@parmanasystems/core 1.0.19

package/README.md

@@ -0,0 +1,135 @@
+# @parmanasystems/core
+
+Portable runtime SDK for the parmanasystems deterministic governance ecosystem.
+
+[![npm](https://img.shields.io/npm/v/@parmanasystems/core)](https://www.npmjs.com/package/@parmanasystems/core)
+
+## Overview
+
+`@parmanasystems/core` is the recommended single-package install for most applications. It re-exports the full governance lifecycle, execution runtime, and verification layer, and adds the deterministic validator and canonical JSON utilities.
+
+Install this instead of separately installing `@parmanasystems/execution`, `@parmanasystems/governance`, and `@parmanasystems/verifier`.
+
+## Installation
+
+```bash
+npm install @parmanasystems/core
+```
+
+## Quick start
+
+```typescript
+import {
+  executeFromSignals,
+  verifyAttestation,
+  LocalSigner,
+  LocalVerifier,
+  getRuntimeManifest,
+  RedisReplayStore,
+} from "@parmanasystems/core";
+import { createClient } from "redis";
+
+const redis    = createClient();
+await redis.connect();
+
+const signer   = new LocalSigner(process.env.Parmana_PRIVATE_KEY!);
+const verifier = new LocalVerifier(process.env.Parmana_PUBLIC_KEY!);
+const store    = new RedisReplayStore(redis);
+const manifest = getRuntimeManifest();
+
+// Execute a governance decision
+const result = await executeFromSignals(
+  {
+    policyId:      "claims-approval",
+    policyVersion: "v1",
+    signals: { insurance_active: true, risk_score: 42 },
+  },
+  signer,
+  verifier,
+  store
+);
+
+if (result.status === "success" && result.signature) {
+  // Independently verify
+  const verification = verifyAttestation(
+    { execution_id: result.execution_id, ...result },
+    verifier,
+    manifest
+  );
+  console.log(verification.valid);  // true
+}
+```
+
+## Exports
+
+### Governance lifecycle (from `@parmanasystems/governance`)
+
+| Export | Description |
+|---|---|
+| `createPolicy` | Scaffold a new policy directory |
+| `upgradePolicy` | Create an upgraded policy version |
+| `validatePolicy` | Validate a policy structure |
+| `generateBundle` | Generate a content-addressed policy bundle |
+| `definePolicy` | Build a PolicyDefinition in memory |
+
+### Deterministic execution (from `@parmanasystems/execution`)
+
+| Export | Description |
+|---|---|
+| `executeFromSignals` | Full pipeline: load policy → evaluate → sign |
+| `executeDecision` | Lower-level: token → verify → replay → sign |
+| `executeSimple` | Token-based execution without policy file |
+| `resolveOverride` | Complete a pending_override execution |
+| `evaluatePolicy` | Pure policy rule evaluation |
+| `issueToken` | Issue a single-use execution token |
+| `signExecutionToken` | Sign a token |
+| `verifyExecutionToken` | Verify a token signature |
+| `getRuntimeManifest` | Return the active runtime manifest |
+| `signRuntimeManifest` | Sign a runtime manifest |
+| `verifyRuntimeManifest` | Verify a runtime manifest signature |
+| `LocalSigner` | Ed25519 signer (Node.js crypto) |
+| `LocalVerifier` | Ed25519 verifier (Node.js crypto) |
+| `MemoryReplayStore` | In-process replay protection |
+| `RedisReplayStore` | Distributed Redis replay protection |
+| `INVARIANT_REGISTRY` | All 60+ registered invariants |
+| `InvariantViolation` | Invariant violation error class |
+| `violate` | Throw a structured invariant violation |
+
+### Portable verification (from `@parmanasystems/verifier`)
+
+| Export | Description |
+|---|---|
+| `verifyAttestation` | Four-check attestation verification |
+| `verifyBundle` | Bundle signature and hash verification |
+| `verifyRuntime` | Runtime manifest comparison |
+| `verifyRuntimeCompatibility` | Runtime requirements check |
+| `verifyExecutionRequirements` | Execution requirements check |
+
+### Canonical utilities (from `@parmanasystems/bundle`)
+
+```typescript
+import { canonicalize } from "@parmanasystems/core";
+// Deterministic JSON serialization (sorted keys, stable bytes)
+```
+
+### Types
+
+```typescript
+import type {
+  ExecutionContext,
+  ExecutionAttestation,
+  ExecutionToken,
+  DecisionResult,
+  RuntimeManifest,
+  Signer,
+  AsyncSigner,
+  Verifier,
+  ReplayStore,
+  AsyncReplayStore,
+  ViolationReport,
+} from "@parmanasystems/core";
+```
+
+## License
+
+Apache-2.0

package/dist/index.d.ts

@@ -0,0 +1,217 @@
+export { RuntimeRequirements, createPolicy, generateBundle, upgradePolicy, validatePolicy } from '@parmanasystems/governance';
+export { DecisionResult, ExecutionAttestation, ExecutionContext, ExecutionToken, INVARIANT_REGISTRY, InvariantBoundary, InvariantEntry, InvariantId, InvariantViolation, LocalSigner, LocalVerifier, MemoryReplayStore, ReplayStore, RuntimeManifest, Signer, Verifier, ViolationReport, executeDecision, executeFromSignals, getRuntimeManifest, hashInput, issueToken, signRuntimeManifest, verifyExecutionToken, verifyRuntimeManifest, violate } from '@parmanasystems/execution';
+export { verifyAttestation, verifyBundle, verifyExecutionRequirements, verifyRuntime, verifyRuntimeCompatibility } from '@parmanasystems/verifier';
+
+/**
+ * Serializes `value` to a stable, compact JSON string with object keys sorted
+ * recursively.  Used by the core validation pipeline for determinism checks.
