Skip to main content

Continuity bill of materials and State of Manifest inspector for sealed TIBET envelopes.

Project description

tibet-cbom

Continuity Bill of Materials and State of Manifest inspector for sealed TIBET envelopes.

This sandbox package sketches a tool family around two closely related ideas:

  • CBOM
    • continuity-aware bill of materials
    • what is in the object, plus how that object sits in a continuity chain
  • SoM
    • State of Manifest
    • who asserted what, when, and how the manifest/surface relationship evolved over time

The first operator surface is intentionally simple:

tibet-cbom inspect file.tza
tibet-cbom inspect file.tza --json

And the more human/forensic framing remains available through the alias:

tibet-som inspect file.tza

Why this exists

Normal file inspection answers:

  • what is this file called
  • how large is it
  • what extension does it have

CBOM / SoM should answer richer questions:

  • what class of sealed object is this
  • what does its canonical surface appear to be
  • what continuity identifiers are attached
  • what events happened to it over time
  • when was it renamed
  • when was it verified
  • when was a surface mismatch marked as partial or suspicious

That makes tibet-cbom feel less like file(1) and more like:

  • git log
  • for continuity-bearing envelopes

Current sandbox scope

This skeleton does not claim full TBZ parsing yet.

It provides:

  • package layout
  • datamodel sketch
  • CLI shape
  • human and JSON rendering
  • a first local file inspector that can grow into real manifest/event extraction later
  • optional continuityd audit JSONL merge for early SoM timelines

Commands

inspect

Compact human summary or JSON object.

tibet-cbom inspect 2026-05-12.peer-eval.claude.urgent.tza
tibet-cbom inspect vergadering-dinsdag.pdf
tibet-cbom inspect file.tza --json
tibet-cbom inspect file.tza --audit-file expected-audit-example.jsonl

timeline

Reserved for a later event-only view.

tibet-cbom timeline file.tza
tibet-cbom timeline file.tza --audit-file expected-audit-example.jsonl --json

authority

Compact current authority state.

tibet-cbom authority file.tza
tibet-cbom authority file.tza --json

verify

Explicit manifest and authority-step consistency check.

tibet-cbom verify file.tza
tibet-cbom verify file.tza --json
tibet-cbom verify file.tza --audit-file expected-audit-example.jsonl

rewrap

Sandbox ownership-transition event sketch.

tibet-cbom rewrap task.tza \
  --audit-file audit.jsonl \
  --actor jis:humotica:jasper.admin \
  --authority-mode admin \
  --transition-type freeze \
  --status frozen \
  --effective-assignee jis:humotica:agent.ai \
  --reason "manual triage hold" \
  --freeze-reason-code human-review

If you also want a sandbox sealed bundle:

tibet-cbom rewrap task.tza \
  --audit-file audit.jsonl \
  --actor jis:humotica:jasper.admin \
  --authority-mode admin \
  --transition-type freeze \
  --status frozen \
  --effective-assignee jis:humotica:agent.ai \
  --reason "manual triage hold" \
  --freeze-reason-code human-review \
  --identity-dir ./admin-identity \
  --emit-bundle /tmp/admin-freeze.tza

Basic policy guards now apply:

  • handoff requires --handoff-target
  • freeze requires --freeze-reason-code
  • authority-mode=admin expects an admin actor id
  • emitted bundle signing identity must match transition actor

Data model direction

The package uses two main record types:

  • CBOMDocument
    • file path
    • human name
    • canonical name hint
    • continuity identifiers
    • surface status
    • material facts
    • event timeline
  • SoMEvent
    • timestamp
    • action
    • actor
    • action id
    • notes / fields

This keeps the distinction clear:

  • CBOM is the object summary
  • SoM is the walkable event chain inside or around that object

Current known sealed payloads include:

  • ownership transitions
  • SAM gateway receipts

So a sealed sam_gateway_receipt is no longer treated as an opaque payload; it lands as a first-class sam-executed event in the local SoM timeline.

Likely next steps

  • extract canonical surface from real manifests
  • map continuity IDs from real payloads/manifests
  • render surface status transitions:
    • MATCH
    • PARTIAL
    • DISGUISED
    • RENAMED
  • deepen verify into fuller chain integrity / succession validation

Short framing

VCs answer:

  • who are you

SoM answers:

  • what did you manifest and when

CBOM then becomes the readable continuity-aware object view that ties those together.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tibet_cbom-0.2.0.tar.gz (18.9 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tibet_cbom-0.2.0-py3-none-any.whl (22.1 kB view details)

Uploaded Python 3

File details

Details for the file tibet_cbom-0.2.0.tar.gz.

File metadata

  • Download URL: tibet_cbom-0.2.0.tar.gz
  • Upload date:
  • Size: 18.9 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_cbom-0.2.0.tar.gz
Algorithm Hash digest
SHA256 dbabc97f6fdc66a1c27e34b1e1281bdb1ba822b70fb10b57e2e0bffa4ed0238a
MD5 6cbd3531cf043e4b8828040c1a531570
BLAKE2b-256 0c8d7718b6741262cd59e06c0f34a8495bedfced49c7f0a5d490fa6fe1af7fe3

See more details on using hashes here.

File details

Details for the file tibet_cbom-0.2.0-py3-none-any.whl.

File metadata

  • Download URL: tibet_cbom-0.2.0-py3-none-any.whl
  • Upload date:
  • Size: 22.1 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_cbom-0.2.0-py3-none-any.whl
Algorithm Hash digest
SHA256 34f17b6794a0235edbf0a2cd8dec519073b5f360e2938e8ebf9ef81d57c9df4d
MD5 eaf010e1afc02f59fbdb57839ee55655
BLAKE2b-256 7f87e1531eeb274a2d6cd9c8a500724133cb9358c29ee8379d2de851226ccc67

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page