Skip to main content

Documentation Index

Fetch the complete documentation index at: https://parmanasystems.mintlify.app/llms.txt

Use this file to discover all available pages before exploring further.

Overview

Compliance teams face a recurring challenge: when a regulator, internal auditor, or legal counsel asks “can you prove this decision was made by this policy, with these inputs, on this date?” — most systems cannot answer definitively. Parmana Systems’s verification model is designed specifically for this scenario. Every ExecutionAttestation is:
  • Self-contained — it carries all information needed to verify it
  • Portable — verification requires only the attestation and the public key
  • Independently reproducible — the verifier does not need access to the database, runtime, or application code

The verification model

Production System          Compliance Team / Auditor
──────────────────         ─────────────────────────
executeFromSignals()   →   receives ExecutionAttestation
  produces attestation

stores in audit-db     →   queries for specific executionId

exports artifact       →   parmana verify artifact
                             (no production access required)
The compliance team needs:
  1. The ExecutionAttestation JSON (exportable from the audit database)
  2. The public key (can be published openly — it verifies, not signs)
  3. The parmana CLI or the @parmanasystems/verifier package

Setting up the audit database

import { AuditDb } from "@parmanasystems/audit-db";

const db = new AuditDb({
  connectionString: process.env.DATABASE_URL,
});

// After every governed execution, persist the attestation
const attestation = await executeFromSignals(/* ... */);
await db.recordDecision(attestation);
The audit-db package stores the full ExecutionAttestation including the cryptographic signature. The signature is what allows post-hoc verification — even if the database row is later queried, the signature proves the attestation content has not been modified since it was first written.

Exporting a verification artifact

For a specific execution, generate a portable verification artifact: 
# From the project root
npm run proof:verify -- --executionId a3f2b1c4d8e7f96a012b3c4d5e6f7890...

# This produces:
# ./artifacts/reproducibility/verification.json
The verification artifact contains:
  • The attestation fields
  • Invariant check results
  • Runtime manifest state
  • Bundle manifest state
  • All verification check outcomes

Independent verification

The compliance team can verify the artifact with the parmana CLI, which they can install independently: 
# Install the verifier CLI
npm install -g @parmanasystems/verifier-cli

# Verify the artifact
parmana verify artifact ./verification.json
Example output: 
parmanasystems Verifier CLI

Trust root: /usr/local/lib/.../trust/root.pub

[VERIFY] Verification Artifact

Artifact: ./verification.json
artifact_hash: 8f4a2e9c1b3d...
runtimeVersion: 1.65.0
runtimeHash: 7c2d8f1a...
schemaVersion: 1

✓ signature_verified
✓ runtime_manifest_verified
✓ bundle_manifest_verified
✓ bundle_signature_verified
✓ attestation_signature_verified
✓ invariants_verified

Verification: PASS

Machine-readable output for CI/compliance tools

parmana verify artifact ./verification.json --json

{
  "valid": true,
  "checks": {
    "signature_verified":             true,
    "runtime_manifest_verified":      true,
    "bundle_manifest_verified":       true,
    "bundle_signature_verified":      true,
    "attestation_signature_verified": true,
    "invariants_verified":            true
  },
  "artifact": {
    "artifact_hash":   "8f4a2e9c1b3d...",
    "runtimeVersion":  "1.65.0",
    "runtimeHash":     "7c2d8f1a...",
    "schemaVersion":   "1"
  }
}

Strict mode for automated compliance gates

parmana verify artifact ./verification.json --strict
# Exit code 0 = PASS, exit code 1 = FAIL
# Use in CI pipelines or compliance automation

Verifying via the REST API

For systems that query the audit trail programmatically: 
import { ParmanaClient } from "@parmanasystems/sdk-client";

const client = new ParmanaClient({ baseUrl: "http://localhost:3000" });

const result = await client.verify({
  executionId:     attestation.executionId,
  decision:        attestation.decision,
  execution_state: attestation.execution_state,
  runtimeHash:     attestation.runtimeHash,
  signature:       attestation.signature,
});

console.log(result.valid);
// true

console.log(result.checks);
// { signature_verified: true, runtime_verified: true, schema_compatible: true }

What the signature proves

The Ed25519 signature over the canonical attestation JSON proves:
  1. Authenticity — The attestation was produced by a runtime holding the corresponding private key
  2. Integrity — None of the attested fields (decision, policyId, policyVersion, signalsHash, execution_state, runtimeHash) have been modified since signing
  3. Non-repudiation — The signature cannot be produced without the private key; it cannot be forged

What it does NOT prove

  • That the input signals themselves were correct (the signals are hashed, not embedded)
  • That the policy file corresponds to a particular business intent (that is a policy governance question)
  • That the key holder acted in good faith (key custody is an operational security question)

Compliance checklist

1

Publish the public key

Publish your Ed25519 public key in a trust root accessible to compliance teams. The key verifies attestations without enabling any signing.
2

Persist every attestation

Use @parmanasystems/audit-db to store every ExecutionAttestation in PostgreSQL immediately after execution.
3

Version-lock your policies

Never modify a published policy in place. Increment the version (v1v2) and deploy new decisions against the new version. Historical attestations always reference the version that was active.
4

Export artifacts on request

For any regulated decision, export a verification artifact with npm run proof:verify and provide it to auditors along with the public key.
5

Verify in CI

Run parmana verify artifact --strict as part of your release pipeline to confirm the governance chain is intact before publishing new versions.