+ *
+ * Note: unlike `@parmanasystems/bundle`'s `canonicalize`, this variant uses
+ * compact output (`JSON.stringify` without indentation) for in-memory comparisons.
+ */
+declare function canonicalize(value: unknown): string;
+
+/** Configuration for {@link LocalValidator}. */
+interface ValidatorConfig {
+    /**
+     * Field names that must not appear anywhere inside a deterministic payload.
+     * Defaults to {@link forbiddenDeterministicFields} when omitted.
+     */
+    forbiddenDeterministicFields?: readonly string[];
+}
+
+/**
+ * Per-stage pass/fail breakdown produced by {@link LocalValidator}.
+ * Each stage is run in order; a `false` entry short-circuits subsequent
+ * stages that depend on it.
+ */
+interface ValidationStages {
+    /** Envelope has both `payload` and `signature` fields of the correct types. */
+    structure: boolean;
+    /** The payload serializes without error through the canonical JSON pipeline. */
+    canonical: boolean;
+    /**
+     * The payload contains no {@link forbiddenDeterministicFields} (e.g. `generatedAt`,
+     * `traceId`) that would break deterministic reproducibility.
+     */
+    deterministic: boolean;
+    /**
+     * The canonical payload matches the canonical envelope-without-metadata, confirming
+     * that metadata has not contaminated the deterministic signing scope.
+     */
+    metadataIsolation: boolean;
+    /**
+     * Cryptographic signature over the payload has been verified.
+     * Currently always `false` — cryptographic verification is not yet wired into
+     * `LocalValidator`.  Use `@parmanasystems/verifier` for signature verification.
+     */
+    cryptographic: boolean;
+}
+/** Full validation result returned by {@link LocalValidator.validate}. */
+interface ValidationResult {
+    /**
+     * `true` only when all five validation stages pass, including `cryptographic`.
+     * Currently always `false` because the cryptographic stage is not yet implemented.
+     */
+    valid: boolean;
+    /** `true` when cryptographic signature verification passed. Currently always `false`. */
+    verified: boolean;
+    /** Granular per-stage results for diagnostics. */
+    stages: ValidationStages;
+    /** Human-readable error messages for every failed stage. */
+    errors: string[];
+}
+
+/**
+ * Generic signed wrapper for deterministic governance payloads.
+ *
+ * Contains exactly two fields: the deterministic `payload` (signing scope)
+ * and the cryptographic `signature` over its canonical form.
+ *
+ * Metadata is structurally absent — not optional, not filtered at runtime.
+ * Any operational context (host, trace IDs, timestamps) must be stripped by
+ * the caller before constructing a SignedEnvelope.  Callers that receive
+ * metadata from external sources should destructure it out at the boundary:
+ *
+ *   const { metadata: _meta, ...envelope } = rawInput;
+ *   validator.validate(envelope);
+ *
+ * Enforces: INV-078 (metadata non-interference), INV-004 (no time dependency).
+ */
+interface SignedEnvelope<TPayload> {
+    /** The deterministic payload to be signed and verified. */
+    payload: TPayload;
+    /** Base64-encoded Ed25519 signature over the canonical `payload`. */
+    signature: string;
+}
+
+/**
+ * Multi-stage validator for {@link SignedEnvelope} values.
+ *
+ * Runs up to five sequential checks (structure → canonical → deterministic →
+ * metadata isolation → cryptographic) and returns a detailed
+ * {@link ValidationResult} with per-stage flags and error messages.
