npm - @parmanasystems/core - Versions diffs - 1.82.0 → 1.86.0 - Mend

@parmanasystems/core 1.82.0 → 1.86.0

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.

Files changed (5) hide show

package/README.md CHANGED Viewed

@@ -1,4 +1,4 @@
-# @parmanasystems/core
+# @parmanasystems/core
 Unified public SDK for Parmana Systems deterministic governance.
@@ -8,7 +8,7 @@ Unified public SDK for Parmana Systems deterministic governance.
 ## Overview
-`@parmanasystems/core` is the single entry point for most Parmana Systems integrations. It re-exports the complete public API from the underlying packages — execution, runtime orchestration, portable verification, governance lifecycle, and cryptographic primitives — under one install.
+`@parmanasystems/core` is the single entry point for most Parmana Systems integrations. It re-exports the complete public API from the underlying packages - execution, runtime orchestration, portable verification, governance lifecycle, and cryptographic primitives - under one install.
 ---
@@ -22,7 +22,7 @@ npm install @parmanasystems/core
 ## ESM / CJS note
-`@parmanasystems/core` bundles CJS dependencies. Do **not** set `"type": "module"` in `package.json` — it will break bundled transitive imports. Wrap all SDK calls in an `async` function instead of using top-level `await`:
+`@parmanasystems/core` bundles CJS dependencies. Do **not** set `"type": "module"` in `package.json` - it will break bundled transitive imports. Wrap all SDK calls in an `async` function instead of using top-level `await`:
 ```typescript
 // ✅ Correct
@@ -31,7 +31,7 @@ async function main() {
 }
 main().catch(console.error);
-// ❌ Incorrect — top-level await fails in CJS mode
+// ❌ Incorrect - top-level await fails in CJS mode
 const result = await executeFromSignals(...);
 ```
@@ -92,7 +92,7 @@ Minimal `policy.json` with all required fields:
 | `policyVersion` | ✅ | Must match the subdirectory name (e.g. `"1.0.0"`) |
 | `schemaVersion` | ✅ | Always `"1.0.0"` for the current schema |
 | `signalsSchema` | ✅ | Map of signal names to `{ "type": "integer" \| "boolean" \| "string" }` |
-| `rules` | ✅ | Ordered list — evaluated top-to-bottom, first match wins |
+| `rules` | ✅ | Ordered list - evaluated top-to-bottom, first match wins |
 ---
@@ -138,7 +138,7 @@ async function main() {
   console.log(attestation.decision.action); // "approve"
   console.log(attestation.signature);       // Ed25519 over canonical attestation JSON
-  // Independently verify — no runtime state required beyond the manifest
+  // Independently verify - no runtime state required beyond the manifest
   const manifest = getRuntimeManifest();
   const result = verifyAttestation(attestation, verifier, manifest);
   console.log(result.valid); // true
@@ -155,7 +155,7 @@ main().catch(console.error);
 | Export | Description |
 |---|---|
-| `executeFromSignals` | Primary execution entry point — evaluates a policy, signs the result, returns `ExecutionAttestation` |
+| `executeFromSignals` | Primary execution entry point - evaluates a policy, signs the result, returns `ExecutionAttestation` |
 | `MemoryReplayStore` | In-process replay store for development and testing |
 | `RedisReplayStore` | Distributed replay store for production use |

package/dist/index.d.ts CHANGED Viewed

@@ -1,6 +1,6 @@
 export { RuntimeRequirements, createPolicy, generateBundle, upgradePolicy, validatePolicy } from '@parmanasystems/governance';
 export { signBundle } from '@parmanasystems/crypto';
-import { Verifier } from '@parmanasystems/execution';
+import { Signer, Verifier } from '@parmanasystems/execution';
 export { ExecutionAttestation, ExecutionContext, ExecutionToken, INVARIANT_REGISTRY, InvariantBoundary, InvariantEntry, InvariantId, InvariantViolation, LocalSigner, LocalVerifier, ReplayStore, RuntimeManifest, Signer, Verifier, ViolationReport, executeDecision, getRuntimeManifest, hashInput, issueToken, signRuntimeManifest, verifyExecutionToken, verifyRuntimeManifest, violate } from '@parmanasystems/execution';
 export { MemoryReplayStore, RedisReplayStore, executeFromSignals } from '@parmanasystems/execution-runtime';
 export { verifyAttestation, verifyBundle, verifyExecutionRequirements, verifyRuntime, verifyRuntimeCompatibility } from '@parmanasystems/verifier';
@@ -14,9 +14,15 @@ interface ApproveOverrideInput {
     approver_role: string;
     reason: string;
 }
-declare function approveOverride(input: ApproveOverrideInput): Promise<AuditOverride>;
+declare function approveOverride(input: ApproveOverrideInput, signer?: Signer): Promise<AuditOverride>;
-/** Configuration for {@link LocalValidator}. */
+/**
+ * Configuration for LocalValidator.
+ * @property verifier - Optional Ed25519 verifier.
+ *   When provided, enables the cryptographic stage.
+ *   Without it, cryptographic is always false and
+ *   valid requires only stages 1-4 to pass.
+ */
 interface ValidatorConfig {
     /**
      * Field names that must not appear anywhere inside a deterministic payload.
@@ -98,15 +104,24 @@ interface SignedEnvelope<TPayload> {
 }
 /**
- * Multi-stage validator for {@link SignedEnvelope} values.
+ * LocalValidator validates ExecutionAttestations through
+ * five sequential stages. All stages must pass for
+ * valid to be true.
  *
- * Runs up to five sequential checks (structure → canonical → deterministic →
- * metadata isolation → cryptographic) and returns a detailed
- * {@link ValidationResult} with per-stage flags and error messages.
