Replay store

Switch from MemoryReplayStore to RedisReplayStore
MemoryReplayStore loses all replay protection state on process restart and does not work across multiple processes. Any duplicate execution that crosses a restart boundary will not be detected.
import { RedisReplayStore } from "@parmanasystems/core";

const store = new RedisReplayStore({
  host: process.env.REDIS_HOST,
  port: parseInt(process.env.REDIS_PORT ?? "6379", 10),
});

Key management

Store private keys in a secrets manager - not in source code
Use environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager)
Back up your public key - you need it to verify all historical attestations
const signer   = new LocalSigner(process.env.GOVERNANCE_PRIVATE_KEY!);
const verifier = new LocalVerifier(process.env.GOVERNANCE_PUBLIC_KEY!);
For AWS KMS-backed signing, use AwsKmsSigner from @parmanasystems/execution:
import { AwsKmsSigner } from "@parmanasystems/execution";

const signer = new AwsKmsSigner("arn:aws:kms:us-east-1:123456789012:key/...");

Policy bundles

Compile and sign all policies before deployment
Verify bundle integrity on every deployment
Never modify a policy.json after its bundle has been signed - create a new version instead
npx parmana policy compile ./policies/loan-approval/1.0.0
npx parmana policy build   ./policies/loan-approval/1.0.0
npx parmana verify bundle  ./policies/loan-approval/1.0.0

Audit persistence

Store attestations in a persistent database
Never delete attestations - they are your audit trail
Store the public key alongside attestations for long-term verification
Use @parmanasystems/audit-db for PostgreSQL-backed attestation storage with full querying support.
import { AuditDb, runMigrations } from "@parmanasystems/audit-db";

await runMigrations(process.env.DATABASE_URL!);
const db = new AuditDb(process.env.DATABASE_URL!);

await db.recordDecision({
  executionId:           attestation.executionId,
  policyId:              attestation.policyId,
  policyVersion:         attestation.policyVersion,
  decision_action:       attestation.decision.action,
  decision_reason:       attestation.decision.reason,
  requires_override:     attestation.decision.requires_override,
  execution_state:       attestation.execution_state,
  execution_fingerprint: attestation.execution_fingerprint,
  signature:             attestation.signature,
});

Monitoring and alerting

Alert on governance execution errors - policy not found, invalid signals, replay violations
Alert on INV-013 replay violations - these may indicate double-submission attacks or misconfigured retry logic
Monitor replay store health - if Redis is unavailable, execution will be blocked (fail-closed)
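try {
  const attestation = await executeFromSignals(...);
} catch (error: any) {
  // Count and log replay violations (INV-013) so they can drive an alert
  if (error.message.includes("INV-013")) {
    metrics.increment("governance.replay_violation");
    logger.warn({ msg: "Replay detected", fingerprint: error.fingerprint });
  }
  // Re-throw so that no governance failure is silently swallowed
  throw error;
}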

Multi-process deployments

Use RedisReplayStore - MemoryReplayStore does not share state across processes
If using @parmanasystems/server, ensure all instances share the same Redis instance
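
The replay-store behaviour described under "Replay store", "Monitoring and alerting" and this section, modelled as an added example that is not code from the Parmana packages. All names (ReplayStoreModel, guardedExecute, the fingerprint value) are hypothetical, and a plain Map stands in for either one process's memory or a shared Redis instance; how RedisReplayStore itself claims a fingerprint is not shown on this page.

```typescript
// Added illustration: hypothetical names, not the @parmanasystems implementation.
type Backend = Map<string, true>; // one key space: a process heap, or a shared server
type Outcome = "executed" | "replay-rejected" | "blocked";

class ReplayStoreModel {
  backend: Backend;
  isUp: () => boolean;
  constructor(backend: Backend, isUp: () => boolean = () => true) {
    this.backend = backend;
    this.isUp = isUp;
  }
  // Claim a fingerprint: true on first use, false if it was already seen.
  claim(fingerprint: string): boolean {
    if (!this.isUp()) throw new Error("replay store unavailable");
    if (this.backend.has(fingerprint)) return false;
    this.backend.set(fingerprint, true);
    return true;
  }
}

// Fail-closed guard: when the store cannot answer, the action never runs.
function guardedExecute(store: ReplayStoreModel, fp: string, action: () => void): Outcome {
  try {
    if (!store.claim(fp)) return "replay-rejected";
  } catch {
    return "blocked";
  }
  action();
  return "executed";
}

// Submit one constructed fingerprint to two workers and count side effects.
function submitToBoth(a: ReplayStoreModel, b: ReplayStoreModel) {
  let sideEffects = 0;
  const outcomes = [a, b].map((s) => guardedExecute(s, "fp-constructed-001", () => { sideEffects++; }));
  return { outcomes: outcomes.join(","), sideEffects };
}

// Each worker (or each restart) starts with a fresh Map: the duplicate runs twice.
function perProcessMemory() {
  return submitToBoth(new ReplayStoreModel(new Map()), new ReplayStoreModel(new Map()));
}
// Both workers share one key space: the second submission is rejected.
function sharedStore() {
  const shared: Backend = new Map();
  return submitToBoth(new ReplayStoreModel(shared), new ReplayStoreModel(shared));
}
// The shared store is unreachable: nothing executes (fail-closed).
function sharedStoreOutage() {
  const down = new ReplayStoreModel(new Map(), () => false);
  return submitToBoth(down, down);
}
```

A real shared store must make the check-and-set in `claim` a single atomic operation on the server, since two processes can otherwise both pass the `has` check before either writes.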

Verification at read time

Re-verify attestations when reading from the database for compliance-critical operations
const stored = await db.getDecision(executionId);
const result = verifyAttestation(stored, verifier);

if (!result.valid) {
  // Attestation has been tampered with
  securityAlert("TAMPERED_ATTESTATION", { executionId });
}