Read REST API → Replay before this guide if you haven’t — POST /replay currently performs the same hash-integrity check as POST /verify, not a re-evaluation of policy against recorded signals. This guide covers both what you can do today and what @parmana/replay’s real engine would do if it were wired in.
What you can do today
curl -X POST http://localhost:3000/replay \
-H "Content-Type: application/json" \
-d '{ "businessTransactionId": "..." }'
{ "businessTransactionId": "...", "trustRecordHash": "...", "verified": true }
This confirms the stored Execution Trust Record hasn’t been tampered with since it was written — useful, but it’s an integrity check, not independent confirmation that the recorded Decision was the correct one given the recorded Policy and signals.
What real deterministic replay would check
packages/replay/src/ReplayEngine.ts re-runs PolicyEngine.evaluate() against the trust record’s recorded transaction.signals and policy, and compares its own replayedDecision.outcome against the recordedDecision.outcome:
import { ReplayEngine } from "@parmana/replay";
const engine = new ReplayEngine();
const result = engine.replay({
trustRecord, // from GET /trust-records/:id
transaction: trustRecord.transaction,
policy, // the same Policy version referenced by trustRecord.transaction.policy
});
// result.matches === true means the policy would make the same decision again today,
// given the same recorded signals.
This is not currently reachable through packages/api — you’d construct and call ReplayEngine yourself, in your own code, against a trust record and policy you’ve fetched independently (e.g. via GET /trust-records/:id and reading the policy file directly from policies/<name>/<version>/policy.json).
examples/06-replay’s run.ts is currently an unimplemented stub (console.log("Parmana Example 06 - Replay")) — there’s no runnable example of either path in the monorepo yet.
Why this distinction matters
- Hash verification (
POST /replay, POST /verify today) answers: has this record been altered since it was written?
- Deterministic decision replay (
ReplayEngine, not currently wired in) answers: would the same Policy, given the same signals, produce the same Decision again, independent of trusting the original run?
Both matter for an audit — a record can be byte-for-byte unaltered and still have been produced by a buggy or since-changed policy evaluation. See FAQ for more on how this relates to Verification.
Replay (REST API)
The endpoint and its current behavior.
replay package
ReplayEngine in full.
Policy
What’s being re-evaluated.
Trust Chain Audit
Reading the full record this operates on.