@parmanasystems/execution-runtime 1.71.12 → 1.71.18

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3) hide show
  1. package/dist/index.js +13 -1
  2. package/dist/index.js.map +1 -1
  3. package/package.json +2 -2
package/dist/index.js CHANGED
@@ -6,7 +6,8 @@ import {
6
6
  evaluatePolicy,
7
7
  loadPolicy,
8
8
  canonicalizeForSigning,
9
- validateSignalsStrict
9
+ validateSignalsStrict,
10
+ violate
10
11
  } from "@parmanasystems/execution";
11
12
  import crypto from "crypto";
12
13
  async function executeFromSignals(input, signer, verifier, replayStore) {
@@ -34,6 +35,17 @@ async function executeFromSignals(input, signer, verifier, replayStore) {
34
35
  signals: input.signals
35
36
  })
36
37
  ).digest("hex");
38
+ const hasRun = await replayStore.hasExecuted(
39
+ execution_fingerprint
40
+ );
41
+ if (hasRun) {
42
+ violate(
43
+ "INV-013",
44
+ "replay",
45
+ `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`,
46
+ execution_fingerprint
47
+ );
48
+ }
37
49
  await replayStore.markExecuted(
38
50
  execution_fingerprint
39
51
  );
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/execute-from-signals.ts","../src/execute-with-redis.ts","../src/execute-batch.ts","../src/redis-replay-store.ts","../src/memory-replay-store.ts","../src/resolve-override.ts","../src/review-store.ts","../src/dry-run.ts"],"sourcesContent":["import {\r\n executeDecision,\r\n issueToken,\r\n getRuntimeManifest,\r\n evaluatePolicy,\r\n loadPolicy,\r\n canonicalizeForSigning,\r\n validateSignalsStrict\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport type {\r\n ExecutionAttestation,\r\n Signer,\r\n Verifier,\r\n ReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport crypto from \"crypto\";\r\n\r\nexport async function executeFromSignals(\r\n input: {\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, unknown>;\r\n },\r\n\r\n signer: Signer,\r\n verifier: Verifier,\r\n replayStore: ReplayStore\r\n): Promise<ExecutionAttestation> {\r\n\r\n // -----------------------------\r\n // Load policy\r\n // -----------------------------\r\n const policy =\r\n loadPolicy(\r\n input.policyId,\r\n input.policyVersion\r\n );\r\n\r\n // -----------------------------\r\n // Validate signals against schema\r\n // -----------------------------\r\n validateSignalsStrict(\r\n input.signals,\r\n policy\r\n );\r\n\r\n // -----------------------------\r\n // Evaluate policy\r\n // -----------------------------\r\n const decision =\r\n evaluatePolicy(\r\n policy,\r\n input.signals\r\n );\r\n\r\n if (\r\n decision.status !== \"decided\"\r\n ) {\r\n\r\n throw new Error(\r\n \"[SYS-006] Policy evaluation returned undecided\"\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // Deterministic execution identity\r\n // -----------------------------\r\n const execution_fingerprint =\r\n crypto\r\n .createHash(\"sha256\")\r\n .update(\r\n JSON.stringify({\r\n policyId:\r\n input.policyId,\r\n\r\n policyVersion:\r\n input.policyVersion,\r\n\r\n signals:\r\n input.signals\r\n })\r\n )\r\n .digest(\"hex\");\r\n\r\n // -----------------------------\r\n // Replay protection\r\n // -----------------------------\r\n await replayStore.markExecuted(\r\n execution_fingerprint\r\n );\r\n\r\n // -----------------------------\r\n // Runtime manifest\r\n // -----------------------------\r\n const runtimeManifest =\r\n getRuntimeManifest();\r\n\r\n // -----------------------------\r\n // Deterministic governance token\r\n // -----------------------------\r\n const token =\r\n issueToken({\r\n\r\n executionId:\r\n execution_fingerprint,\r\n\r\n policyId:\r\n input.policyId,\r\n\r\n policyVersion:\r\n input.policyVersion,\r\n\r\n schemaVersion:\r\n policy.schemaVersion,\r\n\r\n runtimeVersion:\r\n runtimeManifest.runtimeVersion,\r\n\r\n decision_payload:\r\n decision.outcome,\r\n\r\n signalsHash:\r\n execution_fingerprint\r\n });\r\n\r\n// -----------------------------\r\n// Explicit cryptographic signing\r\n// -----------------------------\r\nconst token_signature =\r\n signer.sign(\r\n canonicalizeForSigning(\r\n token\r\n )\r\n );\r\n\r\n // -----------------------------\r\n // Deterministic execution\r\n // -----------------------------\r\n return executeDecision({\r\n\r\n