Fluid Forge
Why Forge
Concepts
Get Started
  • Consume a Data Product
  • See it run
  • Demos
  • Local (DuckDB)
  • Source-Aligned (Postgres → DuckDB)
  • AI Forge + Data Models
  • MCP Output Port — Serve to AI Agents
  • GCP (BigQuery)
  • Snowflake Team Collaboration
  • Declarative Airflow
  • Orchestration Export
  • Jenkins CI/CD
  • Universal Pipeline
  • 11-Stage Production Pipeline
  • Catalog Forge End-to-End
CLI Reference
  • Agent Policy (concept)
  • MCP Output Port — Serve to Agents
  • MCP deep-dive
  • AI-assisted authoring
  • LLM providers & backends
  • Overview
  • Quickstart
  • Examples
  • Your own CI
  • Your own scaffolding
  • Custom validator
  • Apply hook
  • Reference
  • Overview
  • Architecture
  • GCP (BigQuery)
  • AWS (S3 + Athena)
  • Snowflake
  • Local (DuckDB)
  • Custom Providers
  • Roadmap
GitHub
Why Forge
Concepts
Get Started
  • Consume a Data Product
  • See it run
  • Demos
  • Local (DuckDB)
  • Source-Aligned (Postgres → DuckDB)
  • AI Forge + Data Models
  • MCP Output Port — Serve to AI Agents
  • GCP (BigQuery)
  • Snowflake Team Collaboration
  • Declarative Airflow
  • Orchestration Export
  • Jenkins CI/CD
  • Universal Pipeline
  • 11-Stage Production Pipeline
  • Catalog Forge End-to-End
CLI Reference
  • Agent Policy (concept)
  • MCP Output Port — Serve to Agents
  • MCP deep-dive
  • AI-assisted authoring
  • LLM providers & backends
  • Overview
  • Quickstart
  • Examples
  • Your own CI
  • Your own scaffolding
  • Custom validator
  • Apply hook
  • Reference
  • Overview
  • Architecture
  • GCP (BigQuery)
  • AWS (S3 + Athena)
  • Snowflake
  • Local (DuckDB)
  • Custom Providers
  • Roadmap
GitHub
  • Introduction

    • Home
    • Why Fluid Forge
    • Getting Started
    • Snowflake Quickstart
    • See it run
    • Forge Data Model
    • Vision & Roadmap
    • Playground
    • FAQ
  • Concepts

    • Concepts
    • Builds, Exposes, Bindings
    • What is a contract?
    • Quality, SLAs & Lineage
    • Governance & Policy
    • Agent Policy (LLM/AI governance)
    • Providers vs Platforms
    • Fluid Forge vs alternatives
  • Data Products

    • Consume a Data Product
    • Product Types — SDP, ADP, CDP
  • Walkthroughs

    • Walkthrough: Local Development
    • Source-Aligned: Postgres → DuckDB → Parquet
    • AI Forge And Data-Model Journeys
    • Walkthrough: MCP Output Port
    • Walkthrough: Deploy to Google Cloud Platform
    • Walkthrough: Snowflake Team Collaboration
    • Declarative Airflow DAG Generation - The FLUID Way
    • Generating Orchestration Code from Contracts
    • Jenkins CI/CD for FLUID Data Products
    • Universal Pipeline
    • The 11-Stage Pipeline
    • End-to-End Walkthrough: Catalog → Contract → Transformation
  • CLI Reference

    • CLI Reference
    • Core workflow

      • fluid init
      • fluid demo
      • fluid forge
      • fluid validate
      • fluid plan
      • fluid apply
      • fluid diff
      • fluid status
    • Build & ship

      • fluid bundle
      • fluid generate
      • fluid generate artifacts
      • fluid validate-artifacts
      • fluid verify-signature
      • fluid generate iac
      • fluid generate-airflow
      • fluid generate-pipeline
      • fluid viz-graph
      • fluid publish
      • fluid ship
      • fluid rollback
      • fluid schedule-sync
    • AI & Agents

      • fluid ai
      • fluid agents
      • fluid mcp
      • fluid memory
      • fluid stats
      • fluid skills
    • Quality & governance

      • fluid test
      • fluid verify
      • fluid contract-tests
      • fluid contract-validation
      • fluid policy
      • fluid policy check
      • fluid policy compile
      • fluid policy apply
    • Standards & interoperability

      • fluid odps
      • fluid odps-bitol
      • fluid odcs
      • fluid export
      • fluid export-odps
      • fluid exporters
      • fluid import
      • fluid market
      • fluid datamesh-manager
    • Project & workspace

