@parmanasystems/bundle
Deterministic governance bundle infrastructure for canonical manifests, reproducible artifacts, and cryptographic provenance.
Overview
@parmanasystems/bundle provides the deterministic artifact foundation for the Parmana Systems governance ecosystem.
It is responsible for:
- canonical serialization
- deterministic hashing
- governance manifest generation
- reproducible governance artifacts
- portable provenance lineage
- deterministic bundle verification
- governance artifact traversal
Every signed governance artifact in Parmana depends on this package.
This includes:
- execution attestations
- runtime manifests
- governance bundles
- release manifests
- rebuild attestations
Governance bundles are deterministic infrastructure artifacts with reproducible cryptographic lineage.
Mental Model
Policy
↓
Canonical Serialization
↓
Manifest Generation
↓
Deterministic Hashing
↓
Signature
↓
Portable Governance Artifact
The bundle layer transforms governance configuration into reproducible governance artifacts.
What this package does
The bundle package provides:
- deterministic JSON canonicalization
- governance manifest generation
- reproducible hashing
- governance artifact traversal
- manifest verification
- deterministic provenance reconstruction
This package establishes the deterministic artifact model required for:
- replay-safe governance
- portable verification
- reproducible releases
- cryptographic integrity
When to use this package
Use this package when:
- generating governance manifests
- creating reproducible governance artifacts
- canonicalizing governance payloads
- computing deterministic governance hashes
- verifying governance artifact integrity
- implementing provenance reconstruction
- building custom signing flows
Do NOT use this package when:
- executing governed decisions
- independently verifying attestations
- deploying HTTP runtimes
- performing governance evaluation
In those cases use:
| Package | Responsibility |
| --- | --- |
| @parmanasystems/execution | governed execution |
| @parmanasystems/verifier | independent verification |
| @parmanasystems/server | deployable runtime |
| @parmanasystems/core | unified governance SDK |
Features
- Deterministic canonical serialization
- Stable governance hashing
- Reproducible governance manifests
- Portable governance artifacts
- Deterministic file traversal
- Bundle integrity verification
- Canonical provenance reconstruction
- Cross-platform reproducibility
Installation
npm install @parmanasystems/bundle
Quick Start
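// Run as an ES module: the calls below use top-level await.
import {
  canonicalize,
  sha256,
  generateManifest,
  verifyManifest,
} from "@parmanasystems/bundle";

// Canonical form does not depend on key insertion order.
const canonical =
  canonicalize({
    b: 2,
    a: 1,
  });
console.log(canonical);

// Hash the canonical form.
const hash =
  sha256(canonical);
console.log(hash);

// Generate a manifest for the policy directory.
const manifest =
  await generateManifest(
    "claims-approval",
    "v1",
    "./policies/claims-approval/v1"
  );

// Verify the manifest against the same directory.
const result =
  await verifyManifest(
    manifest,
    "./policies/claims-approval/v1"
  );
console.log(
  result.valid
);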
Core Concepts
Canonical Serialization
Canonical serialization produces deterministic JSON bytes.
The same object always produces the same serialized representation regardless of:
- property insertion order
- runtime environment
- platform differences
Example:
canonicalize({
  b: 2,
  a: 1,
});
Produces:
{
  "a": 1,
  "b": 2
}
Canonicalization guarantees:
- stable hashes
- reproducible signatures
- deterministic provenance
- portable verification
Deterministic Hashing
Governance artifacts are hashed deterministically.
The same canonical content always produces the same hash.
identical content → identical hash
This enables:
- provenance reconstruction
- independent verification
- replay-safe governance
- reproducible releases
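Why canonicalization has to come before hashing, as an added example that is not part of the package or its README: two objects with the same content but different key order hash differently under plain `JSON.stringify` and identically once keys are sorted at every depth. The names `canonicalizeSketch` and `sha256Hex` are hypothetical, and the compact output format and the rejection of non-JSON values are assumptions of this sketch.

```javascript
// Added sketch using Node.js built-ins only; not the @parmanasystems/bundle source.
const { createHash } = require("node:crypto");

const sha256Hex = (text) => createHash("sha256").update(text, "utf8").digest("hex");

// Emit compact JSON with object keys sorted at every depth (assumed byte format).
function canonicalizeSketch(value) {
  if (value === null || typeof value === "string" || typeof value === "boolean") {
    return JSON.stringify(value);
  }
  if (typeof value === "number") {
    // JSON.stringify would silently turn NaN/Infinity into null and change the hash input.
    if (!Number.isFinite(value)) throw new TypeError("non-finite number");
    return JSON.stringify(value);
  }
  if (Array.isArray(value)) {
    // Array order is data, so it is preserved; holes surface as undefined and are rejected.
    return "[" + Array.from(value, (v) => canonicalizeSketch(v)).join(",") + "]";
  }
  const proto = typeof value === "object" ? Object.getPrototypeOf(value) : undefined;
  if (proto !== Object.prototype && proto !== null) {
    // undefined, functions, Date, Map, ...: no unambiguous JSON form, so refuse.
    throw new TypeError("unsupported value in canonical input");
  }
  const keys = Object.keys(value).sort(); // UTF-16 code-unit order, locale-independent
  const members = keys.map((k) => JSON.stringify(k) + ":" + canonicalizeSketch(value[k]));
  return "{" + members.join(",") + "}";
}

// Constructed inputs: same content, different key insertion order.
function demo() {
  const a = { policy_id: "claims-approval", limits: { max: 1000, min: 1 }, tags: ["x", "y"] };
  const b = { tags: ["x", "y"], limits: { min: 1, max: 1000 }, policy_id: "claims-approval" };
  return {
    naiveEqual: sha256Hex(JSON.stringify(a)) === sha256Hex(JSON.stringify(b)),
    canonicalEqual: sha256Hex(canonicalizeSketch(a)) === sha256Hex(canonicalizeSketch(b)),
    canonical: canonicalizeSketch(b),
  };
}

console.log(demo());
```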
Governance Bundles
Governance bundles package deterministic governance artifacts.
Bundles include:
- policy definitions
- manifest metadata
- artifact hashes
- runtime requirements
- governance provenance
Bundles are:
- portable
- reproducible
- independently verifiable
- content-addressed
Reproducibility
The bundle layer enables deterministic rebuild verification.
Reproducibility is based on:
- canonical serialization
- deterministic traversal
- stable hashing
- immutable artifacts
Provenance derives from deterministic artifacts, not runtime metadata.
This means provenance does NOT depend on:
- timestamps
- git state
- runtime memory
- deployment environment
Bundle Provenance
Governance provenance includes:
- artifact hashes
- manifest lineage
- runtime requirements
- canonical serialization
- deterministic bundle identity
This enables:
- portable governance validation
- independent rebuild verification
- immutable artifact lineage
Example Bundle Manifest
{
  "manifest_version": "1",
  "policy_id": "claims-approval",
  "policy_version": "v1",
  "artifacts": [
    {
      "path": "policy.json",
      "hash": "91ac7e2c..."
    },
    {
      "path": "bundle.sig",
      "hash": "7f2a11d9..."
    }
  ],
  "runtime_requirements": {
    "supported_runtime_versions": [
      "1.x"
    ],
    "supported_schema_versions": [
      "1.0.0"
    ]
  },
  "bundle_hash": "f4f8b7d1..."
}
Bundle Lifecycle
Governance Artifact
↓
canonicalize()
↓
Deterministic JSON Bytes
↓
sha256()
↓
Manifest Generation
↓
Signature
↓
Portable Governance Artifact
API Overview
canonicalize
Produces deterministic JSON serialization.
import {
  canonicalize
} from "@parmanasystems/bundle";
const canonical =
  canonicalize({
    b: 2,
    a: 1,
  });
Canonicalization recursively sorts keys and produces stable deterministic output.
sha256
Computes deterministic SHA-256 hashes.
import {
  sha256
} from "@parmanasystems/bundle";
const hash =
  sha256(
    '{"a":1}'
  );
generateManifest
Generates deterministic governance manifests.
import {
  generateManifest
} from "@parmanasystems/bundle";
const manifest =
  await generateManifest(
    "claims-approval",
    "v1",
    "./policies/claims-approval/v1"
  );
Manifest generation:
- traverses artifacts deterministically
- hashes all governance files
- computes bundle lineage
verifyManifest
Verifies governance manifest integrity.
import {
  verifyManifest
} from "@parmanasystems/bundle";
const result =
  await verifyManifest(
    manifest,
    "./policies/claims-approval/v1"
  );
console.log(
  result.valid
);
Verification checks:
- deterministic hashes
- artifact integrity
- manifest lineage
traverseBundle
Returns deterministically ordered bundle artifacts.
import {
  traverseBundle
} from "@parmanasystems/bundle";
const files =
  await traverseBundle(
    "./policies/claims-approval/v1"
  );
Traversal uses:
- sorted ordering
- POSIX-relative paths
- deterministic traversal semantics
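How deterministic traversal, per-file hashing and a bundle hash combine into a verification result, as an added example that is not the package's own code and covers the generateManifest, verifyManifest and traverseBundle descriptions above. The names `listFiles`, `buildManifest`, `verify` and `sha256Hex` are hypothetical, the bundle-hash scheme (SHA-256 over the ordered path/hash pairs) is an assumption, and the sample bundle is constructed in a temporary directory.

```javascript
// Added sketch using Node.js built-ins only; not the @parmanasystems/bundle source.
const { createHash } = require("node:crypto");
const fs = require("node:fs");
const os = require("node:os");
const path = require("node:path");
const sha256Hex = (data) => createHash("sha256").update(data).digest("hex");

// Collect regular files under root as POSIX-style relative paths, in a stable order.
function listFiles(root) {
  const out = [];
  const walk = (dir) => {
    for (const entry of fs.readdirSync(dir, { withFileTypes: true })) {
      const full = path.join(dir, entry.name);
      if (entry.isDirectory()) walk(full);
      else if (entry.isFile()) out.push(path.relative(root, full).split(path.sep).join("/"));
    }
  };
  walk(root);
  // Code-unit comparison: localeCompare would tie the order to the host locale.
  return out.sort((a, b) => (a < b ? -1 : a > b ? 1 : 0));
}

// Hash each file, then hash the ordered [path, hash] pairs (assumed identity scheme).
function buildManifest(root) {
  const artifacts = listFiles(root).map((p) => ({
    path: p,
    hash: sha256Hex(fs.readFileSync(path.join(root, p))),
  }));
  return { artifacts, bundle_hash: sha256Hex(JSON.stringify(artifacts.map((a) => [a.path, a.hash]))) };
}

// Recompute from disk rather than trusting per-file hashes carried in the manifest.
function verify(manifest, root) {
  const actual = buildManifest(root).bundle_hash;
  const expected = manifest.bundle_hash;
  return { valid: actual === expected, expected_bundle_hash: expected, actual_bundle_hash: actual };
}

function demo() { // constructed sample bundle: verify, tamper, verify again
  const root = fs.mkdtempSync(path.join(os.tmpdir(), "bundle-demo-"));
  fs.mkdirSync(path.join(root, "rules"));
  fs.writeFileSync(path.join(root, "policy.json"), '{"limit":1000}');
  fs.writeFileSync(path.join(root, "rules", "a.json"), '{"allow":true}');
  const manifest = buildManifest(root);
  const before = verify(manifest, root);
  fs.writeFileSync(path.join(root, "policy.json"), '{"limit":9999}'); // simulated tampering
  const after = verify(manifest, root);
  fs.rmSync(root, { recursive: true, force: true });
  return { paths: manifest.artifacts.map((a) => a.path), before, after };
}
```

A matching hash only shows that the directory matches the manifest; trusting the manifest itself depends on the signature step in the lifecycle above.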
Types
BundleManifest
interface BundleManifest {
  manifest_version: "1";
  policy_id: string;
  policy_version: string;
  artifacts: BundleArtifact[];
  runtime_requirements:
    RuntimeRequirements;
  bundle_hash: string;
}
BundleArtifact
interface BundleArtifact {
  path: string;
  hash: string;
}
VerifyResult
interface VerifyResult {
  valid: boolean;
  expected_bundle_hash: string;
  actual_bundle_hash: string;
}
Role in the Governance Pipeline
Governance Policy
↓
Bundle Generation
↓
Canonical Serialization
↓
Deterministic Hashing
↓
Bundle Signature
↓
Governed Runtime Execution
↓
Independent Verification
The bundle layer provides the reproducible artifact foundation for the entire governance ecosystem.
Recommended Architecture
Governance Artifacts
↓
Canonical Serialization
↓
Deterministic Bundle
↓
Signed Provenance
↓
Portable Verification
Relationship to Other Parmana Packages
| Package | Responsibility |
| --- | --- |
| @parmanasystems/governance | governance lifecycle |
| @parmanasystems/bundle | canonical artifact infrastructure |
| @parmanasystems/crypto | signing and verification |
| @parmanasystems/verifier | bundle integrity verification |
| @parmanasystems/execution | execution attestation signing |
Security Model
The bundle layer guarantees:
- deterministic serialization
- stable governance hashes
- reproducible provenance
- immutable artifact lineage
- deterministic traversal
- portable integrity verification
The package is designed so that:
- provenance derives from deterministic artifacts, not runtime metadata
Most Important Principle
Governance bundles are deterministic infrastructure artifacts with reproducible cryptographic lineage.
License
Apache-2.0