+ *
+ * **Note:** the `cryptographic` stage is not yet implemented and always returns
+ * `false`, so `valid` is always `false`.  Use `@parmanasystems/verifier` for
+ * cryptographic attestation verification.
+ */
+declare class LocalValidator {
+    private readonly config;
+    /**
+     * @param config - Optional override for {@link ValidatorConfig}.
+     *   Defaults to using {@link forbiddenDeterministicFields}.
+     */
+    constructor(config?: ValidatorConfig);
+    private extractDeterministicPayload;
+    /** Returns `true` when `envelope` has `payload` (any value) and `signature` (string). */
+    validateStructure(envelope: SignedEnvelope<unknown>): boolean;
+    /** Returns `true` when `payload` can be serialized through the canonical JSON pipeline without error. */
+    validateCanonical(payload: unknown): boolean;
+    /**
+     * Returns `true` when the canonical form of the payload alone equals the
+     * canonical form of `{ payload }`, confirming that no metadata fields have
+     * leaked into the deterministic signing scope.
+     */
+    validateMetadataIsolation(envelope: SignedEnvelope<unknown>): boolean;
+    /**
+     * Runs all five validation stages against `envelope` and returns a
+     * {@link ValidationResult} with per-stage flags and accumulated error messages.
+     */
+    validate(envelope: SignedEnvelope<unknown>): ValidationResult;
+}
+
+/** Returns `true` when `value` is a non-empty, non-whitespace-only string. */
+declare function assertNonEmptyString(value: unknown): boolean;
+/** Returns `true` when `value` is an array. */
+declare function assertArray(value: unknown): boolean;
+/**
+ * Recursively scans `payload` and returns `false` if any object key matches
+ * a name in `forbiddenFields`.
+ *
+ * Used by {@link LocalValidator} to enforce that operational-metadata fields
+ * have not contaminated the deterministic signing scope.
+ *
+ * @param payload         - The payload object to inspect.
+ * @param forbiddenFields - Field names that must not appear anywhere in the payload.
+ */
+declare function assertNoOperationalMetadata(payload: unknown, forbiddenFields: readonly string[]): boolean;
+
+/** Deterministic payload for a release artifact attestation. */
+interface ReleasePayload {
+    /** Semantic version of the release (e.g. `"1.0.5"`). */
+    version: string;
+    /** List of artifact identifiers (e.g. package names or SHA-256 hashes) included in the release. */
+    artifacts: string[];
+}
+/** Deterministic payload for a runtime version attestation. */
+interface RuntimePayload {
+    /** Runtime identifier. */
+    runtime: string;
+    /** Semantic version of the runtime. */
+    version: string;
+    /** Schema or protocol versions the runtime is compatible with. */
+    compatibility: string[];
+}
+/** Deterministic payload for a governance decision attestation. */
+interface AttestationPayload {
+    /** The governance decision (e.g. `"approve"` or `"deny"`). */
+    decision: string;
+    /** The policy version that produced the decision. */
+    policyVersion: string;
+    /** ISO 8601 UTC timestamp of when the decision was made. */
+    timestamp: string;
+}
+
+/**
+ * Non-deterministic operational context attached to a governance envelope.
+ * Fields in this interface are in the {@link forbiddenDeterministicFields} list
+ * and must not appear inside a deterministic payload.
+ */
+interface OperationalMetadata {
+    /** ISO 8601 timestamp of when the envelope was generated. */
+    generatedAt?: string;
+    /** Deployment environment (e.g. `"production"`, `"staging"`). */
+    environment?: string;
+    /** Hostname of the generating process. */
+    host?: string;
+    /** Runtime identifier or version of the generating process. */
+    runtime?: string;
+    /** Distributed trace identifier. */
+    traceId?: string;
+}
+/** Immutable provenance information that links an envelope to a specific runtime build. */
+interface ProvenanceMetadata {
+    /** Semantic version of the governance runtime. */
+    runtimeVersion?: string;
+    /** SHA-256 bundle hash of the executing policy. */
+    bundleHash?: string;
+    /** Version of the trust root used for verification. */
+    trustRootVersion?: string;
+    /** CI build identifier that produced the artifact. */
+    buildId?: string;
+}
+/**
+ * Container for governance envelope metadata.
+ * Split into `operational` (non-deterministic, excluded from signing) and
+ * `provenance` (deterministic, included in signing) sections.
+ */
+interface GovernanceMetadata {
+    /** Non-deterministic operational context — excluded from determinism checks. */
+    operational?: OperationalMetadata;
+    /** Immutable provenance information — included in determinism checks. */
+    provenance?: ProvenanceMetadata;
+}
+
+/**
+ * Field names that must not appear inside a deterministic payload.
