@parmanasystems/execution-runtime 1.71.20 → 1.71.24

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (4) hide show
  1. package/dist/index.d.ts +14 -2
  2. package/dist/index.js +111 -34
  3. package/dist/index.js.map +1 -1
  4. package/package.json +2 -2
package/dist/index.d.ts CHANGED
@@ -58,12 +58,18 @@ declare class RedisReplayStore implements AsyncReplayStore {
58
58
  constructor(url: string);
59
59
  hasExecuted(execution_fingerprint: string): Promise<boolean>;
60
60
  markExecuted(execution_fingerprint: string): Promise<void>;
61
+ reserve(execution_fingerprint: string): Promise<void>;
62
+ confirm(execution_fingerprint: string): Promise<void>;
61
63
  get(key: string): Promise<string | null>;
62
64
  set(key: string, value: string): Promise<void>;
63
65
  del(key: string): Promise<void>;
64
66
  close(): Promise<void>;
65
67
  }
66
68
 
69
+ interface MemoryReplayStoreOptions {
70
+ warnInProduction?: boolean;
71
+ maxSize?: number;
72
+ }
67
73
  /**
68
74
  * 🔒 In-memory replay protection
69
75
  *
@@ -72,9 +78,15 @@ declare class RedisReplayStore implements AsyncReplayStore {
72
78
  * operational execution IDs.
73
79
  */
74
80
  declare class MemoryReplayStore implements ReplayStore {
75
- private store;
81
+ private reserved;
82
+ private confirmed;
83
+ private maxSize;
84
+ constructor(options?: MemoryReplayStoreOptions);
85
+ reserve(execution_fingerprint: string): Promise<void>;
86
+ confirm(execution_fingerprint: string): Promise<void>;
76
87
  markExecuted(execution_fingerprint: string): Promise<void>;
77
88
  hasExecuted(execution_fingerprint: string): Promise<boolean>;
89
+ private checkMaxSize;
78
90
  }
79
91
 
80
92
  declare function resolveOverride(executionId: string, replayStore: AsyncReplayStore & {
@@ -102,4 +114,4 @@ interface DryRunResult {
102
114
  }
103
115
  declare function evaluateDryRun(policyId: string, policyVersion: string, signals: Record<string, unknown>, governed_time?: string): DryRunResult;
104
116
 
105
- export { type DryRunResult, MemoryReplayStore, RedisReplayStore, addReviewTask, evaluateDryRun, executeBatch, executeFromSignals, executeWithRedis, getAllTasks, resolveOverride };
117
+ export { type DryRunResult, MemoryReplayStore, type MemoryReplayStoreOptions, RedisReplayStore, addReviewTask, evaluateDryRun, executeBatch, executeFromSignals, executeWithRedis, getAllTasks, resolveOverride };
package/dist/index.js CHANGED
@@ -5,9 +5,7 @@ import {
5
5
  getRuntimeManifest,
6
6
  evaluatePolicy,
7
7
  loadPolicy,
8
- canonicalizeForSigning,
9
- validateSignalsStrict,
10
- violate
8
+ canonicalizeForSigning
11
9
  } from "@parmanasystems/execution";
12
10
  import crypto from "crypto";
13
11
  async function executeFromSignals(input, signer, verifier, replayStore) {
@@ -15,10 +13,6 @@ async function executeFromSignals(input, signer, verifier, replayStore) {
15
13
  input.policyId,
16
14
  input.policyVersion
17
15
  );
18
- validateSignalsStrict(
19
- input.signals,
20
- policy
21
- );
22
16
  const decision = evaluatePolicy(
23
17
  policy,
24
18
  input.signals
@@ -35,20 +29,23 @@ async function executeFromSignals(input, signer, verifier, replayStore) {
35
29
  signals: input.signals
36
30
  })
37
31
  ).digest("hex");
38
- const hasRun = await replayStore.hasExecuted(
39
- execution_fingerprint
40
- );
41
- if (hasRun) {
42
- violate(
43
- "INV-013",
44
- "replay",
45
- `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`,
32
+ if (replayStore.reserve) {
33
+ await replayStore.reserve(
34
+ execution_fingerprint
35
+ );
36
+ } else {
37
+ const alreadyExecuted = await replayStore.hasExecuted(
38
+ execution_fingerprint
39
+ );
40
+ if (alreadyExecuted) {
41
+ throw new Error(
42
+ `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`
43
+ );
44
+ }
45
+ await replayStore.markExecuted(
46
46
  execution_fingerprint
47
47
  );
48
48
  }
49
- await replayStore.markExecuted(
50
- execution_fingerprint
51
- );
52
49
  const runtimeManifest = getRuntimeManifest();
53
50
  const token = issueToken({
54
51
  executionId: execution_fingerprint,
@@ -64,7 +61,7 @@ async function executeFromSignals(input, signer, verifier, replayStore) {
64
61
  token
65
62
  )
66
63
  );
67
- return executeDecision({
64
+ const attestation = await executeDecision({
68
65
  token,
69
66
  execution_fingerprint,
70
67
  token_signature,
@@ -78,6 +75,19 @@ async function executeFromSignals(input, signer, verifier, replayStore) {
78
75
  supported_schemaVersions: runtimeManifest.supported_schemaVersions
79
76
  }
80
77
  });
78
+ if (replayStore.confirm) {
79
+ try {
80
+ await replayStore.confirm(
81
+ execution_fingerprint
82
+ );
83
+ } catch (err) {
84
+ console.warn(
85
+ "[PARMANA WARNING] Failed to confirm execution fingerprint after successful execution:",
86
+ err
87
+ );
88
+ }
89
+ }
90
+ return attestation;
81
91
  }
82
92
 
83
93
  // src/execute-with-redis.ts
@@ -128,10 +138,15 @@ var RedisReplayStore = class {
128
138
  this.client = new Redis(url);
129
139
  }
130
140
  async hasExecuted(execution_fingerprint) {
131
- const res = await this.client.exists(
132
- `exec:${execution_fingerprint}`
133
- );
134
- return res === 1;
141
+ const [confirmed, pending] = await Promise.all([
142
+ this.client.exists(
143
+ `exec:${execution_fingerprint}`
144
+ ),
145
+ this.client.exists(
146
+ `exec:pending:${execution_fingerprint}`
147
+ )
148
+ ]);
149
+ return confirmed === 1 || pending === 1;
135
150
  }
136
151
  async markExecuted(execution_fingerprint) {
137
152
  const result = await this.client.set(
@@ -145,6 +160,35 @@ var RedisReplayStore = class {
145
160
  );
146
161
  }
147
162
  }
163
+ async reserve(execution_fingerprint) {
164
+ const alreadyConfirmed = await this.client.exists(
165
+ `exec:${execution_fingerprint}`
166
+ );
167
+ if (alreadyConfirmed === 1) {
168
+ throw new Error(
169
+ `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`
170
+ );
171
+ }
172
+ const result = await this.client.set(
173
+ `exec:pending:${execution_fingerprint}`,
174
+ "1",
175
+ "NX"
176
+ );
177
+ if (result !== "OK") {
178
+ throw new Error(
179
+ `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`
180
+ );
181
+ }
182
+ }
183
+ async confirm(execution_fingerprint) {
184
+ await this.client.set(
185
+ `exec:${execution_fingerprint}`,
186
+ "1"
187
+ );
188
+ await this.client.del(
189
+ `exec:pending:${execution_fingerprint}`
190
+ );
191
+ }
148
192
  async get(key) {
149
193
  return this.client.get(key);
150
194
  }
@@ -163,27 +207,60 @@ var RedisReplayStore = class {
163
207
  };
164
208
 
165
209
  // src/memory-replay-store.ts
210
+ var DEFAULT_MAX_SIZE = 1e6;
166
211
  var MemoryReplayStore = class {
167
- constructor() {
168
- this.store = /* @__PURE__ */ new Set();
212
+ constructor(options = {}) {
213
+ this.reserved = /* @__PURE__ */ new Set();
214
+ this.confirmed = /* @__PURE__ */ new Set();
215
+ const {
216
+ warnInProduction = true,
217
+ maxSize = DEFAULT_MAX_SIZE
218
+ } = options;
219
+ this.maxSize = maxSize;
220
+ if (warnInProduction && process.env["NODE_ENV"] === "production") {
221
+ console.warn(
222
+ "[PARMANA WARNING] MemoryReplayStore is not suitable for production. It loses all replay protection on process restart and does not work across multiple processes. Use RedisReplayStore in production."
