Metadata-Version: 2.4
Name: xelo-toolbox
Version: 0.1.0
Summary: AI SBOM integrations and analysis toolbox
Author: NuGuardAI
License-Expression: Apache-2.0
Project-URL: Homepage, https://nuguard.ai
Project-URL: Repository, https://github.com/NuGuardAI/Xelo-toolbox
Project-URL: Issues, https://github.com/NuGuardAI/Xelo-toolbox/issues
Project-URL: Changelog, https://github.com/NuGuardAI/Xelo-toolbox/blob/main/CHANGELOG.md
Keywords: sbom,aibom,cyclonedx,security,llm,agent,xray
Classifier: Development Status :: 3 - Alpha
Classifier: Intended Audience :: Developers
Classifier: Operating System :: OS Independent
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Libraries :: Python Modules
Requires-Python: >=3.11
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: pydantic<3,>=2.7.0
Requires-Dist: xelo[llm,ts]>=0.1.0
Provides-Extra: dev
Requires-Dist: pytest>=8.0.0; extra == "dev"
Requires-Dist: pytest-cov>=5.0.0; extra == "dev"
Requires-Dist: ruff>=0.8.0; extra == "dev"
Requires-Dist: mypy>=1.10.0; extra == "dev"
Dynamic: license-file

# Xelo Toolbox

Xelo Toolbox is an open-source AI SBOM integration and analysis CLI.
It consumes AI-BOM/SBOM JSON and offers a suite of tools for integration with security and governance platforms.

## Why Xelo Toolbox

- Runs plugins across a common toolbox interface.
- Exports CycloneDX JSON for downstream security tooling.
- Integrates with JFrog Xray ingestion flows.

## Installation

Install from PyPI:

```bash
pip install xelo-toolbox
```

Install for development:

```bash
pip install -e ".[dev]"
```

## Quickstart

Analyze dependency and AI component breakdown:

```bash
xelo-toolbox deps analyze --sbom sbom.json
```

Scan directly from source (no pre-generated SBOM required):

```bash
# Local repository/path scan
xelo-toolbox deps analyze --path /workspaces/my-app

# GitHub repository scan (optional --ref for branch/tag/commit)
xelo-toolbox vuln scan --repo https://github.com/org/repo.git --ref main --provider all
```

Run vulnerability/risk scan:

```bash
xelo-toolbox vuln scan --sbom sbom.json --provider all
```

Run license policy check:

```bash
xelo-toolbox license check --sbom sbom.json --policy policy.json
```

Export CycloneDX output:

```bash
xelo-toolbox cyclonedx export --sbom sbom.json --output bom.json
```

## CLI Commands

| Command | Description |
| --- | --- |
| `xelo-toolbox deps analyze` | Analyze AI components and dependency groups |
| `xelo-toolbox vuln scan` | Run structural and advisory-backed risk scanning |
| `xelo-toolbox license check` | Enforce deny-list license policy |
| `xelo-toolbox cyclonedx export` | Export CycloneDX 1.6 JSON BOM |
| `xelo-toolbox xray submit` | Submit payload to JFrog Xray |

Run `xelo-toolbox --help` or `xelo-toolbox <command> --help` for all flags.
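As an added illustration of the kind of work `deps analyze` and `license check` do over a BOM (example code written for this page, not xelo-toolbox's own implementation), the script below groups a constructed CycloneDX 1.6 JSON document by component type, lists the AI components (CycloneDX's `machine-learning-model` and `data` types), and evaluates a deny-list license policy against it. The `policy.json` shape used here (`deny_licenses`, `deny_missing_license`) is an assumption; the page does not document the tool's real policy format.

```python
"""Added example (not part of xelo-toolbox): group CycloneDX 1.6 components
by type and apply an assumed deny-list license policy to a constructed BOM."""
import json
from collections import Counter

# Constructed sample BOM in CycloneDX 1.6 JSON shape. "machine-learning-model"
# and "data" are CycloneDX's own component types for AI assets.
SAMPLE_BOM_JSON = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.6",
    "version": 1,
    "components": [
        {"type": "library", "name": "torch", "version": "2.3.0",
         "licenses": [{"license": {"id": "BSD-3-Clause"}}]},
        {"type": "library", "name": "some-copyleft-lib", "version": "1.0.0",
         "licenses": [{"license": {"id": "GPL-3.0-only"}}]},
        {"type": "machine-learning-model", "name": "example-llm", "version": "7b",
         "licenses": [{"license": {"name": "Custom Research License"}}]},
        # Dataset with no license metadata at all: a governance gap worth flagging.
        {"type": "data", "name": "training-corpus", "version": "2024-01"},
    ],
})

# Assumed policy shape (hypothetical; not the documented policy.json format):
# a list of denied SPDX ids plus a flag that also denies unlicensed components.
SAMPLE_POLICY = {
    "deny_licenses": ["GPL-3.0-only", "AGPL-3.0-only"],
    "deny_missing_license": True,
}

AI_COMPONENT_TYPES = {"machine-learning-model", "data"}


def component_licenses(component: dict) -> list[str]:
    """Return the license identifiers declared on a component.

    CycloneDX allows each entry to be either {"license": {"id"|"name": ...}}
    or {"expression": "<SPDX expression>"}; both forms are collected here.
    """
    found = []
    for entry in component.get("licenses", []):
        lic = entry.get("license")
        if lic:
            found.append(lic.get("id") or lic.get("name") or "")
        elif "expression" in entry:
            found.append(entry["expression"])
    return [x for x in found if x]


def analyze_components(bom_json: str) -> dict:
    """Count components per CycloneDX type and list the AI components by name."""
    components = json.loads(bom_json).get("components", [])
    by_type = Counter(c.get("type", "unknown") for c in components)
    ai_names = [c["name"] for c in components if c.get("type") in AI_COMPONENT_TYPES]
    return {"by_type": dict(by_type), "ai_components": ai_names}


def check_license_policy(bom_json: str, policy: dict) -> list[dict]:
    """Return one violation record per component that breaches the deny-list policy.

    Identifiers are compared as whole strings, so a compound SPDX expression
    such as "MIT OR GPL-3.0-only" must be listed verbatim to be denied.
    """
    components = json.loads(bom_json).get("components", [])
    denied = set(policy.get("deny_licenses", []))
    violations = []
    for c in components:
        licenses = component_licenses(c)
        if not licenses and policy.get("deny_missing_license"):
            violations.append({"component": c["name"], "reason": "no license declared"})
            continue
        for lic in licenses:
            if lic in denied:
                violations.append({"component": c["name"], "reason": f"denied license {lic}"})
    return violations


if __name__ == "__main__":
    print(json.dumps(analyze_components(SAMPLE_BOM_JSON), indent=2))
    for v in check_license_policy(SAMPLE_BOM_JSON, SAMPLE_POLICY):
        print(f"VIOLATION: {v['component']}: {v['reason']}")
```

Against the constructed BOM this reports two violations: the GPL-3.0-only library matches the deny list, and the dataset with no license metadata is flagged because `deny_missing_license` is set. Treating a missing license as a finding rather than silently passing it is the conservative choice for AI components, where model and dataset licenses are often custom or absent.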

## Configuration

Most commands are configured via CLI flags. For integration commands, you provide endpoint/auth fields directly:

- Xray: `--url`, `--project`, `--token`, `--tenant-id`, `--application-id`
- Vulnerability scan provider: `--provider all|xelo-rules|osv|grype`

## Development

```bash
pip install -e ".[dev]"
ruff check src tests
mypy src
pytest
```

## Project Docs

- [Contributing](./CONTRIBUTING.md)
- [Security Policy](./SECURITY.md)
- [Support](./SUPPORT.md)
- [Governance](./GOVERNANCE.md)
- [Roadmap](./ROADMAP.md)
- [Code of Conduct](./CODE_OF_CONDUCT.md)
- [Packaging and PyPI](./PACKAGING.md)
- [Release Runbook](./RELEASE.md)
- [Changelog](./CHANGELOG.md)

## License

Apache-2.0. See [LICENSE](./LICENSE).
