JSPM

@parmanasystems/signing

1.98.54
  • License Apache-2.0

Deterministic runtime signing infrastructure for governed execution authority, KMS abstraction, and independently verifiable trust lineage.

Package Exports

  • @parmanasystems/signing
  • @parmanasystems/signing/package.json

Readme

@parmanasystems/signing

Runtime signing authority for the Parmana server. At startup it reads the paths of the Ed25519 PEM key files from environment variables, wraps the key material in a SigningAuthority interface, and provides the authority to the server and execution runtime. This package is the bridge between the deployment's key management strategy and the Signer interface that executeFromSignals and executeDecision require.


Public API

/**
 * Create a SigningAuthority from environment variables.
 * Reads PARMANA_SIGNING_PROVIDER to select the backend.
 * Currently only "local" is supported — reads PEM key files from paths
 * in PARMANA_SIGNING_PRIVATE_KEY_PATH and PARMANA_SIGNING_PUBLIC_KEY_PATH.
 * Throws [SYS-TRUST-002] for unknown providers.
 */
function createSigningAuthority(): SigningAuthority

/**
 * File-backed Ed25519 signer that reads PEM key paths from env vars at construction.
 * Throws [SYS-TRUST-001] if key path env vars are missing.
 */
class EnvPemSigner implements SigningAuthority {
  constructor()                                // reads env vars
  async sign(payload: string): Promise<string> // returns base64 signature
  getPublicKey(): string                       // returns SPKI PEM string
}

/**
 * The signing authority interface. Implemented by EnvPemSigner.
 * Extends the Signer interface with getPublicKey().
 */
interface SigningAuthority {
  sign(payload: string): Promise<string>;
  getPublicKey(): string;
}

Environment variables

Variable | Required | Description
PARMANA_SIGNING_PROVIDER | No | Signing backend. Only local is supported. Default: local.
PARMANA_SIGNING_PRIVATE_KEY_PATH | Yes (when provider is local) | Absolute path to the Ed25519 PKCS8 private key PEM file.
PARMANA_SIGNING_PUBLIC_KEY_PATH | Yes (when provider is local) | Absolute path to the Ed25519 SPKI public key PEM file.

Generate a key pair:

openssl genpkey -algorithm ed25519 -out /secure/parmana/private.pem
openssl pkey -pubout -in /secure/parmana/private.pem -out /secure/parmana/public.pem
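
A preflight check for the two PEM files, as an added example that is not part of @parmanasystems/signing: it confirms that both keys are Ed25519, that the public key belongs to the private key, and that the private key file is not group- or world-accessible. The names checkSigningKeys and demo are hypothetical, and the key pairs are throwaway ones constructed for the example.

```javascript
const crypto = require('node:crypto');
const fs = require('node:fs');
const os = require('node:os');
const path = require('node:path');

// Hypothetical helper (not a package export); returns [] when the pair is usable.
function checkSigningKeys(privatePath, publicPath) {
  const problems = [];
  // POSIX only: the private key should carry no group/other permission bits.
  const mode = fs.statSync(privatePath).mode & 0o777;
  if (process.platform !== 'win32' && (mode & 0o077) !== 0) {
    problems.push(`private key mode ${mode.toString(8)} is group/world accessible`);
  }
  // Assumes unencrypted PEM, as produced by the openssl commands above.
  const priv = crypto.createPrivateKey(fs.readFileSync(privatePath));
  const pub = crypto.createPublicKey(fs.readFileSync(publicPath));
  if (priv.asymmetricKeyType !== 'ed25519' || pub.asymmetricKeyType !== 'ed25519') {
    problems.push('both keys must be Ed25519');
    return problems;
  }
  // Derive the public key from the private key and compare SPKI encodings.
  const spki = (key) => key.export({ type: 'spki', format: 'der' });
  if (!spki(crypto.createPublicKey(priv)).equals(spki(pub))) {
    problems.push('public key does not match private key');
  }
  return problems;
}

// Constructed sample input: throwaway key pairs written to a temp directory.
function demo() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'signing-preflight-'));
  const write = (name, key, type, mode) => {
    const file = path.join(dir, name);
    fs.writeFileSync(file, key.export({ type, format: 'pem' }), { mode });
    fs.chmodSync(file, mode); // set explicitly so the umask does not matter
    return file;
  };
  const a = crypto.generateKeyPairSync('ed25519');
  const b = crypto.generateKeyPairSync('ed25519');
  const privA = write('private.pem', a.privateKey, 'pkcs8', 0o600);
  const pubA = write('public.pem', a.publicKey, 'spki', 0o644);
  const pubB = write('other.pem', b.publicKey, 'spki', 0o644);
  const good = checkSigningKeys(privA, pubA);
  const mismatched = checkSigningKeys(privA, pubB);
  fs.chmodSync(privA, 0o644); // loosen the mode to show the permission finding
  const loose = checkSigningKeys(privA, pubA);
  fs.rmSync(dir, { recursive: true, force: true });
  return { good, mismatched, loose };
}
```

In a deployment, pass the values of PARMANA_SIGNING_PRIVATE_KEY_PATH and PARMANA_SIGNING_PUBLIC_KEY_PATH to checkSigningKeys before the server starts and refuse to start when the returned list is not empty.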

Package wiring

@parmanasystems/signing has no internal @parmanasystems dependencies. It is used exclusively by @parmanasystems/server: getRuntimeSecurityContext() calls createSigningAuthority() and passes the resulting SigningAuthority as the signer argument to executeFromSignals. The LocalVerifier in @parmanasystems/execution is constructed with the public key from signer.getPublicKey().