Replay store
Switch from MemoryReplayStore to RedisReplayStore
MemoryReplayStore loses all replay protection state on process restart and does not work across multiple processes. Any duplicate execution that crosses a restart boundary will not be detected.
import { RedisReplayStore } from "@parmanasystems/core";
const store = new RedisReplayStore(
process.env.REDIS_URL ?? "redis://localhost:6379"
);
Key management
Store private keys in a secrets manager - not in source code
Use environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager)
Back up your public key - you need it to verify all historical attestations
const signer = new LocalSigner(process.env.GOVERNANCE_PRIVATE_KEY!);
const verifier = new LocalVerifier(process.env.GOVERNANCE_PUBLIC_KEY!);
AwsKmsSigner from @parmanasystems/execution. Because AwsKmsSigner is not re-exported from @parmanasystems/core, import it directly:
import { AwsKmsSigner } from "@parmanasystems/execution";
const signer = new AwsKmsSigner("arn:aws:kms:us-east-1:123456789012:key/...");
Policy bundles
Compile and sign all policies before deployment
Verify bundle integrity on every deployment
Never modify a policy.json after its bundle has been signed - create a new version instead
npx parmana policy compile ./policies/loan-approval/1.0.0
npx parmana policy build ./policies/loan-approval/1.0.0
npx parmana verify bundle ./policies/loan-approval/1.0.0
Audit persistence
Store attestations in a persistent database
Never delete attestations - they are your audit trail
Store the public key alongside attestations for long-term verification
@parmanasystems/audit-db for PostgreSQL-backed attestation storage with full querying support.
import { AuditDb, runMigrations } from "@parmanasystems/audit-db";
// Run migrations once at startup
await runMigrations(process.env.DATABASE_URL!);
// Or use db.migrate() which calls runMigrations internally
const db = new AuditDb(process.env.DATABASE_URL!);
await db.migrate();
await db.recordDecision({
executionId: attestation.executionId,
policyId: attestation.policyId,
policyVersion: attestation.policyVersion,
decision_action: attestation.decision.action,
decision_reason: attestation.decision.reason,
requires_override: attestation.decision.requires_override,
execution_state: attestation.execution_state,
execution_fingerprint: attestation.execution_fingerprint,
signature: attestation.signature,
});
Monitoring and alerting
Alert on governance execution errors - policy not found, invalid signals, replay violations
Alert on INV-013 replay violations - these may indicate double-submission attacks or misconfigured retry logic
Monitor replay store health - if Redis is unavailable, execution will be blocked (fail-closed)
try {
const attestation = await executeFromSignals(...);
} catch (error: any) {
if (error.message.includes("INV-013")) {
metrics.increment("governance.replay_violation");
logger.warn({ msg: "Replay detected", fingerprint: error.fingerprint });
}
}
Multi-process deployments
Use RedisReplayStore - MemoryReplayStore does not share state across processes
If using @parmanasystems/server, ensure all instances share the same Redis instance
Verification at read time
Re-verify attestations when reading from the database for compliance-critical operations
const stored = await db.getDecision(executionId);
const result = verifyAttestation(stored, verifier);
if (!result.valid) {
// Attestation has been tampered with
securityAlert("TAMPERED_ATTESTATION", { executionId });
}