223
+ );
224
+ }
169
225
  }
170
- async markExecuted(execution_fingerprint) {
171
- if (this.store.has(
172
- execution_fingerprint
173
- )) {
226
+ async reserve(execution_fingerprint) {
227
+ if (this.reserved.has(execution_fingerprint) || this.confirmed.has(execution_fingerprint)) {
174
228
  throw new Error(
175
229
  `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`
176
230
  );
177
231
  }
178
- this.store.add(
232
+ this.checkMaxSize();
233
+ this.reserved.add(
179
234
  execution_fingerprint
180
235
  );
181
236
  }
182
- async hasExecuted(execution_fingerprint) {
183
- return this.store.has(
237
+ async confirm(execution_fingerprint) {
238
+ this.reserved.delete(
239
+ execution_fingerprint
240
+ );
241
+ this.confirmed.add(
242
+ execution_fingerprint
243
+ );
244
+ }
245
+ async markExecuted(execution_fingerprint) {
246
+ await this.reserve(
247
+ execution_fingerprint
248
+ );
249
+ await this.confirm(
184
250
  execution_fingerprint
185
251
  );
186
252
  }
253
+ async hasExecuted(execution_fingerprint) {
254
+ return this.reserved.has(execution_fingerprint) || this.confirmed.has(execution_fingerprint);
255
+ }
256
+ checkMaxSize() {
257
+ const total = this.reserved.size + this.confirmed.size;
258
+ if (total >= this.maxSize) {
259
+ throw new Error(
260
+ `MemoryReplayStore has reached maximum size of ${this.maxSize} entries. Switch to RedisReplayStore for production use.`
261
+ );
262
+ }
263
+ }
187
264
  };
188
265
 
189
266
  // src/resolve-override.ts
@@ -240,14 +317,14 @@ function getAllTasks() {
240
317
  import {
241
318
  evaluatePolicy as evaluatePolicy2,
242
319
  loadPolicy as loadPolicy2,
243
- validateSignalsStrict as validateSignalsStrict2
320
+ validateSignalsStrict
244
321
  } from "@parmanasystems/execution";
245
322
  function evaluateDryRun(policyId, policyVersion, signals, governed_time = (/* @__PURE__ */ new Date()).toISOString()) {
246
323
  const policy = loadPolicy2(
247
324
  policyId,
248
325
  policyVersion
249
326
  );
250
- validateSignalsStrict2(
327
+ validateSignalsStrict(
251
328
  signals,
252
329
  policy
253
330
  );
package/dist/index.js.map CHANGED
@@ -1 +1 @@
1
- {"version":3,"sources":["../src/execute-from-signals.ts","../src/execute-with-redis.ts","../src/execute-batch.ts","../src/redis-replay-store.ts","../src/memory-replay-store.ts","../src/resolve-override.ts","../src/review-store.ts","../src/dry-run.ts"],"sourcesContent":["import {\r\n executeDecision,\r\n issueToken,\r\n getRuntimeManifest,\r\n evaluatePolicy,\r\n loadPolicy,\r\n canonicalizeForSigning,\r\n validateSignalsStrict,\r\n violate\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport type {\r\n ExecutionAttestation,\r\n Signer,\r\n Verifier,\r\n ReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport crypto from \"crypto\";\r\n\r\nexport async function executeFromSignals(\r\n input: {\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, unknown>;\r\n },\r\n\r\n signer: Signer,\r\n verifier: Verifier,\r\n replayStore: ReplayStore\r\n): Promise<ExecutionAttestation> {\r\n\r\n // -----------------------------\r\n // Load policy\r\n // -----------------------------\r\n const policy =\r\n loadPolicy(\r\n input.policyId,\r\n input.policyVersion\r\n );\r\n\r\n // -----------------------------\r\n // Validate signals against schema\r\n // -----------------------------\r\n validateSignalsStrict(\r\n input.signals,\r\n policy\r\n );\r\n\r\n // -----------------------------\r\n // Evaluate policy\r\n // -----------------------------\r\n const decision =\r\n evaluatePolicy(\r\n policy,\r\n input.signals\r\n );\r\n\r\n if (\r\n decision.status !== \"decided\"\r\n ) {\r\n\r\n throw new Error(\r\n \"[SYS-006] Policy evaluation returned undecided\"\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // Deterministic execution identity\r\n // -----------------------------\r\n const execution_fingerprint =\r\n crypto\r\n .createHash(\"sha256\")\r\n .update(\r\n JSON.stringify({\r\n policyId:\r\n input.policyId,\r\n\r\n policyVersion:\r\n input.policyVersion,\r\n\r\n signals:\r\n input.signals\r\n })\r\n )\r\n .digest(\"hex\");\r\n\r\n // -----------------------------\r\n // Replay protection\r\n // -----------------------------\r\n // hasExecuted is NOT wrapped in try/catch — if the store is unavailable\r\n // we cannot confirm uniqueness, so we must block execution (fail-closed).\r\n const hasRun = await replayStore.hasExecuted(\r\n execution_fingerprint\r\n );\r\n if (hasRun) {\r\n violate(\r\n \"INV-013\",\r\n \"replay\",\r\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`,\r\n execution_fingerprint\r\n );\r\n }\r\n\r\n await replayStore.markExecuted(\r\n execution_fingerprint\r\n );\r\n\r\n // -----------------------------\r\n // Runtime manifest\r\n // -----------------------------\r\n const runtimeManifest =\r\n getRuntimeManifest();\r\n\r\n // -----------------------------\r\n // Deterministic governance token\r\n // -----------------------------\r\n const token =\r\n issueToken({\r\n\r\n executionId:\r\n execution_fingerprint,\r\n\r\n policyId:\r\n input.policyId,\r\n\r\n policyVersion:\r\n input.policyVersion,\r\n\r\n schemaVersion:\r\n policy.schemaVersion,\r\n\r\n runtimeVersion:\r\n runtimeManifest.runtimeVersion,\r\n\r\n decision_payload:\r\n decision.outcome,\r\n\r\n signalsHash:\r\n execution_fingerprint\r\n });\r\n\r\n// -----------------------------\r\n// Explicit cryptographic signing\r\n// -----------------------------\r\nconst token_signature =\r\n signer.sign(\r\n canonicalizeForSigning(\r\n token\r\n )\r\n );\r\n\r\n // -----------------------------\r\n // Deterministic execution\r\n // -----------------------------\r\n return executeDecision({\r\n\r\n token,\r\n\r\n execution_fingerprint,\r\n\r\n token_signature,\r\n\r\n signer,\r\n\r\n verifier,\r\n\r\n runtime_manifest:\r\n runtimeManifest,\r\n\r\n runtime_requirements: {\r\n\r\n supported_runtimeVersions: [\r\n runtimeManifest.runtimeVersion\r\n ],\r\n\r\n supported_schemaVersions:\r\n runtimeManifest\r\n .supported_schemaVersions\r\n }\r\n });\r\n}","import {\r\n executeDecision\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport type {\r\n ExecutionContext,\r\n ExecutionAttestation,\r\n AsyncReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\n/**\r\n * 🟢 ASYNC ADAPTER\r\n * Handles distributed replay protection\r\n * while preserving deterministic execution core.