@parmanasystems/core 1.86.0 → 1.89.0
This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
- package/dist/index.d.ts +2 -2
- package/dist/index.js +3 -1
- package/dist/index.js.map +1 -1
- package/package.json +8 -8
package/dist/index.d.ts
CHANGED
|
@@ -1,8 +1,8 @@
|
|
|
1
1
|
export { RuntimeRequirements, createPolicy, generateBundle, upgradePolicy, validatePolicy } from '@parmanasystems/governance';
|
|
2
2
|
export { signBundle } from '@parmanasystems/crypto';
|
|
3
3
|
import { Signer, Verifier } from '@parmanasystems/execution';
|
|
4
|
-
export { ExecutionAttestation, ExecutionContext, ExecutionToken, INVARIANT_REGISTRY, InvariantBoundary, InvariantEntry, InvariantId, InvariantViolation, LocalSigner, LocalVerifier, ReplayStore, RuntimeManifest, Signer, Verifier, ViolationReport, executeDecision, getRuntimeManifest, hashInput, issueToken, signRuntimeManifest, verifyExecutionToken, verifyRuntimeManifest, violate } from '@parmanasystems/execution';
|
|
5
|
-
export { MemoryReplayStore, RedisReplayStore, executeFromSignals } from '@parmanasystems/execution-runtime';
|
|
4
|
+
export { ConfirmExecutionRequest, ExecutedAction, ExecutionAttestation, ExecutionContext, ExecutionIntegrityProof, ExecutionToken, INVARIANT_REGISTRY, InvariantBoundary, InvariantEntry, InvariantId, InvariantViolation, LocalSigner, LocalVerifier, MatchDetails, ReplayStore, RuntimeManifest, Signer, Verifier, ViolationReport, executeDecision, getRuntimeManifest, hashInput, issueToken, signRuntimeManifest, verifyExecutionToken, verifyRuntimeManifest, violate } from '@parmanasystems/execution';
|
|
5
|
+
export { MemoryReplayStore, RedisReplayStore, confirmExecution, executeFromSignals } from '@parmanasystems/execution-runtime';
|
|
6
6
|
export { verifyAttestation, verifyBundle, verifyExecutionRequirements, verifyRuntime, verifyRuntimeCompatibility } from '@parmanasystems/verifier';
|
|
7
7
|
export { DecisionOutcome, DecisionResult } from '@parmanasystems/contracts';
|
|
8
8
|
import { AuditOverride } from '@parmanasystems/audit-db';
|
package/dist/index.js
CHANGED
|
@@ -21,7 +21,8 @@ import {
|
|
|
21
21
|
import {
|
|
22
22
|
executeFromSignals,
|
|
23
23
|
MemoryReplayStore,
|
|
24
|
-
RedisReplayStore
|
|
24
|
+
RedisReplayStore,
|
|
25
|
+
confirmExecution
|
|
25
26
|
} from "@parmanasystems/execution-runtime";
|
|
26
27
|
import {
|
|
27
28
|
verifyAttestation,
|
|
@@ -253,6 +254,7 @@ export {
|
|
|
253
254
|
assertNoOperationalMetadata,
|
|
254
255
|
assertNonEmptyString,
|
|
255
256
|
canonicalize2 as canonicalize,
|
|
257
|
+
confirmExecution,
|
|
256
258
|
createPolicy,
|
|
257
259
|
executeDecision,
|
|
258
260
|
executeFromSignals,
|
package/dist/index.js.map
CHANGED
|
@@ -1 +1 @@
|
|
|
1
|
-
{"version":3,"sources":["../src/index.ts","../src/override.ts","../src/canonicalize.ts","../src/invariants.ts","../src/deterministic-policy.ts","../src/validator.ts"],"sourcesContent":["// -----------------------------\r\n// Governance Lifecycle\r\n// -----------------------------\r\nexport {\r\n createPolicy,\r\n upgradePolicy,\r\n validatePolicy,\r\n generateBundle\r\n} from \"@parmanasystems/governance\";\r\n\r\nexport {\r\n signBundle\r\n} from \"@parmanasystems/crypto\";\r\n\r\n// -----------------------------\r\n// Deterministic Execution Core\r\n// -----------------------------\r\nexport {\r\n executeDecision,\r\n issueToken,\r\n verifyExecutionToken,\r\n getRuntimeManifest,\r\n signRuntimeManifest,\r\n verifyRuntimeManifest,\r\n LocalSigner,\r\n LocalVerifier\r\n} from \"@parmanasystems/execution\";\r\n\r\n// -----------------------------\r\n// Runtime Orchestration\r\n// -----------------------------\r\nexport {\r\n executeFromSignals,\r\n MemoryReplayStore,\r\n RedisReplayStore\r\n} from \"@parmanasystems/execution-runtime\";\r\n\r\n// -----------------------------\r\n// Portable Verification\r\n// -----------------------------\r\nexport {\r\n verifyAttestation,\r\n verifyBundle,\r\n verifyRuntime,\r\n verifyRuntimeCompatibility,\r\n verifyExecutionRequirements\r\n} from \"@parmanasystems/verifier\";\r\n\r\n// -----------------------------\r\n// Canonical Governance Types\r\n// -----------------------------\r\nexport type {\r\n ExecutionContext,\r\n ExecutionAttestation,\r\n