Package Management

The MIND package manager design is specified in mind-spec with modern dependency resolution, supply chain security, and compliance features. Implementation is in early stages; the interfaces and workflows described here reflect the specification and are subject to change.

Architecture

┌─────────────────────────────────────────────────┐
│              Package Manager CLI                │
├─────────────────────────────────────────────────┤
│  Manifest Parser  │  Lockfile Manager           │
├───────────────────┼─────────────────────────────┤
│  PubGrub Resolver │  Content-Addressed Storage  │
├───────────────────┼─────────────────────────────┤
│  Sparse Registry  │  Workspace Manager          │
├─────────────────────────────────────────────────┤
│        Security: Audit | SBOM | Provenance      │
└─────────────────────────────────────────────────┘

Core Features

PubGrub CDCL Resolver

Modern satisfiability-based dependency resolution using the PubGrub algorithm (same as Cargo and pub). Features:

• Conflict-Driven Clause Learning: Efficient backtracking on version conflicts
• Multi-Version Isolation: Support for diamond dependencies with version isolation
• Resolution Strategies: Minimal, maximal, or hybrid version selection

Content-Addressed Storage

All packages are stored by SHA-256 content hash, enabling:

• Deduplication: Identical packages stored once regardless of version
• Integrity Verification: Automatic hash checking on install
• Reproducible Builds: Same lockfile always produces same install

Lockfile Integrity

# mind.lock
[metadata]
version = "1"
generated = "2026-01-20T21:45:00Z"

[[package]]
name = "tensor-utils"
version = "2.1.0"
source = "registry+https://packages.mindlang.dev"
integrity = "sha256-a1b2c3d4e5f6..."
dependencies = ["core@1.0", "math@2.0"]

Security & Compliance

Security Audit (OSV)

Integrated vulnerability scanning using the Open Source Vulnerabilities database:

use mind_runtime::package::{SecurityAuditor, AuditConfig};

let auditor = SecurityAuditor::new(AuditConfig::default());
let report = auditor.audit(&lockfile.packages)?;

for advisory in report.advisories {
    println!("{}: {} ({})",
        advisory.id,
        advisory.summary,
        advisory.severity
    );
}

SLSA Provenance

Supply chain attestations with Ed25519 cryptographic signatures following SLSA framework:

• Level 1-3 Support: Configurable provenance levels
• Ed25519 Signing: Fast, secure digital signatures
• In-toto Format: Industry-standard attestation schema
• Sigstore Compatible: Optional transparency log integration

SBOM Generation

Software Bill of Materials in industry-standard formats:

use mind_runtime::package::{SbomGenerator, SbomConfig, SbomFormat};

let generator = SbomGenerator::new(SbomConfig {
    format: SbomFormat::CycloneDx,  // or SbomFormat::Spdx
    include_dev_deps: false,
    ..Default::default()
});

let sbom = generator.generate(&lockfile)?;
sbom.save("sbom.json")?;

Supports SPDX 3.0 and CycloneDX 1.5 formats for regulatory compliance.

Policy Enforcement

Configurable security gates with three policy levels:

Workspace Support

Monorepo management with shared dependencies and workspace inheritance:

# mind.toml (workspace root)
[workspace]
members = ["packages/*", "apps/*"]

[workspace.dependencies]
core = "1.0"
tensor = { version = "2.0", features = ["gpu"] }

# packages/my-lib/mind.toml
[package]
name = "my-lib"

[dependencies]
core.workspace = true  # inherits from workspace

Sparse Registry Protocol

HTTP-based package index with efficient caching:

• Async HTTP: Non-blocking fetches with reqwest
• ETag/If-Modified-Since: Conditional requests for bandwidth efficiency
• Local Cache: Configurable TTL for offline support
• Auth Support: Bearer token authentication for private registries

Learn More

See the Package Management Specification for the full technical details, and the Roadmap for the feature status. Enterprise customers can access the runtime implementation via Enterprise license.