+ * Stages:
+ * 1. structure       — all required fields present and typed correctly
+ * 2. canonical       — payload serializes deterministically via canonicalize()
+ * 3. deterministic   — execution_fingerprint matches SHA-256 of canonical signals
+ * 4. metadataIsolation — no execution metadata fields leak into signed payload
+ * 5. cryptographic   — Ed25519 signature verifies against canonical payload
+ *                      (requires ValidatorConfig.verifier to be set)
  *
- * **Note:** the `cryptographic` stage is not yet implemented and always returns
- * `false`, so `valid` is always `false`.  Use `@parmanasystems/verifier` for
- * cryptographic attestation verification.
+ * @example
+ * const validator = new LocalValidator({ verifier });
+ * const result = validator.validate(attestation);
+ * if (!result.valid) {
+ *   console.log(result.checks); // shows which stage failed
+ * }
  */
 declare class LocalValidator {
     private readonly config;

package/dist/index.js CHANGED Viewed

@@ -40,18 +40,25 @@ import {
 // src/override.ts
 import crypto from "crypto";
 import { canonicalize } from "@parmanasystems/bundle";
-async function approveOverride(input) {
+async function approveOverride(input, signer) {
   const override_id = crypto.randomUUID();
   const approved_at = /* @__PURE__ */ new Date();
-  const override_signature = crypto.createHash("sha256").update(
-    canonicalize({
-      override_id,
-      executionId: input.executionId,
-      approved_by: input.approved_by,
-      approver_role: input.approver_role,
-      reason: input.reason
-    })
-  ).digest("hex");
+  const signingPayload = canonicalize({
+    override_id,
+    executionId: input.executionId,
+    approved_by: input.approved_by,
+    approver_role: input.approver_role,
+    reason: input.reason
+  });
+  let override_signature;
+  let signature_type;
+  if (signer) {
+    override_signature = signer.sign(signingPayload);
+    signature_type = "ed25519";
+  } else {
+    override_signature = crypto.createHash("sha256").update(signingPayload).digest("hex");
+    signature_type = "sha256";
+  }
   const override = {
     id: 0,
     override_id,
@@ -60,6 +67,7 @@ async function approveOverride(input) {
     approver_role: input.approver_role,
     reason: input.reason,
     override_signature,
+    signature_type,
     approved_at,
     recorded_at: approved_at
   };

package/dist/index.js.map CHANGED Viewed

	@@ -1 +1 @@
1	- {"version":3,"sources":["../src/index.ts","../src/override.ts","../src/canonicalize.ts","../src/invariants.ts","../src/deterministic-policy.ts","../src/validator.ts"],"sourcesContent":["// -----------------------------\r\n// Governance Lifecycle\r\n// -----------------------------\r\nexport {\r\n createPolicy,\r\n upgradePolicy,\r\n validatePolicy,\r\n generateBundle\r\n} from \"@parmanasystems/governance\";\r\n\r\nexport {\r\n signBundle\r\n} from \"@parmanasystems/crypto\";\r\n\r\n// -----------------------------\r\n// Deterministic Execution Core\r\n// -----------------------------\r\nexport {\r\n executeDecision,\r\n issueToken,\r\n verifyExecutionToken,\r\n getRuntimeManifest,\r\n signRuntimeManifest,\r\n verifyRuntimeManifest,\r\n LocalSigner,\r\n LocalVerifier\r\n} from \"@parmanasystems/execution\";\r\n\r\n// -----------------------------\r\n// Runtime Orchestration\r\n// -----------------------------\r\nexport {\r\n executeFromSignals,\r\n MemoryReplayStore,\r\n RedisReplayStore\r\n} from \"@parmanasystems/execution-runtime\";\r\n\r\n// -----------------------------\r\n// Portable Verification\r\n// -----------------------------\r\nexport {\r\n verifyAttestation,\r\n verifyBundle,\r\n verifyRuntime,\r\n verifyRuntimeCompatibility,\r\n verifyExecutionRequirements\r\n} from \"@parmanasystems/verifier\";\r\n\r\n// -----------------------------\r\n// Canonical Governance Types\r\n// -----------------------------\r\nexport type {\r\n ExecutionContext,\r\n ExecutionAttestation,\r\n ExecutionToken,\r\n RuntimeManifest,\r\n Signer,\r\n Verifier,\r\n ReplayStore,\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport type {\r\n RuntimeRequirements,\r\n} from \"@parmanasystems/governance\";\r\n\r\nexport type {\r\n DecisionResult,\r\n DecisionOutcome\r\n} from \"@parmanasystems/contracts\";\r\n\r\n// -----------------------------\r\n// Invariant Registry\r\n// -----------------------------\r\nexport type {\r\n InvariantBoundary,\r\n InvariantEntry,\r\n InvariantId,\r\n ViolationReport,\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport {\r\n INVARIANT_REGISTRY,\r\n InvariantViolation,\r\n violate,\r\n hashInput,\r\n} from \"@parmanasystems/execution\";\r\n\r\n// -----------------------------\r\n// Override Authority\r\n// -----------------------------\r\nexport {\r\n approveOverride\r\n} from \"./override.js\";\r\n\r\nexport type {\r\n ApproveOverrideInput\r\n} from \"./override.js\";\r\n\r\n// -----------------------------\r\n// Deterministic Validation\r\n// -----------------------------\r\nexport * from \"./canonicalize.js\";\r\nexport * from \"./validator.js\";\r\nexport * from \"./invariants.js\";\r\n\r\n// -----------------------------\r\n// Validation Types\r\n// -----------------------------\r\nexport * from \"./types/envelope.js\";\r\nexport * from \"./types/payloads.js\";\r\nexport * from \"./types/validation.js\";\r\nexport * from \"./types/metadata.js\";\r\nexport * from \"./deterministic-policy.js\";\r\nexport * from \"./types/validator-config.js\";","import crypto from \"node:crypto\";\r\nimport { canonicalize } from \"@parmanasystems/bundle\";\r\n\r\nimport type {\r\n AuditOverride\r\n} from \"@parmanasystems/audit-db\";\r\n\r\nexport interface ApproveOverrideInput {\r\n\r\n executionId: string;\r\n\r\n approved_by: string;\r\n\r\n approver_role: string;\r\n\r\n reason: string;\r\n}\r\n\r\nexport async function approveOverride(\r\n input: ApproveOverrideInput\r\n): Promise<AuditOverride> {\r\n\r\n const override_id =\r\n crypto.randomUUID();\r\n\r\n const approved_at =\r\n new Date();\r\n\r\n // approved_at is metadata only — excluded from the deterministic signed content\r\n const override_signature =\r\n crypto\r\n .createHash(\"sha256\")\r\n .update(\r\n canonicalize({\r\n override_id,\r\n executionId:\r\n input.executionId,\r\n approved_by:\r\n input.approved_by,\r\n approver_role:\r\n input.approver_role,\r\n reason:\r\n input.reason,\r\n })\r\n )\r\n .digest(\"hex\");\r\n\r\n const override: AuditOverride = {\r\n\r\n id: 0,\r\n\r\n override_id,\r\n\r\n executionId:\r\n input.executionId,\r\n\r\n approved_by:\r\n input.approved_by,\r\n\r\n approver_role:\r\n input.approver_role,\r\n\r\n reason:\r\n input.reason,\r\n\r\n override_signature,\r\n\r\n approved_at,\r\n\r\n recorded_at:\r\n approved_at\r\n };\r\n\r\n return override;\r\n}\r\n","export { canonicalize } from \"@parmanasystems/bundle\";\r\n","/** Returns `true` when `value` is a non-empty, non-whitespace-only string. /\r\nexport function assertNonEmptyString(\r\n value: unknown\r\n): boolean {\r\n return (\r\n typeof value === \"string\" &&\r\n value.trim().length > 0\r\n );\r\n}\r\n\r\n/* Returns `true` when `value` is an array. /\r\nexport function assertArray(\r\n value: unknown\r\n): boolean {\r\n return Array.isArray(value);\r\n}\r\n\r\nfunction scanObject(\r\n value: unknown,\r\n forbiddenFields:\r\n readonly string[]\r\n): boolean {\r\n\r\n if (\r\n typeof value !== \"object\" \|\|\r\n value === null\r\n ) {\r\n return true;\r\n }\r\n\r\n if (Array.isArray(value)) {\r\n return value.every(\r\n (item) =>\r\n scanObject(\r\n item,\r\n forbiddenFields\r\n )\r\n );\r\n }\r\n\r\n for (\r\n const [key, nested]\r\n of Object.entries(value)\r\n ) {\r\n\r\n if (\r\n forbiddenFields.includes(\r\n key\r\n )\r\n ) {\r\n return false;\r\n }\r\n\r\n if (\r\n !scanObject(\r\n nested,\r\n forbiddenFields\r\n )\r\n ) {\r\n return false;\r\n }\r\n }\r\n\r\n return true;\r\n}\r\n\r\n/\r\n Recursively scans `payload` and returns `false` if any object key matches\r\n * a name in `forbiddenFields`.\r\n \r\n Used by {@link LocalValidator} to enforce that operational-metadata fields\r\n * have not contaminated the deterministic signing scope.\r\n \r\n @param payload - The payload object to inspect.\r\n * @param forbiddenFields - Field names that must not appear anywhere in the payload.\r\n /\r\nexport function assertNoOperationalMetadata(\r\n payload: unknown,\r\n forbiddenFields:\r\n readonly string[]\r\n): boolean {\r\n\r\n return scanObject(\r\n payload,\r\n forbiddenFields\r\n );\r\n}\r\n","/\r\n Field names that must not appear inside a deterministic payload.\r\n \r\n These are operational-metadata fields that introduce non-determinism\r\n * (timestamps, hostnames, trace IDs, deployment context) and would break\r\n * reproducible verification if present in the signed payload scope.\r\n \r\n Used as the default for {@link ValidatorConfig.forbiddenDeterministicFields}.