> ## Documentation Index
> Fetch the complete documentation index at: https://docs.manthan.systems/llms.txt
> Use this file to discover all available pages before exploring further.

# @parmanasystems/bundle

> Canonical JSON serialization, content hashing, and manifest generation

Low-level package that implements the canonical serialization and content-addressing used throughout the governance pipeline. Consumed internally by `@parmanasystems/governance` and `@parmanasystems/verifier`. Most applications don't need to import this directly.

## Install

```bash theme={null}
npm install @parmanasystems/bundle
```

## Key exports

| Export              | Description                                      |
| ------------------- | ------------------------------------------------ |
| `canonicalize`      | Stable, sorted-key JSON serialization            |
| `sha256`            | SHA-256 hex digest                               |
| `generateManifest`  | Build a content-addressed bundle manifest        |
| `writeManifest`     | Write manifest to disk                           |
| `readManifest`      | Read and parse a manifest file                   |
| `verifyManifest`    | Verify that policy files match the manifest hash |
| `traverseDirectory` | List policy files, excluding bundle artifacts    |

## canonicalize

Produces a deterministic JSON string from any value by recursively sorting object keys, NFC-normalizing strings, and normalizing line endings. This is the canonical byte representation for all hashing and signing operations across the governance pipeline.

```typescript theme={null}
import { canonicalize } from "@parmanasystems/bundle";

canonicalize({ z: 3, a: 1, m: 2 })
// '{"a":1,"m":2,"z":3}'

canonicalize({ nested: { b: 2, a: 1 } })
// '{"nested":{"a":1,"b":2}}'
```

Properties:

* Object keys are sorted recursively at every level
* Array order is preserved
* Strings are Unicode NFC-normalized
* CRLF (`\r\n`) line endings are normalized to LF (`\n`)
* Output is compact JSON - no extra whitespace

## sha256

```typescript theme={null}
import { sha256 } from "@parmanasystems/bundle";

const hash = sha256("hello world");
// "b94d27b9934d3e08a52e52d7da7dabfac484efe04294e576d4b5c4f5a5b5d4b"
```

## verifyManifest

```typescript theme={null}
import { readManifest, verifyManifest } from "@parmanasystems/bundle";

const manifest = readManifest("./policies/loan-approval/1.0.0/bundle.manifest.json");
const result   = verifyManifest(manifest, "./policies/loan-approval/1.0.0");

console.log(result.valid);
console.log(result.expected_bundle_hash);
console.log(result.actual_bundle_hash);
```

## Why canonical serialization matters

The `execution_fingerprint` and all signatures in the governance pipeline depend on canonical serialization. Without it:

* An attestation signed on one platform may not verify on another
* Key insertion order affects the hash, making fingerprints non-reproducible
* Third parties computing the fingerprint from the same inputs get different values

See [Trust Portability](/architecture/trust-portability) for the full explanation.