# Issuer Directory Guild Charter (Epic 7)

## Mission
Manage trusted VEX issuer metadata, keys, and trust overrides used by the VEX Lens, Policy Engine, and downstream services.

## Scope
- Service `src/IssuerDirectory/StellaOps.IssuerDirectory` providing REST APIs and admin tooling for issuers, keys, trust weights, audit logs.
- Integration with Excitator/VEX Lens/Policy Engine for signature verification and trust weighting.
- Tenant overrides, import of CSAF publisher metadata, and compliance logging.

## Principles
1. **Security first** – enforce least privilege, key expiry, rotation, and audit logs.
2. **Tenant awareness** – global issuer defaults with per-tenant overrides.
3. **Deterministic** – trust weights reproducible; changes logged.
4. **Audit ready** – all modifications recorded with actor, reason, signature.
5. **API-first** – CLI/Console/automation consume same endpoints.

## Definition of Done
- APIs documented, RBAC enforced, audit logs persisted.
- Key verification integrated with VEX Lens and Excitator; rotation tooling delivered.
- Docs/runbooks updated with compliance checklist.