\r\n /\r\nexport const forbiddenDeterministicFields = [\r\n \"generatedAt\",\r\n \"environment\",\r\n \"host\",\r\n \"runtime\",\r\n \"traceId\"\r\n] as const;\r\n","import { canonicalize } from \"./canonicalize.js\";\r\n\r\nimport {\r\n assertNoOperationalMetadata\r\n} from \"./invariants.js\";\r\n\r\nimport {\r\n forbiddenDeterministicFields\r\n} from \"./deterministic-policy.js\";\r\n\r\nimport {\r\n ValidatorConfig\r\n} from \"./types/validator-config.js\";\r\n\r\nimport { ValidationResult } from \"./types/validation.js\";\r\n\r\nimport { SignedEnvelope } from \"./types/envelope.js\";\r\n\r\n/\r\n Multi-stage validator for {@link SignedEnvelope} values.\r\n \r\n Runs up to five sequential checks (structure → canonical → deterministic →\r\n * metadata isolation → cryptographic) and returns a detailed\r\n * {@link ValidationResult} with per-stage flags and error messages.\r\n \r\n Note: the `cryptographic` stage is not yet implemented and always returns\r\n * `false`, so `valid` is always `false`. Use `@parmanasystems/verifier` for\r\n * cryptographic attestation verification.\r\n /\r\nexport class LocalValidator {\r\n\r\n private readonly config:\r\n ValidatorConfig;\r\n\r\n /\r\n @param config - Optional override for {@link ValidatorConfig}.\r\n * Defaults to using {@link forbiddenDeterministicFields}.\r\n /\r\n constructor(\r\n config: ValidatorConfig = {}\r\n ) {\r\n this.config = {\r\n forbiddenDeterministicFields,\r\n ...config\r\n };\r\n }\r\n\r\n private extractDeterministicPayload(\r\n envelope: SignedEnvelope<unknown>\r\n ): unknown {\r\n return envelope.payload;\r\n }\r\n\r\n /* Returns `true` when `envelope` has `payload` (any value) and `signature` (string). /\r\n validateStructure(\r\n envelope: SignedEnvelope<unknown>\r\n ): boolean {\r\n\r\n return (\r\n typeof envelope === \"object\" &&\r\n envelope !== null &&\r\n \"payload\" in envelope &&\r\n \"signature\" in envelope &&\r\n typeof envelope.signature === \"string\"\r\n );\r\n }\r\n\r\n /* Returns `true` when `payload` can be serialized through the canonical JSON pipeline without error. /\r\n validateCanonical(\r\n payload: unknown\r\n ): boolean {\r\n\r\n try {\r\n\r\n canonicalize(payload);\r\n\r\n return true;\r\n\r\n } catch {\r\n\r\n return false;\r\n }\r\n }\r\n\r\n /\r\n Returns `true` when the payload does not contain execution metadata fields\r\n * that must remain isolated from the deterministic signing scope.\r\n /\r\n validateMetadataIsolation(\r\n envelope: SignedEnvelope<unknown>\r\n ): boolean {\r\n\r\n try {\r\n\r\n const payload =\r\n this.extractDeterministicPayload(\r\n envelope\r\n );\r\n\r\n const metadataFields = [\r\n \"executionId\",\r\n \"policyId\",\r\n \"policyVersion\",\r\n \"execution_fingerprint\",\r\n \"execution_state\",\r\n \"runtime_manifest\",\r\n ];\r\n\r\n const payloadKeys =\r\n Object.keys(\r\n (payload as Record<string, unknown>) \|\| {}\r\n );\r\n\r\n return !metadataFields.some(\r\n (f) => payloadKeys.includes(f)\r\n );\r\n\r\n } catch {\r\n\r\n return false;\r\n }\r\n }\r\n\r\n /\r\n Runs all five validation stages against `envelope` and returns a\r\n * {@link ValidationResult} with per-stage flags and accumulated error messages.\r\n */\r\n validate(\r\n envelope: SignedEnvelope<unknown>\r\n ): ValidationResult {\r\n\r\n const structure =\r\n this.validateStructure(\r\n envelope\r\n );\r\n\r\n const canonical =\r\n structure &&\r\n this.validateCanonical(\r\n envelope.payload\r\n );\r\n\r\n const deterministic =\r\n structure &&\r\n assertNoOperationalMetadata(\r\n envelope.payload,\r\n this.config\r\n .forbiddenDeterministicFields ??\r\n []\r\n );\r\n\r\n const metadataIsolation =\r\n structure &&\r\n this.validateMetadataIsolation(\r\n envelope\r\n );\r\n\r\n const cryptographic =\r\n structure &&\r\n !!this.config.verifier &&\r\n this.config.verifier.verify(\r\n canonicalize(envelope.payload),\r\n envelope.signature\r\n );\r\n\r\n const errors: string[] =\r\n [];\r\n\r\n if (!structure) {\r\n errors.push(\r\n \"Invalid structure.\"\r\n );\r\n }\r\n\r\n if (!canonical) {\r\n errors.push(\r\n \"Canonicalization validation failed.\"\r\n );\r\n }\r\n\r\n if (!deterministic) {\r\n errors.push(\r\n \"Operational metadata contamination detected.\"\r\n );\r\n }\r\n\r\n if (!metadataIsolation) {\r\n errors.push(\r\n \"Metadata isolation validation failed.