ExecutionToken,\r\n RuntimeManifest,\r\n Signer,\r\n Verifier,\r\n ReplayStore,\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport type {\r\n RuntimeRequirements,\r\n} from \"@parmanasystems/governance\";\r\n\r\nexport type {\r\n DecisionResult,\r\n DecisionOutcome\r\n} from \"@parmanasystems/contracts\";\r\n\r\n// -----------------------------\r\n// Invariant Registry\r\n// -----------------------------\r\nexport type {\r\n InvariantBoundary,\r\n InvariantEntry,\r\n InvariantId,\r\n ViolationReport,\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport {\r\n INVARIANT_REGISTRY,\r\n InvariantViolation,\r\n violate,\r\n hashInput,\r\n} from \"@parmanasystems/execution\";\r\n\r\n// -----------------------------\r\n// Override Authority\r\n// -----------------------------\r\nexport {\r\n approveOverride\r\n} from \"./override.js\";\r\n\r\nexport type {\r\n ApproveOverrideInput\r\n} from \"./override.js\";\r\n\r\n// -----------------------------\r\n// Deterministic Validation\r\n// -----------------------------\r\nexport * from \"./canonicalize.js\";\r\nexport * from \"./validator.js\";\r\nexport * from \"./invariants.js\";\r\n\r\n// -----------------------------\r\n// Validation Types\r\n// -----------------------------\r\nexport * from \"./types/envelope.js\";\r\nexport * from \"./types/payloads.js\";\r\nexport * from \"./types/validation.js\";\r\nexport * from \"./types/metadata.js\";\r\nexport * from \"./deterministic-policy.js\";\r\nexport * from \"./types/validator-config.js\";","import crypto from \"node:crypto\";\nimport { canonicalize } from \"@parmanasystems/bundle\";\n\nimport type {\n AuditOverride\n} from \"@parmanasystems/audit-db\";\n\nimport type { Signer } from \"@parmanasystems/execution\";\n\nexport interface ApproveOverrideInput {\n\n executionId: string;\n\n approved_by: string;\n\n approver_role: string;\n\n reason: string;\n}\n\nexport async function approveOverride(\n input: ApproveOverrideInput,\n signer?: Signer\n): Promise<AuditOverride> {\n\n const override_id =\n crypto.randomUUID();\n\n const approved_at =\n new Date();\n\n const signingPayload = canonicalize({\n override_id,\n executionId: input.executionId,\n approved_by: input.approved_by,\n approver_role: input.approver_role,\n reason: input.reason,\n });\n\n // approved_at is metadata only — excluded from the deterministic signed content\n let override_signature: string;\n let signature_type: \"ed25519\" | \"sha256\";\n\n if (signer) {\n override_signature = signer.sign(signingPayload);\n signature_type = \"ed25519\";\n } else {\n override_signature = crypto\n .createHash(\"sha256\")\n .update(signingPayload)\n .digest(\"hex\");\n signature_type = \"sha256\";\n }\n\n const override: AuditOverride = {\n\n id: 0,\n\n override_id,\n\n executionId:\n input.executionId,\n\n approved_by:\n input.approved_by,\n\n approver_role:\n input.approver_role,\n\n reason:\n input.reason,\n\n override_signature,\n\n signature_type,\n\n approved_at,\n\n recorded_at:\n approved_at\n };\n\n return override;\n}\n","export { canonicalize } from \"@parmanasystems/bundle\";\r\n","/** Returns `true` when `value` is a non-empty, non-whitespace-only string. */\r\nexport function assertNonEmptyString(\r\n value: unknown\r\n): boolean {\r\n return (\r\n typeof value === \"string\" &&\r\n value.trim().length > 0\r\n );\r\n}\r\n\r\n/** Returns `true` when `value` is an array. */\r\nexport function assertArray(\r\n value: unknown\r\n): boolean {\r\n return Array.isArray(value);\r\n}\r\n\r\nfunction scanObject(\r\n value: unknown,\r\n forbiddenFields:\r\n readonly string[]\r\n): boolean {\r\n\r\n if (\r\n typeof value !== \"object\" ||\r\n value === null\r\n ) {\r\n return true;\r\n }\r\n\r\n if (Array.isArray(value)) {\r\n return value.every(\r\n (item) =>\r\n scanObject(\r\n item,\r\n forbiddenFields\r\n )\r\n );\r\n }\r\n\r\n for (\r\n const [key, nested]\r\n of Object.entries(value)\r\n ) {\r\n\r\n if (\r\n forbiddenFields.includes(\r\n key\r\n )\r\n ) {\r\n return false;\r\n }\r\n\r\n if (\r\n !scanObject(\r\n nested,\r\n forbiddenFields\r\n )\r\n ) {\r\n return false;\r\n }\r\n }\r\n\r\n return true;\r\n}\r\n\r\n/**\r\n * Recursively scans `payload` and returns `false` if any object key matches\r\n * a name in `forbiddenFields`.