
© 2025 – Pkg Stats / Ryan Hefner

@forge-framework/cli

v1.2.0

Published

AI Software Bill of Materials (AI-SBOM) CLI - Generate, verify, and audit cryptographically-signed records for AI-generated code

Readme

FORGE CLI

AI Software Bill of Materials (AI-SBOM) for AI-Generated Code


Create cryptographically-signed audit trails for AI-generated code. Track what was generated, by which AI model, when, and verify it hasn't been tampered with.

Why FORGE CLI?

As AI-assisted coding becomes ubiquitous, regulated industries need answers to critical questions:

  • "Which code in our codebase was AI-generated?"
  • "What AI model generated this function?"
  • "Has this AI-generated code been modified since creation?"
  • "Can we prove our AI coding practices meet SOC2/HIPAA requirements?"

FORGE CLI provides cryptographic proof of AI code provenance through AI-SBOMs.

Quick Start

# Install globally
npm install -g @forge-framework/cli

# Generate a signing key (once per project/organization)
forge-cli keygen --output forge-key.json

# Create an SBOM for AI-generated code
forge-cli generate src/login.ts \
  --provider anthropic \
  --model claude-3.5-sonnet \
  --key-file forge-key.json

# Verify the SBOM hasn't been tampered with
forge-cli verify src/login.sbom.json

# Check compliance against SOC2 policies
forge-cli policy check src/login.sbom.json --policy soc2

Commands

forge-cli generate <file>

Create an AI-SBOM for existing code.

forge-cli generate mycode.ts \
  --provider anthropic \
  --model claude-3.5-sonnet \
  --key-file forge-key.json \
  --output mycode.sbom.json

Options:

| Flag | Description | Default |
|------|-------------|---------|
| -p, --provider | AI provider (anthropic, openai, gemini) | unknown |
| -m, --model | Model ID (claude-3.5-sonnet, gpt-4, etc.) | unknown |
| -k, --key-file | Path to signing key | Ephemeral key |
| -o, --output | Output SBOM path | <input>.sbom.json |
| -t, --type | Artifact type (function, component, test) | Auto-detected |
| -c, --classification | Data classification | internal |

forge-cli keygen

Generate an Ed25519 key pair for signing.

forge-cli keygen --output ~/.forge/company-key.json

Options:

| Flag | Description | Default |
|------|-------------|---------|
| -o, --output | Output key file path | forge-key.json |
| -f, --force | Overwrite existing file | false |

forge-cli verify <file>

Verify SBOM cryptographic signature.

forge-cli verify artifact.sbom.json --verbose

Exit Codes:

  • 0 - Signature valid
  • 1 - Signature invalid or verification error

forge-cli audit [directory]

Scan directory and generate audit report.

forge-cli audit ./sboms/

Output includes:

  • Total SBOMs found
  • Model/provider distribution
  • Validation pass rate
  • Signature validity summary

forge-cli policy check <file>

Evaluate SBOM against compliance policies.

# Basic security check
forge-cli policy check artifact.sbom.json

# SOC2 compliance
forge-cli policy check artifact.sbom.json --policy soc2

# HIPAA compliance
forge-cli policy check artifact.sbom.json --policy hipaa

Available Policies:

| Policy | Description |
|--------|-------------|
| security-basic | TypeScript validation, signatures required |
| soc2 | SOC2 Type II requirements + review approval |
| hipaa | HIPAA-compliant providers only (Anthropic, Azure) |
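The policy table above and the audit summary described under forge-cli audit can be expressed as a small policy-as-code evaluator. The following is an added example, not the project's own policy engine: it encodes the three policies as predicate lists over records shaped like the sample SBOM shown later in this README, and aggregates a batch of records into the kind of summary the audit command is described as producing. Which fields each real policy inspects, and that soc2 layers review approval on top of the basic checks, are assumptions made for the example; the HIPAA provider allow-list follows the table as written.

```javascript
// Added example, not FORGE's code. Rules are [label, predicate]; optional chaining
// means a malformed record fails a rule instead of crashing the evaluator.
const SECURITY_BASIC = [
  ['typescript validation passed', s => s.validation?.static?.typescript?.passed === true],
  ['signature present', s => typeof s.artifact?.signature === 'string' && s.artifact.signature.length > 0],
];

const POLICIES = {
  'security-basic': SECURITY_BASIC,
  // Assumption: soc2 adds review approval on top of the basic checks.
  soc2: [...SECURITY_BASIC, ['review approved', s => s.validation?.review?.decision === 'approved']],
  // Provider allow-list as listed in the policy table.
  hipaa: [['provider is HIPAA-compliant', s => ['anthropic', 'azure'].includes(s.generation?.model?.provider)]],
};

// Evaluate one SBOM record against one named policy; failures carry the rule labels.
function checkPolicy(sbom, policyName) {
  const rules = POLICIES[policyName];
  if (!rules) throw new Error(`unknown policy: ${policyName}`);
  const failures = rules.filter(([, pred]) => !pred(sbom)).map(([label]) => label);
  return { policy: policyName, passed: failures.length === 0, failures };
}

// Audit-style summary: totals, provider/model distribution, policy pass rate and
// signature validity. Signature checking needs key material and the source bytes,
// so it is injected as a callback rather than inferred from the record alone.
function audit(sboms, policyName, signatureValid = () => true) {
  const summary = { total: sboms.length, providers: {}, models: {}, passed: 0, validSignatures: 0 };
  for (const s of sboms) {
    const provider = s.generation?.model?.provider ?? 'unknown';
    const model = s.generation?.model?.modelId ?? 'unknown';
    summary.providers[provider] = (summary.providers[provider] ?? 0) + 1;
    summary.models[model] = (summary.models[model] ?? 0) + 1;
    if (checkPolicy(s, policyName).passed) summary.passed += 1;
    if (signatureValid(s)) summary.validSignatures += 1;
  }
  summary.passRate = summary.total ? summary.passed / summary.total : 0;
  return summary;
}

// Constructed sample records (not real SBOMs); field names follow the sample
// document shown later in this README.
function sampleSboms() {
  const clone = o => JSON.parse(JSON.stringify(o));
  const approved = {
    artifact: { name: 'authenticateUser', signature: 'c2lnbmF0dXJl' },
    generation: { model: { provider: 'anthropic', modelId: 'claude-3.5-sonnet' } },
    validation: { static: { typescript: { passed: true } }, review: { decision: 'approved' } },
  };
  const unreviewed = clone(approved);
  unreviewed.validation.review.decision = 'pending';   // fails soc2 only
  const openai = clone(approved);
  openai.generation.model = { provider: 'openai', modelId: 'gpt-4' };   // fails hipaa only
  const unsigned = clone(approved);
  unsigned.artifact.signature = '';   // fails security-basic and soc2
  return { approved, unreviewed, openai, unsigned };
}
```

Running audit over the four constructed records with the soc2 policy gives a pass rate of 0.5 (the approved and openai records pass; the unreviewed and unsigned ones do not), which is the figure a reviewer would expect to see reported alongside the provider distribution.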

forge-cli export <input> <output>

Export SBOM to different formats.

# Markdown report for stakeholders
forge-cli export artifact.sbom.json report.md --format markdown

# CSV for spreadsheet analysis
forge-cli export artifact.sbom.json data.csv --format csv

# YAML for configuration management
forge-cli export artifact.sbom.json config.yaml --format yaml

CI/CD Integration

GitHub Actions

name: AI Code Compliance
on: [push, pull_request]

jobs:
  verify-sboms:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      
      - name: Setup Node.js
        uses: actions/setup-node@v4
        with:
          node-version: '20'
          
      - name: Install FORGE CLI
        run: npm install -g @forge-framework/cli
        
      - name: Verify All SBOMs
        run: |
          # -print0 / read -d '' keeps file names with spaces intact; a single
          # failing verification fails the step.
          find . -name "*.sbom.json" -print0 |
            while IFS= read -r -d '' sbom; do
              forge-cli verify "$sbom" || exit 1
            done

      - name: Policy Compliance Check
        run: |
          find . -name "*.sbom.json" -print0 |
            while IFS= read -r -d '' sbom; do
              forge-cli policy check "$sbom" --policy soc2 || exit 1
            done
          
      - name: Generate Audit Report
        run: forge-cli audit . > audit-report.txt

GitLab CI

verify-ai-code:
  image: node:20
  script:
    - npm install -g @forge-framework/cli
    - forge-cli audit ./sboms/
    # verify and policy check each take a single file, so loop instead of passing a glob
    - for sbom in ./sboms/*.sbom.json; do forge-cli verify "$sbom"; done
    - for sbom in ./sboms/*.sbom.json; do forge-cli policy check "$sbom" --policy soc2; done

Pre-commit Hook

#!/bin/bash
# .git/hooks/pre-commit
set -euo pipefail

# Verify every staged SBOM before the commit is created; one invalid signature
# aborts the commit. --diff-filter=d skips SBOMs that are being deleted, and the
# NUL-separated listing keeps paths with spaces intact.
git diff --cached --name-only --diff-filter=d -z -- '*.sbom.json' |
  while IFS= read -r -d '' sbom; do
    forge-cli verify "$sbom" || { echo "pre-commit: SBOM verification failed: $sbom" >&2; exit 1; }
  done

What's in an AI-SBOM?

{
  "sbomVersion": "1.0",
  "specVersion": "forge-ai-sbom-1.0",
  "created": "2025-01-15T10:30:00.000Z",
  "artifact": {
    "tCodeId": "T-FUNCTION-abc123",
    "type": "function",
    "name": "authenticateUser",
    "contentHash": "36ab341d2feedefc...",
    "signature": "ed25519_signature...",
    "publicKey": "da57fd3de3bee3d4..."
  },
  "generation": {
    "model": {
      "provider": "anthropic",
      "modelId": "claude-3.5-sonnet",
      "temperature": 0.7
    },
    "prompt": {
      "hash": "prompt_hash_not_content",
      "tokenCount": 1500
    }
  },
  "validation": {
    "static": {
      "typescript": { "passed": true, "errorCount": 0 },
      "security": { "passed": true, "errorCount": 0 }
    },
    "review": {
      "agent": "AUDITOR",
      "decision": "approved"
    }
  },
  "provenance": {
    "merkleRoot": "merkle_root_hash...",
    "chainPosition": 1
  },
  "compliance": {
    "dataClassification": "internal",
    "licenses": [{ "spdxId": "MIT" }]
  }
}

Security

Key Management

  • Never commit key files to version control
  • Add forge-key.json to .gitignore
  • Store production keys in secure vaults (AWS Secrets Manager, HashiCorp Vault)
  • Use separate keys for development, staging, and production
  • Always pass --key-file when generating: the ephemeral key used by default is discarded after signing, so an SBOM signed with it cannot be tied to a key your organization controls

Cryptographic Details

  • Signing Algorithm: Ed25519 (EdDSA)
  • Hashing Algorithm: BLAKE3
  • Signature Size: 64 bytes
  • Public Key Size: 32 bytes

Tamper Detection

If anyone modifies the code after SBOM generation, verification will fail:

$ forge-cli verify modified-code.sbom.json
✗ SBOM Signature INVALID
Reason: signature_mismatch

This SBOM may have been tampered with!
The content does not match the cryptographic signature.

Use Cases

Financial Services (SOC2/SOX)

Track AI-generated trading algorithms, prove code provenance for auditors.

Healthcare (HIPAA)

Ensure AI-generated code processing PHI uses only HIPAA-compliant providers.

Government (FedRAMP/CMMC)

Maintain continuous monitoring of AI-generated code changes.

Enterprise SaaS

Demonstrate security maturity to enterprise customers during vendor assessments.

Roadmap

  • [ ] TypeScript validation during generate
  • [ ] Test runner integration for coverage metrics
  • [ ] Security scanner integration
  • [ ] Batch processing (forge-cli generate ./src/**/*.ts)
  • [ ] GitHub Action (pre-packaged)
  • [ ] VS Code extension

Contributing

Contributions are welcome! Please read our contributing guidelines before submitting PRs.

License

MIT License - see LICENSE for details.

Support