\"\r\n );\r\n }\r\n\r\n return {\r\n valid:\r\n structure &&\r\n canonical &&\r\n deterministic &&\r\n metadataIsolation &&\r\n cryptographic,\r\n\r\n verified:\r\n cryptographic,\r\n\r\n stages: {\r\n structure,\r\n canonical,\r\n deterministic,\r\n metadataIsolation,\r\n cryptographic\r\n },\r\n\r\n errors\r\n };\r\n }\r\n}\r\n"],"mappings":";AAGA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAEP;AAAA,EACE;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAkCP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;;;ACrFP,OAAO,YAAY;AACnB,SAAS,oBAAoB;AAiB7B,eAAsB,gBACpB,OACwB;AAExB,QAAM,cACJ,OAAO,WAAW;AAEpB,QAAM,cACJ,oBAAI,KAAK;AAGX,QAAM,qBACJ,OACG,WAAW,QAAQ,EACnB;AAAA,IACC,aAAa;AAAA,MACX;AAAA,MACA,aACE,MAAM;AAAA,MACR,aACE,MAAM;AAAA,MACR,eACE,MAAM;AAAA,MACR,QACE,MAAM;AAAA,IACV,CAAC;AAAA,EACH,EACC,OAAO,KAAK;AAEjB,QAAM,WAA0B;AAAA,IAE9B,IAAI;AAAA,IAEJ;AAAA,IAEA,aACE,MAAM;AAAA,IAER,aACE,MAAM;AAAA,IAER,eACE,MAAM;AAAA,IAER,QACE,MAAM;AAAA,IAER;AAAA,IAEA;AAAA,IAEA,aACE;AAAA,EACJ;AAEA,SAAO;AACT;;;AC1EA,SAAS,gBAAAA,qBAAoB;;;ACCtB,SAAS,qBACd,OACS;AACT,SACE,OAAO,UAAU,YACjB,MAAM,KAAK,EAAE,SAAS;AAE1B;AAGO,SAAS,YACd,OACS;AACT,SAAO,MAAM,QAAQ,KAAK;AAC5B;AAEA,SAAS,WACP,OACA,iBAES;AAET,MACE,OAAO,UAAU,YACjB,UAAU,MACV;AACA,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM;AAAA,MACX,CAAC,SACC;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAAA,IACJ;AAAA,EACF;AAEA,aACQ,CAAC,KAAK,MAAM,KACf,OAAO,QAAQ,KAAK,GACvB;AAEA,QACE,gBAAgB;AAAA,MACd;AAAA,IACF,GACA;AACA,aAAO;AAAA,IACT;AAEA,QACE,CAAC;AAAA,MACC;AAAA,MACA;AAAA,IACF,GACA;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAYO,SAAS,4BACd,SACA,iBAES;AAET,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;;;AC7EO,IAAM,+BAA+B;AAAA,EAC1C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;;;ACcO,IAAM,iBAAN,MAAqB;AAAA,EAET;AAAA;AAAA;AAAA;AAAA;AAAA,EAOjB,YACE,SAA0B,CAAC,GAC3B;AACA,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,GAAG;AAAA,IACL;AAAA,EACF;AAAA,EAEQ,4BACN,UACS;AACT,WAAO,SAAS;AAAA,EAClB;AAAA;AAAA,EAGA,kBACE,UACS;AAET,WACE,OAAO,aAAa,YACpB,aAAa,QACb,aAAa,YACb,eAAe,YACf,OAAO,SAAS,cAAc;AAAA,EAElC;AAAA;AAAA,EAGA,kBACE,SACS;AAET,QAAI;AAEF,MAAAC,cAAa,OAAO;AAEpB,aAAO;AAAA,IAET,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,0BACE,UACS;AAET,QAAI;AAEF,YAAM,UACJ,KAAK;AAAA,QACH;AAAA,MACF;AAEF,YAAM,iBAAiB;AAAA,QACrB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,YAAM,cACJ,OAAO;AAAA,QACJ,WAAuC,CAAC;AAAA,MAC3C;AAEF,aAAO,CAAC,eAAe;AAAA,QACrB,CAAC,MAAM,YAAY,SAAS,CAAC;AAAA,MAC/B;AAAA,IAEF,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,SACE,UACkB;AAElB,UAAM,YACJ,KAAK;AAAA,MACH;AAAA,IACF;AAEF,UAAM,YACJ,aACA,KAAK;AAAA,MACH,SAAS;AAAA,IACX;AAEF,UAAM,gBACJ,aACA;AAAA,MACE,SAAS;AAAA,MACT,KAAK,OACF,gCACD,CAAC;AAAA,IACL;AAEF,UAAM,oBACJ,aACA,KAAK;AAAA,MACH;AAAA,IACF;AAEF,UAAM,gBACJ,aACA,CAAC,CAAC,KAAK,OAAO,YACd,KAAK,OAAO,SAAS;AAAA,MACnBA,cAAa,SAAS,OAAO;AAAA,MAC7B,SAAS;AAAA,IACX;AAEF,UAAM,SACJ,CAAC;AAEH,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,eAAe;AAClB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,mBAAmB;AACtB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,OACE,aACA,aACA,iBACA,qBACA;AAAA,MAEF,UACE;AAAA,MAEF,QAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,MAEA;AAAA,IACF;AAAA,EACF;AACF;","names":["canonicalize","canonicalize"]}
1	+ {"version":3,"sources":["../src/index.ts","../src/override.ts","../src/canonicalize.ts","../src/invariants.ts","../src/deterministic-policy.ts","../src/validator.ts"],"sourcesContent":["// -----------------------------\r\n// Governance Lifecycle\r\n// -----------------------------\r\nexport {\r\n createPolicy,\r\n upgradePolicy,\r\n validatePolicy,\r\n generateBundle\r\n} from \"@parmanasystems/governance\";\r\n\r\nexport {\r\n signBundle\r\n} from \"@parmanasystems/crypto\";\r\n\r\n// -----------------------------\r\n// Deterministic Execution Core\r\n// -----------------------------\r\nexport {\r\n executeDecision,\r\n issueToken,\r\n verifyExecutionToken,\r\n getRuntimeManifest,\r\n signRuntimeManifest,\r\n verifyRuntimeManifest,\r\n LocalSigner,\r\n LocalVerifier\r\n} from \"@parmanasystems/execution\";\r\n\r\n// -----------------------------\r\n// Runtime Orchestration\r\n// -----------------------------\r\nexport {\r\n executeFromSignals,\r\n MemoryReplayStore,\r\n RedisReplayStore\r\n} from \"@parmanasystems/execution-runtime\";\r\n\r\n// -----------------------------\r\n// Portable Verification\r\n// -----------------------------\r\nexport {\r\n verifyAttestation,\r\n verifyBundle,\r\n verifyRuntime,\r\n verifyRuntimeCompatibility,\r\n verifyExecutionRequirements\r\n} from \"@parmanasystems/verifier\";\r\n\r\n// -----------------------------\r\n// Canonical Governance Types\r\n// -----------------------------\r\nexport type {\r\n ExecutionContext,\r\n ExecutionAttestation,\r\n ExecutionToken,\r\n RuntimeManifest,\r\n Signer,\r\n Verifier,\r\n ReplayStore,\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport type {\r\n RuntimeRequirements,\r\n} from \"@parmanasystems/governance\";\r\n\r\nexport type {\r\n DecisionResult,\r\n DecisionOutcome\r\n} from \"@parmanasystems/contracts\";\r\n\r\n// -----------------------------\r\n// Invariant Registry\r\n// -----------------------------\r\nexport