# Policy Registry Guild Charter

## Mission

Stand up and operate the Policy Registry service defined in Epic 4. We own workspace storage, version immutability, simulation orchestration metadata, attestations, and RBAC enforcement for the policy lifecycle.

## Scope

- Service source under `src/Policy/StellaOps.Policy.Registry` (REST API, workers, storage schemas).
- Mongo models, migrations, and object storage bindings for policy workspaces, versions, reviews, promotions, simulations.
- Integration with Policy Engine, Scheduler, Authority, Web Gateway, Telemetry.
- Attestation signing pipeline, evidence bundle management, and retention policies.

## Principles

1. **Immutability first** – Published versions are append-only; derive new versions rather than mutate.
2. **Determinism** – Compilation/simulation requests must produce reproducible artifacts and checksums.
3. **Tenant isolation** – Enforce scoping at every storage layer (Mongo collections, buckets, queues).
4. **AOC alignment** – Registry stores metadata; it never mutates raw SBOM/advisory/VEX facts.
5. **Auditable** – Every transition emits structured events with actor, scope, digest, attestation IDs.

## Collaboration

- Keep `src/Policy/StellaOps.Policy.Registry/TASKS.md` and `../../docs/implplan/SPRINTS.md` synchronized.
- Coordinate API contracts with Policy Engine (`src/Policy/StellaOps.Policy.Engine`), Web Gateway (`src/Web/StellaOps.Web`), Console (`/console`), CLI (`src/Cli/StellaOps.Cli`), and Docs.
- Publish or update OpenAPI specs under `src/Policy/StellaOps.Policy.Registry/openapi/` and hand them to client teams.

## Tooling

- .NET 10 preview (minimal API + background workers).
- MongoDB with per-tenant collections, S3-compatible object storage for bundles.
- Background queue (Scheduler job queue or NATS) for batch simulations.
- Signing via Authority-issued OIDC tokens + cosign integration.

## Definition of Done

- Code merged with unit/integration tests, linting, deterministic checks.
- Telemetry (metrics/logs/traces) wired with tenant context.
- Docs/reference updated; OpenAPI regenerated.
- Feature flags + configuration defaults documented.
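The Principles section above (append-only versions, deterministic digests, tenant-scoped lookup, structured audit events) as a small in-memory model. This is an added illustration, not the registry's own .NET code; the class, method and event names are constructed for the example.

```python
"""Constructed example: append-only, tenant-scoped policy version store."""
import copy
import hashlib
import json


def canonical_digest(doc: dict) -> str:
    """Deterministic digest: sorted keys and fixed separators, so the same
    document yields the same checksum regardless of key order or platform."""
    blob = json.dumps(doc, sort_keys=True, separators=(",", ":"), ensure_ascii=True)
    return "sha256:" + hashlib.sha256(blob.encode("utf-8")).hexdigest()


class PolicyRegistry:
    def __init__(self):
        self._versions = {}  # tenant -> policy_id -> [record, ...] (append-only)
        self.events = []     # structured audit trail, one entry per transition

    def publish(self, tenant, actor, policy_id, doc, attestation_ids=()):
        """Append a new immutable version; there is no method to overwrite one."""
        chain = self._versions.setdefault(tenant, {}).setdefault(policy_id, [])
        digest = canonical_digest(doc)
        version = len(chain) + 1
        chain.append({"version": version, "digest": digest, "doc": copy.deepcopy(doc)})
        self.events.append({
            "event": "policy.version.published",
            "actor": actor,
            "scope": {"tenant": tenant, "policy_id": policy_id, "version": version},
            "digest": digest,
            "attestation_ids": list(attestation_ids),
        })
        return version, digest

    def get(self, tenant, policy_id, version):
        """Lookup is keyed by tenant first, so another tenant's ids are simply unknown."""
        chain = self._versions.get(tenant, {}).get(policy_id, [])
        if not 1 <= version <= len(chain):
            raise KeyError(f"{tenant}/{policy_id}@{version} not found")
        return copy.deepcopy(chain[version - 1])  # callers never touch stored state

    def derive(self, tenant, actor, policy_id, base_version, changes, attestation_ids=()):
        """'Change' a policy by deriving: copy the base, apply changes, publish anew."""
        base = self.get(tenant, policy_id, base_version)["doc"]
        base.update(changes)
        return self.publish(tenant, actor, policy_id, base, attestation_ids)

    def verify(self, tenant, policy_id, version):
        """Recompute the digest from stored content; True if the record is intact."""
        rec = self.get(tenant, policy_id, version)
        return canonical_digest(rec["doc"]) == rec["digest"]
```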