The Package Concept
An InstallHub package is a self-contained, versioned, integrity-verified bundle of BizFirstGO artifacts — everything needed to reproduce a capability in another tenant.
What a Package Contains
Every package is a ZIP archive with a well-defined internal structure:
my-onboarding-package-2.1.0.zip
├── manifest.json ← Package metadata and artifact index
├── README.md ← Human-readable description
└── artifacts/
├── workflows/
│ ├── proc-1001.json ← ProcessDefinition
│ └── thread-2002.json ← ThreadDefinition
├── forms/
│ └── form-2005.json ← AtlasForm
├── rules/
│ └── rule-305.json ← RuleSet
└── entities/
└── ent-44.json ← EntitySchemaThe Manifest
The manifest.json is the authoritative descriptor of the package. Every import operation begins by reading and validating this file.
{
"manifestVersion": "1.0",
"packageId": "pkg-a3f9c821-...",
"name": "Onboarding Suite",
"packageType": "workflow-package",
"version": "2.1.0",
"description": "Complete employee onboarding workflow with forms",
"author": "HR Automation Team",
"exportedAt": "2026-05-25T09:00:00Z",
"exportedBy": "user@company.com",
"tenantId": "tenant-7f3a...",
"checksum": "sha256:3a9f1c4e...",
"artifacts": [
{ "type": "ProcessDefinition", "id": "proc-1001", "file": "artifacts/workflows/proc-1001.json", "name": "OnboardingWorkflow", "version": "2.1.0" },
{ "type": "AtlasForm", "id": "form-2005", "file": "artifacts/forms/form-2005.json", "name": "EmployeeForm", "version": "1.0.0" }
],
"dependencies": [
{ "type": "ProcessDefinition", "id": "proc-1001", "name": "OnboardingWorkflow", "version": "2.1.0", "hash": "sha256:abc..." },
{ "type": "AtlasForm", "id": "form-2005", "name": "EmployeeForm", "version": "1.0.0", "hash": "sha256:def..." }
],
"packageDependencies": []
}Manifest Fields Reference
| Field | Type | Description |
|---|---|---|
manifestVersion | string | Version of the manifest schema itself — currently "1.0" |
packageId | string (GUID) | Unique identifier for this package instance |
name | string | Human-readable package name |
packageType | string enum | One of: workflow-package, form-package, app-package, agent-package, config-package |
version | SemVer string | Package version — major.minor.patch |
exportedAt | ISO 8601 datetime | UTC timestamp of when the package was created |
tenantId | string | Source tenant — informational; ID remapping handles cross-tenant install |
checksum | string | SHA-256 hash of all artifact file contents (before manifest is included) |
artifacts | array | Each artifact included in this bundle with its file path inside the ZIP |
dependencies | array | Full dependency list with version hashes for integrity verification |
packageDependencies | array | Other InstallHub packages this package requires to be installed first |
Versioning
Packages use Semantic Versioning (SemVer): major.minor.patch.
- Patch (
2.1.0→2.1.1): Bug fixes — backward compatible, safe to auto-update. - Minor (
2.1.0→2.2.0): New optional artifacts or fields — backward compatible. - Major (
2.1.0→3.0.0): Breaking changes — existing workflows or forms may need updates after import.
Integrity Verification
The checksum field is a SHA-256 hash computed over the concatenated contents of all artifact files in the bundle (excluding the manifest itself). On import, the engine recomputes this hash and compares it to the manifest value.
- If they match: bundle is intact — import proceeds.
- If they differ: bundle has been tampered with or corrupted — import is rejected immediately.
ChecksumMismatch error. If you need to modify an artifact, do it in the source tenant and re-export.
Package Dependencies
A package can declare that it requires another InstallHub package to already be installed. This is used when one package extends or customizes another:
{
"packageDependencies": [
{
"packageName": "BizFirstGO.HRBase",
"minVersion": "1.0.0",
"maxVersion": "2.0.0"
}
]
}The import engine checks that all declared package dependencies are satisfied before installing. If a required package is missing, the import is blocked with a clear error listing the missing dependencies.