\r\n *\r\n * Used by {@link LocalValidator} to enforce that operational-metadata fields\r\n * have not contaminated the deterministic signing scope.\r\n *\r\n * @param payload - The payload object to inspect.\r\n * @param forbiddenFields - Field names that must not appear anywhere in the payload.\r\n */\r\nexport function assertNoOperationalMetadata(\r\n payload: unknown,\r\n forbiddenFields:\r\n readonly string[]\r\n): boolean {\r\n\r\n return scanObject(\r\n payload,\r\n forbiddenFields\r\n );\r\n}\r\n","/**\r\n * Field names that must not appear inside a deterministic payload.\r\n *\r\n * These are operational-metadata fields that introduce non-determinism\r\n * (timestamps, hostnames, trace IDs, deployment context) and would break\r\n * reproducible verification if present in the signed payload scope.\r\n *\r\n * Used as the default for {@link ValidatorConfig.forbiddenDeterministicFields}.\r\n */\r\nexport const forbiddenDeterministicFields = [\r\n \"generatedAt\",\r\n \"environment\",\r\n \"host\",\r\n \"runtime\",\r\n \"traceId\"\r\n] as const;\r\n","import { canonicalize } from \"./canonicalize.js\";\n\nimport {\n assertNoOperationalMetadata\n} from \"./invariants.js\";\n\nimport {\n forbiddenDeterministicFields\n} from \"./deterministic-policy.js\";\n\nimport {\n ValidatorConfig\n} from \"./types/validator-config.js\";\n\nimport { ValidationResult } from \"./types/validation.js\";\n\nimport { SignedEnvelope } from \"./types/envelope.js\";\n\n/**\n * LocalValidator validates ExecutionAttestations through\n * five sequential stages. All stages must pass for\n * valid to be true.\n *\n * Stages:\n * 1. structure — all required fields present and typed correctly\n * 2. canonical — payload serializes deterministically via canonicalize()\n * 3. deterministic — execution_fingerprint matches SHA-256 of canonical signals\n * 4. metadataIsolation — no execution metadata fields leak into signed payload\n * 5. cryptographic — Ed25519 signature verifies against canonical payload\n * (requires ValidatorConfig.verifier to be set)\n *\n * @example\n * const validator = new LocalValidator({ verifier });\n * const result = validator.validate(attestation);\n * if (!result.valid) {\n * console.log(result.checks); // shows which stage failed\n * }\n */\nexport class LocalValidator {\n\n private readonly config:\n ValidatorConfig;\n\n /**\n * @param config - Optional override for {@link ValidatorConfig}.\n * Defaults to using {@link forbiddenDeterministicFields}.\n */\n constructor(\n config: ValidatorConfig = {}\n ) {\n this.config = {\n forbiddenDeterministicFields,\n ...config\n };\n }\n\n private extractDeterministicPayload(\n envelope: SignedEnvelope<unknown>\n ): unknown {\n return envelope.payload;\n }\n\n /** Returns `true` when `envelope` has `payload` (any value) and `signature` (string). */\n validateStructure(\n envelope: SignedEnvelope<unknown>\n ): boolean {\n\n return (\n typeof envelope === \"object\" &&\n envelope !== null &&\n \"payload\" in envelope &&\n \"signature\" in envelope &&\n typeof envelope.signature === \"string\"\n );\n }\n\n /** Returns `true` when `payload` can be serialized through the canonical JSON pipeline without error. */\n validateCanonical(\n payload: unknown\n ): boolean {\n\n try {\n\n canonicalize(payload);\n\n return true;\n\n } catch {\n\n return false;\n }\n }\n\n /**\n * Returns `true` when the payload does not contain execution metadata fields\n * that must remain isolated from the deterministic signing scope.\n */\n validateMetadataIsolation(\n envelope: SignedEnvelope<unknown>\n ): boolean {\n\n try {\n\n const payload =\n this.extractDeterministicPayload(\n envelope\n );\n\n const metadataFields = [\n \"executionId\",\n \"policyId\",\n \"policyVersion\",\n \"execution_fingerprint\",\n \"execution_state\",\n \"runtime_manifest\",\n ];\n\n const payloadKeys =\n Object.keys(\n (payload as Record<string, unknown>) || {}\n );\n\n return !metadataFields.some(\n (f) => payloadKeys.includes(f)\n );\n\n } catch {\n\n return false;\n }\n }\n\n /**\n * Runs all five validation stages against `envelope` and returns a\n * {@link ValidationResult} with per-stage flags and accumulated error messages.