npm - @parmanasystems/core - Versions diffs - 1.71.24 → 1.71.36 - Mend

@parmanasystems/core 1.71.24 → 1.71.36

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (4) hide show

package/dist/index.d.ts CHANGED Viewed

@@ -1,10 +1,12 @@
 export { RuntimeRequirements, createPolicy, generateBundle, upgradePolicy, validatePolicy } from '@parmanasystems/governance';
 export { signBundle } from '@parmanasystems/crypto';
+import { Verifier } from '@parmanasystems/execution';
 export { ExecutionAttestation, ExecutionContext, ExecutionToken, INVARIANT_REGISTRY, InvariantBoundary, InvariantEntry, InvariantId, InvariantViolation, LocalSigner, LocalVerifier, ReplayStore, RuntimeManifest, Signer, Verifier, ViolationReport, executeDecision, getRuntimeManifest, hashInput, issueToken, signRuntimeManifest, verifyExecutionToken, verifyRuntimeManifest, violate } from '@parmanasystems/execution';
 export { MemoryReplayStore, RedisReplayStore, executeFromSignals } from '@parmanasystems/execution-runtime';
 export { verifyAttestation, verifyBundle, verifyExecutionRequirements, verifyRuntime, verifyRuntimeCompatibility } from '@parmanasystems/verifier';
 export { DecisionOutcome, DecisionResult } from '@parmanasystems/contracts';
 import { AuditOverride } from '@parmanasystems/audit-db';
+export { canonicalize } from '@parmanasystems/bundle';
 interface ApproveOverrideInput {
     executionId: string;
@@ -14,15 +16,6 @@ interface ApproveOverrideInput {
 }
 declare function approveOverride(input: ApproveOverrideInput): Promise<AuditOverride>;
-/**
- * Serializes `value` to a stable, compact JSON string with object keys sorted
- * recursively.  Used by the core validation pipeline for determinism checks.
- *
- * Note: unlike `@parmanasystems/bundle`'s `canonicalize`, this variant uses
- * compact output (`JSON.stringify` without indentation) for in-memory comparisons.
- */
-declare function canonicalize(value: unknown): string;
 /** Configuration for {@link LocalValidator}. */
 interface ValidatorConfig {
     /**
@@ -30,6 +23,13 @@ interface ValidatorConfig {
      * Defaults to {@link forbiddenDeterministicFields} when omitted.
      */
     forbiddenDeterministicFields?: readonly string[];
+    /**
+     * Optional Ed25519 verifier for the cryptographic stage.
+     * When provided, `stages.cryptographic` reflects the actual signature check
+     * and `valid` can be `true` on a fully verified envelope.
+     * When omitted, `stages.cryptographic` is always `false`.
+     */
+    verifier?: Verifier;
 }
 /**
@@ -121,9 +121,8 @@ declare class LocalValidator {
     /** Returns `true` when `payload` can be serialized through the canonical JSON pipeline without error. */
     validateCanonical(payload: unknown): boolean;
     /**
-     * Returns `true` when the canonical form of the payload alone equals the
-     * canonical form of `{ payload }`, confirming that no metadata fields have
-     * leaked into the deterministic signing scope.
+     * Returns `true` when the payload does not contain execution metadata fields
+     * that must remain isolated from the deterministic signing scope.
      */
     validateMetadataIsolation(envelope: SignedEnvelope<unknown>): boolean;
     /**
@@ -226,4 +225,4 @@ interface GovernanceMetadata {
  */
 declare const forbiddenDeterministicFields: readonly ["generatedAt", "environment", "host", "runtime", "traceId"];
-export { type ApproveOverrideInput, type AttestationPayload, type GovernanceMetadata, LocalValidator, type OperationalMetadata, type ProvenanceMetadata, type ReleasePayload, type RuntimePayload, type SignedEnvelope, type ValidationResult, type ValidationStages, type ValidatorConfig, approveOverride, assertArray, assertNoOperationalMetadata, assertNonEmptyString, canonicalize, forbiddenDeterministicFields };
+export { type ApproveOverrideInput, type AttestationPayload, type GovernanceMetadata, LocalValidator, type OperationalMetadata, type ProvenanceMetadata, type ReleasePayload, type RuntimePayload, type SignedEnvelope, type ValidationResult, type ValidationStages, type ValidatorConfig, approveOverride, assertArray, assertNoOperationalMetadata, assertNonEmptyString, forbiddenDeterministicFields };

