            or all_matches[0].snippet.strip().lower().replace(" ", "_")
+        )
+        return AdapterDetection(
+            adapter_name=self.name,
+            component_type=self.component_type,
+            priority=self.priority,
+            canonical_name=canonical,
+            metadata=self.metadata,
+            matches=tuple(all_matches),
+        )
+
+
+# ---------------------------------------------------------------------------
+# Rich AST-aware adapter types
+# ---------------------------------------------------------------------------
+
+@dataclass(frozen=True)
+class RelationshipHint:
+    """Deferred relationship between two components, resolved after node creation."""
+    source_canonical: str
+    source_type: ComponentType
+    target_canonical: str
+    target_type: ComponentType
+    relationship_type: str  # "USES", "CALLS", "ACCESSES", etc.
+
+
+@dataclass
+class ComponentDetection:
+    """A single detected AI component, produced by a FrameworkAdapter.
+
+    Richer than ``AdapterDetection``: carries file/line context,
+    evidence kind, and pre-computed metadata from AST analysis.
+    """
+    component_type: ComponentType
+    canonical_name: str         # lowercase, stable identifier used for dedup
+    display_name: str           # human-readable name for the node
+    adapter_name: str
+    priority: int
+    confidence: float
+    metadata: dict[str, Any] = field(default_factory=dict)
+    file_path: str = ""
+    line: int = 0
+    snippet: str = ""
+    evidence_kind: str = "regex"  # "ast_import" | "ast_instantiation" | "ast_call" | "regex"
+    # Relationships to other components detected in the same pass
+    relationships: list[RelationshipHint] = field(default_factory=list)
+
+
+class FrameworkAdapter:
+    """Base class for AST-aware framework adapters.
+
+    Unlike ``RegexAdapter``, a ``FrameworkAdapter`` receives both the raw
+    file content and the structured ``ParseResult`` from ``ast_parser.parse()``.
+    It returns a list of ``ComponentDetection`` objects rather than a single
+    ``AdapterDetection``.
+
+    Subclasses must implement:
+      - ``name: str``        — unique adapter identifier
+      - ``priority: int``    — lower = higher priority during dedup
+      - ``handles_imports``  — list of module prefixes that activate this adapter
+      - ``extract()``        — main detection/extraction logic
+    """
+
+    name: str = "unknown"
+    priority: int = 50
+    handles_imports: list[str] = []   # module prefixes that trigger this adapter
+
+    def can_handle(self, imports_present: set[str]) -> bool:
+        """Return True if any of the file's imported module prefixes match."""
+        for mod in imports_present:
+            for prefix in self.handles_imports:
+                if mod == prefix or mod.startswith(prefix + "."):
+                    return True
+        return False
+
+    def extract(
+        self,
+        content: str,
+        file_path: str,
+        parse_result: Any,   # ai_sbom.ast_parser.ParseResult
+    ) -> list[ComponentDetection]:
+        """Extract component detections from *file_path*.
+
+        ``parse_result`` is a ``ParseResult`` from ``ast_parser.parse(content)``
+        or ``None`` for non-Python files.
+        """
+        raise NotImplementedError
+
+    def _framework_node(self, file_path: str, line: int = 0) -> ComponentDetection:
+        """Emit a FRAMEWORK presence node for this adapter's framework.
+
+        Subclasses should call this at the start of ``extract()`` whenever
+        ``can_handle()`` returned True, to guarantee a FRAMEWORK node is always
+        emitted even if no higher-level components are detected.
+        """
+        from ai_sbom.types import ComponentType as _CT
+        return ComponentDetection(
+            component_type=_CT.FRAMEWORK,
+            canonical_name=f"framework:{self.name}",
+            display_name=f"framework:{self.name}",
+            adapter_name=self.name,
+            priority=self.priority,
+            confidence=0.95,
+            metadata={"framework": self.name},
+            file_path=file_path,
+            line=line,
+            snippet=f"import {self.name}",
+            evidence_kind="ast_import",
+        )