+ *
+ * These are operational-metadata fields that introduce non-determinism
+ * (timestamps, hostnames, trace IDs, deployment context) and would break
+ * reproducible verification if present in the signed payload scope.
+ *
+ * Used as the default for {@link ValidatorConfig.forbiddenDeterministicFields}.
+ */
+declare const forbiddenDeterministicFields: readonly ["generatedAt", "environment", "host", "runtime", "traceId"];
+
+export { type AttestationPayload, type GovernanceMetadata, LocalValidator, type OperationalMetadata, type ProvenanceMetadata, type ReleasePayload, type RuntimePayload, type SignedEnvelope, type ValidationResult, type ValidationStages, type ValidatorConfig, assertArray, assertNoOperationalMetadata, assertNonEmptyString, canonicalize, forbiddenDeterministicFields };

package/dist/index.js

@@ -0,0 +1,237 @@
+// src/index.ts
+import {
+  createPolicy,
+  upgradePolicy,
+  validatePolicy,
+  generateBundle
+} from "@parmanasystems/governance";
+import {
+  executeFromSignals,
+  executeDecision,
+  issueToken,
+  verifyExecutionToken,
+  getRuntimeManifest,
+  signRuntimeManifest,
+  verifyRuntimeManifest,
+  LocalSigner,
+  LocalVerifier,
+  MemoryReplayStore
+} from "@parmanasystems/execution";
+import {
+  verifyAttestation,
+  verifyBundle,
+  verifyRuntime,
+  verifyRuntimeCompatibility,
+  verifyExecutionRequirements
+} from "@parmanasystems/verifier";
+import {
+  INVARIANT_REGISTRY,
+  InvariantViolation,
+  violate,
+  hashInput
+} from "@parmanasystems/execution";
+
+// src/canonicalize.ts
+function sortKeys(value) {
+  if (Array.isArray(value)) {
+    return value.map(sortKeys);
+  }
+  if (value && typeof value === "object") {
+    return Object.keys(value).sort().reduce((acc, key) => {
+      acc[key] = sortKeys(value[key]);
+      return acc;
+    }, {});
+  }
+  return value;
+}
+function canonicalize(value) {
+  return JSON.stringify(sortKeys(value));
+}
+
+// src/invariants.ts
+function assertNonEmptyString(value) {
+  return typeof value === "string" && value.trim().length > 0;
+}
+function assertArray(value) {
+  return Array.isArray(value);
+}
+function scanObject(value, forbiddenFields) {
+  if (typeof value !== "object" || value === null) {
+    return true;
+  }
+  if (Array.isArray(value)) {
+    return value.every(
+      (item) => scanObject(
+        item,
+        forbiddenFields
+      )
+    );
+  }
+  for (const [key, nested] of Object.entries(value)) {
+    if (forbiddenFields.includes(
+      key
+    )) {
+      return false;
+    }
+    if (!scanObject(
+      nested,
+      forbiddenFields
+    )) {
+      return false;
+    }
+  }
+  return true;
+}
+function assertNoOperationalMetadata(payload, forbiddenFields) {
+  return scanObject(
+    payload,
+    forbiddenFields
+  );
+}
+
+// src/deterministic-policy.ts
+var forbiddenDeterministicFields = [
+  "generatedAt",
+  "environment",
+  "host",
+  "runtime",
+  "traceId"
+];
+
+// src/validator.ts
+var LocalValidator = class {
+  config;
+  /**
+   * @param config - Optional override for {@link ValidatorConfig}.
+   *   Defaults to using {@link forbiddenDeterministicFields}.
+   */
+  constructor(config = {}) {
+    this.config = {
+      forbiddenDeterministicFields,
+      ...config
+    };
+  }
+  extractDeterministicPayload(envelope) {
+    return envelope.payload;
+  }
+  /** Returns `true` when `envelope` has `payload` (any value) and `signature` (string). */
+  validateStructure(envelope) {
+    return typeof envelope === "object" && envelope !== null && "payload" in envelope && "signature" in envelope && typeof envelope.signature === "string";
+  }
+  /** Returns `true` when `payload` can be serialized through the canonical JSON pipeline without error. */
+  validateCanonical(payload) {
+    try {
+      canonicalize(payload);
+      return true;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Returns `true` when the canonical form of the payload alone equals the
+   * canonical form of `{ payload }`, confirming that no metadata fields have
+   * leaked into the deterministic signing scope.