\r\n */\r\nexport async function executeWithRedis(\r\n context: ExecutionContext,\r\n redisStore: AsyncReplayStore\r\n): Promise<ExecutionAttestation> {\r\n\r\n // -----------------------------\r\n // Distributed replay protection\r\n // -----------------------------\r\n await redisStore.markExecuted(\r\n context.execution_fingerprint\r\n );\r\n\r\n // -----------------------------\r\n // Deterministic execution\r\n // -----------------------------\r\n return executeDecision(\r\n context\r\n );\r\n}","import type {\r\n Signer,\r\n Verifier,\r\n AsyncReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport {\r\n executeFromSignals,\r\n} from \"./execute-from-signals.js\";\r\n\r\n/**\r\n * Executes multiple records sequentially.\r\n *\r\n * Each record is processed independently.\r\n * Errors are captured per-record (fail-isolated).\r\n */\r\nexport async function executeBatch(\r\n records: Array<{\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, unknown>;\r\n governed_time: string;\r\n }>,\r\n\r\n signer: Signer,\r\n\r\n verifier: Verifier,\r\n\r\n replayStore: AsyncReplayStore\r\n) {\r\n\r\n const outputs = [];\r\n\r\n for (const record of records) {\r\n\r\n try {\r\n\r\n const output =\r\n await executeFromSignals(\r\n record,\r\n signer,\r\n verifier,\r\n replayStore\r\n );\r\n\r\n outputs.push({\r\n input: record,\r\n output\r\n });\r\n\r\n } catch (err: unknown) {\r\n\r\n outputs.push({\r\n input: record,\r\n\r\n output: {\r\n status: \"error\",\r\n\r\n error:\r\n err instanceof Error\r\n ? err.message\r\n : \"Unknown error\"\r\n }\r\n });\r\n\r\n }\r\n }\r\n\r\n return outputs;\r\n}","import Redis from \"ioredis\";\r\n\r\nimport type {\r\n Redis as RedisClient\r\n} from \"ioredis\";\r\n\r\nimport type {\r\n AsyncReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\n/**\r\n * 🔒 Distributed replay protection\r\n *\r\n * Replay protection operates on deterministic\r\n * semantic execution fingerprints rather than\r\n * operational execution IDs.\r\n */\r\nexport class RedisReplayStore\r\n implements AsyncReplayStore {\r\n\r\n private client: RedisClient;\r\n\r\n constructor(\r\n url: string\r\n ) {\r\n\r\n this.client =\r\n new (Redis as any)(url);\r\n }\r\n\r\n async hasExecuted(\r\n execution_fingerprint: string\r\n ): Promise<boolean> {\r\n\r\n const res =\r\n await this.client.exists(\r\n `exec:${execution_fingerprint}`\r\n );\r\n\r\n return res === 1;\r\n }\r\n\r\n async markExecuted(\r\n execution_fingerprint: string\r\n ): Promise<void> {\r\n\r\n const result =\r\n await this.client.set(\r\n `exec:${execution_fingerprint}`,\r\n \"1\",\r\n \"NX\"\r\n );\r\n\r\n if (result !== \"OK\") {\r\n\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`\r\n );\r\n }\r\n }\r\n\r\n async get(\r\n key: string\r\n ): Promise<string | null> {\r\n\r\n return this.client.get(key);\r\n }\r\n\r\n async set(\r\n key: string,\r\n value: string\r\n ): Promise<void> {\r\n\r\n await this.client.set(\r\n key,\r\n value\r\n );\r\n }\r\n\r\n async del(\r\n key: string\r\n ): Promise<void> {\r\n\r\n await this.client.del(key);\r\n }\r\n\r\n async close(): Promise<void> {\r\n\r\n await this.client.quit();\r\n }\r\n}","import type {\r\n ReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\n/**\r\n * 🔒 In-memory replay protection\r\n *\r\n * Replay protection operates on deterministic\r\n * semantic execution fingerprints rather than\r\n * operational execution IDs.\r\n */\r\nexport class MemoryReplayStore\r\n implements ReplayStore {\r\n\r\n private store =\r\n new Set<string>();\r\n\r\n async markExecuted(\r\n execution_fingerprint: string\r\n ): Promise<void> {\r\n\r\n if (\r\n this.store.has(\r\n execution_fingerprint\r\n )\r\n ) {\r\n\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`\r\n );\r\n }\r\n\r\n this.store.add(\r\n execution_fingerprint\r\n );\r\n }\r\n\r\n async hasExecuted(\r\n execution_fingerprint: string\r\n ): Promise<boolean> {\r\n\r\n return this.store.has(\r\n execution_fingerprint\r\n );\r\n }\r\n}","import {\r\n executeWithRedis\r\n} from \"./execute-with-redis.js\";\r\n\r\nimport type {\r\n AsyncReplayStore,\r\n Signer,\r\n Verifier\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport async function resolveOverride(\r\n executionId: string,\r\n\r\n replayStore: AsyncReplayStore & {\r\n get: (\r\n key: string\r\n ) => Promise<string | null>;\r\n\r\n del: (\r\n key: string\r\n ) => Promise<void>;\r\n },\r\n\r\n signer: Signer,\r\n\r\n verifier: Verifier\r\n) {\r\n\r\n // -----------------------------\r\n // 1. Load pending execution\r\n // -----------------------------\r\n const raw =\r\n await replayStore.get(\r\n `pending:${executionId}`\r\n );\r\n\r\n if (!raw) {\r\n\r\n throw new Error(\r\n `[SYS-021] No pending execution found for ${executionId}`\r\n );\r\n }\r\n\r\n const stored =\r\n JSON.parse(raw);\r\n\r\n // -----------------------------\r\n // 2. Execute approved override\r\n // -----------------------------\r\n const execution =\r\n await executeWithRedis(\r\n {\r\n token:\r\n stored.token,\r\n\r\n execution_fingerprint:\r\n stored.token.executionId,\r\n\r\n token_signature:\r\n stored.token_signature,\r\n\r\n signer,\r\n\r\n verifier,\r\n\r\n runtime_manifest:\r\n stored.runtime_manifest,\r\n\r\n runtime_requirements:\r\n stored.runtime_requirements\r\n },\r\n\r\n replayStore\r\n );\r\n\r\n // -----------------------------\r\n // 3. Remove pending state\r\n // -----------------------------\r\n await replayStore.del(\r\n `pending:${executionId}`\r\n );\r\n\r\n // -----------------------------\r\n // 4. Return deterministic result\r\n // -----------------------------\r\n return {\r\n\r\n status:\r\n \"success\" as const,\r\n\r\n executionId,\r\n\r\n signature:\r\n execution.signature,\r\n\r\n resolved:\r\n true\r\n };\r\n}","import * as fs from \"node:fs\";\r\n\r\nconst FILE = \"./review-queue.json\";\r\n\r\nexport function addReviewTask(task: any) {\r\n let data: any[] = [];\r\n\r\n if (fs.existsSync(FILE)) {\r\n data = JSON.parse(fs.readFileSync(FILE, \"utf-8\"));\r\n }\r\n\r\n data.push(task);\r\n\r\n fs.writeFileSync(FILE, JSON.stringify(data, null, 2));\r\n}\r\n\r\nexport function getAllTasks() {\r\n if (!fs.existsSync(FILE)) return [];\r\n return JSON.parse(fs.readFileSync(FILE, \"utf-8\"));\r\n}\r\n","import {\r\n evaluatePolicy,\r\n loadPolicy,\r\n validateSignalsStrict\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport type {\r\n DecisionResult\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport interface DryRunResult {\r\n\r\n policyId: string;\r\n\r\n policyVersion: string;\r\n\r\n schemaVersion: string;\r\n\r\n decision: DecisionResult;\r\n\r\n rule_trace: string[];\r\n\r\n governed: false;\r\n\r\n dry_run: true;\r\n\r\n evaluated_at: string;\r\n}\r\n\r\nexport function evaluateDryRun(\r\n policyId: string,\r\n policyVersion: string,\r\n signals: Record<string, unknown>,\r\n governed_time = new Date().toISOString()\r\n): DryRunResult {\r\n\r\n // -----------------------------\r\n // 1. Load policy\r\n // -----------------------------\r\n const policy =\r\n loadPolicy(\r\n policyId,\r\n policyVersion\r\n );\r\n\r\n // -----------------------------\r\n // 2. Validate signals\r\n // -----------------------------\r\n validateSignalsStrict(\r\n signals,\r\n policy\r\n );\r\n\r\n // -----------------------------\r\n // 3. Evaluate policy\r\n // -----------------------------\r\n const decision: DecisionResult =\r\n evaluatePolicy(\r\n policy,\r\n signals\r\n );\r\n\r\n // -----------------------------\r\n // 4. Return dry-run result\r\n // -----------------------------\r\n return {\r\n\r\n policyId,\r\n\r\n policyVersion,\r\n\r\n schemaVersion:\r\n policy.schemaVersion,\r\n\r\n decision,\r\n\r\n rule_trace: [],\r\n\r\n governed: false,\r\n\r\n dry_run: true,\r\n\r\n evaluated_at:\r\n governed_time\r\n };\r\n}"],"mappings":";AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AASP,OAAO,YAAY;AAEnB,eAAsB,mBACpB,OAMA,QACA,UACA,aAC+B;AAK/B,QAAM,SACJ;AAAA,IACE,MAAM;AAAA,IACN,MAAM;AAAA,EACR;AAKF;AAAA,IACE,MAAM;AAAA,IACN;AAAA,EACF;AAKA,QAAM,WACJ;AAAA,IACE;AAAA,IACA,MAAM;AAAA,EACR;AAEF,MACE,SAAS,WAAW,WACpB;AAEA,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAKA,QAAM,wBACJ,OACG,WAAW,QAAQ,EACnB;AAAA,IACC,KAAK,UAAU;AAAA,MACb,UACE,MAAM;AAAA,MAER,eACE,MAAM;AAAA,MAER,SACE,MAAM;AAAA,IACV,CAAC;AAAA,EACH,EACC,OAAO,KAAK;AAOjB,QAAM,SAAS,MAAM,YAAY;AAAA,IAC/B;AAAA,EACF;AACA,MAAI,QAAQ;AACV;AAAA,MACE;AAAA,MACA;AAAA,MACA,2DAA2D,qBAAqB;AAAA,MAChF;AAAA,IACF;AAAA,EACF;AAEA,QAAM,YAAY;AAAA,IAChB;AAAA,EACF;AAKA,QAAM,kBACJ,mBAAmB;AAKrB,QAAM,QACJ,WAAW;AAAA,IAET,aACE;AAAA,IAEF,UACE,MAAM;AAAA,IAER,eACE,MAAM;AAAA,IAER,eACE,OAAO;AAAA,IAET,gBACE,gBAAgB;AAAA,IAElB,kBACE,SAAS;AAAA,IAEX,aACE;AAAA,EACJ,CAAC;AAKL,QAAM,kBACJ,OAAO;AAAA,IACL;AAAA,MACE;AAAA,IACF;AAAA,EACF;AAKA,SAAO,gBAAgB;AAAA,IAErB;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA,kBACE;AAAA,IAEF,sBAAsB;AAAA,MAEpB,2BAA2B;AAAA,QACzB,gBAAgB;AAAA,MAClB;AAAA,MAEA,0BACE,gBACG;AAAA,IACP;AAAA,EACF,CAAC;AACH;;;ACrLA;AAAA,EACE,mBAAAA;AAAA,OACK;AAaP,eAAsB,iBACpB,SACA,YAC+B;AAK/B,QAAM,WAAW;AAAA,IACf,QAAQ;AAAA,EACV;AAKA,SAAOA;AAAA,IACL;AAAA,EACF;AACF;;;ACjBA,eAAsB,aACpB,SAOA,QAEA,UAEA,aACA;AAEA,QAAM,UAAU,CAAC;AAEjB,aAAW,UAAU,SAAS;AAE5B,QAAI;AAEF,YAAM,SACJ,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEF,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QACP;AAAA,MACF,CAAC;AAAA,IAEH,SAAS,KAAc;AAErB,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QAEP,QAAQ;AAAA,UACN,QAAQ;AAAA,UAER,OACE,eAAe,QACX,IAAI,UACJ;AAAA,QACR;AAAA,MACF,CAAC;AAAA,IAEH;AAAA,EACF;AAEA,SAAO;AACT;;;ACrEA,OAAO,WAAW;AAiBX,IAAM,mBAAN,MACuB;AAAA,EAI5B,YACE,KACA;AAEA,SAAK,SACH,IAAK,MAAc,GAAG;AAAA,EAC1B;AAAA,EAEA,MAAM,YACJ,uBACkB;AAElB,UAAM,MACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,qBAAqB;AAAA,IAC/B;AAEF,WAAO,QAAQ;AAAA,EACjB;AAAA,EAEA,MAAM,aACJ,uBACe;AAEf,UAAM,SACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,qBAAqB;AAAA,MAC7B;AAAA,MACA;AAAA,IACF;AAEF,QAAI,WAAW,MAAM;AAEnB,YAAM,IAAI;AAAA,QACR,2DAA2D,qBAAqB;AAAA,MAClF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACwB;AAExB,WAAO,KAAK,OAAO,IAAI,GAAG;AAAA,EAC5B;AAAA,EAEA,MAAM,IACJ,KACA,OACe;AAEf,UAAM,KAAK,OAAO;AAAA,MAChB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACe;AAEf,UAAM,KAAK,OAAO,IAAI,GAAG;AAAA,EAC3B;AAAA,EAEA,MAAM,QAAuB;AAE3B,UAAM,KAAK,OAAO,KAAK;AAAA,EACzB;AACF;;;AC/EO,IAAM,oBAAN,MACkB;AAAA,EADlB;AAGL,SAAQ,QACN,oBAAI,IAAY;AAAA;AAAA,EAElB,MAAM,aACJ,uBACe;AAEf,QACE,KAAK,MAAM;AAAA,MACT;AAAA,IACF,GACA;AAEA,YAAM,IAAI;AAAA,QACR,2DAA2D,qBAAqB;AAAA,MAClF;AAAA,IACF;AAEA,SAAK,MAAM;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,YACJ,uBACkB;AAElB,WAAO,KAAK,MAAM;AAAA,MAChB;AAAA,IACF;AAAA,EACF;AACF;;;ACnCA,eAAsB,gBACpB,aAEA,aAUA,QAEA,UACA;AAKA,QAAM,MACJ,MAAM,YAAY;AAAA,IAChB,WAAW,WAAW;AAAA,EACxB;AAEF,MAAI,CAAC,KAAK;AAER,UAAM,IAAI;AAAA,MACR,4CAA4C,WAAW;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,SACJ,KAAK,MAAM,GAAG;AAKhB,QAAM,YACJ,MAAM;AAAA,IACJ;AAAA,MACE,OACE,OAAO;AAAA,MAET,uBACE,OAAO,MAAM;AAAA,MAEf,iBACE,OAAO;AAAA,MAET;AAAA,MAEA;AAAA,MAEA,kBACE,OAAO;AAAA,MAET,sBACE,OAAO;AAAA,IACX;AAAA,IAEA;AAAA,EACF;AAKF,QAAM,YAAY;AAAA,IAChB,WAAW,WAAW;AAAA,EACxB;AAKA,SAAO;AAAA,IAEL,QACE;AAAA,IAEF;AAAA,IAEA,WACE,UAAU;AAAA,IAEZ,UACE;AAAA,EACJ;AACF;;;AClGA,YAAY,QAAQ;AAEpB,IAAM,OAAO;AAEN,SAAS,cAAc,MAAW;AACvC,MAAI,OAAc,CAAC;AAEnB,MAAO,cAAW,IAAI,GAAG;AACvB,WAAO,KAAK,MAAS,gBAAa,MAAM,OAAO,CAAC;AAAA,EAClD;AAEA,OAAK,KAAK,IAAI;AAEd,EAAG,iBAAc,MAAM,KAAK,UAAU,MAAM,MAAM,CAAC,CAAC;AACtD;AAEO,SAAS,cAAc;AAC5B,MAAI,CAAI,cAAW,IAAI,EAAG,QAAO,CAAC;AAClC,SAAO,KAAK,MAAS,gBAAa,MAAM,OAAO,CAAC;AAClD;;;ACnBA;AAAA,EACE,kBAAAC;AAAA,EACA,cAAAC;AAAA,EACA,yBAAAC;AAAA,OACK;AAyBA,SAAS,eACd,UACA,eACA,SACA,iBAAgB,oBAAI,KAAK,GAAE,YAAY,GACzB;AAKd,QAAM,SACJD;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAKF,EAAAC;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAKA,QAAM,WACJF;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAKF,SAAO;AAAA,IAEL;AAAA,IAEA;AAAA,IAEA,eACE,OAAO;AAAA,IAET;AAAA,IAEA,YAAY,CAAC;AAAA,IAEb,UAAU;AAAA,IAEV,SAAS;AAAA,IAET,cACE;AAAA,EACJ;AACF;","names":["executeDecision","evaluatePolicy","loadPolicy","validateSignalsStrict"]}
1
+ {"version":3,"sources":["../src/execute-from-signals.ts","../src/execute-with-redis.ts","../src/execute-batch.ts","../src/redis-replay-store.ts","../src/memory-replay-store.ts","../src/resolve-override.ts","../src/review-store.ts","../src/dry-run.ts"],"sourcesContent":["import {\r\n executeDecision,\r\n issueToken,\r\n getRuntimeManifest,\r\n evaluatePolicy,\r\n loadPolicy,\r\n canonicalizeForSigning\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport type {\r\n ExecutionAttestation,\r\n Signer,\r\n Verifier,\r\n ReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport crypto from \"crypto\";\r\n\r\nexport async function executeFromSignals(\r\n input: {\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, unknown>;\r\n },\r\n\r\n signer: Signer,\r\n verifier: Verifier,\r\n replayStore: ReplayStore\r\n): Promise<ExecutionAttestation> {\r\n\r\n // -----------------------------\r\n // Load policy\r\n // -----------------------------\r\n const policy =\r\n loadPolicy(\r\n input.policyId,\r\n input.policyVersion\r\n );\r\n\r\n // -----------------------------\r\n // Evaluate policy\r\n // -----------------------------\r\n const decision =\r\n evaluatePolicy(\r\n policy,\r\n input.signals\r\n );\r\n\r\n if (\r\n decision.status !== \"decided\"\r\n ) {\r\n\r\n throw new Error(\r\n \"[SYS-006] Policy evaluation returned undecided\"\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // Deterministic execution identity\r\n // -----------------------------\r\n const execution_fingerprint =\r\n crypto\r\n .createHash(\"sha256\")\r\n .update(\r\n JSON.stringify({\r\n policyId:\r\n input.policyId,\r\n\r\n policyVersion:\r\n input.policyVersion,\r\n\r\n signals:\r\n input.signals\r\n })\r\n )\r\n .digest(\"hex\");\r\n\r\n // -----------------------------\r\n // Replay protection (two-phase commit)\r\n // -----------------------------\r\n if (replayStore.reserve) {\r\n await replayStore.reserve(\r\n execution_fingerprint\r\n );\r\n } else {\r\n const alreadyExecuted =\r\n await replayStore.hasExecuted(\r\n execution_fingerprint\r\n );\r\n\r\n if (alreadyExecuted) {\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`\r\n );\r\n }\r\n\r\n await replayStore.markExecuted(\r\n execution_fingerprint\r\n );\r\n }\r\n\r\n // -----------------------------\r\n // Runtime manifest\r\n // -----------------------------\r\n const runtimeManifest =\r\n getRuntimeManifest();\r\n\r\n // -----------------------------\r\n // Deterministic governance token\r\n // -----------------------------\r\n const token =\r\n issueToken({\r\n\r\n executionId:\r\n execution_fingerprint,\r\n\r\n policyId:\r\n input.policyId,\r\n\r\n policyVersion:\r\n input.policyVersion,\r\n\r\n schemaVersion:\r\n policy.schemaVersion,\r\n\r\n runtimeVersion:\r\n runtimeManifest.runtimeVersion,\r\n\r\n decision_payload:\r\n decision.outcome,\r\n\r\n signalsHash:\r\n execution_fingerprint\r\n });\r\n\r\n // -----------------------------\r\n // Explicit cryptographic signing\r\n // -----------------------------\r\n const token_signature =\r\n signer.sign(\r\n canonicalizeForSigning(\r\n token\r\n )\r\n );\r\n\r\n // -----------------------------\r\n // Deterministic execution\r\n // -----------------------------\r\n const attestation =\r\n await executeDecision({\r\n\r\n token,\r\n\r\n execution_fingerprint,\r\n\r\n token_signature,\r\n\r\n signer,\r\n\r\n verifier,\r\n\r\n runtime_manifest:\r\n runtimeManifest,\r\n\r\n runtime_requirements: {\r\n\r\n supported_runtimeVersions: [\r\n runtimeManifest.runtimeVersion\r\n ],\r\n\r\n supported_schemaVersions:\r\n runtimeManifest\r\n .supported_schemaVersions\r\n }\r\n });\r\n\r\n // -----------------------------\r\n // 2PC confirm\r\n // -----------------------------\r\n if (replayStore.confirm) {\r\n try {\r\n await replayStore.confirm(\r\n execution_fingerprint\r\n );\r\n } catch (err) {\r\n console.warn(\r\n \"[PARMANA WARNING] Failed to confirm execution fingerprint after successful execution:\",\r\n err\r\n );\r\n }\r\n }\r\n\r\n return attestation;\r\n}","import {\r\n executeDecision\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport type {\r\n ExecutionContext,\r\n ExecutionAttestation,\r\n AsyncReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\n/**\r\n * 🟢 ASYNC ADAPTER\r\n * Handles distributed replay protection\r\n * while preserving deterministic execution core.