# Production Checklist

> Everything you need before going to production with Parmana

## Replay store

<Check>Switch from MemoryReplayStore to RedisReplayStore</Check>

`MemoryReplayStore` loses all replay protection state on process restart and does not work across multiple processes. Any duplicate execution that crosses a restart boundary will not be detected.

```typescript
import { RedisReplayStore } from "@parmanasystems/core";

const store = new RedisReplayStore(
  process.env.REDIS_URL ?? "redis://localhost:6379"
);
```

## Key management

<Check>Store private keys in a secrets manager - not in source code</Check>
<Check>Use environment variables or a secrets manager (AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager)</Check>
<Check>Back up your public key - you need it to verify all historical attestations</Check>

```typescript
const signer   = new LocalSigner(process.env.GOVERNANCE_PRIVATE_KEY!);
const verifier = new LocalVerifier(process.env.GOVERNANCE_PUBLIC_KEY!);
```

For AWS KMS-backed signing, use `AwsKmsSigner` from `@parmanasystems/execution`. Because `AwsKmsSigner` is not re-exported from `@parmanasystems/core`, import it directly:

```typescript
import { AwsKmsSigner } from "@parmanasystems/execution";

const signer = new AwsKmsSigner("arn:aws:kms:us-east-1:123456789012:key/...");
```

## Policy bundles

<Check>Compile and sign all policies before deployment</Check>
<Check>Verify bundle integrity on every deployment</Check>
<Check>Never modify a policy.json after its bundle has been signed - create a new version instead</Check>

```bash
npx parmana policy compile ./policies/loan-approval/1.0.0
npx parmana policy build   ./policies/loan-approval/1.0.0
npx parmana verify bundle  ./policies/loan-approval/1.0.0
```

## Audit persistence

<Check>Store attestations in a persistent database</Check>
<Check>Never delete attestations - they are your audit trail</Check>
<Check>Store the public key alongside attestations for long-term verification</Check>

Use `@parmanasystems/audit-db` for PostgreSQL-backed attestation storage with full querying support.

```typescript
import { AuditDb, runMigrations } from "@parmanasystems/audit-db";

// Run migrations once at startup, either directly:
await runMigrations(process.env.DATABASE_URL!);
// or through the AuditDb instance (db.migrate() calls runMigrations internally):
const db = new AuditDb(process.env.DATABASE_URL!);
await db.migrate();

// Persist the attestation returned by a governed execution
await db.recordDecision({
  executionId:           attestation.executionId,
  policyId:              attestation.policyId,
  policyVersion:         attestation.policyVersion,
  decision_action:       attestation.decision.action,
  decision_reason:       attestation.decision.reason,
  requires_override:     attestation.decision.requires_override,
  execution_state:       attestation.execution_state,
  execution_fingerprint: attestation.execution_fingerprint,
  signature:             attestation.signature,
});
```

## Monitoring and alerting

<Check>Alert on governance execution errors - policy not found, invalid signals, replay violations</Check>
<Check>Alert on `INV-013` replay violations - these may indicate double-submission attacks or misconfigured retry logic</Check>
<Check>Monitor replay store health - if Redis is unavailable, execution will be blocked (fail-closed)</Check>

```typescript
try {
  const attestation = await executeFromSignals(...);
} catch (error: any) {
  if (error?.message?.includes("INV-013")) {
    // Replay violation: count it and log the fingerprint for investigation
    metrics.increment("governance.replay_violation");
    logger.warn({ msg: "Replay detected", fingerprint: error.fingerprint });
  }
  // Rethrow so other governance errors are not swallowed here
  throw error;
}
```

## Multi-process deployments

<Check>Use RedisReplayStore - MemoryReplayStore does not share state across processes</Check>
<Check>If using @parmanasystems/server, ensure all instances share the same Redis instance</Check>
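
The failure mode behind the replay-store and multi-process items above, as an added example that is not Parmana code: `ReplayStoreModel`, `PerProcessStore`, `SharedBackend`, `SharedStore` and `handle` are hypothetical names that model per-process versus shared replay state, plus the fail-closed outcome when the shared store is down. The fingerprint values are constructed.

```typescript
// Hypothetical model, not Parmana's API: a replay store claims each fingerprint once.
interface ReplayStoreModel {
  claim(fingerprint: string): boolean; // true = first use, false = replay
}

// Per-process state: gone on restart, invisible to other workers.
class PerProcessStore implements ReplayStoreModel {
  private seen = new Set<string>();
  claim(fp: string): boolean {
    const first = !this.seen.has(fp);
    this.seen.add(fp);
    return first;
  }
}

// Stand-in for one shared backend (the role Redis plays); `up` simulates an outage.
class SharedBackend {
  up = true;
  readonly seen = new Set<string>();
}

class SharedStore implements ReplayStoreModel {
  private backend: SharedBackend;
  constructor(backend: SharedBackend) { this.backend = backend; }
  claim(fp: string): boolean {
    if (!this.backend.up) throw new Error("replay store unavailable");
    const first = !this.backend.seen.has(fp);
    this.backend.seen.add(fp);
    return first;
  }
}

type Outcome = "executed" | "replay_rejected" | "blocked_store_down";

// One worker handling one request. Fail-closed: no answer from the store, no execution.
function handle(store: ReplayStoreModel, fingerprint: string): Outcome {
  let first: boolean;
  try {
    first = store.claim(fingerprint);
  } catch {
    return "blocked_store_down";
  }
  return first ? "executed" : "replay_rejected";
}

// Constructed scenario: one fingerprint reaches two workers (or one worker before and after a restart).
function duplicateAcrossWorkers(makeStore: () => ReplayStoreModel): Outcome[] {
  const fp = "fp-constructed-001";
  return [handle(makeStore(), fp), handle(makeStore(), fp)];
}
```

With a fresh `PerProcessStore` per worker both submissions execute; with `SharedStore` instances over one `SharedBackend` the second is rejected, and setting `up = false` blocks execution entirely.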

## Verification at read time

<Check>Re-verify attestations when reading from the database for compliance-critical operations</Check>

```typescript
const stored = await db.getDecision(executionId);
const result = verifyAttestation(stored, verifier);

if (!result.valid) {
  // Attestation has been tampered with
  securityAlert("TAMPERED_ATTESTATION", { executionId });
}
```