+   */
+  validateMetadataIsolation(envelope) {
+    try {
+      const canonicalPayload = canonicalize(
+        this.extractDeterministicPayload(
+          envelope
+        )
+      );
+      const canonicalEnvelope = canonicalize({
+        payload: this.extractDeterministicPayload(
+          envelope
+        )
+      });
+      return canonicalPayload === canonicalEnvelope;
+    } catch {
+      return false;
+    }
+  }
+  /**
+   * Runs all five validation stages against `envelope` and returns a
+   * {@link ValidationResult} with per-stage flags and accumulated error messages.
+   */
+  validate(envelope) {
+    const structure = this.validateStructure(
+      envelope
+    );
+    const canonical = structure && this.validateCanonical(
+      envelope.payload
+    );
+    const deterministic = structure && assertNoOperationalMetadata(
+      envelope.payload,
+      this.config.forbiddenDeterministicFields ?? []
+    );
+    const metadataIsolation = structure && this.validateMetadataIsolation(
+      envelope
+    );
+    const cryptographic = false;
+    const errors = [];
+    if (!structure) {
+      errors.push(
+        "Invalid structure."
+      );
+    }
+    if (!canonical) {
+      errors.push(
+        "Canonicalization validation failed."
+      );
+    }
+    if (!deterministic) {
+      errors.push(
+        "Operational metadata contamination detected."
+      );
+    }
+    if (!metadataIsolation) {
+      errors.push(
+        "Metadata isolation validation failed."
+      );
+    }
+    return {
+      valid: structure && canonical && deterministic && metadataIsolation && cryptographic,
+      verified: cryptographic,
+      stages: {
+        structure,
+        canonical,
+        deterministic,
+        metadataIsolation,
+        cryptographic
+      },
+      errors
+    };
+  }
+};
+export {
+  INVARIANT_REGISTRY,
+  InvariantViolation,
+  LocalSigner,
+  LocalValidator,
+  LocalVerifier,
+  MemoryReplayStore,
+  assertArray,
+  assertNoOperationalMetadata,
+  assertNonEmptyString,
+  canonicalize,
+  createPolicy,
+  executeDecision,
+  executeFromSignals,
+  forbiddenDeterministicFields,
+  generateBundle,
+  getRuntimeManifest,
+  hashInput,
+  issueToken,
+  signRuntimeManifest,
+  upgradePolicy,
+  validatePolicy,
+  verifyAttestation,
+  verifyBundle,
+  verifyExecutionRequirements,
+  verifyExecutionToken,
+  verifyRuntime,
+  verifyRuntimeCompatibility,
+  verifyRuntimeManifest,
+  violate
+};
+//# sourceMappingURL=index.js.map

package/dist/index.js.map

@@ -0,0 +1 @@
+{"version":3,"sources":["../src/index.ts","../src/canonicalize.ts","../src/invariants.ts","../src/deterministic-policy.ts","../src/validator.ts"],"sourcesContent":["// -----------------------------\n// Governance Lifecycle\n// -----------------------------\nexport {\n  createPolicy,\n  upgradePolicy,\n  validatePolicy,\n  generateBundle\n} from \"@parmanasystems/governance\";\n\n// -----------------------------\n// Deterministic Execution\n// -----------------------------\nexport {\n  executeFromSignals,\n  executeDecision,\n  issueToken,\n  verifyExecutionToken,\n  getRuntimeManifest,\n  signRuntimeManifest,\n  verifyRuntimeManifest,\n  LocalSigner,\n  LocalVerifier,\n  MemoryReplayStore\n} from \"@parmanasystems/execution\";\n\n// -----------------------------\n// Portable Verification\n// -----------------------------\nexport {\n  verifyAttestation,\n  verifyBundle,\n  verifyRuntime,\n  verifyRuntimeCompatibility,\n  verifyExecutionRequirements\n} from \"@parmanasystems/verifier\";\n\n// -----------------------------\n// Canonical Governance Types\n// -----------------------------\nexport type {\n  ExecutionContext,\n  ExecutionAttestation,\n  ExecutionToken,\n  RuntimeManifest,\n  Signer,\n  Verifier,\n  ReplayStore,\n  DecisionResult\n} from \"@parmanasystems/execution\";\n\nexport type {\n  RuntimeRequirements,\n} from \"@parmanasystems/governance\";\n\n// -----------------------------\n// Invariant Registry\n// -----------------------------\nexport type {\n  InvariantBoundary,\n  InvariantEntry,\n  InvariantId,\n  ViolationReport,\n} from \"@parmanasystems/execution\";\n\nexport {\n  INVARIANT_REGISTRY,\n  InvariantViolation,\n  violate,\n  hashInput,\n} from \"@parmanasystems/execution\";\n\n// -----------------------------\n// Deterministic Validation\n// -----------------------------\nexport * from \"./canonicalize\";\nexport * from \"./validator\";\nexport * from \"./invariants\";\n\n// -----------------------------\n// Validation Types\n// -----------------------------\nexport * from \"./types/envelope\";\nexport * from \"./types/payloads\";\nexport * from \"./types/validation\";\nexport * from \"./types/metadata\";\nexport * from \"./deterministic-policy\";\nexport * from \"./types/validator-config\";","function sortKeys(value: any): any {\n  if (Array.isArray(value)) {\n    return value.map(sortKeys);\n  }\n\n  if (value && typeof value === \"object\") {\n    return Object.keys(value)\n      .sort()\n      .reduce((acc, key) => {\n        acc[key] = sortKeys(value[key]);\n        return acc;\n      }, {} as Record<string, unknown>);\n  }\n\n  return value;\n}\n\n/**\n * Serializes `value` to a stable, compact JSON string with object keys sorted\n * recursively.  Used by the core validation pipeline for determinism checks.\n *\n * Note: unlike `@parmanasystems/bundle`'s `canonicalize`, this variant uses\n * compact output (`JSON.stringify` without indentation) for in-memory comparisons.\n */\nexport function canonicalize(value: unknown): string {\n  return JSON.stringify(sortKeys(value));\n}","/** Returns `true` when `value` is a non-empty, non-whitespace-only string. */\nexport function assertNonEmptyString(\n  value: unknown\n): boolean {\n  return (\n    typeof value === \"string\" &&\n    value.trim().length > 0\n  );\n}\n\n/** Returns `true` when `value` is an array. */\nexport function assertArray(\n  value: unknown\n): boolean {\n  return Array.isArray(value);\n}\n\nfunction scanObject(\n  value: unknown,\n  forbiddenFields:\n    readonly string[]\n): boolean {\n\n  if (\n    typeof value !== \"object\" ||\n    value === null\n  ) {\n    return true;\n  }\n\n  if (Array.isArray(value)) {\n    return value.every(\n      (item) =>\n        scanObject(\n          item,\n          forbiddenFields\n        )\n    );\n  }\n\n  for (\n    const [key, nested]\n    of Object.entries(value)\n  ) {\n\n    if (\n      forbiddenFields.includes(\n        key\n      )\n    ) {\n      return false;\n    }\n\n    if (\n      !scanObject(\n        nested,\n        forbiddenFields\n      )\n    ) {\n      return false;\n    }\n  }\n\n  return true;\n}\n\n/**\n * Recursively scans `payload` and returns `false` if any object key matches\n * a name in `forbiddenFields`.\n *\n * Used by {@link LocalValidator} to enforce that operational-metadata fields\n * have not contaminated the deterministic signing scope.\n *\n * @param payload         - The payload object to inspect.\n * @param forbiddenFields - Field names that must not appear anywhere in the payload.\n */\nexport function assertNoOperationalMetadata(\n  payload: unknown,\n  forbiddenFields:\n    readonly string[]\n): boolean {\n\n  return scanObject(\n    payload,\n    forbiddenFields\n  );\n}","/**\n * Field names that must not appear inside a deterministic payload.\n *\n * These are operational-metadata fields that introduce non-determinism\n * (timestamps, hostnames, trace IDs, deployment context) and would break\n * reproducible verification if present in the signed payload scope.\n *\n * Used as the default for {@link ValidatorConfig.forbiddenDeterministicFields}.\n */\nexport const forbiddenDeterministicFields = [\n  \"generatedAt\",\n  \"environment\",\n  \"host\",\n  \"runtime\",\n  \"traceId\"\n] as const;","import { canonicalize } from \"./canonicalize\";\n\nimport {\n  assertNoOperationalMetadata\n} from \"./invariants\";\n\nimport {\n  forbiddenDeterministicFields\n} from \"./deterministic-policy\";\n\nimport {\n  ValidatorConfig\n} from \"./types/validator-config\";\n\nimport { ValidationResult } from \"./types/validation\";\n\nimport { SignedEnvelope } from \"./types/envelope\";\n\n/**\n * Multi-stage validator for {@link SignedEnvelope} values.