InstallHub
Manifest Generation
The manifest is the authoritative descriptor of a package — the first thing the import engine reads, and the source of truth for what the bundle contains, who created it, and whether it is intact.
What the Manifest Contains
The manifest is generated after dependency resolution and checksum computation are complete. It is the last file written before the ZIP is finalized.
Complete manifest.json Example
{
"manifestVersion": "1.0",
"packageId": "pkg-a3f9c821-4b2e-49d1-bc44-f7e2a1c09d33",
"name": "Employee Onboarding Suite",
"packageType": "workflow-package",
"version": "2.1.0",
"description": "Complete employee onboarding with multi-step approval, forms, and notifications",
"author": "HR Automation Team",
"authorEmail": "hr-automation@company.com",
"organization": "Acme Corp",
"exportedAt": "2026-05-25T09:00:00Z",
"exportedBy": "engineer@company.com",
"tenantId": "tenant-7f3a9b12-...",
"platformVersion": "4.2.0",
"checksum": "sha256:3a9f1c4e8d2b7f6a1e5c9d3b0a4f8e2c7d1a6b9e3f5c8d2a0b7e4f1c9d3a6b0",
"tags": ["hr", "onboarding", "approval"],
"artifacts": [
{
"type": "ProcessDefinition",
"id": "proc-1001",
"name": "EmployeeOnboarding",
"version": "2.1.0",
"file": "artifacts/workflows/proc-1001.json",
"hash": "sha256:abc123..."
},
{
"type": "ThreadDefinition",
"id": "thread-2002",
"name": "ApprovalSubflow",
"version": "1.0.0",
"file": "artifacts/workflows/thread-2002.json",
"hash": "sha256:def456..."
},
{
"type": "AtlasForm",
"id": "form-2005",
"name": "EmployeeForm",
"version": "1.3.0",
"file": "artifacts/forms/form-2005.json",
"hash": "sha256:ghi789..."
},
{
"type": "RuleSet",
"id": "rule-305",
"name": "ApprovalRules",
"version": "1.0.0",
"file": "artifacts/rules/rule-305.json",
"hash": "sha256:jkl012..."
},
{
"type": "EntitySchema",
"id": "ent-44",
"name": "EmployeeSchema",
"version": "1.0.0",
"file": "artifacts/entities/ent-44.json",
"hash": "sha256:mno345..."
}
],
"dependencies": [
{ "type": "ProcessDefinition", "id": "proc-1001", "name": "EmployeeOnboarding", "version": "2.1.0", "hash": "sha256:abc123..." },
{ "type": "ThreadDefinition", "id": "thread-2002", "name": "ApprovalSubflow", "version": "1.0.0", "hash": "sha256:def456..." },
{ "type": "AtlasForm", "id": "form-2005", "name": "EmployeeForm", "version": "1.3.0", "hash": "sha256:ghi789..." },
{ "type": "RuleSet", "id": "rule-305", "name": "ApprovalRules", "version": "1.0.0", "hash": "sha256:jkl012..." },
{ "type": "EntitySchema", "id": "ent-44", "name": "EmployeeSchema", "version": "1.0.0", "hash": "sha256:mno345..." }
],
"packageDependencies": [],
"installOrder": ["ent-44", "rule-305", "form-2005", "thread-2002", "proc-1001"]
}Manifest Fields Reference
| Field | Type | Required | Description |
|---|---|---|---|
manifestVersion | string | Yes | Schema version — currently "1.0". Incremented on breaking manifest changes. |
packageId | GUID string | Yes | Unique identifier generated at export time. Stable across re-downloads of the same export. |
name | string | Yes | Human-readable package name (1–100 chars). |
packageType | enum string | Yes | One of: workflow-package, form-package, app-package, agent-package, config-package. |
version | SemVer string | Yes | Package version — major.minor.patch. |
exportedAt | ISO 8601 UTC | Yes | Timestamp when the export was created. |
exportedBy | string | Yes | Identity of the user who triggered the export. |
tenantId | string | Yes | Source tenant. Informational — IDs are remapped on import. |
platformVersion | SemVer string | Yes | BizFirstGO platform version at export time. Import warns if target platform is older. |
checksum | sha256:{hex} | Yes | SHA-256 of all artifact file contents. Recomputed and verified on import. |
artifacts | array | Yes | One entry per artifact in the bundle, with file path and per-artifact hash. |
dependencies | array | Yes | Full dependency closure with version and hash — mirrors artifacts but used by the import engine for validation. |
packageDependencies | array | No | Other InstallHub packages that must be installed before this one. |
installOrder | string[] | Yes | Topologically sorted artifact IDs — the import engine installs in this order. |
Per-Artifact Hash
Each artifact entry in the manifest carries its own hash — a SHA-256 of that artifact file's bytes only. This allows the import engine to verify each artifact individually in addition to the whole-bundle checksum, and to identify exactly which file was corrupted if verification fails.
Platform Version Compatibility
The manifest records the platform version at export time. On import, the engine compares this to the target platform version:
- Same or newer platform: Import proceeds normally.
- Older platform (target is older than source): Import displays a compatibility warning. The package may use features not available in the older platform. The administrator must explicitly acknowledge and continue.
- Major version mismatch: Import is blocked. The package requires a major platform upgrade before it can be installed.
C# Entity
public class PackageManifest
{
public string ManifestVersion { get; init; } = "1.0";
public string PackageId { get; init; }
public string Name { get; init; }
public string PackageType { get; init; }
public string Version { get; init; }
public string? Description { get; init; }
public string? Author { get; init; }
public string ExportedBy { get; init; }
public string TenantId { get; init; }
public string PlatformVersion { get; init; }
public string Checksum { get; init; }
public string[] Tags { get; init; } = [];
public ArtifactEntry[] Artifacts { get; init; }
public DependencyEntry[] Dependencies { get; init; }
public PackageDependency[] PackageDependencies { get; init; } = [];
public string[] InstallOrder { get; init; }
public DateTimeOffset ExportedAt { get; init; }
}