Skip to main content
A lightweight package for verifying governance attestations without the full execution runtime. Use this in auditing services, third-party verifiers, or any context where you only need to verify - not execute.

Install

npm install @parmanasystems/verifier

Key exports

ExportDescription
verifyAttestationVerify signature, runtime hash, bundle hash, and invariants
verifyBundleVerify a policy bundle’s content integrity and signature
LocalVerifierEd25519 verifier from a PEM public key

Verifying an attestation

import { verifyAttestation, LocalVerifier } from "@parmanasystems/verifier";

const verifier = new LocalVerifier(process.env.GOVERNANCE_PUBLIC_KEY!);
const result   = verifyAttestation(attestation, verifier);

if (!result.valid) {
  console.error("Attestation invalid:", result.errors);
}

console.log(result.checks);
// {
//   signature_verified: true,
//   runtime_verified:   true,
//   schema_compatible:  true,
//   governed:           true,
// }

Verifying a policy bundle

import { verifyBundle } from "@parmanasystems/verifier";

const result = verifyBundle(
  "./policies/loan-approval/1.0.0/bundle.manifest.json",
  "./policies/loan-approval/1.0.0/bundle.sig",
  "./trust/root.pub"
);

console.log(result.valid); // true only if content and signature verify

Offline verification

Attestations are self-contained - you can verify them with only the public key, no network or database access required: 
import fs from "fs";
import { verifyAttestation, LocalVerifier } from "@parmanasystems/verifier";

const attestation = JSON.parse(fs.readFileSync("attestation.json", "utf8"));
const verifier    = new LocalVerifier(fs.readFileSync("public.pem", "utf8"));

const result = verifyAttestation(attestation, verifier);
console.log(result.valid); // true - verified with no infrastructure access
This works five minutes after signing or five years after signing. The verification result is identical regardless of when or where it runs.

See also