Skip to main content

Continuity bill of materials and State of Manifest inspector for sealed TIBET envelopes.

Project description

tibet-cbom

Continuity Bill of Materials and State of Manifest inspector for sealed TIBET envelopes.

This sandbox package sketches a tool family around two closely related ideas:

  • CBOM
    • continuity-aware bill of materials
    • what is in the object, plus how that object sits in a continuity chain
  • SoM
    • State of Manifest
    • who asserted what, when, and how the manifest/surface relationship evolved over time

The first operator surface is intentionally simple:

tibet-cbom inspect file.tza
tibet-cbom inspect file.tza --json

And the more human/forensic framing remains available through the alias:

tibet-som inspect file.tza

Semantic Surface Manifest (SSM)

A .tza output can carry any name or extension — file-voor.claude, log-2026.jasper.aint-lane5.log_storageQ2. The name is a greeting and a useful index; the sealed manifest is the truth.

tibet_cbom.ssm parses the surface into advisory hints (never authority) and renders a posture card over an inspected object:

from tibet_cbom import ssm

ssm.parse_surface_facets("log-2026.jasper.aint-lane5.log_storageQ2")
# -> {"quarter": "Q2", "year": "2026", "lane": "5", "actor": "jasper.aint",
#     "disposition": ["log", "storage"], "authority": "none — verify the manifest"}

print(ssm.ssm_card(doc).render())
# [SSM POSTURE: TZA#89421]
#  │││││_ Surface  : liquid (name + facets; a greeting)
#  ││││__ Seal     : byte-identical lock (Ed25519+PCLMULQDQ); magic = TBZ
#  │││___ Causal   : frozen at Lamport-tick #489201
#  ││____ Origin   : created by Route Posture #24358 (A5)
#  │_____ Manifest : .tza (tibet-zip) inviolable core

Two laws: the surface carries no authority — verified on magic bytes + signature, never the filename, so zombie-zips (name says .tza, magic says otherwise) are refused — and the surface is still a useful index: tibet-audit may bucket by .log_storageQ2, but the manifest always wins on a drift.

Why this exists

Normal file inspection answers:

  • what is this file called
  • how large is it
  • what extension does it have

CBOM / SoM should answer richer questions:

  • what class of sealed object is this
  • what does its canonical surface appear to be
  • what continuity identifiers are attached
  • what events happened to it over time
  • when was it renamed
  • when was it verified
  • when was a surface mismatch marked as partial or suspicious

That makes tibet-cbom feel less like file(1) and more like:

  • git log
  • for continuity-bearing envelopes

Current sandbox scope

This skeleton does not claim full TBZ parsing yet.

It provides:

  • package layout
  • datamodel sketch
  • CLI shape
  • human and JSON rendering
  • a first local file inspector that can grow into real manifest/event extraction later
  • optional continuityd audit JSONL merge for early SoM timelines

Commands

inspect

Compact human summary or JSON object.

tibet-cbom inspect 2026-05-12.peer-eval.claude.urgent.tza
tibet-cbom inspect vergadering-dinsdag.pdf
tibet-cbom inspect file.tza --json
tibet-cbom inspect file.tza --audit-file expected-audit-example.jsonl

timeline

Reserved for a later event-only view.

tibet-cbom timeline file.tza
tibet-cbom timeline file.tza --audit-file expected-audit-example.jsonl --json

authority

Compact current authority state.

tibet-cbom authority file.tza
tibet-cbom authority file.tza --json

verify

Explicit manifest and authority-step consistency check.

tibet-cbom verify file.tza
tibet-cbom verify file.tza --json
tibet-cbom verify file.tza --audit-file expected-audit-example.jsonl

rewrap

Sandbox ownership-transition event sketch.

tibet-cbom rewrap task.tza \
  --audit-file audit.jsonl \
  --actor jis:humotica:jasper.admin \
  --authority-mode admin \
  --transition-type freeze \
  --status frozen \
  --effective-assignee jis:humotica:agent.ai \
  --reason "manual triage hold" \
  --freeze-reason-code human-review

