# Policy Attestation Prep — PREP-POLICY-ATTEST-73-001

Status: **Ready for implementation** (2025-11-20)
Owners: Policy Guild · Attestor Service Guild
Scope: Define VerificationPolicy schema + persistence/DTOs for policy-engine to verify attestation results from Attestor.

## Requirements
- Schema `VerificationPolicy` with fields:
  - `id` (string), `tenantId`, `name`, `description`, `createdAtUtc`, `updatedAtUtc` (ISO-8601 UTC)
  - `subjects`: array of `{ subjectRef, matchKind: digest|purl|nevra }`
  - `requiredAttestors`: array of `{ name, keyId, threshold }`
  - `transparency`: `{ required: bool, log: string? }`
  - `validity`: `{ notBeforeUtc, notAfterUtc }`
- DTOs for API/SDK must preserve deterministic ordering of arrays (sorted by `subjectRef`, then `name`).
- Store in Mongo `verificationPolicies` collection with unique index on `(tenantId, id)`.

## API surface (policy-engine)
- `POST /v1/policy/verification-policies` create; `GET /v1/policy/verification-policies/{id}` fetch; `GET /v1/policy/verification-policies` list with pagination; `DELETE /v1/policy/verification-policies/{id}`.
- Standard error envelope; headers align with existing policy API (ETag on GET; `Last-Modified`).

## Persistence rules
- Immutable `createdAtUtc`; `updatedAtUtc` set on mutations; soft-delete not required.
- Validation: `requiredAttestors.threshold >= 1`, unique `keyId` per policy, `validity.notAfterUtc` > `notBeforeUtc`.
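
The validation rules above and the DTO ordering rule from Requirements, as an added Python example that is not part of the policy-engine code base. It assumes `subjects` is ordered by `subjectRef` and `requiredAttestors` by `name` with `keyId` as a tie-breaker; the function names and all sample values other than the `2025-01-01T00:00:00Z` timestamp and the `sha256:0123...` placeholder are constructed.

```python
from datetime import datetime

MATCH_KINDS = {"digest", "purl", "nevra"}

def parse_utc(value):
    """Parse an ISO-8601 timestamp and insist that it carries a zero UTC offset."""
    ts = datetime.fromisoformat(value.replace("Z", "+00:00"))
    if ts.utcoffset() is None or ts.utcoffset().total_seconds() != 0:
        raise ValueError(f"{value!r} is not a UTC timestamp")
    return ts

def validate_policy(policy):
    """Return the list of rule violations; an empty list means the policy is valid."""
    errors = []
    for s in policy["subjects"]:
        if s["matchKind"] not in MATCH_KINDS:
            errors.append(f"subject {s['subjectRef']}: unknown matchKind {s['matchKind']!r}")
    key_ids = [a["keyId"] for a in policy["requiredAttestors"]]
    if len(key_ids) != len(set(key_ids)):
        errors.append("requiredAttestors: keyId must be unique per policy")
    for a in policy["requiredAttestors"]:
        # type() check rejects booleans, which Python otherwise treats as integers
        if type(a["threshold"]) is not int or a["threshold"] < 1:
            errors.append(f"attestor {a['name']}: threshold must be an integer >= 1")
    v = policy["validity"]
    if parse_utc(v["notAfterUtc"]) <= parse_utc(v["notBeforeUtc"]):
        errors.append("validity: notAfterUtc must be later than notBeforeUtc")
    return errors

def to_dto(policy):
    """Copy the policy with both arrays in deterministic order."""
    dto = dict(policy)
    dto["subjects"] = sorted(policy["subjects"], key=lambda s: s["subjectRef"])
    # Assumption: keyId (unique per policy) breaks ties between equal names.
    dto["requiredAttestors"] = sorted(policy["requiredAttestors"], key=lambda a: (a["name"], a["keyId"]))
    return dto

# Constructed sample policy; arrays are deliberately out of order.
SAMPLE = {
    "id": "vp-example", "tenantId": "tenant-a", "name": "example",
    "subjects": [
        {"subjectRef": "sha256:0123...", "matchKind": "digest"},
        {"subjectRef": "pkg:npm/example@1.0.0", "matchKind": "purl"},
    ],
    "requiredAttestors": [
        {"name": "release-signer", "keyId": "key-b", "threshold": 1},
        {"name": "build-signer", "keyId": "key-a", "threshold": 2},
    ],
    "transparency": {"required": True, "log": None},
    "validity": {"notBeforeUtc": "2025-01-01T00:00:00Z", "notAfterUtc": "2026-01-01T00:00:00Z"},
}
```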

## Acceptance criteria
- Schema & API documented and linked from sprint tracker; no code changes yet.
- Examples use fixed timestamps `2025-01-01T00:00:00Z` and sample hashes `sha256:0123...`.
- Collections/indexes specified; DTO ordering deterministic.