\n */\n validate(\n envelope: SignedEnvelope<unknown>\n ): ValidationResult {\n\n // Stage 1 — structure: all required fields present and typed correctly\n const structure =\n this.validateStructure(\n envelope\n );\n\n // Stage 2 — canonical: payload serializes deterministically via canonicalize()\n const canonical =\n structure &&\n this.validateCanonical(\n envelope.payload\n );\n\n // Stage 3 — deterministic: no forbidden operational metadata in the payload\n const deterministic =\n structure &&\n assertNoOperationalMetadata(\n envelope.payload,\n this.config\n .forbiddenDeterministicFields ??\n []\n );\n\n // Stage 4 — metadataIsolation: no execution metadata fields leak into signed payload\n const metadataIsolation =\n structure &&\n this.validateMetadataIsolation(\n envelope\n );\n\n // Stage 5 — cryptographic: Ed25519 signature verifies against canonical payload\n const cryptographic =\n structure &&\n !!this.config.verifier &&\n this.config.verifier.verify(\n canonicalize(envelope.payload),\n envelope.signature\n );\n\n const errors: string[] =\n [];\n\n if (!structure) {\n errors.push(\n \"Invalid structure.\"\n );\n }\n\n if (!canonical) {\n errors.push(\n \"Canonicalization validation failed.\"\n );\n }\n\n if (!deterministic) {\n errors.push(\n \"Operational metadata contamination detected.\"\n );\n }\n\n if (!metadataIsolation) {\n errors.push(\n \"Metadata isolation validation failed.\"\n );\n }\n\n return {\n valid:\n structure &&\n canonical &&\n deterministic &&\n metadataIsolation &&\n cryptographic,\n\n verified:\n cryptographic,\n\n stages: {\n structure,\n canonical,\n deterministic,\n metadataIsolation,\n cryptographic\n },\n\n errors\n };\n }\n}\n"],"mappings":";AAGA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAEP;AAAA,EACE;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAkCP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;;;ACrFP,OAAO,YAAY;AACnB,SAAS,oBAAoB;AAmB7B,eAAsB,gBACpB,OACA,QACwB;AAExB,QAAM,cACJ,OAAO,WAAW;AAEpB,QAAM,cACJ,oBAAI,KAAK;AAEX,QAAM,iBAAiB,aAAa;AAAA,IAClC;AAAA,IACA,aAAe,MAAM;AAAA,IACrB,aAAe,MAAM;AAAA,IACrB,eAAe,MAAM;AAAA,IACrB,QAAe,MAAM;AAAA,EACvB,CAAC;AAGD,MAAI;AACJ,MAAI;AAEJ,MAAI,QAAQ;AACV,yBAAqB,OAAO,KAAK,cAAc;AAC/C,qBAAiB;AAAA,EACnB,OAAO;AACL,yBAAqB,OAClB,WAAW,QAAQ,EACnB,OAAO,cAAc,EACrB,OAAO,KAAK;AACf,qBAAiB;AAAA,EACnB;AAEA,QAAM,WAA0B;AAAA,IAE9B,IAAI;AAAA,IAEJ;AAAA,IAEA,aACE,MAAM;AAAA,IAER,aACE,MAAM;AAAA,IAER,eACE,MAAM;AAAA,IAER,QACE,MAAM;AAAA,IAER;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA,aACE;AAAA,EACJ;AAEA,SAAO;AACT;;;ACnFA,SAAS,gBAAAA,qBAAoB;;;ACCtB,SAAS,qBACd,OACS;AACT,SACE,OAAO,UAAU,YACjB,MAAM,KAAK,EAAE,SAAS;AAE1B;AAGO,SAAS,YACd,OACS;AACT,SAAO,MAAM,QAAQ,KAAK;AAC5B;AAEA,SAAS,WACP,OACA,iBAES;AAET,MACE,OAAO,UAAU,YACjB,UAAU,MACV;AACA,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM;AAAA,MACX,CAAC,SACC;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAAA,IACJ;AAAA,EACF;AAEA,aACQ,CAAC,KAAK,MAAM,KACf,OAAO,QAAQ,KAAK,GACvB;AAEA,QACE,gBAAgB;AAAA,MACd;AAAA,IACF,GACA;AACA,aAAO;AAAA,IACT;AAEA,QACE,CAAC;AAAA,MACC;AAAA,MACA;AAAA,IACF,GACA;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAYO,SAAS,4BACd,SACA,iBAES;AAET,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;;;AC7EO,IAAM,+BAA+B;AAAA,EAC1C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;;;ACuBO,IAAM,iBAAN,MAAqB;AAAA,EAET;AAAA;AAAA;AAAA;AAAA;AAAA,EAOjB,YACE,SAA0B,CAAC,GAC3B;AACA,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,GAAG;AAAA,IACL;AAAA,EACF;AAAA,EAEQ,4BACN,UACS;AACT,WAAO,SAAS;AAAA,EAClB;AAAA;AAAA,EAGA,kBACE,UACS;AAET,WACE,OAAO,aAAa,YACpB,aAAa,QACb,aAAa,YACb,eAAe,YACf,OAAO,SAAS,cAAc;AAAA,EAElC;AAAA;AAAA,EAGA,kBACE,SACS;AAET,QAAI;AAEF,MAAAC,cAAa,OAAO;AAEpB,aAAO;AAAA,IAET,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,0BACE,UACS;AAET,QAAI;AAEF,YAAM,UACJ,KAAK;AAAA,QACH;AAAA,MACF;AAEF,YAAM,iBAAiB;AAAA,QACrB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,YAAM,cACJ,OAAO;AAAA,QACJ,WAAuC,CAAC;AAAA,MAC3C;AAEF,aAAO,CAAC,eAAe;AAAA,QACrB,CAAC,MAAM,YAAY,SAAS,CAAC;AAAA,MAC/B;AAAA,IAEF,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,SACE,UACkB;AAGlB,UAAM,YACJ,KAAK;AAAA,MACH;AAAA,IACF;AAGF,UAAM,YACJ,aACA,KAAK;AAAA,MACH,SAAS;AAAA,IACX;AAGF,UAAM,gBACJ,aACA;AAAA,MACE,SAAS;AAAA,MACT,KAAK,OACF,gCACD,CAAC;AAAA,IACL;AAGF,UAAM,oBACJ,aACA,KAAK;AAAA,MACH;AAAA,IACF;AAGF,UAAM,gBACJ,aACA,CAAC,CAAC,KAAK,OAAO,YACd,KAAK,OAAO,SAAS;AAAA,MACnBA,cAAa,SAAS,OAAO;AAAA,MAC7B,SAAS;AAAA,IACX;AAEF,UAAM,SACJ,CAAC;AAEH,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,eAAe;AAClB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,mBAAmB;AACtB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,OACE,aACA,aACA,iBACA,qBACA;AAAA,MAEF,UACE;AAAA,MAEF,QAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,MAEA;AAAA,IACF;AAAA,EACF;AACF;","names":["canonicalize","canonicalize"]}
