# SBOM ledger retention policy

## Purpose
Retention keeps ledger history bounded while preserving audit trails for compliance.

## Configuration
Settings are bound from `SbomService:Ledger` (env prefix `SBOM_SbomService__Ledger__`):
- `MaxVersionsPerArtifact`: max ledger versions retained per artifact (default 50).
- `MaxAgeDays`: prune versions older than N days (0 disables age pruning).
- `MinVersionsToKeep`: minimum versions always retained per artifact.

## Operations
- `POST /internal/sbom/retention/prune` applies retention rules and returns a summary.
- `GET /internal/sbom/ledger/audit?artifact=<ref>` returns audit entries for create/prune actions.

## Guarantees
- Audit entries are append-only and preserved even when versions are pruned.
- Deterministic ordering is used when selecting versions to prune.