type {\r\n InvariantBoundary,\r\n InvariantEntry,\r\n InvariantId,\r\n ViolationReport,\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport {\r\n INVARIANT_REGISTRY,\r\n InvariantViolation,\r\n violate,\r\n hashInput,\r\n} from \"@parmanasystems/execution\";\r\n\r\n// -----------------------------\r\n// Override Authority\r\n// -----------------------------\r\nexport {\r\n approveOverride\r\n} from \"./override.js\";\r\n\r\nexport type {\r\n ApproveOverrideInput\r\n} from \"./override.js\";\r\n\r\n// -----------------------------\r\n// Deterministic Validation\r\n// -----------------------------\r\nexport * from \"./canonicalize.js\";\r\nexport * from \"./validator.js\";\r\nexport * from \"./invariants.js\";\r\n\r\n// -----------------------------\r\n// Validation Types\r\n// -----------------------------\r\nexport * from \"./types/envelope.js\";\r\nexport * from \"./types/payloads.js\";\r\nexport * from \"./types/validation.js\";\r\nexport * from \"./types/metadata.js\";\r\nexport * from \"./deterministic-policy.js\";\r\nexport * from \"./types/validator-config.js\";","import crypto from \"node:crypto\";\nimport { canonicalize } from \"@parmanasystems/bundle\";\n\nimport type {\n AuditOverride\n} from \"@parmanasystems/audit-db\";\n\nimport type { Signer } from \"@parmanasystems/execution\";\n\nexport interface ApproveOverrideInput {\n\n executionId: string;\n\n approved_by: string;\n\n approver_role: string;\n\n reason: string;\n}\n\nexport async function approveOverride(\n input: ApproveOverrideInput,\n signer?: Signer\n): Promise<AuditOverride> {\n\n const override_id =\n crypto.randomUUID();\n\n const approved_at =\n new Date();\n\n const signingPayload = canonicalize({\n override_id,\n executionId: input.executionId,\n approved_by: input.approved_by,\n approver_role: input.approver_role,\n reason: input.reason,\n });\n\n // approved_at is metadata only — excluded from the deterministic signed content\n let override_signature: string;\n let signature_type: \"ed25519\" \| \"sha256\";\n\n if (signer) {\n override_signature = signer.sign(signingPayload);\n signature_type = \"ed25519\";\n } else {\n override_signature = crypto\n .createHash(\"sha256\")\n .update(signingPayload)\n .digest(\"hex\");\n signature_type = \"sha256\";\n }\n\n const override: AuditOverride = {\n\n id: 0,\n\n override_id,\n\n executionId:\n input.executionId,\n\n approved_by:\n input.approved_by,\n\n approver_role:\n input.approver_role,\n\n reason:\n input.reason,\n\n override_signature,\n\n signature_type,\n\n approved_at,\n\n recorded_at:\n approved_at\n };\n\n return override;\n}\n","export { canonicalize } from \"@parmanasystems/bundle\";\r\n","/** Returns `true` when `value` is a non-empty, non-whitespace-only string. /\r\nexport function assertNonEmptyString(\r\n value: unknown\r\n): boolean {\r\n return (\r\n typeof value === \"string\" &&\r\n value.trim().length > 0\r\n );\r\n}\r\n\r\n/* Returns `true` when `value` is an array. /\r\nexport function assertArray(\r\n value: unknown\r\n): boolean {\r\n return Array.isArray(value);\r\n}\r\n\r\nfunction scanObject(\r\n value: unknown,\r\n forbiddenFields:\r\n readonly string[]\r\n): boolean {\r\n\r\n if (\r\n typeof value !== \"object\" \|\|\r\n value === null\r\n ) {\r\n return true;\r\n }\r\n\r\n if (Array.isArray(value)) {\r\n return value.every(\r\n (item) =>\r\n scanObject(\r\n item,\r\n forbiddenFields\r\n )\r\n );\r\n }\r\n\r\n for (\r\n const [key, nested]\r\n of Object.entries(value)\r\n ) {\r\n\r\n if (\r\n forbiddenFields.includes(\r\n key\r\n )\r\n ) {\r\n return false;\r\n }\r\n\r\n if (\r\n !scanObject(\r\n nested,\r\n forbiddenFields\r\n )\r\n ) {\r\n return false;\r\n }\r\n }\r\n\r\n return true;\r\n}\r\n\r\n/\r\n Recursively scans `payload` and returns `false` if any object key matches\r\n * a name in `forbiddenFields`.\r\n \r\n Used by {@link LocalValidator} to enforce that operational-metadata fields\r\n * have not contaminated the deterministic signing scope.\r\n \r\n @param payload - The payload object to inspect.\r\n * @param forbiddenFields - Field names that must not appear anywhere in the payload.\r\n /\r\nexport function assertNoOperationalMetadata(\r\n payload: unknown,\r\n forbiddenFields:\r\n readonly string[]\r\n): boolean {\r\n\r\n return scanObject(\r\n payload,\r\n forbiddenFields\r\n );\r\n}\r\n","/\r\n Field names that must not appear inside a deterministic payload.\r\n \r\n These are operational-metadata fields that introduce non-determinism\r\n * (timestamps, hostnames, trace IDs, deployment context) and would break\r\n * reproducible verification if present in the signed payload scope.