|
|
1
|
+
{"version":3,"sources":["../src/index.ts","../src/override.ts","../src/canonicalize.ts","../src/invariants.ts","../src/deterministic-policy.ts","../src/validator.ts"],"sourcesContent":["// -----------------------------\r\n// Governance Lifecycle\r\n// -----------------------------\r\nexport {\r\n createPolicy,\r\n upgradePolicy,\r\n validatePolicy,\r\n generateBundle\r\n} from \"@parmanasystems/governance\";\r\n\r\nexport {\r\n signBundle\r\n} from \"@parmanasystems/crypto\";\r\n\r\n// -----------------------------\r\n// Deterministic Execution Core\r\n// -----------------------------\r\nexport {\r\n executeDecision,\r\n issueToken,\r\n verifyExecutionToken,\r\n getRuntimeManifest,\r\n signRuntimeManifest,\r\n verifyRuntimeManifest,\r\n LocalSigner,\r\n LocalVerifier\r\n} from \"@parmanasystems/execution\";\r\n\r\n// -----------------------------\r\n// Runtime Orchestration\r\n// -----------------------------\r\nexport {\r\n executeFromSignals,\r\n MemoryReplayStore,\r\n RedisReplayStore,\r\n confirmExecution,\r\n} from \"@parmanasystems/execution-runtime\";\r\n\r\nexport type {\r\n ExecutedAction,\r\n ExecutionIntegrityProof,\r\n MatchDetails,\r\n ConfirmExecutionRequest,\r\n} from \"@parmanasystems/execution\";\r\n\r\n// -----------------------------\r\n// Portable Verification\r\n// -----------------------------\r\nexport {\r\n verifyAttestation,\r\n verifyBundle,\r\n verifyRuntime,\r\n verifyRuntimeCompatibility,\r\n verifyExecutionRequirements\r\n} from \"@parmanasystems/verifier\";\r\n\r\n// -----------------------------\r\n// Canonical Governance Types\r\n// -----------------------------\r\nexport type {\r\n ExecutionContext,\r\n ExecutionAttestation,\r\n ExecutionToken,\r\n RuntimeManifest,\r\n Signer,\r\n Verifier,\r\n ReplayStore,\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport type {\r\n RuntimeRequirements,\r\n} from \"@parmanasystems/governance\";\r\n\r\nexport type {\r\n DecisionResult,\r\n DecisionOutcome\r\n} from \"@parmanasystems/contracts\";\r\n\r\n// -----------------------------\r\n// Invariant Registry\r\n// -----------------------------\r\nexport type {\r\n InvariantBoundary,\r\n InvariantEntry,\r\n InvariantId,\r\n ViolationReport,\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport {\r\n INVARIANT_REGISTRY,\r\n InvariantViolation,\r\n violate,\r\n hashInput,\r\n} from \"@parmanasystems/execution\";\r\n\r\n// -----------------------------\r\n// Override Authority\r\n// -----------------------------\r\nexport {\r\n approveOverride\r\n} from \"./override.js\";\r\n\r\nexport type {\r\n ApproveOverrideInput\r\n} from \"./override.js\";\r\n\r\n// -----------------------------\r\n// Deterministic Validation\r\n// -----------------------------\r\nexport * from \"./canonicalize.js\";\r\nexport * from \"./validator.js\";\r\nexport * from \"./invariants.js\";\r\n\r\n// -----------------------------\r\n// Validation Types\r\n// -----------------------------\r\nexport * from \"./types/envelope.js\";\r\nexport * from \"./types/payloads.js\";\r\nexport * from \"./types/validation.js\";\r\nexport * from \"./types/metadata.js\";\r\nexport * from \"./deterministic-policy.js\";\r\nexport * from \"./types/validator-config.js\";","import crypto from \"node:crypto\";\nimport { canonicalize } from \"@parmanasystems/bundle\";\n\nimport type {\n AuditOverride\n} from \"@parmanasystems/audit-db\";\n\nimport type { Signer } from \"@parmanasystems/execution\";\n\nexport interface ApproveOverrideInput {\n\n executionId: string;\n\n approved_by: string;\n\n approver_role: string;\n\n reason: string;\n}\n\nexport async function approveOverride(\n input: ApproveOverrideInput,\n signer?: Signer\n): Promise<AuditOverride> {\n\n const override_id =\n crypto.randomUUID();\n\n const approved_at =\n new Date();\n\n const signingPayload = canonicalize({\n override_id,\n executionId: input.executionId,\n approved_by: input.approved_by,\n approver_role: input.approver_role,\n reason: input.reason,\n });\n\n // approved_at is metadata only — excluded from the deterministic signed content\n let override_signature: string;\n let signature_type: \"ed25519\" | \"sha256\";\n\n if (signer) {\n override_signature = signer.sign(signingPayload);\n signature_type = \"ed25519\";\n } else {\n override_signature = crypto\n .createHash(\"sha256\")\n .update(signingPayload)\n .digest(\"hex\");\n signature_type = \"sha256\";\n }\n\n const override: AuditOverride = {\n\n id: 0,\n\n override_id,\n\n executionId:\n input.executionId,\n\n approved_by:\n input.approved_by,\n\n approver_role:\n input.approver_role,\n\n reason:\n input.reason,\n\n override_signature,\n\n signature_type,\n\n approved_at,\n\n recorded_at:\n approved_at\n };\n\n return override;\n}\n","export { canonicalize } from \"@parmanasystems/bundle\";\r\n","/** Returns `true` when `value` is a non-empty, non-whitespace-only string. */\r\nexport function assertNonEmptyString(\r\n value: unknown\r\n): boolean {\r\n return (\r\n typeof value === \"string\" &&\r\n value.trim().length > 0\r\n );\r\n}\r\n\r\n/** Returns `true` when `value` is an array. */\r\nexport function assertArray(\r\n value: unknown\r\n): boolean {\r\n return Array.isArray(value);\r\n}\r\n\r\nfunction scanObject(\r\n value: unknown,\r\n forbiddenFields:\r\n readonly string[]\r\n): boolean {\r\n\r\n if (\r\n typeof value !== \"object\" ||\r\n value === null\r\n ) {\r\n return true;\r\n }\r\n\r\n if (Array.isArray(value)) {\r\n return value.every(\r\n (item) =>\r\n scanObject(\r\n item,\r\n forbiddenFields\r\n )\r\n );\r\n }\r\n\r\n for (\r\n const [key, nested]\r\n of Object.entries(value)\r\n ) {\r\n\r\n if (\r\n forbiddenFields.includes(\r\n key\r\n )\r\n ) {\r\n return false;\r\n }\r\n\r\n if (\r\n !scanObject(\r\n nested,\r\n forbiddenFields\r\n )\r\n ) {\r\n return false;\r\n }\r\n }\r\n\r\n return true;\r\n}\r\n\r\n/**\r\n * Recursively scans `payload` and returns `false` if any object key matches\r\n * a name in `forbiddenFields`.\r\n *\r\n * Used by {@link LocalValidator} to enforce that operational-metadata fields\r\n * have not contaminated the deterministic signing scope.\r\n *\r\n * @param payload - The payload object to inspect.\r\n * @param forbiddenFields - Field names that must not appear anywhere in the payload.\r\n */\r\nexport function assertNoOperationalMetadata(\r\n payload: unknown,\r\n forbiddenFields:\r\n readonly string[]\r\n): boolean {\r\n\r\n return scanObject(\r\n payload,\r\n forbiddenFields\r\n );\r\n}\r\n","/**\r\n * Field names that must not appear inside a deterministic payload.\r\n *\r\n * These are operational-metadata fields that introduce non-determinism\r\n * (timestamps, hostnames, trace IDs, deployment context) and would break\r\n * reproducible verification if present in the signed payload scope.\r\n *\r\n * Used as the default for {@link ValidatorConfig.forbiddenDeterministicFields}.\r\n */\r\nexport const forbiddenDeterministicFields = [\r\n \"generatedAt\",\r\n \"environment\",\r\n \"host\",\r\n \"runtime\",\r\n \"traceId\"\r\n] as const;\r\n","import { canonicalize } from \"./canonicalize.js\";\n\nimport {\n assertNoOperationalMetadata\n} from \"./invariants.js\";\n\nimport {\n forbiddenDeterministicFields\n} from \"./deterministic-policy.js\";\n\nimport {\n ValidatorConfig\n} from \"./types/validator-config.js\";\n\nimport { ValidationResult } from \"./types/validation.js\";\n\nimport { SignedEnvelope } from \"./types/envelope.js\";\n\n/**\n * LocalValidator validates ExecutionAttestations through\n * five sequential stages. All stages must pass for\n * valid to be true.