package/dist/index.js CHANGED Viewed

@@ -10498,7 +10498,8 @@ import {
   getRuntimeManifest,
   evaluatePolicy,
   loadPolicy,
-  canonicalizeForSigning
+  canonicalizeForSigning,
+  validateSignalsStrict
 } from "@parmanasystems/execution";
 import crypto from "crypto";
 import {
@@ -10507,13 +10508,17 @@ import {
 import {
   evaluatePolicy as evaluatePolicy2,
   loadPolicy as loadPolicy2,
-  validateSignalsStrict
+  validateSignalsStrict as validateSignalsStrict2
 } from "@parmanasystems/execution";
 async function executeFromSignals(input, signer, verifier, replayStore) {
   const policy = loadPolicy(
     input.policyId,
     input.policyVersion
   );
+  validateSignalsStrict(
+    input.signals,
+    policy
+  );
   const decision = evaluatePolicy(
     policy,
     input.signals
@@ -10524,7 +10529,7 @@ async function executeFromSignals(input, signer, verifier, replayStore) {
     );
   }
   const execution_fingerprint = crypto.createHash("sha256").update(
-    JSON.stringify({
+    canonicalizeForSigning({
       policyId: input.policyId,
       policyVersion: input.policyVersion,
       signals: input.signals
@@ -10549,7 +10554,7 @@ async function executeFromSignals(input, signer, verifier, replayStore) {
   }
   const runtimeManifest = getRuntimeManifest();
   const token = issueToken({
-    executionId: execution_fingerprint,
+    executionId: crypto.randomUUID(),
     policyId: input.policyId,
     policyVersion: input.policyVersion,
     schemaVersion: policy.schemaVersion,
@@ -10735,17 +10740,17 @@ import {
 // src/override.ts
 import crypto2 from "crypto";
+import { canonicalize } from "@parmanasystems/bundle";
 async function approveOverride(input) {
   const override_id = crypto2.randomUUID();
   const approved_at = /* @__PURE__ */ new Date();
   const override_signature = crypto2.createHash("sha256").update(
-    JSON.stringify({
+    canonicalize({
       override_id,
       executionId: input.executionId,
       approved_by: input.approved_by,
       approver_role: input.approver_role,
-      reason: input.reason,
-      approved_at
+      reason: input.reason
     })
   ).digest("hex");
   const override = {
@@ -10763,21 +10768,7 @@ async function approveOverride(input) {
 }
 // src/canonicalize.ts
-function sortKeys(value) {
-  if (Array.isArray(value)) {
-    return value.map(sortKeys);
-  }
-  if (value && typeof value === "object") {
-    return Object.keys(value).sort().reduce((acc, key) => {
-      acc[key] = sortKeys(value[key]);
-      return acc;
-    }, {});
-  }
-  return value;
-}
-function canonicalize(value) {
-  return JSON.stringify(sortKeys(value));
-}
+import { canonicalize as canonicalize2 } from "@parmanasystems/bundle";
 // src/invariants.ts
 function assertNonEmptyString(value) {
@@ -10852,30 +10843,35 @@ var LocalValidator = class {
   /** Returns `true` when `payload` can be serialized through the canonical JSON pipeline without error. */
   validateCanonical(payload) {
     try {
-      canonicalize(payload);
+      canonicalize2(payload);
       return true;
     } catch {
       return false;
     }
   }
   /**
-   * Returns `true` when the canonical form of the payload alone equals the
-   * canonical form of `{ payload }`, confirming that no metadata fields have
-   * leaked into the deterministic signing scope.
+   * Returns `true` when the payload does not contain execution metadata fields
+   * that must remain isolated from the deterministic signing scope.
    */
   validateMetadataIsolation(envelope) {
     try {
-      const canonicalPayload = canonicalize(
-        this.extractDeterministicPayload(
-          envelope
-        )
+      const payload = this.extractDeterministicPayload(
+        envelope
+      );
+      const metadataFields = [
+        "executionId",
+        "policyId",
+        "policyVersion",
+        "execution_fingerprint",
+        "execution_state",
+        "runtime_manifest"
+      ];
+      const payloadKeys = Object.keys(
+        payload || {}
+      );
+      return !metadataFields.some(
+        (f) => payloadKeys.includes(f)
       );
-      const canonicalEnvelope = canonicalize({
-        payload: this.extractDeterministicPayload(
-          envelope
-        )
-      });
-      return canonicalPayload === canonicalEnvelope;
     } catch {
       return false;
     }
@@ -10898,7 +10894,10 @@ var LocalValidator = class {
     const metadataIsolation = structure && this.validateMetadataIsolation(
       envelope
     );
-    const cryptographic = false;
+    const cryptographic = structure && !!this.config.verifier && this.config.verifier.verify(
+      canonicalize2(envelope.payload),
+      envelope.signature
+    );
     const errors = [];
     if (!structure) {
       errors.push(
@@ -10946,7 +10945,7 @@ export {
   assertArray,
   assertNoOperationalMetadata,
   assertNonEmptyString,
-  canonicalize,
+  canonicalize2 as canonicalize,
   createPolicy,
   executeDecision3 as executeDecision,
   executeFromSignals,