      • fluid product-new
      • fluid product-add
      • fluid workspace
      • fluid contract
      • fluid split
      • fluid config
      • fluid providers
      • fluid plugins
      • fluid provider-init
      • fluid auth
      • fluid secrets
      • fluid ide
      • fluid scaffold-ci
      • fluid scaffold-composer
      • fluid scaffold-ide
      • fluid docs
      • fluid runs
      • fluid retention
      • fluid describe
      • fluid doctor
      • fluid roadmap
      • fluid version
    • Catalog adapters

      • Source Catalog Integration (V1.5)
      • Publishing to a Catalog — Overview
      • BigQuery Catalog
      • Snowflake Horizon Catalog
      • Databricks Unity Catalog
      • Google Dataplex Catalog
      • AWS Glue Data Catalog
      • DataHub Catalog
      • Data Mesh Manager Catalog
      • OpenMetadata Catalog
    • CLI by task

      • CLI by task
      • Add quality rules
      • Add agent governance
      • Debug a failed pipeline run
      • Switch clouds with one line
  • Recipes

    • Recipes
    • Recipe — add a quality rule
    • Recipe — switch clouds with one line
    • Recipe — tag PII in your schema
    • Write a contract that consumes another contract
    • Generate per-environment overlays
  • SDK & Plugins

    • SDK & Plugins
    • Quickstart — your first plugin
    • Examples

      • Runnable examples
      • Example: hello-scaffold — the minimal viable plugin
      • Example: gitlab-ci-scaffold — generate a complete CI project
      • Example: steward-validator — a custom governance rule
      • Example: prod-key-guard — apply-time invariant check
    • Journeys

      • Journeys
      • Your own CI/CD

        • You have your own CI/CD setup, no problem
        • GitLab CI — the bundle template
        • GitHub Actions — the bundle template
        • Jenkins — the bundle template
        • CircleCI — the bundle template
      • You have a strict project layout, no problem
      • You have governance rules, no problem
      • You want a check at apply time, no problem
    • Reference

      • Reference
      • Roles reference
      • Entry points reference
      • Trust model
      • Packaging
      • Companion packages
  • Providers

    • Providers
    • Provider Architecture
    • GCP Provider
    • AWS Provider
    • Snowflake Provider
    • Local Provider
    • Creating Custom Providers
    • Provider Roadmap
  • AI & Agents

    • MCP Server
    • Built-in And Custom Forge Guidance
    • Forge Discovery Guide
    • Forge Memory Guide
    • Authoring Forge Tools
    • Guided fluid forge UX
    • LLM Providers
    • LiteLLM Backend
    • Capability Warnings
    • Cost Tracking
    • FLUID Forge Contract GPT Packet
    • Agentic Primitives
  • Operate & Deploy

    • Airflow Integration
    • Blueprints
    • Source-Aligned Acquisition
  • Govern & Secure

    • Governance, Compliance & the Business Case
    • Governance & Compliance
    • Network Safety
    • Credential Resolver — Security Model
  • Configuration & Reference

    • Environment Variables
    • Typed Errors
    • Typed CLI Errors
    • API Stability — fluid_build.api
  • Architecture & Releases

    • V1.5 Catalog Integration — Architecture Deep-Dive
    • V1.5 + V2 Hardening — Release Notes
  • Project

    • Contributing to Fluid Forge
    • Fluid Forge Docs Baseline: CLI 0.9.0
    • Fluid Forge Docs Baseline: CLI 0.8.11
    • Fluid Forge Docs Baseline: CLI 0.8.10
    • Fluid Forge Docs Baseline: CLI 0.8.9
    • Fluid Forge Docs Baseline: CLI 0.8.8
    • Fluid Forge Docs Baseline: CLI 0.8.7
    • Fluid Forge Docs Baseline: CLI 0.8.6
    • Fluid Forge Docs Baseline: CLI 0.8.5
    • Fluid Forge Docs Baseline: CLI 0.8.4
    • Fluid Forge Docs Baseline: CLI 0.8.3
    • Fluid Forge Docs Baseline: CLI 0.8.0
    • Fluid Forge Docs Baseline: CLI 0.7.11
    • Fluid Forge Docs Baseline: CLI 0.7.9
    • Fluid Forge v0.7.1 - Multi-Provider Export Release

fluid bundle

Stage 1 of the 11-stage pipeline. Package the contract and its source files into a single bundle — either a resolved single-document YAML/JSON (development) or a deterministic content-addressable tgz archive with a SHA-256 MANIFEST (production).

Renamed from fluid compile in 0.7.3. The hidden fluid compile alias was removed; use fluid bundle --format yaml as the one-to-one replacement for legacy callers.

Syntax

fluid bundle CONTRACT

Key options

Input / output

OptionDescription
--out, -oOutput path. Default - for stdout (yaml/json) or the current directory (tgz).
--env, -eApply an environment overlay after ref resolution.
--format, -fOutput format: yaml (default), json, or tgz. See below.

