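// provenance_manifest.kdl
// Extended KDL manifest schema with full provenance chain embedding
// This shows how package manifests embed complete source attribution
//
// Layout: three example packages ("htop", "nim-compiler", "suspicious-tool"),
// each carrying a provenance chain of typed steps, a trust-score breakdown and,
// for two of them, a verification record.
//
// NOTE(review): every hash and signature value below is a truncated or
// descriptive placeholder ("blake3-abc123...", "base64-encoded-signature-data"),
// so nothing in this file can be verified as written.
// NOTE(review): the bracketed lists (`errors []`, `build_flags [...]`) are not
// standard KDL; presumably they belong to the "extended" schema - confirm that
// the manifest parser accepts them.
// NOTE(review): trust_score, `verified`, and the `verification` blocks are
// values stored inside the manifest itself. A consumer should recompute them
// from the hash chain and signatures instead of reading them as facts;
// otherwise anyone who can edit the manifest can also edit its verdict.

package "htop" {
  version "3.2.2"
  stream "stable"

  // Core package metadata
  metadata {
    description "Interactive process viewer"
    homepage "https://htop.dev"
    license "GPL-2.0"
    architecture "x86_64"
    build_date "2025-08-05T14:30:00Z"
  }

  // Package hashes for integrity
  // NOTE(review): manifest_hash is stored inside the manifest it describes, so
  // the schema has to define which fields are excluded from the hashed form -
  // not shown here.
  hashes {
    package_hash "blake3-abc123def456789..."
    manifest_hash "blake3-def456789abc123..."
    content_hash "blake3-789abc123def456..."
  }

  // REVOLUTIONARY: Complete provenance chain embedded in manifest
  provenance {
    source_type "grafted" // original, grafted, converted, rebuilt, mirrored
    trust_score 0.85 // Calculated trust score (0.0-1.0)
    last_verified "2025-08-05T14:30:00Z"

    // Original source information
    original_source {
      url "https://github.com/htop-dev/htop/archive/3.2.2.tar.gz"
      ecosystem "github"
      // NOTE(review): "http" next to an https:// URL is ambiguous - it reads as
      // a transport family, not as "cleartext". Confirm the fetcher records
      // whether TLS was actually verified (compare ssl_verified in the
      // "suspicious-tool" example).
      fetch_method "http"
    }

    // Complete provenance chain
    // Each step's input_hash repeats the previous step's output_hash; that
    // equality is what links the steps together.
    chain {
      // Step 1: Source fetching
      step type="source" {
        timestamp "2025-08-05T10:00:00Z"
        actor "automated-graft-engine"
        location "nexusos-infrastructure"
        input_hash "" // chain root: nothing precedes the fetch
        output_hash "blake3-source123456..."
        verified true

        metadata {
          source_url "https://github.com/htop-dev/htop/archive/3.2.2.tar.gz"
          fetch_method "http"
          user_agent "nimpak-fetcher/1.0"
          content_type "application/gzip"
        }

        // Optional cryptographic signature
        // NOTE(review): the signed byte string is not defined here. To stop a
        // signature being lifted onto another step or package it presumably has
        // to cover the step type, both hashes and the timestamp - confirm.
        signature {
          algorithm "ed25519"
          key_id "nexusos-graft-engine-2025"
          value "base64-encoded-signature-data"
          timestamp "2025-08-05T10:00:00Z"
        }
      }

      // Step 2: Package grafting from Arch Linux
      // NOTE(review): input_hash is the upstream tarball hash, but the metadata
      // names an Arch binary package as the thing extracted. Nothing in this
      // step shows that the binary was built from that tarball, so this link is
      // attested by the actor, not derived - treat it as weaker than a build
      // step.
      step type="graft" {
        timestamp "2025-08-05T10:15:00Z"
        actor "automated-graft-engine"
        location "graft-engine"
        input_hash "blake3-source123456..."
        output_hash "blake3-graft789abc..."
        // NOTE(review): the source text is cut off here ("ve"); restored as
        // `verified true` to match the other steps and `graft_step true` in the
        // verification block below.
        verified true

        metadata {
          source_ecosystem "arch-linux"
          original_package "htop-3.2.2-1-x86_64.pkg.tar.zst"
          graft_method "archive-extraction"
          verification_performed true
          files_extracted 47
        }

        signature {
          algorithm "ed25519"
          key_id "nexusos-graft-engine-2025"
          value "base64-encoded-graft-signature"
          timestamp "2025-08-05T10:15:00Z"
        }
      }

      // Step 3: Package conversion to .npk format
      step type="convert" {
        timestamp "2025-08-05T10:30:00Z"
        actor "nimpak-converter"
        location "nexusos-infrastructure"
        input_hash "blake3-graft789abc..."
        output_hash "blake3-convert123def..."
        verified true

        metadata {
          converter_version "nimpak-1.0.0"
          conversion_method "gobolinux-restructure"
          manifest_generated true
          integrity_verified true
        }

        signature {
          algorithm "ed25519"
          key_id "nexusos-converter-2025"
          value "base64-encoded-convert-signature"
          timestamp "2025-08-05T10:30:00Z"
        }
      }

      // Step 4: Final package signing
      step type="sign" {
        timestamp "2025-08-05T10:45:00Z"
        actor "nexusos-signing-authority"
        location "signing-infrastructure"
        input_hash "blake3-convert123def..."
        output_hash "blake3-convert123def..." // Signing doesn't change content
        verified true

        metadata {
          signing_authority "NexusOS Package Authority"
          key_algorithm "ed25519"
          signature_type "detached"
          policy_version "2025.1"
        }

        signature {
          algorithm "ed25519"
          key_id "nexusos-repo-2025"
          value "base64-encoded-final-signature"
          timestamp "2025-08-05T10:45:00Z"
        }
      }
    }

    // Trust calculation breakdown
    // NOTE(review): the listed components add up to 1.15, not 0.85, and
    // source_type_modifier is positive although its comment calls it a penalty.
    // The combining rule (weights, clamping) is not shown in this file; the
    // figures are left as the author gave them.
    trust_calculation {
      base_score 0.5
      source_type_modifier 0.05 // Grafted penalty
      actor_trust_bonus 0.2 // Trusted actors
      location_trust_bonus 0.1 // Trusted locations
      signature_bonus 0.2 // All steps signed
      verification_bonus 0.1 // All steps verified
      age_penalty 0.0 // Recent provenance
      final_score 0.85
    }

    // Verification status
    // This block records the outcome of a past check; see the file header on
    // recomputing it instead of trusting the stored result.
    verification {
      last_verified "2025-08-05T14:30:00Z"
      verification_successful true
      errors []

      step_verification {
        source_step true
        graft_step true
        convert_step true
        sign_step true
      }

      hash_chain_valid true
      signatures_valid true
      keys_trusted true
    }
  }

  // Dependencies with their own provenance
  // NOTE(review): only a summary is embedded per dependency; checking
  // `all_signed` or the trust_score presumably requires the dependency's own
  // manifest - confirm where that lookup happens.
  dependencies {
    libc {
      version "2.38"
      trust_score 0.95 // Higher trust for core libraries

      provenance_summary {
        source_type "original"
        chain_length 3
        all_signed true
        last_verified "2025-08-04T12:00:00Z"
      }
    }

    ncurses {
      version "6.4"
      trust_score 0.88

      provenance_summary {
        source_type "grafted"
        chain_length 4
        all_signed true
        last_verified "2025-08-04T15:30:00Z"
      }
    }
  }

  // ACUL compliance with provenance integration
  acul {
    required false
    membership "NexusOS-Community"
    license "GPL-2.0"

    // Provenance-based compliance
    provenance_compliant true
    trust_threshold_met true
    source_attribution_complete true
    // NOTE(review): the chain above has no build step (source, graft, convert,
    // sign), so it is unclear what this reproducibility claim rests on.
    build_reproducible true
  }

  // Installation metadata
  // NOTE(review): these fields are written at install time, after the sign step
  // above, so they presumably sit outside the hashed and signed portion of the
  // manifest - confirm.
  installation {
    installed_at "2025-08-05T15:00:00Z"
    installed_by "user-markus"
    installation_method "nip-install"
    cell "default"

    // Post-installation verification
    post_install_verification {
      integrity_verified true
      provenance_verified true
      trust_score_acceptable true
      policy_compliant true
    }
  }
}

// Example of a high-trust original source package
package "nim-compiler" {
  version "2.0.0"
  stream "stable"

  provenance {
    source_type "original"
    trust_score 0.98 // Very high trust for original source

    original_source {
      url "https://github.com/nim-lang/Nim/archive/v2.0.0.tar.gz"
      ecosystem "github-official"
      verified_publisher true
    }

    chain {
      step type="source" {
        timestamp "2025-08-01T09:00:00Z"
        actor "nexusos-build-farm"
        location "reproducible-builds"
        input_hash ""
        output_hash "blake3-nim-source..."
        verified true

        // NOTE(review): this step is signed with a publisher key id while the
        // recorded actor is the build farm; how that key is obtained and pinned
        // is not shown here.
        signature {
          algorithm "ed25519"
          key_id "nim-lang-official-2025"
          value "official-nim-signature"
          timestamp "2025-08-01T09:00:00Z"
        }
      }

      step type="build" {
        timestamp "2025-08-01T09:30:00Z"
        actor "nexusos-build-farm"
        location "reproducible-builds"
        input_hash "blake3-nim-source..."
        output_hash "blake3-nim-build..."
        verified true

        metadata {
          build_system "nim-bootstrap"
          build_flags ["--opt:speed", "--gc:orc"]
          compiler_version "nim-1.6.14"
          build_environment "reproducible"
          build_reproducible true
        }

        signature {
          algorithm "ed25519"
          key_id "nexusos-build-farm-2025"
          value "build-signature-data"
          timestamp "2025-08-01T09:30:00Z"
        }
      }

      step type="sign" {
        timestamp "2025-08-01T10:00:00Z"
        actor "nexusos-signing-authority"
        location "signing-infrastructure"
        input_hash "blake3-nim-build..."
        output_hash "blake3-nim-build..." // unchanged by signing, as in the htop example
        verified true

        signature {
          algorithm "ed25519"
          key_id "nexusos-repo-2025"
          value "final-package-signature"
          timestamp "2025-08-01T10:00:00Z"
        }
      }
    }

    // NOTE(review): the listed components add up to 1.35 while final_score is
    // 0.98; the combining rule is not shown in this file.
    trust_calculation {
      base_score 0.5
      source_type_modifier 0.1 // Original source bonus
      actor_trust_bonus 0.2 // Highly trusted actors
      location_trust_bonus 0.1 // Trusted build infrastructure
      signature_bonus 0.2 // All steps cryptographically signed
      verification_bonus 0.1 // Perfect verification record
      completeness_bonus 0.1 // Complete provenance chain
      official_publisher_bonus 0.05 // Official Nim project
      final_score 0.98
    }
  }
}

// Example of a low-trust package with issues
// NOTE(review): in this example missing signatures and failed verification only
// lower the score; the manifest does not say at which score, or for which
// individual failures, installation is refused. That threshold belongs in
// policy and should be enforced by the installer.
package "suspicious-tool" {
  version "1.0.0"
  stream "testing"

  provenance {
    source_type "mirrored"
    trust_score 0.35 // Low trust due to issues

    chain {
      step type="source" {
        timestamp "2025-07-01T12:00:00Z"
        actor "unknown-mirror"
        location "untrusted-location"
        input_hash ""
        output_hash "blake3-suspicious..."
        verified false // Verification failed

        metadata {
          source_url "http://sketchy-mirror.com/tool.tar.gz"
          fetch_method "http"
          ssl_verified false
        }

        // No signature - red flag
      }

      step type="build" {
        timestamp "2025-07-01T13:00:00Z"
        actor "unknown-builder"
        location "unknown-location"
        input_hash "blake3-suspicious..."
        output_hash "blake3-build-suspicious..."
        verified false

        metadata {
          build_system "unknown"
          build_flags []
          build_reproducible false
        }

        // No signature - another red flag
      }
    }

    // NOTE(review): the listed components add up to -0.35 while final_score is
    // 0.35; the combining rule is not shown in this file.
    trust_calculation {
      base_score 0.5
      source_type_modifier -0.1 // Mirrored penalty
      actor_trust_penalty -0.2 // Unknown actors
      location_trust_penalty -0.1 // Untrusted locations
      signature_penalty -0.2 // No signatures
      verification_penalty -0.2 // Failed verification
      ssl_penalty -0.05 // No SSL verification
      final_score 0.35
    }

    verification {
      last_verified "2025-08-05T14:30:00Z"
      verification_successful false
      errors [
        "No cryptographic signatures found",
        "Unknown build actors",
        "Source fetched over insecure HTTP",
        "Build not reproducible"
      ]
    }
  }
}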