\n *\n * Stages:\n * 1. structure — all required fields present and typed correctly\n * 2. canonical — payload serializes deterministically via canonicalize()\n * 3. deterministic — execution_fingerprint matches SHA-256 of canonical signals\n * 4. metadataIsolation — no execution metadata fields leak into signed payload\n * 5. cryptographic — Ed25519 signature verifies against canonical payload\n * (requires ValidatorConfig.verifier to be set)\n *\n * @example\n * const validator = new LocalValidator({ verifier });\n * const result = validator.validate(attestation);\n * if (!result.valid) {\n * console.log(result.checks); // shows which stage failed\n * }\n */\nexport class LocalValidator {\n\n private readonly config:\n ValidatorConfig;\n\n /**\n * @param config - Optional override for {@link ValidatorConfig}.\n * Defaults to using {@link forbiddenDeterministicFields}.\n */\n constructor(\n config: ValidatorConfig = {}\n ) {\n this.config = {\n forbiddenDeterministicFields,\n ...config\n };\n }\n\n private extractDeterministicPayload(\n envelope: SignedEnvelope<unknown>\n ): unknown {\n return envelope.payload;\n }\n\n /** Returns `true` when `envelope` has `payload` (any value) and `signature` (string). */\n validateStructure(\n envelope: SignedEnvelope<unknown>\n ): boolean {\n\n return (\n typeof envelope === \"object\" &&\n envelope !== null &&\n \"payload\" in envelope &&\n \"signature\" in envelope &&\n typeof envelope.signature === \"string\"\n );\n }\n\n /** Returns `true` when `payload` can be serialized through the canonical JSON pipeline without error. */\n validateCanonical(\n payload: unknown\n ): boolean {\n\n try {\n\n canonicalize(payload);\n\n return true;\n\n } catch {\n\n return false;\n }\n }\n\n /**\n * Returns `true` when the payload does not contain execution metadata fields\n * that must remain isolated from the deterministic signing scope.\n */\n validateMetadataIsolation(\n envelope: SignedEnvelope<unknown>\n ): boolean {\n\n try {\n\n const payload =\n this.extractDeterministicPayload(\n envelope\n );\n\n const metadataFields = [\n \"executionId\",\n \"policyId\",\n \"policyVersion\",\n \"execution_fingerprint\",\n \"execution_state\",\n \"runtime_manifest\",\n ];\n\n const payloadKeys =\n Object.keys(\n (payload as Record<string, unknown>) || {}\n );\n\n return !metadataFields.some(\n (f) => payloadKeys.includes(f)\n );\n\n } catch {\n\n return false;\n }\n }\n\n /**\n * Runs all five validation stages against `envelope` and returns a\n * {@link ValidationResult} with per-stage flags and accumulated error messages.\n */\n validate(\n envelope: SignedEnvelope<unknown>\n ): ValidationResult {\n\n // Stage 1 — structure: all required fields present and typed correctly\n const structure =\n this.validateStructure(\n envelope\n );\n\n // Stage 2 — canonical: payload serializes deterministically via canonicalize()\n const canonical =\n structure &&\n this.validateCanonical(\n envelope.payload\n );\n\n // Stage 3 — deterministic: no forbidden operational metadata in the payload\n const deterministic =\n structure &&\n assertNoOperationalMetadata(\n envelope.payload,\n this.config\n .forbiddenDeterministicFields ??\n []\n );\n\n // Stage 4 — metadataIsolation: no execution metadata fields leak into signed payload\n const metadataIsolation =\n structure &&\n this.validateMetadataIsolation(\n envelope\n );\n\n // Stage 5 — cryptographic: Ed25519 signature verifies against canonical payload\n const cryptographic =\n structure &&\n !!this.config.verifier &&\n this.config.verifier.verify(\n canonicalize(envelope.payload),\n envelope.signature\n );\n\n const errors: string[] =\n [];\n\n if (!structure) {\n errors.push(\n \"Invalid structure.\"\n );\n }\n\n if (!canonical) {\n errors.push(\n \"Canonicalization validation failed.\"\n );\n }\n\n if (!deterministic) {\n errors.push(\n \"Operational metadata contamination detected.\"\n );\n }\n\n if (!metadataIsolation) {\n errors.push(\n \"Metadata isolation validation failed.