token,\r\n\r\n execution_fingerprint,\r\n\r\n token_signature,\r\n\r\n signer,\r\n\r\n verifier,\r\n\r\n runtime_manifest:\r\n runtimeManifest,\r\n\r\n runtime_requirements: {\r\n\r\n supported_runtimeVersions: [\r\n runtimeManifest.runtimeVersion\r\n ],\r\n\r\n supported_schemaVersions:\r\n runtimeManifest\r\n .supported_schemaVersions\r\n }\r\n });\r\n}","import {\r\n executeDecision\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport type {\r\n ExecutionContext,\r\n ExecutionAttestation,\r\n AsyncReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\n/**\r\n * 🟢 ASYNC ADAPTER\r\n * Handles distributed replay protection\r\n * while preserving deterministic execution core.\r\n */\r\nexport async function executeWithRedis(\r\n context: ExecutionContext,\r\n redisStore: AsyncReplayStore\r\n): Promise<ExecutionAttestation> {\r\n\r\n // -----------------------------\r\n // Distributed replay protection\r\n // -----------------------------\r\n await redisStore.markExecuted(\r\n context.execution_fingerprint\r\n );\r\n\r\n // -----------------------------\r\n // Deterministic execution\r\n // -----------------------------\r\n return executeDecision(\r\n context\r\n );\r\n}","import type {\r\n Signer,\r\n Verifier,\r\n AsyncReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport {\r\n executeFromSignals,\r\n} from \"./execute-from-signals.js\";\r\n\r\n/**\r\n * Executes multiple records sequentially.\r\n *\r\n * Each record is processed independently.\r\n * Errors are captured per-record (fail-isolated).\r\n */\r\nexport async function executeBatch(\r\n records: Array<{\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, unknown>;\r\n governed_time: string;\r\n }>,\r\n\r\n signer: Signer,\r\n\r\n verifier: Verifier,\r\n\r\n replayStore: AsyncReplayStore\r\n) {\r\n\r\n const outputs = [];\r\n\r\n for (const record of records) {\r\n\r\n try {\r\n\r\n const output =\r\n await executeFromSignals(\r\n record,\r\n signer,\r\n verifier,\r\n replayStore\r\n );\r\n\r\n outputs.push({\r\n input: record,\r\n output\r\n });\r\n\r\n } catch (err: unknown) {\r\n\r\n outputs.push({\r\n input: record,\r\n\r\n output: {\r\n status: \"error\",\r\n\r\n error:\r\n err instanceof Error\r\n ? err.message\r\n : \"Unknown error\"\r\n }\r\n });\r\n\r\n }\r\n }\r\n\r\n return outputs;\r\n}","import Redis from \"ioredis\";\r\n\r\nimport type {\r\n Redis as RedisClient\r\n} from \"ioredis\";\r\n\r\nimport type {\r\n AsyncReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\n/**\r\n * 🔒 Distributed replay protection\r\n *\r\n * Replay protection operates on deterministic\r\n * semantic execution fingerprints rather than\r\n * operational execution IDs.\r\n */\r\nexport class RedisReplayStore\r\n implements AsyncReplayStore {\r\n\r\n private client: RedisClient;\r\n\r\n constructor(\r\n url: string\r\n ) {\r\n\r\n this.client =\r\n new (Redis as any)(url);\r\n }\r\n\r\n async hasExecuted(\r\n execution_fingerprint: string\r\n ): Promise<boolean> {\r\n\r\n const res =\r\n await this.client.exists(\r\n `exec:${execution_fingerprint}`\r\n );\r\n\r\n return res === 1;\r\n }\r\n\r\n async markExecuted(\r\n execution_fingerprint: string\r\n ): Promise<void> {\r\n\r\n const result =\r\n await this.client.set(\r\n `exec:${execution_fingerprint}`,\r\n \"1\",\r\n \"NX\"\r\n );\r\n\r\n if (result !== \"OK\") {\r\n\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`\r\n );\r\n }\r\n }\r\n\r\n async get(\r\n key: string\r\n ): Promise<string | null> {\r\n\r\n return this.client.get(key);\r\n }\r\n\r\n async set(\r\n key: string,\r\n value: string\r\n ): Promise<void> {\r\n\r\n await this.client.set(\r\n key,\r\n value\r\n );\r\n }\r\n\r\n async del(\r\n key: string\r\n ): Promise<void> {\r\n\r\n await this.client.del(key);\r\n }\r\n\r\n async close(): Promise<void> {\r\n\r\n await this.client.quit();\r\n }\r\n}","import type {\r\n ReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\n/**\r\n * 🔒 In-memory replay protection\r\n *\r\n * Replay protection operates on deterministic\r\n * semantic execution fingerprints rather than\r\n * operational execution IDs.