@parmanasystems/bundle 1.0.19

package/README.md

@@ -0,0 +1,120 @@
+# @parmanasystems/bundle
+
+Deterministic artifact canonicalization, hashing, and bundle I/O for the parmanasystems governance runtime.
+
+[![npm](https://img.shields.io/npm/v/@parmanasystems/bundle)](https://www.npmjs.com/package/@parmanasystems/bundle)
+
+## Overview
+
+`@parmanasystems/bundle` provides the canonical serialization foundation that makes parmanasystems governance decisions independently verifiable.
+
+Every signed governance artifact — execution results, runtime manifests, policy bundles — is signed over the **canonical JSON** form produced by this package. This ensures:
+
+- The same object always serializes to the same byte sequence regardless of property insertion order
+- Signatures can be independently reproduced and verified by any party
+- Artifact hashes are stable across platforms and runtimes
+
+## Installation
+
+```bash
+npm install @parmanasystems/bundle
+```
+
+## API
+
+### `canonicalize(value: unknown): string`
+
+Produces a deterministic JSON string with recursively sorted keys and stable formatting (INV-001). Enforced as a sealed-VM function — no `Date.now` or `Math.random` allowed inside.
+
+```typescript
+import { canonicalize } from "@parmanasystems/bundle";
+
+canonicalize({ b: 2, a: 1 });
+// '{\n  "a": 1,\n  "b": 2\n}'
+```
+
+### `sha256(content: string): string`
+
+Returns a SHA-256 hex digest of the given string.
+
+```typescript
+import { sha256 } from "@parmanasystems/bundle";
+
+sha256('{"a":1}');
+// "e3b0c44..." (hex)
+```
+
+### `generateManifest(policyId, version, directory): Promise<BundleManifest>`
+
+Hashes all files in a policy directory and produces a `BundleManifest` with a self-verifying `bundle_hash`.
+
+```typescript
+import { generateManifest } from "@parmanasystems/bundle";
+
+const manifest = await generateManifest("claims-approval", "v1", "./policies/claims-approval/v1");
+```
+
+### `readManifest(directory): Promise<BundleManifest>`
+
+Reads `bundle.manifest.json` from a directory.
+
+### `verifyManifest(manifest, directory): Promise<VerifyResult>`
+
+Re-hashes all artifacts and compares against the stored manifest.
+
+```typescript
+const result = await verifyManifest(manifest, directory);
+console.log(result.valid);  // true
+```
+
+### `traverseBundle(dir: string): Promise<string[]>`
+
+Returns sorted POSIX-relative file paths within a bundle directory, enabling deterministic hash computation.
+
+## Types
+
+### BundleManifest
+
+```typescript
+interface BundleManifest {
+  manifest_version: "1";
+  policy_id: string;
+  policy_version: string;
+  artifacts: BundleArtifact[];
+  runtime_requirements: RuntimeRequirements;
+  bundle_hash: string;  // self-verifying SHA-256
+}
+
+interface BundleArtifact {
+  path: string;    // POSIX-relative
+  hash: string;    // SHA-256 hex
+}
+```
+
+### VerifyResult
+
+```typescript
+interface VerifyResult {
+  valid: boolean;
+  expected_bundle_hash: string;
+  actual_bundle_hash: string;
+}
+```
+
+## Role in the pipeline
+
+```
+Governance artifact (object)
+        │
+   canonicalize()   ← this package
+        │
+   canonical JSON string
+        │
+   sha256() / Ed25519 sign / verify
+```
+
+`canonicalize()` is called by `signExecutionToken()`, `stageSign()`, and every other signing path in `@parmanasystems/execution`. You only need to call it directly for custom signing or verification flows.
+
+## License
+
+Apache-2.0

package/dist/index.d.ts

@@ -0,0 +1,120 @@
+/**
+ * Serializes `value` to a stable, pretty-printed JSON string with object keys
+ * sorted recursively.  This is the canonical byte representation used for all
+ * bundle hashing and manifest signing operations.
+ *
+ * Arrays preserve their original order; only object keys are sorted.
