git.stella-ops.org/docs/modules/policy/prep/2025-11-20-policy-attest-73-001-prep.md

Policy Attestation Prep — PREP-POLICY-ATTEST-73-001

Status: Ready for implementation (2025-11-20) Owners: Policy Guild · Attestor Service Guild Scope: Define VerificationPolicy schema + persistence/DTOs for policy-engine to verify attestation results from Attestor.

Requirements

• Schema VerificationPolicy with fields:
  • id (string), tenantId, name, description, createdAtUtc, updatedAtUtc (ISO-8601 UTC)
  • subjects: array of { subjectRef, matchKind: digest|purl|nevra }
  • requiredAttestors: array of { name, keyId, threshold }
  • transparency: { required: bool, log: string? }
  • validity: { notBeforeUtc, notAfterUtc }
• DTOs for API/SDK must preserve deterministic ordering of arrays (sorted by subjectRef, then name).
• Store in Mongo verificationPolicies collection with unique index on (tenantId, id).

API surface (policy-engine)

• POST /v1/policy/verification-policies create; GET /v1/policy/verification-policies/{id} fetch; GET /v1/policy/verification-policies list with pagination; DELETE /v1/policy/verification-policies/{id}.
• Standard error envelope; headers align with existing policy API (ETag on GET; Last-Modified).

Persistence rules

• Immutable createdAtUtc; updatedAtUtc set on mutations; soft-delete not required.
• Validation: requiredAttestors.threshold >=1, unique keyId per policy, validity.notAfterUtc > notBeforeUtc.

Acceptance criteria

• Schema & API documented and linked from sprint tracker; no code changes yet.
• Examples use fixed timestamps 2025-01-01T00:00:00Z and sample hashes sha256:0123....
• Collections/indexes specified; DTO ordering deterministic.