Support directory input for `validate` command

[wiebe-vandendriessche]

Problem or motivation

• validate only accepts a single file via --input

• Cannot validate directories containing multiple AIBOMs

• Typical aibomgen output produces multiple BOM files

• Users must manually loop or script around the CLI

• Current flow:

  bom, err := bomio.ReadBOM(inputPath, format)

  assumes a single file and tightly couples parsing to execution

• No file discovery or filtering:

  • no support for .json / .xml scanning
  • no recursive traversal

• Poor CI/CD usability:

  • cannot validate full artifact directories
  • no aggregated success or failure reporting
  • stops on first error instead of processing all files

Proposed solution

• Extend --input to accept:

  • single file
  • directory

• Add directory handling:

  • detect if path is directory
  • list files and filter by .json and .xml
  • optional --recursive support

• Process all BOMs:

  • iterate over files
  • run existing validation per file
  • collect results

• Improve output:

  • per-file validation results
  • aggregated summary (valid, invalid counts)

• Error handling:

  • continue on individual file errors
  • return non-zero exit code if any file fails

• Refactor:

  func ListBOMFiles(path string) ([]string, error)

Alternatives considered

• Keep single-file input and rely on shell scripting

  • rejected due to poor UX and portability

• Add separate batch command (e.g. validate-dir)

  • rejected as unnecessary duplication

• Require explicit file lists as input

  • less ergonomic than directory support

Additional context

• Aligns with expected CLI behavior for tools operating on artifacts
• Similar batch patterns exist in linters and scanners
• Enables easier integration in CI pipelines