+ *
+ * Enforces: INV-001, INV-048, INV-049, INV-050, INV-051, INV-052, INV-053, INV-054.
+ */
+declare function canonicalize(value: unknown): string;
+
+/** Returns the SHA-256 hex digest of `content` (interpreted as UTF-8). Enforces: INV-047, INV-057. */
+declare function sha256(content: string): string;
+
+/** Capability and version constraints that a runtime must satisfy to execute a bundle. */
+interface RuntimeRequirements {
+    /** Runtime capability strings that must appear in the executing runtime's capability list (e.g. `"replay-protection"`). */
+    required_capabilities: string[];
+    /** Runtime version strings (e.g. `"1.0.0"`) that are acceptable to the bundle. */
+    supported_runtime_versions: string[];
+    /** Schema version strings (e.g. `"1.0.0"`) that the bundle's artifacts conform to. */
+    supported_schema_versions: string[];
+}
+
+/** A single file artifact tracked by a BundleManifest, identified by its relative path and SHA-256 hash. */
+interface BundleArtifact {
+    /** Normalized POSIX-style path relative to the bundle directory. */
+    path: string;
+    /** SHA-256 hex digest of the canonical file content. */
+    hash: string;
+}
+/**
+ * Signed, content-addressed manifest describing all artifacts in a policy bundle.
+ * The `bundle_hash` is a SHA-256 commitment over the full manifest (with `bundle_hash`
+ * zeroed), making the manifest self-verifying.
+ */
+interface BundleManifest {
+    /** Manifest format version. Currently `"1"`. */
+    manifest_version: string;
+    /** Policy identifier this bundle belongs to. */
+    policy_id: string;
+    /** Policy version string (e.g. `"v1"`). */
+    policy_version: string;
+    /** Ordered list of all content-addressed artifacts in the bundle. */
+    artifacts: BundleArtifact[];
+    /** Runtime capability and version constraints required to execute this bundle. */
+    runtime_requirements: RuntimeRequirements;
+    /**
+     * SHA-256 hex digest of the canonical manifest with `bundle_hash` set to `""`.
+     * A tamper-evident commitment over all artifact hashes and metadata.
+     */
+    bundle_hash: string;
+}
+/** Result returned by {@link verifyManifest}, including the expected and actual bundle hashes. */
+interface VerifyResult {
+    /** `true` when the re-computed bundle hash matches the manifest commitment. */
+    valid: boolean;
+    /** The bundle hash stored in the manifest (expected value). */
+    expected_bundle_hash: string;
+    /** The bundle hash re-computed from the directory contents (actual value). */
+    actual_bundle_hash: string;
+}
+
+/**
+ * Generates a content-addressed {@link BundleManifest} for `policyId`/`policyVersion`
+ * by hashing every file under `directory` (manifest and sig files excluded).
+ *
+ * JSON files are canonicalized before hashing; other files have CRLF normalized
+ * to LF.  The final `bundle_hash` is SHA-256 of the canonical manifest with
+ * `bundle_hash` set to `""`, making it a deterministic commitment over all
+ * artifact content.
+ *
+ * @param policyId      - Policy identifier to embed in the manifest.
+ * @param policyVersion - Policy version string (e.g. `"v1"`).
+ * @param directory     - Absolute path to the bundle directory.
+ */
+declare function generateManifest(policyId: string, policyVersion: string, directory: string): BundleManifest;
+
+/**
+ * Reads and JSON-parses `bundle.manifest.json` from `directory`.
+ *
+ * @param directory - Path to a bundle directory containing `bundle.manifest.json`.
+ */
+declare function readManifest(directory: string): BundleManifest;
+
+/**
+ * Recursively enumerates all non-excluded files under `directory`, returning
+ * normalized POSIX-style paths relative to `root` (defaults to `directory`).
+ * Entries are sorted deterministically by name at each level.
+ * `bundle.manifest.json` and `bundle.sig` are always excluded.
+ *
+ * @param directory - The directory to traverse.
+ * @param root      - The root used for computing relative output paths.
