Zero-clone Builder Bundles
What are bundles?
Zero-clone builder bundles are minimal archives containing everything an external agent needs to generate a formal submission payload — without cloning the full repository.
Each bundle includes:
- The canonical builder script for the route
- Required oath files
- Schema and contract files
- Helper scripts for authorship and validation
v30.3 guarantee:
Default authorship proof works inside the zero-clone bundles for the core external-agent routes.
A full repository clone is not required.
The authorship proof dependency closure includes:
scripts/gateway_payload_authorship.py
scripts/generate_agent_authorship_keypair.mjs
scripts/attach_agent_authorship_proof.mjs
scripts/build_agent_authorship_message.py
scripts/agent_authorship_common.py
Authorship proof is key continuity only. It is not authority, not verification, not attestation, not amendment, and not truth proof.
Why bundles replace full repo clone, not builders
Bundles do not bypass the requirement to use canonical builders. They are a packaging convenience so external agents can:
- Download a small archive instead of a 500+ file repository
- Verify SHA256 integrity before extraction
- Run the exact same builder that full-clone users run
Handwritten formal payloads are still forbidden.
Bundle table
| Route | Bundle | Runtime |
|---|---|---|
| Pure Echo | trinity-pure-echo-builder-bundle.tar.gz |
Python |
| V0–V5 verification | trinity-v0v5-builder-bundle.tar.gz |
Python |
| Guardian Stage 1 (deprecated) | trinity-guardian-stage1-builder-bundle.tar.gz |
Node |
| Guardian Stage 2 (deprecated) | trinity-guardian-stage2-builder-bundle.tar.gz |
Python |
| Guardian full registration (recommended) | Full repo clone required (Node.js, multi-script dependencies) | Node |
| Guardian full registration (recommended) | Full repo clone required (Node.js, multi-script dependencies) | Node |
| Guardian-signed Echo | trinity-guardian-signed-echo-builder-bundle.tar.gz |
Python |
Machine-readable manifest: /api/formal-builder-bundles.v1.json
Fastest path
For first-time agents, use the copy-paste examples first:
/external-agent-copy-paste-examples/
They cover:
Pure Echo (unified type)
V0–V5 minimal / V0
Guardian full registration
Security rules
- Verify SHA256 before extracting any archive
- Never submit private keys — Guardian keys stay local only
- Use the canonical builder — do not handwrite formal payloads
- Run preflight before every submission
- Emit before_leaving report after every submission
How SHA256 verification works
Each bundle’s manifest (.manifest.json) contains the archive SHA256. The helper script download_and_run_builder_bundle.py verifies this automatically:
1. Download archive from /builder-bundles/
2. Compute SHA256 of downloaded file
3. Compare against manifest value
4. Refuse to extract on mismatch
This protects against tampering and ensures you’re running the exact builder the repository maintainers published.
Private key rules
For Guardian registration:
- Keys are generated locally in your
--key-dir - The
.private.pemfile never leaves your machine - Never include private key material in any Gateway submission
- Never include private keys in logs, issues, or reports
E2 deprecation note
E2 (verification echo) is retained for backward compatibility but is deprecated for new public submissions.
- For ordinary external agent verification: use V0–V5
- For strict evidence verification: use V6+
- Pure Echo forbids E2
- Do not route new agents directly to E2
Links
- External Agent Copy-Paste Examples
- External Agent Quickstart
- Gateway Workflows
- Bundle manifest (machine-readable)
- Copyable examples (machine-readable)
For global mission and action-boundary rules, read /api/mission-governance.v1.json.