Supply chain (opt-in, --format tgz only)

OptionDescription
--signSigstore cosign sign the emitted tgz. Default is keyless OIDC (GitHub / GitLab / CircleCI / GCP WIF all detected automatically). Writes <bundle>.sig and — in keyless mode — <bundle>.pem next to the tgz.
--sign-key PATH_OR_KMS_URIUse keyed cosign signing instead of keyless. Supports file paths and KMS URIs (awskms://, gcpkms://, azurekms://, hashivault://, k8s://). Required for Bitbucket Pipelines, air-gapped, and regulatory environments without OIDC.
--attestEmit a SLSA Level 2 in-toto v1 provenance predicate next to the bundle as <bundle>.tgz.intoto.jsonl. Records the build system (GitHub / GitLab / CircleCI / Jenkins / Bitbucket / Azure), invocation ID, git commit SHA, and subject[0].digest.sha256 = <bundle SHA>.

Output formats

yaml / json (default)

Resolves every $ref in the contract and emits a single-document YAML or JSON file. Drop-in replacement for the legacy fluid compile command.

fluid bundle contract.fluid.yaml                       # stdout, yaml
fluid bundle contract.fluid.yaml --out bundled.yaml    # file, yaml
fluid bundle contract.fluid.yaml --format json --out bundled.json
fluid bundle contract.fluid.yaml --env prod --out prod-bundled.yaml

tgz (canonical production format)

Emits a deterministic content-addressable tgz with:

  • MANIFEST.json — SHA-256 per file + merkle root (the bundleDigest referenced by stage 6 plan and verified by stage 7 apply)
  • contract.resolved.yaml / contract.resolved.json — $ref pointers resolved; inline SQL / OpenAPI blocks are extracted into sources/ and replaced with {"$source": "sources/..."} sentinels
  • sources/sql/{id}.sql, sources/openapi/{id}.yaml, sources/policy/*.yaml — extracted fragments

Two independent runs produce byte-identical tgz output (tar-header normalisation + sort_keys=True + Unicode NFC + enforced trailing newlines). This is what makes bundleDigest a stable identifier.

fluid bundle contract.fluid.yaml --format tgz --out runtime/bundle.tgz

With keyless cosign signing on a GitHub Actions runner:

fluid bundle contract.fluid.yaml --format tgz --out runtime/bundle.tgz --sign
# emits: runtime/bundle.tgz, bundle.tgz.sig, bundle.tgz.pem

With keyed cosign signing (Bitbucket / air-gapped):

fluid bundle contract.fluid.yaml --format tgz --out runtime/bundle.tgz \
  --sign --sign-key awskms:///arn:aws:kms:us-east-1:111122223333:key/bc436485-…
# emits: runtime/bundle.tgz, bundle.tgz.sig

With SLSA L2 provenance attestation alongside signing:

fluid bundle contract.fluid.yaml --format tgz --out runtime/bundle.tgz --sign --attest
# emits: runtime/bundle.tgz, .sig, .pem, .intoto.jsonl

Verify a signed bundle with fluid verify-signature.

Examples

# Dev: resolve-and-inspect (equivalent to legacy fluid compile)
fluid bundle contract.fluid.yaml

# Dev with env overlay
fluid bundle contract.fluid.yaml --env staging --out staging-bundled.yaml

# Prod: canonical content-addressable tgz (stage 1 of the 11-stage pipeline)
fluid bundle contract.fluid.yaml --format tgz --out runtime/bundle.tgz

# Prod + supply chain (GitHub Actions / keyless OIDC)
fluid bundle contract.fluid.yaml --format tgz --out runtime/bundle.tgz --sign --attest

Determinism guarantees

The tgz format produces byte-identical output across independent runs of the same input. Guaranteed by:

  • tar header normalisation: mtime=SOURCE_DATE_EPOCH, uid=gid=0, uname=gname="", mode 0o644 / 0o755, entries sorted by path.
  • YAML via yaml.safe_dump(sort_keys=True, default_flow_style=False).
  • JSON via json.dumps(sort_keys=True, separators=(",", ":")).
  • SQL / policy / OpenAPI fragments: byte-identical to the source strings after Unicode NFC normalisation + trailing-newline enforcement. No formatter mutation.

Result: the bundle's SHA-256 digest is a stable cryptographic identifier usable as a cache key, a release artifact, or the bundleDigest field in plan.json.

Notes

  • fluid bundle --format yaml is the drop-in replacement for the removed fluid compile command.
  • --sign and --attest are tgz-only. On yaml / json they are rejected with a clear error — signing a text format isn't a useful operation.
  • Cosign must be on PATH for --sign. See fluid doctor to verify.
  • Use bundle to inspect or ship a resolved contract after fragmenting with fluid split.
Edit this page on GitHub
Last Updated: 4/24/26, 10:17 AM
Contributors: Jeff Watson, fas89
Next
fluid generate