\"\n );\n }\n\n return {\n valid:\n structure &&\n canonical &&\n deterministic &&\n metadataIsolation &&\n cryptographic,\n\n verified:\n cryptographic,\n\n stages: {\n structure,\n canonical,\n deterministic,\n metadataIsolation,\n cryptographic\n },\n\n errors\n };\n }\n}\n"],"mappings":";AAGA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAEP;AAAA,EACE;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAKP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAYP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AAkCP;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;;;AC7FP,OAAO,YAAY;AACnB,SAAS,oBAAoB;AAmB7B,eAAsB,gBACpB,OACA,QACwB;AAExB,QAAM,cACJ,OAAO,WAAW;AAEpB,QAAM,cACJ,oBAAI,KAAK;AAEX,QAAM,iBAAiB,aAAa;AAAA,IAClC;AAAA,IACA,aAAe,MAAM;AAAA,IACrB,aAAe,MAAM;AAAA,IACrB,eAAe,MAAM;AAAA,IACrB,QAAe,MAAM;AAAA,EACvB,CAAC;AAGD,MAAI;AACJ,MAAI;AAEJ,MAAI,QAAQ;AACV,yBAAqB,OAAO,KAAK,cAAc;AAC/C,qBAAiB;AAAA,EACnB,OAAO;AACL,yBAAqB,OAClB,WAAW,QAAQ,EACnB,OAAO,cAAc,EACrB,OAAO,KAAK;AACf,qBAAiB;AAAA,EACnB;AAEA,QAAM,WAA0B;AAAA,IAE9B,IAAI;AAAA,IAEJ;AAAA,IAEA,aACE,MAAM;AAAA,IAER,aACE,MAAM;AAAA,IAER,eACE,MAAM;AAAA,IAER,QACE,MAAM;AAAA,IAER;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA,aACE;AAAA,EACJ;AAEA,SAAO;AACT;;;ACnFA,SAAS,gBAAAA,qBAAoB;;;ACCtB,SAAS,qBACd,OACS;AACT,SACE,OAAO,UAAU,YACjB,MAAM,KAAK,EAAE,SAAS;AAE1B;AAGO,SAAS,YACd,OACS;AACT,SAAO,MAAM,QAAQ,KAAK;AAC5B;AAEA,SAAS,WACP,OACA,iBAES;AAET,MACE,OAAO,UAAU,YACjB,UAAU,MACV;AACA,WAAO;AAAA,EACT;AAEA,MAAI,MAAM,QAAQ,KAAK,GAAG;AACxB,WAAO,MAAM;AAAA,MACX,CAAC,SACC;AAAA,QACE;AAAA,QACA;AAAA,MACF;AAAA,IACJ;AAAA,EACF;AAEA,aACQ,CAAC,KAAK,MAAM,KACf,OAAO,QAAQ,KAAK,GACvB;AAEA,QACE,gBAAgB;AAAA,MACd;AAAA,IACF,GACA;AACA,aAAO;AAAA,IACT;AAEA,QACE,CAAC;AAAA,MACC;AAAA,MACA;AAAA,IACF,GACA;AACA,aAAO;AAAA,IACT;AAAA,EACF;AAEA,SAAO;AACT;AAYO,SAAS,4BACd,SACA,iBAES;AAET,SAAO;AAAA,IACL;AAAA,IACA;AAAA,EACF;AACF;;;AC7EO,IAAM,+BAA+B;AAAA,EAC1C;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AACF;;;ACuBO,IAAM,iBAAN,MAAqB;AAAA,EAET;AAAA;AAAA;AAAA;AAAA;AAAA,EAOjB,YACE,SAA0B,CAAC,GAC3B;AACA,SAAK,SAAS;AAAA,MACZ;AAAA,MACA,GAAG;AAAA,IACL;AAAA,EACF;AAAA,EAEQ,4BACN,UACS;AACT,WAAO,SAAS;AAAA,EAClB;AAAA;AAAA,EAGA,kBACE,UACS;AAET,WACE,OAAO,aAAa,YACpB,aAAa,QACb,aAAa,YACb,eAAe,YACf,OAAO,SAAS,cAAc;AAAA,EAElC;AAAA;AAAA,EAGA,kBACE,SACS;AAET,QAAI;AAEF,MAAAC,cAAa,OAAO;AAEpB,aAAO;AAAA,IAET,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,0BACE,UACS;AAET,QAAI;AAEF,YAAM,UACJ,KAAK;AAAA,QACH;AAAA,MACF;AAEF,YAAM,iBAAiB;AAAA,QACrB;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEA,YAAM,cACJ,OAAO;AAAA,QACJ,WAAuC,CAAC;AAAA,MAC3C;AAEF,aAAO,CAAC,eAAe;AAAA,QACrB,CAAC,MAAM,YAAY,SAAS,CAAC;AAAA,MAC/B;AAAA,IAEF,QAAQ;AAEN,aAAO;AAAA,IACT;AAAA,EACF;AAAA;AAAA;AAAA;AAAA;AAAA,EAMA,SACE,UACkB;AAGlB,UAAM,YACJ,KAAK;AAAA,MACH;AAAA,IACF;AAGF,UAAM,YACJ,aACA,KAAK;AAAA,MACH,SAAS;AAAA,IACX;AAGF,UAAM,gBACJ,aACA;AAAA,MACE,SAAS;AAAA,MACT,KAAK,OACF,gCACD,CAAC;AAAA,IACL;AAGF,UAAM,oBACJ,aACA,KAAK;AAAA,MACH;AAAA,IACF;AAGF,UAAM,gBACJ,aACA,CAAC,CAAC,KAAK,OAAO,YACd,KAAK,OAAO,SAAS;AAAA,MACnBA,cAAa,SAAS,OAAO;AAAA,MAC7B,SAAS;AAAA,IACX;AAEF,UAAM,SACJ,CAAC;AAEH,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,WAAW;AACd,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,eAAe;AAClB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,QAAI,CAAC,mBAAmB;AACtB,aAAO;AAAA,QACL;AAAA,MACF;AAAA,IACF;AAEA,WAAO;AAAA,MACL,OACE,aACA,aACA,iBACA,qBACA;AAAA,MAEF,UACE;AAAA,MAEF,QAAQ;AAAA,QACN;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAAA,MAEA;AAAA,IACF;AAAA,EACF;AACF;","names":["canonicalize","canonicalize"]}
|
package/package.json
CHANGED
|
@@ -1,6 +1,6 @@
|
|
|
1
1
|
{
|
|
2
2
|
"name": "@parmanasystems/core",
|
|
3
|
-
"version": "1.
|
|
3
|
+
"version": "1.89.0",
|
|
4
4
|
"private": false,
|
|
5
5
|
"type": "module",
|
|
6
6
|
"scripts": {
|
|
@@ -18,13 +18,13 @@
|
|
|
18
18
|
],
|
|
19
19
|
"sideEffects": false,
|
|
20
20
|
"dependencies": {
|
|
21
|
-
"@parmanasystems/audit-db": "^1.
|
|
22
|
-
"@parmanasystems/bundle": "^1.
|
|
23
|
-
"@parmanasystems/crypto": "^1.
|
|
24
|
-
"@parmanasystems/execution": "^1.
|
|
25
|
-
"@parmanasystems/execution-runtime": "^1.
|
|
26
|
-
"@parmanasystems/governance": "^1.
|
|
27
|
-
"@parmanasystems/verifier": "^1.
|
|
21
|
+
"@parmanasystems/audit-db": "^1.89.0",
|
|
22
|
+
"@parmanasystems/bundle": "^1.89.0",
|
|
23
|
+
"@parmanasystems/crypto": "^1.89.0",
|
|
24
|
+
"@parmanasystems/execution": "^1.89.0",
|
|
25
|
+
"@parmanasystems/execution-runtime": "^1.89.0",
|
|
26
|
+
"@parmanasystems/governance": "^1.89.0",
|
|
27
|
+
"@parmanasystems/verifier": "^1.89.0"
|
|
28
28
|
},
|
|
29
29
|
"description": "Public orchestration and SDK surface for parmanasystems deterministic governance infrastructure.",
|
|
30
30
|
"license": "Apache-2.0",
|