npm package discovery and stats viewer.

Discover Tips

  • General search

    [free text search, go nuts!]

  • Package details

    pkg:[package-name]

  • User packages

    @[username]

Sponsor

Optimize Toolset

I’ve always been into building performant and accessible sites, but lately I’ve been taking it extremely seriously. So much so that I’ve been building a tool to help me optimize and monitor the sites that I build to make sure that I’m making an attempt to offer the best experience to those who visit them. If you’re into performant, accessible and SEO friendly sites, you might like it too! You can check it out at Optimize Toolset.

About

Hi, 👋, I’m Ryan Hefner  and I built this site for me, and you! The goal of this site was to provide an easy way for me to check the stats on my npm packages, both for prioritizing issues and updates, and to give me a little kick in the pants to keep up on stuff.

As I was building it, I realized that I was actually using the tool to build the tool, and figured I might as well put this out there and hopefully others will find it to be a fast and useful way to search and browse npm packages as I have.

If you’re interested in other things I’m working on, follow me on Twitter or check out the open source projects I’ve been publishing on GitHub.

I am also working on a Twitter bot for this site to tweet the most popular, newest, random packages from npm. Please follow that account now and it will start sending out packages soon–ish.

Open Software & Tools

This site wouldn’t be possible without the immense generosity and tireless efforts from the people who make contributions to the world and share their work via open source initiatives. Thank you 🙏

© 2026 – Pkg Stats / Ryan Hefner

@parmanasystems/execution-runtime

v1.98.56

Published

Deterministic governance runtime enforcement layer for replay-safe execution, governed orchestration, runtime provenance continuity, and fail-closed policy execution.

Downloads

386

Readme

@parmanasystems/execution-runtime

The operational enforcement layer. executeFromSignals is the top-level entry point that orchestrates the full governance pipeline: load and verify the policy bundle, normalize and validate input signals, evaluate the policy, compute the execution fingerprint, check replay protection, issue the token, sign it, call executeDecision, and confirm the replay store. A ReplayStore is mandatory — execution without one throws immediately.


Public API

Main entry point

/**
 * Full governance execution pipeline.
 *
 * Steps (in order):
 *   1. Load policy bundle from policiesRootPath/<policyId>/<policyVersion>/
 *   2. Verify bundle manifest signature with trustPublicKeyPath
 *   3. Normalize and validate input signals against policy schema
 *   4. Evaluate policy — produces DecisionResult
 *   5. Compute execution_fingerprint (SHA-256 of canonical {policyId, policyVersion, signals})
 *   6. Reserve fingerprint in replayStore (throws INV-013 on replay)
 *   7. Issue ExecutionToken and sign it
 *   8. Call executeDecision() to produce signed ExecutionAttestation
 *   9. Confirm fingerprint in replayStore
 *
 * @param input.signals  Raw signal map — governed signals (with provenance) or plain values.
 * @param signer         Ed25519 signing authority for token and attestation.
 * @param verifier       Paired verifier for signature checks.
 * @param runtimeEnvironment  Paths to policy bundles, trust root, and release manifest.
 *                            Defaults to env vars if omitted.
 * @param replayStore    REQUIRED. Throws [INV-REPLAY-001] if not provided.
 */
async function executeFromSignals(
  input: {
    policyId: string;
    policyVersion: string;
    signals: Record<string, unknown>;
  },
  signer: Signer,
  verifier: Verifier,
  runtimeEnvironment?: {
    policiesRootPath: string;
    trustPublicKeyPath: string;
    trustRootPath: string;
    releaseManifestPath: string;
  },
  replayStore?: ReplayStore
): Promise<ExecutionAttestation>

Redis-backed execution

/**
 * Execute with a Redis-backed replay store.
 * Convenience wrapper around executeFromSignals with RedisReplayStore.
 */
async function executeWithRedis(
  input: { policyId: string; policyVersion: string; signals: Record<string, unknown> },
  signer: Signer,
  verifier: Verifier,
  redisUrl: string,
  runtimeEnvironment?: RuntimeEnvironment
): Promise<ExecutionAttestation>

Batch execution

/**
 * Execute multiple governance decisions in sequence.
 * Each item uses the same signer/verifier/replayStore.
 * Fails fast on the first error.
 */
async function executeBatch(
  items: Array<{ policyId: string; policyVersion: string; signals: Record<string, unknown> }>,
  signer: Signer,
  verifier: Verifier,
  replayStore: ReplayStore,
  runtimeEnvironment?: RuntimeEnvironment
): Promise<ExecutionAttestation[]>

Dry run

/**
 * Evaluate the policy and preview the decision without replay protection,
 * signing, or side effects. Returns DryRunResult — not an attestation.
 */
async function evaluateDryRun(
  input: { policyId: string; policyVersion: string; signals: Record<string, unknown> },
  runtimeEnvironment?: RuntimeEnvironment
): Promise<DryRunResult>

interface DryRunResult {
  decision: DecisionOutcome;
  rule_id: string;
  signalsValidated: boolean;
}

Override resolution

/**
 * Transition a pending_override execution to a resolved state.
 * Requires the replay store to support the advanced lifecycle (reserve/confirm/fail).
 */
async function resolveOverride(
  executionId: string,
  replayStore: ReplayStore
): Promise<void>

Replay stores

/** Redis-backed replay store. Uses SET NX with TTL for distributed replay protection. */
class RedisReplayStore implements ReplayStore {
  constructor(redisUrl: string, options?: RedisReplayStoreOptions)
}

interface RedisReplayStoreOptions {
  ttlSeconds?: number;   // default: 86400 (24 h)
  keyPrefix?: string;
}

/** In-memory replay store for testing and single-process deployments. */
class MemoryReplayStore implements ReplayStore {
  constructor(options?: MemoryReplayStoreOptions)
}

interface MemoryReplayStoreOptions {
  maxSize?: number;
}

Review task store

/** Append a review task for a pending_override execution. */
async function addReviewTask(task: ReviewTask): Promise<void>

/** Retrieve all pending review tasks. */
async function getAllTasks(): Promise<ReviewTask[]>

interface ReviewTask {
  executionId: string;
  policyId: string;
  policyVersion: string;
  reason?: string;
  createdAt: string;
}

Environment variables

When runtimeEnvironment is not provided, executeFromSignals reads paths from the environment via getRuntimePaths() (imported from @parmanasystems/server's runtime module):

| Variable | Description | |---|---| | PARMANA_POLICIES_ROOT | Root directory of compiled policy bundles. | | PARMANA_TRUST_ROOT | Path to trust-root.json. | | PARMANA_TRUST_PUBLIC_KEY | Path to the trust root public key PEM. | | PARMANA_RELEASE_MANIFEST | Path to release-manifest.json. | | PARMANA_RELEASE_SIGNATURE | Path to release-manifest.sig. |

In normal server deployments these are injected by the container environment; direct library callers should pass the runtimeEnvironment argument explicitly.


Package wiring

@parmanasystems/execution-runtime depends on @parmanasystems/execution (core three-stage pipeline), @parmanasystems/governance (loadPolicyBundle), @parmanasystems/provenance (normalizeGovernedSignals), and @parmanasystems/canonical. The server injects a RedisReplayStore (from this package) and passes it along with a Signer/Verifier from @parmanasystems/signing. @parmanasystems/core re-exports executeFromSignals, MemoryReplayStore, and RedisReplayStore.