Skip to main content

Pack Metadata and Versioning

Every full config document requires a pack: object. Keeptrusts uses its fields for validation and traceability:

  • pack.version into config_version
  • pack.name into pack_name
  • a SHA-256 fingerprint from the raw file bytes (config_sha256)

Only the schema-defined keys on this page are accepted. name, version, and enabled are required.

pack:
name: finance-compliance
version: 2.1.0
enabled: true

This is the minimum valid pack block.

Supported behavior

FieldUsed by KeeptrustsBehavior
nameyesRequired non-empty name; stored as pack_name
versionyesRequired semantic version; stored as config_version
enabledvalidation onlyRequired boolean. The gateway loader does not currently skip enforcement when it is false.
idmetadataOptional non-empty identifier, up to 200 characters
authormetadataOptional owner or team, up to 200 characters
descriptionmetadataOptional description, up to 2,000 characters

Important implications

enabled is required but is not a runtime on/off switch

This does not disable the configuration at load time:

pack:
name: disabled-looking-pack
version: 1.0.0
enabled: false

Do not use pack.enabled: false as a deployment safety control. Select or withdraw the configuration through the owning rollout workflow instead.

id is optional metadata

The validator accepts id, but the gateway loader does not derive it from name or use it as the runtime configuration fingerprint.

Config fingerprinting

Keeptrusts computes a config fingerprint from the raw file bytes before parsing.

config_sha256 = sha256_prefixed(policy-config.yaml bytes)

That fingerprint is independent of pack.id or pack.version.

Next steps