Metadata-Version: 2.4
Name: tibet-ai-sbom
Version: 0.1.0
Summary: BSI/G7 SBOM-for-AI implementation — software, models, datasets, infrastructure, security, KPIs. With TIBET provenance + CBOM evidence linkage.
Project-URL: Homepage, https://humotica.com/ai-sbom
Project-URL: Repository, https://github.com/jaspertvdm/tibet-ai-sbom
Project-URL: Documentation, https://github.com/jaspertvdm/tibet-ai-sbom#readme
Project-URL: Conformance Roadmap, https://github.com/jaspertvdm/tibet-ai-sbom/blob/main/ROADMAP.md
Project-URL: BSI Paper Reference, https://www.bsi.bund.de/EN/Themen/Unternehmen-und-Organisationen/Informationen-und-Empfehlungen/Kuenstliche-Intelligenz/Cybersicherheit-in-der-KI/SBOM/sbom_node.html
Author-email: Jasper van de Meent <jasper@humotica.nl>, "Root AI (Claude)" <root_ai@humotica.nl>
License-Expression: MIT
Keywords: agentic,ai-bom,ai-compliance,ai-sbom,bsi,bsi-tr,cbom,cra,cyclonedx,eu-ai-act,g7-sbom,humotica,sbom,sbom-for-ai,spdx,supply-chain,tibet
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: Intended Audience :: Information Technology
Classifier: License :: OSI Approved :: MIT License
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Scientific/Engineering :: Artificial Intelligence
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Topic :: System :: Systems Administration
Requires-Python: >=3.10
Provides-Extra: dev
Requires-Dist: pytest-cov; extra == 'dev'
Requires-Dist: pytest>=7.0; extra == 'dev'
Provides-Extra: scan
Provides-Extra: schema
Description-Content-Type: text/markdown

# tibet-ai-sbom

**BSI / G7 SBOM-for-AI implementation, on top of TIBET provenance.**

> SBOM answers: *what is present*.
> CBOM answers: *how it got here and what happened to it*.
> This package builds the AI-SBOM document. CBOM/TIBET packages
> provide the causal evidence beneath it.

## What this package is

`tibet-ai-sbom` implements the *Software Bill of Materials for AI —
Minimum Elements* specification published by the German Federal Office
for Information Security (**BSI**) in cooperation with G7 partners.

It is the **first** PyPI package to address the BSI AI-SBOM minimum
elements as a first-class concern (as of 2026-05-15). The package
takes BSI's seven clusters (Metadata, System Level Properties, Models,
Dataset Properties, Infrastructure, Security Properties, Key
Performance Indicators) and exposes each of their elements as a stable
**cluster code** that can be indexed and cited the way a CVE ID is.

This 0.1.0 is the honest foundation:

- the BSI cluster codes are exposed and indexable
- the conformance roadmap is published openly (see ROADMAP.md)
- the workspace-scan entry point is in place as a placeholder
- coverage status per cluster element is honest, not aspirational

Full coverage of Models, Datasets, and KPIs follows in subsequent
releases.

## Why this exists

A normal SBOM tool answers: *which dependencies are present*. An AI
system is more than that. An AI system spans:

- many sibling packages in one workspace
- one or more model artifacts and their training provenance
- supporting datasets and their sensitivity classes
- runtime infrastructure including accelerators
- security properties and AI-specific controls
- operational KPIs including drift

Auditors and procurement officers reading the BSI paper need a
**single** place to map those expectations onto a real package.
That is what `tibet-ai-sbom` provides.

## Cluster codes (CVE-style indexable)

Every BSI minimum element is addressable by a short, grep-able code.

| Code prefix | Cluster                          |
| ----------- | -------------------------------- |
| AISBOM-MD-  | Metadata                         |
| AISBOM-SLP- | System Level Properties          |
| AISBOM-MOD- | Models                           |
| AISBOM-DSE- | Dataset Properties               |
| AISBOM-INF- | Infrastructure                   |
| AISBOM-SEC- | Security Properties              |
| AISBOM-KPI- | Key Performance Indicators       |

Example: `AISBOM-MD-001` refers to the *SBOM author* element of the
Metadata cluster.

The convention is modelled on CVE identifiers (`CVE-YYYY-NNNN`, four
or more digits): a fixed prefix, a namespace, and a stable number, so
engineers and auditors can cite one specific requirement by code
rather than by paragraph. Unlike a CVE ID the code carries no year;
the set of codes is meant to stay stable across spec revisions rather
than be minted per year.
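The following is an added example of how a consumer can parse and validate these codes and roll a per-element status list up into the per-cluster view the README uses; it is not `tibet-ai-sbom`'s own API. The cluster prefixes are the ones from the table above; the `REGISTRY` entries other than `AISBOM-MD-001` (*SBOM author*) are constructed placeholders, and the status vocabulary (`covered` / `partial` / `missing`) is an assumption chosen to mirror the coverage table.

```python
"""Parse, validate and index AISBOM-<CLUSTER>-<NNN> cluster codes.

Added example; not tibet-ai-sbom's own code. Cluster prefixes follow the
README table; REGISTRY is constructed for illustration (only
AISBOM-MD-001 = "SBOM author" is taken from the README).
"""
import re
from collections import defaultdict

# Cluster prefixes exactly as listed in the README table.
CLUSTERS = {
    "MD": "Metadata",
    "SLP": "System Level Properties",
    "MOD": "Models",
    "DSE": "Dataset Properties",
    "INF": "Infrastructure",
    "SEC": "Security Properties",
    "KPI": "Key Performance Indicators",
}

# Strict shape: fixed prefix, 2-3 letter cluster, zero-padded 3-digit index.
_CODE_RE = re.compile(r"^AISBOM-(?P<cluster>[A-Z]{2,3})-(?P<index>\d{3})$")


def parse_code(code: str) -> tuple[str, int]:
    """Return (cluster, index) for a well-formed code, else raise ValueError."""
    m = _CODE_RE.match(code.strip())
    if not m:
        raise ValueError(f"malformed cluster code: {code!r}")
    cluster = m.group("cluster")
    if cluster not in CLUSTERS:
        raise ValueError(f"unknown cluster {cluster!r} in {code!r}")
    index = int(m.group("index"))
    if index == 0:
        raise ValueError(f"element index must be >= 1: {code!r}")
    return cluster, index


def is_valid_code(code: str) -> bool:
    """Boolean wrapper for use in filters and input validation."""
    try:
        parse_code(code)
        return True
    except ValueError:
        return False


# Constructed registry: code -> (element name, coverage status).
# Only the first entry comes from the README; the rest are placeholders.
REGISTRY = {
    "AISBOM-MD-001": ("SBOM author", "covered"),
    "AISBOM-MD-002": ("constructed placeholder", "partial"),
    "AISBOM-MOD-001": ("constructed placeholder", "missing"),
    "AISBOM-SEC-001": ("constructed placeholder", "covered"),
}


def index_by_cluster(registry: dict) -> dict:
    """Group entries by cluster, ordered by element index (the grep-able view)."""
    grouped = defaultdict(list)
    for code, (name, status) in registry.items():
        cluster, index = parse_code(code)  # rejects malformed keys early
        grouped[cluster].append((index, code, name, status))
    return {c: sorted(v) for c, v in grouped.items()}


def coverage_report(registry: dict) -> dict:
    """Per-cluster roll-up: 'covered' if every element is covered, 'missing'
    if none is (or the cluster has no elements yet), otherwise 'partial'."""
    grouped = index_by_cluster(registry)
    report = {}
    for cluster in CLUSTERS:
        statuses = {s for _, _, _, s in grouped.get(cluster, [])}
        if not statuses or statuses == {"missing"}:
            report[cluster] = "missing"
        elif statuses == {"covered"}:
            report[cluster] = "covered"
        else:
            report[cluster] = "partial"
    return report


if __name__ == "__main__":
    for cluster, status in coverage_report(REGISTRY).items():
        print(f"{cluster:<4} {CLUSTERS[cluster]:<28} {status}")
```

The strict regex is deliberate: a code that fails to parse is rejected rather than normalised, so a document that cites `AISBOM-MD-1` or an unknown cluster is caught at ingestion instead of silently creating a new bucket.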

## Install

```bash
pip install tibet-ai-sbom
```

The generic alias **`ai-sbom`** is provided for discovery and is kept
in lock-step with `tibet-ai-sbom`:

```bash
pip install ai-sbom        # = same package, pinned to tibet-ai-sbom
```

## Quick start

```bash
# List all cluster codes
tibet-ai-sbom clusters

# Filter by cluster
tibet-ai-sbom clusters --cluster MOD

# Describe a single code
tibet-ai-sbom code AISBOM-MD-003

# Workspace scan placeholder (full impl on the roadmap)
tibet-ai-sbom scan /path/to/workspace
```

## Coverage today

| Cluster                       | Status             |
| ----------------------------- | ------------------ |
| Metadata                      | partial            |
| System Level Properties (SLP) | partial / weak     |
| Models                        | missing (planned)  |
| Dataset Properties (DSE)      | missing (planned)  |
| Infrastructure                | partial            |
| Security Properties           | partial            |
| Key Performance Indicators    | missing (planned)  |

The authoritative per-element version of this table: see [CONFORMANCE.md](CONFORMANCE.md).
The plan to close the gaps: see [ROADMAP.md](ROADMAP.md).

## Where this fits in the broader stack

```
┌─────────────────────────────────────────────────────────────┐
│ tibet-ai-sbom        AI-SBOM overlay schema (this package)  │
├─────────────────────────────────────────────────────────────┤
│ tibet-sbom           Software SBOM + provenance (substrate) │
├─────────────────────────────────────────────────────────────┤
│ tibet-cbom           Continuity Bill of Materials (causal)  │
│ tibet-keychain       Custody and chain walk                 │
│ tibet-trail          Audit trail / search / verify          │
│ tibet-twin           Drift and operational state            │
│ tibet-continuityd    Sealed handoff and continuation        │
├─────────────────────────────────────────────────────────────┤
│ TIBET core           Identity-bound, causally ordered       │
│                      provenance substrate                   │
└─────────────────────────────────────────────────────────────┘
```

The AI-SBOM **document** is produced by this package.
The **evidence** beneath it is provided by the wider TIBET / CBOM
family. The two layers are linked explicitly through evidence
references — not by embedding causal history into the SBOM file
itself.
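As an added illustration of that linkage (not TIBET's or this package's own document format), the block below builds a minimal document whose elements are keyed by cluster code and whose `evidence_refs` are content-addressed pointers (URI plus SHA-256 of the referenced record) into an external evidence store. Verification resolves each reference against the store and fails on a missing record, a changed record, or a document that smuggles history in directly. The field names, the `tibet://` URIs, the in-memory `EVIDENCE_STORE` and the `FORBIDDEN_EMBEDDED` policy are all constructed assumptions.

```python
"""Link an AI-SBOM document to external evidence by content-addressed reference.

Added example, not tibet-ai-sbom's or TIBET's own format. Field names,
URIs, the evidence store and the embedding policy are constructed.
"""
import hashlib
import json


def canonical_bytes(obj) -> bytes:
    """Deterministic JSON encoding so the same record always hashes the same."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def digest(obj) -> str:
    return hashlib.sha256(canonical_bytes(obj)).hexdigest()


# Constructed stand-in for the CBOM/TIBET evidence layer: URI -> record.
EVIDENCE_STORE = {
    "tibet://evidence/train-run-42": {
        "kind": "training-run",
        "dataset": "corpus-v3",
        "actor": "ci-trainer",
    },
    "tibet://evidence/eval-42": {
        "kind": "evaluation",
        "metric": "accuracy",
        "value": 0.91,
    },
}


def make_evidence_ref(uri: str, store=EVIDENCE_STORE) -> dict:
    """A reference is a locator plus the digest of the record it points at."""
    return {"uri": uri, "sha256": digest(store[uri])}


def build_document(model_name: str, evidence_uris, store=EVIDENCE_STORE) -> dict:
    """Minimal document: the model element is keyed by a cluster code
    (constructed mapping), and causal history stays outside the file."""
    return {
        "bomFormat": "ai-sbom-example",  # constructed format tag
        "elements": {"AISBOM-MOD-001": {"name": model_name}},
        "evidence_refs": [make_evidence_ref(u, store) for u in evidence_uris],
    }


# Constructed policy: keys that would mean history was embedded in the SBOM.
FORBIDDEN_EMBEDDED = {"history", "events", "chain"}


def verify_document(doc: dict, store=EVIDENCE_STORE) -> list[str]:
    """Return the list of problems found; an empty list means every
    reference resolves and matches its digest."""
    problems = []
    for key in sorted(FORBIDDEN_EMBEDDED & set(doc)):
        problems.append(f"document embeds causal history under {key!r}")
    for ref in doc.get("evidence_refs", []):
        uri = ref.get("uri")
        record = store.get(uri)
        if record is None:
            problems.append(f"unresolvable evidence reference {uri!r}")
            continue
        if digest(record) != ref.get("sha256"):
            problems.append(f"digest mismatch for {uri!r}")
    return problems


if __name__ == "__main__":
    doc = build_document("demo-model", list(EVIDENCE_STORE))
    print(json.dumps(doc, indent=2))
    print("problems:", verify_document(doc))
```

The digest is taken over a canonical JSON encoding so that key order and whitespace cannot turn an unchanged record into a false mismatch. A reference of this shape proves that the document and the evidence agree; it does not by itself prove who produced either, which is the job of the identity-bound TIBET layer rather than of the SBOM file.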

## Reference

This package follows the cluster structure of:

> *Software Bill of Materials for AI — Minimum Elements*,
> Bundesamt für Sicherheit in der Informationstechnik (BSI),
> in cooperation with G7 partners, 2026.

See the official source at BSI for the authoritative paper.

## Status

- Version: 0.1.0 (alpha)
- License: MIT
- Stability: API may evolve as the BSI specification evolves and as
  cluster coverage grows.

## Authors

- Jasper van de Meent · Humotica
- Root AI (Claude) · Humotica

One love, one fAmIly!