\r\n */\r\nexport async function executeWithRedis(\r\n context: ExecutionContext,\r\n redisStore: AsyncReplayStore\r\n): Promise<ExecutionAttestation> {\r\n\r\n // -----------------------------\r\n // Distributed replay protection\r\n // -----------------------------\r\n await redisStore.markExecuted(\r\n context.execution_fingerprint\r\n );\r\n\r\n // -----------------------------\r\n // Deterministic execution\r\n // -----------------------------\r\n return executeDecision(\r\n context\r\n );\r\n}","import type {\r\n Signer,\r\n Verifier,\r\n AsyncReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport {\r\n executeFromSignals,\r\n} from \"./execute-from-signals.js\";\r\n\r\n/**\r\n * Executes multiple records sequentially.\r\n *\r\n * Each record is processed independently.\r\n * Errors are captured per-record (fail-isolated).\r\n */\r\nexport async function executeBatch(\r\n records: Array<{\r\n policyId: string;\r\n policyVersion: string;\r\n signals: Record<string, unknown>;\r\n governed_time: string;\r\n }>,\r\n\r\n signer: Signer,\r\n\r\n verifier: Verifier,\r\n\r\n replayStore: AsyncReplayStore\r\n) {\r\n\r\n const outputs = [];\r\n\r\n for (const record of records) {\r\n\r\n try {\r\n\r\n const output =\r\n await executeFromSignals(\r\n record,\r\n signer,\r\n verifier,\r\n replayStore\r\n );\r\n\r\n outputs.push({\r\n input: record,\r\n output\r\n });\r\n\r\n } catch (err: unknown) {\r\n\r\n outputs.push({\r\n input: record,\r\n\r\n output: {\r\n status: \"error\",\r\n\r\n error:\r\n err instanceof Error\r\n ? err.message\r\n : \"Unknown error\"\r\n }\r\n });\r\n\r\n }\r\n }\r\n\r\n return outputs;\r\n}","import Redis from \"ioredis\";\r\n\r\nimport type {\r\n Redis as RedisClient\r\n} from \"ioredis\";\r\n\r\nimport type {\r\n AsyncReplayStore\r\n} from \"@parmanasystems/execution\";\r\n\r\n/**\r\n * 🔒 Distributed replay protection\r\n *\r\n * Replay protection operates on deterministic\r\n * semantic execution fingerprints rather than\r\n * operational execution IDs.\r\n */\r\nexport class RedisReplayStore\r\n implements AsyncReplayStore {\r\n\r\n private client: RedisClient;\r\n\r\n constructor(\r\n url: string\r\n ) {\r\n\r\n this.client =\r\n new (Redis as any)(url);\r\n }\r\n\r\n async hasExecuted(\r\n execution_fingerprint: string\r\n ): Promise<boolean> {\r\n\r\n const [confirmed, pending] =\r\n await Promise.all([\r\n this.client.exists(\r\n `exec:${execution_fingerprint}`\r\n ),\r\n this.client.exists(\r\n `exec:pending:${execution_fingerprint}`\r\n )\r\n ]);\r\n\r\n return confirmed === 1 || pending === 1;\r\n }\r\n\r\n async markExecuted(\r\n execution_fingerprint: string\r\n ): Promise<void> {\r\n\r\n const result =\r\n await this.client.set(\r\n `exec:${execution_fingerprint}`,\r\n \"1\",\r\n \"NX\"\r\n );\r\n\r\n if (result !== \"OK\") {\r\n\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`\r\n );\r\n }\r\n }\r\n\r\n async reserve(\r\n execution_fingerprint: string\r\n ): Promise<void> {\r\n\r\n const alreadyConfirmed =\r\n await this.client.exists(\r\n `exec:${execution_fingerprint}`\r\n );\r\n\r\n if (alreadyConfirmed === 1) {\r\n\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`\r\n );\r\n }\r\n\r\n const result =\r\n await this.client.set(\r\n `exec:pending:${execution_fingerprint}`,\r\n \"1\",\r\n \"NX\"\r\n );\r\n\r\n if (result !== \"OK\") {\r\n\r\n throw new Error(\r\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`\r\n );\r\n }\r\n }\r\n\r\n async confirm(\r\n execution_fingerprint: string\r\n ): Promise<void> {\r\n\r\n await this.client.set(\r\n `exec:${execution_fingerprint}`,\r\n \"1\"\r\n );\r\n\r\n await this.client.del(\r\n `exec:pending:${execution_fingerprint}`\r\n );\r\n }\r\n\r\n async get(\r\n key: string\r\n ): Promise<string | null> {\r\n\r\n return this.client.get(key);\r\n }\r\n\r\n async set(\r\n key: string,\r\n value: string\r\n ): Promise<void> {\r\n\r\n await this.client.set(\r\n key,\r\n value\r\n );\r\n }\r\n\r\n async del(\r\n key: string\r\n ): Promise<void> {\r\n\r\n await this.client.del(key);\r\n }\r\n\r\n async close(): Promise<void> {\r\n\r\n await this.client.quit();\r\n }\r\n}","import type {\n ReplayStore\n} from \"@parmanasystems/execution\";\n\nexport interface MemoryReplayStoreOptions {\n warnInProduction?: boolean;\n maxSize?: number;\n}\n\nconst DEFAULT_MAX_SIZE = 1_000_000;\n\n/**\n * 🔒 In-memory replay protection\n *\n * Replay protection operates on deterministic\n * semantic execution fingerprints rather than\n * operational execution IDs.\n */\nexport class MemoryReplayStore\n implements ReplayStore {\n\n private reserved =\n new Set<string>();\n\n private confirmed =\n new Set<string>();\n\n private maxSize: number;\n\n constructor(\n options: MemoryReplayStoreOptions = {}\n ) {\n\n const {\n warnInProduction = true,\n maxSize = DEFAULT_MAX_SIZE\n } = options;\n\n this.maxSize = maxSize;\n\n if (\n warnInProduction &&\n process.env[\"NODE_ENV\"] === \"production\"\n ) {\n\n console.warn(\n \"[PARMANA WARNING] MemoryReplayStore is not suitable for production. \" +\n \"It loses all replay protection on process restart and does not \" +\n \"work across multiple processes. Use RedisReplayStore in production.