If you also want a sandbox sealed bundle:

tibet-cbom rewrap task.tza \
  --audit-file audit.jsonl \
  --actor jis:humotica:jasper.admin \
  --authority-mode admin \
  --transition-type freeze \
  --status frozen \
  --effective-assignee jis:humotica:agent.ai \
  --reason "manual triage hold" \
  --freeze-reason-code human-review \
  --identity-dir ./admin-identity \
  --emit-bundle /tmp/admin-freeze.tza

Basic policy guards now apply:

  • handoff requires --handoff-target
  • freeze requires --freeze-reason-code
  • authority-mode=admin expects an admin actor id
  • emitted bundle signing identity must match transition actor

Data model direction

The package uses two main record types:

  • CBOMDocument
    • file path
    • human name
    • canonical name hint
    • continuity identifiers
    • surface status
    • material facts
    • event timeline
  • SoMEvent
    • timestamp
    • action
    • actor
    • action id
    • notes / fields

This keeps the distinction clear:

  • CBOM is the object summary
  • SoM is the walkable event chain inside or around that object

Current known sealed payloads include:

  • ownership transitions
  • SAM gateway receipts

So a sealed sam_gateway_receipt is no longer treated as an opaque payload; it lands as a first-class sam-executed event in the local SoM timeline.

Likely next steps

  • extract canonical surface from real manifests
  • map continuity IDs from real payloads/manifests
  • render surface status transitions:
    • MATCH
    • PARTIAL
    • DISGUISED
    • RENAMED
  • deepen verify into fuller chain integrity / succession validation

Short framing

VCs answer:

  • who are you

SoM answers:

  • what did you manifest and when

CBOM then becomes the readable continuity-aware object view that ties those together.

Enterprise

For private hub hosting, SLA support, custom integrations, or compliance guidance:

Enterprise enterprise@humotica.com
Support support@humotica.com
Security security@humotica.com

License

MIT

Credits

Designed by Jasper van de Meent. Built by Jasper and Root AI as part of HumoticaOS.


Stack-positie: Groep evidence · Bootstrap = OSAPI-handshake naar tibet + jis (fail → snaft-rule + tibet-pol-rapport) · ← tibet-continuityd · tibet-sbom → · See STACK.md · See demo/golden-path/ for the spine end-to-end.

Project details


Download files

Download the file for your platform. If you're not sure which to choose, learn more about installing packages.

Source Distribution

tibet_cbom-0.3.1.tar.gz (23.2 kB view details)

Uploaded Source

Built Distribution

If you're not sure about the file name format, learn more about wheel file names.

tibet_cbom-0.3.1-py3-none-any.whl (27.2 kB view details)

Uploaded Python 3

File details

Details for the file tibet_cbom-0.3.1.tar.gz.

File metadata

  • Download URL: tibet_cbom-0.3.1.tar.gz
  • Upload date:
  • Size: 23.2 kB
  • Tags: Source
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_cbom-0.3.1.tar.gz
Algorithm Hash digest
SHA256 1244a638939c78d398ce065f025076bba35ba56d1b05e443c969ebb3f67004d4
MD5 e544ed6e8f2b83379a2f4bea3a6c31b9
BLAKE2b-256 8415533f4918b12662d112e8b4608c3f312016195944cd2b66a3a3c7813715a2

See more details on using hashes here.

File details

Details for the file tibet_cbom-0.3.1-py3-none-any.whl.

File metadata

  • Download URL: tibet_cbom-0.3.1-py3-none-any.whl
  • Upload date:
  • Size: 27.2 kB
  • Tags: Python 3
  • Uploaded using Trusted Publishing? No
  • Uploaded via: twine/6.2.0 CPython/3.13.5

File hashes

Hashes for tibet_cbom-0.3.1-py3-none-any.whl
Algorithm Hash digest
SHA256 3c1ab984f36f27ed6b22c80b9fbdc7190fec270a4008b6bec1798760713fa6fa
MD5 405ed6cc813a9d712fc3a1a8eb544698
BLAKE2b-256 7487cf900872b629b8fa848f68be34298a9a945a790d303067b87e4194593e5b

See more details on using hashes here.

Supported by

AWS Cloud computing and Security Sponsor Datadog Monitoring Depot Continuous Integration Fastly CDN Google Download Analytics Pingdom Monitoring Sentry Error logging StatusPage Status page