[AVAILABLE], every command below was run in this session, commit
651497a.Goal
See every stage of how Parmana thinks fire for one real transaction: policy decision, the signed authorization envelope itself (not just its effects), gateway re-verification, and the resulting trust record.Prerequisites
- Completed Quickstart once, or at least read it, this guide assumes the server and keys are already set up the same way.
- Read Execution authorization, this guide shows the envelope that page describes.
Steps
1. See the authorization envelope directly
The REST API never returns aSignedExecutionAuthorization to the caller, The
gateway consumes it internally and returns only the resulting trust
record. To actually see the envelope, use the Runtime library directly, which is exactly
what examples/tutorials/11-execution-authorization/run.ts does: build a Runtime with a
FilePolicyRepository, execute a transaction, and print result.context.authorization
before it’s discarded.
Content Hash is businessTransactionHash, the field The gateway
independently recomputes and compares before releasing execution. Expires At is two
minutes after Authorized At, the envelope’s TTL.
2. Run the same shape of request through the full server
This library call skips the gateway and connector entirely, it’s the Runtime in isolation. To see the whole pipeline, authorization through gateway verification through credential issuance through a connector, run Quickstart steps 3 and 5 if you haven’t: start the server, then execute a transaction over HTTP.Verify
Compare what each path returns. The library call above hands you the rawSignedExecutionAuthorization, algorithm, key ID, nonce, expiry, content hash, all visible.
The HTTP call in Quickstart hands you only the final ExecutionTrustRecord, the
authorization existed and was checked, but the envelope itself never leaves the server
process, The gateway is what consumed it. Both paths produce a
trust record whose executions[0].decision.outcome is "APPROVED" for the same input
signals, same policy, same outcome, different amount of what you get to see.
Troubleshoot
Execution Authorization was not generatedthrown by the tutorial. The transaction’s Decision came backREJECTED, an authorization is signed only after approval, see Write your first policy for what a rejected decision actually does (it throws, it doesn’t return aREJECTEDobject).- The HTTP path’s trust record has no visible authorization anywhere. This is by design, not a bug, see step 2 above.
Content Hashdiffers between two runs with identical-looking transaction JSON. Check timestamps and generated IDs (businessTransactionId,intentId, etc.), the hash covers the full executable content, any field that differs between runs changes it.
Next
Detect tampering
Mutate this same content and watch the hash comparison reject it.
Verify a trust record independently
Check the resulting trust record’s signature without Parmana running at all.