+ */
+declare function traverseDirectory(directory: string, root?: string): string[];
+
+/**
+ * Re-hashes every file under `directory` and recomputes the bundle hash, then
+ * compares it against `manifest.bundle_hash`.
+ *
+ * Returns `valid: true` only when the on-disk content matches the manifest
+ * commitment exactly.  Any file addition, deletion, or modification produces
+ * a differing hash and `valid: false`.
+ *
+ * @param manifest  - The reference manifest containing the expected bundle hash.
+ * @param directory - Bundle directory whose contents will be re-hashed.
+ */
+declare function verifyManifest(manifest: BundleManifest, directory: string): VerifyResult;
+
+/**
+ * Writes `manifest` to `<directory>/bundle.manifest.json` in canonical form.
+ * The output is deterministic: identical manifests always produce identical
+ * bytes on disk.
+ *
+ * @param manifest  - The manifest to persist.
+ * @param directory - Destination bundle directory.
+ */
+declare function writeManifest(manifest: BundleManifest, directory: string): void;
+
+export { type BundleArtifact, type BundleManifest, type RuntimeRequirements, type VerifyResult, canonicalize, generateManifest, readManifest, sha256, traverseDirectory, verifyManifest, writeManifest };

package/dist/index.js

@@ -0,0 +1,219 @@
+// src/canonicalize.ts
+function canonicalize(value) {
+  return JSON.stringify(sortKeys(value), null, 2);
+}
+function sortKeys(value) {
+  if (Array.isArray(value)) {
+    return value.map(sortKeys);
+  }
+  if (value !== null && typeof value === "object") {
+    return Object.keys(value).sort().reduce((acc, key) => {
+      acc[key] = sortKeys(
+        value[key]
+      );
+      return acc;
+    }, {});
+  }
+  return value;
+}
+
+// src/hash.ts
+import * as crypto from "crypto";
+function sha256(content) {
+  return crypto.createHash("sha256").update(content, "utf8").digest("hex");
+}
+
+// src/manifest.ts
+import * as fs2 from "fs";
+import * as path2 from "path";
+
+// src/traverse.ts
+import fs from "fs";
+import path from "path";
+var EXCLUDED_FILES = [
+  "bundle.manifest.json",
+  "bundle.sig"
+];
+function traverseDirectory(directory, root = directory) {
+  const entries = fs.readdirSync(directory, {
+    withFileTypes: true
+  }).sort(
+    (a, b) => a.name.localeCompare(b.name)
+  );
+  const results = [];
+  for (const entry of entries) {
+    const fullPath = path.join(
+      directory,
+      entry.name
+    );
+    if (entry.isDirectory()) {
+      results.push(
+        ...traverseDirectory(
+          fullPath,
+          root
+        )
+      );
+      continue;
+    }
+    if (EXCLUDED_FILES.includes(
+      entry.name
+    )) {
+      continue;
+    }
+    const relativePath = path.relative(
+      root,
+      fullPath
+    );
+    results.push(
+      normalizePath(relativePath)
+    );
+  }
+  return results;
+}
+function normalizePath(value) {
+  return value.replace(/\\\\/g, "/");
+}
+
+// src/manifest.ts
+function generateManifest(policyId, policyVersion, directory) {
+  const files = traverseDirectory(directory);
+  const artifacts = files.map((relativePath) => {
+    const fullPath = path2.join(
+      directory,
+      relativePath
+    );
+    const content = fs2.readFileSync(
+      fullPath,
