Package the operational truth
A model file alone is not deployable. A package must contain enough information to load, constrain, evaluate, trace, and retire the model. Packaging is where model research becomes an operable supply chain.
Recommended package contents
| File | Purpose |
|---|---|
| manifest.json | Canonical identifiers, versions, digests, and package metadata. |
| model.* | Weight or executable artifact. |
| tokenizer.* | Exact tokenizer and vocabulary when applicable. |
| contract.json | Verified capability and interface contract. |
| lineage.json | Parents, mutation operator, data lineage, and creation record. |
| evaluation-card.json | Suite versions, scores, uncertainty, failures, and approvals. |
| resource-profile.json | Memory, latency, throughput, energy, and hardware results. |
| permissions.json | Required tools, files, network, data classes, and denied capabilities. |
| license-notice.json | Model, data, code, and redistribution obligations. |
| rollback.json | Compatible prior artifact and migration instructions. |
| signatures/ | Integrity and publisher signatures. |
Canonical manifest
Use deterministic key ordering, normalized numeric formats, UTF-8, and no environment-specific absolute paths. The artifact identifier should remain identical when copied across systems.
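An added example (not taken from the source reports or from any registry's code) of one way to derive an identifier that stays the same when the package is copied between systems. The field names, the `sha256:` prefix, the absolute-path heuristic, and the rule that non-integer numbers are carried as strings are assumptions made for illustration.

```python
import hashlib
import json
import re
import unicodedata

# Assumption: POSIX, home-relative, Windows-drive and UNC prefixes mark environment-specific paths.
_ABS_PATH = re.compile(r"^(/|~|[A-Za-z]:[\\/]|\\\\)")


def _normalize(value, where="manifest"):
    """Return a copy of value that serializes identically on every system."""
    if isinstance(value, dict):
        return {unicodedata.normalize("NFC", k): _normalize(v, f"{where}.{k}")
                for k, v in value.items()}
    if isinstance(value, list):
        return [_normalize(v, f"{where}[{i}]") for i, v in enumerate(value)]
    if isinstance(value, str):
        if _ABS_PATH.match(value):
            raise ValueError(f"{where}: absolute path {value!r} is environment-specific")
        return unicodedata.normalize("NFC", value)
    if isinstance(value, float):
        # Float formatting differs between serializers, so it would change the digest.
        raise ValueError(f"{where}: encode non-integer numbers as strings")
    if value is None or isinstance(value, (bool, int)):
        return value
    raise TypeError(f"{where}: unsupported type {type(value).__name__}")


def canonical_bytes(manifest):
    """Sorted keys, no insignificant whitespace, UTF-8 without \\u escapes."""
    return json.dumps(_normalize(manifest), sort_keys=True, separators=(",", ":"),
                      ensure_ascii=False).encode("utf-8")


def artifact_id(manifest):
    return "sha256:" + hashlib.sha256(canonical_bytes(manifest)).hexdigest()


# Constructed sample manifests: same content, different key order and Unicode form.
A = {"name": "caf\u00e9-model", "version": 3,
     "files": {"model.bin": "sha256:" + "ab" * 32}, "latency_ms_p50": "12.5"}
B = {"latency_ms_p50": "12.5", "files": {"model.bin": "sha256:" + "ab" * 32},
     "version": 3, "name": "cafe\u0301-model"}

if __name__ == "__main__":
    print(artifact_id(A))
    print(artifact_id(A) == artifact_id(B))
```

A signature stored under signatures/ would be computed over the same canonical bytes, so a verifier on another host can reproduce both the identifier and the signed input.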
Entry points
A package declares how it is loaded through an adapter, not arbitrary executable hooks. Runtime adapters are higher-trust code maintained separately. This reduces the risk that every package becomes a supply-chain execution surface.
Permission minimization
Package permissions describe needs; deployment policy grants the intersection of package need and environment allowance. A descendant never inherits broader authority merely because its parent had it.
runtime_permissions <- INTERSECTION(
    package.requested_permissions,
    contract.maximum_permissions,
    environment.allowed_permissions,
    task.allowed_permissions
)
IF package.requested_permissions NOT_SUBSET_OF contract.maximum_permissions
    REJECT_PACKAGE
END IF
Evaluation card
The evaluation card should list failed cases, not only aggregate wins. Include confidence intervals, slice results, calibration, cost distributions, safety tests, and comparison with the current champion under the same environment.
Package states
Packages are immutable, but lifecycle state can change in registry metadata: candidate, evaluated, approved, shadow, canary, champion, archived, quarantined, retired. State transitions are audited and policy-controlled.
Source reports used for this guide
These reports are preserved verbatim in the site archive. The guide above is an editorial synthesis and may narrow, qualify, or reorganize claims from the source material.