Topology Bill of Materials
The open topology standard for Infrastructure Governance. A TBoM declares the topology of an AI system — what can talk to what, which tools and capabilities exist, and which pathways were deliberately excluded — as a deterministic, fingerprinted, machine-readable artifact. It is a public specification anyone can read, validate against, and build on.
Like an SBOM — but for the topology of an AI system.
A software bill of materials lists the components inside a piece of software — the libraries and packages it is built from — so you can reason about what is really in it.
A Topology Bill of Materials declares the structure of an AI system — its participants, the pathways declared between them, and the pathways deliberately left out — with a deterministic fingerprint over that structure. You cannot govern what you cannot describe. A TBoM is how the system describes itself, precisely enough to verify.
A TBoM is a pre-execution structural artifact. It answers one question precisely: what topology was declared, and what does its structure hash to? It does not sign, load keys, execute agents, or contain solver output. Receipts, commitments, recognition records, and attestations are separate artifact families that reference a TBoM by fingerprint — they are not fields inside it.
An open standard, with commercial infrastructure built around it.
The standard is deliberately independent of any one product. Anyone can produce and validate a TBoM without InvarOS. InvarOS is the commercial infrastructure that produces TBoMs at the hardware layer, verifies them, and governs on them.
Topology Bill of Materials (TBoM)
Public specification · Apache-2.0 · JSON Schemas · reference validator · conformance vectors · permanent identifiers at tbom.yozi.systems. Adopt it, produce it, validate against it — with or without InvarOS.
InvarOS
Produces TBoMs at the infrastructure layer via the native invarosd runtime, verifies structural and trajectory properties with a deterministic mathematical core, enforces policy before execution, and emits cryptographic evidence — from a developer workstation to air-gapped and sovereign deployments.
Explore the InvarOS platform →A measurement standard the whole field can share.
Governance only interoperates if everyone can agree on how a system's topology is described. An open, deterministic format for that description benefits the field regardless of who builds the tooling around it — the same way SBOMs, CycloneDX, and in-toto became shared infrastructure rather than one vendor's feature.
TBoM is published under Apache-2.0 with a normative specification (RFC 2119 language), machine- readable JSON Schemas, a reference validator, and synthetic conformance vectors. Permanent specification, schema, registry, and algorithm identifiers are rooted at tbom.yozi.systems. Yozi Systems is the specification owner and change controller; the specification itself is free to adopt.
Two profile families, versioned independently.
A profile is a concrete, versioned JSON Schema that fully determines the shape of a class of TBoM artifacts. Consumers dispatch on both profile family and version — never on a bare version number.
| Profile | Version | Status | Describes |
|---|---|---|---|
| Agentic Topology | 3.0.0 | Public draft | Pre-execution agentic AI topology: agents, tools, and their declared pathways. |
| Edge Network Topology | 3.0.0 | Frozen legacy | Historical observed interface topology. Frozen for byte-compatible fingerprint continuity; retained as the legacy profile behind earlier artifacts on this site. |
| Edge Network Topology | 4.0.0 | Current profile | Structure defined by declared intent, with runtime state as a separate observation projection. Reference producer and bootstrap discovery implemented in invarosd; qualified Internal Full and Public Minimal artifacts have been captured and validated (schema, semantics, and independent fingerprint reproduction). See the live artifacts → |
Honest status: Profile 4.0.0 is the current profile. Its Phase 0 normative package is locked, a reference producer is implemented in invarosd, and qualified Internal Full and Public Minimal artifacts have been captured live and validated (schema, semantic, and independent fingerprint reproduction). That qualification covers local discovery and evidence integration — not full enterprise policy orchestration, production enforcement, live federation, or daemon receipt orchestration, which remain roadmap. Edge Network Topology Profile 3.0.0 is frozen exactly as implemented and is retained only as the legacy profile behind earlier artifacts. The specification records the exact state of each.
Read it, validate against it, adopt it — no contact required.
Everything you need to work with TBoM is public. Follow the path from specification to validator to your own artifacts.
Specification
The normative TBoM artifact model, profile identification, canonical serialization, fingerprint expectations, and explicit non-claims.
SPECIFICATION.md →JSON Schemas
Machine-readable schemas for each profile. Validate any candidate artifact against the exact profile and version it claims.
schemas/ →Reference validator
An offline schema validator and tbom-validate CLI that dispatches by profile id and version. No network required.
validator/ →Conformance vectors
Synthetic normative inputs with expected fingerprints. A passing validator run does not by itself establish producer conformance — the vectors make the contract explicit.
conformance/ →git clone https://github.com/Yozi-Systems/invaros-tbom-spec
cd invaros-tbom-spec
# set up and run the reference validator (offline)
python3 -m venv .venv && . .venv/bin/activate
python -m pip install .[test]
tbom-validate examples/agentic/*.json examples/edge-network/*.json
→ artifacts validated against their declared profile schemas
Start here
Specification, schema, registry, and algorithm identifiers are permanently rooted at tbom.yozi.systems.
What a TBoM is not.
Precision about boundaries is part of the standard. A TBoM is deliberately narrow so it can be exact.
Not enforcement
TBoM artifacts describe topology; they do not enforce it by themselves. Enforcement is the job of the runtime that consumes them.
Not authenticity
Fingerprints provide deterministic integrity naming — not authenticity, replay protection, trusted freshness, or absolute downgrade resistance.
Not a trust assertion
TBoM means Topology Bill of Materials, never "Trust" Bill of Materials. A TBoM is not by itself a trust assertion, signature, or proof of authenticity.
Observation ≠ structure
In Profile 4, runtime observation is evidence, not structure. Observed behavior cannot create, remove, or invalidate a declared structural fact.
Adopt the standard, or build with the infrastructure.
Developers can adopt TBoM directly from the public repository today. Organizations building governed AI infrastructure can engage InvarOS for the runtime, verification, and evidence layer built around it.