\r\n */\r\nexport class MemoryReplayStore\r\n implements ReplayStore {\r\n\r\n private store =\r\n new Set<string>();\r\n\r\n async markExecuted(\r\n execution_fingerprint: string\r\n ): Promise<void> {\r\n\r\n if (\r\n this.store.has(\r\n execution_fingerprint\r\n )\r\n ) {\r\n\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`\r\n );\r\n }\r\n\r\n this.store.add(\r\n execution_fingerprint\r\n );\r\n }\r\n\r\n async hasExecuted(\r\n execution_fingerprint: string\r\n ): Promise<boolean> {\r\n\r\n return this.store.has(\r\n execution_fingerprint\r\n );\r\n }\r\n}","import {\r\n executeWithRedis\r\n} from \"./execute-with-redis.js\";\r\n\r\nimport type {\r\n AsyncReplayStore,\r\n Signer,\r\n Verifier\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport async function resolveOverride(\r\n executionId: string,\r\n\r\n replayStore: AsyncReplayStore & {\r\n get: (\r\n key: string\r\n ) => Promise<string | null>;\r\n\r\n del: (\r\n key: string\r\n ) => Promise<void>;\r\n },\r\n\r\n signer: Signer,\r\n\r\n verifier: Verifier\r\n) {\r\n\r\n // -----------------------------\r\n // 1. Load pending execution\r\n // -----------------------------\r\n const raw =\r\n await replayStore.get(\r\n `pending:${executionId}`\r\n );\r\n\r\n if (!raw) {\r\n\r\n throw new Error(\r\n `[SYS-021] No pending execution found for ${executionId}`\r\n );\r\n }\r\n\r\n const stored =\r\n JSON.parse(raw);\r\n\r\n // -----------------------------\r\n // 2. Execute approved override\r\n // -----------------------------\r\n const execution =\r\n await executeWithRedis(\r\n {\r\n token:\r\n stored.token,\r\n\r\n execution_fingerprint:\r\n stored.token.executionId,\r\n\r\n token_signature:\r\n stored.token_signature,\r\n\r\n signer,\r\n\r\n verifier,\r\n\r\n runtime_manifest:\r\n stored.runtime_manifest,\r\n\r\n runtime_requirements:\r\n stored.runtime_requirements\r\n },\r\n\r\n replayStore\r\n );\r\n\r\n // -----------------------------\r\n // 3. Remove pending state\r\n // -----------------------------\r\n await replayStore.del(\r\n `pending:${executionId}`\r\n );\r\n\r\n // -----------------------------\r\n // 4. Return deterministic result\r\n // -----------------------------\r\n return {\r\n\r\n status:\r\n \"success\" as const,\r\n\r\n executionId,\r\n\r\n signature:\r\n execution.signature,\r\n\r\n resolved:\r\n true\r\n };\r\n}","import * as fs from \"node:fs\";\r\n\r\nconst FILE = \"./review-queue.json\";\r\n\r\nexport function addReviewTask(task: any) {\r\n let data: any[] = [];\r\n\r\n if (fs.existsSync(FILE)) {\r\n data = JSON.parse(fs.readFileSync(FILE, \"utf-8\"));\r\n }\r\n\r\n data.push(task);\r\n\r\n fs.writeFileSync(FILE, JSON.stringify(data, null, 2));\r\n}\r\n\r\nexport function getAllTasks() {\r\n if (!fs.existsSync(FILE)) return [];\r\n return JSON.parse(fs.readFileSync(FILE, \"utf-8\"));\r\n}\r\n","import {\r\n evaluatePolicy,\r\n loadPolicy,\r\n validateSignalsStrict\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport type {\r\n DecisionResult\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport interface DryRunResult {\r\n\r\n policyId: string;\r\n\r\n policyVersion: string;\r\n\r\n schemaVersion: string;\r\n\r\n decision: DecisionResult;\r\n\r\n rule_trace: string[];\r\n\r\n governed: false;\r\n\r\n dry_run: true;\r\n\r\n evaluated_at: string;\r\n}\r\n\r\nexport function evaluateDryRun(\r\n policyId: string,\r\n policyVersion: string,\r\n signals: Record<string, unknown>,\r\n governed_time = new Date().toISOString()\r\n): DryRunResult {\r\n\r\n // -----------------------------\r\n // 1. Load policy\r\n // -----------------------------\r\n const policy =\r\n loadPolicy(\r\n policyId,\r\n policyVersion\r\n );\r\n\r\n // -----------------------------\r\n // 2. Validate signals\r\n // -----------------------------\r\n validateSignalsStrict(\r\n signals,\r\n policy\r\n );\r\n\r\n // -----------------------------\r\n // 3. Evaluate policy\r\n // -----------------------------\r\n const decision: DecisionResult =\r\n evaluatePolicy(\r\n policy,\r\n signals\r\n );\r\n\r\n // -----------------------------\r\n // 4. Return dry-run result\r\n // -----------------------------\r\n return {\r\n\r\n policyId,\r\n\r\n policyVersion,\r\n\r\n schemaVersion:\r\n policy.schemaVersion,\r\n\r\n decision,\r\n\r\n rule_trace: [],\r\n\r\n