SHIVA Release Supply-Chain Kit
A self-contained deterministic release system for scientific datasets, provenance, and offline verification. Full Python source, deterministic builder and verifier, local DSSE-style Ed25519 attestations, MerkleCommit roots, deterministic ZIP bundling, SQLite audit catalog, DataLad publication helper, and wrapper templates for in-toto / Cosign / Rekor / PAR2 / OpenTimestamps.
products/demo_release/Every stage
is replayable.
A working local core that runs each stage in order, deterministically. Stage outputs are themselves hashed and recorded in the integrity manifest.
Payload scanning
Walk the input tree, build a typed file inventory.
Canonical manifest
Deterministic ordering, normalized line endings, fixed metadata.
Merkle root
Bottom-up tree across the manifest's per-file digests.
Deterministic ZIP
Reproducible archive — same input bytes → same archive bytes.
Trace + evidence + integrity emission
Three artefact streams written in lockstep with the build.
Local DSSE envelope signing
Ed25519 envelopes over the manifest. Private keys stay on the build machine.
Offline verification
Re-walk every file, recompute every hash, re-validate every signature — without network access.
SQLite audit catalog
Append-only catalog of every release, every file, every signature, every verification.
HTML compliance capsule
Single-file viewer for the release with embedded verification logic.
SHIVA memory snapshot
Portable memory state at the moment of release.
Application capsule emission
The final user-facing capsule that explains every module / agent / engine / framework.
Higher-trust modes,
opt-in.
The package emits wrapper templates and exact command templates for these tools. They aren't run in the core because they need external CLIs, but the integration points are scaffolded.
Redundancy
Repair-block generation against bit-rot for long-term archival.
Bundle signing
Container/bundle signing with a Sigstore trust root.
Checkpoint pinning
Public transparency-log inclusion of the release manifest.
Anchoring
Cryptographic timestamp pinned to the Bitcoin blockchain.
Layout integration
Multi-step supply-chain layout binding each build step to its expected actor.
Publication
Helper for handing a sealed release to a DataLad dataset for public publication.
Three commands.
One sealed release.
A fully generated demo is in the package.
Inside products/demo_release/: compliance_capsule.html, compliance_capsule_app.html, INTEGRITY.json, verify_report.json, module_registry.json, SHIVA_MEMORY_SNAPSHOT.json.