+      "utf8"
+    );
+    const canonicalContent = relativePath.endsWith(".json") ? canonicalize(
+      JSON.parse(content)
+    ) : content.replace(
+      /\r\n/g,
+      "\n"
+    );
+    return {
+      path: relativePath,
+      hash: sha256(
+        canonicalContent
+      )
+    };
+  });
+  const manifest = {
+    manifest_version: "1",
+    policy_id: policyId,
+    policy_version: policyVersion,
+    artifacts,
+    runtime_requirements: {
+      required_capabilities: [
+        "replay-protection",
+        "attestation-signing",
+        "bundle-verification"
+      ],
+      supported_runtime_versions: [
+        "1.0.0"
+      ],
+      supported_schema_versions: [
+        "1.0.0"
+      ]
+    },
+    bundle_hash: ""
+  };
+  const canonical = canonicalize(
+    manifest
+  );
+  const bundleHash = sha256(
+    canonical
+  );
+  manifest.bundle_hash = bundleHash;
+  return manifest;
+}
+
+// src/read.ts
+import fs3 from "fs";
+import path3 from "path";
+function readManifest(directory) {
+  const manifestPath = path3.join(
+    directory,
+    "bundle.manifest.json"
+  );
+  const content = fs3.readFileSync(
+    manifestPath,
+    "utf8"
+  );
+  return JSON.parse(content);
+}
+
+// src/verify.ts
+import fs4 from "fs";
+import path4 from "path";
+function verifyManifest(manifest, directory) {
+  const files = traverseDirectory(directory);
+  const recalculatedArtifacts = files.map((relativePath) => {
+    const fullPath = path4.join(
+      directory,
+      relativePath
+    );
+    const content = fs4.readFileSync(
+      fullPath,
+      "utf8"
+    );
+    const canonicalContent = relativePath.endsWith(".json") ? canonicalize(
+      JSON.parse(content)
+    ) : content.replace(
+      /\r\n/g,
+      "\n"
+    );
+    return {
+      path: relativePath,
+      hash: sha256(
+        canonicalContent
+      )
+    };
+  });
+  const reconstructedManifest = {
+    manifest_version: manifest.manifest_version,
+    policy_id: manifest.policy_id,
+    policy_version: manifest.policy_version,
+    artifacts: recalculatedArtifacts,
+    runtime_requirements: manifest.runtime_requirements,
+    bundle_hash: ""
+  };
+  const canonical = canonicalize(
+    reconstructedManifest
+  );
+  const recalculatedBundleHash = sha256(
+    canonical
+  );
+  return {
+    valid: recalculatedBundleHash === manifest.bundle_hash,
+    expected_bundle_hash: manifest.bundle_hash,
+    actual_bundle_hash: recalculatedBundleHash
+  };
+}
+
+// src/write.ts
+import fs5 from "fs";
+import path5 from "path";
+function writeManifest(manifest, directory) {
+  const manifestPath = path5.join(
+    directory,
+    "bundle.manifest.json"
+  );
+  const canonical = canonicalize(manifest);
+  fs5.writeFileSync(
+    manifestPath,
+    canonical,
+    "utf8"
+  );
+}
+export {
+  canonicalize,
+  generateManifest,
+  readManifest,
+  sha256,
+  traverseDirectory,
+  verifyManifest,
+  writeManifest