governed: false,\r\n\r\n dry_run: true,\r\n\r\n evaluated_at:\r\n governed_time\r\n };\r\n}"],"mappings":";AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AASP,OAAO,YAAY;AAEnB,eAAsB,mBACpB,OAMA,QACA,UACA,aAC+B;AAK/B,QAAM,SACJ;AAAA,IACE,MAAM;AAAA,IACN,MAAM;AAAA,EACR;AAKF;AAAA,IACE,MAAM;AAAA,IACN;AAAA,EACF;AAKA,QAAM,WACJ;AAAA,IACE;AAAA,IACA,MAAM;AAAA,EACR;AAEF,MACE,SAAS,WAAW,WACpB;AAEA,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAKA,QAAM,wBACJ,OACG,WAAW,QAAQ,EACnB;AAAA,IACC,KAAK,UAAU;AAAA,MACb,UACE,MAAM;AAAA,MAER,eACE,MAAM;AAAA,MAER,SACE,MAAM;AAAA,IACV,CAAC;AAAA,EACH,EACC,OAAO,KAAK;AAKjB,QAAM,YAAY;AAAA,IAChB;AAAA,EACF;AAKA,QAAM,kBACJ,mBAAmB;AAKrB,QAAM,QACJ,WAAW;AAAA,IAET,aACE;AAAA,IAEF,UACE,MAAM;AAAA,IAER,eACE,MAAM;AAAA,IAER,eACE,OAAO;AAAA,IAET,gBACE,gBAAgB;AAAA,IAElB,kBACE,SAAS;AAAA,IAEX,aACE;AAAA,EACJ,CAAC;AAKL,QAAM,kBACJ,OAAO;AAAA,IACL;AAAA,MACE;AAAA,IACF;AAAA,EACF;AAKA,SAAO,gBAAgB;AAAA,IAErB;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA,kBACE;AAAA,IAEF,sBAAsB;AAAA,MAEpB,2BAA2B;AAAA,QACzB,gBAAgB;AAAA,MAClB;AAAA,MAEA,0BACE,gBACG;AAAA,IACP;AAAA,EACF,CAAC;AACH;;;ACtKA;AAAA,EACE,mBAAAA;AAAA,OACK;AAaP,eAAsB,iBACpB,SACA,YAC+B;AAK/B,QAAM,WAAW;AAAA,IACf,QAAQ;AAAA,EACV;AAKA,SAAOA;AAAA,IACL;AAAA,EACF;AACF;;;ACjBA,eAAsB,aACpB,SAOA,QAEA,UAEA,aACA;AAEA,QAAM,UAAU,CAAC;AAEjB,aAAW,UAAU,SAAS;AAE5B,QAAI;AAEF,YAAM,SACJ,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEF,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QACP;AAAA,MACF,CAAC;AAAA,IAEH,SAAS,KAAc;AAErB,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QAEP,QAAQ;AAAA,UACN,QAAQ;AAAA,UAER,OACE,eAAe,QACX,IAAI,UACJ;AAAA,QACR;AAAA,MACF,CAAC;AAAA,IAEH;AAAA,EACF;AAEA,SAAO;AACT;;;ACrEA,OAAO,WAAW;AAiBX,IAAM,mBAAN,MACuB;AAAA,EAI5B,YACE,KACA;AAEA,SAAK,SACH,IAAK,MAAc,GAAG;AAAA,EAC1B;AAAA,EAEA,MAAM,YACJ,uBACkB;AAElB,UAAM,MACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,qBAAqB;AAAA,IAC/B;AAEF,WAAO,QAAQ;AAAA,EACjB;AAAA,EAEA,MAAM,aACJ,uBACe;AAEf,UAAM,SACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,qBAAqB;AAAA,MAC7B;AAAA,MACA;AAAA,IACF;AAEF,QAAI,WAAW,MAAM;AAEnB,YAAM,IAAI;AAAA,QACR,2DAA2D,qBAAqB;AAAA,MAClF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACwB;AAExB,WAAO,KAAK,OAAO,IAAI,GAAG;AAAA,EAC5B;AAAA,EAEA,MAAM,IACJ,KACA,OACe;AAEf,UAAM,KAAK,OAAO;AAAA,MAChB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACe;AAEf,UAAM,KAAK,OAAO,IAAI,GAAG;AAAA,EAC3B;AAAA,EAEA,MAAM,QAAuB;AAE3B,UAAM,KAAK,OAAO,KAAK;AAAA,EACzB;AACF;;;AC/EO,IAAM,oBAAN,MACkB;AAAA,EADlB;AAGL,SAAQ,QACN,oBAAI,IAAY;AAAA;AAAA,EAElB,MAAM,aACJ,uBACe;AAEf,QACE,KAAK,MAAM;AAAA,MACT;AAAA,IACF,GACA;AAEA,YAAM,IAAI;AAAA,QACR,2DAA2D,qBAAqB;AAAA,MAClF;AAAA,IACF;AAEA,SAAK,MAAM;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,YACJ,uBACkB;AAElB,WAAO,KAAK,MAAM;AAAA,MAChB;AAAA,IACF;AAAA,EACF;AACF;;;ACnCA,eAAsB,gBACpB,aAEA,aAUA,QAEA,UACA;AAKA,QAAM,MACJ,MAAM,YAAY;AAAA,IAChB,WAAW,WAAW;AAAA,EACxB;AAEF,MAAI,CAAC,KAAK;AAER,UAAM,IAAI;AAAA,MACR,4CAA4C,WAAW;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,SACJ,KAAK,MAAM,GAAG;AAKhB,QAAM,YACJ,MAAM;AAAA,IACJ;AAAA,MACE,OACE,OAAO;AAAA,MAET,uBACE,OAAO,MAAM;AAAA,MAEf,iBACE,OAAO;AAAA,MAET;AAAA,MAEA;AAAA,MAEA,kBACE,OAAO;AAAA,MAET,sBACE,OAAO;AAAA,IACX;AAAA,IAEA;AAAA,EACF;AAKF,QAAM,YAAY;AAAA,IAChB,WAAW,WAAW;AAAA,EACxB;AAKA,SAAO;AAAA,IAEL,QACE;AAAA,IAEF;AAAA,IAEA,WACE,UAAU;AAAA,IAEZ,UACE;AAAA,EACJ;AACF;;;AClGA,YAAY,QAAQ;AAEpB,IAAM,OAAO;AAEN,SAAS,cAAc,MAAW;AACvC,MAAI,OAAc,CAAC;AAEnB,MAAO,cAAW,IAAI,GAAG;AACvB,WAAO,KAAK,MAAS,gBAAa,MAAM,OAAO,CAAC;AAAA,EAClD;AAEA,OAAK,KAAK,IAAI;AAEd,EAAG,iBAAc,MAAM,KAAK,UAAU,MAAM,MAAM,CAAC,CAAC;AACtD;AAEO,SAAS,cAAc;AAC5B,MAAI,CAAI,cAAW,IAAI,EAAG,QAAO,CAAC;AAClC,SAAO,KAAK,MAAS,gBAAa,MAAM,OAAO,CAAC;AAClD;;;ACnBA;AAAA,EACE,kBAAAC;AAAA,EACA,cAAAC;AAAA,EACA,yBAAAC;AAAA,OACK;AAyBA,SAAS,eACd,UACA,eACA,SACA,iBAAgB,oBAAI,KAAK,GAAE,YAAY,GACzB;AAKd,QAAM,SACJD;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAKF,EAAAC;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAKA,QAAM,WACJF;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAKF,SAAO;AAAA,IAEL;AAAA,IAEA;AAAA,IAEA,eACE,OAAO;AAAA,IAET;AAAA,IAEA,YAAY,CAAC;AAAA,IAEb,UAAU;AAAA,IAEV,SAAS;AAAA,IAET,cACE;AAAA,EACJ;AACF;","names":["executeDecision","evaluatePolicy","loadPolicy","validateSignalsStrict"]}
