Package Format Overview
An InstallHub package is a ZIP archive with a precise internal structure. This guide is the specification for that format — useful for engineers building packages programmatically or validating package contents.
The Package as a Contract
The InstallHub package format is a stable, versioned contract. Every package produced by the export system and consumed by the import system follows this format exactly. Tools that build packages programmatically must adhere to it to be accepted by the import pipeline.
Package Structure at a Glance
{packageName}-{version}.zip
├── manifest.json ← REQUIRED: package metadata, artifact index, checksum
├── README.md ← REQUIRED: human-readable description
└── artifacts/
├── workflows/
│ ├── {processId}.json ← ProcessDefinition or ThreadDefinition
│ └── ...
├── forms/
│ └── {formId}.json ← AtlasForm
├── rules/
│ └── {ruleId}.json ← RuleSet
├── entities/
│ └── {entityId}.json ← EntitySchema
└── apps/
└── {appId}.json ← AppDefinitionThree Invariants
Every valid InstallHub package satisfies these invariants:
Manifest at Root
The file manifest.json must exist at the ZIP root. The import engine reads this first and rejects any ZIP that does not contain it.
Every Artifact Declared
Every file under artifacts/ must be declared in the manifest's artifacts array. Files present in the ZIP but missing from the manifest are rejected as untrusted content.
Checksum Matches
The checksum field in the manifest must equal the SHA-256 of all artifact file bytes computed by the import engine. Any mismatch → immediate rejection.
Format Version
The manifest includes a manifestVersion field. The current format version is "1.0". Future versions that make breaking changes to the schema will increment this. The import engine checks manifestVersion and rejects packages with an unsupported version.
| manifestVersion | Support Status | Notes |
|---|---|---|
1.0 | Current | The format defined in this guide |
Why ZIP?
ZIP was chosen for the following reasons:
- Universal support — every platform, language, and CI/CD tool can read and write ZIP
- Streaming-friendly — individual files can be read without decompressing the entire archive
- Text compression — JSON artifact files compress very well (typically 70–85% size reduction)
- Widely auditable — security reviewers can inspect package contents without special tools
Guide Contents
| Page | Topic |
|---|---|
| ZIP Structure | Exact directory layout and file naming conventions |
| Manifest Schema | Complete JSON schema for manifest.json with all field constraints |
| Artifact Serialization | How each artifact type is encoded in JSON |
| Versioning | SemVer for packages and per-artifact version fields |
| Dependency Declarations | Package-to-package dependencies and version constraints |
| Checksum | SHA-256 algorithm, input, and verification process |
| README.md in Package | Required and optional sections of the package README |