Skip to main content

Documentation Index

Fetch the complete documentation index at: https://docs.manthan.systems/llms.txt

Use this file to discover all available pages before exploring further.

What is execution integrity?

An attestation proves that a governance decision was made correctly — that signals were evaluated against a policy, that the runtime was valid, and that the result was signed. But it does not prove that the real-world action that followed actually matched the decision. Execution integrity bridges that gap. After your system acts on a governance decision — disbursing a loan, sending a payment, deploying code — you call confirmExecution to produce a cryptographic proof that the action matched the authorization. This proof is independently verifiable and tamper-evident.

How it works

1. executeFromSignals()          → ExecutionAttestation  (governance authorization)
2. Your system performs action   → ExecutedAction         (what actually happened)
3. confirmExecution()            → ExecutionIntegrityProof (proof they match)
confirmExecution does the following:
  1. Verifies the attestation signature — confirms the authorization was legitimately issued
  2. Checks the replay store — prevents double-confirmation of the same execution ID
  3. Computes an integrityHashsha256(canonicalize({ authorizationId, execution_fingerprint, executedAction }))
  4. Evaluates match criteria — checks action type, payload consistency, and time window
  5. Signs the proof — produces a signed ExecutionIntegrityProof under PARMANA_AUDIT_V1 domain

Usage

import {
  executeFromSignals,
  confirmExecution,
  LocalSigner,
  LocalVerifier,
  MemoryReplayStore,
} from "@parmanasystems/core";

const signer   = new LocalSigner(privateKey);
const verifier = new LocalVerifier(publicKey);
const store    = new MemoryReplayStore();

// Step 1: Get governance authorization
const attestation = await executeFromSignals(
  {
    policyId:      "loan-approval",
    policyVersion: "1.0.0",
    signals:       { credit_score: 720, loan_amount: 15000 },
  },
  signer, verifier, store
);

// Step 2: Perform the real-world action
// ... disburse the loan ...

// Step 3: Confirm the action matches the authorization
const proof = await confirmExecution(
  {
    attestation,
    executedAction: {
      type:       "LOAN_DISBURSED",
      payload:    { amount: 15000, policyId: "loan-approval" },
      executedAt: new Date().toISOString(),
      executedBy: "disbursement-service",
    },
    timeWindowSeconds: 300, // default: 300
  },
  signer,
  verifier,
  store
);

console.log(proof.match);        // true — action matches authorization
console.log(proof.integrityHash); // sha256 linking authorization to action
console.log(proof.verified);      // true — always true when returned without error

ExecutedAction

The description of the real-world action that was performed: 
interface ExecutedAction {
  type:        string;            // e.g. "LOAN_DISBURSED"
  payload:     Record<string, unknown>;
  executedAt:  string;            // ISO 8601
  executedBy?: string;
}

ExecutionIntegrityProof

The signed proof returned by confirmExecution: 
interface ExecutionIntegrityProof {
  executionId:     string;   // UUID for this proof event
  authorizationId: string;   // executionId from the original attestation
  integrityHash:   string;   // sha256 linking authorization + executedAction
  authorized: {
    action:        string;
    reason:        string;
    policyId:      string;
    policyVersion: string;
  };
  executed:     ExecutedAction;
  match:        boolean;       // true when all three match checks pass
  matchDetails: MatchDetails;
  signature:    string;        // Ed25519 over canonicalized proof payload
  confirmedAt:  string;        // ISO 8601
  verified:     true;          // always true when returned without error
}

MatchDetails

Breakdown of why match is true or false: 
interface MatchDetails {
  actionTypeMatch:   boolean; // executedAction.type contains or matches decision.action
  payloadConsistent: boolean; // payload fields don't contradict the authorization
  withinTimeWindow:  boolean; // abs(executedAt - confirmedAt) <= timeWindowSeconds
  timeWindowSeconds: number;  // the configured window
}
match is true only when all three conditions are met:
CheckWhat it tests
actionTypeMatchexecutedAction.type contains or is contained by decision.action (case-insensitive)
payloadConsistentpayload.action (if present) is consistent with decision.action; payload.policyId (if present) matches attestation.policyId
withinTimeWindowThe time between executedAt and the moment of confirmation is within timeWindowSeconds
A match: false proof is still a valid, signed record. Store it — it documents that execution occurred outside the authorized bounds.

Error conditions

ErrorCause
INTEGRITY_INVALID_ATTESTATIONThe attestation’s signature is invalid — the authorization was tampered with or came from the wrong signer
INTEGRITY_ALREADY_CONFIRMEDThis executionId has already been confirmed — prevents double-confirmation

Use Cases

Loan disbursement proof

After executeFromSignals returns an approve attestation for a personal loan, the disbursement service transfers the funds and immediately calls confirmExecution with type: "LOAN_DISBURSED" and the amount. The resulting ExecutionIntegrityProof proves — in a tamper-evident, signed record — that the disbursement happened within the 5-minute window following the governance authorization. If match: false, the insurer or regulator can see exactly which check failed.

Insurance claim settlement

After a motor insurance claim is approved (claim_amount: 18500, policy_active: true), the claims system sends the settlement payment and confirms it: type: "CLAIM_SETTLED", payload: { amount: 18500, claimId: "CLM-2024-001" }. The integrity proof is stored alongside the original attestation. Auditors get both — the authorization and the confirmed execution — linked by authorizationId.

Catching action/authorization mismatches

A governance decision approves a personal loan for ₹15,000. Due to a bug, the disbursement service sends ₹150,000. When confirmExecution is called with the actual amount in the payload, payloadConsistent may return false if the payload contradicts the authorization. Even if match: false, the signed proof records the discrepancy — giving the audit trail evidence that the execution deviated from the authorization.

Via HTTP

The @parmanasystems/server exposes this as POST /confirm-execution. See the Server Package for the request/response schema.

See also