1
+ {"version":3,"sources":["../src/execute-from-signals.ts","../src/execute-with-redis.ts","../src/execute-batch.ts","../src/redis-replay-store.ts","../src/memory-replay-store.ts","../src/resolve-override.ts","../src/review-store.ts","../src/dry-run.ts"],"sourcesContent":["import {\r\n executeDecision,\r\n issueToken,\r\n getRuntimeManifest,\r\n evaluatePolicy,\r\n loadPolicy,\r\n canonicalizeForSigning,\r\n validateSignalsStrict,\r\n violate\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport type {\r\n ExecutionAttestation,\r\n Signer,\r\n Verifier,\r\n ReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport crypto from \"crypto\";\r\n\r\nexport async function executeFromSignals(\r\n input: {\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, unknown>;\r\n },\r\n\r\n signer: Signer,\r\n verifier: Verifier,\r\n replayStore: ReplayStore\r\n): Promise<ExecutionAttestation> {\r\n\r\n // -----------------------------\r\n // Load policy\r\n // -----------------------------\r\n const policy =\r\n loadPolicy(\r\n input.policyId,\r\n input.policyVersion\r\n );\r\n\r\n // -----------------------------\r\n // Validate signals against schema\r\n // -----------------------------\r\n validateSignalsStrict(\r\n input.signals,\r\n policy\r\n );\r\n\r\n // -----------------------------\r\n // Evaluate policy\r\n // -----------------------------\r\n const decision =\r\n evaluatePolicy(\r\n policy,\r\n input.signals\r\n );\r\n\r\n if (\r\n decision.status !== \"decided\"\r\n ) {\r\n\r\n throw new Error(\r\n \"[SYS-006] Policy evaluation returned undecided\"\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // Deterministic execution identity\r\n // -----------------------------\r\n const execution_fingerprint =\r\n crypto\r\n .createHash(\"sha256\")\r\n .update(\r\n JSON.stringify({\r\n policyId:\r\n input.policyId,\r\n\r\n policyVersion:\r\n input.policyVersion,\r\n\r\n signals:\r\n input.signals\r\n })\r\n )\r\n .digest(\"hex\");\r\n\r\n // -----------------------------\r\n // Replay protection\r\n // -----------------------------\r\n // hasExecuted is NOT wrapped in try/catch — if the store is unavailable\r\n // we cannot confirm uniqueness, so we must block execution (fail-closed).\r\n const hasRun = await replayStore.hasExecuted(\r\n execution_fingerprint\r\n );\r\n if (hasRun) {\r\n violate(\r\n \"INV-013\",\r\n \"replay\",\r\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`,\r\n execution_fingerprint\r\n );\r\n }\r\n\r\n await replayStore.markExecuted(\r\n execution_fingerprint\r\n );\r\n\r\n // -----------------------------\r\n // Runtime manifest\r\n // -----------------------------\r\n const runtimeManifest =\r\n getRuntimeManifest();\r\n\r\n // -----------------------------\r\n // Deterministic governance token\r\n // -----------------------------\r\n const token =\r\n issueToken({\r\n\r\n executionId:\r\n execution_fingerprint,\r\n\r\n policyId:\r\n input.policyId,\r\n\r\n policyVersion:\r\n input.policyVersion,\r\n\r\n schemaVersion:\r\n policy.schemaVersion,\r\n\r\n runtimeVersion:\r\n runtimeManifest.runtimeVersion,\r\n\r\n decision_payload:\r\n decision.outcome,\r\n\r\n signalsHash:\r\n execution_fingerprint\r\n });\r\n\r\n// -----------------------------\r\n// Explicit cryptographic signing\r\n// -----------------------------\r\nconst token_signature =\r\n signer.sign(\r\n canonicalizeForSigning(\r\n token\r\n )\r\n );\r\n\r\n // -----------------------------\r\n // Deterministic execution\r\n // -----------------------------\r\n return executeDecision({\r\n\r\n token,\r\n\r\n execution_fingerprint,\r\n\r\n token_signature,\r\n\r\n signer,\r\n\r\n verifier,\r\n\r\n runtime_manifest:\r\n runtimeManifest,\r\n\r\n runtime_requirements: {\r\n\r\n supported_runtimeVersions: [\r\n runtimeManifest.runtimeVersion\r\n ],\r\n\r\n supported_schemaVersions:\r\n runtimeManifest\r\n .supported_schemaVersions\r\n }\r\n });\r\n}","import {\r\n executeDecision\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport type {\r\n ExecutionContext,\r\n ExecutionAttestation,\r\n AsyncReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\n/**\r\n * 🟢 ASYNC ADAPTER\r\n * Handles distributed replay protection\r\n * while preserving deterministic execution core.