Metadata-Version: 2.4
Name: skillgate
Version: 1.1.1
Summary: CLI-first CI/CD policy enforcement tool that scans agent skills for security risks
Author: SkillGate Team
License: Proprietary
Project-URL: Homepage, https://skillgate.io
Project-URL: Documentation, https://skillgate.io/docs
Project-URL: Repository, https://github.com/skillgate/skillgate
Project-URL: Changelog, https://github.com/skillgate/skillgate/blob/main/CHANGELOG.md
Project-URL: Issues, https://github.com/skillgate/skillgate/issues
Keywords: security,agent,skill,ci,policy,static-analysis,sarif
Classifier: Development Status :: 4 - Beta
Classifier: Environment :: Console
Classifier: Intended Audience :: Developers
Classifier: Programming Language :: Python :: 3
Classifier: Programming Language :: Python :: 3.10
Classifier: Programming Language :: Python :: 3.11
Classifier: Programming Language :: Python :: 3.12
Classifier: Programming Language :: Python :: 3.13
Classifier: Topic :: Security
Classifier: Topic :: Software Development :: Quality Assurance
Classifier: Typing :: Typed
Requires-Python: <3.14,>=3.10
Description-Content-Type: text/markdown
License-File: LICENSE
Requires-Dist: typer>=0.9.0
Requires-Dist: rich>=13.0.0
Requires-Dist: pydantic>=2.0.0
Requires-Dist: pyyaml>=6.0
Requires-Dist: pynacl>=1.5.0
Requires-Dist: httpx>=0.25.0
Provides-Extra: watch
Requires-Dist: watchdog>=4.0.0; extra == "watch"
Provides-Extra: docs
Requires-Dist: pypdf>=4.0.0; extra == "docs"
Requires-Dist: python-docx>=1.1.0; extra == "docs"
Provides-Extra: ast
Requires-Dist: tree-sitter>=0.22.0; extra == "ast"
Requires-Dist: tree-sitter-python>=0.23.0; extra == "ast"
Requires-Dist: tree-sitter-javascript>=0.23.0; extra == "ast"
Requires-Dist: tree-sitter-typescript>=0.23.0; extra == "ast"
Requires-Dist: tree-sitter-go>=0.23.0; extra == "ast"
Requires-Dist: tree-sitter-rust>=0.23.0; extra == "ast"
Requires-Dist: tree-sitter-ruby>=0.23.0; extra == "ast"
Requires-Dist: tree-sitter-bash>=0.23.0; extra == "ast"
Provides-Extra: api
Requires-Dist: fastapi>=0.110.0; extra == "api"
Requires-Dist: uvicorn[standard]>=0.27.0; extra == "api"
Requires-Dist: PyJWT[crypto]>=2.8.0; extra == "api"
Requires-Dist: stripe>=8.0.0; extra == "api"
Requires-Dist: sqlalchemy>=2.0.0; extra == "api"
Requires-Dist: greenlet>=3.0.0; extra == "api"
Requires-Dist: aiosqlite>=0.20.0; extra == "api"
Requires-Dist: alembic>=1.13.0; extra == "api"
Requires-Dist: asyncpg>=0.29.0; extra == "api"
Requires-Dist: psycopg[binary]>=3.1.0; extra == "api"
Requires-Dist: redis>=5.0.0; extra == "api"
Requires-Dist: httpx>=0.27.0; extra == "api"
Provides-Extra: worker
Requires-Dist: arq>=0.26.0; extra == "worker"
Provides-Extra: otel
Requires-Dist: opentelemetry-api>=1.20.0; extra == "otel"
Requires-Dist: opentelemetry-sdk>=1.20.0; extra == "otel"
Requires-Dist: opentelemetry-exporter-otlp-proto-grpc>=1.20.0; extra == "otel"
Requires-Dist: opentelemetry-instrumentation-fastapi>=0.41b0; extra == "otel"
Provides-Extra: dev
Requires-Dist: pytest>=7.4.0; extra == "dev"
Requires-Dist: pytest-cov>=4.1.0; extra == "dev"
Requires-Dist: pytest-xdist>=3.3.0; extra == "dev"
Requires-Dist: ruff>=0.4.0; extra == "dev"
Requires-Dist: mypy>=1.8.0; extra == "dev"
Requires-Dist: setuptools-scm>=8.0; extra == "dev"
Requires-Dist: types-PyYAML>=6.0; extra == "dev"
Dynamic: license-file

<h1 align="center">SkillGate</h1>
<p align="center"><strong>Deterministic AI Agent Security Governance for CI/CD and Runtime.</strong></p>

