Skip to main content

Continuity bill of materials and State of Manifest inspector for sealed TIBET envelopes.

Project description

tibet-cbom

Continuity Bill of Materials and State of Manifest inspector for sealed TIBET envelopes.

This sandbox package sketches a tool family around two closely related ideas:

  • CBOM
    • continuity-aware bill of materials
    • what is in the object, plus how that object sits in a continuity chain
  • SoM
    • State of Manifest
    • who asserted what, when, and how the manifest/surface relationship evolved over time

The first operator surface is intentionally simple:

tibet-cbom inspect file.tza
tibet-cbom inspect file.tza --json

And the more human/forensic framing remains available through the alias:

tibet-som inspect file.tza

Semantic Surface Manifest (SSM)

A .tza output can carry any name or extension — file-voor.claude, log-2026.jasper.aint-lane5.log_storageQ2. The name is a greeting and a useful index; the sealed manifest is the truth.

tibet_cbom.ssm parses the surface into advisory hints (never authority) and renders a posture card over an inspected object:

from tibet_cbom import ssm

ssm.parse_surface_facets("log-2026.jasper.aint-lane5.log_storageQ2")
# -> {"quarter": "Q2", "year": "2026", "lane": "5", "actor": "jasper.aint",
#     "disposition": ["log", "storage"], "authority": "none — verify the manifest"}

print(ssm.ssm_card(doc).render())
# [SSM POSTURE: TZA#89421]
#  │││││_ Surface  : liquid (name + facets; a greeting)
#  ││││__ Seal     : byte-identical lock (Ed25519+PCLMULQDQ); magic = TBZ
#  │││___ Causal   : frozen at Lamport-tick #489201
#  ││____ Origin   : created by Route Posture #24358 (A5)
#  │_____ Manifest : .tza (tibet-zip) inviolable core

Two laws: the surface carries no authority — verified on magic bytes + signature, never the filename, so zombie-zips (name says .tza, magic says otherwise) are refused — and the surface is still a useful index: tibet-audit may bucket by .log_storageQ2, but the manifest always wins on a drift.

Why this exists

Normal file inspection answers:

  • what is this file called
  • how large is it
  • what extension does it have

CBOM / SoM should answer richer questions:

  • what class of sealed object is this
  • what does its canonical surface appear to be
  • what continuity identifiers are attached
  • what events happened to it over time
  • when was it renamed
  • when was it verified
  • when was a surface mismatch marked as partial or suspicious

That makes tibet-cbom feel less like file(1) and more like:

  • git log
  • for continuity-bearing envelopes

Current sandbox scope

This skeleton does not claim full TBZ parsing yet.

It provides:

  • package layout
  • datamodel sketch
  • CLI shape
  • human and JSON rendering
  • a first local file inspector that can grow into real manifest/event extraction later
  • optional continuityd audit JSONL merge for early SoM timelines

Commands

inspect

Compact human summary or JSON object.

tibet-cbom inspect 2026-05-12.peer-eval.claude.urgent.tza
tibet-cbom inspect vergadering-dinsdag.pdf
tibet-cbom inspect file.tza --json
tibet-cbom inspect file.tza --audit-file expected-audit-example.jsonl

timeline

Reserved for a later event-only view.

tibet-cbom timeline file.tza
tibet-cbom timeline file.tza --audit-file expected-audit-example.jsonl --json

authority

Compact current authority state.

tibet-cbom authority file.tza
tibet-cbom authority file.tza --json

verify

Explicit manifest and authority-step consistency check.

tibet-cbom verify file.tza
tibet-cbom verify file.tza --json
tibet-cbom verify file.tza --audit-file expected-audit-example.jsonl

rewrap

Sandbox ownership-transition event sketch.

tibet-cbom rewrap task.tza \
  --audit-file audit.jsonl \
  --actor jis:humotica:jasper.admin \
  --authority-mode admin \
  --transition-type freeze \
  --status frozen \
  --effective-assignee jis:humotica:agent.ai \
  --reason "manual triage hold" \
  --freeze-reason-code human-review

If you also want a sandbox sealed bundle:

tibet-cbom rewrap task.tza \
  --audit-file audit.jsonl \
  --actor jis:humotica:jasper.admin \
  --authority-mode admin \
  --transition-type freeze \
  --status frozen \
  --effective-assignee jis:humotica:agent.ai \
  --reason "manual triage hold" \
  --freeze-reason-code human-review \
  --identity-dir ./admin-identity \
  --emit-bundle /tmp/admin-freeze.tza

Basic policy guards now apply:

  • handoff requires --handoff-target
  • freeze requires --freeze-reason-code
  • authority-mode=admin expects an admin actor id
  • emitted bundle signing identity must match transition actor

Data model direction

The package uses two main record types:

  • CBOMDocument
    • file path
    • human name
    • canonical name hint
    • continuity identifiers
    • surface status
    • material facts
    • event timeline
  • SoMEvent
    • timestamp
    • action
    • actor
    • action id
    • notes / fields

This keeps the distinction clear:

  • CBOM is the object summary
  • SoM is the walkable event chain inside or around that object

Current known sealed payloads include:

  • ownership transitions
  • SAM gateway receipts

So a sealed sam_gateway_receipt is no longer treated as an opaque payload; it lands as a first-class sam-executed event in the local SoM timeline.

Likely next steps

  • extract canonical surface from real manifests
  • map continuity IDs from real payloads/manifests
  • render surface status transitions:
    • MATCH
    • PARTIAL
    • DISGUISED
    • RENAMED
  • deepen verify into fuller chain integrity / succession validation

Short framing

VCs answer:

  • who are you

SoM answers:

  • what did you manifest and when

CBOM then becomes the readable continuity-aware object view that ties those together.

Enterprise

For private hub hosting, SLA support, custom integrations, or compliance guidance:

Enterprise enterprise@humotica.com
Support support@humotica.com
Security security@humotica.com

License

MIT

Credits

Designed by Jasper van de Meent. Built by Jasper and Root AI as part of HumoticaOS.


Stack-positie: Groep evidence · Bootstrap = OSAPI-handshake naar tibet + jis (fail → snaft-rule + tibet-pol-rapport) · ← tibet-continuityd · tibet-sbom → · See STACK.md · See demo/golden-path/ for the spine end-to-end.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tibet_cbom-0.3.0.tar.gz (22.7 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tibet_cbom-0.3.0-py3-none-any.whl (26.5 kB view details)

Uploaded Python 3

File details

Details for the file tibet_cbom-0.3.0.tar.gz.

File metadata

  • Download URL: tibet_cbom-0.3.0.tar.gz
  • Upload date:
  • Size: 22.7 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_cbom-0.3.0.tar.gz
Algorithm Hash digest
SHA256 0bddd530285c6eb8a89c7bf5c1b06e65cd6d615ce72734952e2bf057d2025bff
MD5 3b0bbfc970dca5da758dc32561ad9853
BLAKE2b-256 13ecf8dc4467aade959b319adfb20663483ce24b2d71406587323da71d920148

See more details on using hashes here.

File details

Details for the file tibet_cbom-0.3.0-py3-none-any.whl.

File metadata

  • Download URL: tibet_cbom-0.3.0-py3-none-any.whl
  • Upload date:
  • Size: 26.5 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_cbom-0.3.0-py3-none-any.whl
Algorithm Hash digest
SHA256 30c02632b722e9b026dd83b0980c1439c31d862e1eb7653545b5ca58b39cc54c
MD5 794a9a39f1ce835559edade4d3adb829
BLAKE2b-256 6db09011cb61bfe963f4173c9c6fb95332967060e8249e49e62ed1fd63a08d24

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page