\n *\n * Runs up to five sequential checks (structure → canonical → deterministic →\n * metadata isolation → cryptographic) and returns a detailed\n * {@link ValidationResult} with per-stage flags and error messages.\n *\n * **Note:** the `cryptographic` stage is not yet implemented and always returns\n * `false`, so `valid` is always `false`.  Use `@parmanasystems/verifier` for\n * cryptographic attestation verification.\n */\nexport class LocalValidator {\n\n  private readonly config:\n    ValidatorConfig;\n\n  /**\n   * @param config - Optional override for {@link ValidatorConfig}.\n   *   Defaults to using {@link forbiddenDeterministicFields}.\n   */\n  constructor(\n    config: ValidatorConfig = {}\n  ) {\n    this.config = {\n      forbiddenDeterministicFields,\n      ...config\n    };\n  }\n\n  private extractDeterministicPayload(\n    envelope: SignedEnvelope<unknown>\n  ): unknown {\n    return envelope.payload;\n  }\n\n  /** Returns `true` when `envelope` has `payload` (any value) and `signature` (string). */\n  validateStructure(\n    envelope: SignedEnvelope<unknown>\n  ): boolean {\n\n    return (\n      typeof envelope === \"object\" &&\n      envelope !== null &&\n      \"payload\" in envelope &&\n      \"signature\" in envelope &&\n      typeof envelope.signature === \"string\"\n    );\n  }\n\n  /** Returns `true` when `payload` can be serialized through the canonical JSON pipeline without error. */\n  validateCanonical(\n    payload: unknown\n  ): boolean {\n\n    try {\n\n      canonicalize(payload);\n\n      return true;\n\n    } catch {\n\n      return false;\n    }\n  }\n\n  /**\n   * Returns `true` when the canonical form of the payload alone equals the\n   * canonical form of `{ payload }`, confirming that no metadata fields have\n   * leaked into the deterministic signing scope.\n   */\n  validateMetadataIsolation(\n    envelope: SignedEnvelope<unknown>\n  ): boolean {\n\n    try {\n\n      const canonicalPayload =\n        canonicalize(\n          this.extractDeterministicPayload(\n            envelope\n          )\n        );\n\n      const canonicalEnvelope =\n        canonicalize({\n          payload:\n            this.extractDeterministicPayload(\n              envelope\n            )\n        });\n\n      return (\n        canonicalPayload ===\n        canonicalEnvelope\n      );\n\n    } catch {\n\n      return false;\n    }\n  }\n\n  /**\n   * Runs all five validation stages against `envelope` and returns a\n   * {@link ValidationResult} with per-stage flags and accumulated error messages.\n   */\n  validate(\n    envelope: SignedEnvelope<unknown>\n  ): ValidationResult {\n\n    const structure =\n      this.validateStructure(\n        envelope\n      );\n\n    const canonical =\n      structure &&\n      this.validateCanonical(\n        envelope.payload\n      );\n\n    const deterministic =\n      structure &&\n      assertNoOperationalMetadata(\n        envelope.payload,\n        this.config\n          .forbiddenDeterministicFields ??\n          []\n      );\n\n    const metadataIsolation =\n      structure &&\n      this.validateMetadataIsolation(\n        envelope\n      );\n\n    const cryptographic =\n      false;\n\n    const errors: string[] =\n      [];\n\n    if (!structure) {\n      errors.push(\n        \"Invalid structure.\"\n      );\n    }\n\n    if (!canonical) {\n      errors.push(\n        \"Canonicalization validation failed.\"\n      );\n    }\n\n    if (!deterministic) {\n      errors.push(\n        \"Operational metadata contamination detected.\"\n      );\n    }\n\n    if (!metadataIsolation) {\n      errors.push(\n        \"Metadata isolation validation failed.