\r\n \r\n Used as the default for {@link ValidatorConfig.forbiddenDeterministicFields}.\r\n /\r\nexport const forbiddenDeterministicFields = [\r\n \"generatedAt\",\r\n \"environment\",\r\n \"host\",\r\n \"runtime\",\r\n \"traceId\"\r\n] as const;\r\n","import { canonicalize } from \"./canonicalize.js\";\n\nimport {\n assertNoOperationalMetadata\n} from \"./invariants.js\";\n\nimport {\n forbiddenDeterministicFields\n} from \"./deterministic-policy.js\";\n\nimport {\n ValidatorConfig\n} from \"./types/validator-config.js\";\n\nimport { ValidationResult } from \"./types/validation.js\";\n\nimport { SignedEnvelope } from \"./types/envelope.js\";\n\n/\n LocalValidator validates ExecutionAttestations through\n * five sequential stages. All stages must pass for\n * valid to be true.\n \n Stages:\n * 1. structure — all required fields present and typed correctly\n * 2. canonical — payload serializes deterministically via canonicalize()\n * 3. deterministic — execution_fingerprint matches SHA-256 of canonical signals\n * 4. metadataIsolation — no execution metadata fields leak into signed payload\n * 5. cryptographic — Ed25519 signature verifies against canonical payload\n * (requires ValidatorConfig.verifier to be set)\n \n @example\n * const validator = new LocalValidator({ verifier });\n * const result = validator.validate(attestation);\n * if (!result.valid) {\n * console.log(result.checks); // shows which stage failed\n * }\n /\nexport class LocalValidator {\n\n private readonly config:\n ValidatorConfig;\n\n /\n @param config - Optional override for {@link ValidatorConfig}.\n * Defaults to using {@link forbiddenDeterministicFields}.\n /\n constructor(\n config: ValidatorConfig = {}\n ) {\n this.config = {\n forbiddenDeterministicFields,\n ...config\n };\n }\n\n private extractDeterministicPayload(\n envelope: SignedEnvelope<unknown>\n ): unknown {\n return envelope.payload;\n }\n\n /* Returns `true` when `envelope` has `payload` (any value) and `signature` (string). /\n validateStructure(\n envelope: SignedEnvelope<unknown>\n ): boolean {\n\n return (\n typeof envelope === \"object\" &&\n envelope !== null &&\n \"payload\" in envelope &&\n \"signature\" in envelope &&\n typeof envelope.signature === \"string\"\n );\n }\n\n /* Returns `true` when `payload` can be serialized through the canonical JSON pipeline without error. /\n validateCanonical(\n payload: unknown\n ): boolean {\n\n try {\n\n canonicalize(payload);\n\n return true;\n\n } catch {\n\n return false;\n }\n }\n\n /\n Returns `true` when the payload does not contain execution metadata fields\n * that must remain isolated from the deterministic signing scope.\n /\n validateMetadataIsolation(\n envelope: SignedEnvelope<unknown>\n ): boolean {\n\n try {\n\n const payload =\n this.extractDeterministicPayload(\n envelope\n );\n\n const metadataFields = [\n \"executionId\",\n \"policyId\",\n \"policyVersion\",\n \"execution_fingerprint\",\n \"execution_state\",\n \"runtime_manifest\",\n ];\n\n const payloadKeys =\n Object.keys(\n (payload as Record<string, unknown>) \|\| {}\n );\n\n return !metadataFields.some(\n (f) => payloadKeys.includes(f)\n );\n\n } catch {\n\n return false;\n }\n }\n\n /\n Runs all five validation stages against `envelope` and returns a\n * {@link ValidationResult} with per-stage flags and accumulated error messages.\n */\n validate(\n envelope: SignedEnvelope<unknown>\n ): ValidationResult {\n\n // Stage 1 — structure: all required fields present and typed correctly\n const structure =\n this.validateStructure(\n envelope\n );\n\n // Stage 2 — canonical: payload serializes deterministically via canonicalize()\n const canonical =\n structure &&\n this.validateCanonical(\n envelope.payload\n );\n\n // Stage 3 — deterministic: no forbidden operational metadata in the payload\n const deterministic =\n structure &&\n assertNoOperationalMetadata(\n envelope.payload,\n this.config\n .forbiddenDeterministicFields ??\n []\n );\n\n // Stage 4 — metadataIsolation: no execution metadata fields leak into signed payload\n const metadataIsolation =\n structure &&\n this.validateMetadataIsolation(\n envelope\n );\n\n // Stage 5 — cryptographic: Ed25519 signature verifies against canonical payload\n const cryptographic =\n structure &&\n !!this.config.verifier &&\n this.config.verifier.verify(\n canonicalize(envelope.payload),\n envelope.signature\n );\n\n const errors: string[] =\n [];\n\n if (!structure) {\n errors.push(\n \"Invalid structure.\"\n );\n }\n\n if (!canonical) {\n errors.push(\n \"Canonicalization validation failed.