@parmanasystems/bundle

Deterministic governance bundle infrastructure for portable admissibility artifacts, canonical manifest continuity, cryptographic signature validation, and independently verifiable governance distribution.

Overview

@parmanasystems/bundle provides governed artifact packaging for Parmana Systems.

The bundle layer preserves deterministic governance continuity across:

• policy distribution
• runtime portability
• admissibility validation
• provenance continuity
• signature verification
• release lineage
• external verification workflows

Bundles act as portable deterministic governance artifacts.

They enable:

• clean-room verification
• independent admissibility validation
• reproducible governance continuity
• cryptographic trust portability
• fail-closed artifact validation

Core Principle

Bundles are deterministic governance artifacts that preserve admissibility continuity across environments.

A governed bundle contains:

• immutable policy lineage
• canonical manifests
• cryptographic signatures
• provenance continuity
• deterministic compatibility metadata

Bundles are designed to remain:

• portable
• reproducible
• independently verifiable
• cryptographically accountable

What This Package Does

@parmanasystems/bundle:

• creates governed bundles
• validates bundle manifests
• validates canonical bundle hashes
• preserves admissibility continuity
• enables deterministic artifact portability
• supports clean-room verification
• preserves cryptographic lineage continuity
• validates deterministic bundle integrity
• enforces fail-closed bundle semantics

What This Package Does NOT Do

@parmanasystems/bundle does not:

• perform AI inference
• determine business truth
• execute governed policy
• mutate immutable lineage
• bypass signature validation
• silently repair invalid manifests
• probabilistically package artifacts
• override admissibility semantics

Installation

npm install @parmanasystems/bundle

Quickstart

Create Governed Bundle

import {
  createBundleManifest
} from "@parmanasystems/bundle";

const manifest =
  createBundleManifest({

    policyId:
      "claims-approval",

    policyVersion:
      "1.0.0",

    bundleHash:
      "sha256:bundle"
  });

console.log(
  manifest
);

Example Bundle Structure

bundle/
├── policy.json
├── bundle.manifest.json
├── bundle.sig
└── provenance.json

Governed Bundle Contents

Governed bundles may contain:

• policy artifacts
• canonical manifests
• bundle hashes
• cryptographic signatures
• provenance continuity metadata
• compatibility lineage
• runtime continuity metadata

These artifacts preserve deterministic admissibility continuity.

Deterministic Guarantees

@parmanasystems/bundle enforces:

• deterministic bundle identity
• canonical manifest continuity
• reproducible bundle hashing
• immutable lineage continuity
• deterministic signature continuity
• portable admissibility validation
• fail-closed bundle verification
• reproducible governance artifact continuity

Identical governed artifacts produce identical deterministic bundle identity.

Canonical Bundle Manifests

Bundle manifests are canonical governance artifacts.

Canonical manifests preserve:

• stable hashing continuity
• deterministic signatures
• reproducible verification continuity
• portable admissibility identity

Example manifest:

{
  "policyId": "claims-approval",
  "policyVersion": "1.0.0",
  "bundleHash": "sha256:..."
}

Canonicalization ensures deterministic manifest identity across environments.

Bundle Hash Continuity

Bundles preserve deterministic integrity using canonical hashes.

Bundle hashes stabilize:

• policy continuity
• provenance continuity
• release continuity
• admissibility continuity
• signature continuity

Bundle identity is deterministic and reproducible.

Cryptographic Signatures

Governed bundles support cryptographic signing using:

• canonical payloads
• deterministic manifests
• immutable lineage continuity
• Ed25519 signatures

Example:

bundle.sig

Signature verification validates:

• bundle integrity
• trust continuity
• admissibility continuity
• deterministic lineage

Admissibility Semantics

Bundles preserve admissibility continuity across environments.

Bundle admissibility depends on:

• canonical manifests
• immutable lineage
• signature continuity
• trust-root continuity
• compatibility continuity
• deterministic bundle integrity

Bundles are rejected when admissibility continuity fails.

Portable Verification

Bundles are designed for:

• clean-room verification
• external validation
• regulator-side inspection
• reproducible governance verification
• independent audit workflows
• portable trust continuity

Example:

parmana verify ./bundle

Verification validates:

• canonical hashes
• bundle signatures
• trust continuity
• provenance continuity
• admissibility continuity

Clean-Room Portability

Governed bundles are designed to validate independently from:

• repository source state
• workspace dependencies
• monorepo assumptions
• mutable infrastructure state

This enables:

• portable governance continuity
• external admissibility validation
• independent verification workflows
• reproducible trust portability

Fail-Closed Bundle Validation

The bundle layer intentionally rejects:

• canonical hash divergence
• invalid bundle signatures
• incompatible lineage continuity
• trust-root mismatch
• provenance divergence
• malformed manifests
• compatibility violations

Example failures:

✖ bundle signature mismatch
✖ canonical hash divergence
✖ admissibility continuity broken
✖ verification failed

Silent bundle repair is intentionally forbidden.

Trust Continuity

Bundle verification preserves:

• trust-root continuity
• release continuity
• provenance continuity
• signature lineage
• deterministic admissibility continuity

Trust validation depends on:

• immutable lineage
• canonical hashing
• deterministic signatures
• fail-closed verification semantics

Compatibility Model

The bundle layer validates compatibility across:

• policy versions
• runtime versions
• schema versions
• provenance lineage
• release manifests
• admissibility continuity

Incompatible lineage is rejected.

Architecture Boundaries

@parmanasystems/bundle:

• packages governed artifacts
• preserves deterministic bundle identity
• validates admissibility continuity
• enables portable verification

The bundle layer does not:

• execute governed policy
• determine admissibility directly
• replace cryptographic verification
• mutate immutable lineage

Bundles preserve deterministic trust portability.

Security Model

@parmanasystems/bundle uses:

• canonical hashing
• deterministic manifests
• immutable lineage continuity
• cryptographic signatures
• fail-closed validation
• deterministic verification semantics

Security continuity depends on:

• canonical payloads
• immutable manifests
• deterministic signatures
• trust-root continuity

Reproducibility Semantics

Bundles support deterministic reproducibility by preserving:

• canonical manifests
• stable hashes
• deterministic signatures
• immutable artifact continuity

This enables:

• independent rebuild verification
• reproducible governance validation
• deterministic release continuity
• portable trust verification

Example Use Cases

Portable Policy Distribution

Distribute governed policy artifacts across environments while preserving admissibility continuity.

External Verification

Verify governed artifacts independently in clean-room environments.

Regulated Governance Workflows

Preserve deterministic governance continuity for regulated operational systems.

Reproducible Release Validation

Validate deterministic artifact continuity across reproducible rebuild workflows.

Non-Goals

Parmana bundles do not:

• replace governance enforcement
• determine business correctness
• probabilistically package artifacts
• mutate immutable governance lineage
• bypass deterministic admissibility semantics

License

Apache-2.0