\"\n );\n }\n }\n\n async reserve(\n execution_fingerprint: string\n ): Promise<void> {\n\n if (\n this.reserved.has(execution_fingerprint) ||\n this.confirmed.has(execution_fingerprint)\n ) {\n\n throw new Error(\n `[INV-013@replay] Replay detected: execution_fingerprint ${execution_fingerprint} has already been consumed`\n );\n }\n\n this.checkMaxSize();\n\n this.reserved.add(\n execution_fingerprint\n );\n }\n\n async confirm(\n execution_fingerprint: string\n ): Promise<void> {\n\n this.reserved.delete(\n execution_fingerprint\n );\n\n this.confirmed.add(\n execution_fingerprint\n );\n }\n\n async markExecuted(\n execution_fingerprint: string\n ): Promise<void> {\n\n await this.reserve(\n execution_fingerprint\n );\n\n await this.confirm(\n execution_fingerprint\n );\n }\n\n async hasExecuted(\n execution_fingerprint: string\n ): Promise<boolean> {\n\n return (\n this.reserved.has(execution_fingerprint) ||\n this.confirmed.has(execution_fingerprint)\n );\n }\n\n private checkMaxSize(): void {\n\n const total =\n this.reserved.size +\n this.confirmed.size;\n\n if (total >= this.maxSize) {\n\n throw new Error(\n `MemoryReplayStore has reached maximum size of ${this.maxSize} entries. ` +\n `Switch to RedisReplayStore for production use.`\n );\n }\n }\n}\n","import {\r\n executeWithRedis\r\n} from \"./execute-with-redis.js\";\r\n\r\nimport type {\r\n AsyncReplayStore,\r\n Signer,\r\n Verifier\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport async function resolveOverride(\r\n executionId: string,\r\n\r\n replayStore: AsyncReplayStore & {\r\n get: (\r\n key: string\r\n ) => Promise<string | null>;\r\n\r\n del: (\r\n key: string\r\n ) => Promise<void>;\r\n },\r\n\r\n signer: Signer,\r\n\r\n verifier: Verifier\r\n) {\r\n\r\n // -----------------------------\r\n // 1. Load pending execution\r\n // -----------------------------\r\n const raw =\r\n await replayStore.get(\r\n `pending:${executionId}`\r\n );\r\n\r\n if (!raw) {\r\n\r\n throw new Error(\r\n `[SYS-021] No pending execution found for ${executionId}`\r\n );\r\n }\r\n\r\n const stored =\r\n JSON.parse(raw);\r\n\r\n // -----------------------------\r\n // 2. Execute approved override\r\n // -----------------------------\r\n const execution =\r\n await executeWithRedis(\r\n {\r\n token:\r\n stored.token,\r\n\r\n execution_fingerprint:\r\n stored.token.executionId,\r\n\r\n token_signature:\r\n stored.token_signature,\r\n\r\n signer,\r\n\r\n verifier,\r\n\r\n runtime_manifest:\r\n stored.runtime_manifest,\r\n\r\n runtime_requirements:\r\n stored.runtime_requirements\r\n },\r\n\r\n replayStore\r\n );\r\n\r\n // -----------------------------\r\n // 3. Remove pending state\r\n // -----------------------------\r\n await replayStore.del(\r\n `pending:${executionId}`\r\n );\r\n\r\n // -----------------------------\r\n // 4. Return deterministic result\r\n // -----------------------------\r\n return {\r\n\r\n status:\r\n \"success\" as const,\r\n\r\n executionId,\r\n\r\n signature:\r\n execution.signature,\r\n\r\n resolved:\r\n true\r\n };\r\n}","import * as fs from \"node:fs\";\r\n\r\nconst FILE = \"./review-queue.json\";\r\n\r\nexport function addReviewTask(task: any) {\r\n let data: any[] = [];\r\n\r\n if (fs.existsSync(FILE)) {\r\n data = JSON.parse(fs.readFileSync(FILE, \"utf-8\"));\r\n }\r\n\r\n data.push(task);\r\n\r\n fs.writeFileSync(FILE, JSON.stringify(data, null, 2));\r\n}\r\n\r\nexport function getAllTasks() {\r\n if (!fs.existsSync(FILE)) return [];\r\n return JSON.parse(fs.readFileSync(FILE, \"utf-8\"));\r\n}\r\n","import {\r\n evaluatePolicy,\r\n loadPolicy,\r\n validateSignalsStrict\r\n} from \"@parmanasystems/execution\";\r\n\r\nimport type {\r\n DecisionResult\r\n} from \"@parmanasystems/execution\";\r\n\r\nexport interface DryRunResult {\r\n\r\n policyId: string;\r\n\r\n policyVersion: string;\r\n\r\n schemaVersion: string;\r\n\r\n decision: DecisionResult;\r\n\r\n rule_trace: string[];\r\n\r\n governed: false;\r\n\r\n dry_run: true;\r\n\r\n evaluated_at: string;\r\n}\r\n\r\nexport function evaluateDryRun(\r\n policyId: string,\r\n policyVersion: string,\r\n signals: Record<string, unknown>,\r\n governed_time = new Date().toISOString()\r\n): DryRunResult {\r\n\r\n // -----------------------------\r\n // 1. Load policy\r\n // -----------------------------\r\n const policy =\r\n loadPolicy(\r\n policyId,\r\n policyVersion\r\n );\r\n\r\n // -----------------------------\r\n // 2. Validate signals\r\n // -----------------------------\r\n validateSignalsStrict(\r\n signals,\r\n policy\r\n );\r\n\r\n // -----------------------------\r\n // 3. Evaluate policy\r\n // -----------------------------\r\n const decision: DecisionResult =\r\n evaluatePolicy(\r\n policy,\r\n signals\r\n );\r\n\r\n // -----------------------------\r\n // 4. Return dry-run result\r\n // -----------------------------\r\n return {\r\n\r\n policyId,\r\n\r\n policyVersion,\r\n\r\n schemaVersion:\r\n policy.schemaVersion,\r\n\r\n decision,\r\n\r\n rule_trace: [],\r\n\r\n governed: false,\r\n\r\n dry_run: true,\r\n\r\n evaluated_at:\r\n governed_time\r\n };\r\n}"],"mappings":";AAAA;AAAA,EACE;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,EACA;AAAA,OACK;AASP,OAAO,YAAY;AAEnB,eAAsB,mBACpB,OAMA,QACA,UACA,aAC+B;AAK/B,QAAM,SACJ;AAAA,IACE,MAAM;AAAA,IACN,MAAM;AAAA,EACR;AAKF,QAAM,WACJ;AAAA,IACE;AAAA,IACA,MAAM;AAAA,EACR;AAEF,MACE,SAAS,WAAW,WACpB;AAEA,UAAM,IAAI;AAAA,MACR;AAAA,IACF;AAAA,EACF;AAKA,QAAM,wBACJ,OACG,WAAW,QAAQ,EACnB;AAAA,IACC,KAAK,UAAU;AAAA,MACb,UACE,MAAM;AAAA,MAER,eACE,MAAM;AAAA,MAER,SACE,MAAM;AAAA,IACV,CAAC;AAAA,EACH,EACC,OAAO,KAAK;AAKjB,MAAI,YAAY,SAAS;AACvB,UAAM,YAAY;AAAA,MAChB;AAAA,IACF;AAAA,EACF,OAAO;AACL,UAAM,kBACJ,MAAM,YAAY;AAAA,MAChB;AAAA,IACF;AAEF,QAAI,iBAAiB;AACnB,YAAM,IAAI;AAAA,QACR,2DAA2D,qBAAqB;AAAA,MAClF;AAAA,IACF;AAEA,UAAM,YAAY;AAAA,MAChB;AAAA,IACF;AAAA,EACF;AAKA,QAAM,kBACJ,mBAAmB;AAKrB,QAAM,QACJ,WAAW;AAAA,IAET,aACE;AAAA,IAEF,UACE,MAAM;AAAA,IAER,eACE,MAAM;AAAA,IAER,eACE,OAAO;AAAA,IAET,gBACE,gBAAgB;AAAA,IAElB,kBACE,SAAS;AAAA,IAEX,aACE;AAAA,EACJ,CAAC;AAKH,QAAM,kBACJ,OAAO;AAAA,IACL;AAAA,MACE;AAAA,IACF;AAAA,EACF;AAKF,QAAM,cACJ,MAAM,gBAAgB;AAAA,IAEpB;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA;AAAA,IAEA,kBACE;AAAA,IAEF,sBAAsB;AAAA,MAEpB,2BAA2B;AAAA,QACzB,gBAAgB;AAAA,MAClB;AAAA,MAEA,0BACE,gBACG;AAAA,IACP;AAAA,EACF,CAAC;AAKH,MAAI,YAAY,SAAS;AACvB,QAAI;AACF,YAAM,YAAY;AAAA,QAChB;AAAA,MACF;AAAA,IACF,SAAS,KAAK;AACZ,cAAQ;AAAA,QACN;AAAA,QACA;AAAA,MACF;AAAA,IACF;AAAA,EACF;AAEA,SAAO;AACT;;;ACjMA;AAAA,EACE,mBAAAA;AAAA,OACK;AAaP,eAAsB,iBACpB,SACA,YAC+B;AAK/B,QAAM,WAAW;AAAA,IACf,QAAQ;AAAA,EACV;AAKA,SAAOA;AAAA,IACL;AAAA,EACF;AACF;;;ACjBA,eAAsB,aACpB,SAOA,QAEA,UAEA,aACA;AAEA,QAAM,UAAU,CAAC;AAEjB,aAAW,UAAU,SAAS;AAE5B,QAAI;AAEF,YAAM,SACJ,MAAM;AAAA,QACJ;AAAA,QACA;AAAA,QACA;AAAA,QACA;AAAA,MACF;AAEF,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QACP;AAAA,MACF,CAAC;AAAA,IAEH,SAAS,KAAc;AAErB,cAAQ,KAAK;AAAA,QACX,OAAO;AAAA,QAEP,QAAQ;AAAA,UACN,QAAQ;AAAA,UAER,OACE,eAAe,QACX,IAAI,UACJ;AAAA,QACR;AAAA,MACF,CAAC;AAAA,IAEH;AAAA,EACF;AAEA,SAAO;AACT;;;ACrEA,OAAO,WAAW;AAiBX,IAAM,mBAAN,MACuB;AAAA,EAI5B,YACE,KACA;AAEA,SAAK,SACH,IAAK,MAAc,GAAG;AAAA,EAC1B;AAAA,EAEA,MAAM,YACJ,uBACkB;AAElB,UAAM,CAAC,WAAW,OAAO,IACvB,MAAM,QAAQ,IAAI;AAAA,MAChB,KAAK,OAAO;AAAA,QACV,QAAQ,qBAAqB;AAAA,MAC/B;AAAA,MACA,KAAK,OAAO;AAAA,QACV,gBAAgB,qBAAqB;AAAA,MACvC;AAAA,IACF,CAAC;AAEH,WAAO,cAAc,KAAK,YAAY;AAAA,EACxC;AAAA,EAEA,MAAM,aACJ,uBACe;AAEf,UAAM,SACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,qBAAqB;AAAA,MAC7B;AAAA,MACA;AAAA,IACF;AAEF,QAAI,WAAW,MAAM;AAEnB,YAAM,IAAI;AAAA,QACR,2DAA2D,qBAAqB;AAAA,MAClF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,QACJ,uBACe;AAEf,UAAM,mBACJ,MAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,qBAAqB;AAAA,IAC/B;AAEF,QAAI,qBAAqB,GAAG;AAE1B,YAAM,IAAI;AAAA,QACR,2DAA2D,qBAAqB;AAAA,MAClF;AAAA,IACF;AAEA,UAAM,SACJ,MAAM,KAAK,OAAO;AAAA,MAChB,gBAAgB,qBAAqB;AAAA,MACrC;AAAA,MACA;AAAA,IACF;AAEF,QAAI,WAAW,MAAM;AAEnB,YAAM,IAAI;AAAA,QACR,2DAA2D,qBAAqB;AAAA,MAClF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,QACJ,uBACe;AAEf,UAAM,KAAK,OAAO;AAAA,MAChB,QAAQ,qBAAqB;AAAA,MAC7B;AAAA,IACF;AAEA,UAAM,KAAK,OAAO;AAAA,MAChB,gBAAgB,qBAAqB;AAAA,IACvC;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACwB;AAExB,WAAO,KAAK,OAAO,IAAI,GAAG;AAAA,EAC5B;AAAA,EAEA,MAAM,IACJ,KACA,OACe;AAEf,UAAM,KAAK,OAAO;AAAA,MAChB;AAAA,MACA;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,IACJ,KACe;AAEf,UAAM,KAAK,OAAO,IAAI,GAAG;AAAA,EAC3B;AAAA,EAEA,MAAM,QAAuB;AAE3B,UAAM,KAAK,OAAO,KAAK;AAAA,EACzB;AACF;;;ACnIA,IAAM,mBAAmB;AASlB,IAAM,oBAAN,MACkB;AAAA,EAUvB,YACE,UAAoC,CAAC,GACrC;AAVF,SAAQ,WACN,oBAAI,IAAY;AAElB,SAAQ,YACN,oBAAI,IAAY;AAQhB,UAAM;AAAA,MACJ,mBAAmB;AAAA,MACnB,UAAU;AAAA,IACZ,IAAI;AAEJ,SAAK,UAAU;AAEf,QACE,oBACA,QAAQ,IAAI,UAAU,MAAM,cAC5B;AAEA,cAAQ;AAAA,QACN;AAAA,MAGF;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,QACJ,uBACe;AAEf,QACE,KAAK,SAAS,IAAI,qBAAqB,KACvC,KAAK,UAAU,IAAI,qBAAqB,GACxC;AAEA,YAAM,IAAI;AAAA,QACR,2DAA2D,qBAAqB;AAAA,MAClF;AAAA,IACF;AAEA,SAAK,aAAa;AAElB,SAAK,SAAS;AAAA,MACZ;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,QACJ,uBACe;AAEf,SAAK,SAAS;AAAA,MACZ;AAAA,IACF;AAEA,SAAK,UAAU;AAAA,MACb;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,aACJ,uBACe;AAEf,UAAM,KAAK;AAAA,MACT;AAAA,IACF;AAEA,UAAM,KAAK;AAAA,MACT;AAAA,IACF;AAAA,EACF;AAAA,EAEA,MAAM,YACJ,uBACkB;AAElB,WACE,KAAK,SAAS,IAAI,qBAAqB,KACvC,KAAK,UAAU,IAAI,qBAAqB;AAAA,EAE5C;AAAA,EAEQ,eAAqB;AAE3B,UAAM,QACJ,KAAK,SAAS,OACd,KAAK,UAAU;AAEjB,QAAI,SAAS,KAAK,SAAS;AAEzB,YAAM,IAAI;AAAA,QACR,iDAAiD,KAAK,OAAO;AAAA,MAE/D;AAAA,IACF;AAAA,EACF;AACF;;;AClHA,eAAsB,gBACpB,aAEA,aAUA,QAEA,UACA;AAKA,QAAM,MACJ,MAAM,YAAY;AAAA,IAChB,WAAW,WAAW;AAAA,EACxB;AAEF,MAAI,CAAC,KAAK;AAER,UAAM,IAAI;AAAA,MACR,4CAA4C,WAAW;AAAA,IACzD;AAAA,EACF;AAEA,QAAM,SACJ,KAAK,MAAM,GAAG;AAKhB,QAAM,YACJ,MAAM;AAAA,IACJ;AAAA,MACE,OACE,OAAO;AAAA,MAET,uBACE,OAAO,MAAM;AAAA,MAEf,iBACE,OAAO;AAAA,MAET;AAAA,MAEA;AAAA,MAEA,kBACE,OAAO;AAAA,MAET,sBACE,OAAO;AAAA,IACX;AAAA,IAEA;AAAA,EACF;AAKF,QAAM,YAAY;AAAA,IAChB,WAAW,WAAW;AAAA,EACxB;AAKA,SAAO;AAAA,IAEL,QACE;AAAA,IAEF;AAAA,IAEA,WACE,UAAU;AAAA,IAEZ,UACE;AAAA,EACJ;AACF;;;AClGA,YAAY,QAAQ;AAEpB,IAAM,OAAO;AAEN,SAAS,cAAc,MAAW;AACvC,MAAI,OAAc,CAAC;AAEnB,MAAO,cAAW,IAAI,GAAG;AACvB,WAAO,KAAK,MAAS,gBAAa,MAAM,OAAO,CAAC;AAAA,EAClD;AAEA,OAAK,KAAK,IAAI;AAEd,EAAG,iBAAc,MAAM,KAAK,UAAU,MAAM,MAAM,CAAC,CAAC;AACtD;AAEO,SAAS,cAAc;AAC5B,MAAI,CAAI,cAAW,IAAI,EAAG,QAAO,CAAC;AAClC,SAAO,KAAK,MAAS,gBAAa,MAAM,OAAO,CAAC;AAClD;;;ACnBA;AAAA,EACE,kBAAAC;AAAA,EACA,cAAAC;AAAA,EACA;AAAA,OACK;AAyBA,SAAS,eACd,UACA,eACA,SACA,iBAAgB,oBAAI,KAAK,GAAE,YAAY,GACzB;AAKd,QAAM,SACJA;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAKF;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAKA,QAAM,WACJD;AAAA,IACE;AAAA,IACA;AAAA,EACF;AAKF,SAAO;AAAA,IAEL;AAAA,IAEA;AAAA,IAEA,eACE,OAAO;AAAA,IAET;AAAA,IAEA,YAAY,CAAC;AAAA,IAEb,UAAU;AAAA,IAEV,SAAS;AAAA,IAET,cACE;AAAA,EACJ;AACF;","names":["executeDecision","evaluatePolicy","loadPolicy"]}
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "@parmanasystems/execution-runtime",
3
- "version": "1.71.20",
3
+ "version": "1.71.24",
4
4
  "private": false,
5
5
  "type": "module",
6
6
  "description": "Runtime orchestration layer for Parmana Systems.",
@@ -20,7 +20,7 @@
20
20
  "build": "tsup"
21
21
  },
22
22
  "dependencies": {
23
- "@parmanasystems/execution": "^1.71.20",
23
+ "@parmanasystems/execution": "^1.71.24",
24
24
  "ioredis": "^5.4.1"
25
25
  },
26
26
  "devDependencies": {