<p align="center">
  <a href="https://skillgate.io">Website</a> •
  <a href="https://skillgate.io/docs">Docs</a> •
  <a href="https://github.com/skillgate/skillgate">GitHub</a> •
  <a href="https://pypi.org/project/skillgate/">PyPI</a>
</p>

<p align="center">
  <img src="https://img.shields.io/badge/python-3.10%2B-blue" alt="Python" />
  <img src="https://img.shields.io/badge/runtime-CLI%20%2B%20API%20%2B%20Worker-0b5fff" alt="Runtime" />
  <img src="https://img.shields.io/badge/security-signed%20evidence-0a7d3b" alt="Signed Evidence" />
  <img src="https://img.shields.io/badge/license-proprietary-1f2937" alt="License" />
</p>

SkillGate is the control plane for AI-agent execution safety. It does not stop at detection.
It enforces policy, blocks unsafe actions, and produces signed evidence for enterprise audit,
compliance, and procurement.

## Why SkillGate

- Deterministic policy enforcement, not best-effort warnings.
- Runtime governance gates for high-risk agent actions.
- Signed proof artifacts (Ed25519 + canonical JSON) for trust and traceability.
- CI/CD integration that can fail builds on policy violations.
- Enterprise-ready legal/governance posture and release gates.

## Quick Start

Choose one entrypoint:

- Recommended: Python CLI (canonical runtime)
- Alternative: npm wrapper (delegates to Python runtime)

### Option A — Python CLI (recommended)

```bash
pipx install skillgate
skillgate version
```

### Option B — npm wrapper (optional)

The npm package is a launcher only. It still requires Python + `skillgate` installed.

```bash
npm install -g @skillgate-io/cli
skillgate version
# or run without install:
npx @skillgate-io/cli version
```

### Required runtime configuration (minimum)

SkillGate reads configuration from environment variables (shell, `.env`, CI, or deployment secrets).

```bash
export SKILLGATE_API_KEY="sg_free_or_paid_key_here"
```

Optional, depending on your flow:

```bash
export SKILLGATE_API_URL="https://api.skillgate.io"
```

For the full environment reference, see `.env.example`.

### First governed scan

```bash
skillgate scan ./my-agent-skill --enforce --policy production
```

### Verify signed report

```bash
skillgate verify report.json
```

## Standout Capabilities

- Static + semantic risk analysis across multi-language agent code.
- Deterministic risk scoring and policy outcomes.
- Runtime gateway controls (approval, scope, budget, lineage).
- Governance-before-autonomy gates for write/remediation paths.
- Signed release/readiness and proof-pack evidence workflows.

## Programming Languages and Stack

### Core product

- Python 3.10+ (`skillgate` CLI/core/API/worker)
- TypeScript/React/Next.js (`web-ui`)
- Shell scripts (deployment, smoke, rollback, release gates)
- YAML/JSON (CI workflows, governance policies, contracts)

### Runtime components

- CLI: Typer + Rich
- API: FastAPI + SQLAlchemy + Alembic + PostgreSQL + Redis
- Security/signing: PyNaCl (Ed25519), SHA-256
- Quality gates: pytest, Ruff, mypy, pip-audit, detect-secrets
- Web: Next.js 14, React 18, TypeScript, Tailwind

## Repository Structure

```text
skillgate/
├── skillgate/        # CLI + core + API + worker
├── web-ui/           # Marketing/docs/product UI
├── scripts/          # Deploy, release, quality and gate automation
├── tests/            # Unit, integration, e2e, defense, docs contracts
├── docs/             # PRD, architecture, implementation and governance packs
└── .github/workflows # CI/CD and release gates
```

## Documentation

- Product and roadmap: `docs/PRD.md`, `docs/IMPLEMENTATION-PLAN.md`
- Open-core split governance: `docs/section-16-open-core-split-governance/README.md`
- Deployment runbooks: `docs/PROD-SETUP-NETLIFY-RAILWAY.md`, `docs/STABLE-LAUNCH-RUNBOOK.md`
- API migrations: `docs/API-MIGRATIONS.md`

## CTA: Build a Governed Agent Pipeline

1. Install SkillGate (Python CLI recommended; npm wrapper optional).
2. Run your first enforced scan.
3. Add CI gate enforcement.
4. Generate and verify signed evidence.
5. Roll into runtime governance for production agent actions.

For enterprise rollout support: `support@skillgate.io`

## License

Proprietary. All rights reserved.
