Bundle Types Guide

The 5 Bundle Types

SCP uses a hierarchical bundle architecture with 5 distinct types, each serving a specific purpose in the governance model.

Bundle Type Hierarchy

Meta Bundle (SCS Foundation)
  ↓ imports
Standards Bundles (External: HIPAA, SOC2, CHAI, NIST)
  ↓ imports
Domain Bundle (The Company - e.g., Acme Health Corp)
  ↓ imports multiple
Concern Bundles (Functional Areas: Architecture, Security, Clinical, Data)
  ↓ imported by
Project Bundles (Individual Initiatives: Prior Auth App, Patient Portal)

1. Meta Bundle

What: Universal SCS vocabulary and semantic foundation

Who Creates: SCS (the platform owner)

Cardinality: 1 per ecosystem

Imports: None (foundation layer)

Contains: Meta-tier SCDs (scd:meta:scd-meta, bundle-meta, domain-meta, validator-meta)

Example: bundle:meta:1.0.0

Use Case: Provides the specification language itself - the vocabulary that all other bundles use.


2. Standards Bundle

What: External regulatory/compliance requirements

Who Creates: Standards bodies, regulators (CHAI, NIST, AICPA), or compliance teams

Cardinality: Many (one per standard)

Imports: May import other standards bundles

Contains: Standards-tier SCDs

Examples:

  • bundle:hipaa:1.0.0 - HIPAA compliance requirements
  • bundle:soc2:1.0.0 - SOC 2 Type II Trust Services Criteria
  • bundle:chai:1.0.0 - Coalition for Health AI principles
  • bundle:nist-800-63:1.0.0 - NIST identity standards

Use Case: Encode external compliance requirements once, import everywhere needed.

Real-World Examples:

  • Healthcare projects import bundle:hipaa and bundle:chai
  • SaaS companies import bundle:soc2
  • Government projects import bundle:nist bundles


3. Domain Bundle ⭐

What: Company's corporate knowledge aggregator (THE KEY CONCEPT)

Who Creates: CTO/CIO (C-suite owned)

Cardinality: 1 per company

Imports: MUST import ≥1 concern bundle

Contains: NO SCDs directly (aggregates concerns)

Examples:

  • bundle:acme-health-corp:1.0.0
  • bundle:megabank-financial:1.0.0
  • bundle:techcorp-inc:1.0.0

Use Case: Build once, use everywhere. Every project in the company imports this single domain bundle and automatically gets all company context.

Why This Is Critical:

  • Company knowledge is defined once at the domain level
  • All projects import the domain → instant access to all concerns
  • Update a concern, version the domain → all projects get the update
  • Massive reduction in duplication and drift

Example Workflow:

# Domain bundle aggregates all concerns
bundle:acme-health-corp:1.0.0
  imports:
    - bundle:acme-architecture:1.0.0
    - bundle:acme-security:1.0.0
    - bundle:acme-clinical:1.0.0
    - bundle:acme-company-context:1.0.0
    - bundle:hipaa:1.0.0
    - bundle:chai:1.0.0

# Every project just imports the domain
bundle:prior-auth-app:1.0.0
  imports:
    - bundle:acme-health-corp:1.0.0  # Gets everything!


4. Concern Bundle

What: Functional area standards within a company (leaf nodes)

Who Creates: VPs/Directors (functional leaders)

Cardinality: Variable per company (based on needs)

Imports: MUST be empty (concerns are atomic/leaf nodes)

Contains: MUST have ≥1 project-tier SCD

Examples:

  • bundle:acme-architecture:1.0.0 - System patterns, tech stack
  • bundle:acme-security:1.0.0 - Security controls, threat model
  • bundle:acme-clinical-workflow:1.0.0 - Clinical protocols, safety requirements
  • bundle:acme-data-governance:1.0.0 - Data policies, retention rules
  • bundle:acme-company-context:1.0.0 - Mission, values, stakeholders

Ownership Examples:

| Concern Bundle    | Owner                 | Contains                                   |
|-------------------|-----------------------|--------------------------------------------|
| Architecture      | Chief Architect       | Tech stack, patterns, deployment standards |
| Security          | CISO                  | Security controls, threat model, policies  |
| Clinical Workflow | Chief Medical Officer | Clinical protocols, safety requirements    |
| Data Governance   | Chief Data Officer    | Data policies, classification, retention   |
| Company-Context   | CEO                   | Mission, values, stakeholders, culture     |

Use Case: Functional leaders own their domain of expertise. These bundles are imported by the company's domain bundle.

Constraint: Concern bundles CANNOT import other bundles - they are leaf nodes. This ensures clean separation of concerns.


5. Project Bundle

What: Individual project/initiative implementation (entry point for AI)

Who Creates: Product/Project Managers

Cardinality: Many (one per project)

Imports: Typically imports domain bundle (gets everything)

Contains: Project-specific SCDs

Examples:

  • bundle:prior-auth-app:1.0.0 - Prior authorization application
  • bundle:patient-portal:1.0.0 - Patient engagement portal
  • bundle:claims-processing:1.0.0 - Claims automation system

Use Case: This is what gets deployed and consumed by AI. Contains project-specific context plus imports all company knowledge via domain bundle.

Example:

id: bundle:prior-auth-app
type: project
version: "1.0.0"
title: "Prior Authorization Application"

scds:
  - scd:project:prior-auth-requirements
  - scd:project:prior-auth-workflows
  - scd:project:formulary-rules

imports:
  - bundle:acme-health-corp:1.0.0  # Gets all company context

# When deployed, AI gets:
# - prior-auth-app SCDs
# - acme-health-corp domain (which includes):
#   - acme-architecture concern
#   - acme-security concern
#   - acme-clinical concern
#   - acme-company-context concern
#   - hipaa standards
#   - chai standards


Ownership Model

| Role                | Owns Bundle Type | Contains                      | Updates When                     |
|---------------------|------------------|-------------------------------|----------------------------------|
| SCS                 | Meta             | SCS specification language    | Spec changes                     |
| Standards Bodies    | Standards        | HIPAA, SOC2, CHAI, NIST       | Regulation updates               |
| CTO/CIO             | Domain           | Company knowledge aggregator  | Concerns change, standards added |
| Chief Architect     | Architecture     | System patterns, tech stack   | Tech decisions evolve            |
| CISO                | Security         | Security controls, threats    | Threat landscape changes         |
| CMO                 | Clinical         | Clinical protocols, safety    | Clinical guidelines update       |
| CDO                 | Data Governance  | Data policies, retention      | Compliance requirements change   |
| CEO                 | Company-Context  | Mission, values, stakeholders | Company direction shifts         |
| Product/Project Mgr | Project          | Individual initiatives        | Project requirements evolve      |

Bundle Type Constraints (Enforced by Control Plane)

Meta Bundle

  • ❌ NO imports
  • ✅ Contains meta-tier SCDs only

Standards Bundle

  • ✅ Can import other standards bundles
  • ✅ Contains standards-tier SCDs only

Domain Bundle

  • ✅ MUST import ≥1 concern bundle
  • ❌ NO SCDs directly (aggregates only)

Concern Bundle

  • ❌ NO imports (leaf nodes)
  • ✅ MUST have ≥1 project-tier SCD

Project Bundle

  • ✅ Imports domain (or other bundles)
  • ✅ Contains project-tier SCDs
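
The constraints above can be checked mechanically before a bundle is published. The following validator is an added example, not the control plane's own code; it assumes manifests shaped like the project example on this page, a hypothetical `type_of` lookup from import reference to bundle type, and type names `meta`, `standards`, `domain` and `concern` alongside the page's `project`.

```python
# Added example. Manifest fields follow the project example on this page; the
# type_of lookup and the type names other than "project" are assumptions.

def scd_tier(scd_id):
    """Return the tier of an id shaped scd:<tier>:<name>, else None."""
    parts = scd_id.split(":")
    return parts[1] if len(parts) == 3 and parts[0] == "scd" else None

def validate(bundle, type_of):
    """List constraint violations; type_of maps an import ref to a bundle type."""
    btype = bundle["type"]
    imports = bundle.get("imports", [])
    tiers = [scd_tier(s) for s in bundle.get("scds", [])]
    imported = [type_of.get(ref) for ref in imports]
    errors = [f"unresolved import {r}" for r, t in zip(imports, imported) if t is None]

    def only_tier(tier):
        if any(t != tier for t in tiers):
            errors.append(f"{btype} bundle may contain {tier}-tier SCDs only")

    if btype == "meta":
        if imports:
            errors.append("meta bundle must not import")
        only_tier("meta")
    elif btype == "standards":
        only_tier("standards")
    elif btype == "domain":
        if "concern" not in imported:
            errors.append("domain bundle must import at least one concern bundle")
        if tiers:
            errors.append("domain bundle must not contain SCDs directly")
    elif btype == "concern":
        if imports:
            errors.append("concern bundle must not import (leaf node)")
        if "project" not in tiers:
            errors.append("concern bundle needs at least one project-tier SCD")
    elif btype == "project":
        only_tier("project")  # assumption: "contains project-tier SCDs" read as "only"
    else:
        errors.append(f"unknown bundle type {btype!r}")
    return errors

# Constructed sample: a concern bundle that wrongly imports a standards bundle.
TYPES = {"bundle:hipaa:1.0.0": "standards", "bundle:acme-security:1.0.0": "concern"}
BAD_CONCERN = {"id": "bundle:acme-security", "type": "concern", "version": "1.0.0",
               "scds": ["scd:project:access-control"], "imports": ["bundle:hipaa:1.0.0"]}
GOOD_DOMAIN = {"id": "bundle:acme-health-corp", "type": "domain", "version": "1.0.0",
               "imports": ["bundle:acme-security:1.0.0", "bundle:hipaa:1.0.0"]}
```
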

Design Patterns

Pattern 1: Single Domain, Multiple Concerns

Most companies follow this pattern:

1 Domain Bundle (Acme Health Corp)
  ↓
5-10 Concern Bundles (Architecture, Security, Clinical, Data, Company-Context, etc.)
  ↓
Many Project Bundles (Prior Auth, Patient Portal, Claims, etc.)

Pattern 2: Standards Composition

Standards bundles can compose:

bundle:healthcare-compliance:1.0.0
  imports:
    - bundle:hipaa:1.0.0
    - bundle:chai:1.0.0
    - bundle:hitech:1.0.0

Pattern 3: Minimal Project

Projects can be lean:

bundle:simple-app:1.0.0
  scds:
    - scd:project:app-requirements
  imports:
    - bundle:company-domain:1.0.0  # Gets everything else


Versioning Strategy

  • Meta: Rarely changes (only on spec updates)
  • Standards: Updates when regulations change
  • Domain: Updates when concerns are added/updated
  • Concerns: Independent versioning, domain imports specific versions
  • Projects: Frequent updates, pins domain version

Example Evolution:

1. Concern updated: bundle:acme-security:1.0.0 → 1.1.0
2. Domain updated to import new version: bundle:acme-health-corp:2.0.0
3. Projects update domain import: bundle:prior-auth:1.2.0 imports acme-health-corp:2.0.0
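
Because projects pin a domain version, a concern update reaches a project only once its import chain is moved forward. The sketch below is an added example, not part of SCS; it resolves what a project actually receives (the "When deployed, AI gets" list in the Project Bundle section) and reports projects still resolving an outdated concern. The registry contents and all function names are constructed for illustration.

```python
# Constructed registry (added example): ref -> list of imported refs.
REGISTRY = {
    "bundle:acme-security:1.0.0": [],
    "bundle:acme-security:1.1.0": [],
    "bundle:acme-architecture:1.0.0": [],
    "bundle:acme-health-corp:1.0.0": ["bundle:acme-security:1.0.0",
                                      "bundle:acme-architecture:1.0.0"],
    "bundle:acme-health-corp:2.0.0": ["bundle:acme-security:1.1.0",
                                      "bundle:acme-architecture:1.0.0"],
    "bundle:prior-auth:1.2.0": ["bundle:acme-health-corp:2.0.0"],
    "bundle:patient-portal:1.0.0": ["bundle:acme-health-corp:1.0.0"],
}

def resolve(ref, registry, _path=()):
    """Return every ref reachable from ref, itself included."""
    if ref in _path:
        raise ValueError("import cycle: " + " -> ".join(_path + (ref,)))
    if ref not in registry:
        raise KeyError(f"unresolved import {ref}")
    closure = {ref}
    for dep in registry[ref]:
        closure |= resolve(dep, registry, _path + (ref,))
    return closure

def name_of(ref):
    """Strip the version: bundle:acme-security:1.1.0 -> bundle:acme-security."""
    return ref.rsplit(":", 1)[0]

def stale_imports(projects, registry, current):
    """Map each project to resolved refs that are behind the versions in current."""
    report = {}
    for project in projects:
        behind = sorted(r for r in resolve(project, registry)
                        if name_of(r) in current
                        and r != f"{name_of(r)}:{current[name_of(r)]}")
        if behind:
            report[project] = behind
    return report

def version_conflicts(ref, registry):
    """Return bundle names that resolve to more than one version under ref."""
    seen = {}
    for r in resolve(ref, registry):
        seen.setdefault(name_of(r), set()).add(r)
    return {n: sorted(v) for n, v in seen.items() if len(v) > 1}
```

Here `stale_imports` flags the patient portal, which still pins the 1.0.0 domain and therefore still receives acme-security 1.0.0 after the concern moved to 1.1.0.
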


Next Steps