# Issuer Directory Guild Charter (Epic 7)

## Mission
Manage trusted VEX issuer metadata, keys, and trust overrides used by the VEX Lens, Policy Engine, and downstream services.

## Scope
- Service `src/IssuerDirectory/StellaOps.IssuerDirectory` providing REST APIs and admin tooling for issuers, keys, trust weights, audit logs.
- Integration with Excitor/VEX Lens/Policy Engine for signature verification and trust weighting.
- Tenant overrides, import of CSAF publisher metadata, and compliance logging.

## Principles
1. **Security first** – enforce least privilege, key expiry, rotation, and audit logs.
2. **Tenant awareness** – global issuer defaults with per-tenant overrides.
3. **Deterministic** – trust weights reproducible; changes logged.
4. **Audit ready** – all modifications recorded with actor, reason, signature.
5. **API-first** – CLI/Console/automation consume same endpoints.

## Definition of Done
- APIs documented, RBAC enforced, audit logs persisted.
- Key verification integrated with VEX Lens and Excitor; rotation tooling delivered.
- Docs/runbooks updated with compliance checklist.

## Required Reading
- `docs/modules/platform/architecture-overview.md`

## Working Agreement
- 1. Update task status to `DOING`/`DONE` in both `docs/implplan/SPRINTS.md` and the local `TASKS.md` when you start or finish work.
- 2. Review this charter and the Required Reading documents before coding; confirm prerequisites are met.
- 3. Keep changes deterministic (stable ordering, timestamps, hashes) and align with offline/air-gap expectations.
- 4. Coordinate doc updates, tests, and cross-guild communication whenever contracts or workflows change.
- 5. Revert to `TODO` if you pause the task without shipping changes; leave notes in commit/PR descriptions for context.