\r\n */\r\nexport async function executeWithRedis(\r\n context: ExecutionContext,\r\n redisStore: AsyncReplayStore\r\n): Promise<ExecutionAttestation> {\r\n\r\n // -----------------------------\r\n // Distributed replay protection\r\n // -----------------------------\r\n await redisStore.markExecuted(\r\n context.execution_fingerprint\r\n );\r\n\r\n // -----------------------------\r\n // Deterministic execution\r\n // -----------------------------\r\n return executeDecision(\r\n context\r\n );\r\n}","import type {\r\n Signer,\r\n Verifier,\r\n AsyncReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport {\r\n executeFromSignals,\r\n} from \"./execute-from-signals.js\";\r\n\r\n/**\r\n * Executes multiple records sequentially.\r\n *\r\n * Each record is processed independently.\r\n * Errors are captured per-record (fail-isolated).\r\n */\r\nexport async function executeBatch(\r\n records: Array<{\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, unknown>;\r\n governed_time: string;\r\n }>,\r\n\r\n signer: Signer,\r\n\r\n verifier: Verifier,\r\n\r\n replayStore: AsyncReplayStore\r\n) {\r\n\r\n const outputs = [];\r\n\r\n for (const record of records) {\r\n\r\n try {\r\n\r\n const output =\r\n await executeFromSignals(\r\n record,\r\n signer,\r\n verifier,\r\n replayStore\r\n );\r\n\r\n outputs.push({\r\n input: record,\r\n output\r\n });\r\n\r\n } catch (err: unknown) {\r\n\r\n outputs.push({\r\n input: record,\r\n\r\n output: {\r\n status: \"error\",\r\n\r\n error:\r\n err instanceof Error\r\n ? err.message\r\n : \"Unknown error\"\r\n }\r\n });\r\n\r\n }\r\n }\r\n\r\n return outputs;\r\n}","import Redis from \"ioredis\";\r\n\r\nimport type {\r\n Redis as RedisClient\r\n} from \"ioredis\";\r\n\r\nimport type {\r\n AsyncReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\n/**\r\n * 🔒 Distributed replay protection\r\n *\r\n * Replay protection operates on deterministic\r\n * semantic execution fingerprints rather than\r\n * operational execution IDs.\r\n */\r\nexport class RedisReplayStore\r\n implements AsyncReplayStore {\r\n\r\n private client: RedisClient;\r\n\r\n constructor(\r\n url: string\r\n ) {\r\n\r\n this.client =\r\n new (Redis as any)(url);\r\n }\r\n\r\n async hasExecuted(\r\n execution_fingerprint: string\r\n ): Promise<boolean> {\r\n\r\n const res =\r\n await this.client.exists(\r\n `exec:${execution_fingerprint}`\r\n );\r\n\r\n return res === 1;\r\n }\r\n\r\n async markExecuted(\r\n execution_fingerprint: string\r\n ): Promise<void> {\r\n\r\n const result =\r\n await this.client.set(\r\n `exec:${execution_fingerprint}`,\r\n \"1\",\r\n \"NX\"\r\n );\r\n\r\n if (result !== \"OK\") {\r\n\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`\r\n );\r\n }\r\n }\r\n\r\n async get(\r\n key: string\r\n ): Promise<string | null> {\r\n\r\n return this.client.get(key);\r\n }\r\n\r\n async set(\r\n key: string,\r\n value: string\r\n ): Promise<void> {\r\n\r\n await this.client.set(\r\n key,\r\n value\r\n );\r\n }\r\n\r\n async del(\r\n key: string\r\n ): Promise<void> {\r\n\r\n await this.client.del(key);\r\n }\r\n\r\n async close(): Promise<void> {\r\n\r\n await this.client.quit();\r\n }\r\n}","import type {\r\n ReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\n/**\r\n * 🔒 In-memory replay protection\r\n *\r\n * Replay protection operates on deterministic\r\n * semantic execution fingerprints rather than\r\n * operational execution IDs.\r\n */\r\nexport class MemoryReplayStore\r\n implements ReplayStore {\r\n\r\n private store =\r\n new Set<string>();\r\n\r\n async markExecuted(\r\n execution_fingerprint: string\r\n ): Promise<void> {\r\n\r\n if (\r\n this.store.has(\r\n execution_fingerprint\r\n )\r\n ) {\r\n\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`\r\n );\r\n }\r\n\r\n this.store.add(\r\n execution_fingerprint\r\n );\r\n }\r\n\r\n async hasExecuted(\r\n execution_fingerprint: string\r\n ): Promise<boolean> {\r\n\r\n return this.store.has(\r\n execution_fingerprint\r\n );\r\n }\r\n}","import {\r\n executeWithRedis\r\n} from \"./execute-with-redis.js\";\r\n\r\nimport type {\r\n AsyncReplayStore,\r\n Signer,\r\n Verifier\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport async function resolveOverride(\r\n executionId: string,\r\n\r\n replayStore: AsyncReplayStore & {\r\n get: (\r\n key: string\r\n ) => Promise<string | null>;\r\n\r\n del: (\r\n key: string\r\n ) => Promise<void>;\r\n },\r\n\r\n signer: Signer,\r\n\r\n verifier: Verifier\r\n) {\r\n\r\n // -----------------------------\r\n // 1. Load pending execution\r\n // -----------------------------\r\n const raw =\r\n await replayStore.get(\r\n `pending:${executionId}`\r\n );\r\n\r\n if (!raw) {\r\n\r\n throw new Error(\r\n `[SYS-021] No pending execution found for ${executionId}`\r\n );\r\n }\r\n\r\n const stored =\r\n JSON.parse(raw);\r\n\r\n // -----------------------------\r\n // 2. Execute approved override\r\n // -----------------------------\r\n const execution =\r\n await executeWithRedis(\r\n {\r\n token:\r\n stored.token,\r\n\r\n execution_fingerprint:\r\n stored.token.executionId,\r\n\r\n token_signature:\r\n stored.token_signature,\r\n\r\n signer,\r\n\r\n verifier,\r\n\r\n runtime_manifest:\r\n stored.runtime_manifest,\r\n\r\n runtime_requirements:\r\n stored.runtime_requirements\r\n },\r\n\r\n replayStore\r\n );\r\n\r\n // -----------------------------\r\n // 3. Remove pending state\r\n // -----------------------------\r\n await replayStore.del(\r\n `pending:${executionId}`\r\n );\r\n\r\n // -----------------------------\r\n // 4. Return deterministic result\r\n // -----------------------------\r\n return {\r\n\r\n status:\r\n \"success\" as const,\r\n\r\n executionId,\r\n\r\n signature:\r\n execution.signature,\r\n\r\n resolved:\r\n true\r\n };\r\n}","import * as fs from \"node:fs\";\r\n\r\nconst FILE = \"./review-queue.json\";\r\n\r\nexport function addReviewTask(task: any) {\r\n let data: any[] = [];\r\n\r\n if (fs.existsSync(FILE)) {\r\n data = JSON.parse(fs.readFileSync(FILE, \"utf-8\"));\r\n }\r\n\r\n data.push(task);\r\n\r\n fs.writeFileSync(FILE, JSON.stringify(data, null, 2));\r\n}\r\n\r\nexport function getAllTasks() {\r\n if (!fs.existsSync(FILE)) return [];\r\n return JSON.parse(fs.readFileSync(FILE, \"utf-8\"));\r\n}\r\n","import {\r\n evaluatePolicy,\r\n loadPolicy,\r\n validateSignalsStrict\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport type {\r\n DecisionResult\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport interface DryRunResult {\r\n\r\n policyId: string;\r\n\r\n policyVersion: string;\r\n\r\n schemaVersion: string;\r\n\r\n decision: DecisionResult;\r\n\r\n rule_trace: string[];\r\n\r\n governed: false;\r\n\r\n dry_run: true;\r\n\r\n evaluated_at: string;\r\n}\r\n\r\nexport function evaluateDryRun(\r\n policyId: string,\r\n policyVersion: string,\r\n signals: Record<string, unknown>,\r\n governed_time = new Date().toISOString()\r\n): DryRunResult {\r\n\r\n // -----------------------------\r\n // 1. Load policy\r\n // -----------------------------\r\n const policy =\r\n loadPolicy(\r\n policyId,\r\n policyVersion\r\n );\r\n\r\n // -----------------------------\r\n // 2. Validate signals\r\n // -----------------------------\r\n validateSignalsStrict(\r\n signals,\r\n policy\r\n );\r\n\r\n // -----------------------------\r\n // 3. Evaluate policy\r\n // -----------------------------\r\n const decision: DecisionResult =\r\n evaluatePolicy(\r\n policy,\r\n signals\r\n );\r\n\r\n // -----------------------------\r\n // 4. Return dry-run result\r\n // -----------------------------\r\n return {\r\n\r\n policyId,\r\n\r\n policyVersion,\r\n\r\n schemaVersion:\r\n policy.schemaVersion,\r\n\r\n decision,\r\n\r\n rule_trace: [],\r\n\r\n governed: false,\r\n\r\n dry_run: true,\r\n\r\n evaluated_at:\r\n governed_time\r\n };\r\n}"],"mappings":";AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AASP,OAAO,YAAY;AAEnB,eAAsB,mBACpB,OAMA,QACA,UACA,aAC+B;AAK/B,QAAM,SACJ;AAAA,IACE,MAAM;AAAA,IACN,MAAM;AAAA,EACR;AAKF;AAAA,IACE,MAAM;AAAA,IACN;AAAA,EACF;AAKA,QAAM,WACJ;AAAA,IACE;AAAA,IACA,MAAM;AAAA,EACR;AAEF,MACE,SAAS,WAAW,WACpB;AAEA,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAKA,QAAM,wBACJ,OACG,WAAW,QAAQ,EACnB;AAAA,IACC,KAAK,UAAU;AAAA,MACb,UACE,MAAM;AAAA,MAER,eACE,MAAM;AAAA,MAER,SACE,MAAM;AAAA,IACV,CAAC;AAAA,EACH,EACC,OAAO,KAAK;AAOjB,QAAM,SAAS,MAAM,YAAY;AAAA,IAC/B;AAAA,EACF;AACA,MAAI,QAAQ;AACV;AAAA,MACE;AAAA,MACA;AAAA,MACA,2DAA2D,qBAAqB;AAAA,MAChF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,YAAY;AAAA,IAChB;AAAA,EACF;AAKA,QAAM,kBACJ,mBAAmB;AAKrB,QAAM,QACJ,WAAW;AAAA,IAET,aACE;AAAA,IAEF,UACE,MAAM;AAAA,IAER,eACE,MAAM;AAAA,IAER,eACE,OAAO;AAAA,IAET,gBACE,gBAAgB;AAAA,IAElB,kBACE,SAAS;AAAA,IAEX,aACE;AAAA,EACJ,CAAC;AAKL,QAAM,kBACJ,OAAO;AAAA,IACL;AAAA,MACE;AAAA,IACF;AAAA,EACF;AAKA,SAAO,gBAAgB;AAAA,IAErB;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA,kBACE;AAAA,IAEF,sBAAsB;AAAA,MAEpB,2BAA2B;AAAA,QACzB,gBAAgB;AAAA,MAClB;AAAA,MAEA,0BACE,gBACG;AAAA,IACP;AAAA,EACF,CAAC;AACH;;;ACrLA;AAAA,EACE,mBAAAA;AAAA,OACK;AAaP,eAAsB,iBACpB,SACA,YAC+B;AAK/B,QAAM,WAAW;AAAA,IACf,QAAQ;AAAA,EACV;AAKA,SAAOA;AAAA,IACL;AAAA,EACF;AACF;;;ACjBA,eAAsB,aACpB,SAOA,QAEA,UAEA,aACA;AAEA,QAAM,UAAU,CAAC;AAEjB,aAAW,UAAU,SAAS;AAE5B,QAAI;AAEF,YAAM,SACJ,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEF,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QACP;AAAA,MACF,CAAC;AAAA,IAEH,SAAS,KAAc;AAErB,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QAEP,QAAQ;AAAA,UACN,QAAQ;AAAA,UAER,OACE,eAAe,QACX,IAAI,UACJ;AAAA,QACR;AAAA,MACF,CAAC;AAAA,IAEH;AAAA,EACF;AAEA,SAAO;AACT;;;ACrEA,OAAO,WAAW;AAiBX,IAAM,mBAAN,MACuB;AAAA,EAI5B,YACE,KACA;AAEA,SAAK,SACH,IAAK,MAAc,GAAG;AAAA,EAC1B;AAAA,EAEA,MAAM,YACJ,uBACkB;AAElB,UAAM,MACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,qBAAqB;AAAA,IAC/B;AAEF,WAAO,QAAQ;AAAA,EACjB;AAAA,EAEA,MAAM,aACJ,uBACe;AAEf,UAAM,SACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,qBAAqB;AAAA,MAC7B;AAAA,MACA;AAAA,IACF;AAEF,QAAI,WAAW,MAAM;AAEnB,YAAM,IAAI;AAAA,QACR,2DAA2D,qBAAqB;AAAA,MAClF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACwB;AAExB,WAAO,KAAK,OAAO,IAAI,GAAG;AAAA,EAC5B;AAAA,EAEA,MAAM,IACJ,KACA,OACe;AAEf,UAAM,KAAK,OAAO;AAAA,MAChB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACe;AAEf,UAAM,KAAK,OAAO,IAAI,GAAG;AAAA,EAC3B;AAAA,EAEA,MAAM,QAAuB;AAE3B,UAAM,KAAK,OAAO,KAAK;AAAA,EACzB;AACF;;;AC/EO,IAAM,oBAAN,MACkB;AAAA,EADlB;AAGL,SAAQ,QACN,oBAAI,IAAY;AAAA;AAAA,EAElB,MAAM,aACJ,uBACe;AAEf,QACE,KAAK,MAAM;AAAA,MACT;AAAA,IACF,GACA;AAEA,YAAM,IAAI;AAAA,QACR,2DAA2D,qBAAqB;AAAA,MAClF;AAAA,IACF;AAEA,SAAK,MAAM;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,YACJ,uBACkB;AAElB,WAAO,KAAK,MAAM;AAAA,MAChB;AAAA,IACF;AAAA,EACF;AACF;;;ACnCA,eAAsB,gBACpB,aAEA,aAUA,QAEA,UACA;AAKA,QAAM,MACJ,MAAM,YAAY;AAAA,IAChB,WAAW,WAAW;AAAA,EACxB;AAEF,MAAI,CAAC,KAAK;AAER,UAAM,IAAI;AAAA,MACR,4CAA4C,WAAW;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,SACJ,KAAK,MAAM,GAAG;AAKhB,QAAM,YACJ,MAAM;AAAA,IACJ;AAAA,MACE,OACE,OAAO;AAAA,MAET,uBACE,OAAO,MAAM;AAAA,MAEf,iBACE,OAAO;AAAA,MAET;AAAA,MAEA;AAAA,MAEA,kBACE,OAAO;AAAA,MAET,sBACE,OAAO;AAAA,IACX;AAAA,IAEA;AAAA,EACF;AAKF,QAAM,YAAY;AAAA,IAChB,WAAW,WAAW;AAAA,EACxB;AAKA,SAAO;AAAA,IAEL,QACE;AAAA,IAEF;AAAA,IAEA,WACE,UAAU;AAAA,IAEZ,UACE;AAAA,EACJ;AACF;;;AClGA,YAAY,QAAQ;AAEpB,IAAM,OAAO;AAEN,SAAS,cAAc,MAAW;AACvC,MAAI,OAAc,CAAC;AAEnB,MAAO,cAAW,IAAI,GAAG;AACvB,WAAO,KAAK,MAAS,gBAAa,MAAM,OAAO,CAAC;AAAA,EAClD;AAEA,OAAK,KAAK,IAAI;AAEd,EAAG,iBAAc,MAAM,KAAK,UAAU,MAAM,MAAM,CAAC,CAAC;AACtD;AAEO,SAAS,cAAc;AAC5B,MAAI,CAAI,cAAW,IAAI,EAAG,QAAO,CAAC;AAClC,SAAO,KAAK,MAAS,gBAAa,MAAM,OAAO,CAAC;AAClD;;;ACnBA;AAAA,EACE,kBAAAC;AAAA,EACA,cAAAC;AAAA,EACA,yBAAAC;AAAA,OACK;AAyBA,SAAS,eACd,UACA,eACA,SACA,iBAAgB,oBAAI,KAAK,GAAE,YAAY,GACzB;AAKd,QAAM,SACJD;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAKF,EAAAC;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAKA,QAAM,WACJF;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAKF,SAAO;AAAA,IAEL;AAAA,IAEA;AAAA,IAEA,eACE,OAAO;AAAA,IAET;AAAA,IAEA,YAAY,CAAC;AAAA,IAEb,UAAU;AAAA,IAEV,SAAS;AAAA,IAET,cACE;AAAA,EACJ;AACF;","names":["executeDecision","evaluatePolicy","loadPolicy","validateSignalsStrict"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@parmanasystems/execution-runtime",
3
- "version": "1.71.12",
3
+ "version": "1.71.18",
4
4
  "private": false,
5
5
  "type": "module",
6
6
  "description": "Runtime orchestration layer for Parmana Systems.",
@@ -20,7 +20,7 @@
20
20
  "build": "tsup"
21
21
  },
22
22
  "dependencies": {
23
- "@parmanasystems/execution": "^1.71.12",
23
+ "@parmanasystems/execution": "^1.71.18",
24
24
  "ioredis": "^5.4.1"
25
25
  },
26
26
  "devDependencies": {