> ## Documentation Index
> Fetch the complete documentation index at: https://docs.parmanasystems.com/llms.txt
> Use this file to discover all available pages before exploring further.

# @parmana/execution-control

> Gateway-authenticated, session-scoped credential isolation for connectors. Also home to a separate, currently-unwired Execution Permit model, disambiguated below.

<Info>**\[AVAILABLE]** for credential isolation, wired into the default server. **\[PARTIAL]** for the separate `ExecutionPermit` model described below, real and tested, not reachable from `packages/api` or `packages/runtime` today.</Info>

## Purpose

Authenticates a calling gateway, issues single-use session credentials, and routes a
verified release to a connector, auditing every step. See [Credential
isolation](/concepts/credential-isolation) and [Gateway attestation](/concepts/gateway-attestation)
for the concepts.

## Install

```bash theme={null}
npm install @parmana/execution-control
```

## Key exports: the wired credential-isolation path

| Export                                                                                                                                     | Stability                                                                                                                          |
| ------------------------------------------------------------------------------------------------------------------------------------------ | ---------------------------------------------------------------------------------------------------------------------------------- |
| `ExecutionControlService`                                                                                                                  | \[AVAILABLE]. Authenticates a gateway, opens a session, routes to a connector, audits each step.                                   |
| `SessionCredentialExecutionControl`                                                                                                        | \[AVAILABLE]. Wraps `ExecutionControlService` so no session can be created without a valid, request-bound gateway attestation.     |
| `GatewayAttestationSigner` / `GatewayAttestation`                                                                                          | \[AVAILABLE]. See [Gateway attestation](/concepts/gateway-attestation).                                                            |
| `SignedTokenConnectorAuthenticator`                                                                                                        | \[AVAILABLE]. Verifies a `GatewayAttestation`'s signature and that it's bound to the request's `authorizationId`.                  |
| `SessionCredentialVault`, `InMemorySessionCredentialVault`                                                                                 | \[AVAILABLE]. Single-use, time-bounded credential leases. See [Issue and verify session credentials](/guides/session-credentials). |
| `SessionCredentialSecureConnector`                                                                                                         | \[AVAILABLE]. Wraps a raw executor so it only runs after policy, attestation, and session checks all pass.                         |
| `Clock`, `SystemClock`, `IdGenerator`, `RandomIdGenerator`                                                                                 | \[AVAILABLE]. See [Determinism and clocks](/concepts/determinism-and-clocks) for their real, narrow scope.                         |
| `MemoryExecutionAuditSink`                                                                                                                 | \[AVAILABLE]. In-memory only, records `session.created` / `execution.completed` / `execution.rejected` events.                     |
| `ConnectorRegistry`, `ConnectorAuthenticator`, `CredentialVault`, `GatewaySessionStore`, `ConnectorPolicy`, `SecureConnector` (interfaces) | \[AVAILABLE]. The seams `@parmana/connector-sdk` implements.                                                                       |

## A second, separate model in this package: `ExecutionPermit`

<Warning>
  **This is not the same thing as "Execution Permit," an earlier prototype name for [Execution
  authorization](/concepts/execution-authorization)** (`packages/shared/src/domain/execution-permit.ts`,
  added and deleted the same day, see the [Glossary](/glossary)). That file is gone. This is a
  different, currently real, `ExecutionPermit`:

  ```typescript theme={null}
  // packages/execution-control/src/models/ExecutionPermit.ts
  export interface ExecutionPermit {
    readonly permitId: string;
    readonly artifactHash: string;
    readonly gatewayId: string;
    readonly policyVersion: string;
    readonly decision: ExecutionDecision;
    readonly issuedAt: string;
    readonly expiresAt: string;
    readonly signatures: SignatureBundle;
  }
  ```

  `ExecutionPermitBuilder` and `ExecutionDecision` (also exported from this package) build
  this artifact. It's consumed by `@parmana/receipt`'s `ExecutionReceiptBuilder`, and exercised
  end to end by `examples/tutorials/53-execution-permit/` through `56-complete-execution-flow/`.
  **Nothing in `packages/runtime` or `packages/api` imports `@parmana/receipt` or this
  `ExecutionPermit` model.** It is real, tested, hybrid-signature-capable code, running in a
  parallel path the default server and the main [Execution trust record](/concepts/execution-trust-records)
  pipeline never touch.
</Warning>

## Minimal example

```typescript theme={null}
import { InMemorySessionCredentialVault, RandomIdGenerator, SystemClock } from "@parmana/execution-control";

const vault = new InMemorySessionCredentialVault({
  credentials, clock: new SystemClock(), idGenerator: new RandomIdGenerator(), lifetimeMs: 30_000,
});
const session = await vault.issue("vendor-payment", authorizationId);
const credential = await vault.consume(session.sessionCredentialId); // only once
```

Full runnable version: [Issue and verify session credentials](/guides/session-credentials).

## Next

<CardGroup cols={2}>
  <Card title="Issue and verify session credentials" icon="key" href="/guides/session-credentials">
    Issue, consume, expire, reuse-reject, and revoke, run live.
  </Card>

  <Card title="@parmana/receipt" icon="file-check" href="/reference/receipt">
    The other half of the unwired `ExecutionPermit` path.
  </Card>
</CardGroup>