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/canonicalize.ts","../src/hash.ts","../src/manifest.ts","../src/traverse.ts","../src/read.ts","../src/verify.ts","../src/write.ts"],"sourcesContent":["/**\n * Serializes `value` to a stable, pretty-printed JSON string with object keys\n * sorted recursively.  This is the canonical byte representation used for all\n * bundle hashing and manifest signing operations.\n *\n * Arrays preserve their original order; only object keys are sorted.\n *\n * Enforces: INV-001, INV-048, INV-049, INV-050, INV-051, INV-052, INV-053, INV-054.\n */\nexport function canonicalize(value: unknown): string {\n  return JSON.stringify(sortKeys(value), null, 2);\n}\n\nfunction sortKeys(value: unknown): unknown {\n  if (Array.isArray(value)) {\n    return value.map(sortKeys);\n  }\n\n  if (value !== null && typeof value === \"object\") {\n    return Object.keys(value as Record<string, unknown>)\n      .sort()\n      .reduce<Record<string, unknown>>((acc, key) => {\n        acc[key] = sortKeys(\n          (value as Record<string, unknown>)[key]\n        );\n\n        return acc;\n      }, {});\n  }\n\n  return value;\n}\n\n\n\n\n","import * as crypto from \"crypto\";\n\n/** Returns the SHA-256 hex digest of `content` (interpreted as UTF-8). Enforces: INV-047, INV-057. */\nexport function sha256(content: string): string {\n  return crypto\n    .createHash(\"sha256\")\n    .update(content, \"utf8\")\n    .digest(\"hex\");\n}\n\n\n\n\n","import * as fs from \"fs\";\nimport * as path from \"path\";\n\nimport { canonicalize } from \"./canonicalize\";\nimport { sha256 } from \"./hash\";\nimport { traverseDirectory } from \"./traverse\";\n\nimport type {\n  BundleArtifact,\n  BundleManifest,\n} from \"./types\";\n\n/**\n * Generates a content-addressed {@link BundleManifest} for `policyId`/`policyVersion`\n * by hashing every file under `directory` (manifest and sig files excluded).\n *\n * JSON files are canonicalized before hashing; other files have CRLF normalized\n * to LF.  The final `bundle_hash` is SHA-256 of the canonical manifest with\n * `bundle_hash` set to `\"\"`, making it a deterministic commitment over all\n * artifact content.\n *\n * @param policyId      - Policy identifier to embed in the manifest.\n * @param policyVersion - Policy version string (e.g. `\"v1\"`).\n * @param directory     - Absolute path to the bundle directory.\n */\nexport function generateManifest(\n  policyId: string,\n  policyVersion: string,\n  directory: string\n): BundleManifest {\n\n  const files =\n    traverseDirectory(directory);\n\n  const artifacts: BundleArtifact[] =\n    files.map((relativePath) => {\n\n      const fullPath =\n        path.join(\n          directory,\n          relativePath\n        );\n\n      const content =\n        fs.readFileSync(\n          fullPath,\n          \"utf8\"\n        );\n\n      const canonicalContent =\n        relativePath.endsWith(\".json\")\n          ? canonicalize(\n              JSON.parse(content)\n            )\n          : content.replace(\n              /\\r\\n/g,\n              \"\\n\"\n            );\n\n      return {\n        path:\n          relativePath,\n\n        hash:\n          sha256(\n            canonicalContent\n          ),\n      };\n    });\n\n  const manifest: BundleManifest = {\n    manifest_version:\n      \"1\",\n\n    policy_id:\n      policyId,\n\n    policy_version:\n      policyVersion,\n\n    artifacts,\n\n    runtime_requirements: {\n      required_capabilities: [\n        \"replay-protection\",\n        \"attestation-signing\",\n        \"bundle-verification\",\n      ],\n\n      supported_runtime_versions: [\n        \"1.0.0\",\n      ],\n\n      supported_schema_versions: [\n        \"1.0.0\",\n      ],\n    },\n\n    bundle_hash:\n      \"\",\n  };\n\n  const canonical =\n    canonicalize(\n      manifest\n    );\n\n  const bundleHash =\n    sha256(\n      canonical\n    );\n\n  manifest.bundle_hash =\n    bundleHash;\n\n  return manifest;\n}\n\n\n\n\n","import fs from \"fs\";\nimport path from \"path\";\n\nconst EXCLUDED_FILES = [\n  \"bundle.manifest.json\",\n  \"bundle.sig\",\n];\n\n/**\n * Recursively enumerates all non-excluded files under `directory`, returning\n * normalized POSIX-style paths relative to `root` (defaults to `directory`).\n * Entries are sorted deterministically by name at each level.\n * `bundle.manifest.json` and `bundle.sig` are always excluded.\n *\n * @param directory - The directory to traverse.\n * @param root      - The root used for computing relative output paths.\n */\nexport function traverseDirectory(\n  directory: string,\n  root: string = directory\n): string[] {\n  const entries = fs\n    .readdirSync(directory, {\n      withFileTypes: true,\n    })\n    .sort((a, b) =>\n      a.name.localeCompare(b.name)\n    );\n\n  const results: string[] = [];\n\n  for (const entry of entries) {\n    const fullPath = path.join(\n      directory,\n      entry.name\n    );\n\n    if (entry.isDirectory()) {\n      results.push(\n        ...traverseDirectory(\n          fullPath,\n          root\n        )\n      );\n\n      continue;\n    }\n\n    if (\n      EXCLUDED_FILES.includes(\n        entry.name\n      )\n    ) {\n      continue;\n    }\n\n    const relativePath =\n      path.relative(\n        root,\n        fullPath\n      );\n\n    results.push(\n      normalizePath(relativePath)\n    );\n  }\n\n  return results;\n}\n\nfunction normalizePath(\n  value: string\n): string {\n  return value.replace(/\\\\\\\\/g, \"/\");\n}\n\n\n\n\n","import fs from \"fs\";\nimport path from \"path\";\n\nimport type {\n  BundleManifest,\n} from \"./types\";\n\n/**\n * Reads and JSON-parses `bundle.manifest.json` from `directory`.\n *\n * @param directory - Path to a bundle directory containing `bundle.manifest.json`.\n */\nexport function readManifest(\n  directory: string\n): BundleManifest {\n  const manifestPath = path.join(\n    directory,\n    \"bundle.manifest.json\"\n  );\n\n  const content =\n    fs.readFileSync(\n      manifestPath,\n      \"utf8\"\n    );\n\n  return JSON.parse(content);\n}\n\n\n\n\n","import fs from \"fs\";\nimport path from \"path\";\n\nimport { canonicalize } from \"./canonicalize\";\nimport { sha256 } from \"./hash\";\nimport { traverseDirectory } from \"./traverse\";\n\nimport type {\n  BundleManifest,\n  VerifyResult,\n} from \"./types\";\n\n/**\n * Re-hashes every file under `directory` and recomputes the bundle hash, then\n * compares it against `manifest.bundle_hash`.\n *\n * Returns `valid: true` only when the on-disk content matches the manifest\n * commitment exactly.  Any file addition, deletion, or modification produces\n * a differing hash and `valid: false`.\n *\n * @param manifest  - The reference manifest containing the expected bundle hash.