\"\n      );\n    }\n\n    return {\n      valid:\n        structure &&\n        canonical &&\n        deterministic &&\n        metadataIsolation &&\n        cryptographic,\n\n      verified:\n        cryptographic,\n\n      stages: {\n        structure,\n        canonical,\n        deterministic,\n        metadataIsolation,\n        cryptographic\n      },\n\n      errors\n    };\n  }\n}"],"mappings":";AAGA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AA8BP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;;;ACtEP,SAAS,SAAS,OAAiB;AACjC,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM,IAAI,QAAQ;AAAA,EAC3B;AAEA,MAAI,SAAS,OAAO,UAAU,UAAU;AACtC,WAAO,OAAO,KAAK,KAAK,EACrB,KAAK,EACL,OAAO,CAAC,KAAK,QAAQ;AACpB,UAAI,GAAG,IAAI,SAAS,MAAM,GAAG,CAAC;AAC9B,aAAO;AAAA,IACT,GAAG,CAAC,CAA4B;AAAA,EACpC;AAEA,SAAO;AACT;AASO,SAAS,aAAa,OAAwB;AACnD,SAAO,KAAK,UAAU,SAAS,KAAK,CAAC;AACvC;;;ACzBO,SAAS,qBACd,OACS;AACT,SACE,OAAO,UAAU,YACjB,MAAM,KAAK,EAAE,SAAS;AAE1B;AAGO,SAAS,YACd,OACS;AACT,SAAO,MAAM,QAAQ,KAAK;AAC5B;AAEA,SAAS,WACP,OACA,iBAES;AAET,MACE,OAAO,UAAU,YACjB,UAAU,MACV;AACA,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM;AAAA,MACX,CAAC,SACC;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAAA,IACJ;AAAA,EACF;AAEA,aACQ,CAAC,KAAK,MAAM,KACf,OAAO,QAAQ,KAAK,GACvB;AAEA,QACE,gBAAgB;AAAA,MACd;AAAA,IACF,GACA;AACA,aAAO;AAAA,IACT;AAEA,QACE,CAAC;AAAA,MACC;AAAA,MACA;AAAA,IACF,GACA;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAYO,SAAS,4BACd,SACA,iBAES;AAET,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;;;AC7EO,IAAM,+BAA+B;AAAA,EAC1C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;;;ACcO,IAAM,iBAAN,MAAqB;AAAA,EAET;AAAA;AAAA;AAAA;AAAA;AAAA,EAOjB,YACE,SAA0B,CAAC,GAC3B;AACA,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,GAAG;AAAA,IACL;AAAA,EACF;AAAA,EAEQ,4BACN,UACS;AACT,WAAO,SAAS;AAAA,EAClB;AAAA;AAAA,EAGA,kBACE,UACS;AAET,WACE,OAAO,aAAa,YACpB,aAAa,QACb,aAAa,YACb,eAAe,YACf,OAAO,SAAS,cAAc;AAAA,EAElC;AAAA;AAAA,EAGA,kBACE,SACS;AAET,QAAI;AAEF,mBAAa,OAAO;AAEpB,aAAO;AAAA,IAET,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA;AAAA,EAOA,0BACE,UACS;AAET,QAAI;AAEF,YAAM,mBACJ;AAAA,QACE,KAAK;AAAA,UACH;AAAA,QACF;AAAA,MACF;AAEF,YAAM,oBACJ,aAAa;AAAA,QACX,SACE,KAAK;AAAA,UACH;AAAA,QACF;AAAA,MACJ,CAAC;AAEH,aACE,qBACA;AAAA,IAGJ,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,SACE,UACkB;AAElB,UAAM,YACJ,KAAK;AAAA,MACH;AAAA,IACF;AAEF,UAAM,YACJ,aACA,KAAK;AAAA,MACH,SAAS;AAAA,IACX;AAEF,UAAM,gBACJ,aACA;AAAA,MACE,SAAS;AAAA,MACT,KAAK,OACF,gCACD,CAAC;AAAA,IACL;AAEF,UAAM,oBACJ,aACA,KAAK;AAAA,MACH;AAAA,IACF;AAEF,UAAM,gBACJ;AAEF,UAAM,SACJ,CAAC;AAEH,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,eAAe;AAClB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,mBAAmB;AACtB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,OACE,aACA,aACA,iBACA,qBACA;AAAA,MAEF,UACE;AAAA,MAEF,QAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,MAEA;AAAA,IACF;AAAA,EACF;AACF;","names":[]}

package/package.json

@@ -0,0 +1,50 @@
+{
+  "name": "@parmanasystems/core",
+  "version": "1.0.19",
+  "private": false,
+  "type": "module",
+  "scripts": {
+    "build": "tsup"
+  },
+  "exports": {
+    ".": {
+      "types": "./dist/index.d.ts",
+      "import": "./dist/index.js",
+      "default": "./dist/index.js"
+    }
+  },
+  "files": [
+    "dist"
+  ],
+  "sideEffects": false,
+  "dependencies": {
+    "@parmanasystems/bundle": "^1.0.19",
+    "@parmanasystems/crypto": "^1.0.19",
+    "@parmanasystems/execution": "^1.0.19",
+    "@parmanasystems/governance": "^1.0.19",
+    "@parmanasystems/verifier": "^1.0.19"
+  },
+  "description": "Public orchestration and SDK surface for parmanasystems deterministic governance infrastructure.",
+  "license": "Apache-2.0",
+  "repository": {
+    "type": "git",
+    "url": "https://github.com/pavancharak/parmanasystems-core.git"
+  },
+  "homepage": "https://github.com/pavancharak/parmanasystems-core",
+  "bugs": {
+    "url": "https://github.com/pavancharak/parmanasystems-core/issues"
+  },
+  "engines": {
+    "node": ">=20"
+  },
+  "keywords": [
+    "sdk",
+    "governance",
+    "orchestration",
+    "deterministic",
+    "runtime",
+    "verification"
+  ],
+  "main": "./dist/index.js",
+  "types": "./dist/index.d.ts"
+}