SVF SVF Clinical Platform — paid clinical bundle, two capsules free in the browser Open the live demo
All capsules
SHIVA OS/Capsules/Supply Chain
Finished project SLSA-shaped MIT

SHIVA Release Supply-Chain Kit

A self-contained deterministic release system for scientific datasets, provenance, and offline verification. Full Python source, deterministic builder and verifier, local DSSE-style Ed25519 attestations, MerkleCommit roots, deterministic ZIP bundling, SQLite audit catalog, DataLad publication helper, and wrapper templates for in-toto / Cosign / Rekor / PAR2 / OpenTimestamps.

Language
Python · pure stdlib + minimal deps
Signing
DSSE envelope · Ed25519
Sealing
MerkleCommit payload + bundle roots
Audit catalog
SQLite
Publication
DataLad helper
Demo release
products/demo_release/
01 — The 11-stage pipeline

Every stage
is replayable.

A working local core that runs each stage in order, deterministically. Stage outputs are themselves hashed and recorded in the integrity manifest.

01

Payload scanning

Walk the input tree, build a typed file inventory.

02

Canonical manifest

Deterministic ordering, normalized line endings, fixed metadata.

03

Merkle root

Bottom-up tree across the manifest's per-file digests.

04

Deterministic ZIP

Reproducible archive — same input bytes → same archive bytes.

05

Trace + evidence + integrity emission

Three artefact streams written in lockstep with the build.

06

Local DSSE envelope signing

Ed25519 envelopes over the manifest. Private keys stay on the build machine.

07

Offline verification

Re-walk every file, recompute every hash, re-validate every signature — without network access.

08

SQLite audit catalog

Append-only catalog of every release, every file, every signature, every verification.

09

HTML compliance capsule

Single-file viewer for the release with embedded verification logic.

10

SHIVA memory snapshot

Portable memory state at the moment of release.

11

Application capsule emission

The final user-facing capsule that explains every module / agent / engine / framework.

02 — Scaffolded external adapters

Higher-trust modes,
opt-in.

The package emits wrapper templates and exact command templates for these tools. They aren't run in the core because they need external CLIs, but the integration points are scaffolded.

PAR2

Redundancy

Repair-block generation against bit-rot for long-term archival.

Cosign

Bundle signing

Container/bundle signing with a Sigstore trust root.

Rekor

Checkpoint pinning

Public transparency-log inclusion of the release manifest.

OpenTimestamps

Anchoring

Cryptographic timestamp pinned to the Bitcoin blockchain.

in-toto

Layout integration

Multi-step supply-chain layout binding each build step to its expected actor.

DataLad

Publication

Helper for handing a sealed release to a DataLad dataset for public publication.

03 — Quickstart

Three commands.
One sealed release.

# 1. Set up + generate a local signing key cd shiva_release_supply_chain_finished_project python -m venv .venv && . .venv/bin/activate pip install -r requirements.txt export PYTHONPATH=src python -m shiva_release.cli generate-keys --out-dir keys/local # 2. Build a sealed release from an input tree python -m shiva_release.cli release \ --input examples/input \ --output products/my_release \ --release-name my_release_v1 \ --private-key keys/local/dev_ed25519_private.pem # 3. Verify it offline python -m shiva_release.cli verify \ --release-dir products/my_release \ --public-key keys/local/dev_ed25519_public.pem
Demo
A fully generated demo is in the package.

Inside products/demo_release/: compliance_capsule.html, compliance_capsule_app.html, INTEGRITY.json, verify_report.json, module_registry.json, SHIVA_MEMORY_SNAPSHOT.json.