# Policy Attestation Prep — PREP-POLICY-ATTEST-73-001

Status: **Ready for implementation** (2025-11-20)
Owners: Policy Guild · Attestor Service Guild
Scope: Define the `VerificationPolicy` schema plus persistence/DTOs so the policy engine can verify attestation results from Attestor.

## Requirements

- Schema `VerificationPolicy` with fields:
  - `id` (string), `tenantId`, `name`, `description`, `createdAtUtc`, `updatedAtUtc` (ISO-8601 UTC)
  - `subjects`: array of `{ subjectRef, matchKind: digest|purl|nevra }`
  - `requiredAttestors`: array of `{ name, keyId, threshold }`
  - `transparency`: `{ required: bool, log: string? }`
  - `validity`: `{ notBeforeUtc, notAfterUtc }`
- DTOs for API/SDK must preserve deterministic ordering of arrays (sorted by `subjectRef`, then `name`).
- Store in Mongo `verificationPolicies` collection with unique index on `(tenantId, id)`.

## API surface (policy-engine)

- `POST /v1/policy/verification-policies` create; `GET /v1/policy/verification-policies/{id}` fetch; `GET /v1/policy/verification-policies` list with pagination; `DELETE /v1/policy/verification-policies/{id}`.
- Standard error envelope; headers align with the existing policy API (`ETag` on GET; `Last-Modified`).

## Persistence rules

- Immutable `createdAtUtc`; `updatedAtUtc` set on mutations; soft-delete not required.
- Validation: `requiredAttestors.threshold >= 1`, unique `keyId` per policy, `validity.notAfterUtc` > `validity.notBeforeUtc`.

## Acceptance criteria

- Schema & API documented and linked from the sprint tracker; no code changes yet.
- Examples use fixed timestamps `2025-01-01T00:00:00Z` and sample hashes `sha256:0123...`.
- Collections/indexes specified; DTO ordering deterministic.
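The schema, the deterministic DTO ordering and the three persistence-rule checks above are small enough to pin down in code before the real implementation lands. The following is an added example written for this page, not code from the Policy Guild or the Attestor service: a Python model of `VerificationPolicy`, a validator that reports every rule violation (threshold, duplicate `keyId`, validity window), and a canonicalising DTO builder that sorts `subjects` by `subjectRef` and `requiredAttestors` by `name`. The sample policy values (`vp-0001`, `tenant-a`, the `pkg:` purl, the 64-hex digest built from the doc's `sha256:0123...` pattern, the log name) are constructed for the example; only the fixed timestamp is from the page.

```python
from __future__ import annotations

import json
from dataclasses import asdict, dataclass, field
from datetime import datetime, timedelta

# Fixed timestamp from the prep doc; the digest is a constructed 64-hex sample
# that follows the doc's "sha256:0123..." pattern.
FIXED_TS = "2025-01-01T00:00:00Z"
SAMPLE_DIGEST = "sha256:" + "0123" * 16
MATCH_KINDS = {"digest", "purl", "nevra"}


@dataclass(frozen=True)
class Subject:
    subjectRef: str
    matchKind: str          # digest | purl | nevra


@dataclass(frozen=True)
class RequiredAttestor:
    name: str
    keyId: str
    threshold: int          # persistence rule: must be >= 1


@dataclass
class VerificationPolicy:
    id: str
    tenantId: str
    name: str
    description: str
    createdAtUtc: str       # immutable after creation
    updatedAtUtc: str       # bumped on every mutation
    subjects: list[Subject] = field(default_factory=list)
    requiredAttestors: list[RequiredAttestor] = field(default_factory=list)
    transparency: dict = field(default_factory=lambda: {"required": False, "log": None})
    validity: dict = field(default_factory=dict)   # {notBeforeUtc, notAfterUtc}


def _parse_utc(value: str) -> datetime:
    """Parse an ISO-8601 timestamp and insist it is UTC ('Z' or +00:00); naive values are rejected."""
    dt = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if dt.utcoffset() != timedelta(0):
        raise ValueError(f"timestamp must be UTC: {value}")
    return dt


def validate_policy(policy: VerificationPolicy) -> list[str]:
    """Return every persistence-rule violation; an empty list means the policy may be stored."""
    errors: list[str] = []
    for s in policy.subjects:
        if s.matchKind not in MATCH_KINDS:
            errors.append(f"subject {s.subjectRef}: unknown matchKind {s.matchKind!r}")
    seen_keys: set[str] = set()
    for a in policy.requiredAttestors:
        if a.threshold < 1:
            errors.append(f"attestor {a.name}: threshold must be >= 1")
        if a.keyId in seen_keys:
            errors.append(f"attestor {a.name}: duplicate keyId {a.keyId}")
        seen_keys.add(a.keyId)
    try:
        not_before = _parse_utc(policy.validity["notBeforeUtc"])
        not_after = _parse_utc(policy.validity["notAfterUtc"])
        if not_after <= not_before:
            errors.append("validity.notAfterUtc must be later than validity.notBeforeUtc")
    except (KeyError, ValueError) as exc:
        errors.append(f"validity: {exc!r}")
    return errors


def to_canonical_dto(policy: VerificationPolicy) -> dict:
    """API/SDK DTO with deterministic array order: subjects by subjectRef, attestors by name."""
    return {
        "id": policy.id,
        "tenantId": policy.tenantId,
        "name": policy.name,
        "description": policy.description,
        "createdAtUtc": policy.createdAtUtc,
        "updatedAtUtc": policy.updatedAtUtc,
        "subjects": [asdict(s) for s in sorted(policy.subjects, key=lambda s: s.subjectRef)],
        "requiredAttestors": [asdict(a) for a in sorted(policy.requiredAttestors, key=lambda a: a.name)],
        "transparency": dict(policy.transparency),
        "validity": dict(policy.validity),
    }


def canonical_json(policy: VerificationPolicy) -> str:
    """Byte-stable serialisation (sorted keys, no whitespace) suitable for ETag computation."""
    return json.dumps(to_canonical_dto(policy), sort_keys=True, separators=(",", ":"))


def sample_policy() -> VerificationPolicy:
    """Constructed example; arrays are deliberately out of order to show canonicalisation."""
    return VerificationPolicy(
        id="vp-0001", tenantId="tenant-a", name="release-gate",
        description="Require build and scan attestations for release artifacts",
        createdAtUtc=FIXED_TS, updatedAtUtc=FIXED_TS,
        subjects=[Subject(SAMPLE_DIGEST, "digest"), Subject("pkg:npm/example@1.0.0", "purl")],
        requiredAttestors=[RequiredAttestor("scanner", "key-scan-1", 1),
                           RequiredAttestor("builder", "key-build-1", 2)],
        transparency={"required": True, "log": "example-transparency-log"},
        validity={"notBeforeUtc": FIXED_TS, "notAfterUtc": "2026-01-01T00:00:00Z"},
    )


def invalid_policy() -> VerificationPolicy:
    """Constructed policy that breaks all three persistence rules at once."""
    p = sample_policy()
    p.requiredAttestors = [RequiredAttestor("scanner", "key-1", 0),   # threshold < 1
                           RequiredAttestor("builder", "key-1", 1)]   # duplicate keyId
    p.validity = {"notBeforeUtc": FIXED_TS, "notAfterUtc": FIXED_TS}  # window is empty
    return p


if __name__ == "__main__":
    print(canonical_json(sample_policy()))
    print(validate_policy(invalid_policy()))
```

Because `canonical_json` is stable for a given policy, the same string can back the `ETag` the GET endpoint returns; the validator collects all violations rather than stopping at the first so a single error envelope can list them.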