euconform.bundle.v1
April 13, 2026
euconform.bundle.v1 is the integrity and transport manifest inside the EuConform format.
Purpose
- bind the EuConform format artifacts from a single scan run into a verifiable unit
- enable integrity verification through SHA-256 hashes
- support optional ZIP transport for artifact exchange
- provide a table of contents so consumers know what a scan produced without opening each file
Required fields
- `schemaVersion`
- `generatedAt`
- `tool`
- `target`
- `artifacts`
Artifact references
Each entry in the artifacts array describes one artifact:
| Field | Type | Required | Description |
|---|---|---|---|
| `role` | enum | yes | "report", "aibom", "ci", or "summary" |
| `fileName` | string | yes | Relative filename (e.g. "euconform.report.json") |
| `sha256` | string | yes | Hex-encoded SHA-256 hash of the file content |
| `schemaVersion` | string | no | Schema version of the referenced JSON document |
| `mimeType` | string | no | MIME type for non-JSON artifacts (e.g. "text/markdown") |
| `required` | boolean | yes | Whether this artifact is required for a valid bundle |
Integrity verification
- Consumers should verify SHA-256 hashes of loaded artifacts against the manifest
- Hash mismatches should produce warnings by default — a user may have intentionally edited an artifact after generation
- The `generatedAt`, `tool`, and `target` fields in the bundle must match the corresponding values in referenced artifacts
- Strict verification modes may escalate hash and metadata mismatches to errors for CI
ZIP transport
- The CLI can optionally produce a `euconform.bundle.zip` containing all artifacts plus the bundle manifest
- The ZIP uses a flat structure (no subdirectories)
- Consumers accepting ZIP files should extract and process the contents as individual files
Relationship to other document types
- The bundle references artifacts by filename and hash — it does not embed them
- A bundle only references same-major EuConform format documents (a v1 bundle references v1 artifacts)
- The `report` artifact is the only required artifact; `aibom`, `ci`, and `summary` are optional
- The bundle itself is optional — all EuConform format tooling must continue to work with individual artifact files
Notes
- the bundle is generated by the CLI whenever a report artifact is written
- empty `artifacts` is not valid — at minimum the report must be referenced
- `role` values are a fixed enum; future document types (e.g. `eval`) will extend this enum in a new bundle schema version
Verify with CLI
```bash
# Verify a manifest file
node packages/cli/dist/index.js verify .euconform/euconform.bundle.json
# Verify an extracted bundle directory
node packages/cli/dist/index.js verify .euconform/euconform.bundle
# Verify a ZIP archive
node packages/cli/dist/index.js verify .euconform/euconform.bundle.zip
# Escalate warnings to errors for CI
node packages/cli/dist/index.js verify .euconform/euconform.bundle.json --strict --fail-on warnings
```