Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.manthan.systems/llms.txt

Use this file to discover all available pages before exploring further.

Low-level package that implements the canonical serialization and content-addressing used throughout the governance pipeline. Consumed internally by @parmanasystems/governance and @parmanasystems/verifier. Most applications don’t need to import this directly.

Install

npm install @parmanasystems/bundle

Key exports

ExportDescription
canonicalizeStable, sorted-key JSON serialization
sha256SHA-256 hex digest
generateManifestBuild a content-addressed bundle manifest
writeManifestWrite manifest to disk
readManifestRead and parse a manifest file
verifyManifestVerify that policy files match the manifest hash
traverseDirectoryList policy files, excluding bundle artifacts

canonicalize

Produces a deterministic JSON string from any value by recursively sorting object keys, NFC-normalizing strings, and normalizing line endings. This is the canonical byte representation for all hashing and signing operations across the governance pipeline. 
import { canonicalize } from "@parmanasystems/bundle";

canonicalize({ z: 3, a: 1, m: 2 })
// '{"a":1,"m":2,"z":3}'

canonicalize({ nested: { b: 2, a: 1 } })
// '{"nested":{"a":1,"b":2}}'
Properties:
  • Object keys are sorted recursively at every level
  • Array order is preserved
  • Strings are Unicode NFC-normalized
  • CRLF (\r\n) line endings are normalized to LF (\n)
  • Output is compact JSON - no extra whitespace

sha256

import { sha256 } from "@parmanasystems/bundle";

const hash = sha256("hello world");
// "b94d27b9934d3e08a52e52d7da7dabfac484efe04294e576d4b5c4f5a5b5d4b"

verifyManifest

import { readManifest, verifyManifest } from "@parmanasystems/bundle";

const manifest = readManifest("./policies/loan-approval/1.0.0/bundle.manifest.json");
const result   = verifyManifest(manifest, "./policies/loan-approval/1.0.0");

console.log(result.valid);
console.log(result.expected_bundle_hash);
console.log(result.actual_bundle_hash);

Why canonical serialization matters

The execution_fingerprint and all signatures in the governance pipeline depend on canonical serialization. Without it:
  • An attestation signed on one platform may not verify on another
  • Key insertion order affects the hash, making fingerprints non-reproducible
  • Third parties computing the fingerprint from the same inputs get different values
See Trust Portability for the full explanation.