hoziron package
Package authoring — scaffold, build, sign, verify, lint, and publish .hpkg packages.
Synopsis
hoziron package <subcommand> [options]
Subcommands
| Subcommand | Description |
|---|---|
init | Scaffold a new package directory |
build <path> | Build a .hpkg archive |
inspect <path> | Display manifest and payload structure |
sign <path> | Sign with ed25519 private key |
verify <path> | Verify signature and content hash |
keygen | Generate ed25519 signing keypair |
lint <path> | Validate against packaging rules |
publish <path> | Build, lint, sign, and publish in one step |
hoziron package init
Scaffold a new package directory with MANIFEST.toml template.
hoziron package init --type <type> --name <name> [--json]
Package Types
| Type | Description |
|---|---|
tool | Single tool implementation (Python/WASM/Node/Shell) |
skill | Tool bundle with runtime config |
competency | COMPETENCY.toml + system-prompt + knowledge + skill refs |
agent-template | Full agent config (model, triggers, competency, permissions) |
workflow-template | Workflow definition JSON + referenced agent templates |
integration | MCP server or external service integration |
Examples
$ hoziron package init --type competency --name claims-intake
✓ Created claims-intake/
├── MANIFEST.toml
└── payload/
└── COMPETENCY.md
$ hoziron package init --type tool --name pdf-extractor
✓ Created pdf-extractor/
├── MANIFEST.toml
└── payload/
└── TOOL.md
$ hoziron package init --type integration --name salesforce-connector
✓ Created salesforce-connector/
├── MANIFEST.toml
└── payload/
└── INTEGRATION.md
hoziron package build
Build a .hpkg archive from a package directory.
hoziron package build <path> [--output <dir>] [--json]
Flags
| Flag | Description |
|---|---|
-o, --output <dir> | Output directory (default: parent of source dir) |
--json | JSON output for scripting |
Example
$ hoziron package build ./claims-intake/
✓ Built: claims-intake-1.0.0.hpkg (24 KB)
Output: ./claims-intake-1.0.0.hpkg
$ hoziron package build ./claims-intake/ --output /tmp/packages/
✓ Built: claims-intake-1.0.0.hpkg (24 KB)
Output: /tmp/packages/claims-intake-1.0.0.hpkg
hoziron package inspect
Display manifest and payload structure without installing.
hoziron package inspect <path> [--json]
Example
$ hoziron package inspect ./claims-intake/
Package: claims-intake
Type: competency
Version: 1.0.0
License: MIT
Author: Insurance Corp <platform@company.com>
Min Platform: 0.5.0
Dependencies:
document-ocr: ^1.0
postgresql-connector: ^2.0
email-skill: ^1.2
Payload:
COMPETENCY.md (12.4 KB)
references/
claims-guide.md (8.4 KB)
coverage-rules.md (3.2 KB)
Signing: unsigned
Content Hash: sha256:a1b2c3...
hoziron package sign
Sign a package with the publisher's ed25519 private key.
hoziron package sign <path> [--key <key-path>] [--json]
Flags
| Flag | Description |
|---|---|
--key <path> | Path to private key (default: ~/.hoziron/keys/default.key) |
--json | JSON output |
Examples
# Sign with default key
$ hoziron package sign ./claims-intake/
✓ Package signed
Publisher key: ed25519:mK3x...
Content hash: sha256:a1b2c3d4...
# Sign with specific key
$ hoziron package sign ./claims-intake/ --key ~/.hoziron/keys/company.key
✓ Package signed
hoziron package verify
Verify signature and content hash integrity.
hoziron package verify <path> [--public-key <key>] [--json]
Flags
| Flag | Description |
|---|---|
--public-key <key> | Public key to verify against (default: uses key from manifest) |
--json | JSON output |
Examples
$ hoziron package verify ./claims-intake/
✓ Signature valid
Publisher: ed25519:mK3x...
Content hash: sha256:a1b2c3d4... ✓ matches
# Failed verification
$ hoziron package verify ./tampered-package/
✗ Verification failed
Content hash mismatch:
Expected: sha256:a1b2c3d4...
Actual: sha256:deadbeef...
hoziron package keygen
Generate an ed25519 signing keypair.
hoziron package keygen [--force] [--json]
Flags
| Flag | Description |
|---|---|
--force | Overwrite existing key if present |
--json | JSON output |
Example
$ hoziron package keygen
✓ Keypair generated
Private key: ~/.hoziron/keys/default.key
Public key: ~/.hoziron/keys/default.pub
Public key (for sharing): ed25519:mK3xR7...
⚠ Keep your private key secure. Never share it or commit it to version control.
# Overwrite existing
$ hoziron package keygen --force
✓ Keypair regenerated (previous key overwritten)
hoziron package lint
Validate manifest and payload structure against packaging rules.
hoziron package lint <path> [--json]
Example
$ hoziron package lint ./claims-intake/
✓ MANIFEST.toml valid
✓ Package name format (kebab-case, 3–64 chars)
✓ Version is valid semver
✓ License is valid SPDX identifier
✓ Author has name
✓ Dependencies use semver ranges
✓ Payload COMPETENCY.md exists
✓ Frontmatter valid (id, name, description, category, skills present)
All checks passed (8/8)
# With errors
$ hoziron package lint ./bad-package/
✓ MANIFEST.toml valid
✗ Package name format: "Bad Package!" contains invalid characters (expected kebab-case)
✗ Dependencies: "document-ocr: latest" is not a valid semver range
✗ SKILL.md: 'name' is required in frontmatter
3 errors found (5/8 passed)
hoziron package publish
Build, lint, sign, and publish in one step.
hoziron package publish <path> [--registry <name>] [--key <path>] [--skip-lint] [--json]
Flags
| Flag | Description |
|---|---|
--registry <name> | Target registry (overrides scope-based routing) |
--key <path> | Private key for signing |
--skip-lint | Skip the lint step |
--json | JSON output |
Example
$ hoziron package publish ./claims-intake/
Step 1/4: Lint ... ✓
Step 2/4: Build ... ✓ (claims-intake-1.0.0.hpkg, 24 KB)
Step 3/4: Sign ... ✓
Step 4/4: Upload to registry ... ✓
✓ Published claims-intake@1.0.0 to default registry
# Publish to a specific registry
$ hoziron package publish ./claims-intake/ --registry internal
✓ Published claims-intake@1.0.0 to internal
MANIFEST.toml Reference
[package]
type = "competency"
name = "claims-intake"
version = "1.0.0"
description = "First Notice of Loss processing"
license = "MIT"
min_platform_version = "0.5.0"
[package.author]
name = "Insurance Corp"
email = "platform@company.com"
url = "https://company.com"
[package.metadata]
repository = "https://github.com/company/claims-intake"
homepage = "https://company.com/docs/claims-intake"
keywords = ["insurance", "claims", "fnol"]
categories = ["insurance/claims"]
regions = ["us", "uk"]
[dependencies]
document-ocr = "^1.0"
postgresql-connector = "^2.0"
[optional-dependencies]
email-skill = "^1.2"
[peer-dependencies]
guidewire-claimcenter = "^3.0"
[standards]
mcp_compatible = true
openapi_spec = "payload/openapi.yaml"
[signing]
# Populated by `hoziron package sign`
publisher_key = "ed25519:mK3x..."
content_hash = "sha256:a1b2c3d4..."
See Also
- catalog.md — Installing and searching published packages
- competency.md — Using installed competencies
- ../competency-authoring.md — Writing COMPETENCY.toml