Every item below is sourced, CLAIMS.md §5 for the permanent refusals, or a specific
file/test/live run for everything else on this page.
Permanent refusals, CLAIMS.md §5
These are not “not yet” items. Parmana does not intend to ever make these claims unscoped, because no implementation could honestly back them:- Execution is impossible to bypass under all circumstances.
- Mathematical proof of execution correctness.
- Cryptographic proof of every aspect of runtime behavior.
- Guaranteed regulatory compliance.
- Absolute prevention of all unauthorized execution.
- Tamper-proof operation in every deployment environment.
- Elimination of all software defects or operational risks.
- “Non-bypassable” or “the single execution authority” as an unscoped, system-wide claim. The gateway enforces nothing at the network level, and is a property of systems that route through it, not of the network Parmana runs on.
- Deterministic signature output for ML-DSA-65. Those signatures are randomized by design, only verification is deterministic, see Choose a signature provider.
Scoped claims, not absent ones
Some real, tested guarantees hold only within a stated boundary. Treating the boundary as the whole claim is the honest reading:- Envelope verification is non-bypassable only for a system that runs it. As of commit
651497athe default server does, for the one connector it registers. A system you build that doesn’t call@parmana/envelope-verifiergets none of this. - Single-use is scoped to whichever
NonceStoreinstance checks it. Independent gateway instances, each with their ownMemoryNonceStore, can each accept the same authorization once, not once fleet-wide (CLAIMS.md 3.2). - Credential isolation is proven for one connector,
vendor-payment. The mechanism is generic and tested, but reaching a second connector today is a bootstrap code change, not something the architecture does automatically, see Credential isolation.
Mocks are labeled as mocks
SapConnector, OracleConnector, WorkdayConnector, and SalesforceConnector
(packages/connector-sdk/src/connectors/) are explicit, self-documented reference mocks,
“deterministic, in-memory connector used until the real enterprise connector is
implemented.” None of them calls a real SAP, Oracle, Workday, or Salesforce system, and
none is wired into the default server. No real enterprise connector exists in this
repository for any vendor. See The gateway and Add a connector
with the Connector SDK.
Real, tested, and disconnected from the default server
Two packages found during this documentation effort are genuinely built and tested, but don’t participate in the pipelinepackages/api actually runs:
@parmana/receipt: itsExecutionReceiptBuilder,ExecutionReceiptVerifier, and the separateExecutionPermitmodel it depends on (from@parmana/execution-control) are exercised only byexamples/tutorials/53through56. Nothing inpackages/runtimeorpackages/apiimports@parmana/receipt. See @parmana/receipt.@parmana/replay’sReplayEngine: does genuinely re-evaluate a recorded policy decision, real semantic verification, not a signature recheck, but nothing inpackages/apiorpackages/runtimeimports it either.POST /replayis a separate, narrower thing (a signature recheck). See @parmana/replay.
No authentication
packages/api has no auth middleware on any of its 14 routes today. Every route in
Endpoints is unauthenticated in the current implementation, this
is a present, current gap, not a caveat about some future deployment.
No key management beyond local files
Both signing keys,default.*.pem and gateway.*.pem, are files on disk read by
FileKeyProvider, the only implemented KeyProvider. aws-kms, azure-key-vault,
gcp-kms, and hsm are declared as valid config values with zero implementing classes,
setting KEY_PROVIDER to one of these does nothing. See Deploy patterns
and the key-compromise incident on Security.
One verified, current gap in error handling
A structurally incompletePOST /execute body (a valid UUID, but missing required nested
fields) does not produce the clean 400 the error-handler appears designed to return, it
throws an unhandled TypeError deep in validation, caught only by a generic 500. Verified
live, not inferred, see Endpoints. This is reported, not fixed,
in this documentation pass.
Next
The CLAIMS.md discipline
How to verify any of the above yourself.
Roadmap
What’s designed but not built yet, and the sequencing behind it.