\"\n );\n }\n\n if (!deterministic) {\n errors.push(\n \"Operational metadata contamination detected.\"\n );\n }\n\n if (!metadataIsolation) {\n errors.push(\n \"Metadata isolation validation failed.\"\n );\n }\n\n return {\n valid:\n structure &&\n canonical &&\n deterministic &&\n metadataIsolation &&\n cryptographic,\n\n verified:\n cryptographic,\n\n stages: {\n structure,\n canonical,\n deterministic,\n metadataIsolation,\n cryptographic\n },\n\n errors\n };\n }\n}\n"],"mappings":";AAGA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAEP;AAAA,EACE;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAkCP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;;;ACrFP,OAAO,YAAY;AACnB,SAAS,oBAAoB;AAmB7B,eAAsB,gBACpB,OACA,QACwB;AAExB,QAAM,cACJ,OAAO,WAAW;AAEpB,QAAM,cACJ,oBAAI,KAAK;AAEX,QAAM,iBAAiB,aAAa;AAAA,IAClC;AAAA,IACA,aAAe,MAAM;AAAA,IACrB,aAAe,MAAM;AAAA,IACrB,eAAe,MAAM;AAAA,IACrB,QAAe,MAAM;AAAA,EACvB,CAAC;AAGD,MAAI;AACJ,MAAI;AAEJ,MAAI,QAAQ;AACV,yBAAqB,OAAO,KAAK,cAAc;AAC/C,qBAAiB;AAAA,EACnB,OAAO;AACL,yBAAqB,OAClB,WAAW,QAAQ,EACnB,OAAO,cAAc,EACrB,OAAO,KAAK;AACf,qBAAiB;AAAA,EACnB;AAEA,QAAM,WAA0B;AAAA,IAE9B,IAAI;AAAA,IAEJ;AAAA,IAEA,aACE,MAAM;AAAA,IAER,aACE,MAAM;AAAA,IAER,eACE,MAAM;AAAA,IAER,QACE,MAAM;AAAA,IAER;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA,aACE;AAAA,EACJ;AAEA,SAAO;AACT;;;ACnFA,SAAS,gBAAAA,qBAAoB;;;ACCtB,SAAS,qBACd,OACS;AACT,SACE,OAAO,UAAU,YACjB,MAAM,KAAK,EAAE,SAAS;AAE1B;AAGO,SAAS,YACd,OACS;AACT,SAAO,MAAM,QAAQ,KAAK;AAC5B;AAEA,SAAS,WACP,OACA,iBAES;AAET,MACE,OAAO,UAAU,YACjB,UAAU,MACV;AACA,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM;AAAA,MACX,CAAC,SACC;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAAA,IACJ;AAAA,EACF;AAEA,aACQ,CAAC,KAAK,MAAM,KACf,OAAO,QAAQ,KAAK,GACvB;AAEA,QACE,gBAAgB;AAAA,MACd;AAAA,IACF,GACA;AACA,aAAO;AAAA,IACT;AAEA,QACE,CAAC;AAAA,MACC;AAAA,MACA;AAAA,IACF,GACA;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAYO,SAAS,4BACd,SACA,iBAES;AAET,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;;;AC7EO,IAAM,+BAA+B;AAAA,EAC1C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;;;ACuBO,IAAM,iBAAN,MAAqB;AAAA,EAET;AAAA;AAAA;AAAA;AAAA;AAAA,EAOjB,YACE,SAA0B,CAAC,GAC3B;AACA,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,GAAG;AAAA,IACL;AAAA,EACF;AAAA,EAEQ,4BACN,UACS;AACT,WAAO,SAAS;AAAA,EAClB;AAAA;AAAA,EAGA,kBACE,UACS;AAET,WACE,OAAO,aAAa,YACpB,aAAa,QACb,aAAa,YACb,eAAe,YACf,OAAO,SAAS,cAAc;AAAA,EAElC;AAAA;AAAA,EAGA,kBACE,SACS;AAET,QAAI;AAEF,MAAAC,cAAa,OAAO;AAEpB,aAAO;AAAA,IAET,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,0BACE,UACS;AAET,QAAI;AAEF,YAAM,UACJ,KAAK;AAAA,QACH;AAAA,MACF;AAEF,YAAM,iBAAiB;AAAA,QACrB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,YAAM,cACJ,OAAO;AAAA,QACJ,WAAuC,CAAC;AAAA,MAC3C;AAEF,aAAO,CAAC,eAAe;AAAA,QACrB,CAAC,MAAM,YAAY,SAAS,CAAC;AAAA,MAC/B;AAAA,IAEF,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,SACE,UACkB;AAGlB,UAAM,YACJ,KAAK;AAAA,MACH;AAAA,IACF;AAGF,UAAM,YACJ,aACA,KAAK;AAAA,MACH,SAAS;AAAA,IACX;AAGF,UAAM,gBACJ,aACA;AAAA,MACE,SAAS;AAAA,MACT,KAAK,OACF,gCACD,CAAC;AAAA,IACL;AAGF,UAAM,oBACJ,aACA,KAAK;AAAA,MACH;AAAA,IACF;AAGF,UAAM,gBACJ,aACA,CAAC,CAAC,KAAK,OAAO,YACd,KAAK,OAAO,SAAS;AAAA,MACnBA,cAAa,SAAS,OAAO;AAAA,MAC7B,SAAS;AAAA,IACX;AAEF,UAAM,SACJ,CAAC;AAEH,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,eAAe;AAClB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,mBAAmB;AACtB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,OACE,aACA,aACA,iBACA,qBACA;AAAA,MAEF,UACE;AAAA,MAEF,QAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,MAEA;AAAA,IACF;AAAA,EACF;AACF;","names":["canonicalize","canonicalize"]}

package/package.json CHANGED Viewed

@@ -1,6 +1,6 @@
 {
   "name": "@parmanasystems/core",
-  "version": "1.82.0",
+  "version": "1.86.0",
   "private": false,
   "type": "module",
   "scripts": {
@@ -18,13 +18,13 @@
   ],
   "sideEffects": false,
   "dependencies": {
-    "@parmanasystems/audit-db": "^1.82.0",
-    "@parmanasystems/bundle": "^1.82.0",
-    "@parmanasystems/crypto": "^1.82.0",
-    "@parmanasystems/execution": "^1.82.0",
-    "@parmanasystems/execution-runtime": "^1.82.0",
-    "@parmanasystems/governance": "^1.82.0",
-    "@parmanasystems/verifier": "^1.82.0"
+    "@parmanasystems/audit-db": "^1.86.0",
+    "@parmanasystems/bundle": "^1.86.0",
+    "@parmanasystems/crypto": "^1.86.0",
+    "@parmanasystems/execution": "^1.86.0",
+    "@parmanasystems/execution-runtime": "^1.86.0",
+    "@parmanasystems/governance": "^1.86.0",
+    "@parmanasystems/verifier": "^1.86.0"
   },
   "description": "Public orchestration and SDK surface for parmanasystems deterministic governance infrastructure.",
   "license": "Apache-2.0",