Skip to content

Integration: rules as part of the signed schema artifact (audit/compliance) #106

Description

@rrrodzilla

Workstream: Integration · Part of #89

Context

A key compliance win: a declarative rule is part of the signed schema artifact — reviewable in a PR, covered by the signature, an auditable control for ATO — unlike opaque out-of-band hook binaries. Must integrate with the existing signing pipeline (sign/verify, off→warn→enforce, trust bundles).

Scope

  • Ensure rule definitions are inside the signed schema payload and covered by signature verification.
  • Confirm verify and the enforce stage reject tampered rules.
  • Document the audit story (how a reviewer enumerates all rules gating an entity).

Acceptance

  • Rules are signed/verified with the schema; tampering fails verification; audit doc added.

Dependencies: Suggested order: after rules persist in the schema payload (#103). Soft.

Metadata

Metadata

Assignees

No one assigned

    Labels

    enhancementNew feature or request

    Type

    No type

    Fields

    No fields configured for issues without a type.

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions