[AVAILABLE] for every export below. [ROADMAP] for KMS/HSM key custody, no provider class exists for it yet, see Deploy patterns.
Purpose
Every hash and signature in Parmana goes through this package: trust record hashing, authorization signing and verification, receipt signing, and canonical JSON serialization so the signing side and verifying side always compute byte-identical input.Install
Key exports
Bootstrap, [AVAILABLE]
| Export | Signature |
|---|---|
CryptoBootstrap.create() | (): CryptoProvider, builds from config.crypto.primarySignatureProvider |
CryptoBootstrap.createHybrid() | (): HybridCryptoProvider, requires SECONDARY_SIGNATURE_PROVIDER set, throws otherwise |
High-level services, [AVAILABLE]
| Export | Purpose |
|---|---|
VerificationCrypto | .hash(), .sign(), .verifySignature(), .verify() on an ExecutionTrustRecord. No constructor arguments, builds its own FileKeyProvider internally. See Verify a trust record independently. |
AuthorizationSigner | .sign({ decisionId, businessTransactionId, policyName, policyVersion, executableContent }, privateKey, keyId, ttlSeconds): Promise<SignedExecutionAuthorization> |
AuthorizationVerifier | Verifies a SignedExecutionAuthorization’s signature independent of @parmana/envelope-verifier’s fuller checks (expiry, nonce, TTL policy) |
ReceiptCrypto | Signs and verifies Receipt artifacts |
TrustRecordHasher | Canonical hash of an ExecutionTrustRecord’s signed fields, see Execution trust records for exactly which fields |
ExecutableContentHasher | Canonical hash of { businessTransactionId, action, target, parameters }, the value bound into businessTransactionHash, see The gateway |
ReceiptHasher | Canonical hash for receipts |
Low-level primitives, [AVAILABLE]
| Export | Purpose |
|---|---|
ArtifactSigner / SignatureVerifier | Sign/verify any canonically-serializable object with a given CryptoProvider |
CanonicalSerializer | Key-sorted, deterministic JSON serialization, what makes hashing reproducible |
Ed25519SignatureProvider | Default signature provider |
Dilithium3SignatureProvider | ML-DSA-65 (FIPS 204) provider, requires Node ≥ 24, produces randomized (non-deterministic) signatures |
SHA256HashProvider | Default hash provider |
FileKeyProvider | .getPrivateKey(keyId), .getPublicKey(keyId), reads <PARMANA_KEY_DIR>/<keyId>.{private,public}.pem. getPublicKey never checks for the private key file. The only implemented KeyProvider. |
assertKeyType | Fails closed, naming both expected and actual key type, if a key doesn’t match the configured provider (CLAIMS.md 2.13) |
Hybrid signing, [AVAILABLE]
| Export | Purpose |
|---|---|
HybridSigner / HybridVerifier | Sign or verify with two CryptoProviders at once |
SignatureBundleBuilder | Builds a SignatureBundle (primary + secondary signature) |
Minimal example
Next
Choose a signature provider
Ed25519, ML-DSA-65, and hybrid signing, all run live.
@parmana/envelope-verifier
Where
AuthorizationVerifier’s check fits into the fuller envelope verification flow.