\n * @param directory - Bundle directory whose contents will be re-hashed.\n */\nexport function verifyManifest(\n  manifest: BundleManifest,\n  directory: string\n): VerifyResult {\n\n  const files =\n    traverseDirectory(directory);\n\n  const recalculatedArtifacts =\n    files.map((relativePath) => {\n\n      const fullPath =\n        path.join(\n          directory,\n          relativePath\n        );\n\n      const content =\n        fs.readFileSync(\n          fullPath,\n          \"utf8\"\n        );\n\n      const canonicalContent =\n        relativePath.endsWith(\".json\")\n          ? canonicalize(\n              JSON.parse(content)\n            )\n          : content.replace(\n              /\\r\\n/g,\n              \"\\n\"\n            );\n\n      return {\n        path: relativePath,\n\n        hash:\n          sha256(\n            canonicalContent\n          ),\n      };\n    });\n\n  const reconstructedManifest: BundleManifest =\n    {\n      manifest_version:\n        manifest.manifest_version,\n\n      policy_id:\n        manifest.policy_id,\n\n      policy_version:\n        manifest.policy_version,\n\n      artifacts:\n        recalculatedArtifacts,\n\n      runtime_requirements:\n        manifest.runtime_requirements,\n\n      bundle_hash: \"\",\n    };\n\n  const canonical =\n    canonicalize(\n      reconstructedManifest\n    );\n\n  const recalculatedBundleHash =\n    sha256(\n      canonical\n    );\n\n  return {\n    valid:\n      recalculatedBundleHash ===\n      manifest.bundle_hash,\n\n    expected_bundle_hash:\n      manifest.bundle_hash,\n\n    actual_bundle_hash:\n      recalculatedBundleHash,\n  };\n}\n\n\n\n\n","import fs from \"fs\";\nimport path from \"path\";\n\nimport { canonicalize } from \"./canonicalize\";\n\nimport type {\n  BundleManifest,\n} from \"./types\";\n\n/**\n * Writes `manifest` to `<directory>/bundle.manifest.json` in canonical form.\n * The output is deterministic: identical manifests always produce identical\n * bytes on disk.\n *\n * @param manifest  - The manifest to persist.\n * @param directory - Destination bundle directory.\n */\nexport function writeManifest(\n  manifest: BundleManifest,\n  directory: string\n): void {\n  const manifestPath = path.join(\n    directory,\n    \"bundle.manifest.json\"\n  );\n\n  const canonical =\n    canonicalize(manifest);\n\n  fs.writeFileSync(\n    manifestPath,\n    canonical,\n    \"utf8\"\n  );\n}\n\n\n\n\n"],"mappings":";AASO,SAAS,aAAa,OAAwB;AACnD,SAAO,KAAK,UAAU,SAAS,KAAK,GAAG,MAAM,CAAC;AAChD;AAEA,SAAS,SAAS,OAAyB;AACzC,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,QAAQ;AAAA,EAC3B;AAEA,MAAI,UAAU,QAAQ,OAAO,UAAU,UAAU;AAC/C,WAAO,OAAO,KAAK,KAAgC,EAChD,KAAK,EACL,OAAgC,CAAC,KAAK,QAAQ;AAC7C,UAAI,GAAG,IAAI;AAAA,QACR,MAAkC,GAAG;AAAA,MACxC;AAEA,aAAO;AAAA,IACT,GAAG,CAAC,CAAC;AAAA,EACT;AAEA,SAAO;AACT;;;AC/BA,YAAY,YAAY;AAGjB,SAAS,OAAO,SAAyB;AAC9C,SACG,kBAAW,QAAQ,EACnB,OAAO,SAAS,MAAM,EACtB,OAAO,KAAK;AACjB;;;ACRA,YAAYA,SAAQ;AACpB,YAAYC,WAAU;;;ACDtB,OAAO,QAAQ;AACf,OAAO,UAAU;AAEjB,IAAM,iBAAiB;AAAA,EACrB;AAAA,EACA;AACF;AAWO,SAAS,kBACd,WACA,OAAe,WACL;AACV,QAAM,UAAU,GACb,YAAY,WAAW;AAAA,IACtB,eAAe;AAAA,EACjB,CAAC,EACA;AAAA,IAAK,CAAC,GAAG,MACR,EAAE,KAAK,cAAc,EAAE,IAAI;AAAA,EAC7B;AAEF,QAAM,UAAoB,CAAC;AAE3B,aAAW,SAAS,SAAS;AAC3B,UAAM,WAAW,KAAK;AAAA,MACpB;AAAA,MACA,MAAM;AAAA,IACR;AAEA,QAAI,MAAM,YAAY,GAAG;AACvB,cAAQ;AAAA,QACN,GAAG;AAAA,UACD;AAAA,UACA;AAAA,QACF;AAAA,MACF;AAEA;AAAA,IACF;AAEA,QACE,eAAe;AAAA,MACb,MAAM;AAAA,IACR,GACA;AACA;AAAA,IACF;AAEA,UAAM,eACJ,KAAK;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAEF,YAAQ;AAAA,MACN,cAAc,YAAY;AAAA,IAC5B;AAAA,EACF;AAEA,SAAO;AACT;AAEA,SAAS,cACP,OACQ;AACR,SAAO,MAAM,QAAQ,SAAS,GAAG;AACnC;;;ADjDO,SAAS,iBACd,UACA,eACA,WACgB;AAEhB,QAAM,QACJ,kBAAkB,SAAS;AAE7B,QAAM,YACJ,MAAM,IAAI,CAAC,iBAAiB;AAE1B,UAAM,WACC;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAEF,UAAM,UACD;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAEF,UAAM,mBACJ,aAAa,SAAS,OAAO,IACzB;AAAA,MACE,KAAK,MAAM,OAAO;AAAA,IACpB,IACA,QAAQ;AAAA,MACN;AAAA,MACA;AAAA,IACF;AAEN,WAAO;AAAA,MACL,MACE;AAAA,MAEF,MACE;AAAA,QACE;AAAA,MACF;AAAA,IACJ;AAAA,EACF,CAAC;AAEH,QAAM,WAA2B;AAAA,IAC/B,kBACE;AAAA,IAEF,WACE;AAAA,IAEF,gBACE;AAAA,IAEF;AAAA,IAEA,sBAAsB;AAAA,MACpB,uBAAuB;AAAA,QACrB;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,MAEA,4BAA4B;AAAA,QAC1B;AAAA,MACF;AAAA,MAEA,2BAA2B;AAAA,QACzB;AAAA,MACF;AAAA,IACF;AAAA,IAEA,aACE;AAAA,EACJ;AAEA,QAAM,YACJ;AAAA,IACE;AAAA,EACF;AAEF,QAAM,aACJ;AAAA,IACE;AAAA,EACF;AAEF,WAAS,cACP;AAEF,SAAO;AACT;;;AEpHA,OAAOC,SAAQ;AACf,OAAOC,WAAU;AAWV,SAAS,aACd,WACgB;AAChB,QAAM,eAAeA,MAAK;AAAA,IACxB;AAAA,IACA;AAAA,EACF;AAEA,QAAM,UACJD,IAAG;AAAA,IACD;AAAA,IACA;AAAA,EACF;AAEF,SAAO,KAAK,MAAM,OAAO;AAC3B;;;AC3BA,OAAOE,SAAQ;AACf,OAAOC,WAAU;AAsBV,SAAS,eACd,UACA,WACc;AAEd,QAAM,QACJ,kBAAkB,SAAS;AAE7B,QAAM,wBACJ,MAAM,IAAI,CAAC,iBAAiB;AAE1B,UAAM,WACJC,MAAK;AAAA,MACH;AAAA,MACA;AAAA,IACF;AAEF,UAAM,UACJC,IAAG;AAAA,MACD;AAAA,MACA;AAAA,IACF;AAEF,UAAM,mBACJ,aAAa,SAAS,OAAO,IACzB;AAAA,MACE,KAAK,MAAM,OAAO;AAAA,IACpB,IACA,QAAQ;AAAA,MACN;AAAA,MACA;AAAA,IACF;AAEN,WAAO;AAAA,MACL,MAAM;AAAA,MAEN,MACE;AAAA,QACE;AAAA,MACF;AAAA,IACJ;AAAA,EACF,CAAC;AAEH,QAAM,wBACJ;AAAA,IACE,kBACE,SAAS;AAAA,IAEX,WACE,SAAS;AAAA,IAEX,gBACE,SAAS;AAAA,IAEX,WACE;AAAA,IAEF,sBACE,SAAS;AAAA,IAEX,aAAa;AAAA,EACf;AAEF,QAAM,YACJ;AAAA,IACE;AAAA,EACF;AAEF,QAAM,yBACJ;AAAA,IACE;AAAA,EACF;AAEF,SAAO;AAAA,IACL,OACE,2BACA,SAAS;AAAA,IAEX,sBACE,SAAS;AAAA,IAEX,oBACE;AAAA,EACJ;AACF;;;AC3GA,OAAOC,SAAQ;AACf,OAAOC,WAAU;AAgBV,SAAS,cACd,UACA,WACM;AACN,QAAM,eAAeC,MAAK;AAAA,IACxB;AAAA,IACA;AAAA,EACF;AAEA,QAAM,YACJ,aAAa,QAAQ;AAEvB,EAAAC,IAAG;AAAA,IACD;AAAA,IACA;AAAA,IACA;AAAA,EACF;AACF;","names":["fs","path","fs","path","fs","path","path","fs","fs","path","path","fs"]}

package/package.json

@@ -0,0 +1,43 @@
+{
+  "name": "@parmanasystems/bundle",
+  "version": "1.0.19",
+  "private": false,
+  "type": "module",
+  "scripts": {
+    "build": "tsup"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "sideEffects": false,
+  "description": "Deterministic governance artifact packaging and manifest infrastructure for parmanasystems.",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/pavancharak/parmanasystems-core.git"
+  },
+  "homepage": "https://github.com/pavancharak/parmanasystems-core",
+  "bugs": {
+    "url": "https://github.com/pavancharak/parmanasystems-core/issues"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "keywords": [
+    "governance",
+    "bundle",
+    "manifest",
+    "deterministic",
+    "provenance",
+    "artifacts"
+  ],
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts"
+}